Document Comparison
PCI_DSS_v3_ROC_Reporting_Templatev1.1.pdf
→
PCI_DSS_v3_1_ROC_Reporting_Template.pdf
78% similar
224 → 198
Pages
67673 → 68740
Words
1520
Content Changes
From Revision History
- February 2014 PCI DSS 3.0, Revision 1.0 To introduce the template for submitting Reports on Compliance.
- July 2014 PCI DSS 3.0, Revision 1.1 Errata - Minor edits made to address typos and general errors, slight addition of content
- April 2015 PCI DSS 3.1, Revision 1.0 Revision to align with changes from PCI DSS 3.0 to PCI DSS 3.1 (see PCI DSS – Summary of
April 2015 © 2015 PCI Security Standards Council, LLC. All Rights Reserved. Page ii
Content Changes
1520 content changes. 68 administrative changes (dates, page numbers) hidden.
Added
p. 2
July 2014 PCI DSS 3.0, Revision 1.1 Errata - Minor edits made to address typos and general errors, slight addition of content
Added
p. 5
• Section 1: Contact Information and Report Date
• Section 2: Summary Overview
• Section 3: Description of Scope of Work and Approach Taken
• Section 4: Details about Reviewed Environment
• Section 5: Quarterly Scan Results
• Section 6: Findings and Observations
Added
p. 6
• Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers
• Appendices B and C: Compensating Controls and Compensating Controls Worksheet (as applicable)
If a requirement is completely excluded from review without any consideration as to whether it could apply, the “Not Tested” option should be selected. Examples of situations where this could occur may include:
• An organization may be asked by their acquirer to validate a subset of requirements – for example: using the prioritized approach to validate certain milestones.
• An organization may wish to validate a new security control that impacts only a subset of requirements – for example, implementation of a new encryption methodology that requires assessment of PCI DSS Requirements 2, 3, and 4.
• A service provider organization might offer a service that covers only a limited number of PCI DSS requirements – for example, a physical storage provider may only wish to validate the physical security controls per PCI DSS Requirement 9 …
Added
p. 10
• The requirement and/or testing procedure exists in both standards, in which case the response noted above would likely be sufficient. Noting that the service provider is compliant with 2.0 of the PCI DSS in the response is worthwhile to address any possible changes to requirements or testing procedures. As noted above, future-dated requirements are considered Not Applicable until the future date has passed. Until that date, an acceptable answer for the accompanying “not applicable” finding might be something like: “Not Applicable, as this is a future-dated requirement. Assessor verified this is the responsibility of Service Provider X, as verified through review of x/y contract (document). Assessor reviewed the AOC for Service Provider X, dated 1/12/2013, and confirmed the SP is compliant with v2.0 of the PCI DSS.” Refer to the FAQs on the PCI SSC website at https://www.pcisecuritystandards.org/faq/ for more information.
Added
p. 14
Describe the nature of the entity’s business (what kind of work they do, etc.)
Note: This is not intended to be a cut-and-paste from the entity’s website, but should be a tailored description that shows the assessor understands the business of the entity being assessed.
As noted in PCI DSS, v3.1
• “At least annually and prior to the annual assessment, the assessed entity should confirm the accuracy of their PCI DSS scope by identifying all locations and flows of cardholder data, and identify all systems that are connected to or if compromised could impact the CDE (e.g. authentication servers) to ensure they are included in the PCI DSS scope.”
Note: additional reporting has been added below to emphasize systems that are connected to or if compromised could impact the CDE.
Added
p. 16
• Identify the technologies used and any supporting processes
As part of this assessment
Separately
3.7 Wireless summary
If there are no wireless networks or technologies in use, describe how this was verified by the assessor.
• Wireless payment applications (for example, POS terminals)
Added
p. 26
• Provide the name of the assessor who attests that the testing of these requirements and/or responsibilities of the MSP is accurately represented in the signed Attestation of Compliance.
Added
p. 29
• Network connections, and
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested
Approved <Report Findings Here>
Tested <Report Findings Here>
1.1.2 Current diagram that identifies all connections between the cardholder data environment and other networks, including any wireless networks. ☐ ☐ ☐ ☐ ☐
1.1.2.a Examine diagram(s) and observe network configurations to verify that a current network diagram exists and that it documents all connections to the cardholder data environment, including any wireless networks.
• Shows all cardholder data flows across systems and networks.
• Is kept current and updated as needed upon changes to the environment.
Added
p. 36
• Network Address Translation (NAT),
• Placing servers containing cardholder data behind proxy servers/firewalls,
• Removal or filtering of route advertisements for private networks that employ registered addressing,
• Internal use of RFC1918 address space instead of registered addresses.
Mark 1.4.b as “not applicable” <Report Findings Here> If “yes,” identify the documented policies and configuration standards that define the following:
Added
p. 41
• Encryption keys were changed from default at installation
• From default at installation
<Report Findings Here> 2.1.1.b Interview personnel and examine policies and procedures to verify:
• Default SNMP community strings are required to be changed upon installation.
• Authentication over wireless networks
• Center for Internet Security (CIS)
• International Organization for Standardization (ISO)
• SysAdmin Audit Network Security (SANS) Institute
• National Institute of Standards Technology (NIST)
2.2.a Examine the organization’s system configuration standards for all types of system components and verify the system configuration standards are consistent with industry-accepted hardening standards.
Identify the documented system configuration standards for all types of system components examined.
• Changing of all vendor-supplied defaults and elimination of unnecessary default accounts
• Changing of all vendor-supplied defaults and elimination of unnecessary default accounts
• Implementing only one …
Added
p. 47
Documented <Report Findings Here> Implemented <Report Findings Here> 2.2.3.b For POS POI terminals (and the SSL/TLS termination points to which they connect) using SSL and/or early TLS and for which the entity asserts are not susceptible to any known exploits for those protocols:
Added
p. 47
Indicate whether the assessed entity includes POS POI terminals (and the SSL/TLS termination points to which they connect) using SSL and/or early TLS for which the entity asserts are not susceptible to any known exploits for those protocols. (yes/no)
If ‘no,’ mark the remainder of 2.2.3.b as ‘not applicable.’ <Report Findings Here>
If ‘yes,’ identify the document(s) examined to verify that the entity maintains documentation that verifies the devices are not susceptible to any known exploits for SSL/early TLS. <Report Findings Here>
2.2.3.c For all other environments using SSL and/or early TLS:
Review the documented Risk Mitigation and Migration Plan to verify it includes:
Indicate whether the assessed entity includes any other environments using SSL and/or early TLS (yes/no)
If ‘no,’ mark the remainder of 2.2.3.c as ‘not applicable.’ <Report Findings Here>
Added
p. 48
If ‘yes,’ identify the Risk Mitigation and Migration Plan document(s) examined to verify that it includes:
Added
p. 48
<Report Findings Here>
2.2.4 Configure system security parameters to prevent misuse. ☐ ☐ ☐ ☐ ☐
2.2.4.a Interview system administrators and/or security managers to verify that they have knowledge of common security parameter settings for system components.
components and inspect the common security parameters to verify that they are set appropriately and in accordance with the configuration standards.
<Report Findings Here>
2.3.e For POS POI terminals (and the SSL/TLS termination points to which they connect) using SSL and/or early TLS and for which the entity asserts are not susceptible to any known exploits for those protocols:
Indicate whether the assessed entity includes POS POI terminals (and the SSL/TLS termination points to which they connect) using SSL and/or early TLS for which the entity asserts are not susceptible …
Added
p. 58
• Database contents
Incoming transaction data <Report Findings Here>
All logs (for example, transaction, history, debugging error) <Report Findings Here>
History files <Report Findings Here>
Trace files <Report Findings Here>
Database schemas <Report Findings Here>
Database contents <Report Findings Here>
If applicable, any other output observed to be generated <Report Findings Here>
3.2.2 Do not store the card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions after authorization. ☐ ☐ ☐ ☐ ☐
3.2.2 For a sample of system components, examine data sources, including but not limited to the following, and verify that the three-digit or four-digit card verification code or value printed on the front of the card or the signature panel (CVV2, CVC2, CID, CAV2 data) is not stored after authorization:
• Database contents For each data …
Added
p. 84
6.3.1 Remove development, test and/or custom application accounts, user IDs, and passwords before applications become active or are released to customers. ☐ ☐ ☐ ☐ ☐
6.3.1 Examine written software-development procedures and interview responsible personnel to verify that pre-production and/or custom application accounts, user IDs and/or passwords are removed before an application goes into production or is released to customers.
• Code reviews ensure code is developed according to secure coding guidelines.
• Appropriate corrections are implemented prior to release.
• Code review results are reviewed and approved by management prior to release.
• Appropriate corrections are implemented prior to release.
• Code reviews ensure code is developed according to secure coding guidelines (see PCI DSS Requirement 6.5).
• Code-review results are reviewed and approved by management prior to …
Added
p. 106
8.1.1 Interview administrative personnel to confirm that all users are assigned a unique ID for access to system components or cardholder data.
• Monitored when in use.
• Disabled when not in use.
<Report Findings Here> 8.1.5.b Interview personnel and observe processes to verify that vendor remote access accounts are monitored while being used.
• Examine documentation describing the authentication method(s) used.
• For each type of authentication method used and for each type of system component, observe an authentication to verify authentication is functioning consistent with documented authentication method(s).
8.2.1.a Examine vendor documentation and system configuration settings to verify that passwords are protected with strong …
Added
p. 116
• Shared user IDs for system administration activities and other critical functions do not exist.
• Shared and generic user IDs are not used to administer any system components.
8.5.b Examine authentication policies and procedures to verify that use of group and shared IDs and/or passwords or other authentication methods are explicitly prohibited.
Added
p. 117
Identify the documented procedures examined to verify that different authentication credentials are used for access to each customer.
<Report Findings Here> 8.7.b Examine database and application configuration settings to verify that all user access to, user queries of, and user actions on (for example, move, copy, delete), the database are through programmatic methods only (for example, through stored procedures).
<Report Findings Here> 8.7.b Examine database and application configuration settings to verify that all user access to, user queries of, and user actions on (for example, move, copy, delete), the database are through programmatic methods only (for example, through stored procedures).
Added
p. 123
• Identifying onsite personnel and visitors (for example, assigning badges),
• Identifying onsite personnel and visitors (for example, assigning badges),
• Changing access requirements, and
• Changing access requirements, and
• Visitors are clearly identified, and
<Report Findings Here> 9.2.c Verify that access to the identification process (such as a badge system) is limited to authorized personnel.
Added
p. 126
• The visitor’s name,
• The visitor’s name,
• The firm represented, and
• The firm represented, and
Added
p. 129
<Report Findings Here>
9.8.1 Shred, incinerate, or pulp hard-copy materials so that cardholder data cannot be reconstructed. Secure storage containers used for materials that are to be destroyed. ☐ ☐ ☐ ☐ ☐
9.8.1.a Interview personnel and examine procedures to verify that hard-copy materials are crosscut shredded, incinerated, or pulped such that there is reasonable assurance the hard-copy materials cannot be reconstructed.
9.8.2 Render cardholder data on electronic media unrecoverable so that cardholder data cannot be reconstructed. ☐ ☐ ☐ ☐ ☐
9.8.2 Verify that cardholder data on electronic media is rendered unrecoverable (e.g. via a secure wipe program in accordance with industry-accepted standards for secure deletion, or by physically destroying the media).
• Make, model of device.
• Make, model of device.
• Device serial number or other method of unique identification.
• …
Added
p. 138
• Initialization of audit logs.
• User identification
• User identification
• Success or failure indication
• Success or failure indication
• Where there is more than one designated time server, the time servers peer with one another to keep accurate time.
• Systems receive time information only from designated central time server(s).
• Where there is more than one designated time server, the designated central time server(s) peer with one another to keep accurate time.
• Systems receive time only from designated central time server(s).
10.4.2.a Examine system configurations and time-synchronization settings to verify that access to time data is restricted to only personnel with a business need to access time data.
• Logged <Report Findings Here>
• Monitored <Report Findings Here>
• Time settings are configured to either accept time updates from specific, industry-accepted time …
Added
p. 147
• Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.).
• Logs of all critical system components
• Logs of all critical system components
<Report Findings Here>
10.6.3.b Observe processes and interview personnel to verify that follow-up to exceptions and anomalies is performed.
Indicate whether wireless scanning is utilized. (yes/no) If ‘no,’ mark the remainder of 11.1.c as ‘not applicable.’
Added
p. 164
<Report Findings Here> Describe how the personnel who perform the penetration tests demonstrated they are qualified to perform the tests <Report Findings Here> Describe how organizational independence of the tester was observed to exist.
Isolate all out-of-scope systems from systems in the CDE.
<Report Findings Here> 11.3.4.b Examine the results from the most recent penetration test to verify that:
• Penetration testing to verify segmentation controls is performed at least annually and after any changes to segmentation controls/methods.
• The penetration testing covers all segmentation controls/methods in use.
• At critical points in the cardholder data environment.
<Report Findings Here> Updated per vendor instructions to ensure optimal protection.
Examples of files that should be monitored:
• System executables
• Application executables
• Configuration and parameter files
• Centrally stored, historical or archived, log and audit files
PCI …
Added
p. 175
12.4 Ensure that the security policy and procedures clearly define information security responsibilities for all personnel. ☐ ☐ ☐ ☐ ☐
12.4.a Verify that information security policy and procedures clearly define information security responsibilities for all personnel.
<Report Findings Here> 12.4.b Interview a sample of responsible personnel to verify they understand the security policies.
• Monitoring all access to data
• Personnel attend security awareness training:
Added
p. 181
<Report Findings Here>
12.8.5 Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity. ☐ ☐ ☐ ☐ ☐
12.8.5 Verify the entity maintains information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.
Added
p. 183
• Provide appropriate training to staff with security breach response responsibilities.
• Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum.
• Coverage and responses of all critical system components.
• Roles, responsibilities, and communication strategies in the event of a compromise including notification of the payment brands, at a minimum.
• Specific incident response procedures.
• Specific incident response procedures.
• Business recovery and continuity procedures
• Data back-up processes
• Coverage and responses for all critical system components.
• Reference or inclusion of incident response procedures from the payment brands.
• Reference or inclusion of incident response procedures from the payment brands.
• Business recovery and continuity procedures.
• Data back-up processes.
• Analysis of legal requirements for reporting compromises.
Any evidence of unauthorized activity. …
Removed
p. 2
July 2014 1.1 Errata - Minor edits made to address typos and general errors, slight addition of content
Modified
p. 2
February 2014 1.0 To introduce the template for submitting Reports on Compliance.
February 2014 PCI DSS 3.0, Revision1.0 To introduce the template for submitting Reports on Compliance.
Removed
p. 5
Section 1: Contact Information and Report Date Section 2: Summary Overview Section 3: Description of Scope of Work and Approach Taken Section 4: Details about Reviewed Environment
Modified
p. 5
Use of this Reporting Template is mandatory for all v3.0 submissions; however, it may NOT be used for 2.0 submissions. Refer to the ROC Reporting Instructions for PCI DSS v2.0 for guidance on completing 2.0 submissions.
Use of this Reporting Template is mandatory for all v3.1 submissions.
Modified
p. 5
Do not delete any content from any place in this document, including this section and the versioning above. These instructions are important for the assessor as the report is written and for the recipient in understanding the context the responses and conclusions are made. Addition of text or sections is applicable within reason, as noted above. Refer to the “ROC Reporting Template for PCI DSS v3.0: Frequently Asked Questions (FAQs)” document on the PCI SSC website for further guidance.
Do not delete any content from any place in this document, including this section and the versioning above. These instructions are important for the assessor as the report is written and for the recipient in understanding the context the responses and conclusions are made. Addition of text or sections is applicable within reason, as noted above. Refer to the “Frequently Asked Questions for use with ROC Reporting Template for PCI DSS v3.x” document on the PCI SSC website for further …
Modified
p. 5
The Report on Compliance (ROC) is produced during onsite PCI DSS assessments as part of an entity’s validation process. The ROC provides details about the entity’s environment and assessment methodology, and documents the entity’s compliance status for each PCI DSS Requirement. A PCI DSS compliance assessment involves thorough testing and assessment activities, from which the assessor will generate detailed work papers. These work papers contain comprehensive records of the assessment activities, including observations, results of system testing, configuration data, file …
The Report on Compliance (ROC) is produced during onsite PCI DSS assessments as part of an entity’s validation process. The ROC provides details about the entity’s environment and assessment methodology, and documents the entity’s compliance status for each PCI DSS Requirement. A PCI DSS compliance assessment involves thorough testing and assessment activities, from which the assessor will generate detailed work papers. These work papers contain comprehensive records of the assessment activities, including observations, results of system testing, configuration data, file …
Modified
p. 6
ROC Summary of Assessor Findings With the Reporting Template, an effort was made to efficiently use space, and as such, there is one response column for results/evidence (“ROC Reporting Details: Assessor’s Response”) instead of three. Additionally, the results for “Summary of Assessor Findings” were expanded to more effectively represent the testing and results that took place, which should be aligned with the AOC.
ROC Summary of Assessor Findings With the Reporting Template, an effort was made to efficiently use space, and as such, there is one response column for results/evidence (“ROC Reporting Details: Assessor’s Response”) instead of three. Additionally, the results for “Summary of Assessor Findings” were expanded to more effectively represent the testing and results that took place, which should be aligned with the Attestation of Compliance (AOC).
Modified
p. 6
The following table is a helpful representation when considering which selection to make. Remember, only one response should be selected at the sub-requirement level, and reporting of that should be consistent with other required documents, such as the Attestation of Compliance (AOC).
The following table is a helpful representation when considering which selection to make. Remember, only one response should be selected at the sub- requirement level, and reporting of that should be consistent with other required documents, such as the AOC.
Modified
p. 6
Refer to the “ROC Reporting Template for PCI DSS v3.0: Frequently Asked Questions (FAQs)” document on the PCI SSC website for further guidance.
Refer to the “Frequently Asked Questions for use with ROC Reporting Template for PCI DSS v3.x” document on the PCI SSC website for further guidance.
Modified
p. 7
**Note, future-dated requirements are considered Not Applicable until the future data has passed While it is true that the requirement is likely not tested (hence the original instructions), it is not required to be tested until the future date has passed, and the requirement is therefore not applicable until that date. As such, a “Not Applicable” response to future- dated requirements is accurate, whereas a “Not Tested” response would imply there was not any consideration as to whether it could …
**Note, future-dated requirements are considered Not Applicable until the future date has passed. While it is true that the requirement is likely not tested (hence the original instructions), it is not required to be tested until the future date has passed, and the requirement is therefore not applicable until that date. As such, a “Not Applicable” response to future- dated requirements is accurate, whereas a “Not Tested” response would imply there was not any consideration as to whether it could …
Modified
p. 8
(See “What is the difference between ‘Not Applicable’ and ‘Not Tested’?” below for examples of when this option should be used.) In the sample, the Summary of Assessment Findings at 1.1 is “not tested” if either 1.1.a or 1.1.b are concluded to be “not tested.” Requirement X: Sample
(See “What is the difference between ‘Not Applicable’ and ‘Not Tested’?” below for examples of when this option should be used.) In the sample, the Summary of Assessment Findings at 1.1 is “not tested” if either 1.1.a or 1.1.b are concluded to be “not tested.” What is the difference between “Not Applicable” and “Not Tested?” Requirements that are deemed to be not applicable to an environment must be verified as such. Using the example of wireless and an organization that …
Modified
p. 8 → 9
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place with CCW Not Applicable Not Tested Not in Place 1.1 Sample sub-requirement 1.1.a Sample testing procedure Reporting Instruction <Report Findings Here> 1.1.b Sample testing procedure Reporting Instruction <Report Findings Here> ROC Reporting Details The reporting instructions in the Reporting Template explain the intent of the response required. There is no need to repeat the testing procedure or the reporting …
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place with CCW Not Applicable Not Tested Not in Place 1.1 Sample sub-requirement ☐ ☐ ☐ ☐ ☐ 1.1.a Sample testing procedure Reporting Instruction <Report Findings Here> 1.1.b Sample testing procedure Reporting Instruction <Report Findings Here> ROC Reporting Details The reporting instructions in the Reporting Template explain the intent of the response required. There is no need to repeat the testing …
Modified
p. 8 → 9
• In Sections 4.10, “Documentation Reviewed,” and 4.11, “Individuals Interviewed” below, there is a space for a reference number and it is the QSA’s choice to use the document name/interviewee job title or the reference number at the individual reporting instruction response.
• In Sections 4.10, “Documentation Reviewed,” and 4.11, “Individuals Interviewed” below, there is a space for a reference number and it is the QSA’s choice to use the document name/interviewee job title or the reference number at the individual reporting instruction response.
Removed
p. 9
During the implementation period for PCI DSS 3.0, an entity being assessed against PCI DSS v3.0 may be relying on the compliance of third-party service providers who are assessed as compliant against PCI DSS v2.0. This is acceptable, and there is no need to force the third-party service provider to be assessed against PCI DSS 3.0 while their PCI DSS 2.0 assessment is still valid. How should this be documented? In the scenario where the entity is assessing against PCI DSS 3.0, but the third-party service provider’s current compliant assessment is against PCI DSS 2.0, two possibilities exist:
The requirement and/or testing procedure exists in both standards, in which case the response noted above would likely be sufficient. Noting that the service provider is compliant with 2.0 of the PCI DSS in the response is worthwhile to address any possible changes to requirements or testing procedures.
Modified
p. 9
• Short and to the point, but provide detail and individual content that is not simply an echoing of the testing procedure or reporting instruction nor a template answer used from report-to-report, but instead relevant and specific to the assessed entity.
• Short and to the point, but provide detail and individual content that is not simply an echoing of the testing procedure or reporting instruction nor a template answer used from report-to-report, but instead relevant and specific to the assessed entity.
Modified
p. 9
Example Reporting Instruction: Describe the procedures for secure key distribution that were observed to be implemented. Example Reporting Instruction: For the interview, summarize the relevant details discussed that verify … Dependence on another service provider’s compliance:
Example Reporting Instruction: Describe the procedures for secure key distribution that were observed to be implemented. Example Reporting Instruction: For the interview, summarize the relevant details discussed that verify …
Modified
p. 9 → 10
“Assessor verified this is the responsibility of Service Provider X, as verified through review of x/y contract (document). Assessor reviewed the AOC for Service Provider X, dated MM/DD/YYYY, and confirmed the service provider was found to be PCI DSS compliant against PCI DSS v2.0 (or PCI DSS v3.0) for all applicable requirements, and that it covers the scope of the services used by the assessed entity.” That response could vary, but what’s important is that it is noted as “in …
“Assessor verified this is the responsibility of Service Provider X, as verified through review of x/y contract (document). Assessor reviewed the AOC for Service Provider X, dated MM/DD/YYYY, and confirmed the service provider was found to be PCI DSS compliant against PCI DSS v2.0 (or PCI DSS v3.0/PCI DSS v3.1) for all applicable requirements, and that it covers the scope of the services used by the assessed entity.” That response could vary, but what’s important is that it is noted …
Modified
p. 9 → 10
Dependence on another service provider’s compliance where the service providers is compliant with PCI DSS v2.0, but the entity is being assessed against PCI DSS v3.0:
Dependence on another service provider’s compliance where the service providers is compliant with PCI DSS v2.0, but the entity is being assessed against PCI DSS v3.1:
Modified
p. 10 → 11
Use this Reporting Template when assessing against v3.0 of the PCI DSS.
Use this Reporting Template when assessing against v3.1 of the PCI DSS.
Modified
p. 12 → 13
Disclose all services offered to the assessed entity by the QSAC, including but not limited to whether the assessed entity uses any security-relates devices or security-related applications that have been developed or manufactured by the QSA, or to which the QSA owns the rights or that the QSA has configured or manages:
Disclose all services offered to the assessed entity by the QSAC, including but not limited to whether the assessed entity uses any security-related devices or security-related applications that have been developed or manufactured by the QSA, or to which the QSA owns the rights or that the QSA has configured or manages:
Modified
p. 12 → 13
Describe efforts made to ensure no conflict of interest resulted above mentioned services provided by the QSAC:
Describe efforts made to ensure no conflict of interest resulted from the above mentioned services provided by the QSAC:
Removed
p. 13
Note: This is not intended to be a cut-and-paste from the entity’s web site, but should be a tailored description that shows the assessor understands payment and the entity’s role.
Modified
p. 13 → 14
What types of payment channels the entity serves, such as card-present and card-not-present (for example, mail order/telephone order (MOTO), e- commerce).
Note: This is not intended to be a cut-and-paste from above, but should build on the understanding of the business and the impact this can have upon the security of cardholder data. website What types of payment channels the entity serves, such as card-present and card-not-present (for example, mail order/telephone order (MOTO), e- commerce).
Modified
p. 14 → 15
3. Description of Scope of Work and Approach Taken 3.1 Assessor’s validation of scope accuracy Document how the assessor validated the accuracy of the PCI DSS scope for the assessment, including:
3. Description of Scope of Work and Approach Taken 3.1 Assessor’s validation of defined cardholder data environment and scope accuracy Document how the assessor validated the accuracy of the defined CDE/PCI DSS scope for the assessment, including:
Modified
p. 14 → 15
Describe the methods or processes (for example, tools, observations, feedback, scans, data flow analysis) used to verify that no cardholder data exists outside of the CDE scope defined for this assessment (as executed by the assessor, assessed entity or a combination):
Describe the methods or processes (for example, tools, observations, feedback, scans, data flow analysis) used to verify that no cardholder data exists outside of the defined CDE (as executed by the assessor, assessed entity or a combination):
Modified
p. 14 → 15
Describe how the results of the methods/processes were evaluated by the assessor to verify that PCI DSS scope is appropriate:
Describe how the results of the methods/processes were evaluated by the assessor to verify that the PCI DSS scope of review is appropriate:
Modified
p. 14 → 15
Provide the name of the assessor who attests that the scope of the assessment has been verified to be accurate and appropriate, to the best of the assessor’s ability and with all due diligence:
Provide the name of the assessor who attests that the defined CDE and scope of the assessment has been verified to be accurate, to the best of the assessor’s ability and with all due diligence:
Modified
p. 15 → 16
• Explain how the assessor validated the effectiveness of the segmentation, as follows:
Removed
p. 17
List all countries where the entity conducts business.
Modified
p. 18
If there are wireless networks or technologies in use, identify and describe all wireless technologies in use that are connected to or could impact the security of the cardholder data environment. This would include:
If there are wireless networks or technologies in use, identify and describe all wireless technologies in use that are connected to or could impact
Modified
p. 18 → 19
• All other wireless devices/technologies 3.8 Wireless details For each wireless technology in scope, identify the following:
Modified
p. 20 → 21
Note: The table below list of files and tables that store cardholder data must be supported by an inventory created (or obtained from the client) and retained by the assessor in the work papers.
Note: The list of files and tables that store cardholder data in the table below must be supported by an inventory created (or obtained from the client) and retained by the assessor in the work papers.
Modified
p. 20 → 21
Type of Device Vendor (make/model) Role/Functionality 4.5 Critical software in use in the cardholder data environment Identify and list all critical software in the cardholder environment, such as E-commerce applications, applications accessing CHD for non- payment functions (fraud modeling, credit verification, etc.), software performing security functions or enforcing PCI DSS controls, underlying
Type of Device Vendor (make/model) Role/Functionality 4.5 Critical software in use in the cardholder data environment Identify and list all critical software in the cardholder environment, such as e-commerce applications, applications accessing CHD for non-payment functions (fraud modeling, credit verification, etc.), software performing security functions or enforcing PCI DSS controls, underlying operating systems that store, process or transmit CHD, system management software, virtualization management software, and other critical software
• including homegrown software/applications. For each item in the list, provide details …
• including homegrown software/applications. For each item in the list, provide details …
Modified
p. 21 → 22
• Provide the name of the assessor who attests that every system component and all business facilities have been assessed.
Modified
p. 21 → 22
• Provide the name of the assessor who attests that all sample sets used for this assessment are represented in the below “Sample sets for reporting” table. Examples may include, but are not limited to firewalls, application servers, retail locations, data centers, User IDs, people, etc.
Modified
p. 21 → 22
• Describe the sampling rationale and/or standardized PCI DSS security and operational processes/controls used for selecting sample sizes (for people, processes, technologies, devices, locations/sites, etc.).
Modified
p. 21 → 22
• Describe how the above processes and controls were validated by the assessor.
Modified
p. 22 → 23
Note: When a reporting instruction asks for a sample, the QSA may either refer to the Sample Set Identifier here (for example “Sample Set-1”) OR list the sampled items individually in the response. Add rows as needed.
Note: When a reporting instruction asks for a sample, the QSA may either refer to the Sample Set Identifier here (for example “Sample Set-1”) OR list the sampled items individually in the response. Examples of sample sets may include, but are not limited to, firewalls, application servers, retail locations, data centers, User IDs, people, etc. Add rows as needed.
Modified
p. 23 → 24
PCI SSC listing reference number Expiry date of listing, if applicable Provide the name of the assessor who attests that all PA-DSS validated payment applications were reviewed to verify they have been implemented in a PCI DSS compliant manner according to the payment application vendor’s PA-DSS implementation Guide Provide the name of the assessor who attests that all PCI SSC-validated P2PE applications and solutions were reviewed to verify they have been implemented in a PCI DSS compliant manner …
PCI SSC listing reference number Expiry date of listing, if applicable Provide the name of the assessor who attests that all PA-DSS validated payment applications were reviewed to verify they have been implemented in a PCI DSS compliant manner according to the payment application vendor’s PA-DSS Implementation Guide Provide the name of the assessor who attests that all PCI SSC-validated P2PE applications and solutions were reviewed to verify they have been implemented in a PCI DSS compliant manner …
Modified
p. 23 → 24
Any additional comments or findings assessor would like to share, as applicable:
Any additional comments or findings the assessor would like to share, as applicable:
Modified
p. 24 → 25
• List the requirements that apply to the MSP and are included in this assessment.
Modified
p. 24 → 25
• List the requirements that are the responsibility of the MSP’s customers (and have not been included in this assessment).
Modified
p. 25 → 26
• Identify which of the MSP’s IP addresses are scanned as part of the MSP’s quarterly vulnerability scans.
Modified
p. 25 → 26
• Identify which of the MSP’s IP addresses are the responsibility of the MSP’s customers.
Modified
p. 25 → 26
List of all requirements/testing procedures with this result Summary of the issue (for example, not deemed in scope for the assessment, reliance on a third-party service provider who is compliant to PCI DSS v2.0 and hasn’t yet assessed against 3.0, etc.)
List of all requirements/testing procedures with this result Summary of the issue (for example, not deemed in scope for the assessment, reliance on a third-party service provider who is compliant to PCI DSS v2.0 and hasn’t yet assessed against 3.0 or 3.1, etc.)
Modified
p. 26 → 27
Describe how the assessor verified any vulnerabilities noted in the initial scan have been corrected, as shown in a re-scan.
Describe how the assessor verified that any vulnerabilities noted in the initial scan have been corrected, as shown in a re-scan.
Modified
p. 28 → 29
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 1.1 Establish and implement firewall and router configuration standards that include the following:
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 1.1 Establish and implement firewall and router configuration standards that include the following:
Modified
p. 28 → 29
• Changes to firewall and router configurations.
Modified
p. 28 → 29
Testing and approval of all network connections.
Testing and approval of all network connections. <Report Findings Here> Testing and approval of all changes to firewall and router configurations.
Modified
p. 28 → 29
Identify the sample of records for network connections that were examined.
Modified
p. 28 → 29
<Report Findings Here> Identify the responsible personnel interviewed who confirm that network connections were approved and tested.
<Report Findings Here> Identify the responsible personnel interviewed who confirm that network connections were approved and tested.
Modified
p. 28 → 29
Approved <Report Findings Here> Tested <Report Findings Here> 1.1.1.c Identify a sample of actual changes made to firewall and router configurations, Identify the sample of records for firewall and router configuration changes that were examined.
Approved <Report Findings Here> Tested <Report Findings Here> 1.1.1.c Identify a sample of actual changes made to firewall and router configurations, compare to the change records, and interview responsible personnel to verify the changes were approved and tested.
Removed
p. 29
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested Place compare to the change records, and interview responsible personnel to verify the changes were approved and tested.
Identify the current network diagram(s) examined.
Modified
p. 29
<Report Findings Here> Identify the responsible personnel interviewed who confirm that changes made to firewall and router configurations were approved and tested.
Modified
p. 29 → 30
<Report Findings Here> Describe how network connections were observed and compared to the diagram(s) to verify that the diagram:
Identify the current network diagram(s) examined. <Report Findings Here> Describe how network connections were observed and compared to the diagram(s) to verify that the diagram:
Modified
p. 29 → 30
Identify the document examined to verify processes require that the network diagram is kept current.
Modified
p. 29 → 30
<Report Findings Here> Identify the responsible personnel interviewed for this testing procedure.
<Report Findings Here> Identify the responsible personnel interviewed for this testing procedure.
Modified
p. 29 → 30
<Report Findings Here> For the interview, summarize the relevant details discussed to verify that the diagram is kept current.
<Report Findings Here> For the interview, summarize the relevant details discussed to verify that the diagram is kept current.
Modified
p. 29 → 30
<Report Findings Here> 1.1.3 Current diagram that shows all cardholder data flows across systems and networks.
<Report Findings Here> 1.1.3 Current diagram that shows all cardholder data flows across systems and networks. ☐ ☐ ☐ ☐ ☐ 1.1.3.a Examine data flow diagram and interview personnel to verify the diagram:
Modified
p. 29 → 30
Identify the data-flow diagram(s) examined. <Report Findings Here> Identify the responsible personnel interviewed for this testing procedure.
Removed
p. 30
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested Place Shows all cardholder data flows across systems and networks. Is kept current and updated as needed upon changes to the environment.
Modified
p. 30
For the interview, summarize the relevant details discussed to verify the diagram:
<Report Findings Here> For the interview, summarize the relevant details discussed to verify the diagram:
Modified
p. 30
<Report Findings Here> 1.1.4 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone.
<Report Findings Here> 1.1.4 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone. ☐ ☐ ☐ ☐ ☐
Modified
p. 30 → 31
1.1.4.a Examine the firewall configuration standards and verify that they include requirements for a firewall at each Internet connection and between any DMZ and the internal network zone.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 1.1.4.a Examine the firewall configuration standards and verify that they include requirements for a firewall at each Internet connection and between any DMZ and the internal network zone.
Modified
p. 30 → 31
Identify the firewall configuration standards document examined to verify requirements for a firewall:
Modified
p. 30 → 31
• At each Internet connection.
Modified
p. 30 → 31
• Between any DMZ and the internal network zone.
Modified
p. 30 → 31
Provide the name of the assessor who attests that the current network diagram identified at 1.1.2.a was compared to the firewall configuration standards identified at 1.1.4.a to verify they are consistent with each other.
Modified
p. 30 → 31
At each Internet connection. <Report Findings Here> Between any DMZ and the internal network zone.
At each Internet connection. <Report Findings Here> Between any DMZ and the internal network zone. <Report Findings Here> 1.1.5 Description of groups, roles, and responsibilities for management of network components. ☐ ☐ ☐ ☐ ☐ 1.1.5.a Verify that firewall and router configuration standards include a description of groups, roles, and responsibilities for management of network components.
Modified
p. 30 → 31
Identify the firewall and router configuration standards document(s) reviewed to verify they include a description of groups, roles and responsibilities for management of network components.
Removed
p. 31
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 1.1.5.a Verify that firewall and router configuration standards include a description of groups, roles, and responsibilities for management of network components.
Identify the firewall and router configuration standards document(s) reviewed to verify they include a description of groups, roles and responsibilities for management of network components.
Modified
p. 31
Identify the personnel responsible for management of network components interviewed for this testing procedure.
Modified
p. 31
<Report Findings Here> For the interview, summarize the relevant details discussed to verify that roles and responsibilities are assigned as documented for management of firewall and router components.
<Report Findings Here> For the interview, summarize the relevant details discussed to verify that roles and responsibilities are assigned as documented for management of firewall and router components.
Modified
p. 31 → 32
1.1.6.a Verify that firewall and router configuration standards include a documented list of all services, protocols and ports, including business justification for each•for example, hypertext transfer protocol (HTTP) and Secure Sockets Layer (SSL), Secure Shell (SSH), and Virtual Private Network (VPN) protocols.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 1.1.6.a Verify that firewall and router configuration standards include a documented list of all services, protocols and ports, including business justification for each•for example, hypertext transfer protocol (HTTP) and Secure Sockets Layer (SSL), Secure Shell (SSH), and Virtual Private Network (VPN) protocols.
Modified
p. 31 → 32
Identify the firewall configuration standards document(s) reviewed to verify the document(s) contains a list of all services, protocols and ports necessary for business, including a business justification for each.
Modified
p. 31 → 32
<Report Findings Here> Identify the router configuration standards document(s) reviewed to verify the document contains a list of all services, protocols and ports necessary for business, including a business justification for each.
<Report Findings Here> Identify the router configuration standards document(s) reviewed to verify the document contains a list of all services, protocols and ports necessary for business, including a business justification for each.
Modified
p. 31 → 32
Indicate whether any insecure services, protocols or ports are allowed. (yes/no) <Report Findings Here> If “yes,” complete the instructions below for EACH insecure service, protocol, and port allowed: (add rows as needed) Identify the documented justification. <Report Findings Here> Identify the firewall and router configuration standards reviewed to verify that security features are documented for each insecure service/protocol/port.
Removed
p. 32
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested Identify the firewall and router configuration standards reviewed to verify that security features are documented for each insecure service/protocol/port.
Identify the firewall and router configuration standards reviewed to verify they require a review of firewall rule sets at least every six months.
Modified
p. 32
Describe how the firewall and router configurations were examined to verify that the documented security features are implemented for each insecure service, protocol and/or port.
Modified
p. 32
<Report Findings Here> 1.1.7 Requirement to review firewall and router rule sets at least every six months.
<Report Findings Here> 1.1.7 Requirement to review firewall and router rule sets at least every six months. ☐ ☐ ☐ ☐ ☐ 1.1.7.a Verify that firewall and router configuration standards require review of firewall and router rule sets at least every six months.
Modified
p. 32
Identify the firewall and router configuration standards reviewed to verify they require a review of firewall rule sets at least every six months.
Modified
p. 32
Identify the document(s) relating to rule set reviews that were examined to verify that rule sets are reviewed at least every six months for firewall and router rule sets.
Modified
p. 32 → 33
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested Identify the responsible personnel interviewed who confirm that rule sets are reviewed at least every six months for firewall and router rule sets.
Removed
p. 33
Identify the firewall and router configuration standards reviewed to verify they identify inbound and outbound traffic necessary for the cardholder data environment.
Describe how router configuration files were examined to verify they are synchronized.
Modified
p. 33
Identify the firewall and router configuration standards reviewed to verify they identify inbound and outbound traffic necessary for the cardholder data environment.
Modified
p. 33
All other inbound traffic <Report Findings Here> All other outbound traffic <Report Findings Here> 1.2.2 Secure and synchronize router configuration files.
All other inbound traffic <Report Findings Here> All other outbound traffic <Report Findings Here> 1.2.2 Secure and synchronize router configuration files. ☐ ☐ ☐ ☐ ☐ 1.2.2.a Examine router configuration files to verify they are secured from unauthorized access.
Modified
p. 33
Describe how router configuration files were examined to verify they are secured from unauthorized access.
Modified
p. 33 → 34
Describe how router configuration files were examined to verify they are synchronized.
Modified
p. 33 → 34
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 1.2.2.b Examine router configurations to verify they are synchronized, for example, the running (or active) configuration matches the start-up configuration (used when machines are booted).
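Testing procedure 1.2.2.b above asks whether the running configuration matches the start-up configuration. The script below is an added example, not part of the ROC template or any PCI SSC material, showing how an assessor or network engineer can compare the two views after dropping the banner and counter lines that differ by design on IOS-style devices. The two configurations, the hostname and the addresses are constructed for the example (a real check would feed it the output of "show running-config" and "show startup-config" or the platform's equivalent). The drift it reports, a telnet permit and a telnet-enabled vty line that exist only in the start-up configuration, is the kind that matters: the running configuration looks compliant today, but the insecure settings return on the next reboot.

```python
import difflib
import re

# Constructed sample output (not from the template). RUNNING stands in for
# "show running-config", STARTUP for "show startup-config".
RUNNING = """\
Building configuration...

Current configuration : 1234 bytes
!
! Last configuration change at 10:12:03 UTC Mon Apr 6 2015
!
hostname cde-rtr-01
!
ip access-list extended INET-IN
 deny   ip 10.0.0.0 0.255.255.255 any
 permit tcp any host 203.0.113.10 eq 443
 deny   ip any any log
!
line vty 0 4
 transport input ssh
!
end
"""

STARTUP = """\
Using 1198 out of 262144 bytes
!
hostname cde-rtr-01
!
ip access-list extended INET-IN
 deny   ip 10.0.0.0 0.255.255.255 any
 permit tcp any host 203.0.113.10 eq 443
 permit tcp any host 203.0.113.10 eq 23
 deny   ip any any log
!
line vty 0 4
 transport input ssh telnet
!
end
"""

# Lines that legitimately differ between the two views (banner text, byte
# counters) and must not be reported as drift. Comment/separator lines
# starting with "!" are dropped too, since they carry no configuration.
VOLATILE = re.compile(r"^(Building configuration|Current configuration|Using \d+ out of)")

def normalize(config: str) -> list:
    out = []
    for line in config.splitlines():
        line = line.rstrip()
        if not line or line.startswith("!") or VOLATILE.match(line):
            continue
        out.append(line)
    return out

def config_drift(running: str, startup: str) -> list:
    """Return the changed lines ("-" = only in startup, "+" = only in running).
    An empty list means the two configurations are synchronized."""
    diff = difflib.unified_diff(normalize(startup), normalize(running),
                                fromfile="startup-config", tofile="running-config",
                                lineterm="", n=0)
    return [l for l in diff
            if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]

def is_synchronized(running: str, startup: str) -> bool:
    return not config_drift(running, startup)

if __name__ == "__main__":
    for line in config_drift(RUNNING, STARTUP):
        print(line)
    print("synchronized:", is_synchronized(RUNNING, STARTUP))
```

The volatile-line filter is deliberately narrow; widening it to swallow every "!" comment is acceptable on IOS because those lines are not configuration, but on platforms where comments carry meaning the filter should be tightened before the diff is trusted as evidence.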
Modified
p. 34
1.2.3.a Examine firewall and router configurations to verify that there are perimeter firewalls installed between all wireless networks and the cardholder data environment.
Modified
p. 34
Describe how firewall and router configurations were examined to verify perimeter firewalls are in place between all wireless networks and the cardholder data environment.
Modified
p. 34
Indicate whether traffic between the wireless environment and the cardholder data environment is necessary for business purposes. (yes/no) <Report Findings Here> Describe how firewall and/or router configurations were observed to verify firewalls deny all traffic from any wireless environment into the cardholder environment.
Modified
p. 34
<Report Findings Here> Describe how firewall and/or router configurations were observed to verify firewalls permit only authorized traffic from any wireless environment into the cardholder environment.
Removed
p. 35
Describe how the firewall and router configurations were examined to verify that configurations limit inbound Internet traffic to IP addresses within the DMZ.
Modified
p. 35
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 1.3.1 Examine firewall and router configurations to verify that a DMZ is implemented to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports. ☐ ☐ ☐ ☐ ☐ 1.3.1 Examine firewall and router configurations to verify that a DMZ is implemented to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and …
Modified
p. 35
Describe how the firewall and router configurations were examined to verify that configurations limit inbound Internet traffic to IP addresses within the DMZ.
Modified
p. 35
<Report Findings Here> 1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ.
<Report Findings Here> 1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ. ☐ ☐ ☐ ☐ ☐ 1.3.2 Examine firewall and router configurations to verify that inbound Internet traffic is limited to IP addresses within the DMZ.
Modified
p. 35
<Report Findings Here> 1.3.3 Do not allow any direct connections inbound or outbound for traffic between the Internet and the cardholder data environment.
<Report Findings Here> 1.3.3 Do not allow any direct connections inbound or outbound for traffic between the Internet and the cardholder data environment. ☐ ☐ ☐ ☐ ☐ 1.3.3 Examine firewall and router configurations to verify direct connections inbound or outbound are not allowed for traffic between the Internet and the cardholder data environment.
Modified
p. 35
(For example, block traffic originating from the Internet with an internal source address) 1.3.4 Examine firewall and router configurations to verify that anti-spoofing measures are implemented, for example internal addresses cannot pass from the Internet into the DMZ.
(For example, block traffic originating from the Internet with an internal source address) ☐ ☐ ☐ ☐ ☐ 1.3.4 Examine firewall and router configurations to verify that anti-spoofing measures are implemented, for example internal addresses cannot pass from the Internet into the DMZ.
Modified
p. 35
Describe how firewall and router configurations were examined to verify that anti-spoofing measures are implemented.
Modified
p. 35
<Report Findings Here> Describe the anti-spoofing measures implemented <Report Findings Here> 1.3.5 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.
<Report Findings Here> Describe the anti-spoofing measures implemented <Report Findings Here> 1.3.5 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet. ☐ ☐ ☐ ☐ ☐
Removed
p. 36
Identify whether any system components store cardholder data. (yes/no) <Report Findings Here> Describe how firewall and router configurations were examined to verify that the system components that store cardholder data are located on an internal network zone, and are segregated from the DMZ and other untrusted networks.
Modified
p. 36
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 1.3.5 Examine firewall and router configurations to verify that outbound traffic from the cardholder data environment to the Internet is explicitly authorized.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 1.3.5 Examine firewall and router configurations to verify that outbound traffic from the cardholder data environment to the Internet is explicitly authorized.
Modified
p. 36
Describe how firewall and router configurations were examined to verify that outbound traffic from the cardholder data environment to the Internet is explicitly authorized.
Modified
p. 36
<Report Findings Here> 1.3.6 Implement stateful inspection, also known as dynamic packet filtering. (That is, only “established” connections are allowed into the network.) 1.3.6 Examine firewall and router configurations to verify that the firewall performs stateful inspection (dynamic packet filtering). (Only established connections should be allowed in, and only if they are associated with a previously established session.) Describe how firewall and router configurations were examined to verify that the firewall performs stateful inspection.
<Report Findings Here> 1.3.6 Implement stateful inspection, also known as dynamic packet filtering. (That is, only “established” connections are allowed into the network.) ☐ ☐ ☐ ☐ ☐ 1.3.6 Examine firewall and router configurations to verify that the firewall performs stateful inspection (dynamic packet filtering). (Only established connections should be allowed in, and only if they are associated with a previously established session.) Describe how firewall and router configurations were examined to verify that the firewall performs stateful inspection.
Modified
p. 36
<Report Findings Here> Describe how observed firewall configurations implement stateful inspection <Report Findings Here> 1.3.7 Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks.
<Report Findings Here> Describe how observed firewall configurations implement stateful inspection <Report Findings Here> 1.3.7 Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks. ☐ ☐ ☐ ☐ ☐ 1.3.7 Examine firewall and router configurations to verify that system components that store cardholder data are on an internal network zone, segregated from the DMZ and other untrusted networks.
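Requirements 1.3.1 through 1.3.5 above are each verified by examining firewall and router configurations, and the reporting instructions ask the assessor to describe how that examination was done. The script below is an added example, not part of the ROC template or any PCI SSC material, of turning those requirements into test packets evaluated against a ruleset. The topology, interface names, rules and addresses are constructed (documentation ranges stand in for Internet hosts); first-match semantics with an implicit deny are assumed, and stateful return traffic (1.3.6) is not modelled. The weak ruleset is the "before" case, with the two defects the cases expose: no anti-spoofing deny on the outside interface (1.3.4) and a blanket outbound permit from the CDE (1.3.5).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    in_if: str            # interface the packet arrives on: "outside", "dmz" or "inside"
    src: str              # source CIDR or "any"
    dst: str              # destination CIDR or "any"
    dport: Optional[int]  # TCP/UDP destination port; None matches any port
    action: str           # "permit" or "deny"

def _match(cidr: str, addr) -> bool:
    return cidr == "any" or addr in ipaddress.ip_network(cidr)

def evaluate(rules, in_if, src, dst, dport) -> str:
    """First-match evaluation with an implicit deny at the end (the usual
    firewall semantics). Stateful return traffic is not modelled."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (r.in_if == in_if and _match(r.src, s) and _match(r.dst, d)
                and (r.dport is None or r.dport == dport)):
            return r.action
    return "deny"

# Constructed topology (assumed, not a real network):
#   outside = Internet-facing interface; 198.51.100.0/24 and 203.0.113.0/24 play Internet hosts
#   dmz     = 192.168.10.0/24, public web server 192.168.10.10
#   inside  = 10.10.0.0/16 (the CDE), card database 10.10.5.20
WEAK = [
    Rule("outside", "any", "192.168.10.10/32", 443, "permit"),
    Rule("outside", "any", "192.168.10.10/32", 80, "permit"),
    Rule("dmz", "192.168.10.10/32", "10.10.5.20/32", 5432, "permit"),
    Rule("inside", "10.10.0.0/16", "any", None, "permit"),   # 1.3.5 defect: unrestricted outbound
]

HARDENED = [
    Rule("outside", "10.0.0.0/8", "any", None, "deny"),      # 1.3.4: drop spoofed internal sources
    Rule("outside", "172.16.0.0/12", "any", None, "deny"),
    Rule("outside", "192.168.0.0/16", "any", None, "deny"),
    Rule("outside", "any", "192.168.10.10/32", 443, "permit"),
    Rule("outside", "any", "192.168.10.10/32", 80, "permit"),
    Rule("dmz", "192.168.10.10/32", "10.10.5.20/32", 5432, "permit"),
    Rule("inside", "10.10.5.20/32", "203.0.113.50/32", 443, "permit"),  # 1.3.5: explicit authorization only
]

# (description, requirement, ingress interface, src, dst, dport, expected action)
CASES = [
    ("Internet to public web tier",         "1.3.1", "outside", "198.51.100.7", "192.168.10.10", 443,  "permit"),
    ("Internet directly to CDE database",   "1.3.3", "outside", "198.51.100.7", "10.10.5.20",    5432, "deny"),
    ("Internet with spoofed inside source", "1.3.4", "outside", "10.10.5.99",   "192.168.10.10", 443,  "deny"),
    ("CDE to unauthorized Internet host",   "1.3.5", "inside",  "10.10.5.20",   "198.51.100.9",  443,  "deny"),
    ("CDE to authorized Internet host",     "1.3.5", "inside",  "10.10.5.20",   "203.0.113.50",  443,  "permit"),
]

def audit(rules) -> list:
    """Return (description, requirement) for every case the ruleset fails."""
    failures = []
    for desc, req, in_if, src, dst, dport, expected in CASES:
        if evaluate(rules, in_if, src, dst, dport) != expected:
            failures.append((desc, req))
    return failures

if __name__ == "__main__":
    for name, rules in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, "fails:", audit(rules) or "none")
```

Recording the cases and outcomes in the ROC gives the "describe how configurations were examined" cells something concrete; the same cases can be replayed against the device itself with its packet-tracer or policy-lookup command where the platform offers one.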
Removed
p. 37
Note: Methods to obscure IP addressing may include, but are not limited to: Network Address Translation (NAT), Placing servers containing cardholder data behind proxy servers/firewalls, Removal or filtering of route advertisements for private networks that employ registered addressing, Internal use of RFC1918 address space instead of registered addresses.
Modified
p. 37 → 36
1.3.8.a Examine firewall and router configurations to verify that methods are in place to prevent the disclosure of private IP addresses and routing information from internal networks to the Internet.
1.3.8.a Examine firewall and router configurations to verify that methods are in place to prevent the disclosure of Describe the methods in place to prevent the disclosure of private IP addresses and routing information from internal networks to the Internet.
Modified
p. 37 → 36
<Report Findings Here> Describe how firewall and router configurations were examined to verify that methods are in place to prevent the disclosure of private IP addresses and routing information from internal networks to the Internet.
<Report Findings Here> 1.3.8 Do not disclose private IP addresses and routing information to unauthorized parties.
Modified
p. 37
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 1.3.8 Do not disclose private IP addresses and routing information to unauthorized parties.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested Place private IP addresses and routing information from internal networks to the Internet.
Modified
p. 37
Describe how firewall and router configurations were examined to verify that methods are in place to prevent the disclosure of private IP addresses and routing information from internal networks to the Internet.
Modified
p. 37
Identify the document reviewed that specifies whether any disclosure of private IP addresses and routing information to external parties is permitted.
Modified
p. 37
<Report Findings Here> For each permitted disclosure, identify the responsible personnel interviewed who confirm that the disclosure is authorized.
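Requirement 1.3.8 (and the note removed from the v3.1 template listing NAT, proxies, route-advertisement filtering and RFC1918 addressing as ways to obscure internal addressing) is about what an unauthorized party can learn from the outside. The script below is an added example, not part of the ROC template or any PCI SSC material, of the check a tester runs against the public tier: scan what the server returns for RFC1918 addresses in redirects, proxy headers and error pages. The HTTP responses, hostnames and addresses are constructed for the example.

```python
import ipaddress
import re

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed raw HTTP responses as seen by an external client (not from the
# template). Each name describes the disclosure path it illustrates.
SAMPLES = {
    "redirect": (
        "HTTP/1.1 302 Found\r\n"
        "Location: http://10.10.5.20/login\r\n"        # internal address in a redirect
        "Server: Apache\r\n\r\n"
    ),
    "proxy": (
        "HTTP/1.1 200 OK\r\n"
        "Via: 1.1 192.168.10.5 (squid)\r\n"            # proxy names itself by internal address
        "Content-Type: text/html\r\n\r\n<html>ok</html>"
    ),
    "clean": (
        "HTTP/1.1 200 OK\r\n"
        "Location: https://shop.example.com/\r\n"
        "Content-Type: text/html\r\n\r\n<html>ok</html>"
    ),
    "error": (
        "HTTP/1.1 500 Internal Server Error\r\n"
        "Content-Type: text/html\r\n\r\n"
        "<html>Could not connect to 172.20.3.7:5432</html>"   # backend leaked by an error page
    ),
}

def private_addresses(text: str) -> list:
    """Return the distinct RFC1918 IPv4 addresses that appear in text."""
    found = []
    for m in IPV4.findall(text):
        try:
            ip = ipaddress.ip_address(m)
        except ValueError:
            continue   # matched the regex but is not a valid address (e.g. 999.1.1.1)
        if any(ip in net for net in RFC1918) and m not in found:
            found.append(m)
    return found

def leaks(samples: dict) -> dict:
    """Map each sample name to the private addresses it discloses; clean samples are omitted."""
    result = {}
    for name, body in samples.items():
        addrs = private_addresses(body)
        if addrs:
            result[name] = addrs
    return result

if __name__ == "__main__":
    for name, addrs in leaks(SAMPLES).items():
        print(f"{name}: discloses {', '.join(addrs)}")
```

A hit here is not automatically a finding against 1.3.8: the reporting instruction above allows documented, authorized disclosures, so each address found should be matched against that document before it is written up.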
Modified
p. 37
• Personal firewall software is actively running.
Modified
p. 37
• Personal firewall software is not alterable by users of mobile and/or employee-owned devices.
Modified
p. 38
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 1.4.a Examine policies and configuration standards to verify:
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 1.4.a Examine policies and configuration standards to verify:
Modified
p. 38
• Personal firewall software is required for all mobile and/or employee-owned devices that connect to the Internet when outside the network, and which are also used to access the network.
Modified
p. 38
• Personal firewall software is configured to actively run.
Modified
p. 38
• Personal firewall software is configured to actively run.
Modified
p. 38
• Personal firewall software is configured to not be alterable by users of mobile and/or employee-owned devices.
Modified
p. 38
• Personal firewall software is configured to not be alterable by users of mobile and/or employee-owned devices.
Modified
p. 38
Indicate whether mobile and/or employee-owned computers with direct connectivity to the Internet when outside the network are used to access the organization’s network. (yes/no) <Report Findings Here> If “no,” identify the document reviewed that explicitly prohibits mobile and/or employee-owned computers with direct connectivity to the Internet when outside the network from being used to access the organization’s network.
Modified
p. 38
• Personal firewall software is required for all mobile and/or employee-owned devices that connect to the Internet when outside the network, (for example, laptops used by employees), and which are also used to access the network.
Removed
p. 39
<Report Findings Here> Identify responsible personnel interviewed who confirm that the above documented security policies and operational procedures for managing firewalls are:
Modified
p. 39
• Personal firewall software is actively running.
Modified
p. 39
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 1.4.b Inspect a sample of mobile and/or employee-owned devices to verify that:
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 1.4.b Inspect a sample of mobile and/or employee-owned devices to verify that:
Modified
p. 39
• Personal firewall software is installed and configured per the organization’s specific configuration settings.
Modified
p. 39
• Personal firewall software is not alterable by users of mobile and/or employee-owned devices.
Modified
p. 39
Identify the sample of mobile and/or employee-owned devices selected for this testing procedure.
Modified
p. 39
<Report Findings Here> Actively running. <Report Findings Here> Not alterable by users of mobile and/or employee-owned devices.
Modified
p. 39
<Report Findings Here> 1.5 Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties.
<Report Findings Here> 1.5 Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties. ☐ ☐ ☐ ☐ ☐ 1.5 Examine documentation and interview personnel to verify that security policies and operational procedures for managing firewalls are:
Modified
p. 39
<Report Findings Here> Identify responsible personnel interviewed who confirm that the above documented security policies and operational procedures for managing firewalls are:
Removed
p. 40
<Report Findings Here> Identify the vendor manuals and sources on the Internet used to find vendor-supplied accounts/passwords.
Modified
p. 40
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 2.1 Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 2.1 Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.
Modified
p. 40
2.1.a Choose a sample of system components, and attempt to log on (with system administrator help) to the devices and applications using default vendor-supplied accounts and passwords, to verify that ALL default passwords (including those on operating systems, software that provides security services, application and system accounts, POS terminals, and Simple Network Management Protocol (SNMP) community strings) have been changed. (Use vendor manuals and sources on the Internet to find vendor-supplied accounts/passwords.) Identify the sample of system components selected.
2.1.a Choose a sample of system components, and attempt to log on (with system administrator help) to the devices and applications using default vendor-supplied accounts and passwords, to verify that ALL default passwords (including those on operating systems, software that provides security services, application and system accounts, POS terminals, and Simple Network Management Protocol (SNMP) community strings) have been changed. (Use vendor manuals and sources on the Internet to find vendor-supplied accounts/passwords.) Identify the sample of system components selected. …
Modified
p. 40
<Report Findings Here> For each item in the sample, describe how attempts to log on (with system administrator help) to the sample of devices and applications using default vendor-supplied accounts and passwords were performed to verify that all default passwords have been changed.
Modified
p. 41
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 2.1.c Interview personnel and examine supporting documentation to verify that:
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 2.1.c Interview personnel and examine supporting documentation to verify that:
Modified
p. 41
• All vendor defaults (including default passwords on operating systems, software providing security services, application and system accounts, POS terminals, Simple Network Management Protocol (SNMP) community strings, etc.) are changed before a system is installed on the network.
Modified
p. 41
• All vendor defaults (including default passwords on operating systems, software providing security services, application and system accounts, POS terminals, Simple Network Management Protocol (SNMP) community strings, etc.) are changed before a system is installed on the network.
Modified
p. 41
• Unnecessary default accounts (including accounts used by operating systems, security software, applications, systems, POS terminals, SNMP, etc.) are removed or disabled before a system is installed on the network.
Modified
p. 41
• Unnecessary default accounts (including accounts used by operating systems, security software, applications, systems, POS terminals, SNMP, etc.) are removed or disabled before a system is installed on the network.
Modified
p. 41
Identify responsible personnel interviewed who verify that:
Modified
p. 41
<Report Findings Here> Identify supporting documentation examined for this testing procedure.
Modified
p. 41
<Report Findings Here> Describe how the supporting documentation was examined to verify that:
<Report Findings Here> Describe how the supporting documentation examined verified that:
Removed
p. 42
<Report Findings Here> Identify responsible personnel interviewed who verify that encryption keys are changed:
From default at installation Anytime anyone with knowledge of the keys leaves the company or changes positions.
Modified
p. 42 → 41
• Encryption keys are changed anytime Indicate whether there are wireless environments connected to the cardholder data environment or transmitting cardholder data. (yes/no) If “no,” mark 2.1.1 as “Not Applicable” and proceed to 2.2.
Modified
p. 42
<Report Findings Here> Identify supporting documentation examined for this testing procedure.
Modified
p. 42
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 2.1.1.a Interview responsible personnel and examine supporting documentation to verify that:
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested Identify responsible personnel interviewed who verify that encryption keys are changed:
Modified
p. 42
• Anytime anyone with knowledge of the keys leaves the company or changes positions.
Removed
p. 43
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 2.1.1.b Interview personnel and examine policies and procedures to verify:
Default SNMP community strings are not used. Default passwords/passphrases on access points are not used.
Modified
p. 43 → 42
Identify responsible personnel interviewed who verify that:
Modified
p. 43 → 42
• Default passwords/phrases on access points are required to be changed upon installation.
Modified
p. 43 → 42
• Default SNMP community strings are required to be changed upon installation.
Modified
p. 43 → 42
• Default SNMP community strings are required to be changed upon installation.
Modified
p. 43 → 42
• Default passwords/phrases on access points are required to be changed upon installation.
Modified
p. 43 → 42
• Default passwords/phrases on access points are required to be changed upon installation.
Modified
p. 43 → 42
<Report Findings Here> Identify policies and procedures examined to verify that:
Modified
p. 43 → 42
Identify vendor documentation examined for this testing procedure.
Modified
p. 43
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested Describe how examined vendor documentation was used to attempt to login to wireless devices (with system administrator help) to verify:
Modified
p. 43
• Transmission over wireless networks Identify vendor documentation examined for this testing procedure.
Modified
p. 43
Authentication over wireless networks. <Report Findings Here> Transmission over wireless networks. <Report Findings Here>
Authentication over wireless networks. <Report Findings Here> Transmission over wireless networks. <Report Findings Here> 2.1.1.e Examine vendor documentation and observe wireless configuration settings to verify other security-related wireless vendor defaults were changed, if applicable.
Removed
p. 44
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 2.1.1.e Examine vendor documentation and observe wireless configuration settings to verify other security-related wireless vendor defaults were changed, if applicable.
Center for Internet Security (CIS) International Organization for Standardization (ISO) SysAdmin Audit Network Security (SANS) Institute National Institute of Standards Technology (NIST) 2.2.a Examine the organization’s system configuration standards for all types of system components and verify the system configuration standards are consistent with industry-accepted hardening standards.
<Report Findings Here> Identify the industry-accepted hardening standards the system configuration standards were verified to be consistent with.
Modified
p. 44 → 43
Identify vendor documentation examined for this testing procedure.
Modified
p. 44 → 43
<Report Findings Here> Describe how wireless configuration settings were observed with examined vendor documentation to verify other security-related wireless vendor defaults were changed, if applicable.
Modified
p. 44
Identify the industry-accepted hardening standards the system configuration standards were verified to be consistent with.
Modified
p. 44
Identify the policy documentation verified to define that system configuration standards are updated as new vulnerability issues are identified <Report Findings Here> Identify the personnel interviewed for this testing procedure.
Modified
p. 44
<Report Findings Here> For the interview, summarize the relevant details discussed that verify that the process is implemented.
Modified
p. 45 → 44
<Report Findings Here> 2.2.c Examine policies and interview personnel to verify that system configuration standards are applied when new systems are configured and verified as being in place before a system is installed on the network.
Modified
p. 45 → 44
Identify the policy documentation examined to verify it defines that system configuration standards are applied when new systems are configured and verified as being in place before a system is installed on the network <Report Findings Here> Identify the personnel interviewed for this testing procedure.
Removed
p. 46
Changing of all vendor-supplied defaults and elimination of unnecessary default accounts Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same server Enabling only necessary services, protocols, daemons, etc., as required for the function of the system Implementing additional security features for any required services, protocols or daemons that are considered to be insecure Configuring system security parameters to prevent misuse Removing all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers Identify the system configuration standards for all types of system components that include the following procedures:
Changing of all vendor-supplied defaults and elimination of unnecessary default accounts Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same server Enabling only necessary services, protocols, …
Modified
p. 46 → 45
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 2.2.d Verify that system configuration standards include the following procedures for all types of system components:
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 2.2.d Verify that system configuration standards include the following procedures for all types of system components:
Modified
p. 47 → 45
• Removing all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers <Report Findings Here> 2.2.1 Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. (For example, web servers, database servers, and DNS should be implemented on separate servers.)
Modified
p. 47 → 45
Identify the sample of system components observed.
Modified
p. 47 → 45
<Report Findings Here> For each item in the sample, describe how system configurations were inspected to verify that only one primary function per server is implemented.
Modified
p. 47 → 46
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 2.2.1.b If virtualization technologies are used, inspect the system configurations to verify that only one primary function is implemented per virtual system component or device.
Modified
p. 47 → 46
Indicate whether virtualization technologies are used. (yes/no) <Report Findings Here> If “no,” describe how systems were observed to verify that no virtualization technologies are used.
Modified
p. 47 → 46
<Report Findings Here> Identify the functions for which virtualization technologies are used.
<Report Findings Here> Identify the functions for which virtualization technologies are used.
Modified
p. 47 → 46
<Report Findings Here> Identify the sample of virtual system components or devices observed.
<Report Findings Here> Identify the sample of virtual system components or devices observed.
Modified
p. 47 → 46
<Report Findings Here> For each virtual system component and device in the sample, describe how the system configurations were inspected to verify that only one primary function is implemented per virtual system component or device.
<Report Findings Here> For each virtual system component and device in the sample, describe how the system configurations were inspected to verify that only one primary function is implemented per virtual system component or device.
Modified
p. 47 → 46
<Report Findings Here> 2.2.2 Enable only necessary services, protocols, daemons, etc., as required for the function of the system.
<Report Findings Here> 2.2.2 Enable only necessary services, protocols, daemons, etc., as required for the function of the system. ☐ ☐ ☐ ☐ ☐ 2.2.2.a Select a sample of system components and inspect enabled system services, daemons, and protocols to verify that only necessary services or protocols are enabled.
Removed
p. 48
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 2.2.2.a Select a sample of system components and inspect enabled system services, daemons, and protocols to verify that only necessary services or protocols are enabled.
Removed
p. 48
Documented <Report Findings Here> Implemented <Report Findings Here> 2.2.4 Configure system security parameters to prevent misuse.
Modified
p. 48 → 46
<Report Findings Here> For each item in the sample, describe how the enabled system services, daemons, and protocols were inspected to verify that only necessary services or protocols are enabled.
Identify the sample of system components selected. <Report Findings Here> For each item in the sample, describe how the enabled system services, daemons, and protocols were inspected to verify that only necessary services or protocols are enabled.
Modified
p. 48 → 46
For each item in the sample of system components from 2.2.2.a, indicate whether any insecure services, daemons, or protocols are enabled. (yes/no) If “no,” mark the remainder of 2.2.2.b and 2.2.3 as “Not Applicable.” <Report Findings Here> If “yes,” identify responsible personnel interviewed who confirm that a documented business justification was present for each insecure service, daemon, or protocol <Report Findings Here>
Modified
p. 48 → 47
If “yes” at 2.2.b, perform the following:
If “yes” at 2.2.2.b, perform the following:
Modified
p. 48 → 47
Identify configuration settings inspected. <Report Findings Here> Describe how configuration settings were inspected to verify that security features for all insecure services, daemons, or protocols are:
Removed
p. 49
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 2.2.4.a Interview system administrators and/or security managers to verify that they have knowledge of common security parameter settings for system components.
<Report Findings Here> For each item in the sample, describe how the common security parameters were inspected to verify that they are set appropriately and in accordance with the configuration standards.
<Report Findings Here> For each item in the sample, describe how the common security parameters were inspected to verify that they are set appropriately and in accordance with the configuration standards.
Modified
p. 49 → 48
Identify the system administrators and/or security managers interviewed for this testing procedure.
Modified
p. 49 → 48
<Report Findings Here> For the interview, summarize the relevant details discussed to verify that they have knowledge of common security parameter settings for system components.
<Report Findings Here> For the interview, summarize the relevant details discussed to verify that they have knowledge of common security parameter settings for system components.
Modified
p. 49 → 48
Identify the system configuration standards examined to verify that common security parameter settings are included.
Modified
p. 49 → 48
<Report Findings Here> 2.2.4.c Select a sample of system Identify the sample of system components selected. <Report Findings Here>
Modified
p. 49
For each item in the sample, describe how the common security parameters were inspected to verify that they are set appropriately and in accordance with the configuration standards.
Modified
p. 49
<Report Findings Here> 2.2.5 Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.
<Report Findings Here> 2.2.5 Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers. ☐ ☐ ☐ ☐ ☐ 2.2.5.a Select a sample of system components and inspect the configurations to verify that all unnecessary functionality (for example, scripts, drivers, features, subsystems, file systems, etc.) is removed.
Modified
p. 49
<Report Findings Here> For each item in the sample, describe how the configurations were inspected to verify that all unnecessary functionality is removed.
Identify the sample of system components selected. <Report Findings Here> For each item in the sample, describe how the configurations were inspected to verify that all unnecessary functionality is removed.
Modified
p. 49
Documented <Report Findings Here> Support secure configuration <Report Findings Here>
Documented <Report Findings Here> Support secure configuration <Report Findings Here> 2.2.5.c. Examine the documentation and security parameters to verify that only documented functionality is present on the sampled system components.
Modified
p. 50 → 49
Identify documentation examined for this testing procedure.
Modified
p. 50 → 49
<Report Findings Here> Describe how the security parameters were examined with relevant documentation to verify that only documented functionality is present on the sampled system components from 2.2.5.a.
<Report Findings Here> Describe how the security parameters were examined with relevant documentation to verify that only documented functionality is present on the sampled system components from 2.2.5.a.
Modified
p. 50 → 49
<Report Findings Here> 2.3 Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.
<Report Findings Here> 2.3 Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or TLS for web-based management and other non-console administrative access.
Modified
p. 50
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 2.2.5.c. Examine the documentation and security parameters to verify that only documented functionality is present on the sampled system components.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 2.3 Select a sample of system components and verify that non-console administrative access is encrypted by performing the following:
Modified
p. 50
Identify the sample of system components selected for 2.3.a-2.3.d to verify that non-console administrative access is encrypted <Report Findings Here> 2.3.a Observe an administrator log on to each system and examine system configurations to verify that a strong encryption method is invoked before the administrator’s password is requested.
Modified
p. 50
Describe how the administrator log on for each system was observed to verify that a strong encryption method is invoked before the administrator’s password is requested.
Modified
p. 50
<Report Findings Here> Describe how system configurations for each system were examined to verify that a strong encryption method is invoked before the administrator’s password is requested.
<Report Findings Here> Describe how system configurations for each system were examined to verify that a strong encryption method is invoked before the administrator’s password is requested.
Modified
p. 50
<Report Findings Here> Identify the strong encryption method used for non-console administrative access.
<Report Findings Here> Identify the strong encryption method used for non-console administrative access.
Modified
p. 50
Describe how services on systems were reviewed to determine that Telnet and other insecure remote-login commands are not available for non-console access.
Modified
p. 51 → 50
<Report Findings Here> Describe how parameter files on systems were reviewed to determine that Telnet and other insecure remote-login commands are not available for non-console access.
Modified
p. 51 → 50
<Report Findings Here> 2.3.c Observe an administrator log on to each system to verify that administrator access to any web-based management interfaces is encrypted with strong cryptography.
<Report Findings Here> 2.3.c Observe an administrator log on to each system to verify that administrator access to any web-based management For each item in the sample from 2.3:
Modified
p. 51
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested Describe how the administrator log on to each system was observed to verify that administrator access to any web-based management interfaces was encrypted with strong cryptography.
Modified
p. 51
<Report Findings Here> Identify the strong encryption method used for any web-based management interfaces.
<Report Findings Here> Identify the strong encryption method used for any web-based management interfaces.
Modified
p. 51
Identify the vendor documentation examined to verify that strong cryptography for the technology in use is implemented according to industry best practices and/or vendor recommendations.
Modified
p. 51
<Report Findings Here> For the interview, summarize the relevant details discussed that verify that strong cryptography for the technology in use is implemented according to industry best practices and/or vendor recommendations.
<Report Findings Here> For the interview, summarize the relevant details discussed that verify that strong cryptography for the technology in use is implemented according to industry best practices and/or vendor recommendations.
Modified
p. 51 → 52
<Report Findings Here> 2.4 Maintain an inventory of system components that are in scope for PCI DSS.
<Report Findings Here> 2.4 Maintain an inventory of system components that are in scope for PCI DSS. ☐ ☐ ☐ ☐ ☐ 2.4.a Examine system inventory to verify that a list of hardware and software components is maintained and includes a description of function/use for each.
Modified
p. 51 → 52
Maintained <Report Findings Here> Includes a description of function/use for each <Report Findings Here>
Maintained <Report Findings Here> Includes a description of function/use for each <Report Findings Here> 2.4.b Interview personnel to verify the documented inventory is kept current.
Removed
p. 52
Identify the document reviewed to verify that security policies and operational procedures for managing vendor defaults and other security parameters are documented.
Modified
p. 52
<Report Findings Here> For the interview, summarize the relevant details discussed that verify that the documented inventory is kept current.
<Report Findings Here> For the interview, summarize the relevant details discussed that verify that the documented inventory is kept current.
Modified
p. 52
<Report Findings Here> 2.5 Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties.
<Report Findings Here> 2.5 Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties. ☐ ☐ ☐ ☐ ☐
Modified
p. 52 → 53
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 2.4.b Interview personnel to verify the documented inventory is kept current.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 2.5 Examine documentation and interview personnel to verify that security policies and operational procedures for managing vendor defaults and other security parameters are:
Modified
p. 52 → 53
<Report Findings Here> Identify responsible personnel interviewed who confirm that the above documented security policies and operational procedures for managing vendor defaults and other security parameters are:
<Report Findings Here> Identify responsible personnel interviewed who confirm that the above documented security policies and operational procedures for managing vendor defaults and other security parameters are:
Modified
p. 52 → 53
• Known to all affected parties <Report Findings Here> 2.6 Shared hosting providers must protect each entity’s hosted environment and cardholder data. These providers must meet specific requirements as detailed in Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers. ☐ ☐ ☐ ☐ ☐ 2.6 Perform testing procedures A.1.1 through A.1.4 detailed in Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers for PCI DSS assessments of shared hosting providers, to verify that shared hosting providers protect …
Modified
p. 52 → 53
Indicate whether the assessed entity is a shared hosting provider. (yes/no) <Report Findings Here> If “yes,” provide the name of the assessor who attests that Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers has been completed.
Modified
p. 53 → 54
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 3.1 Keep cardholder data storage to a minimum by implementing data-retention and disposal policies, procedures and processes that include at least the following for all CHD storage:
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 3.1 Keep cardholder data storage to a minimum by implementing data-retention and disposal policies, procedures and processes that include at least the following for all CHD storage:
Modified
p. 53 → 54
• Limiting data storage amount and retention time to that which is required for legal, regulatory, and/or business requirements.
Modified
p. 53 → 54
• Processes for secure deletion of data when no longer needed.
Modified
p. 53 → 54
• Specific retention requirements for cardholder data
Modified
p. 53 → 54
• A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention.
Removed
p. 54
Legal, regulatory, and business requirements for data retention, including: - Specific requirements for retention of cardholder data (for example, cardholder data needs to be held for X period for Y business reasons). - Secure deletion of cardholder data when no longer needed for legal, regulatory, or business reasons. - Coverage for all storage of cardholder data.
Modified
p. 54
• Specific requirements for retention of cardholder data (for example, cardholder data needs to be held for X period for Y business reasons).
Modified
p. 54
• A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention requirements.
Modified
p. 54
Identify the data-retention and disposal documentation examined to verify policies, procedures, and processes define the following for all cardholder data (CHD) storage:
Modified
p. 54
• A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention requirements.
Modified
p. 54 → 55
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 3.1.a Examine the data-retention and disposal policies, procedures and processes to verify they include at least the following:
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 3.1.b Interview personnel to verify that:
Removed
p. 55
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 3.1.b Interview personnel to verify that:
Modified
p. 55
• All locations of stored cardholder data are included in the data-retention and disposal processes.
Modified
p. 55
• All locations of stored cardholder data are included in the data-retention and disposal processes.
Modified
p. 55
• Either a quarterly automatic or manual process is in place to identify and securely delete stored cardholder data.
Modified
p. 55
• Either a quarterly automatic or manual process is in place to identify and securely delete stored cardholder data.
Modified
p. 55
• The quarterly automatic or manual process is performed for all locations of cardholder data.
Modified
p. 55
• The quarterly automatic or manual process is performed for all locations of cardholder data.
Modified
p. 55
Identify the personnel interviewed who confirm that:
Modified
p. 55
<Report Findings Here> Describe the quarterly process in place to identify and securely delete stored cardholder data, including whether it is an automatic or manual process.
<Report Findings Here> Describe the quarterly process in place to identify and securely delete stored cardholder data, including whether it is an automatic or manual process.
Modified
p. 56
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 3.1.c For a sample of system components that store cardholder data:
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 3.1.c For a sample of system components that store cardholder data:
Modified
p. 56
• Examine files and system records to verify that the data stored does not exceed the requirements defined in the data-retention policy.
Modified
p. 56
• Observe the deletion mechanism to verify data is deleted securely.
Modified
p. 56
Identify the sample of system components selected.
Modified
p. 56
<Report Findings Here> For each item in the sample, describe how files and system records were examined to verify that the data stored does not exceed the requirements defined in the data-retention policy.
<Report Findings Here> For each item in the sample, describe how files and system records were examined to verify that the data stored does not exceed the requirements defined in the data-retention policy.
Modified
p. 56
<Report Findings Here> Describe how the deletion mechanism was observed to verify data is deleted securely.
<Report Findings Here> Describe how the deletion mechanism was observed to verify data is deleted securely.
Modified
p. 56
It is permissible for issuers and companies that support issuing services to store sensitive authentication data if: There is a business justification, and The data is stored securely.
It is permissible for issuers and companies that support issuing services to store sensitive authentication data if: • There is a business justification, and
Modified
p. 56
Indicate whether the assessed entity is an issuer or supports issuing service. (yes/no) <Report Findings Here> If “yes,” complete the responses for 3.2.a and 3.2.b and mark 3.2.c and 3.2.d as “Not Applicable.” If “no,” mark the remainder of 3.2.a and 3.2.b as “Not Applicable” and proceed to 3.2.c and 3.2.d.
Modified
p. 56
Identify the documentation reviewed to verify there is a documented business justification for the storage of sensitive authentication data.
Modified
p. 56
<Report Findings Here> Identify the interviewed personnel who confirm there is a documented business justification for the storage of sensitive authentication data.
<Report Findings Here> Identify the interviewed personnel who confirm there is a documented business justification for the storage of sensitive authentication data.
Modified
p. 56
<Report Findings Here> For the interview, summarize the relevant details of the business justification described.
<Report Findings Here> For the interview, summarize the relevant details of the business justification described.
Modified
p. 57
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 3.2.b For issuers and/or companies that support issuing services and store sensitive authentication data, examine data stores and system configurations to verify that the sensitive authentication data is secured.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested Place verify that the sensitive authentication data is secured.
Modified
p. 57
Describe how the data stores and system configurations were examined to verify that the sensitive authentication data is secured.
Modified
p. 57
Indicate whether sensitive authentication data is received. (yes/no) <Report Findings Here> If “yes,” complete 3.2.c and 3.2.d.
Modified
p. 57
Identify the document(s) reviewed to verify that it defines that data is not retained after authorization.
Modified
p. 57
<Report Findings Here> Describe how system configurations were examined to verify the data is not retained after authorization.
<Report Findings Here> Describe how system configurations were examined to verify the data is not retained after authorization.
Modified
p. 57
Identify the document(s) reviewed to verify that it defines processes for securely deleting the data to verify that the data is unrecoverable.
Modified
p. 57
<Report Findings Here> Describe how the processes for securely deleting the data were examined to verify that the data is unrecoverable.
<Report Findings Here> Describe how the processes for securely deleting the data were examined to verify that the data is unrecoverable.
Removed
p. 58
Incoming transaction data All logs (for example, transaction, history, debugging, error) History files Trace files Several database schemas Database contents Identify the sample of system components selected for 3.2.1-3.2.3.
Modified
p. 58 → 57
<Report Findings Here> 3.2.1 Do not store the full contents of any track (from the magnetic stripe located on the back of a card, equivalent data contained on a chip, or elsewhere) after authorization. This data is alternatively called full track, track, track 1, track 2, and magnetic-stripe data. Note: In the normal course of business, the following data elements from the magnetic stripe may need to be retained:
Modified
p. 58 → 57
• Service code To minimize risk, store only these data elements as needed for business.
Removed
p. 59
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 3.2.2 Do not store the card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions.
Removed
p. 59
Incoming transaction data All logs (for example, transaction, history, debugging, error) History files Trace files Several database schemas Database contents For each data source type below from the sample of system of components at 3.2.1, summarize the specific examples of each data source type observed to verify that the three-digit or four-digit card verification code or value printed on the front of the card or the signature panel (CVV2, CVC2, CID, CAV2 data) is not stored after authorization. If that type of data source is not present, indicate that in the space.
Modified
p. 59
Incoming transaction data <Report Findings Here> All logs (for example, transaction, history, debugging error) <Report Findings Here> History files <Report Findings Here> Trace files <Report Findings Here> Database schemas <Report Findings Here> Database contents <Report Findings Here> If applicable, any other output observed to be generated <Report Findings Here> 3.2.3 Do not store the personal identification number (PIN) or the encrypted PIN block.
Incoming transaction data <Report Findings Here> All logs (for example, transaction, history, debugging error) <Report Findings Here> History files <Report Findings Here> Trace files <Report Findings Here> Database schemas <Report Findings Here> Database contents <Report Findings Here> If applicable, any other output observed to be generated <Report Findings Here> 3.3 Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed), such that only …
Modified
p. 59
• Database contents For each data source type below from the sample of system of components at 3.2.1, summarize the specific examples of each data source type observed. If that type of data source is not present, indicate that in the space.
Removed
p. 60
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested Place Trace files Several database schemas Database contents If applicable, any other output observed to be generated <Report Findings Here> 3.3 Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see the full PAN.
Identify the document(s) reviewed to verify that written policies and procedures for masking the displays of PANs include the following:
Identify the document(s) reviewed to verify that written policies and procedures for masking the displays of PANs include the following:
Modified
p. 60
Identify the document(s) reviewed to verify that written policies and procedures for masking the displays of PANs include the following:
Modified
p. 60
• A list of roles that need access to displays of full PAN is documented, together with a legitimate business need for each role to have such access.
Modified
p. 60
• A list of roles that need access to displays of full PAN is documented, together with a legitimate business need for each role to have such access.
Modified
p. 60
• PAN must be masked when displayed such that only personnel with a legitimate business need can see the full PAN.
Modified
p. 60
• PAN must be masked when displayed such that only personnel with a legitimate business need can see the full PAN.
Modified
p. 60
• All other roles not specifically authorized to see the full PAN must only see masked PANs.
Modified
p. 60
• All other roles not specifically authorized to see the full PAN must only see masked PANs.
Modified
p. 60
<Report Findings Here> PAN is masked for all other requests. <Report Findings Here> 3.3.c Examine displays of PAN Describe how displays of PAN were examined to verify that:
<Report Findings Here> PAN is masked for all other requests. <Report Findings Here> 3.3.c Examine displays of PAN (for example, on screen, on paper receipts) to verify that PANs are masked when displaying cardholder data, and that only those with a legitimate business need are able to see full PAN.
Removed
p. 61
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested Place (for example, on screen, on paper receipts) to verify that PANs are masked when displaying cardholder data, and that only those with a legitimate business need are able to see full PAN.
Modified
p. 61
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 3.4 Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches:
Modified
p. 61
• One-way hashes based on strong cryptography, (hash must be of the entire PAN).
Modified
p. 61
• Truncation (hashing cannot be used to replace the truncated segment of PAN).
Modified
p. 61
• Index tokens and pads (pads must be securely stored).
Modified
p. 61
• Strong cryptography with associated key-management processes and procedures.
Modified
p. 61
Note: It is a relatively trivial effort for a malicious individual to reconstruct original PAN data if they have access to both the truncated and hashed version of a PAN. Where hashed and truncated versions of the same PAN are present in an entity’s environment, additional controls should be in place to ensure that the hashed and truncated versions cannot be correlated to reconstruct the original PAN.
Note: It is a relatively trivial effort for a malicious individual to reconstruct original PAN data if they have access to both the truncated and hashed version of a PAN. Where hashed and truncated versions of the same PAN are present in an entity’s environment, additional controls must be in place to ensure that the hashed and truncated versions cannot be correlated to reconstruct the original PAN.
Modified
p. 61
3.4.a Examine documentation about the system used to protect the PAN, including the vendor, type of system/process, and the encryption algorithms (if applicable) to verify that the Identify the documentation about the system used to protect the PAN examined.
3.4.a Examine documentation about the system used to protect the PAN, including the vendor, type of system/process, and the encryption algorithms (if applicable) to verify that the PAN is rendered unreadable using any of the following methods:
Modified
p. 61
<Report Findings Here> Briefly describe the documented methods
<Report Findings Here> Briefly describe the documented methods
Removed
p. 62
One-way hashes based on strong cryptography, Truncation Index tokens and pads, with the pads being securely stored Strong cryptography, with associated key-management processes and procedures Identify which of the following methods is used to render the PAN unreadable:
Identify the sample of data repositories selected.
Identify the sample of removable media selected.
Identify the sample of data repositories selected.
Identify the sample of removable media selected.
Modified
p. 62 → 61
• Strong cryptography, with associated key-management processes and procedures <Report Findings Here> 3.4.b Examine several tables or files from a sample of data repositories to verify the PAN is rendered unreadable (that is, not stored in plain-text).
Modified
p. 62 → 61
<Report Findings Here> Identify the tables or files examined for each item in the sample of data repositories.
Identify the sample of data repositories selected. <Report Findings Here> Identify the tables or files examined for each item in the sample of data repositories.
Modified
p. 62 → 61
<Report Findings Here> For each item in the sample, describe how the table or file was examined to verify the PAN is rendered unreadable.
<Report Findings Here> For each item in the sample, describe how the table or file was examined to verify the PAN is rendered unreadable.
Modified
p. 62 → 61
<Report Findings Here> 3.4.c Examine a sample of removable media (for example, backup tapes) to confirm that the PAN is rendered unreadable.
<Report Findings Here> 3.4.c Examine a sample of removable Identify the sample of removable media selected. <Report Findings Here>
Modified
p. 62
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested Place PAN is rendered unreadable using any of the following methods:
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested Place media (for example, backup tapes) to confirm that the PAN is rendered unreadable.
Modified
p. 62
For each item in the sample, describe how the sample of removable media was examined to confirm that the PAN is rendered unreadable.
Modified
p. 62
Identify the sample of audit logs selected. <Report Findings Here> For each item in the sample, describe how the sample of audit logs was examined to confirm that the PAN is rendered unreadable or removed from the logs.
Removed
p. 63
<Report Findings Here> For each disk encryption mechanism in use, describe how the configuration was inspected and the authentication process observed to verify that logical access to encrypted file systems is separate from the native operating system’s authentication mechanism.
<Report Findings Here> Identify the personnel interviewed who confirm that cryptographic keys are stored securely.
<Report Findings Here> Identify the personnel interviewed who confirm that cryptographic keys are stored securely.
Modified
p. 63 → 62
<Report Findings Here> 3.4.1 If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed separately and independently of native operating system authentication and access control mechanisms (for example, by not using local user account databases or general network login credentials). Decryption keys must not be associated with user accounts.
Modified
p. 63 → 62
Indicate whether disk encryption is used. (yes/no) <Report Findings Here> If “yes,” complete the remainder of 3.4.1.a, 3.4.1.b, and 3.4.1.c.
Modified
p. 63 → 62
If “no,” mark the remainder of 3.4.1.a, 3.4.1.b and 3.4.1.c as “Not Applicable.” Describe the disk encryption mechanism(s) in use.
If “no,” mark the remainder of 3.4.1.a, 3.4.1.b and 3.4.1.c as “Not Applicable.” Describe the disk encryption mechanism(s) in use. <Report Findings Here> For each disk encryption mechanism in use, describe how the configuration was inspected and the authentication process observed to verify that logical access to encrypted file systems is separate from the native operating system’s authentication mechanism.
Modified
p. 63 → 62
<Report Findings Here> 3.4.1.b Observe processes and interview personnel to verify that cryptographic keys are stored securely (for example, stored on removable media that is adequately protected with strong access controls).
<Report Findings Here> 3.4.1.b Observe processes and interview personnel to verify that cryptographic keys Describe how processes were observed to verify that cryptographic keys are stored securely.
Modified
p. 63
Identify the personnel interviewed who confirm that cryptographic keys are stored securely.
Modified
p. 63
<Report Findings Here> 3.4.1.c Examine the Identify the configurations examined. <Report Findings Here>
<Report Findings Here> 3.4.1.c Examine the configurations and observe the processes to verify that cardholder data on removable media is encrypted wherever stored.
Modified
p. 64 → 63
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested Place configurations and observe the processes to verify that cardholder data on removable media is encrypted wherever stored.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested Place are stored securely (for example, stored on removable media that is adequately protected with strong access controls).
Modified
p. 64 → 63
Identify the configurations examined. <Report Findings Here> Describe how the configurations were examined and the processes observed to verify that cardholder data on removable media is encrypted wherever stored.
Modified
p. 64 → 63
Note: This requirement applies to keys used to encrypt stored cardholder data, and also applies to key-encrypting keys used to protect data-encrypting keys; such key-encrypting keys must be at least as strong as the data-encrypting key.
Note: This requirement applies to keys used to encrypt stored cardholder data, and also applies to key-encrypting keys used to protect data-encrypting keys; such key-encrypting keys must be at least as strong as the data-encrypting key.
Removed
p. 65
Identify user access lists examined. <Report Findings Here> Describe how user access lists were examined to verify that access to keys is restricted to the fewest number of custodians necessary.
Modified
p. 65 → 63
• Access to keys is restricted to the fewest number of custodians necessary.
Modified
p. 65 → 63
• Access to keys is restricted to the fewest number of custodians necessary.
Modified
p. 65 → 63
• Key-encrypting keys are at least as strong as the data-encrypting keys they protect.
Modified
p. 65 → 63
• Key-encrypting keys are stored separately from data-encrypting keys.
Modified
p. 65 → 63
• Keys are stored securely in the fewest possible locations and forms.
Modified
p. 65 → 63
• Keys are stored securely in the fewest possible locations and forms.
Modified
p. 65 → 63
Identify the documented key-management policies and processes examined to verify processes are defined to protect keys used for encryption of cardholder data against disclosure and misuse and include at least the following:
Modified
p. 65 → 63
• Key-encrypting keys are at least as strong as the data-encrypting keys they protect.
Modified
p. 65 → 63
• Key-encrypting keys are stored separately from data-encrypting keys.
Modified
p. 65 → 63
<Report Findings Here> 3.5.1 Restrict access to cryptographic keys to the fewest number of custodians necessary.
<Report Findings Here> 3.5.1 Restrict access to cryptographic keys to the fewest number of custodians necessary. ☐ ☐ ☐ ☐ ☐ 3.5.1 Examine user access lists to verify Identify user access lists examined. <Report Findings Here>
Modified
p. 66 → 64
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 3.5.2 Store secret and private keys used to encrypt/decrypt cardholder data in one (or more) of the following forms at all times:
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested Place that access to keys is restricted to the fewest number of custodians necessary.
Modified
p. 66 → 64
• Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the data-encrypting key. • Within a secure cryptographic device (such as a hardware/host security module (HSM) or PTS-approved point-of-interaction device). • As at least two full-length key components or key shares, in accordance with an industry-accepted method.
Modified
p. 66 → 64
• Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the data-encrypting key.
Modified
p. 66 → 64
Identify the documented procedures examined to verify that cryptographic keys used to encrypt/decrypt cardholder data must only exist in one (or more) of the following forms at all times.
Modified
p. 66 → 64
• Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the data-encrypting key.
Modified
p. 66 → 64
• Within a secure cryptographic device (such as a hardware (host) security module (HSM) or PTS-approved point-of-interaction device).
Modified
p. 66 → 64
• As key components or key shares, in accordance with an industry-accepted method.
Modified
p. 67 → 64
• As key components or key shares, in accordance with an industry-accepted method.
Modified
p. 67 → 64
• Within a secure cryptographic device (such as a hardware (host) security module (HSM) or PTS-approved point-of-interaction device).
Modified
p. 67 → 65
• Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the data-encrypting key.
Modified
p. 67 → 65
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 3.5.2.b Examine system configurations and key storage locations to verify that cryptographic keys used to encrypt/decrypt cardholder data exist in one, (or more), of the following form at all times.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 3.5.2.b Examine system configurations and key storage locations to verify that cryptographic keys used to encrypt/decrypt cardholder data exist in one, (or more), of the following form at all times.
Modified
p. 67 → 65
• Within a secure cryptographic device (such as a hardware (host) security module (HSM) or PTS-approved point-of-interaction device).
Modified
p. 67 → 65
Provide the name of the assessor who attests that all locations where keys are stored were identified.
Modified
p. 67 → 65
<Report Findings Here> Describe how system configurations and key storage locations were examined to verify that cryptographic keys used to encrypt/decrypt cardholder data must only exist in one (or more) of the following forms at all times.
<Report Findings Here> Describe how system configurations and key storage locations were examined to verify that cryptographic keys used to encrypt/decrypt cardholder data must only exist in one (or more) of the following forms at all times.
Modified
p. 67 → 65
<Report Findings Here> 3.5.2.c Wherever key-encrypting keys are used, examine system configurations and key storage locations to verify:
<Report Findings Here> 3.5.2.c Wherever key-encrypting keys are used, examine system configurations and key storage locations to verify:
Modified
p. 67 → 65
• Key-encrypting keys are at least as strong as the data-encrypting keys they protect.
Removed
p. 68
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 3.5.3 Store cryptographic keys in the fewest possible locations.
Describe how key storage locations were examined and processes were observed to verify that keys are stored in the fewest possible locations.
Identify the documented key-management procedures examined to verify procedures specify how to generate strong keys.
Describe how key storage locations were examined and processes were observed to verify that keys are stored in the fewest possible locations.
Identify the documented key-management procedures examined to verify procedures specify how to generate strong keys.
Modified
p. 68 → 66
3.6.a Additional Procedure for service providers: If the service provider shares keys with their customers for transmission or storage of cardholder data, examine the documentation that the service provider provides to their customers to verify that it includes guidance on how to securely transmit, store, and update customers’ keys, in accordance with Requirements 3.6.1 through 3.6.8 below.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 3.6.a Additional Procedure for service provider assessments only: If the service provider shares keys with their customers for transmission or storage of cardholder data, examine the documentation that the service provider provides to their customers to verify that it includes guidance on how to securely transmit, store, and update customers’ keys, in accordance with Requirements …
Modified
p. 68 → 66
Indicate whether the assessed entity is a service provider that shares keys with their customers for transmission or storage of cardholder data. (yes/no) <Report Findings Here> If “yes,” identify the document that the service provider provides to their customers examined to verify that it includes guidance on how to securely transmit, store and update customers’ keys, in accordance with Requirements 3.6.1 through 3.6.8 below.
Modified
p. 68 → 66
Identify the documented key-management procedures examined to verify procedures specify how to generate strong keys.
Modified
p. 68 → 66
Describe how the method for generating keys was observed to verify that strong keys are generated.
Removed
p. 69
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 3.6.2 Secure cryptographic key distribution.
Identify the documented key-management procedures examined to verify procedures specify how to securely store keys.
Describe how the method for storing keys was observed to verify that keys are stored securely.
Identify the documented key-management procedures examined to verify procedures specify how to securely store keys.
Describe how the method for storing keys was observed to verify that keys are stored securely.
Modified
p. 69 → 66
Identify the documented key-management procedures examined to verify procedures specify how to securely distribute keys.
Modified
p. 69 → 66
<Report Findings Here> 3.6.2 Secure cryptographic key distribution. ☐ ☐ ☐ ☐ ☐ 3.6.2.a Verify that key-management procedures specify how to securely distribute keys.
Modified
p. 69 → 66
Describe how the method for distributing keys was observed to verify that keys are distributed securely.
Modified
p. 69 → 66
<Report Findings Here> 3.6.3 Secure cryptographic key storage.
<Report Findings Here> 3.6.3 Secure cryptographic key storage. ☐ ☐ ☐ ☐ ☐ 3.6.3.a Verify that key-management procedures specify how to securely store keys.
Modified
p. 69 → 66
Identify the documented key-management procedures examined to verify procedures specify how to securely store keys.
Modified
p. 69 → 67
Describe how the method for storing keys was observed to verify that keys are stored securely.
Modified
p. 69 → 67
<Report Findings Here> 3.6.4 Cryptographic key changes for keys that have reached the end of their cryptoperiod (for example, after a defined period of time has passed and/or after a certain amount of cipher-text has been produced by a given key), as defined by the associated application vendor or key owner, and based on industry best practices and guidelines (for example, NIST Special Publication 800-57).
<Report Findings Here> 3.6.4 Cryptographic key changes for keys that have reached the end of their cryptoperiod (for example, after a defined period of time has passed and/or after a certain amount of cipher-text has been produced by a given key), as defined by the associated application vendor or key owner, and based on industry best practices and guidelines (for example, NIST Special Publication 800-57).
Modified
p. 69 → 67
3.6.4.a Verify that key-management procedures include a defined cryptoperiod for each key type in use and define a process for key changes at the end of the defined cryptoperiod(s).
3.6.4.a Verify that key-management procedures include a defined cryptoperiod for each key type in use and define a process for key changes at the end of the defined cryptoperiod(s).
Modified
p. 69 → 67
Identify the document that defines:
Modified
p. 69 → 67
• A process for key changes at the end of the defined cryptoperiod(s) <Report Findings Here> 3.6.4.b Interview personnel to verify that keys are changed at the end of the defined cryptoperiod(s).
Modified
p. 69 → 67
Identify personnel interviewed for this testing procedure who confirm that keys are changed at the end of the defined cryptoperiod(s).
Removed
p. 70
• The retirement or replacement of keys when the integrity of the key has been weakened. • The replacement of known or suspected compromised keys. • Any keys retained after retiring or replacing are not used for encryption operations.
Modified
p. 70 → 67
<Report Findings Here> 3.6.5 Retirement or replacement (for example, archiving, destruction, and/or revocation) of keys as deemed necessary when the integrity of the key has been weakened (for example, departure of an employee with knowledge of a clear-text key component), or keys are suspected of being compromised.
Modified
p. 70 → 67
3.6.5.a Verify that key-management procedures specify processes for the following:
3.6.5.a Verify that key-management procedures specify processes for the following:
Modified
p. 70 → 67
Identify the key-management document examined to verify that key-management processes specify the following:
Modified
p. 70 → 67
• The retirement or replacement of keys when the integrity of the key has been weakened.
Modified
p. 70 → 67
• The replacement of known or suspected compromised keys.
Modified
p. 70 → 67
• Any keys retained after retiring or replacing are not used for encryption operations.
Modified
p. 71 → 68
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 3.6.5.b Interview personnel to verify the following processes are implemented:
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 3.6.5.b Interview personnel to verify the following processes are implemented:
Modified
p. 71 → 68
• Keys are retired or replaced as necessary when the integrity of the key has been weakened, including when someone with knowledge of the key leaves the company.
Modified
p. 71 → 68
3.6.6.a Verify that manual clear-text key-management procedures specify processes for the use of the following:
3.6.6.a Verify that manual clear-text key-management procedures specify processes for the use of the following:
Modified
p. 71 → 68
Indicate whether manual clear-text cryptographic key-management operations are used. (yes/no) <Report Findings Here> If “no,” mark the remainder of 3.6.6.a and 3.6.6.b as “Not Applicable.” If “yes,” complete 3.6.6.a and 3.6.6.b.
Removed
p. 72
<Report Findings Here> 3.6.6 b Interview personnel and/or observe processes to verify that manual clear-text keys are managed with:
Identify the document examined to verify that key-management procedures specify processes to prevent unauthorized substitution of keys.
Identify the document examined to verify that key-management procedures specify processes to prevent unauthorized substitution of keys.
Modified
p. 72 → 68
Identify the document examined to verify that manual clear-text key-management procedures define processes for the use of the following:
Modified
p. 72 → 68
• Dual control of keys, such that at least two people are required to perform any key-management operations and no one person has access to the authentication materials of another.
Modified
p. 72 → 69
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested Place are under the control of at least two people who only have knowledge of their own key components; AND Dual control of keys, such that at least two people are required to perform any key-management operations and no one person has access to the authentication materials (for example, passwords or keys) of another.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 3.6.6 b Interview personnel and/or observe processes to verify that manual clear-text keys are managed with:
Modified
p. 72 → 69
• Dual control Identify the personnel interviewed for this testing procedure, if applicable.
Modified
p. 72 → 69
Split knowledge <Report Findings Here> Dual Control <Report Findings Here> 3.6.7 Prevention of unauthorized substitution of cryptographic keys.
Split knowledge <Report Findings Here> Dual Control <Report Findings Here> 3.6.7 Prevention of unauthorized substitution of cryptographic keys. ☐ ☐ ☐ ☐ ☐ 3.6.7.a Verify that key-management procedures specify processes to prevent unauthorized substitution of keys.
Modified
p. 72 → 69
Identify the document examined to verify that key-management procedures specify processes to prevent unauthorized substitution of keys.
Modified
p. 72 → 69
Identify the personnel interviewed for this testing procedure, if applicable.
Modified
p. 72 → 69
<Report Findings Here> For the interview, summarize the relevant details discussed and/or describe how processes were observed to verify that unauthorized substitution of keys is prevented.
<Report Findings Here> For the interview, summarize the relevant details discussed and/or describe how processes were observed to verify that unauthorized substitution of keys is prevented.
Removed
p. 73
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 3.6.8 Requirement for cryptographic key custodians to formally acknowledge that they understand and accept their key-custodian responsibilities.
Documented, In use, and Known to all affected parties Identify the document reviewed to verify that security policies and operational procedures for protecting stored cardholder data are documented.
<Report Findings Here> Identify responsible personnel interviewed who confirm that the above documented security policies and operational procedures for protecting stored cardholder data are:
Documented, In use, and Known to all affected parties Identify the document reviewed to verify that security policies and operational procedures for protecting stored cardholder data are documented.
<Report Findings Here> Identify responsible personnel interviewed who confirm that the above documented security policies and operational procedures for protecting stored cardholder data are:
Modified
p. 73 → 69
Identify the document examined to verify that key-management procedures specify processes for key custodians to acknowledge that they understand and accept their key-custodian responsibilities.
Modified
p. 73 → 69
<Report Findings Here> 3.6.8 Requirement for cryptographic key custodians to formally acknowledge that they understand and accept their key-custodian responsibilities. ☐ ☐ ☐ ☐ ☐ 3.6.8.a Verify that key-management procedures specify processes for key custodians to acknowledge (in writing or electronically) that they understand and accept their key-custodian responsibilities.
Modified
p. 73 → 69
Describe how key custodian acknowledgements or other evidence were observed to verify that key custodians have acknowledged that they understand and accept their key-custodian responsibilities.
Modified
p. 73 → 70
<Report Findings Here> 3.7 Ensure that security policies and operational procedures for protecting stored cardholder data are documented, in use, and known to all affected parties.
<Report Findings Here> Identify responsible personnel interviewed who confirm that the above documented security policies and operational procedures for protecting stored cardholder data are:
Removed
p. 74
Examples of open, public networks include but are not limited to: • The Internet • Wireless technologies, including 802.11 and Bluetooth • Cellular technologies, for example, Global System for Mobile communications (GSM), Code division multiple access (CDMA) • General Packet Radio Service (GPRS) • Satellite communications 4.1.a Identify all locations where cardholder data is transmitted or received over open, public Identify all locations where cardholder data is transmitted or received over open, public networks.
Modified
p. 74 → 71
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 4.1 Use strong cryptography and security protocols (for example, SSL/TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks, including the following:
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) Not Tested 4.1 Use strong cryptography and security protocols (for example, TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks, including the following:
Modified
p. 74 → 71
• Only trusted keys and certificates are accepted.
Modified
p. 74 → 71
• The protocol in use only supports secure versions or configurations.
Modified
p. 74 → 71
• The encryption strength is appropriate for the encryption methodology in use.
Modified
p. 75 → 72
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested Identify the documented standards examined. <Report Findings Here> Describe how the documented standards were examined and compared to system configurations to verify the use of:
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) Not Tested Identify the documented standards examined. <Report Findings Here> Describe how the documented standards were examined and compared to system configurations to verify the use of:
Modified
p. 75 → 72
• For acceptance of only trusted keys and/or certificates.
Modified
p. 75 → 72
• For acceptance of only trusted keys and/or certificates.
Modified
p. 75 → 72
• For the protocol in use to only support secure versions and configurations (that insecure versions or configurations are not supported).
Modified
p. 75 → 72
• For the protocol in use to only support secure versions and configurations (that insecure versions or configurations are not supported).
Modified
p. 75 → 72
• For implementation of proper encryption strength per the encryption methodology in use.
Modified
p. 75 → 72
• For implementation of proper encryption strength per the encryption methodology in use.
Modified
p. 75 → 72
Identify the document reviewed to verify that processes are specified for the following:
Modified
p. 75 → 72
Describe the sample of inbound and outbound transmissions observed as they occurred.
Modified
p. 75 → 72
<Report Findings Here> Describe how the samples of inbound and outbound transmissions were observed as they occurred to verify that all cardholder data is encrypted with strong cryptography during transit.
<Report Findings Here> Describe how the samples of inbound and outbound transmissions were observed as they occurred to verify that all cardholder data is encrypted with strong cryptography during transit.
Modified
p. 75 → 72
For all instances where cardholder data is transmitted or received over open, public networks:
Removed
p. 76
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested Place certificates to verify that only trusted keys and/or certificates are accepted.
Modified
p. 76 → 72
Describe the mechanisms used to ensure that only trusted keys and/or certificates are accepted.
Modified
p. 76 → 72
<Report Findings Here> Describe how the mechanisms were observed to accept only trusted keys and/or certificates.
<Report Findings Here> Describe how the mechanisms were observed to accept only trusted keys and/or certificates.
Modified
p. 76 → 73
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) Not Tested 4.1.e Examine system configurations to verify that the protocol is implemented to use only secure configurations and does not support insecure versions or configurations.
Modified
p. 76 → 73
<Report Findings Here> 4.1.f Examine system configurations to verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) For each encryption methodology in use, identify vendor recommendations/best practices for encryption strength.
<Report Findings Here> 4.1.f Examine system configurations to verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) For each encryption methodology in use, identify vendor recommendations/best practices for encryption strength.
Modified
p. 76 → 73
<Report Findings Here> Identify the encryption strength observed to be implemented.
<Report Findings Here> Identify the encryption strength observed to be implemented.
Modified
p. 76 → 73
<Report Findings Here> 4.1.g For SSL/TLS implementations, examine system configurations to verify that SSL/TLS is enabled whenever cardholder data is transmitted or received.
<Report Findings Here> 4.1.g For TLS implementations, examine system configurations to verify that TLS is enabled whenever cardholder data is transmitted or received.
Modified
p. 76 → 73
HTTPS appears as part of the browser URL. <Report Findings Here> Cardholder data is only requested if HTTPS appears as part of the URL.
Modified
p. 76 → 73
Indicate whether TLS is implemented to encrypt cardholder data over open, public networks in the CDE. (yes/no) <Report Findings Here> If “yes,” for all instances where TLS is used to encrypt cardholder data over open, public networks, describe how system configurations were examined to verify that TLS is enabled whenever cardholder data is transmitted or received, as follows:
Modified
p. 76 → 73
• Cardholder data is only requested if “HTTPS” appears as part of the URL.
Modified
p. 77 → 74
<Report Findings Here> 4.1.1 Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment, use industry best practices (for example, IEEE 802.11i) to implement strong encryption for authentication and transmission.
Modified
p. 77 → 75
• Industry best practices (for example, IEEE 802.11i) are used to implement strong encryption for authentication and transmission.
Modified
p. 77 → 75
Identify all wireless networks transmitting cardholder data or connected to the cardholder data environment.
Modified
p. 77 → 75
<Report Findings Here> Identify the documented standards examined to verify processes define the following for all wireless networks identified:
<Report Findings Here> Identify the documented standards examined to verify processes define the following for all wireless networks identified:
Modified
p. 77 → 75
• Industry best practices (for example, IEEE 802.11i) are used to implement strong encryption for authentication and transmission.
Modified
p. 77 → 75
• Weak encryption (for example, WEP, SSL) is not used as a security control for authentication or transmission.
Modified
p. 77 → 75
<Report Findings Here> 4.2 Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat, etc.).
<Report Findings Here> 4.2 Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, SMS, chat, etc.). 4.2.a If end-user messaging technologies are used to send cardholder data, observe processes for sending PAN and examine a sample of outbound transmissions as they occur to verify that PAN is rendered unreadable or secured with strong cryptography whenever it is sent via end-user messaging technologies.
Removed
p. 78
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 4.2.a If end-user messaging technologies are used to send cardholder data, observe processes for sending PAN and examine a sample of outbound transmissions as they occur to verify that PAN is rendered unreadable or secured with strong cryptography whenever it is sent via end-user messaging technologies.
Modified
p. 78 → 75
Indicate whether end-user messaging technologies are used to send cardholder data. (yes/no) <Report Findings Here> If “no,” mark the remainder of 4.2.a as “Not Applicable” and proceed to 4.2.b.
Modified
p. 78 → 75
Describe how processes for sending PAN were observed to verify that PAN is rendered unreadable or secured with strong cryptography whenever it is sent via end-user messaging technologies.
Modified
p. 78 → 76
Describe how the sample of outbound transmissions observed as they occurred to verify that PAN is rendered unreadable or secured with strong cryptography whenever it is sent via end-user messaging technologies.
Modified
p. 78 → 76
Identify the policy document stating that unprotected PANs must not be sent via end-user messaging technologies.
Modified
p. 78 → 76
Identify the policy document that explicitly prohibits PAN from being sent via end-user messaging technologies under any circumstances.
Removed
p. 79
4.3 Ensure that security policies and operational procedures for encrypting transmissions of cardholder data are documented, in use, and known to all affected parties.
Identify the document reviewed to verify that security policies and operational procedures for encrypting transmissions of cardholder data are documented.
Identify the document reviewed to verify that security policies and operational procedures for encrypting transmissions of cardholder data are documented.
Modified
p. 79 → 76
<Report Findings Here> Identify responsible personnel interviewed who confirm that the above documented security policies and operational procedures for encrypting transmissions of cardholder data are:
<Report Findings Here> Identify responsible personnel interviewed who confirm that the above documented security policies and operational procedures for encrypting transmissions of cardholder data are:
Removed
p. 80
Identify the sample of system components selected (including all operating system types commonly affected by malicious software).
Modified
p. 80 → 77
5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers). ☐ ☐ ☐ ☐ ☐ 5.1 For a sample of system components including all operating system types commonly affected by malicious software, verify that anti-virus software is deployed if applicable anti-virus technology exists.
Modified
p. 80 → 77
<Report Findings Here> For each item in the sample, describe how anti-virus software was observed to be deployed.
<Report Findings Here> For each item in the sample, describe how anti-virus software was observed to be deployed.
Modified
p. 80 → 77
<Report Findings Here> 5.1.1 Ensure that anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software.
<Report Findings Here> 5.1.1 Ensure that anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software. 5.1.1 Review vendor documentation and examine anti-virus configurations to verify that anti-virus programs;
Modified
p. 80 → 77
Identify the vendor documentation reviewed to verify that anti-virus programs:
Modified
p. 80 → 77
• Detect all known types of malicious software,
• Remove all known types of malicious software, and
• Protect against all known types of malicious software.
• Remove all known types of malicious software, and
• Protect against all known types of malicious software.
Removed
p. 81
Identify the personnel interviewed for this testing procedure.
Modified
p. 81 → 77
<Report Findings Here> For the interview, summarize the relevant details discussed and/or describe how processes were observed to verify that evolving malware threats are monitored and evaluated for systems not currently considered to be commonly affected by malicious software, and that such systems continue to not require anti-virus software.
<Report Findings Here> 5.1.2 For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software. 5.1.2 Interview personnel to verify that evolving malware threats are monitored Identify the personnel interviewed for this testing procedure. For the interview, summarize the relevant details discussed and/or describe how processes were observed to verify that evolving …
Modified
p. 81 → 78
5.1.2 For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software.
and evaluated for systems not currently considered to be commonly affected by malicious software, in order to confirm whether such systems continue to not require anti-virus software.
Modified
p. 81 → 78
• Perform periodic scans.
Modified
p. 81 → 78
• Generate audit logs which are retained per PCI DSS Requirement 10.7.
Modified
p. 81 → 78
5.2.a Examine policies and procedures to verify that anti-virus software and definitions are required to be kept up-to-date.
5.2.a Examine policies and procedures to verify that anti-virus software and definitions are required to be kept up-to-date.
Modified
p. 81 → 78
Identify the documented policies and procedures examined to verify that anti-virus software and definitions are required to be kept up to date.
Modified
p. 81 → 78
<Report Findings Here> 5.2.b Examine anti-virus configurations, including the master installation of the Describe how anti-virus configurations, including the master installation of the software, were examined to verify anti-virus mechanisms are:
<Report Findings Here> 5.2.b Examine anti-virus configurations, including the master installation of the software, to verify anti-virus mechanisms are:
Modified
p. 82 → 79
Configured to perform automatic updates, and <Report Findings Here> Configured to perform periodic scans. <Report Findings Here> 5.2.c Examine a sample of system components, including all operating system types commonly affected by malicious software, to verify that:
Configured to perform automatic updates, and <Report Findings Here> Configured to perform periodic scans. <Report Findings Here> 5.2.c Examine a sample of system components, including all operating system types commonly affected by malicious software, to verify that:
Modified
p. 82 → 79
• The anti-virus software and definitions are current.
Modified
p. 82 → 79
• Periodic scans are performed.
Modified
p. 82 → 79
Identify the sample of system components, including all operating system types commonly affected by malicious software, selected for this testing procedure.
Modified
p. 82 → 79
• Logs are retained in accordance with PCI DSS Requirement 10.7.
Modified
p. 83 → 79
<Report Findings Here> For each item in the sample, describe how anti-virus configurations, including the master installation of the software, were examined to verify that the anti-virus software is actively running.
Identify the sample of system components selected. <Report Findings Here> For each item in the sample, describe how anti-virus configurations, including the master installation of the software, were examined to verify that the anti-virus software is actively running.
Modified
p. 83 → 79
5.3.a Examine anti-virus configurations, including the master installation of the software and a sample of system components, to verify the anti-virus software is actively running.
Modified
p. 83 → 80
5.3.a Examine anti-virus configurations, including the master installation of the software and a sample of system components, to verify the anti-virus software is actively running.
5.3.b Examine anti-virus configurations, including the master installation of the software and a sample of system components, to verify that the anti-virus software cannot be disabled or altered by users.
Modified
p. 83 → 80
For each item in the sample from 5.3.a, describe how anti-virus configurations, including the master installation of the software, were examined to verify that the anti-virus software cannot be disabled or altered by users.
Modified
p. 83 → 80
Identify the responsible personnel interviewed who confirm that anti-virus software cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.
Modified
p. 83 → 80
<Report Findings Here> Describe how the process was observed to verify that anti-virus software cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.
<Report Findings Here> Describe how the process was observed to verify that anti-virus software cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.
Removed
p. 84
5.4 Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties.
<Report Findings Here> Identify responsible personnel interviewed who confirm that the above documented security policies and operational procedures for protecting systems against malware are:
<Report Findings Here> Identify responsible personnel interviewed who confirm that the above documented security policies and operational procedures for protecting systems against malware are:
Modified
p. 84 → 80
<Report Findings Here> Identify responsible personnel interviewed who confirm that the above documented security policies and operational procedures for protecting systems against malware are:
Modified
p. 85 → 81
6.1 Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities.
6.1 Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities.
Modified
p. 85 → 81
• To identify new security vulnerabilities.
Modified
p. 85 → 81
• To identify new security vulnerabilities.
Modified
p. 85 → 81
• To assign a risk ranking to vulnerabilities that includes identification of all “high risk” and “critical” vulnerabilities.
Modified
p. 85 → 81
• To assign a risk ranking to vulnerabilities that includes identification of all “high risk” and “critical” vulnerabilities.
Modified
p. 85 → 81
• To include using reputable outside sources for security vulnerability information.
Modified
p. 85 → 81
• To include using reputable outside sources for security vulnerability information.
Modified
p. 85 → 81
Identify the documented policies and procedures examined to confirm that processes are defined:
Removed
p. 86
6.1.b Interview responsible personnel and observe processes to verify that:
Processes to identify new security vulnerabilities include using reputable outside sources for security vulnerability information.
Processes to identify new security vulnerabilities include using reputable outside sources for security vulnerability information.
Modified
p. 86 → 81
• New security vulnerabilities are identified.
Modified
p. 86 → 81
• New security vulnerabilities are identified.
Modified
p. 86 → 81
• A risk ranking is assigned to vulnerabilities that includes identification of all “high” risk and “critical” vulnerabilities.
Modified
p. 86 → 81
• A risk ranking is assigned to vulnerabilities that includes identification of all “high” risk and “critical” vulnerabilities.
Modified
p. 86 → 81
• Processes to identify new security vulnerabilities include using reputable outside sources for security vulnerability information.
Modified
p. 86 → 81
• Processes to identify new security vulnerabilities include using reputable outside sources for security Identify the responsible personnel interviewed who confirm that:
Modified
p. 86 → 82
New security vulnerabilities are identified. <Report Findings Here> A risk ranking is assigned to vulnerabilities to include identification of all “high” risk and “critical” vulnerabilities.
vulnerability information. New security vulnerabilities are identified. <Report Findings Here> A risk ranking is assigned to vulnerabilities to include identification of all “high” risk and “critical” vulnerabilities.
Modified
p. 86 → 82
<Report Findings Here> Identify the outside sources used. <Report Findings Here> 6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.
<Report Findings Here> Identify the outside sources used. <Report Findings Here> 6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.
Modified
p. 87 → 82
6.2.a Examine policies and procedures related to security-patch installation to verify processes are defined for:
Modified
p. 87 → 82
• Installation of applicable critical vendor-supplied security patches within one month of release.
Modified
p. 87 → 82
• Installation of all applicable vendor-supplied security patches within an appropriate time frame (for example, within three months).
Modified
p. 87 → 82
Identify the documented policies and procedures related to security-patch installation examined to verify processes are defined for:
Modified
p. 87 → 82
• Installation of applicable critical vendor-supplied security patches within one month of release.
Modified
p. 87 → 82
• Installation of all applicable vendor-supplied security patches within an appropriate time frame.
Modified
p. 87 → 82
<Report Findings Here> 6.2.b For a sample of system components and related software, compare the list of security patches installed on each system Identify the sample of system components and related software selected for this testing procedure.
<Report Findings Here> 6.2.b For a sample of system components and related software, compare the list of security patches installed on each system Identify the sample of system components and related software selected for this testing procedure.
Modified
p. 88 → 83
Identify the vendor security patch list reviewed. <Report Findings Here> For each item in the sample, describe how the list of security patches installed on each system was compared to the most recent vendor security-patch list to verify that:
Identify the vendor security patch list reviewed. <Report Findings Here> For each item in the sample, describe how the list of security patches installed on each system was compared to the most recent vendor security-patch list to verify that:
Modified
p. 88 → 83
• In accordance with PCI DSS (for example, secure authentication and logging).
Modified
p. 88 → 83
• Based on industry standards and/or best practices.
Modified
p. 88 → 83
• Incorporate information security throughout the software development life cycle.
Modified
p. 88 → 83
Identify the document that defines software development processes based on industry standards and/or best practices.
Modified
p. 88 → 83
<Report Findings Here> Identify the industry standards and/or best practices used.
<Report Findings Here> Identify the industry standards and/or best practices used.
Modified
p. 88 → 83
Identify the documented software development processes examined to verify that information security is included throughout the life cycle.
Modified
p. 88 → 83
Identify the documented software development processes examined to verify that software applications are developed in accordance with PCI DSS.
Removed
p. 89
<Report Findings Here> 6.3.1 Remove development, test and/or custom application accounts, user IDs, and passwords before applications become active or are released to customers.
<Report Findings Here> For the interview, summarize the relevant details discussed to confirm that pre-production and/or custom application accounts, user IDs and/or passwords are removed before an application goes into production or is released to customers.
<Report Findings Here> For the interview, summarize the relevant details discussed to confirm that pre-production and/or custom application accounts, user IDs and/or passwords are removed before an application goes into production or is released to customers.
Modified
p. 89 → 83
<Report Findings Here> 6.3.d Interview software developers to verify that written software development processes are implemented.
Modified
p. 89 → 83
Identify the software developers interviewed for this testing procedure.
Modified
p. 89 → 83
<Report Findings Here> For the interview, summarize the relevant details discussed to verify that written software development processes are implemented.
<Report Findings Here> For the interview, summarize the relevant details discussed to verify that written software development processes are implemented.
Modified
p. 89 → 84
<Report Findings Here> Identify the responsible personnel interviewed for this testing procedure.
<Report Findings Here> Identify the responsible personnel interviewed for this testing procedure.
Modified
p. 89 → 84
<Report Findings Here> For the interview, summarize the relevant details discussed to confirm that pre-production and/or custom application accounts, user IDs and/or passwords are removed before an application goes into production or is released to customers.
Modified
p. 90 → 84
<Report Findings Here> 6.3.2 Review custom code prior to release to production or customers in order to identify any potential coding vulnerability (using either manual or automated processes) to include at least the following:
Modified
p. 90 → 84
• Code changes are reviewed by individuals other than the originating code author, and by individuals knowledgeable about code review techniques and secure coding practices.
Modified
p. 91 → 85
6.3.2.a Examine written software development procedures and interview responsible personnel to verify that all custom application code changes must be reviewed (using either manual or automated processes) as follows:
6.3.2.a Examine written software development procedures and interview responsible personnel to verify that all custom application code changes must be reviewed (using either manual or automated processes) as follows:
Modified
p. 91 → 85
• Code changes are reviewed by individuals other than the originating code author, and by individuals who are knowledgeable in code review techniques and secure coding practices.
Modified
p. 91 → 85
Identify the documented software-development processes examined to verify processes define that all custom application code changes must be reviewed (using either manual or automated processes) as follows:
Modified
p. 91 → 85
• Code changes are reviewed by individuals other than the originating code author, and by individuals who are knowledgeable in code review techniques and secure coding practices.
Modified
p. 91 → 85
• Code reviews ensure code is developed according to secure coding guidelines (see PCI DSS Requirement 6.5).
Modified
p. 91 → 85
• Appropriate corrections are implemented prior to release.
Modified
p. 91 → 85
• Code-review results are reviewed and approved by management prior to release.
Modified
p. 92 → 85
• Code reviews ensure code is developed according to secure coding guidelines (see PCI DSS Requirement 6.5).
Modified
p. 92 → 85
• Appropriate corrections are implemented prior to release.
Modified
p. 92 → 85
• Code-review results are reviewed and approved by management prior to release.
Modified
p. 92 → 86
Identify the responsible personnel interviewed for this testing procedure who confirm that all custom application code changes are reviewed as follows:
Identify the responsible personnel interviewed for this testing procedure who confirm that all custom application code changes are reviewed as follows:
Modified
p. 92 → 86
• Code changes are reviewed by individuals other than the originating code author, and by individuals who are knowledgeable in code-review techniques and secure coding practices.
Modified
p. 92 → 86
<Report Findings Here> Describe how all custom application code changes must be reviewed, including whether processes are manual or automated.
<Report Findings Here> Describe how all custom application code changes must be reviewed, including whether processes are manual or automated.
Modified
p. 92 → 86
Identify the sample of recent custom application changes selected for this testing procedure.
Removed
p. 93
Identify the documented policies and procedures examined to verify that the following are defined:
Modified
p. 93 → 86
<Report Findings Here> Code-review results are reviewed and approved by management prior to release.
<Report Findings Here> Appropriate corrections are implemented prior to release.
Modified
p. 93 → 87
Appropriate corrections are implemented prior to release.
Code-review results are reviewed and approved by management prior to release.
Modified
p. 93 → 87
<Report Findings Here> 6.4 Follow change control processes and procedures for all changes to system components. The processes must include the following:
<Report Findings Here> 6.4 Follow change control processes and procedures for all changes to system components. The processes must include the following: 6.4 Examine policies and procedures to verify the following are defined:
Modified
p. 93 → 87
• Development/test environments are separate from production environments with access control in place to enforce separation.
Modified
p. 93 → 87
• Development/test environments are separate from production environments with access control in place to enforce separation.
Modified
p. 93 → 87
• A separation of duties between personnel assigned to the development/test environments and those assigned to the production environment.
Modified
p. 93 → 87
• A separation of duties between personnel assigned to the development/test environments and those assigned to the production environment.
Modified
p. 93 → 87
• Production data (live PANs) are not used for testing or development.
Modified
p. 93 → 87
• Production data (live PANs) are not used for testing or development.
Modified
p. 93 → 87
• Test data and accounts are removed before a production system becomes active.
Modified
p. 93 → 87
• Test data and accounts are removed before a production system becomes active.
Modified
p. 93 → 87
• Change control procedures related to implementing security patches and software modifications are documented.
Modified
p. 93 → 87
• Change-control procedures related to implementing security patches and software modifications are documented.
Removed
p. 94
Identify the personnel assigned to development/test environments interviewed who confirm that separation of duties is in place between development/test environments and the production environment.
Modified
p. 94 → 87
Identify the network documentation that illustrates that the development/test environments are separate from the production environment(s).
Modified
p. 94 → 87
<Report Findings Here> Describe how network device configurations were examined to verify that the development/test environments are separate from the production environment(s).
Modified
p. 94 → 88
<Report Findings Here> Describe how network device configurations were examined to verify that the development/test environments are separate from the production environment(s).
<Report Findings Here> Describe how processes were observed to verify that separation of duties is in place between development/test environments and the production environment.
Modified
p. 94 → 88
<Report Findings Here> 6.4.1.b Examine access controls settings to verify that access controls are in place to enforce separation between the development/test environments and the production environment(s).
<Report Findings Here> Describe how the access control settings were examined to verify that access controls are in place to enforce separation between the development/test environments and the production environment(s).
Modified
p. 94 → 88
Identify the access control settings examined for this testing procedure.
Modified
p. 94 → 88
<Report Findings Here> 6.4.2 Separation of duties between development/test and production environments.
<Report Findings Here> 6.4.2 Separation of duties between development/test and production environments. 6.4.2 Observe processes and interview personnel assigned to development/test environments and personnel assigned to production environments to verify that separation of duties is in place between development/test environments and the production environment.
Modified
p. 94 → 88
<Report Findings Here> Identify the personnel assigned to production environments interviewed who confirm that separation of duties is in place between development/test environments and the production environment.
<Report Findings Here> Identify the personnel assigned to production environments interviewed who confirm that separation of duties is in place between development/test environments and the production environment.
Modified
p. 94 → 88
<Report Findings Here> Describe how processes were observed to verify that separation of duties is in place between development/test environments and the production environment.
<Report Findings Here> Describe how testing processes were observed to verify procedures are in place to ensure production data (live PANs) are not used for development.
Modified
p. 94 → 89
<Report Findings Here> Describe how the access control settings were examined to verify that access controls are in place to enforce separation between the development/test environments and the production environment(s).
<Report Findings Here> Describe how testing processes were observed to verify that test accounts are removed before a production system becomes active.
Modified
p. 94 → 92
6.4.1 Separate development/test environments from production environments, and enforce the separation with access controls.
6.5 Address common coding vulnerabilities in software-development processes as follows:
Removed
p. 95
Describe how a sample of test data was examined to verify production data (live PANs) is not used for testing.
<Report Findings Here> Describe how a sample of test data was examined to verify production data (live PANs) is not used for development.
Identify the personnel interviewed who confirm that test data and accounts are removed before a production system becomes active.
<Report Findings Here> Describe how testing processes were observed to verify that test accounts are removed before a production system becomes active.
<Report Findings Here> Describe how a sample of test data was examined to verify production data (live PANs) is not used for development.
Identify the personnel interviewed who confirm that test data and accounts are removed before a production system becomes active.
<Report Findings Here> Describe how testing processes were observed to verify that test accounts are removed before a production system becomes active.
Modified
p. 95 → 88
<Report Findings Here> Describe how testing processes were observed to verify procedures are in place to ensure production data (live PANs) are not used for testing.
Modified
p. 95 → 88
Identify the personnel interviewed who confirm that procedures are in place to ensure production data (live PANs) are not used for testing or development.
Modified
p. 95 → 89
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 6.4.3 Production data (live PANs) are not used for testing or development.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 6.4.3.b Examine a sample of test data to verify production data (live PANs) is not used for testing or development.
Modified
p. 95 → 89
<Report Findings Here> Describe how testing processes were observed to verify procedures are in place to ensure production data (live PANs) are not used for testing.
<Report Findings Here> Describe how testing processes were observed to verify that test data is removed before a production system becomes active.
Modified
p. 95 → 89
<Report Findings Here> Describe how testing processes were observed to verify procedures are in place to ensure production data (live PANs) are not used for development.
<Report Findings Here> Describe how a sample of test data was examined to verify production data (live PANs) is not used for development.
Modified
p. 95 → 89
Describe how a sample of test data was examined to verify production data (live PANs) is not used for testing.
Modified
p. 95 → 89
<Report Findings Here> 6.4.4 Removal of test data and accounts before production systems become active.
<Report Findings Here> 6.4.4 Removal of test data and accounts before production systems become active. ☐ ☐ ☐ ☐ ☐ 6.4.4.a Observe testing processes and interview personnel to verify test data and accounts are removed before a production system becomes active.
Modified
p. 95 → 89
Identify the personnel interviewed who confirm that test data and accounts are removed before a production system becomes active.
Modified
p. 95 → 89
<Report Findings Here> Describe how testing processes were observed to verify that test data is removed before a production system becomes active.
<Report Findings Here> Describe how a sample of accounts from production systems recently installed or updated was examined to verify test accounts are removed before the system becomes active.
Removed
p. 96
<Report Findings Here> Describe how a sample of accounts from production systems recently installed or updated was examined to verify test accounts are removed before the system becomes active.
Modified
p. 96 → 89
<Report Findings Here> 6.4.4.b Examine a sample of data and accounts from production systems recently installed or updated to verify test data and accounts are removed before the system becomes active.
Modified
p. 96 → 89
Describe how a sample of data from production systems recently installed or updated was examined to verify test data is removed before the system becomes active.
Modified
p. 96 → 89
<Report Findings Here> 6.4.5 Change control procedures for the implementation of security patches and software modifications must include the following:
<Report Findings Here> 6.4.5 Change control procedures for the implementation of security patches and software modifications must include the following: ☐ ☐ ☐ ☐ ☐
Modified
p. 96 → 90
Identify the documented change-control procedures related to implementing security patches and software modification examined to verify procedures are defined for:
Modified
p. 96 → 90
• Functionality testing to verify that the change does not adversely impact the security of the system.
Modified
p. 96 → 90
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 6.4.5.a Examine documented change- control procedures related to implementing security patches and software modifications and verify procedures are defined for:
Modified
p. 96 → 90
• Documentation of impact.
Modified
p. 96 → 90
• Documented change approval by authorized parties.
Modified
p. 96 → 90
• Functionality testing to verify that the change does not adversely impact the security of the system.
Modified
p. 96 → 90
• Back-out procedures.
Removed
p. 97
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 6.4.5.b For a sample of system components, interview responsible personnel to determine recent changes/security patches. Trace those changes back to related change control documentation. For each change examined, perform the following:
For each change from 6.4.5.b, describe how the changes were traced back to the identified related change control documentation to verify that documented approval by authorized parties is present in the change control documentation for each sampled change.
<Report Findings Here> 6.4.5.3 Functionality testing to verify that the change does not adversely impact the security of the system.
For each change from 6.4.5.b, describe how the changes were traced back to the identified related change control documentation to verify that documented approval by authorized parties is present in the change control documentation for each sampled change.
<Report Findings Here> 6.4.5.3 Functionality testing to verify that the change does not adversely impact the security of the system.
Modified
p. 97 → 90
<Report Findings Here> Identify the responsible personnel interviewed to determine recent changes/security patches.
Identify the sample of system components selected. <Report Findings Here> Identify the responsible personnel interviewed to determine recent changes/security patches.
Modified
p. 97 → 90
For each change from 6.4.5.b, describe how the changes were traced back to the identified related change control documentation to verify that documented approval by authorized parties is present in the change control documentation for each sampled change.
Modified
p. 97 → 90
• Documented change approval by authorized parties.
Modified
p. 97 → 91
Identify the sample of system components selected for this testing procedure.
Modified
p. 97 → 91
<Report Findings Here> For each item in the sample, identify the sample of changes and the related change control documentation selected for this testing procedure (through 6.4.5.4) <Report Findings Here> 6.4.5.1 Documentation of impact.
<Report Findings Here> For each item in the sample, identify the sample of custom code changes and the related change control documentation selected for this testing procedure.
Modified
p. 97 → 91
For each change from 6.4.5.b, describe how the changes were traced back to the identified related change control documentation to verify that the change control documentation for each sampled change includes evidence that functionality testing is performed to verify that the change does not adversely impact the security of the system.
Removed
p. 98
Identify the sample of system components selected for this testing procedure.
<Report Findings Here> For each item in the sample, identify the sample of custom code changes and the related change control documentation selected for this testing procedure.
<Report Findings Here> 6.5 Address common coding vulnerabilities in software-development processes as follows:
<Report Findings Here> For each item in the sample, identify the sample of custom code changes and the related change control documentation selected for this testing procedure.
<Report Findings Here> 6.5 Address common coding vulnerabilities in software-development processes as follows:
Modified
p. 98 → 91
<Report Findings Here> 6.4.5.3.b For custom code changes, verify that all updates are tested for compliance with PCI DSS Requirement 6.5 before being deployed into production.
Modified
p. 98 → 91
<Report Findings Here> Describe how the custom code changes were traced back to the identified related change control documentation to verify that the change control documentation for each sampled custom code change includes evidence that all updates are tested for compliance with PCI DSS Requirement 6.5 before being deployed into production.
<Report Findings Here> Describe how the custom code changes were traced back to the identified related change control documentation to verify that the change control documentation for each sampled custom code change includes evidence that all updates are tested for compliance with PCI DSS Requirement 6.5 before being deployed into production.
Modified
p. 98 → 91
<Report Findings Here> 6.4.5.4 Back-out procedures.
<Report Findings Here> 6.4.5.4 Back-out procedures. ☐ ☐ ☐ ☐ ☐ 6.4.5.4 Verify that back-out procedures are prepared for each sampled change.
Modified
p. 98 → 91
For each change from 6.4.5.b, describe how the changes were traced back to the identified related change control documentation to verify that back-out procedures are prepared for each sampled change and present in the change control documentation for each sampled change.
Modified
p. 98 → 92
• Train developers in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory.
Modified
p. 98 → 92
• Develop applications based on secure coding guidelines.
Modified
p. 99 → 92
6.5.a Examine software development policies and procedures to verify that training in secure coding techniques is required for developers, based on industry best practices and guidance.
Modified
p. 99 → 92
Identify the document reviewed to verify that training in secure coding techniques is required for developers.
Modified
p. 99 → 92
<Report Findings Here> Identify the industry best practices and guidance that training is based on.
<Report Findings Here> Identify the industry best practices and guidance that training is based on.
Modified
p. 99 → 92
Identify the developers interviewed for this testing procedure.
Modified
p. 99 → 92
<Report Findings Here> For the interview, summarize the relevant details discussed to verify that they are knowledgeable in secure coding techniques.
<Report Findings Here> For the interview, summarize the relevant details discussed to verify that they are knowledgeable in secure coding techniques.
Modified
p. 99 → 92
Identify the records of training that were examined to verify that software developers received training on secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory.
Modified
p. 99 → 92
Identify the software-development policies and procedures examined to verify that processes are in place to protect applications from, at a minimum, the following vulnerabilities:
Modified
p. 99 → 92
<Report Findings Here> Identify the responsible personnel interviewed to verify that processes are in place to protect applications from, at a minimum, the following vulnerabilities:
<Report Findings Here> Identify the responsible personnel interviewed to verify that processes are in place to protect applications from, at a minimum, the following vulnerabilities:
Modified
p. 100 → 93
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested
Modified
p. 100 → 93
• Validating input to verify user data cannot modify meaning of commands and queries.
Modified
p. 100 → 93
<Report Findings Here> Utilizing parameterized queries. <Report Findings Here> 6.5.2 Buffer overflow.
<Report Findings Here> Utilizing parameterized queries. <Report Findings Here> 6.5.2 Buffer overflow. ☐ ☐ ☐ ☐ ☐ 6.5.2 Examine software-development policies and procedures and interview responsible personnel to verify that buffer overflows are addressed by coding techniques that include:
Removed
p. 101
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested Validating buffer boundaries. <Report Findings Here> Truncating input strings. <Report Findings Here> 6.5.3 Insecure cryptographic storage.
Modified
p. 101 → 93
• Use strong cryptographic algorithms and keys.
Modified
p. 101 → 93
Prevent cryptographic flaws. <Report Findings Here> Use strong cryptographic algorithms and keys. <Report Findings Here> 6.5.4 Insecure communications.
Prevent cryptographic flaws. <Report Findings Here> Use strong cryptographic algorithms and keys. <Report Findings Here> 6.5.4 Insecure communications. ☐ ☐ ☐ ☐ ☐
Modified
p. 101 → 94
Authenticate all sensitive communications. <Report Findings Here> Encrypt all sensitive communications. <Report Findings Here>
Authenticate all sensitive communications. <Report Findings Here> Encrypt all sensitive communications. <Report Findings Here> 6.5.5 Improper error handling. ☐ ☐ ☐ ☐ ☐ 6.5.5 Examine-software development policies and procedures and interview responsible personnel to verify that improper error handling is addressed by coding techniques that do not leak information via error messages (for example, by returning generic rather than specific error details).
Removed
p. 102
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 6.5.5 Improper error handling.
Modified
p. 102 → 94
For the interviews at 6.5.d, summarize the relevant interview details that confirm processes are in place, consistent with the software development documentation at 6.5.d, to ensure that improper error handling is addressed by coding techniques that do not leak information via error messages.
Modified
p. 102 → 94
<Report Findings Here> 6.5.6 All “high risk” vulnerabilities identified in the vulnerability identification process (as defined in PCI DSS Requirement 6.1).
<Report Findings Here> 6.5.6 All “high risk” vulnerabilities identified in the vulnerability identification process (as defined in PCI DSS Requirement 6.1). ☐ ☐ ☐ ☐ ☐ 6.5.6 Examine software-development policies and procedures and interview responsible personnel to verify that coding techniques address any “high risk” vulnerabilities that could affect the application, as identified in PCI DSS Requirement 6.1.
Modified
p. 102 → 94
For the interviews at 6.5.d, summarize the relevant interview details that confirm processes are in place, consistent with the software development documentation at 6.5.d, to ensure that applications are not vulnerable to “High” vulnerabilities, as identified in PCI DSS Requirement 6.1.
Modified
p. 102 → 94
Indicate whether web applications and application interfaces are present. (yes/no) If “no,” mark the below 6.5.7-6.5.10 as “Not Applicable.” If “yes,” complete the following:
Modified
p. 102 → 94
<Report Findings Here> 6.5.7 Cross-site scripting (XSS).
<Report Findings Here> 6.5.7 Cross-site scripting (XSS). ☐ ☐ ☐ ☐ ☐
Removed
p. 103
• such as insecure direct object references, failure to restrict URL access, and directory traversal
•is addressed by coding technique that include:
•is addressed by coding technique that include:
Modified
p. 103 → 95
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 6.5.7 Examine software- development policies and procedures and interview responsible personnel to verify that cross-site scripting (XSS) is addressed by coding techniques that include:
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 6.5.7 Examine software-development policies and procedures and interview responsible personnel to verify that cross- site scripting (XSS) is addressed by coding techniques that include:
Modified
p. 103 → 95
• Validating all parameters before inclusion.
Modified
p. 103 → 95
Validating all parameters before inclusion. <Report Findings Here> Utilizing context-sensitive escaping. <Report Findings Here> 6.5.8 Improper access control (such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions).
Validating all parameters before inclusion. <Report Findings Here> Utilizing context-sensitive escaping. <Report Findings Here> 6.5.8 Improper access control (such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions). ☐ ☐ ☐ ☐ ☐ 6.5.8 Examine software-development policies and procedures and interview responsible personnel to verify that improper access control
•such as insecure direct object references, failure to restrict URL access, and directory traversal
•is addressed by coding technique that …
•such as insecure direct object references, failure to restrict URL access, and directory traversal
•is addressed by coding technique that …
Modified
p. 103 → 95
• User interfaces that do not permit access to unauthorized functions.
Modified
p. 103 → 95
Proper authentication of users. <Report Findings Here> Sanitizing input. <Report Findings Here> Not exposing internal object references to users.
Proper authentication of users. <Report Findings Here> Sanitizing input. <Report Findings Here> Not exposing internal object references to users. <Report Findings Here> User interfaces that do not permit access to unauthorized functions.
Removed
p. 104
For the interviews at 6.5.d, summarize the relevant interview details that confirm processes are in place, consistent with the software development documentation at 6.5.d, to ensure that cross-site request forgery (CSRF) is addressed by coding techniques that ensure applications do not rely on authorization credentials and tokens automatically submitted by browsers.
<Report Findings Here> 6.5.10 Broken authentication and session management.
<Report Findings Here> 6.5.10 Broken authentication and session management.
Modified
p. 104 → 96
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 6.5.9 Cross-site request forgery (CSRF).
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 6.5.10 Broken authentication and session management.
Modified
p. 104 → 96
Note: Requirement 6.5.10 is a best practice until June 30, 2015, after which it becomes a requirement.
Note: Requirement 6.5.10 is a best practice until June 30, 2015, after which it becomes a requirement. ☐ ☐ ☐ ☐ ☐ 6.5.10 Examine software development policies and procedures and interview responsible personnel to verify that broken authentication and session management are addressed via coding techniques that commonly include:
Modified
p. 104 → 96
• Incorporating appropriate time-outs and rotation of session IDs after a successful login.
Modified
p. 104 → 96
Indicate whether this ROC is being completed prior to June 30, 2015. (yes/no) <Report Findings Here> If “yes” AND the assessed entity does not have this in place ahead of the requirement’s effective date, mark the remainder of 6.5.10 as “Not Applicable.” If “no” OR if the assessed entity has this in place ahead of the requirement’s effective date, complete the following:
Removed
p. 105
• using either manual or automated vulnerability security assessment tools or methods
•as follows:
•as follows:
Modified
p. 105 → 97
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
Modified
p. 105 → 97
• Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes.
Modified
p. 105 → 97
• Installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic.
Modified
p. 105 → 97
• Examine documented processes, interview personnel, and examine records of application security assessments to verify that public- facing web applications are reviewed •using either manual or automated vulnerability security assessment tools or methods
•as follows: - At least annually. - After any changes. - By an organization that specializes in application security.
•as follows: - At least annually. - After any changes. - By an organization that specializes in application security.
Modified
p. 105 → 97
For each public-facing web application, identify which of the two methods are implemented:
Modified
p. 105 → 97
• Automated technical solution that detects and prevents web-based attacks, such as web application firewalls.
Modified
p. 105 → 97
Describe the tools and/or methods used (manual or automated, or a combination of both).
Modified
p. 105 → 97
<Report Findings Here> Identify the organization(s) confirmed to specialize in application security that is performing the assessments.
<Report Findings Here> Identify the organization(s) confirmed to specialize in application security that is performing the assessments.
Modified
p. 106 → 98
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested Place - At least annually. - After any changes. - By an organization that specializes in application security. - That, at a minimum, all vulnerabilities in Requirement 6.5 are included in the assessment. - That all vulnerabilities are corrected. - That the application is re-evaluated after the corrections.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested Place - That, at a minimum, all vulnerabilities in Requirement 6.5 are included in the assessment. - That all vulnerabilities are corrected. - That the application is re-evaluated after the corrections.
Modified
p. 106 → 98
• Examine the system configuration settings and interview responsible personnel to verify that an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) is in place as follows: - Is situated in front of public-facing web applications to detect and prevent web-based attacks. - Is actively running and up-to-date as applicable. - Is generating audit logs. - Is configured to either block web- based attacks, or generate an alert that is immediately investigated.
Modified
p. 106 → 98
• By an organization that specializes in application security.
Modified
p. 106 → 98
• By an organization that specializes in application security.
Modified
p. 106 → 98
• That, at a minimum, all vulnerabilities in Requirement 6.5 are included in the assessment.
Modified
p. 106 → 98
Requirement 6.5 are included in the assessment.
• That, at a minimum, all vulnerabilities in Requirement 6.5 are included in the assessment.
Modified
p. 106 → 98
• That the application is re-evaluated after the corrections.
Modified
p. 106 → 98
<Report Findings Here> Identify the responsible personnel interviewed who confirm that public-facing web applications are reviewed, as follows:
<Report Findings Here> Identify the responsible personnel interviewed who confirm that public-facing web applications are reviewed, as follows:
Modified
p. 106 → 98
• That all vulnerabilities are corrected.
Modified
p. 106 → 98
• That the application is re-evaluated after the corrections.
Modified
p. 106 → 98
<Report Findings Here> Identify the records of application security assessments examined for this testing procedure.
<Report Findings Here> Identify the records of application security assessments examined for this testing procedure.
Modified
p. 106 → 99
• That at a minimum, all vulnerabilities in requirement 6.5 are included in the assessment.
Modified
p. 106 → 99
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested Describe how the records of application security assessments were examined to verify that public-facing web applications are reviewed as follows:
Removed
p. 107
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested Place block web-based attacks, or generate an alert.
<Report Findings Here> That at a minimum, all vulnerabilities in
<Report Findings Here> That at a minimum, all vulnerabilities in
Modified
p. 107 → 99
• By an organization that specialized in application security.
Modified
p. 107 → 99
• That all vulnerabilities are corrected. <Report Findings Here>
Modified
p. 107 → 99
Describe the automated technical solution in use that detects and prevents web-based attacks.
Modified
p. 107 → 99
<Report Findings Here> Identify the responsible personnel interviewed who confirm that the above automated technical solution in use to detect and prevent web-based attacks is in place as follows:
<Report Findings Here> Identify the responsible personnel interviewed who confirm that the above automated technical solution in use to detect and prevent web-based attacks is in place as follows:
Modified
p. 107 → 99
• Is situated in front of public-facing web applications to detect and prevent web-based attacks.
Modified
p. 107 → 99
• Is actively running and up-to-date as applicable.
Modified
p. 107 → 99
• Is generating audit logs.
Modified
p. 107 → 99
• Is configured to either block web-based attacks, or generate an alert that is immediately investigated.
Modified
p. 107 → 99
<Report Findings Here> Identify the system configuration settings examined for this testing procedure.
<Report Findings Here> Identify the system configuration settings examined for this testing procedure.
Removed
p. 108
Identify the document reviewed to verify that security policies and operational procedures for developing and maintaining secure systems and applications are documented.
Modified
p. 108 → 100
• Is situated in front of public-facing web applications to detect and prevent web-based attacks.
Modified
p. 108 → 100
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested Place Describe how the system configuration settings were examined to verify that the above automated technical solution is use to detect and prevent web-based attacks is in place as follows:
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested Describe how the system configuration settings were examined to verify that the above automated technical solution is use to detect and prevent web-based attacks is in place as follows:
Modified
p. 108 → 100
• Is actively running and up-to-date as applicable.
Modified
p. 108 → 100
• Is configured to either block web-based attacks, or generate an alert that is immediately investigated.
Modified
p. 108 → 100
<Report Findings Here> 6.7 Ensure that security policies and operational procedures for developing and maintaining secure systems and applications are documented, in use, and known to all affected parties.
<Report Findings Here> 6.7 Ensure that security policies and operational procedures for developing and maintaining secure systems and applications are documented, in use, and known to all affected parties. ☐ ☐ ☐ ☐ ☐ 6.7 Examine documentation and interview personnel to verify that security policies and operational procedures for developing and maintaining secure systems and applications are:
Modified
p. 108 → 100
<Report Findings Here> Identify responsible personnel interviewed who confirm that the above documented security policies and operational procedures for developing and maintaining secure systems and applications are:
<Report Findings Here> Identify responsible personnel interviewed who confirm that the above documented security policies and operational procedures for developing and maintaining secure systems and applications are:
Removed
p. 109
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access.
Identify the written policy for access control that was examined to verify the policy incorporates 7.1.1 through 7.1.4 as follows:
Identify the written policy for access control that was examined to verify the policy incorporates 7.1.1 through 7.1.4 as follows:
Modified
p. 109 → 101
Identify the written policy for access control that was examined to verify the policy incorporates 7.1.1 through 7.1.4 as follows:
Modified
p. 109 → 101
• Defining access needs and privilege assignments for each role.
Modified
p. 109 → 101
• Defining access needs and privilege assignments for each role.
Modified
p. 109 → 101
• Restriction of access to privileged user IDs to least privileges necessary to perform job responsibilities.
Modified
p. 109 → 101
• Restriction of access to privileged user IDs to least privileges necessary to perform job responsibilities.
Modified
p. 109 → 101
• Assignment of access based on individual personnel’s job classification and function.
Modified
p. 109 → 101
• Documented approval (electronically or in writing) by authorized parties for all access, including listing of specific privileges approved.
Modified
p. 109 → 101
• Documented approval (electronically or in writing) by authorized parties for all access, including listing of specific privileges approved.
Modified
p. 109 → 101
• Level of privilege required (for example, user, administrator, etc.) for accessing resources.
Removed
p. 110
Identify the responsible personnel interviewed who confirm that access to privileged user IDs is:
Modified
p. 110 → 101
• System components and data resources that each role needs to access for their job function.
Modified
p. 110 → 101
For each role in the selected sample, describe how the role was examined to verify access needs for each role are defined and include:
<Report Findings Here> For each role in the selected sample, describe how the role was examined to verify access needs for each role are defined and include:
Modified
p. 110 → 101
• System components and data resources that each role needs to access for their job function.
Modified
p. 110 → 102
each role are defined and include:
System components and data resources that each role needs to access for their job function.
Modified
p. 110 → 102
<Report Findings Here> 7.1.2 Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities.
<Report Findings Here> 7.1.2 Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities. ☐ ☐ ☐ ☐ ☐ 7.1.2.a Interview personnel responsible for assigning access to verify that access to privileged user IDs is:
Modified
p. 110 → 102
Identify the responsible personnel interviewed who confirm that access to privileged user IDs is:
Modified
p. 110 → 102
• Restricted to least privileges necessary to perform job responsibilities.
Modified
p. 110 → 102
• Assigned only to roles that specifically require such privileged access.
Modified
p. 110 → 102
• Restricted to least privileges necessary to perform job responsibilities.
Modified
p. 110 → 102
• Restricted to least privileges necessary to perform job responsibilities.
Modified
p. 110 → 102
• Restricted to least privileges necessary to perform job responsibilities.
Modified
p. 110 → 102
Identify the sample of user IDs with privileged access selected for this testing procedure.
Modified
p. 110 → 102
<Report Findings Here> Identify the responsible management personnel interviewed to confirm that privileges assigned are:
Modified
p. 110 → 102
• Necessary for that individual’s job function.
Removed
p. 111
<Report Findings Here> Identify the responsible management personnel interviewed who confirm that privileges assigned are based on that individual’s job classification and function.
<Report Findings Here> Describe how each item in the sample of user IDs was compared with documented approvals to verify that:
Modified
p. 111 → 102
Necessary for that individual’s job function. <Report Findings Here> Restricted to least privileges necessary to perform job responsibilities.
Modified
p. 111 → 102
<Report Findings Here> 7.1.3 Assign access based on individual personnel’s job classification and function.
<Report Findings Here> 7.1.3 Assign access based on individual personnel’s job classification and function. ☐ ☐ ☐ ☐ ☐ 7.1.3 Select a sample of user IDs and interview responsible management personnel to verify that privileges assigned are based on that individual’s job classification and function.
Modified
p. 111 → 102
Identify the sample of user IDs examined for this testing procedure.
Modified
p. 111 → 103
Identify the sample of user IDs examined for this testing procedure.
Modified
p. 111 → 103
For the interview, summarize the relevant details discussed to confirm that privileges assigned to each user ID in the selected sample are based on an individual’s job classification and function.
Modified
p. 111 → 103
<Report Findings Here> 7.1.4 Require documented approval by authorized parties specifying required privileges.
<Report Findings Here> 7.1.4 Require documented approval by authorized parties specifying required privileges. ☐ ☐ ☐ ☐ ☐ 7.1.4 Select a sample of user IDs and compare with documented approvals to verify that:
Modified
p. 111 → 103
• That specified privileges match the roles assigned to the individual.
Removed
p. 112
<Report Findings Here> Identify responsible personnel interviewed who confirm that the above documented security policies and operational procedures for restricting access to cardholder data are:
Modified
p. 112 → 103
Identify vendor documentation examined. <Report Findings Here> Describe how system settings were examined with the vendor documentation to verify that access control systems are in place on all system components.
Modified
p. 112 → 103
<Report Findings Here> 7.2.2 Assignment of privileges to individuals based on job classification and function.
<Report Findings Here> 7.2.2 Assignment of privileges to individuals based on job classification and function. ☐ ☐ ☐ ☐ ☐ 7.2.2 Confirm that access control systems are configured to enforce privileges assigned to individuals based on job classification and function.
Modified
p. 112 → 103
<Report Findings Here> 7.2.3 Default “deny-all” setting.
<Report Findings Here> 7.2.3 Default “deny-all” setting. ☐ ☐ ☐ ☐ ☐
Modified
p. 112 → 104
7.2 Examine system settings and vendor documentation to verify that an access control system is implemented as follows:
7.2.3 Confirm that the access control systems have a default “deny-all” setting.
Modified
p. 112 → 104
Describe how system settings were examined with vendor documentation at 7.2.1 to verify that access control systems have a default “deny-all” setting.
Modified
p. 112 → 104
<Report Findings Here> 7.3 Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties.
<Report Findings Here> 7.3 Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties. ☐ ☐ ☐ ☐ ☐ 7.3 Examine documentation and interview personnel to verify that security policies and operational procedures for restricting access to cardholder data are:
Modified
p. 112 → 104
<Report Findings Here> Identify responsible personnel interviewed who confirm that the above documented security policies and operational procedures for restricting access to cardholder data are:
Removed
p. 114
Identify the written procedures for user identification management examined to verify processes are defined for each of the items below at 8.1.1 through 8.1.8:
Modified
p. 114 → 105
8.1 Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators on all system components as follows:
8.1 Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators on all system components as follows: ☐ ☐ ☐ ☐ ☐ 8.1.a Review procedures and confirm they define processes for each of the items below at 8.1.1 through 8.1.8.
Modified
p. 114 → 105
Identify the written procedures for user identification management examined to verify processes are defined for each of the items below at 8.1.1 through 8.1.8:
Modified
p. 114 → 105
• Assign all users a unique ID before allowing them to access system components or cardholder data.
Modified
p. 114 → 105
• Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.
Modified
p. 114 → 105
• Immediately revoke access for any terminated users.
Modified
p. 114 → 105
• Remove/disable inactive user accounts at least every 90 days.
Modified
p. 114 → 105
• Manage IDs used by vendors to access, support, or maintain system components via remote access as follows: - Enabled only during the time period needed and disabled when not in use. - Monitored when in use.
Modified
p. 114 → 105
• Limit repeated access attempts by locking out the user ID after not more than six attempts.
Modified
p. 114 → 105
• Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID.
Modified
p. 114 → 105
• If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session.
Removed
p. 115
<Report Findings Here> For the interview, summarize the relevant details discussed to confirm that all users are assigned a unique ID for access to system components or cardholder data.
<Report Findings Here> Describe how the current user access lists for remote access were reviewed to verify that the sampled user IDs have been deactivated or removed from the access lists.
Modified
p. 115 → 105
<Report Findings Here> 8.1.b Verify that procedures are implemented for user identification management, by performing the following:
Modified
p. 115 → 106
Identify the responsible administrative personnel interviewed for this testing procedure.
Modified
p. 115 → 106
<Report Findings Here> 8.1.2 Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.
<Report Findings Here> 8.1.2 Control addition, deletion, and modification of user IDs, credentials, and other identifier objects. ☐ ☐ ☐ ☐ ☐ 8.1.2 For a sample of privileged user IDs and general user IDs, examine associated authorizations and observe system settings to verify each user ID and privileged user ID has been implemented with only the privileges specified on the documented approval.
Modified
p. 115 → 106
Identify the sample of privileged user IDs selected for this testing procedure.
Modified
p. 115 → 106
<Report Findings Here> Identify the sample of general user IDs selected for this testing procedure.
Modified
p. 115 → 106
For the sample of privileged user IDs. <Report Findings Here> For the sample of general user IDs. <Report Findings Here> 8.1.3 Immediately revoke access for any terminated users.
For the sample of privileged user IDs. <Report Findings Here> For the sample of general user IDs. <Report Findings Here> 8.1.3 Immediately revoke access for any terminated users. ☐ ☐ ☐ ☐ ☐ 8.1.3.a Select a sample of users terminated in the past six months, and review current user access lists, for both local and remote access, to verify that their IDs have been deactivated or removed from the access lists.
Modified
p. 115 → 106
<Report Findings Here> Describe how the current user access lists for remote access were reviewed to verify that the sampled user IDs have been deactivated or removed from the access lists.
Modified
p. 115 → 106
Identify the sample of users terminated in the past six months selected.
Modified
p. 115 → 106
<Report Findings Here> Describe how the current user access lists for local access were reviewed to verify that the sampled user IDs have been deactivated or removed from the access lists.
Removed
p. 116
Describe how user accounts were observed to verify that any inactive accounts over 90 days old are either removed or disabled.
Modified
p. 116 → 106
<Report Findings Here> 8.1.3.b Verify all physical authentication methods, such as smart cards, tokens, etc., have been returned or deactivated.
Modified
p. 116 → 106
For the sample of users terminated in the past six months at 8.1.3.a, describe how it was determined which, if any, physical authentication methods, the terminated users had access to prior to termination.
Modified
p. 116 → 107
Describe how the physical authentication method(s) for the terminated employees were verified to have been returned or deactivated.
Modified
p. 116 → 107
<Report Findings Here> 8.1.4 Remove/disable inactive user accounts at least every 90 days.
<Report Findings Here> 8.1.4 Remove/disable inactive user accounts within 90 days. ☐ ☐ ☐ ☐ ☐ 8.1.4 Observe user accounts to verify that any inactive accounts over 90 days old are either removed or disabled.
Modified
p. 116 → 107
• Enabled only during the time period needed and disabled when not in use.
Modified
p. 116 → 107
• Enabled only when needed by the vendor, and disabled when not in use.
Modified
p. 116 → 107
Identify the personnel interviewed who confirm that accounts used by vendors for remote access are:
Modified
p. 116 → 107
• Disabled when not in use.
Modified
p. 116 → 107
• Enabled only when needed by the vendor, and disabled when not in use.
Modified
p. 117 → 107
Identify the personnel interviewed who confirm that accounts used by vendors for remote access are monitored while being used.
Modified
p. 117 → 107
<Report Findings Here> Describe how processes for managing accounts used by vendors to access, support, or maintain system components were observed to verify that vendor remote access accounts are monitored while being used.
Modified
p. 117 → 107
<Report Findings Here> 8.1.6 Limit repeated access attempts by locking out the user ID after not more than six attempts.
<Report Findings Here> 8.1.6 Limit repeated access attempts by locking out the user ID after not more than six attempts. ☐ ☐ ☐ ☐ ☐
Modified
p. 117 → 108
8.1.6.a For a sample of system components, inspect system configuration settings to verify that authentication parameters are set to require that user accounts be locked out after not more than six invalid logon attempts.
Modified
p. 117 → 108
<Report Findings Here> For each item in the sample, describe how system configuration settings were inspected to verify that authentication parameters are set to require that user accounts be locked after not more than six invalid logon attempts.
Modified
p. 117 → 108
<Report Findings Here> 8.1.6.b Additional procedure for service providers: Review internal processes and customer/user documentation, and observe implemented processes to verify that non-consumer user accounts are temporarily locked-out after not more than six invalid access attempts.
<Report Findings Here> 8.1.6.b Additional procedure for service provider assessments only: Review internal processes and customer/user documentation, and observe implemented processes to verify that non-consumer customer user accounts are temporarily locked-out after not more than six invalid access attempts.
Modified
p. 117 → 108
Additional procedure for service provider assessments only, identify the documented internal processes and customer/user documentation reviewed to verify that non-consumer customer user accounts are temporarily locked-out after not more than six invalid access attempts.
Modified
p. 117 → 108
<Report Findings Here> Describe the implemented processes that were observed to verify that non-consumer user accounts are temporarily locked-out after not more than six invalid access attempts.
<Report Findings Here> Describe the implemented processes that were observed to verify that non-consumer customer user accounts are temporarily locked-out after not more than six invalid access attempts.
Modified
p. 117 → 108
<Report Findings Here> 8.1.7 Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID.
<Report Findings Here> 8.1.7 Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID. ☐ ☐ ☐ ☐ ☐ 8.1.7 For a sample of system components, inspect system configuration settings to verify that password parameters are set to require that once a user account is locked out, it remains locked for a minimum of 30 minutes or until a system administrator resets the account.
Modified
p. 117 → 109
8.1.5.b Interview personnel and observe processes to verify that vendor remote access accounts are monitored while being used.
settings to verify that system/session idle time out features have been set to 15 minutes or less.
Removed
p. 118
Identify the sample of system components selected for this testing procedure.
Removed
p. 118
<Report Findings Here> For each item in the sample, describe how system configuration settings were inspected to verify that system/session idle time out features have been set to 15 minutes or less.
Modified
p. 118 → 108
<Report Findings Here> For each item in the sample, describe how system configuration settings were inspected to verify that password parameters are set to require that once a user account is locked out, it remains locked for a minimum of 30 minutes or until a system administrator resets the account.
Modified
p. 118 → 108
<Report Findings Here> 8.1.8 If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session.
<Report Findings Here> 8.1.8 If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session. ☐ ☐ ☐ ☐ ☐ 8.1.8 For a sample of system components, inspect system configuration settings to verify that system/session idle time out features have been set to 15 minutes or less. Identify the sample of system components selected for this testing procedure.
Modified
p. 118 → 109
For each item in the sample, describe how system configuration settings were inspected to verify that system/session idle time out features have been set to 15 minutes or less.
Modified
p. 118 → 109
• Something you know, such as a password or passphrase.
Modified
p. 118 → 109
• Something you have, such as a token device or smart card.
Modified
p. 118 → 109
• Something you are, such as a biometric.
Modified
p. 118 → 109
Identify the document describing the authentication method(s) used that was reviewed to verify that the methods require users to be authenticated using a unique ID and additional authentication for access to the cardholder data environment.
Removed
p. 119
<Report Findings Here> Identify the sample of system components selected.
<Report Findings Here> For each item in the sample, describe how system configuration settings were examined to verify that passwords are protected with strong cryptography during storage.
Modified
p. 119 → 109
<Report Findings Here> Describe the authentication methods used (for example, a password or passphrase, a token device or smart card, a biometric, etc.) for each type of system component.
Modified
p. 119 → 109
<Report Findings Here> 8.2.1 Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components.
<Report Findings Here> 8.2.1 Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components. ☐ ☐ ☐ ☐ ☐
Modified
p. 119 → 110
<Report Findings Here> For each item in the sample, describe how system configuration settings were examined to verify that passwords are protected with strong cryptography during storage.
Modified
p. 119 → 110
Identify the vendor documentation reviewed for this testing procedure.
Modified
p. 119 → 110
<Report Findings Here> For each item in the sample, describe how system configuration settings were examined to verify that passwords are protected with strong cryptography during transmission.
<Report Findings Here> Identify the sample of system components selected. <Report Findings Here> For each item in the sample, describe how system configuration settings were examined to verify that passwords are protected with strong cryptography during transmission.
Modified
p. 119 → 110
For each item in the sample at 8.2.1.a, describe how password files were examined to verify that passwords are unreadable during storage.
Modified
p. 120 → 110
<Report Findings Here> 8.2.1.c For a sample of system components, examine data transmissions to verify that passwords are unreadable during transmission.
Modified
p. 120 → 110
For each item in the sample at 8.2.1.a, describe how password files were examined to verify that passwords are unreadable during transmission.
Modified
p. 120 → 110
<Report Findings Here> 8.2.1.d Additional procedure for service providers: Observe password files to verify that customer passwords are unreadable during storage.
<Report Findings Here> 8.2.1.d Additional procedure for service provider assessments only: Observe password files to verify that non-consumer customer passwords are unreadable during storage.
Modified
p. 120 → 110
Additional procedure for service provider assessments only: for each item in the sample at 8.2.1.a, describe how password files were examined to verify that non-consumer customer passwords are unreadable during storage.
Modified
p. 120 → 110
<Report Findings Here> 8.2.1.e Additional procedure for service providers: Observe data transmissions to verify that customer passwords are unreadable during transmission.
<Report Findings Here> 8.2.1.e Additional procedure for service provider assessments only: Observe data transmissions to verify that non-consumer customer passwords are unreadable during transmission.
Modified
p. 120 → 110
Additional procedure for service provider assessments only: for each item in the sample at 8.2.1.a, describe how password files were examined to verify that non-consumer customer passwords are unreadable during transmission.
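As an added example, not part of the ROC template or any PCI SSC material, the following Python script performs the account review that 8.1.3.a, 8.1.4 and 8.2.1.b above ask the assessor to carry out on a Linux host: it parses /etc/shadow-style records, joins them with a last-login table and an HR leaver list, and reports terminated IDs that are still enabled, enabled accounts unused for more than 90 days, and password hashes not produced by a strong algorithm. All input data is constructed inline; the list of hash prefixes treated as strong cryptography and the choice to date never-used accounts from their last password change are this example's own assumptions.

```python
"""Account review for PCI DSS 8.1.3.a (terminated users), 8.1.4 (inactive
accounts) and 8.2.1.b (password hashes at rest) on a Linux host.
Added example, not part of the ROC template. The shadow records, last-login
table and leaver list are constructed samples; on a real host they come from
/etc/shadow, `lastlog` and the HR leaver list."""
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
TODAY = date(2015, 4, 30)        # assumed assessment date
MAX_INACTIVE_DAYS = 90           # 8.1.4
# Hash prefixes this example accepts as strong cryptography for stored
# passwords: sha512crypt, sha256crypt, yescrypt, scrypt, bcrypt. This is the
# example's own list, not one published by PCI SSC.
STRONG_HASH_PREFIXES = ("$6$", "$5$", "$y$", "$7$", "$2a$", "$2b$", "$2y$")

def ago(days):
    return TODAY - timedelta(days=days)

def shadow_line(name, pw_hash, last_change, expire=None):
    """One constructed /etc/shadow record; dates are days since 1970-01-01."""
    exp = "" if expire is None else str((expire - EPOCH).days)
    return f"{name}:{pw_hash}:{(last_change - EPOCH).days}:0:90:7::{exp}:"

# Constructed sample; hash bodies are placeholders, not real digests.
SHADOW = "\n".join([
    shadow_line("root",  "$6$salt$hashA", ago(20)),
    shadow_line("alice", "$y$j9T$salt$hashB", ago(10)),
    shadow_line("bob",   "!$6$salt$hashC", ago(200)),              # locked (usermod -L)
    shadow_line("carol", "$1$salt$hashD", ago(30)),                # MD5-crypt
    shadow_line("dave",  "$6$salt$hashE", ago(120)),               # never logged in
    shadow_line("erin",  "$6$salt$hashF", ago(5), expire=ago(1)),  # expired yesterday
    shadow_line("svc",   "*", ago(400)),                           # no password login
    shadow_line("frank", "$6$salt$hashG", ago(15)),                # left, still enabled
])
# Constructed lastlog output; None means the user has never logged in.
LAST_LOGIN = {"root": ago(1), "alice": ago(3), "bob": ago(150), "carol": ago(95),
              "dave": None, "erin": ago(2), "svc": None, "frank": ago(40)}
TERMINATED = {"bob", "frank"}    # constructed HR leaver list for 8.1.3.a

def parse_shadow(text):
    """Parse shadow records into {name: {hash, last_change, expire}}."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) < 8:
            raise ValueError(f"malformed shadow record: {line!r}")
        entries[f[0]] = {
            "hash": f[1],
            "last_change": EPOCH + timedelta(days=int(f[2])) if f[2] else None,
            "expire": EPOCH + timedelta(days=int(f[7])) if f[7] else None,
        }
    return entries

def is_disabled(entry, today=TODAY):
    """Locked ('!' prefix), no usable password ('*'), or past its expiry date."""
    if entry["hash"].startswith(("!", "*")):
        return True
    return entry["expire"] is not None and entry["expire"] <= today

def terminated_still_enabled(entries, terminated, today=TODAY):
    """8.1.3.a: leavers whose IDs were neither deactivated nor removed."""
    return sorted(n for n in terminated if n in entries and not is_disabled(entries[n], today))

def inactive_accounts(entries, last_login, today=TODAY, max_days=MAX_INACTIVE_DAYS):
    """8.1.4: enabled accounts unused for more than max_days. An account that
    never logged in is measured from its last password change (assumed to be
    its provisioning date) rather than silently skipped."""
    findings = []
    for name, e in entries.items():
        if is_disabled(e, today):
            continue
        ref = last_login.get(name) or e["last_change"]
        if ref is None or (today - ref).days > max_days:
            findings.append(name)
    return sorted(findings)

def weak_password_hashes(entries):
    """8.2.1.b: stored hashes not made with a strong salted algorithm.
    A locked account keeps its hash behind the '!' and is still assessed."""
    findings = []
    for name, e in entries.items():
        h = e["hash"].lstrip("!")
        if h in ("", "*"):           # nothing stored, nothing to assess here
            continue
        if not h.startswith(STRONG_HASH_PREFIXES):
            findings.append(name)
    return sorted(findings)

if __name__ == "__main__":
    entries = parse_shadow(SHADOW)
    print("8.1.3 terminated but enabled:", terminated_still_enabled(entries, TERMINATED))
    print("8.1.4 inactive over 90 days: ", inactive_accounts(entries, LAST_LOGIN))
    print("8.2.1 weak password hashes:  ", weak_password_hashes(entries))
```

On the constructed data the script flags frank (terminated, still enabled), carol and dave (no login in over 90 days; dave never logged in and is dated from provisioning) and carol again for an MD5-crypt hash, while bob, erin and svc are correctly treated as already disabled. The two judgment calls an assessor must still make are which hash algorithms count as strong cryptography and how to date accounts that have never been used.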
Modified
p. 120 → 110
<Report Findings Here> 8.2.2 Verify user identity before modifying any authentication credential, for example, performing password resets, provisioning new tokens, or generating new keys.
<Report Findings Here> 8.2.2 Verify user identity before modifying any authentication credential, for example, performing password resets, provisioning new tokens, or generating new keys. ☐ ☐ ☐ ☐ ☐
Modified
p. 120 → 111
Identify the document examined to verify that authentication procedures for modifying authentication credentials define that if a user requests a reset of an authentication credential by a non-face-to-face method, the user’s identity is verified before the authentication credential is modified.
Modified
p. 120 → 111
<Report Findings Here> Describe the non-face-to-face methods used for requesting password resets.
Modified
p. 120 → 111
<Report Findings Here> Describe how security personnel were observed to verify that if a user requests a reset of an authentication credential by a non-face-to-face method, the user’s identity is verified before the authentication credential is modified.
Removed
p. 121
8.2.3 Passwords/phrases must meet the following:
<Report Findings Here> Describe how internal processes were reviewed to verify that non-consumer user passwords are required to meet at least the following strength/complexity:
A minimum length of at least seven characters. <Report Findings Here> Non-consumer user passwords are required to contain both numeric and alphabetic characters.
Modified
p. 121 → 111
• Require a minimum length of at least seven characters.
Modified
p. 121 → 111
• Require a minimum length of at least seven characters.
Modified
p. 121 → 111
• Contain both numeric and alphabetic characters.
Modified
p. 121 → 112
<Report Findings Here> Contain both numeric and alphabetic characters. <Report Findings Here> 8.2.3.b Additional procedure for service providers: Review internal processes and customer/user documentation to verify that non-consumer user passwords are required to meet at least the following strength/complexity:
<Report Findings Here> Describe how internal processes were reviewed to verify that non-consumer customer passwords are required to meet at least the following strength/complexity:
Modified
p. 121 → 112
A minimum length of at least seven characters. <Report Findings Here> Non-consumer customer passwords are required to contain both numeric and alphabetic characters.
Modified
p. 121 → 112
Additional procedure for service provider assessments only: Identify the documented internal processes and customer/user documentation reviewed to verify that non-consumer customer passwords are required to meet at least the following strength/complexity:
Modified
p. 121 → 112
• A minimum length of at least seven characters.
Modified
p. 121 → 112
• Non-consumer user passwords are required to contain both numeric and alphabetic characters.
Removed
p. 122
8.2.4.a For a sample of system components, inspect system configuration settings to verify that user password parameters are set to require users to change passwords at least every 90 days.
For service providers only, identify the documented internal processes and customer/user documentation reviewed to verify that:
Modified
p. 122 → 112
<Report Findings Here> For each item in the sample, describe how system configuration settings were inspected to verify that user password parameters are set to require users to change passwords at least every 90 days.
<Report Findings Here> For each item in the sample, describe how system configuration settings were inspected to verify that user password parameters are set to require users to change passwords at least once every 90 days.
Modified
p. 122 → 113
8.2.4 Change user passwords/passphrases at least every 90 days.
8.2.4.b Additional procedure for service provider assessments only: Review internal processes and customer/user documentation to verify that:
Modified
p. 122 → 113
Additional procedure for service provider assessments only, identify the documented internal processes and customer/user documentation reviewed to verify that:
Modified
p. 122 → 113
• Non-consumer customer users are given guidance as to when, and under what circumstances, passwords must change.
Modified
p. 122 → 113
• Non-consumer customer users are given guidance as to when, and under what circumstances, passwords must change.
Modified
p. 122 → 113
Non-consumer user passwords are required to change periodically; and <Report Findings Here> Non-consumer users are given guidance as to when, and under what circumstances, passwords must change.
Non-consumer customer user passwords are required to change periodically; and <Report Findings Here> Non-consumer customer users are given guidance as to when, and under what circumstances, passwords must change.
Modified
p. 122 → 113
<Report Findings Here> 8.2.5 Do not allow an individual to submit a new password/phrase that is the same as any of the last four passwords/phrases he or she has used.
<Report Findings Here> 8.2.5 Do not allow an individual to submit a new password/phrase that is the same as any of the last four passwords/phrases he or she has used. ☐ ☐ ☐ ☐ ☐ 8.2.5.a For a sample of system components, obtain and inspect system configuration settings to verify that password parameters are set to require that new passwords cannot be the same as the four previously used passwords.
Modified
p. 122 → 113
Identify the sample of system components selected for this testing procedure.
Removed
p. 123
For service providers only, identify the documented internal processes and customer/user documentation reviewed to verify that new non-consumer user passwords cannot be the same as the previous four passwords.
<Report Findings Here> Describe how internal processes were reviewed to verify that new non-consumer user passwords cannot be the same as the previous four passwords.
Modified
p. 123 → 113
<Report Findings Here> For each item in the sample, describe how system configuration settings were inspected to verify that password parameters are set to require that new passwords cannot be the same as the four previously used passwords.
Modified
p. 123 → 113
<Report Findings Here> 8.2.5.b Additional Procedure for service providers, review internal processes and customer/user documentation to verify that new non-consumer user passwords cannot be the same as the previous four passwords.
<Report Findings Here> 8.2.5.b Additional Procedure for service provider assessments only: Review internal processes and customer/user documentation to verify that new non-consumer customer user passwords cannot be the same as the Additional procedure for service provider assessments only, identify the documented internal processes and customer/user documentation reviewed to verify that new non-consumer customer user passwords cannot be the same as the previous four passwords.
Modified
p. 123 → 114
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested Place inspect system configuration settings to verify that password parameters are set to require that new passwords cannot be the same as the four previously used passwords.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested Place previous four passwords. Describe how internal processes were reviewed to verify that new non-consumer customer user passwords cannot be the same as the previous four passwords.
Modified
p. 123 → 114
<Report Findings Here> 8.2.6 Set passwords/phrases for first-time use and upon reset to a unique value for each user, and change immediately after the first use.
<Report Findings Here> 8.2.6 Set passwords/phrases for first-time use and upon reset to a unique value for each user, and change immediately after the first use. ☐ ☐ ☐ ☐ ☐ 8.2.6 Examine password procedures and observe security personnel to verify that first-time passwords for new users, and reset passwords for existing users, are set to a unique value for each user and changed after first use.
Modified
p. 123 → 114
Identify the documented password procedures examined to verify the procedures define that:
Modified
p. 123 → 114
• First-time passwords must be set to a unique value for each user.
Modified
p. 123 → 114
• First-time passwords must be changed after the first use.
Modified
p. 123 → 114
• Reset passwords must be set to a unique value for each user.
Modified
p. 123 → 114
• Reset passwords must be changed after the first use.
Removed
p. 124
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested Set reset passwords to a unique value for each existing user.
Modified
p. 124 → 114
<Report Findings Here> Set reset passwords to be changed after first use.
<Report Findings Here> Set reset passwords to a unique value for each existing user.
Modified
p. 124 → 114
<Report Findings Here> 8.3 Incorporate two-factor authentication for remote network access originating from outside the network, by personnel (including users and administrators) and all third parties, (including vendor access for support or maintenance).
<Report Findings Here> Set reset passwords to be changed after first use. <Report Findings Here> 8.3 Incorporate two-factor authentication for remote network access originating from outside the network, by personnel (including users and administrators) and all third parties, (including vendor access for support or maintenance).
Modified
p. 124 → 115
8.3.a Examine system configurations for remote access servers and systems to verify two-factor authentication is required for:
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 8.3.a Examine system configurations for remote access servers and systems to verify two-factor authentication is required for:
Modified
p. 124 → 115
• All remote access by personnel.
Modified
p. 124 → 115
• All third-party/vendor remote access (including access to applications and system components for support or maintenance purposes).
Modified
p. 124 → 115
<Report Findings Here> 8.3.b Observe a sample of personnel (for example, users and administrators) connecting remotely to the network and verify that at least two of the Identify the sample of personnel observed connecting remotely to the network selected.
<Report Findings Here> 8.3.b Observe a sample of personnel (for example, users and administrators) connecting remotely to the network and verify that at least two of the three authentication methods are used.
Modified
p. 124 → 115
<Report Findings Here> For each item in the sample, describe how two-factor authentication was observed to be required for remote access to the network.
<Report Findings Here> For each item in the sample, describe how two-factor authentication was observed to be required for remote access to the network.
Modified
p. 125 → 115
<Report Findings Here> Identify which two factors are used:
Modified
p. 125 → 115
• Something you have <Report Findings Here> 8.4 Document and communicate authentication policies and procedures to all users including:
Modified
p. 125 → 115
• Instructions not to reuse previously used passwords.
Modified
p. 125 → 115
• Instructions to change passwords if there is any suspicion the password could be compromised.
Modified
p. 125 → 115
8.4.a Examine procedures and interview personnel to verify that authentication procedures and policies are distributed to all users.
8.4.a Examine procedures and interview personnel to verify that authentication policies and procedures are distributed to all users.
Modified
p. 125 → 115
Identify the documented policies and procedures examined to verify authentication procedures define that authentication procedures and policies are distributed to all users.
Modified
p. 125 → 115
<Report Findings Here> Identify the personnel interviewed who confirm that authentication procedures and policies are distributed to all users.
<Report Findings Here> Identify the personnel interviewed who confirm that authentication policies and procedures are distributed to all users.
Modified
p. 125 → 116
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested Place three authentication methods are used.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 8.4.b Review authentication policies and procedures that are distributed to users and verify they include:
Removed
p. 126
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 8.4.b Review authentication procedures and policies that are distributed to users and verify they include:
Modified
p. 126 → 116
• Instructions to change passwords if there is any suspicion the password could be compromised.
Modified
p. 126 → 116
• Instructions for users not to reuse previously used passwords.
Modified
p. 126 → 116
• Instructions for users not to reuse previously used passwords.
Modified
p. 126 → 116
Identify the documented authentication policies and procedures that are distributed to users reviewed to verify they include:
Modified
p. 126 → 116
• That users should change passwords if there is any suspicion the password could be compromised.
Modified
p. 126 → 116
<Report Findings Here> 8.4.c Interview a sample of users to verify that they are familiar with authentication procedures and policies.
<Report Findings Here> 8.4.c Interview a sample of users to verify that they are familiar with authentication policies and procedures.
Modified
p. 126 → 116
Identify the sample of users interviewed for this testing procedure.
Modified
p. 126 → 116
<Report Findings Here> For the interview, summarize the relevant details discussed that verify that the sampled users are familiar with authentication procedures and policies.
<Report Findings Here> For the interview, summarize the relevant details discussed that verify that the sampled users are familiar with authentication policies and procedures.
Modified
p. 126 → 116
• Generic user IDs are disabled or removed.
Modified
p. 126 → 116
• Generic user IDs are disabled or removed.
Modified
p. 126 → 116
• Shared user IDs do not exist for system administration and other critical functions.
Modified
p. 126 → 116
• Shared and generic user IDs are not used to administer any system components.
Modified
p. 126 → 116
Generic user IDs are disabled or removed. <Report Findings Here>
Generic user IDs are disabled or removed. <Report Findings Here> Shared user IDs for system administration activities and other critical functions do not exist.
Removed
p. 127
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested Place Shared user IDs for system administration activities and other critical functions do not exist.
Shared and generic user IDs are not used to administer any system components.
Identify the documented policies/procedures examined to verify authentication policies/procedures define that use of group and shared IDs and/or passwords or other authentication methods are explicitly prohibited.
Shared and generic user IDs are not used to administer any system components.
Identify the documented policies/procedures examined to verify authentication policies/procedures define that use of group and shared IDs and/or passwords or other authentication methods are explicitly prohibited.
Modified
p. 127 → 117
Identify the documented policies and procedures examined to verify authentication policies/procedures define that use of group and shared IDs and/or passwords or other authentication methods are explicitly prohibited.
Modified
p. 127 → 117
Identify the system administrators interviewed who confirm that group and shared IDs and/or passwords or other authentication methods are not distributed, even if requested.
Modified
p. 127 → 117
<Report Findings Here> 8.5.1 Additional requirement for service providers: Service providers with remote access to customer premises (for example, for support of POS systems or servers) must use a unique authentication credential (such as a password/phrase) for each customer.
<Report Findings Here> 8.5.1 Additional requirement for service providers only: Service providers with remote access to customer premises (for example, for support of POS systems or servers) must use a unique authentication credential (such as a password/phrase) for each customer.
Removed
p. 128
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested Place customer. Identify the documented procedures examined to verify that different authentication is used for access to each customer.
Modified
p. 128 → 117
<Report Findings Here> For the interview, summarize the relevant details discussed to confirm that different authentication is used for access to each customer.
<Report Findings Here> For the interview, summarize the relevant details discussed to confirm that different authentication credentials are used for access to each customer.
Modified
p. 128 → 118
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 8.6 Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.) use of these mechanisms must be assigned as follows:
Modified
p. 128 → 118
• Authentication mechanisms must be assigned to an individual account and not shared among multiple accounts.
Modified
p. 128 → 118
• Physical and/or logical controls must be in place to ensure only the intended account can use that mechanism to gain access.
Modified
p. 128 → 118
• Authentication mechanisms are assigned to an individual account and not shared among multiple accounts.
Modified
p. 128 → 118
• Authentication mechanisms are assigned to an individual account and not shared among multiple accounts.
Modified
p. 128 → 118
• Physical and/or logical controls are defined to ensure only the intended account can use that mechanism to gain access.
Modified
p. 128 → 118
• Physical and/or logical controls are defined to ensure only the intended account can use that mechanism to gain access.
Modified
p. 128 → 118
Identify the documented authentication policies and procedures examined to verify the procedures for using authentication mechanisms define that:
Removed
p. 129
Identify all databases containing cardholder data.
<Report Findings Here> Describe how database and/or application configuration settings were observed to verify that all users are authenticated prior to access.
<Report Findings Here> Describe how database and/or application configuration settings were observed to verify that all users are authenticated prior to access.
Modified
p. 129 → 118
<Report Findings Here> 8.6.b Interview security personnel to verify authentication mechanisms are assigned to an account and not shared among multiple accounts.
Modified
p. 129 → 118
Identify the security personnel interviewed who confirm that authentication mechanisms are assigned to an account and not shared among multiple accounts.
Modified
p. 129 → 118
<Report Findings Here> For each item in the sample, describe how system configuration settings and/or physical controls, as applicable, were examined to verify that controls are implemented to ensure only the intended account can use that mechanism to gain access.
<Report Findings Here> For each item in the sample, describe how system configuration settings and/or physical controls, as applicable, were examined to verify that controls are implemented to ensure only the intended account can use that mechanism to gain access.
Modified
p. 129 → 118
• All user access to, user queries of, and user actions on databases are through programmatic methods.
Modified
p. 129 → 118
• Only database administrators have the ability to directly access or query databases.
Modified
p. 129 → 118
• Application IDs for database applications can only be used by the applications (and not by individual users or other non-application processes).
Modified
p. 129 → 119
<Report Findings Here> Describe how database and/or application configuration settings were observed to verify that all users are authenticated prior to access.
Modified
p. 129 → 119
<Report Findings Here> Describe how authentication is managed (for example, via application and/or database interfaces).
Identify all databases containing cardholder data. <Report Findings Here> Describe how authentication is managed (for example, via application and/or database interfaces).
Modified
p. 130 → 119
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 8.7.b Examine database and application configuration settings to verify that all user access to, user queries of, and user actions on (for example, move, copy, delete), the database are through programmatic methods only (for example, through stored procedures).
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 8.7.a Review database and application configuration settings and verify that all users are authenticated prior to access.
Removed
p. 131
<Report Findings Here> Identify responsible personnel interviewed who confirm that the above documented security policies and operational procedures for identification and authentication are:
Modified
p. 131 → 120
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 8.7.d Examine database access control settings, database application configuration settings, and the related application IDs to verify that application IDs can only be used by the applications (and not by individual users or other processes).
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 8.7.d Examine database access control settings, database application configuration settings, and the related application IDs to verify that application IDs can only be used by the applications (and not by individual users or other processes).
Modified
p. 131 → 120
Identify applications with access to the database.
Identify applications with access to the database. <Report Findings Here> Describe the implemented methods for ensuring that application IDs can only be used by the applications.
Modified
p. 131 → 120
<Report Findings Here> 8.8 Ensure that security policies and operational procedures for identification and authentication are documented, in use, and known to all affected parties.
<Report Findings Here> 8.8 Ensure that security policies and operational procedures for identification and authentication are documented, in use, and known to all affected parties. ☐ ☐ ☐ ☐ ☐ 8.8 Examine documentation and interview personnel to verify that security policies and operational procedures for identification and authentication are:
Modified
p. 131 → 120
<Report Findings Here> Identify responsible personnel interviewed who confirm that the above documented security policies and operational procedures for identification and authentication are:
Modified
p. 132 → 121
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 9.1 Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) Not Tested 9.1 Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment. ☐ ☐ ☐ ☐ ☐ 9.1 Verify the existence of physical security controls for each computer room, data center, and other physical areas with systems in the cardholder data environment.
Modified
p. 132 → 121
• Verify that access is controlled with badge readers or other devices including authorized badges and lock and key.
Modified
p. 132 → 121
• Observe a system administrator’s attempt to log into consoles for randomly selected systems in the cardholder environment and verify that they are “locked” to prevent unauthorized use.
Modified
p. 132 → 121
Describe the physical security controls to be in place, including authorized badges and lock and key.
Modified
p. 132 → 121
<Report Findings Here> Identify the randomly selected systems in the cardholder environment for which a system administrator login attempt was observed.
<Report Findings Here> Identify the randomly selected systems in the cardholder environment for which a system administrator login attempt was observed.
Modified
p. 132 → 121
<Report Findings Here> Describe how consoles for the randomly selected systems were observed to verify that they are “locked” when not in use to prevent unauthorized use.
<Report Findings Here> Describe how consoles for the randomly selected systems were observed to verify that they are “locked” when not in use to prevent unauthorized use.
Modified
p. 132 → 121
Describe the video cameras and/or access control mechanisms observed to monitor the entry/exit points to sensitive areas.
Modified
p. 133 → 121
Describe how the video cameras and/or access control mechanisms were observed to be protected from tampering and/or disabling.
Modified
p. 133 → 121
<Report Findings Here> 9.1.1.c Verify that video cameras and/or access control mechanisms are monitored and that data from cameras or other mechanisms is stored for at least three months.
<Report Findings Here> 9.1.1.b Verify that video cameras and/or access control mechanisms are protected from tampering or disabling.
Modified
p. 133 → 122
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 9.1.1.b Verify that video cameras and/or access control mechanisms are protected from tampering or disabling.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) Not Tested 9.1.1.c Verify that data from video cameras and/or access control mechanisms is reviewed, and that data is stored for at least three months.
Modified
p. 133 → 122
Describe how the data from video cameras and/or access control mechanisms were observed to be reviewed.
Modified
p. 133 → 122
<Report Findings Here> Describe how data from the cameras and/or access control mechanisms was observed to be stored for at least three months.
<Report Findings Here> Describe how data was observed to be stored for at least three months.
Modified
p. 133 → 122
Identify responsible personnel interviewed who confirm that physical and/or logical controls are in place to restrict access to publicly accessible network jacks.
Modified
p. 133 → 122
<Report Findings Here> Describe the physical and/or logical controls observed at the locations of publicly accessible network jacks to verify the controls are in place to restrict access.
<Report Findings Here> Describe the physical and/or logical controls observed at the locations of publicly accessible network jacks to verify the controls are in place to restrict access.
Modified
p. 133 → 122
<Report Findings Here> 9.1.3 Restrict physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines.
<Report Findings Here> 9.1.3 Restrict physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines. ☐ ☐ ☐ ☐ ☐ 9.1.3 Verify that physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines is appropriately restricted.
Modified
p. 133 → 122
Wireless access points <Report Findings Here> Wireless gateways <Report Findings Here> Wireless handheld devices <Report Findings Here> Network/communications hardware <Report Findings Here>
Wireless access points <Report Findings Here> Wireless gateways <Report Findings Here> Wireless handheld devices <Report Findings Here> Network/communications hardware <Report Findings Here> Telecommunication lines <Report Findings Here> 9.2 Develop procedures to easily distinguish between onsite personnel and visitors, to include:
Modified
p. 134 → 122
• Identifying onsite personnel and visitors (for example, assigning badges).
Modified
p. 134 → 122
• Changes to access requirements.
Modified
p. 134 → 122
• Revoking or terminating onsite personnel and expired visitor identification (such as ID badges).
Modified
p. 134 → 123
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested Telecommunication lines <Report Findings Here> 9.2 Develop procedures to easily distinguish between onsite personnel and visitors, to include:
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) Not Tested 9.2.a Review documented processes to verify that procedures are defined for identifying and distinguishing between onsite personnel and visitors.
Modified
p. 134 → 123
• Revoking terminated onsite personnel and expired visitor identification (such as ID badges).
Modified
p. 134 → 123
• Revoking terminated onsite personnel and expired visitor identification (such as ID badges).
Modified
p. 134 → 123
Identify the documented processes reviewed to verify that procedures are defined for identifying and distinguishing between onsite personnel and visitors, including the following:
Modified
p. 134 → 123
<Report Findings Here> 9.2.b Observe processes for identifying and distinguishing between onsite personnel and visitors to verify that:
<Report Findings Here> 9.2.b Examine identification methods (such as ID badges) and observe processes for identifying and distinguishing between onsite personnel and visitors to verify that:
Modified
p. 134 → 123
• It is easy to distinguish between onsite personnel and visitors.
Modified
p. 134 → 123
Describe how processes for identifying and distinguishing between onsite personnel and visitors were observed to verify that:
Identify the identification methods examined. <Report Findings Here> Describe how processes for identifying and distinguishing between onsite personnel and visitors were observed to verify that:
Removed
p. 135
<Report Findings Here> 9.2.d Examine identification methods (such as ID badges) in use to verify that they clearly identify visitors and it is easy to distinguish between onsite personnel and visitors.
Briefly describe the identification method in use for onsite personnel and visitors.
<Report Findings Here> Describe how the identification methods were examined to verify that:
The identification method(s) clearly identify visitors.
<Report Findings Here> 9.3 Control physical access for onsite personnel to the sensitive areas as follows:
Identify the sample of onsite personnel with physical access to the CDE interviewed for this testing procedure.
Briefly describe the identification method in use for onsite personnel and visitors.
<Report Findings Here> Describe how the identification methods were examined to verify that:
The identification method(s) clearly identify visitors.
<Report Findings Here> 9.3 Control physical access for onsite personnel to the sensitive areas as follows:
Identify the sample of onsite personnel with physical access to the CDE interviewed for this testing procedure.
Modified
p. 135 → 123
Identify the document that defines that access to the identification process is limited to authorized personnel.
Modified
p. 135 → 123
<Report Findings Here> Describe how access to the identification process was observed to be limited to authorized personnel.
<Report Findings Here> Describe how access to the identification process was observed to be limited to authorized personnel.
Modified
p. 135 → 123
<Report Findings Here> It is easy to distinguish between onsite personnel and visitors.
<Report Findings Here> 9.3 Control physical access for onsite personnel to sensitive areas as follows:
Modified
p. 135 → 123
• Access must be authorized and based on individual job function.
Modified
p. 135 → 123
• Access is revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc., are returned or disabled.
Modified
p. 135 → 124
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 9.2.c Verify that access to the identification process (such as a badge system) is limited to authorized personnel.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) Not Tested 9.3.a For a sample of onsite personnel with physical access to sensitive areas, interview responsible personnel and observe access control lists to verify that:
Modified
p. 135 → 124
Identify the sample of onsite personnel with physical access to sensitive areas interviewed for this testing procedure.
Modified
p. 135 → 124
• Access to the sensitive area is authorized.
Modified
p. 135 → 124
• Access is required for the individual’s job function.
Modified
p. 135 → 124
Access to the CDE is authorized. <Report Findings Here> Access is required for the individual’s job function.
Access to the sensitive area is authorized. <Report Findings Here> Access is required for the individual’s job function. <Report Findings Here> 9.3.b Observe personnel accessing sensitive areas to verify that all personnel are authorized before being granted access.
Removed
p. 136
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 9.3.b Observe personnel access the CDE to verify that all personnel are authorized before being granted access.
Identify the sample of users recently terminated.
Are escorted at all times within areas where cardholder data is processed and maintained.
Identify the sample of users recently terminated.
Are escorted at all times within areas where cardholder data is processed and maintained.
Modified
p. 136 → 124
Describe how personnel accessing sensitive areas were observed to verify that all personnel are authorized before being granted access.
Modified
p. 136 → 124
<Report Findings Here> 9.3.c Select a sample of recently terminated employees and review access control lists to verify the personnel do not have physical access to the CDE.
<Report Findings Here> 9.3.c Select a sample of recently terminated employees and review access control lists to verify the personnel do not have physical access to sensitive areas.
Modified
p. 136 → 124
<Report Findings Here> For all items in the sample, provide the name of the assessor who attests that the access control lists were reviewed to verify the personnel do not have physical access to the CDE.
Identify the sample of users recently terminated. <Report Findings Here> For all items in the sample, provide the name of the assessor who attests that the access control lists were reviewed to verify the personnel do not have physical access to sensitive areas.
Modified
p. 136 → 124
Describe how visitor authorization processes were observed to verify that visitors:
Modified
p. 136 → 124
• Must be authorized before they are granted access to areas where cardholder data is processed or maintained.
Modified
p. 136 → 125
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) Not Tested Identify personnel interviewed who confirm that visitor authorization processes are in place so that visitors must be authorized before they are granted access to, and escorted at all times within, areas where cardholder data is processed or maintained.
Removed
p. 137
<Report Findings Here> Describe how visitors within the facility were observed to be easily distinguishable from onsite personnel.
Describe how visitors leaving the facility were observed to verify they are asked to surrender their badge or other identification upon departure or expiration.
Describe how visitors leaving the facility were observed to verify they are asked to surrender their badge or other identification upon departure or expiration.
Modified
p. 137 → 125
<Report Findings Here> 9.4.1.b Observe the use of visitor badges or other identification to verify that a physical token badge does not permit unescorted access to physical areas where cardholder data is processed or maintained.
Modified
p. 137 → 125
Describe how the use of visitor badges or other identification was observed to verify that a physical token badge does not permit unescorted access to physical areas where cardholder data is processed or maintained.
Modified
p. 137 → 125
<Report Findings Here> 9.4.2 Visitors are identified and given a badge or other identification that expires and that visibly distinguishes the visitors from onsite personnel.
<Report Findings Here> 9.4.2 Visitors are identified and given a badge or other identification that expires and that visibly distinguishes the visitors from onsite personnel. ☐ ☐ ☐ ☐ ☐ 9.4.2.a Observe people within the facility to verify the use of visitor badges or other identification, and that visitors are easily distinguishable from onsite personnel.
Modified
p. 137 → 125
Describe how people within the facility were observed to use visitor badges or other identification.
Modified
p. 137 → 125
<Report Findings Here> Describe how visitors within the facility were observed to be easily distinguishable from onsite personnel.
Modified
p. 137 → 125
Describe how visitor badges or other identification were verified to expire.
Modified
p. 137 → 125
<Report Findings Here> 9.4.3 Visitors are asked to surrender the badge or identification before leaving the facility or at the date of expiration.
<Report Findings Here> 9.4.3 Visitors are asked to surrender the badge or identification before leaving the facility or at the date of expiration. ☐ ☐ ☐ ☐ ☐ 9.4.3 Observe visitors leaving the facility to verify visitors are asked to surrender their badge or other identification upon departure or expiration.
Removed
p. 138
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 9.4.4.a Verify that a visitor log is in use to record physical access to the facility as well as computer rooms and data centers where cardholder data is stored or transmitted.
Identify the defined retention period for visitor logs.
<Report Findings Here> For all types of media used, describe the controls for physically securing the media used.
9.5.1.a Observe the storage location’s physical security to confirm that backup media storage is secure.
Identify all locations where backup media is stored.
Modified
p. 138 → 125
Describe how it was verified that a visitor log is in use to record physical access to:
9.4.4.a Verify that a visitor log is in use to record physical access to the facility as well as computer rooms and data centers where cardholder data is stored or transmitted.
Modified
p. 138 → 126
The facility. <Report Findings Here> Computer rooms and data centers where cardholder data is stored or transmitted.
Modified
p. 138 → 126
• The onsite personnel authorizing physical access.
Modified
p. 138 → 126
Provide the name of the assessor who attests that the visitor log contains:
Modified
p. 138 → 126
<Report Findings Here> Describe how visitor logs were observed to be retained for at least three months.
Identify the defined retention period for visitor logs. <Report Findings Here> Describe how visitor logs were observed to be retained for at least three months.
Modified
p. 138 → 126
<Report Findings Here> 9.5 Physically secure all media.
<Report Findings Here> For all types of media used, describe the controls for physically securing the media used.
Modified
p. 138 → 126
Identify the documented procedures for protecting cardholder data reviewed to verify controls for physically securing all media are defined.
Modified
p. 138 → 126
<Report Findings Here> 9.5.1 Store media backups in a secure location, preferably an off-site facility, such as an alternate or back-up site, or a commercial storage facility. Review the location’s security at least annually.
<Report Findings Here> 9.5.1 Store media backups in a secure location, preferably an off-site facility, such as an alternate or back-up site, or a commercial storage facility. Review the location’s security at least annually. ☐ ☐ ☐ ☐ ☐ 9.5.1.a Observe the storage location’s physical security to confirm that backup media storage is secure.
Removed
p. 139
Identify the documented policy reviewed to verify policy defines how media is classified.
Modified
p. 139 → 126
Identify all locations where backup media is stored. <Report Findings Here> Describe how it was observed that backup media storage is stored in a secure location.
Modified
p. 139 → 126
Identify the document reviewed to verify that the storage location must be reviewed at least annually.
Modified
p. 139 → 126
<Report Findings Here> Describe how processes were observed to verify that reviews of the security of each storage location are performed at least annually.
Modified
p. 139 → 126
<Report Findings Here> 9.6 Maintain strict control over the internal or external distribution of any kind of media, including the following:
<Report Findings Here> 9.6 Maintain strict control over the internal or external distribution of any kind of media, including the following: ☐ ☐ ☐ ☐ ☐
Modified
p. 139 → 127
Identify the documented policy reviewed to verify policy defines how media is classified.
Modified
p. 139 → 127
<Report Findings Here> Describe how media distribution is controlled, including distribution to individuals.
Modified
p. 139 → 127
<Report Findings Here> 9.6.1 Classify media so the sensitivity of the data can be determined.
<Report Findings Here> 9.6.1 Classify media so the sensitivity of the data can be determined. ☐ ☐ ☐ ☐ ☐ 9.6.1 Verify that all media is classified so the sensitivity of the data can be determined.
Modified
p. 139 → 127
<Report Findings Here> Describe how the classifications were observed to be implemented so the sensitivity of the data can be determined.
<Report Findings Here> Describe how offsite tracking records were examined to verify that all media is logged and sent via secured courier or other delivery method that can be tracked.
Modified
p. 139 → 127
<Report Findings Here> 9.6.2 Send the media by secured courier or other delivery method that can be accurately tracked.
<Report Findings Here> 9.6.2 Send the media by secured courier or other delivery method that can be accurately tracked. ☐ ☐ ☐ ☐ ☐ 9.6.2.a Interview personnel and examine records to verify that all media sent outside the facility is logged and sent via secured courier or other delivery method that can be tracked.
Modified
p. 139 → 127
Identify the personnel interviewed who confirm that all media sent outside the facility is logged and sent via secured courier or other delivery method that can be tracked.
Modified
p. 139 → 127
<Report Findings Here> Identify the record examined for this testing procedure.
<Report Findings Here> Identify the records examined for this testing procedure.
Removed
p. 140
Identify the documented policy for controlling storage and maintenance of all media that was reviewed to verify that the policy defines required periodic media inventories.
Modified
p. 140 → 127
9.6 Verify that a policy exists to control distribution of media, and that the policy covers all distributed media including that distributed to individuals.
Modified
p. 140 → 127
Identify the sample of recent offsite tracking logs for all media selected.
Modified
p. 140 → 127
<Report Findings Here> For each item in the sample, describe how the offsite tracking logs were reviewed to verify that tracking details are documented.
Modified
p. 140 → 127
<Report Findings Here> 9.6.3 Ensure management approves any and all media that is moved from a secured area (including when media is distributed to individuals).
<Report Findings Here> 9.6.3 Ensure management approves any and all media that is moved from a secured area (including when media is distributed to individuals). ☐ ☐ ☐ ☐ ☐
Modified
p. 140 → 128
Identify responsible personnel interviewed who confirm that proper management authorization is obtained whenever media is moved from a secured area (including when media is distributed to individuals).
Modified
p. 140 → 128
<Report Findings Here> For each item in the sample in 9.6.2.b, describe how offsite tracking logs were examined to verify proper management authorization is obtained whenever media is moved from a secured area (including when media is distributed to individuals).
Modified
p. 140 → 128
<Report Findings Here> 9.7 Maintain strict control over the storage and accessibility of media.
<Report Findings Here> 9.7 Maintain strict control over the storage and accessibility of media. ☐ ☐ ☐ ☐ ☐ 9.7 Obtain and examine the policy for controlling storage and maintenance of all media and verify that the policy requires periodic media inventories.
Removed
p. 141
9.7.1 Properly maintain inventory logs of all media and conduct media inventories at least annually.
Identify the policy document for periodic media destruction that was examined to verify it covers all media and defines requirements for the following:
Modified
p. 141 → 128
Identify the media inventory logs reviewed. <Report Findings Here> Describe how the media inventory logs were reviewed to verify that:
Modified
p. 141 → 128
<Report Findings Here> Media inventories are performed at least annually.
<Report Findings Here> Media inventories are performed at least annually. <Report Findings Here> 9.8 Destroy media when it is no longer needed for business or legal reasons as follows: ☐ ☐ ☐ ☐ ☐
Modified
p. 141 → 129
• Hard-copy materials must be crosscut shredded, incinerated, or pulped such that there is reasonable assurance the hard-copy materials cannot be reconstructed.
Modified
p. 141 → 129
• Storage containers used for materials that are to be destroyed must be secured.
Modified
p. 141 → 129
• Cardholder data on electronic media must be rendered unrecoverable (e.g. via a secure wipe program in accordance with industry-accepted standards for secure deletion, or by physically destroying the media).
Removed
p. 142
Identify personnel interviewed who confirm that hard-copy materials are crosscut shredded, incinerated, or pulped such that there is reasonable assurance the hard-copy materials cannot be reconstructed.
<Report Findings Here> 9.8.2 Render cardholder data on electronic media unrecoverable so that cardholder data cannot be reconstructed.
Describe how cardholder data on electronic media is rendered unrecoverable, via secure wiping of media and/or physical destruction of media.
Modified
p. 142 → 129
9.8.1 Shred, incinerate, or pulp hard-copy materials so that cardholder data cannot be reconstructed. Secure storage containers used for materials that are to be destroyed.
9.8 Examine the periodic media destruction policy and verify that it covers all media and defines requirements for the following:
Modified
p. 142 → 129
Identify personnel interviewed who confirm that hard-copy materials are crosscut shredded, incinerated, or pulped such that there is reasonable assurance the hard-copy materials cannot be reconstructed.
Modified
p. 142 → 129
<Report Findings Here> Describe how the procedures were examined to verify that hard-copy materials are crosscut shredded, incinerated, or pulped such that there is reasonable assurance that hard-copy materials cannot be reconstructed.
Modified
p. 142 → 129
Describe how the storage containers used for materials to be destroyed are secured.
Modified
p. 142 → 130
<Report Findings Here> If data is rendered unrecoverable via secure deletion or a secure wipe program, identify the industry-accepted standards used.
Removed
p. 143
9.9 Examine documented policies and procedures to verify they include:
Identify the documented up-to-date list of devices examined to verify it includes:
Modified
p. 143 → 130
• Maintaining a list of devices.
Modified
p. 143 → 130
• Periodically inspecting devices to look for tampering or substitution.
Modified
p. 143 → 130
• Training personnel to be aware of suspicious behavior and to report tampering or substitution of POS devices.
Modified
p. 143 → 130
Indicate whether this ROC is being completed prior to June 30, 2015. (yes/no) <Report Findings Here> If “yes” AND the assessed entity does not have this in place ahead of the requirement’s effective date, mark 9.9 - 9.9.3.b as “Not Applicable.” If not OR if the assessed entity has this in place ahead of the requirement’s effective date, complete the following:
Modified
p. 143 → 130
Identify the documented policies and procedures examined to verify they include:
Modified
p. 143 → 130
• Location of device (for example, the address of the site or facility where the device is located).
Modified
p. 143 → 130
• Make, model of device.
Modified
p. 143 → 130
• Device serial number or other method of unique identification.
Modified
p. 143 → 131
Identify the documented up-to-date list of devices examined to verify it includes:
Modified
p. 143 → 131
If “yes” at 9.9 AND the assessed entity does not have this in place ahead of the requirement’s effective date, mark 9.9.1.a - 9.9.1.c as “Not Applicable.” If not OR if the assessed entity has this in place ahead of the requirement’s effective date, complete the following:
Removed
p. 144
Identify the documented procedures examined to verify that processes are defined to include the following:
Modified
p. 144 → 131
9.9.1.b Select a sample of devices from the list and observe device locations to verify that the list is accurate and up-to-date.
9.9.1.a Examine the list of devices to verify it includes:
Modified
p. 144 → 131
Identify the sample of devices from the list selected for this testing procedure.
Modified
p. 144 → 131
<Report Findings Here> For all items in the sample, describe how the device locations for the sample of devices was observed to verify that the list is accurate and up-to-date.
<Report Findings Here> For all items in the sample, describe how the devices and device locations for the sample of devices were observed to verify that the list is accurate and up-to- date.
Modified
p. 144 → 131
Identify personnel interviewed for this testing procedure.
Modified
p. 144 → 131
<Report Findings Here> For the interview, summarize the relevant details discussed that verify the list of devices is updated when devices are added, relocated, decommissioned, etc.
Modified
p. 144 → 132
Identify the documented procedures examined to verify that processes are defined to include the following:
Modified
p. 144 → 132
• Procedures for inspecting devices.
Modified
p. 144 → 132
If “yes” at 9.9 AND the assessed entity does not have this in place ahead of the requirement’s effective date, mark 9.9.2.a - 9.9.2.b as “Not Applicable.” If not OR if the assessed entity has this in place ahead of the requirement’s effective date, complete the following:
Modified
p. 144 → 132
• Frequency of inspections.
Removed
p. 145
• Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices.
• Do not install, replace, or return devices without verification.
• Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices).
• Report suspicious behavior and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer).
Modified
p. 145 → 132
9.9.2.b Interview responsible personnel and observe inspection processes to verify:
9.9.2.a Examine documented procedures to verify processes are defined to include the following:
Modified
p. 145 → 132
• All devices are periodically inspected for evidence of tampering and substitution.
Modified
p. 145 → 132
Identify responsible personnel interviewed who confirm that:
Modified
p. 145 → 132
• Personnel are aware of procedures for inspecting devices.
Modified
p. 146 → 132
• Verifying the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices.
If “yes” at 9.9 AND the assessed entity does not have this in place ahead of the requirement’s effective date, mark 9.9.3.a - 9.9.3.b as “Not Applicable.” If not OR if the assessed entity has this in place ahead of the requirement’s effective date, complete the following:
Modified
p. 146 → 134
9.9.3.a Review training materials for personnel at point-of-sale locations to verify it includes training in the following:
9.9.3.b Interview a sample of personnel at point-of-sale locations to verify they have received training and are aware of the procedures for the following:
Modified
p. 147 → 133
Modified
p. 147 → 133
Identify the training materials for personnel at point-of-sale locations that were reviewed to verify the materials include training in the following:
Modified
p. 147 → 133
• Verifying the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices.
Modified
p. 147 → 133
• Not to install, replace, or return devices without verification.
Modified
p. 147 → 133
• Being aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices).
Modified
p. 147 → 133
• Reporting all suspicious behavior to appropriate personnel (for example, a manager or security officer).
Modified
p. 147 → 133
• Reporting tampering or substitution of devices.
Removed
p. 148
9.9.3.b Interview a sample of personnel at point-of-sale locations to verify they have received training and are aware of the procedures for the following:
• Verifying the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices.
• Not to install, replace, or return devices without verification.
• Being aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices).
• Reporting suspicious behavior and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer).
Identify the document reviewed to verify that security policies and operational procedures for restricting physical access to cardholder data are documented.
Modified
p. 148 → 134
Identify the sample of personnel at point-of-sale locations interviewed to verify they have received training.
Modified
p. 148 → 134
<Report Findings Here> 9.10 Ensure that security policies and operational procedures for restricting physical access to cardholder data are documented, in use, and known to all affected parties.
<Report Findings Here> 9.10 Ensure that security policies and operational procedures for restricting physical access to cardholder data are documented, in use, and known to all affected parties. ☐ ☐ ☐ ☐ ☐ 9.10 Examine documentation and interview personnel to verify that security policies and operational procedures for restricting physical access to cardholder data are:
Removed
p. 149
• Documented.
• In use.
• Known to all affected parties.
Modified
p. 150 → 135
10.1 Implement audit trails to link all access to system components to each individual user.
10.1 Implement audit trails to link all access to system components to each individual user. ☐ ☐ ☐ ☐ ☐ 10.1 Verify, through observation and interviewing the system administrator, that:
Modified
p. 150 → 135
• Audit trails are enabled and active for system components.
Modified
p. 150 → 135
• Access to system components is linked to individual users.
Modified
p. 150 → 135
Identify the system administrator(s) interviewed who confirm that:
Modified
p. 151 → 136
Identify the responsible personnel interviewed who confirm the following from 10.2.1-10.2.7 are logged:
Modified
p. 151 → 136
• All individual access to cardholder data.
Modified
p. 151 → 136
• All actions taken by any individual with root or administrative privileges.
Modified
p. 151 → 136
• Access to all audit trails.
Modified
p. 151 → 136
• Invalid logical access attempts.
• Use of and changes to identification and authentication mechanisms, including:
o All elevation of privileges.
o All changes, additions, or deletions to any account with root or administrative privileges.
Modified
p. 151 → 136
• Initialization of audit logs.
Modified
p. 151 → 136
• Stopping or pausing of audit logs.
Modified
p. 151 → 136
• Creation and deletion of system level objects.
Modified
p. 151 → 138
10.2 Implement automated audit trails for all system components to reconstruct the following events:
10.2.4 Verify invalid logical access attempts are logged.
Modified
p. 152 → 137
• All individual access to cardholder data.
Modified
p. 152 → 137
• All actions taken by any individual with root or administrative privileges.
Modified
p. 152 → 137
• Access to all audit trails.
Modified
p. 152 → 137
• Initialization of audit logs.
Modified
p. 152 → 137
• Stopping or pausing of audit logs.
Modified
p. 152 → 137
• Creation and deletion of system level objects.
Modified
p. 152 → 137
Identify the sample of audit logs observed to verify the following from 10.2.1-10.2.7 are logged:
Modified
p. 152 → 137
• Invalid logical access attempts.
Modified
p. 152 → 137
• Use of and changes to identification and authentication mechanisms, including:
o All elevation of privileges.
o All changes, additions, or deletions to any account with root or administrative privileges.
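The reporting instruction above asks the assessor to identify a sample of audit logs and state which of the 10.2.1-10.2.7 events they show. The following is an added example of how a practitioner can triage such a sample before the interviews; it is not part of the PCI SSC template and is not PCI SSC code. The log lines are constructed, and the regular expressions are assumptions about message formats (sshd, sudo, useradd/usermod, auditd, a database and an application log) that have to be adjusted to each in-scope log source. The sample deliberately contains nothing that touches the audit trail itself, so 10.2.3 surfaces as a gap; a gap in the sample means the assessor still has to examine the audit log configuration, it does not by itself mean the control is absent.

```python
"""Map a sample of audit log lines to the PCI DSS 10.2.1-10.2.7 event
categories and report which categories the sample gives no evidence for.

Added example, not part of the PCI SSC ROC Reporting Template. The log
lines and the regex rules are constructed for illustration; a real review
maps the actual message formats of each in-scope log source."""
import re

# 10.2 event categories as listed in the template. 10.2.6 (audit log
# initialization/stopping/pausing) and 10.2.7 (system-level objects) are the
# numbers PCI DSS 3.x assigns to the last two bullets.
REQUIREMENTS = {
    "10.2.1": "All individual user accesses to cardholder data",
    "10.2.2": "All actions taken by any individual with root or administrative privileges",
    "10.2.3": "Access to all audit trails",
    "10.2.4": "Invalid logical access attempts",
    "10.2.5": "Use of and changes to identification and authentication mechanisms",
    "10.2.6": "Initialization, stopping, or pausing of the audit logs",
    "10.2.7": "Creation and deletion of system-level objects",
}

# Constructed matching rules (assumption: these message formats are what the
# in-scope hosts emit). One line may be evidence for several requirements,
# e.g. a sudo-to-root entry is both an admin action (10.2.2) and an
# elevation of privilege (10.2.5).
RULES = [
    ("10.2.1", re.compile(r"action=\w+ object=card")),
    ("10.2.2", re.compile(r"USER=root ; COMMAND=")),
    ("10.2.3", re.compile(r"/var/log/audit|ausearch|aureport|audit\.log")),
    ("10.2.4", re.compile(r"Failed password|authentication failure|invalid user")),
    ("10.2.5", re.compile(r"Accepted (?:password|publickey)|new user:|usermod\[|USER=root")),
    ("10.2.6", re.compile(r"audit daemon (?:start|stop|paus)")),
    ("10.2.7", re.compile(r"\b(?:CREATE|DROP) TABLE\b|\b(?:insmod|rmmod)\b")),
]

# Constructed sample lines (not captured from a real system). Hostnames,
# users and addresses are placeholders.
SAMPLE_LOGS = [
    "Mar  3 10:01:12 app01 sshd[4021]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2",
    "Mar  3 10:02:45 app01 sshd[4030]: Accepted publickey for jdoe from 203.0.113.5 port 50112 ssh2",
    "Mar  3 10:03:01 app01 sudo: jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/usr/bin/systemctl restart tokenizer",
    "Mar  3 10:03:40 app01 useradd[4101]: new user: name=svc_batch, UID=1007, GID=1007, home=/srv/batch, shell=/usr/sbin/nologin",
    "Mar  3 10:04:10 app01 usermod[4110]: add 'svc_batch' to group 'wheel'",
    "Mar  3 10:05:00 db01 cardvault[2201]: user=jdoe action=READ object=card_table rows=12",
    "Mar  3 10:06:30 db01 auditd[912]: audit daemon stopped",
    "Mar  3 10:08:00 db01 postgres[3300]: user=dba db=payments LOG: statement: DROP TABLE card_table_old",
    "Mar  3 10:09:00 app01 cron[5000]: (root) CMD (/usr/bin/logrotate /etc/logrotate.conf)",
]


def classify(line):
    """Return the set of 10.2 requirement ids a single log line is evidence for."""
    return {req for req, pattern in RULES if pattern.search(line)}


def coverage(lines):
    """Group lines by requirement; also return the lines matching no rule,
    which is where an unfamiliar log source or a rule gap shows up."""
    hits = {req: [] for req in REQUIREMENTS}
    unmatched = []
    for line in lines:
        matched = classify(line)
        if not matched:
            unmatched.append(line)
        for req in matched:
            hits[req].append(line)
    return hits, unmatched


def gaps(lines):
    """Requirement ids for which the sample contains no evidence at all."""
    hits, _ = coverage(lines)
    return sorted(req for req, evidence in hits.items() if not evidence)


def report(lines):
    """Human-readable summary, one row per requirement."""
    hits, unmatched = coverage(lines)
    rows = []
    for req, desc in REQUIREMENTS.items():
        status = f"{len(hits[req])} line(s)" if hits[req] else "NO EVIDENCE"
        rows.append(f"{req}  {status:12}  {desc}")
    rows.append(f"unclassified lines: {len(unmatched)}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(report(SAMPLE_LOGS))
```

Run against the constructed sample, the report shows evidence for every category except 10.2.3 and one unclassified cron line; in a real review, the unclassified lines are worth a look, because they are where a source the rules do not yet understand hides.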
Modified
p. 152 → 137
<Report Findings Here> 10.2.1 All individual user accesses to cardholder data.
<Report Findings Here> 10.2.1 All individual user accesses to cardholder data. ☐ ☐ ☐ ☐ ☐ 10.2.1 Verify all individual access to cardholder data is logged.
Modified
p. 152 → 137
<Report Findings Here> 10.2.2 All actions taken by any individual with root or administrative privileges.
<Report Findings Here> 10.2.2 All actions taken by any individual with root or administrative privileges. ☐ ☐ ☐ ☐ ☐ 10.2.2 Verify all actions taken by any individual with root or administrative privileges are logged.
Modified
p. 152 → 137
For all items in the sample at 10.2, describe how configuration settings were observed to verify access to all audit trails is logged.
Modified
p. 152 → 138
For all items in the sample at 10.2, describe how configuration settings were observed to verify invalid logical access attempts are logged.
Removed
p. 153
For all items in the sample at 10.2, describe how configuration settings were observed to verify invalid logical access attempts are logged.
For all items in the sample at 10.2, describe how configuration settings were observed to verify use of identification and authentication mechanisms is logged.
For all items in the sample at 10.2, describe how configuration settings were observed to verify use of identification and authentication mechanisms is logged.
Modified
p. 153 → 136
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 10.2.3 Access to all audit trails.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 10.2 Implement automated audit trails for all system components to reconstruct the following events: ☐ ☐ ☐ ☐ ☐ 10.2 Through interviews of responsible personnel, observation of audit logs, and examination of audit log settings, perform the following:
Modified
p. 153 → 137
<Report Findings Here> 10.2.4 Invalid logical access attempts.
<Report Findings Here> 10.2.4 Invalid logical access attempts. ☐ ☐ ☐ ☐ ☐
Modified
p. 153 → 138
For all items in the sample at 10.2, describe how configuration settings were observed to verify use of identification and authentication mechanisms is logged.
Modified
p. 153 → 138
<Report Findings Here> 10.2 5 Use of and changes to identification and authentication mechanisms
•including but not limited to creation of new accounts and elevation of privileges
•and all changes, additions, or deletions to accounts with root or administrative privileges.
<Report Findings Here> 10.2.5 Use of and changes to identification and authentication mechanisms
•including but not limited to creation of new accounts and elevation of privileges
•and all changes, additions, or deletions to accounts with root or administrative privileges. ☐ ☐ ☐ ☐ ☐ 10.2.5.a Verify use of identification and authentication mechanisms is logged.
Modified
p. 153 → 138
For all items in the sample at 10.2, describe how configuration settings were observed to verify all elevation of privileges is logged.
Modified
p. 153 → 138
For all items in the sample at 10.2, describe how configuration settings were observed to verify all changes, additions, or deletions to any account with root or administrative privileges are logged.
Modified
p. 153 → 138
<Report Findings Here> 10.2.6 Initialization, stopping, or pausing of the audit logs.
<Report Findings Here> 10.2.6 Initialization, stopping, or pausing of the audit logs. ☐ ☐ ☐ ☐ ☐ 10.2.6 Verify the following are logged:
Removed
p. 154
• User identification
• Type of event
• Date and time
• Success or failure indication
• Origination of event <Report Findings Here>
Modified
p. 154 → 138
• Stopping or pausing of audit logs.
Modified
p. 154 → 138
For all items in the sample at 10.2, describe how configuration settings were observed to verify initialization of audit logs is logged.
Modified
p. 154 → 138
<Report Findings Here> For all items in the sample at 10.2, describe how configuration settings were observed to verify stopping and pausing of audit logs is logged.
<Report Findings Here> For all items in the sample at 10.2, describe how configuration settings were observed to verify stopping and pausing of audit logs is logged.
Modified
p. 154 → 138
<Report Findings Here> 10.2.7 Creation and deletion of system-level objects.
<Report Findings Here> 10.2.7 Creation and deletion of system-level objects. ☐ ☐ ☐ ☐ ☐ 10.2.7 Verify creation and deletion of system level objects are logged.
Modified
p. 154 → 138
<Report Findings Here> 10.3 Record at least the following audit trail entries for all system components for each event:
<Report Findings Here> 10.3 Record at least the following audit trail entries for all system components for each event: ☐ ☐ ☐ ☐ ☐
Modified
p. 154 → 139
Identify the responsible personnel interviewed who confirm that for each auditable event from 10.2.1-10.2.7, the following are included in log entries:
Modified
p. 154 → 140
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 10.2.6 Verify the following are logged:
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 10.3.4 Verify success or failure indication is included in log entries.
Modified
p. 154 → 140
For all logs in the sample at 10.3, describe how the audit logs were observed to verify origination of event is included in log entries.
Modified
p. 155 → 139
• Origination of event <Report Findings Here> Identify the sample of audit logs from 10.2.1-10.2.7 observed to verify the following are included in log entries:
Modified
p. 155 → 139
• Origination of event <Report Findings Here> 10.3.1 User identification ☐ ☐ ☐ ☐ ☐ 10.3.1 Verify user identification is included in log entries.
Modified
p. 155 → 139
For all logs in the sample at 10.3, describe how the audit logs were observed to verify user identification is included in log entries.
Modified
p. 155 → 139
<Report Findings Here> 10.3.2 Type of event 10.3.2 Verify type of event is included in log entries.
<Report Findings Here> 10.3.2 Type of event ☐ ☐ ☐ ☐ ☐ 10.3.2 Verify type of event is included in log entries.
Modified
p. 155 → 139
For all logs in the sample at 10.3, describe how the audit logs were observed to verify type of event is included in log entries.
Modified
p. 155 → 139
<Report Findings Here> 10.3.3 Date and time 10.3.3 Verify date and time stamp is included in log entries.
<Report Findings Here> 10.3.3 Date and time ☐ ☐ ☐ ☐ ☐ 10.3.3 Verify date and time stamp is included in log entries.
Modified
p. 155 → 139
For all logs in the sample at 10.3, describe how the audit logs were observed to verify date and time stamp is included in log entries.
Modified
p. 155 → 139
<Report Findings Here> 10.3.4 Success or failure indication 10.3.4 Verify success or failure indication is included in log entries.
<Report Findings Here> 10.3.4 Success or failure indication ☐ ☐ ☐ ☐ ☐
Modified
p. 155 → 140
For all logs in the sample at 10.3, describe how the audit logs were observed to verify success or failure indication is included in log entries.
Modified
p. 155 → 140
<Report Findings Here> 10.3.5 Origination of event 10.3.5 Verify origination of event is included in log entries.
<Report Findings Here> 10.3.5 Origination of event ☐ ☐ ☐ ☐ ☐ 10.3.5 Verify origination of event is included in log entries.
Modified
p. 155 → 140
For all logs in the sample at 10.3, describe how the audit logs were observed to verify the identity or name of affected data, system component, or resource is included in log entries.
Modified
p. 155 → 140
<Report Findings Here> 10.3.6 Identity or name of affected data, system component, or resource
<Report Findings Here> 10.3.6 Identity or name of affected data, system component, or resource ☐ ☐ ☐ ☐ ☐ 10.3.6 Verify identity or name of affected data, system component, or resources is included in log entries.
Removed
p. 156
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 10.3.6 Verify identity or name of affected data, system component, or resources is included in log entries.
For all logs in the sample at 10.3, describe how the audit logs were observed to verify the identity or name of affected data, system component, or resource is included in log entries.
For all logs in the sample at 10.3, describe how the audit logs were observed to verify the identity or name of affected data, system component, or resource is included in log entries.
Modified
p. 156 → 140
Identify the time synchronization technologies in use. (If NTP, include version) <Report Findings Here> Identify the documented time-synchronization process that defines processes for ensuring the time synchronization technologies are kept current per PCI DSS Requirements 6.1 and 6.2.
Modified
p. 156 → 140
<Report Findings Here> Describe how processes were examined to verify that time synchronization technologies are:
<Report Findings Here> Describe how processes were examined to verify that time synchronization technologies are:
Modified
p. 156 → 140
• Kept current, per the documented process. <Report Findings Here> 10.4.1 Critical systems have the correct and consistent time. ☐ ☐ ☐ ☐ ☐
Modified
p. 157 → 140
<Report Findings Here>
• Implemented. <Report Findings Here>
Modified
p. 157 → 141
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 10.4.1.a Examine the process for acquiring, distributing and storing the correct time within the organization to verify that:
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 10.4.1.a Examine the process for acquiring, distributing and storing the correct time within the organization to verify that:
Modified
p. 157 → 141
• Only the designated central time server(s) receive time signals from external sources, and time signals from external sources are based on International Atomic Time or UTC.
Modified
p. 157 → 141
Identify the documented process for acquiring, distributing, and storing the correct time within the organization examined to verify that the process defines the following:
Modified
p. 157 → 141
• Only the designated central time server(s) receive time signals from external sources, and time signals from external sources are based on International Atomic Time or UTC.
Modified
p. 157 → 141
• Where there is more than one designated time server, the time servers peer with one another to keep accurate time.
Modified
p. 157 → 141
• Systems receive time information only from designated central time server(s).
Removed
p. 158
Define which personnel have a business need to access time data.
Modified
p. 158 → 141
<Report Findings Here> 10.4.1.b Observe the time-related system-parameter settings for a sample of system components to verify:
Modified
p. 158 → 141
• Only the designated central time server(s) receive time signals from external sources, and time signals from external sources are based on International Atomic Time or UTC.
Modified
p. 158 → 141
Identify the sample of system components selected for 10.4.1.b-10.4.2.b <Report Findings Here> For all items in the sample, describe how the time-related system-parameter settings for the sample of system components were observed to verify:
Modified
p. 158 → 141
<Report Findings Here> 10.4.2 Time data is protected.
<Report Findings Here> 10.4.2 Time data is protected. ☐ ☐ ☐ ☐ ☐
Modified
p. 158 → 142
• Access to time data is restricted to only personnel with a business need to access time data.
Modified
p. 158 → 142
Identify the documented time-synchronization procedures examined to verify procedures define that:
Modified
p. 158 → 142
• Define which personnel have a business need to access time data.
Removed
p. 159
• Logged <Report Findings Here>
• Monitored <Report Findings Here>
• Reviewed <Report Findings Here>
Modified
p. 159 → 142
<Report Findings Here> Identify the authorized personnel interviewed who confirm that personnel with access to time data have a business need to access time data.
Modified
p. 159 → 142
<Report Findings Here> For all items in the sample from 10.4.1, describe how configuration settings were examined to restrict access to time data to only personnel with a documented need.
<Report Findings Here> For all items in the sample from 10.4.1, describe how configuration settings were examined to restrict access to time data to only personnel with a documented need.
Modified
p. 159 → 142
Identify the documented time-synchronization procedures examined to verify procedures define that changes to time settings on critical systems must be:
Modified
p. 159 → 142
• Reviewed <Report Findings Here> For all items in the sample from 10.4.1, describe how configuration settings on the sampled system components were examined to log any changes to time settings on critical systems.
Modified
p. 159 → 142
<Report Findings Here> For all items in the sample from 10.4.1, describe how logs were examined to log any changes to time settings on critical systems.
<Report Findings Here> For all items in the sample from 10.4.1, describe how logs were examined to log any changes to time settings on critical systems.
Modified
p. 159 → 142
<Report Findings Here> Describe how time synchronization processes were examined to verify changes to time settings on critical systems are:
<Report Findings Here> Describe how time synchronization processes were examined to verify changes to time settings on critical systems are:
Modified
p. 160 → 143
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 10.4.3 Time settings are received from industry-accepted time sources.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested
Modified
p. 160 → 143
Identify the document reviewed to verify it defines that:
Modified
p. 160 → 143
• The updates are encrypted with a symmetric key and access control lists specify the IP addresses of client machines that will be provided with the time updates.
Modified
p. 160 → 143
<Report Findings Here> Identify the sample of time servers selected. <Report Findings Here> For all items in the sample, describe how configuration settings were examined to verify either of the following:
<Report Findings Here> Identify the sample of time servers selected. <Report Findings Here> For all items in the sample, describe how configuration settings were examined to verify either of the following:
Modified
p. 160 → 143
<Report Findings Here> Identify the industry-accepted time source indicated (if applicable).
<Report Findings Here> Identify the industry-accepted time source indicated (if applicable).
Modified
p. 160 → 143
<Report Findings Here> 10.5 Secure audit trails so they cannot be altered.
<Report Findings Here> 10.5 Secure audit trails so they cannot be altered. ☐ ☐ ☐ ☐ ☐
Modified
p. 161 → 144
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 10.5 Interview system administrators and examine system configurations and permissions to verify that audit trails are secured so that they cannot be altered as follows:
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 10.5 Interview system administrators and examine system configurations and permissions to verify that audit trails are secured so that they cannot be altered as follows:
Modified
p. 161 → 144
Identify the system administrators interviewed who confirm that audit trails are secured so that they cannot be altered as follows (from 10.5.1-10.5.5):
Modified
p. 161 → 144
• Only individuals who have a job-related need can view audit trail files.
Modified
p. 161 → 144
• Current audit trail files are protected from unauthorized modifications via access control mechanisms, physical segregation, and/or network segregation.
Modified
p. 161 → 144
• Current audit trail files are promptly backed up to a centralized log server or media that is difficult to alter, including:
  - That current audit trail files are promptly backed up to the centralized log server or media
  - The frequency that audit trail files are backed up
  - That the centralized log server or media is difficult to alter
Modified
p. 161 → 144
• Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts.
Modified
p. 161 → 144
<Report Findings Here> Identify the sample of system components selected for this testing procedure from 10.5.1- 10.5.5.
<Report Findings Here> Identify the sample of system components selected for this testing procedure from 10.5.1-10.5.5.
Modified
p. 161 → 144
<Report Findings Here> 10.5.1 Limit viewing of audit trails to those with a job-related need.
<Report Findings Here> 10.5.1 Limit viewing of audit trails to those with a job-related need. ☐ ☐ ☐ ☐ ☐ 10.5.1 Only individuals who have a job-related need can view audit trail files.
Removed
p. 162
<Report Findings Here> 10.5.2 Protect audit trail files from unauthorized modifications.
For each item in the sample at 10.5, describe how system configurations and permissions were examined to verify that current audit trail files are promptly backed up to a centralized log server or media that is difficult to alter.
For each item in the sample at 10.5, describe how system configurations and permissions were examined to verify that current audit trail files are promptly backed up to a centralized log server or media that is difficult to alter.
Modified
p. 162 → 144
For each item in the sample at 10.5, describe how system configurations and permissions were examined to verify they restrict viewing of audit trail files to only individuals who have a documented job-related need.
Modified
p. 162 → 145
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 10.5.1 Only individuals who have a job-related need can view audit trail files.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 10.5.2 Protect audit trail files from unauthorized modifications. ☐ ☐ ☐ ☐ ☐ 10.5.2 Current audit trail files are protected from unauthorized modifications via access control mechanisms, physical segregation, and/or network segregation.
Modified
p. 162 → 145
For each item in the sample at 10.5, describe how system configurations and permissions were examined to verify that current audit trail files are promptly backed up to a centralized log server or media that is difficult to alter.
Modified
p. 162 → 145
<Report Findings Here> 10.5.3 Promptly back up audit trail files to a centralized log server or media that is difficult to alter.
<Report Findings Here> 10.5.3 Promptly back up audit trail files to a centralized log server or media that is difficult to alter. ☐ ☐ ☐ ☐ ☐ 10.5.3 Current audit trail files are promptly backed up to a centralized log server or media that is difficult to alter.
Modified
p. 162 → 145
<Report Findings Here> 10.5.4 Write logs for external-facing technologies onto a secure, centralized, internal log server or media device.
<Report Findings Here> Describe how logs for external-facing technologies are written onto a secure centralized internal log server or media.
Removed
p. 163
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 10.5.4 Logs for external-facing technologies (for example, wireless, firewalls, DNS, mail) are written onto a secure, centralized, internal log server or media.
<Report Findings Here> Describe how logs for external-facing technologies are written onto a secure centralized internal log server or media.
<Report Findings Here> Describe how logs for external-facing technologies are written onto a secure centralized internal log server or media.
Modified
p. 163 → 145
For each item in the sample at 10.5, describe how system configurations and permissions were examined to verify that logs for external-facing technologies are written onto a secure, centralized, internal log server or media.
Modified
p. 163 → 145
<Report Findings Here> 10.5.5 Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).
<Report Findings Here> 10.5.5 Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert). ☐ ☐ ☐ ☐ ☐
Modified
p. 163 → 146
For each item in the sample at 10.5, describe how the following were examined to verify the use of file-integrity monitoring or change-detection software on logs:
Modified
p. 163 → 146
• Results from monitoring activities <Report Findings Here> Identify the file-integrity monitoring (FIM) or change-detection software verified to be in use.
Modified
p. 163 → 146
• Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.).
Modified
p. 164 → 146
10.6.1.a Examine security policies and procedures to verify that procedures are defined for reviewing the following at least daily, either manually or via log tools:
Modified
p. 164 → 146
• Logs of all critical system components Identify the documented security policies and procedures examined to verify that procedures define reviewing the following at least daily, either manually or via log tools:
Modified
p. 164 → 146
• All security events
Modified
p. 164 → 146
• Logs of all system components that store, process, or transmit CHD and/or SAD
Modified
p. 164 → 146
• Logs of all critical system components
Modified
p. 164 → 146
• Logs of all servers and system components that perform security functions.
Modified
p. 164 → 147
• Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.) Identify the personnel interviewed who confirm that the following are reviewed at least daily:
Modified
p. 164 → 147
Describe the manual or log tools used for daily review of logs.
Removed
p. 165
• All security events.
• Logs of all system components that store, process, or transmit CHD and/or SAD, or that could impact the security of CHD and/or SAD.
• Logs of all critical system components.
• Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.)
Identify the personnel interviewed who confirm that the following are reviewed at least daily:
Modified
p. 165 → 146
• All security events
Modified
p. 165 → 146
• Logs of all system components that store, process, or transmit CHD and/or SAD
Modified
p. 165 → 146
• Logs of all critical system components
Modified
p. 165 → 147
• Logs of all servers and system components that perform security functions.
Modified
p. 165 → 147
<Report Findings Here> 10.6.1.b Observe processes and interview personnel to verify that the following are reviewed at least daily:
Modified
p. 165 → 147
All security events. <Report Findings Here> Logs of all system components that store, process, or transmit CHD and/or SAD, or that could impact the security of CHD and/or SAD.
All security events. <Report Findings Here> Logs of all system components that store, process, or transmit CHD and/or SAD.
Modified
p. 165 → 147
<Report Findings Here> 10.6.2 Review logs of all other system components periodically based on the organization’s policies and risk management strategy, as determined by the organization’s annual risk assessment.
<Report Findings Here> 10.6.2 Review logs of all other system components periodically based on the organization’s policies and risk management strategy, as determined by the organization’s annual risk assessment. ☐ ☐ ☐ ☐ ☐
Modified
p. 166 → 148
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 10.6.2.a Examine security policies and procedures to verify that procedures are defined for reviewing logs of all other system components periodically
•either manually or via log tools
•based on the organization’s policies and risk management strategy.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 10.6.2.a Examine security policies and procedures to verify that procedures are defined for reviewing logs of all other system components periodically
•either manually or via log tools
•based on the organization’s policies and risk management strategy.
Modified
p. 166 → 148
Identify the documented security policies and procedures examined to verify that procedures define reviewing logs of all other system components periodically
•either manually or via log tools
•based on the organization’s policies and risk management strategy.
Modified
p. 166 → 148
<Report Findings Here> Describe the manual or log tools defined for periodic review of logs of all other system components.
<Report Findings Here> Describe the manual or log tools defined for periodic review of logs of all other system components.
Modified
p. 166 → 148
Identify the organization’s risk assessment documentation examined to verify that reviews are performed in accordance with the organization’s policies and risk management strategy.
Modified
p. 166 → 148
<Report Findings Here> For the interview, summarize the relevant details discussed that verify that reviews are performed in accordance with the organization’s policies and risk management strategy.
<Report Findings Here> For the interview, summarize the relevant details discussed that verify that reviews are performed in accordance with the organization’s policies and risk management strategy.
Modified
p. 166 → 148
<Report Findings Here> 10.6.3 Follow up exceptions and anomalies identified during the review process.
<Report Findings Here> 10.6.3 Follow up exceptions and anomalies identified during the review process. ☐ ☐ ☐ ☐ ☐ 10.6.3.a Examine security policies and procedures to verify that procedures are defined for following up on exceptions and anomalies identified during the review process.
Modified
p. 166 → 148
Identify the documented security policies and procedures examined to verify that procedures define following up on exceptions and anomalies identified during the review process.
Modified
p. 166 → 149
Identify the documented security policies and procedures examined to verify that procedures define the following:
Removed
p. 167
Identify the documented security policies and procedures examined to verify that procedures define the following:
Modified
p. 167 → 148
Describe how processes were observed to verify that follow-up to exceptions and anomalies is performed.
Modified
p. 167 → 148
<Report Findings Here> Identify the personnel interviewed who confirm that follow-up to exceptions and anomalies is performed.
<Report Findings Here> Identify the personnel interviewed who confirm that follow-up to exceptions and anomalies is performed.
Modified
p. 167 → 148
<Report Findings Here> 10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup).
<Report Findings Here> 10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup). ☐ ☐ ☐ ☐ ☐
Modified
p. 167 → 149
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 10.6.3.b Observe processes and interview personnel to verify that follow-up to exceptions and anomalies is performed.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 10.7.a Examine security policies and procedures to verify that they define the following:
Modified
p. 167 → 149
• Audit log retention policies.
Modified
p. 167 → 149
• Audit log retention policies.
Modified
p. 167 → 149
• Procedures for retaining audit logs for at least one year, with a minimum of three months immediately available online.
Modified
p. 167 → 149
• Procedures for retaining audit logs for at least one year, with a minimum of three months immediately available online.
Modified
p. 167 → 149
<Report Findings Here> 10.7.b Interview personnel and examine audit logs to verify that audit logs are available for at least one year.
<Report Findings Here> 10.7.b Interview personnel and examine audit logs to verify that audit logs are retained for at least one year.
Modified
p. 167 → 149
Identify the personnel interviewed who confirm that audit logs are retained for at least one year.
Modified
p. 167 → 149
<Report Findings Here> Describe how the audit logs were examined to verify that audit logs are available for at least one year.
<Report Findings Here> Describe how the audit logs were examined to verify that audit logs are retained for at least one year.
Modified
p. 167 → 149
<Report Findings Here> 10.7.c Interview personnel and observe processes to verify that at least the last three months’ logs can be immediately restored for analysis.
<Report Findings Here> 10.7.c Interview personnel and observe processes to verify that at least the last three months’ logs are immediately available for analysis.
Modified
p. 167 → 149
Identify the personnel interviewed who confirm that at least the last three months’ logs are immediately available for analysis.
Modified
p. 167 → 149
<Report Findings Here> Describe the processes observed to verify that at least the last three months’ logs can be immediately restored for analysis.
<Report Findings Here> Describe the processes observed to verify that at least the last three months’ logs are immediately available for analysis.
Removed
p. 168
Identify the document reviewed to verify that security policies and operational procedures for monitoring all access to network resources and cardholder data are documented.
Modified
p. 168 → 149
Identify the document reviewed to verify that security policies and operational procedures for monitoring all access to network resources and cardholder data are documented.
Modified
p. 168 → 149
<Report Findings Here> Identify responsible personnel interviewed who confirm that the above documented security policies and operational procedures for monitoring all access to network resources and cardholder data are:
<Report Findings Here> Identify responsible personnel interviewed who confirm that the above documented security policies and operational procedures for monitoring all access to network resources and cardholder data are:
Modified
p. 169 → 150
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 11.1 Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on a quarterly basis.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ Not Tested 11.1 Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on a quarterly basis.
Modified
p. 169 → 150
Identify the documented policies and procedures examined to verify processes are defined for detection and identification of authorized and unauthorized wireless access points on a quarterly basis.
Modified
p. 169 → 150
• WLAN cards inserted into system components.
Modified
p. 169 → 150
• Portable or mobile devices attached to system components to create a wireless access point (for example, by USB, etc.).
Modified
p. 169 → 150
• Wireless devices attached to a network port or network device.
Modified
p. 169 → 150
<Report Findings Here> Any other unauthorized wireless access point. <Report Findings Here>
<Report Findings Here> Any other unauthorized wireless access point. <Report Findings Here> 11.1.c If wireless scanning is utilized, examine output from recent wireless scans to verify that:
Modified
p. 170 → 151
11.1.c Examine output from recent wireless scans to verify that:
• Authorized and unauthorized wireless access points are identified, and
Modified
p. 170 → 151
• The scan is performed at least quarterly for all system components and facilities.
Modified
p. 170 → 151
If ‘yes,’ Identify/describe the output from recent wireless scans examined to verify that:
Modified
p. 170 → 151
• Authorized wireless access points are identified.
Modified
p. 170 → 151
• Unauthorized wireless access points are identified.
Modified
p. 170 → 151
• The scan is performed at least quarterly.
Modified
p. 170 → 151
• The scan covers all system components.
Modified
p. 170 → 151
• The scan covers all facilities.
Modified
p. 170 → 151
Indicate whether automated monitoring is utilized. (yes/no) <Report Findings Here> If “no,” mark the remainder of 11.1.d as “Not Applicable.” If “yes,” complete the following:
Modified
p. 170 → 151
Identify and describe any automated monitoring technologies in use.
Modified
p. 170 → 151
<Report Findings Here> For each monitoring technology in use, describe how the technology generates alerts to personnel.
Modified
p. 170 → 151
<Report Findings Here> 11.1.1 Maintain an inventory of authorized wireless access points including a documented business justification.
<Report Findings Here> 11.1.1 Maintain an inventory of authorized wireless access points including a documented business justification. ☐ ☐ ☐ ☐ ☐ 11.1.1 Examine documented records to verify that an inventory of authorized wireless access points is maintained and a business justification is documented for all authorized wireless access points.
Modified
p. 170 → 151
Identify the documented inventory records of authorized wireless access points examined to verify that an inventory of authorized wireless access points is maintained and a business justification is documented for all authorized wireless access points.
Modified
p. 170 → 151
<Report Findings Here> 11.1.2 Implement incident response procedures in the event unauthorized wireless access points are detected.
<Report Findings Here> 11.1.2 Implement incident response procedures in the event unauthorized wireless access points are detected. ☐ ☐ ☐ ☐ ☐ 11.1.2.a Examine the organization’s incident response plan (Requirement 12.10) to verify it defines and requires a response in the event that an unauthorized wireless access point is detected.
Removed
p. 171
<Report Findings Here> Describe how the recent wireless scans and related responses were inspected to verify that action is taken when unauthorized wireless access points are found.
Modified
p. 171 → 151
Identify the Incident Response Plan document examined that defines and requires response in the event that an unauthorized wireless access point is detected.
Modified
p. 171 → 152
11.1.2.a Examine the organization’s incident response plan (Requirement 12.10) to verify it defines and requires a response in the event that an unauthorized wireless access point is detected.
11.1.2.b Interview responsible personnel and/or inspect recent wireless scans and related responses to verify action is taken when unauthorized wireless access points are found.
Modified
p. 171 → 152
<Report Findings Here> 11.1.2.b Interview responsible personnel and/or inspect recent wireless scans and related responses to verify action is taken when unauthorized wireless access points are found.
<Report Findings Here> Describe how the recent wireless scans and related responses were inspected to verify that action is taken when unauthorized wireless access points are found.
Modified
p. 171 → 152
Identify the responsible personnel interviewed for this testing procedure.
Modified
p. 171 → 152
<Report Findings Here> For the interview, summarize the relevant details discussed that verify that action is taken when unauthorized wireless access points are found.
Modified
p. 171 → 152
<Report Findings Here> Identify the recent wireless scans inspected for this testing procedure.
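The 11.1 reporting instructions above ask the assessor to confirm that scans or automated monitoring identify both authorized and unauthorized access points (11.1.c, 11.1.d), that an inventory with a business justification exists for every authorized AP (11.1.1), and that a detection triggers a response (11.1.2). As an added example, not code from the ROC template or from the PCI SSC, the Python below compares a constructed site-survey output against a constructed authorized-AP inventory and produces the alerts an automated monitor would raise. The `bssid=... ssid=...` line format, the inventory layout, the BSSIDs, SSIDs and the "high"/"medium" severity labels are all assumptions made for the illustration.

```python
"""Rogue access point detection against an authorized-AP inventory (PCI DSS 11.1).

Added example; not part of the ROC Reporting Template. The scan-output format,
the inventory layout, and every BSSID/SSID below are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed 11.1.1 inventory: authorized APs keyed by BSSID, each with a
# documented business justification.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": {"ssid": "CORP-STORE", "location": "Store 17, sales floor",
                          "justification": "POS terminal connectivity"},
    "00:11:22:33:44:02": {"ssid": "CORP-STORE", "location": "Store 17, back office",
                          "justification": "Inventory handheld scanners"},
}

# Constructed output of a site survey, one observed BSSID per line (assumed format).
SCAN_OUTPUT = """\
bssid=00:11:22:33:44:01 ssid=CORP-STORE channel=6 rssi=-41
bssid=00:11:22:33:44:02 ssid=CORP-STORE channel=11 rssi=-55
bssid=DE:AD:BE:EF:00:01 ssid=CORP-STORE channel=6 rssi=-48
bssid=aa:bb:cc:dd:ee:ff ssid=FreeWiFi channel=1 rssi=-70
"""


@dataclass(frozen=True)
class Observation:
    bssid: str
    ssid: str
    channel: int
    rssi: int


def parse_scan(text):
    """Parse key=value survey lines into Observation records; BSSIDs are normalised
    to lower case so inventory lookups do not depend on the tool's capitalisation."""
    observations = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(kv.split("=", 1) for kv in line.split())
        observations.append(Observation(fields["bssid"].lower(), fields["ssid"],
                                        int(fields["channel"]), int(fields["rssi"])))
    return observations


def classify(observations, inventory):
    """Split observations into authorized and unauthorized APs.

    An AP counts as authorized only when its BSSID is in the inventory *and* it is
    advertising the SSID recorded there. An unknown BSSID advertising a corporate
    SSID is the evil-twin case and is rated 'high'; any other unknown AP is 'medium'.
    """
    corporate_ssids = {entry["ssid"] for entry in inventory.values()}
    authorized, unauthorized = [], []
    for obs in observations:
        entry = inventory.get(obs.bssid)
        if entry is not None and entry["ssid"] == obs.ssid:
            authorized.append(obs)
        else:
            severity = "high" if obs.ssid in corporate_ssids else "medium"
            unauthorized.append((obs, severity))
    return authorized, unauthorized


def alerts(observations, inventory):
    """Alert text a monitoring system would send to personnel (11.1.d), which the
    11.1.2 incident response procedure then acts on."""
    _, unauthorized = classify(observations, inventory)
    return [f"[{sev}] unauthorized AP {o.bssid} ssid={o.ssid!r} channel={o.channel} rssi={o.rssi}"
            for o, sev in unauthorized]


def inventory_justified(inventory):
    """11.1.1: return the BSSIDs of authorized APs lacking a documented business
    justification (an empty list means the inventory is complete)."""
    return [bssid for bssid, entry in inventory.items() if not entry.get("justification")]


if __name__ == "__main__":
    for line in alerts(parse_scan(SCAN_OUTPUT), AUTHORIZED_APS):
        print(line)
```

Matching on BSSID alone is not enough: an attacker can clone a corporate SSID on their own radio, so the check requires both the BSSID and the advertised SSID to agree with the inventory, and an inventory BSSID seen advertising a different SSID is also reported. For a real deployment the parser would read the site-survey tool's actual output, and the alert list would feed the 11.1.2 incident response procedure rather than stdout.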
Removed
p. 172
<Report Findings Here> Provide the name of the assessor who attests that four quarterly internal scans were verified to have occurred in the most recent 12-month period.
Identify the documented process for quarterly internal scanning to verify the process defines performing rescans as part of the quarterly internal scan process.
<Report Findings Here> For each of the four internal quarterly scans indicated at 11.2.1.a, identify whether a rescan was required. (yes/no) <Report Findings Here> If “yes,” describe how rescans were verified to be performed until either:
Modified
p. 172 → 152
<Report Findings Here> Provide the name of the assessor who attests that four quarterly internal scans were verified to have occurred in the most recent 12-month period.
Modified
p. 172 → 152
Identify the internal vulnerability scan reports and supporting documentation reviewed.
Modified
p. 172 → 152
<Report Findings Here> 11.2.1.b Review the scan reports and verify that the scan process includes rescans until all “high-risk” vulnerabilities as defined in PCI DSS Requirement 6.1 are resolved.
<Report Findings Here> 11.2.1.b Review the scan reports and verify that the scan process includes rescans until all “high-risk” vulnerabilities as defined in PCI DSS Requirement 6.1 Identify the documented process for quarterly internal scanning to verify the process defines performing rescans as part of the quarterly internal scan process.
Modified
p. 172 → 153
11.2.1 Perform quarterly internal vulnerability scans, and rescans as needed, until all “high-risk” vulnerabilities (as identified in Requirement 6.1) are resolved. Scans must be performed by qualified personnel.
are resolved. For each of the four internal quarterly scans indicated at 11.2.1.a, indicate whether a rescan was required. (yes/no) <Report Findings Here> If “yes,” describe how rescans were verified to be performed until either:
Modified
p. 172 → 153
Identify the responsible personnel interviewed who confirm that the scan was performed by a qualified internal resource(s) or qualified external third party.
Modified
p. 172 → 153
<Report Findings Here> Identify whether a qualified internal resource performs the scan. (yes/no) If “no,” mark the remainder of 11.2.1.c as “Not Applicable.” If “yes,” complete the following:
<Report Findings Here> Indicate whether a qualified internal resource performs the scan. (yes/no) If “no,” mark the remainder of 11.2.1.c as “Not Applicable.” If “yes,” complete the following:
Modified
p. 173 → 153
<Report Findings Here> Describe how the personnel who perform the scans demonstrated they are qualified to perform the scans.
Modified
p. 173 → 153
11.2.2.a Review output from the four most recent quarters of external vulnerability scans and verify that four quarterly external vulnerability scans occurred in the most recent 12- month period.
11.2.2.a Review output from the four most recent quarters of external vulnerability scans and verify that four quarterly external vulnerability scans occurred in the most recent 12-month period.
Modified
p. 173 → 153
Identify the external network vulnerability scan reports and supporting documentation reviewed.
Modified
p. 173 → 153
<Report Findings Here> Provide the name of the assessor who attests that four quarterly external vulnerability scans were verified to have occurred in the most recent 12-month period.
Modified
p. 173 → 154
11.2.2.b Review the results of each quarterly scan and rescan to verify that the ASV Program Guide requirements for a passing scan have been met (for example, no vulnerabilities rated 4.0 or higher by the CVSS, no automatic failures).
Modified
p. 173 → 154
Describe how the results of each quarterly scan were reviewed to verify that the ASV Program Guide requirements for a passing scan have been met.
Modified
p. 173 → 154
<Report Findings Here> For each of the four external quarterly scans indicated at 11.2.2.a, identify whether a rescan was necessary. (yes/no) <Report Findings Here> If “yes,” describe how the results of the rescan were reviewed to verify that the ASV Program Guide requirements for a passing scan have been met.
<Report Findings Here> For each of the four external quarterly scans indicated at 11.2.2.a, indicate whether a rescan was necessary. (yes/no) <Report Findings Here> If “yes,” describe how the results of the rescan were reviewed to verify that the ASV Program Guide requirements for a passing scan have been met.
Removed
p. 174
<Report Findings Here> Describe how the change control documentation and scan reports were inspected and correlated to verify that all system components subject to significant change were scanned after the change.
Modified
p. 174 → 154
<Report Findings Here> 11.2.2.c Review the scan reports to verify that the scans were completed by a PCI SSC Approved Scanning Vendor (ASV).
Modified
p. 174 → 154
Provide the name of the assessor who attests that the external scan reports were reviewed and verified to have been completed by a PCI SSC-Approved Scanning Vendor (ASV).
Modified
p. 174 → 154
<Report Findings Here> 11.2.3 Perform internal and external scans, and rescans as needed, after any significant change. Scans must be performed by qualified personnel.
<Report Findings Here> 11.2.3 Perform internal and external scans, and rescans as needed, after any significant change. Scans must be performed by qualified personnel. ☐ ☐ ☐ ☐ ☐ 11.2.3.a Inspect and correlate change control documentation and scan reports to verify that system components subject to any significant change were scanned.
Modified
p. 174 → 154
<Report Findings Here> Describe how the change control documentation and scan reports were inspected and correlated to verify that all system components subject to significant change were scanned after the change.
Modified
p. 174 → 154
Identify the document reviewed to verify processes are defined for performing internal and external scans after any significant change.
Modified
p. 174 → 154
<Report Findings Here> Identify the change control documentation and scan reports reviewed for this testing procedure.
Modified
p. 174 → 154
• For external scans, no vulnerabilities exist that are scored 4.0 or higher by the CVSS.
Modified
p. 174 → 154
• For internal scans, all “high-risk” vulnerabilities as defined in PCI DSS Requirement 6.1 are resolved.
Modified
p. 174 → 154
• for external scans, describe how rescans were performed until no vulnerabilities with a CVSS score greater than 4.0 exist.
For all scans reviewed in 11.2.3.a, indicate whether a rescan was required. (yes/no) <Report Findings Here> If “yes”
• for external scans, describe how rescans were performed until no vulnerabilities with a CVSS score greater than 4.0 exist.
Modified
p. 174 → 154
<Report Findings Here> If “yes”
• for internal scans, describe how rescans were performed until either passing results were obtained or all “high-risk” vulnerabilities as defined in PCI DSS Requirement 6.1 were resolved.
Modified
p. 174 → 155
Describe how it was validated that the scan was performed by a qualified internal resource(s) or qualified external third party.
Modified
p. 175 → 155
<Report Findings Here> Indicate whether an internal resource performed the scans. (yes/no) If “no,” mark the remainder of 11.2.3.c as “Not Applicable.” If “yes,” complete the following:
Modified
p. 175 → 155
<Report Findings Here> Describe how the personnel who perform the scans demonstrated they are qualified to perform the scans.
Modified
p. 175 → 156
external third party, and if applicable, organizational independence of the tester exists (not required to be a QSA or ASV).
11.3 Penetration Testing
Modified
p. 176 → 155
11.3 Penetration Testing
11.2.3.c Validate that the scan was performed by a qualified internal resource(s) or qualified external third party, and if applicable, organizational independence of the tester exists (not required to be a QSA or ASV).
Modified
p. 176 → 156
Note: The update to Requirement 11.3 is a best practice until June 30, 2015, after which it becomes a requirement. PCI DSS v2.0 requirements for penetration testing must be followed until v3.0 is in place. Do not answer both v2.0 and 3.0 reporting instructions.
Note: The update to Requirement 11.3 is a best practice until June 30, 2015, after which it becomes a requirement. PCI DSS v2.0 requirements for penetration testing must be followed until v3.1 is in place. Do not answer both v2.0 and 3.1 reporting instructions.
Modified
p. 176 → 156
Indicate whether 11.3 for this ROC is being assessed against PCI DSS v2.0 or v3.0 (either is acceptable until June 30, 2015.) (2.0/3.0) <Report Findings Here> If assessing against PCI DSS v2.0 for 11.3, please complete the following section in purple:
Indicate whether 11.3 for this ROC is being assessed against PCI DSS v2.0 or v3.1 (either is acceptable until June 30, 2015.) (2.0/3.1) <Report Findings Here> If assessing against PCI DSS v2.0 for 11.3, please complete the following section in purple:
Modified
p. 177 → 157
11.3.b Verify that noted exploitable vulnerabilities were corrected and testing repeated.
Modified
p. 178 → 158
11.3.1 Network-layer penetration tests.
11.3.1 Network-layer penetration tests. ☐ ☐ ☐ ☐ ☐ 11.3.1 Verify that the penetration test includes network-layer penetration tests. These tests should include components that support network functions as well as operating systems.
Modified
p. 178 → 158
i. Internal penetration testing includes network-layer penetration tests. ii. External penetration testing includes network-layer penetration tests. iii. The network-layer penetration tests o Components that support network functions o Operating systems Identify the responsible personnel interviewed who confirm that:
i. Internal penetration testing includes network-layer penetration tests. ii. External penetration testing includes network-layer penetration tests. iii. The network-layer penetration tests include: o Components that support network functions o Operating systems Identify the responsible personnel interviewed who confirm that:
Modified
p. 178 → 158
i. Internal penetration testing includes network-layer penetration tests. ii. External penetration testing includes network-layer penetration tests. iii. The network-layer penetration tests o Components that support network functions o Operating systems <Report Findings Here> 11.3.2 Application-layer penetration tests.
i. Internal penetration testing includes network-layer penetration tests. ii. External penetration testing includes network-layer penetration tests. iii. The network-layer penetration tests include: o Components that support network functions o Operating systems <Report Findings Here> 11.3.2 Application-layer penetration tests. ☐ ☐ ☐ ☐ ☐
Modified
p. 179 → 159
11.3.2 Verify that the penetration test includes application-layer penetration tests. The tests should include, at a minimum, the vulnerabilities listed in Requirement 6.5.
Modified
p. 179 → 159
If assessing against PCI DSS v3.0 for 11.3, please complete the following:
If assessing against PCI DSS v3.1 for 11.3, please complete the following:
Modified
p. 180 → 159
• Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115).
Modified
p. 180 → 159
• Includes coverage for the entire CDE perimeter and critical systems.
Modified
p. 180 → 159
• Includes testing from both inside and outside of the network.
Modified
p. 180 → 159
• Includes testing to validate any segmentation and scope reduction controls.
Modified
p. 180 → 159
• Includes review and consideration of threats and vulnerabilities experienced in the last 12 months.
Modified
p. 180 → 159
• Specifies retention of penetration testing results and remediation activities results.
Modified
p. 180 → 160
11.3 Implement a methodology for penetration testing that includes at least the following:
11.3 Examine penetration-testing methodology and interview responsible personnel to verify a methodology is implemented and includes at least the following:
Modified
p. 181 → 160
• Includes coverage for the entire CDE perimeter and critical systems.
Modified
p. 181 → 160
• Includes testing to validate any segmentation and scope reduction controls.
Modified
p. 181 → 160
• Is based on industry-accepted penetration testing approaches.
Modified
p. 181 → 160
• Includes testing from both inside and outside the network.
Modified
p. 181 → 160
Identify the documented penetration-testing methodology examined to verify a methodology is implemented that includes at least the following:
Modified
p. 181 → 160
• Based on industry-accepted penetration testing approaches.
Modified
p. 181 → 160
• Coverage for the entire CDE perimeter and critical systems.
Modified
p. 181 → 160
• Testing from both inside and outside the network.
Modified
p. 181 → 160
• Testing to validate any segmentation and scope reduction controls.
Modified
p. 181 → 160
• Review and consideration of threats and vulnerabilities experienced in the last 12 months.
Modified
p. 181 → 160
• Retention of penetration testing results and remediation activities results.
Modified
p. 181 → 161
11.3 Examine penetration-testing methodology and interview responsible personnel to verify a methodology is implemented and includes at least the following:
Identify the responsible personnel interviewed who confirm the penetration-testing methodology implemented includes at least the following:
Modified
p. 182 → 160
• Includes review and consideration of threats and vulnerabilities experienced in the last 12 months.
Modified
p. 182 → 160
• Specifies retention of penetration testing results and remediation activities results.
Modified
p. 182 → 160
• Defines network-layer penetration tests to include components that support network functions as well as operating systems.
Modified
p. 182 → 161
• Based on industry-accepted penetration testing approaches.
Modified
p. 182 → 161
• Coverage for the entire CDE perimeter and critical systems.
Modified
p. 182 → 161
• Testing from both inside and outside the network.
Modified
p. 182 → 161
• Testing to validate any segmentation and scope reduction controls.
Modified
p. 182 → 161
• Review and consideration of threats and vulnerabilities experienced in the last 12 months.
Modified
p. 182 → 161
• Retention of penetration testing results and remediation activities results.
Modified
p. 182 → 161
<Report Findings Here> Describe how the penetration-testing methodology was examined to verify that the implemented methodology includes at least the following:
Removed
p. 183
Describe how the penetration-testing methodology was examined to verify that the implemented methodology includes at least the following:
Modified
p. 183 → 161
<Report Findings Here> Testing to validate any segmentation and scope-reduction controls.
<Report Findings Here> Testing to validate any segmentation and scope- reduction controls.
Modified
p. 183 → 162
Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5.
Modified
p. 184 → 162
• After any significant changes to the environment Identify the documented external penetration test results reviewed to verify that external penetration testing is performed:
Modified
p. 184 → 162
• At least annually <Report Findings Here> Describe how the scope of work was reviewed to verify that external penetration testing is performed:
Modified
p. 184 → 162
• At least annually <Report Findings Here> Identify whether any significant external infrastructure or application upgrade or modification occurred during the past 12 months.
Modified
p. 184 → 162
<Report Findings Here> Identify the documented penetration test results reviewed to verify that external penetration tests are performed after significant external infrastructure or application upgrade.
Modified
p. 184 → 162
<Report Findings Here> 11.3.1.b Verify that the test was performed by a qualified internal resource or qualified external third party, and if applicable, organizational independence of the tester exists (not required to be a QSA or ASV).
<Report Findings Here> 11.3.1.b Verify that the test was performed by a qualified internal resource or qualified external third party, and if applicable, organizational independence of the tester exists (not required to be a QSA or ASV). Describe how it was validated that the test was performed by a qualified internal resource(s) or qualified external third party.
Modified
p. 184 → 163
<Report Findings Here> 11.3.2.b Verify that the test was performed by a qualified internal resource or qualified external third party, Describe how it was validated that the test was performed by a qualified internal resource(s) or qualified external third party.
Modified
p. 184 → 163
<Report Findings Here> Describe how the personnel who perform the penetration tests demonstrated they are qualified to perform the tests.
Modified
p. 184 → 164
11.3.1.a Examine the scope of work and results from the most recent external penetration test to verify that penetration testing is performed as follows:
and if applicable, organizational independence of the tester exists (not required to be a QSA or ASV).
Modified
p. 184 → 164
Indicate whether an internal resource performed the test. (yes/no) If “no,” mark the remainder of 11.3.2.b as “Not Applicable.” If “yes,” complete the following:
Removed
p. 185
<Report Findings Here> 11.3.2.b Verify that the test was performed by a qualified internal resource or qualified external third party, and if applicable, organizational independence of the tester exists (not required to be a QSA or ASV).
Describe how it was validated that the test was performed by a qualified internal resource(s) or qualified external third party.
Modified
p. 185 → 163
<Report Findings Here> 11.3.2 Perform internal penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).
Modified
p. 185 → 163
11.3.2.a Examine the scope of work and results from the most recent internal penetration test to verify that penetration testing is performed at least annually and after any significant changes to the environment.
11.3.2.a Examine the scope of work and results from the most recent internal penetration test to verify that penetration testing is performed as follows:
Modified
p. 185 → 163
• After any significant changes to the environment Identify the documented internal penetration test results reviewed to verify that internal penetration testing is performed:
Modified
p. 185 → 163
• At least annually <Report Findings Here> Describe how the scope of work was reviewed to verify that internal penetration testing is performed:
Modified
p. 185 → 163
• At least annually <Report Findings Here> Indicate whether any significant internal infrastructure or application upgrade or modification occurred during the past 12 months. (yes/no) <Report Findings Here> Identify the documented internal penetration test results reviewed to verify that internal penetration tests are performed after significant internal infrastructure or application upgrade.
Modified
p. 185 → 163
Indicate whether an internal resource performed the test. (yes/no) If “no,” mark the remainder of 11.3.1.b as “Not Applicable.” If “yes,” complete the following:
Removed
p. 186
Describe how the personnel who perform the penetration tests demonstrated they are qualified to perform the tests. <Report Findings Here> Describe how organizational independence of the tester was observed to exist.
Identify the documented penetration testing results examined to verify that noted exploitable vulnerabilities were corrected and that repeated testing confirmed the vulnerability was corrected.
<Report Findings Here> Isolate all out-of-scope systems from in-scope systems.
Identify the documented penetration testing results examined to verify that noted exploitable vulnerabilities were corrected and that repeated testing confirmed the vulnerability was corrected.
<Report Findings Here> Isolate all out-of-scope systems from in-scope systems.
Modified
p. 186 → 164
<Report Findings Here> 11.3.3 Exploitable vulnerabilities found during penetration testing are corrected and testing is repeated to verify the corrections.
<Report Findings Here> 11.3.3 Exploitable vulnerabilities found during penetration testing are corrected and testing is repeated to verify the corrections. 11.3.3 Examine penetration testing results to verify that noted exploitable vulnerabilities were corrected and that repeated testing confirmed the vulnerability was corrected.
Modified
p. 186 → 164
<Report Findings Here> 11.3.4 If segmentation is used to isolate the CDE from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective, and isolate all out-of-scope systems from in-scope systems.
<Report Findings Here> 11.3.4 If segmentation is used to isolate the CDE from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.
Modified
p. 186 → 164
11.3.4.a Examine segmentation controls and review penetration-testing methodology to verify that penetration-testing procedures are defined to test all segmentation methods to confirm they are operational and effective, and isolate all out-of-scope systems from in-scope systems.
11.3.4.a Examine segmentation controls and review penetration-testing methodology to verify that penetration-testing procedures are defined to test all segmentation methods to confirm they are operational and effective, and isolate all out-of-scope systems from systems in the CDE.
Modified
p. 186 → 164
Indicate whether segmentation is used to isolate the CDE from other networks. (yes/no) If “no,” mark the remainder of 11.3.4.a and 11.3.4.b as “Not Applicable.” <Report Findings Here> If “yes,” Describe segmentation controls examined for this testing procedure.
Removed
p. 187
11.3.4.b Examine the results from the most recent penetration test to verify that penetration testing to verify segmentation controls:
Modified
p. 187 → 165
• The penetration testing verifies that segmentation controls/methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.
Modified
p. 187 → 165
Identify the documented results from the most recent penetration test examined to verify that:
Modified
p. 187 → 165
• Penetration testing to verify segmentation controls is performed at least annually and after any changes to segmentation controls/methods.
Modified
p. 187 → 165
• The penetration testing covers all segmentation controls/methods in use.
Modified
p. 187 → 165
• the penetration testing verifies that segmentation controls/methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.
Modified
p. 187 → 165
11.4.a Examine system configurations and network diagrams to verify that techniques (such as intrusion-detection systems and/or intrusion-prevention systems) are in place to monitor all traffic:
11.4.a Examine system configurations and network diagrams to verify that techniques (such as intrusion-detection systems and/or intrusion-prevention systems) are in place to monitor all traffic:
Modified
p. 187 → 165
Identify the network diagrams examined to verify that techniques are in place to monitor all traffic:
Modified
p. 187 → 165
• At critical points in the cardholder data environment.
Removed
p. 188
<Report Findings Here> Describe how system configurations were examined to verify that techniques are in place to monitor all traffic:
<Report Findings Here> Describe how alerts to personnel are generated.
<Report Findings Here> Describe how alerts to personnel are generated.
Modified
p. 188 → 165
• At critical points in the cardholder data environment.
Modified
p. 188 → 165
<Report Findings Here> Identify the techniques observed to be in place to monitor all traffic:
Modified
p. 188 → 166
At critical points in the cardholder data environment.
Describe how system configurations were examined to verify that techniques are in place to monitor all traffic:
Modified
p. 188 → 166
Describe how system configurations for intrusion-detection and/or intrusion-prevention techniques were examined to verify they are configured to alert personnel of suspected compromises.
Modified
p. 188 → 166
<Report Findings Here> Identify the responsible personnel interviewed who confirm that the generated alerts are received as intended.
<Report Findings Here> Describe how alerts to personnel are generated. <Report Findings Here> Identify the responsible personnel interviewed who confirm that the generated alerts are received as intended.
Modified
p. 188 → 166
<Report Findings Here> 11.4.c Examine IDS/IPS configurations and vendor documentation to verify intrusion-detection, and/or intrusion-prevention techniques are configured, maintained, and updated per vendor instructions to ensure optimal protection.
<Report Findings Here> 11.4.c Examine IDS/IPS configurations and vendor documentation to verify intrusion-detection, and/or intrusion-prevention techniques are configured, maintained, and updated per vendor instructions to ensure optimal protection.
Modified
p. 188 → 166
Identify the vendor document(s) examined to verify defined vendor instructions for intrusion-detection and/or intrusion-prevention techniques <Report Findings Here> Describe how IDS/IPS configurations were examined and compared to vendor documentation to verify intrusion-detection, and/or intrusion-prevention techniques are:
Removed
p. 189
Updated per vendor instructions to ensure optimal protection.
Examples of files that should be monitored: System executables Application executables Configuration and parameter files Centrally stored, historical or archived, log and audit files Additional critical files determined by entity (i.e., through risk assessment or other means) Describe the change-detection mechanism deployed.
<Report Findings Here> Identify the results from monitored files reviewed.
Examples of files that should be monitored: System executables Application executables Configuration and parameter files Centrally stored, historical or archived, log and audit files Additional critical files determined by entity (i.e., through risk assessment or other means) Describe the change-detection mechanism deployed.
<Report Findings Here> Identify the results from monitored files reviewed.
Modified
p. 189 → 166
<Report Findings Here> 11.5 Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.
<Report Findings Here> 11.5 Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification (including changes, additions and deletions) of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.
Modified
p. 189 → 167
11.5.a Verify the use of a change-detection mechanism within the cardholder data environment by observing system settings and monitored files, as well as reviewing results from monitoring activities.
11.5.a Verify the use of a change-detection mechanism within the cardholder data environment by observing system settings and monitored files, as well as reviewing results from monitoring activities.
Modified
p. 189 → 167
<Report Findings Here> Describe how change-detection mechanism settings and results from monitored files were observed to monitor changes to:
• Additional critical files determined by entity (i.e., through risk assessment or other means) Describe the change-detection mechanism deployed. <Report Findings Here> Identify the results from monitored files reviewed. <Report Findings Here> Describe how change-detection mechanism settings and results from monitored files were observed to monitor changes to:
Modified
p. 189 → 167
Critical system files <Report Findings Here> Critical configuration files <Report Findings Here> Critical content files <Report Findings Here>
Critical system files <Report Findings Here> Critical configuration files <Report Findings Here> Critical content files <Report Findings Here> 11.5.b Verify the mechanism is configured to alert personnel to unauthorized modification (including changes, additions and deletions) of critical files, and to perform critical file comparisons at least weekly.
Removed
p. 190
11.5.b Verify the mechanism is configured to alert personnel to unauthorized modification of critical files, and to perform critical file comparisons at least weekly.
<Report Findings Here> For the interview, summarize details of the interview that verify that all alerts are investigated and resolved.
<Report Findings Here> For the interview, summarize details of the interview that verify that all alerts are investigated and resolved.
Removed
p. 190
<Report Findings Here> Identify responsible personnel interviewed who confirm that the above documented security policies and operational procedures for security monitoring and testing are:
Modified
p. 190 → 167
Alert personnel to unauthorized modification of critical files.
Alert personnel to unauthorized modification (including changes, additions and deletions) of critical files.
Modified
p. 190 → 167
<Report Findings Here> Perform critical file comparisons at least weekly.
<Report Findings Here> Perform critical file comparisons at least weekly. <Report Findings Here> 11.5.1 Implement a process to respond to any alerts generated by the change-detection solution. 11.5.1 Interview personnel to verify that all alerts are investigated and resolved.
Modified
p. 190 → 167
<Report Findings Here> 11.6 Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties.
<Report Findings Here> 11.6 Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties. 11.6 Examine documentation and interview personnel to verify that security policies and operational procedures for Identify the document reviewed to verify that security policies and operational procedures for security monitoring and testing are documented.
Modified
p. 190 → 168
Identify responsible personnel interviewed who confirm that the above documented security policies and operational procedures for security monitoring and testing are:
Removed
p. 191
Identify the document reviewed to verify that the information security policy is reviewed at least annually and updated as needed to reflect changes to business objectives or the risk environment.
Modified
p. 191 → 169
12.1 Establish, publish, maintain, and disseminate a security policy.
12.1 Establish, publish, maintain, and disseminate a security policy. 12.1 Examine the information security policy and verify that the policy is published and disseminated to all relevant personnel (including vendors and business partners).
Modified
p. 191 → 169
Identify the documented information security policy examined.
Modified
p. 191 → 169
All relevant personnel. <Report Findings Here> All relevant vendors and business partners. <Report Findings Here> 12.1.1 Review the security policy at least annually and update the policy when business objectives or the risk environment change.
All relevant personnel. <Report Findings Here> All relevant vendors and business partners. <Report Findings Here> 12.1.1 Review the security policy at least annually and update the policy when business objectives or the risk environment change. 12.1.1 Verify that the information security policy is reviewed at least annually and updated as needed to reflect changes to business objectives or the risk environment.
Modified
p. 191 → 169
• Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.),
Modified
p. 192 → 169
Describe how it was verified that an annual risk process is documented and:
Describe how it was verified that an annual risk-assessment process is documented that:
Modified
p. 192 → 170
12.2.a Verify that an annual risk assessment process is documented that identifies assets, threats, vulnerabilities, and results in a formal risk assessment.
• Identifies critical assets, threats, and vulnerabilities
• Identifies critical assets, threats, and vulnerabilities
Modified
p. 192 → 170
Results in formal, documented analysis of risk. <Report Findings Here> 12.2.b Review risk-assessment documentation to verify that the risk-assessment process is performed at least annually and upon significant changes to the environment.
Modified
p. 192 → 170
Identify the risk assessment result documentation reviewed to verify that:
Modified
p. 192 → 170
• The risk assessment process is performed at least annually.
Modified
p. 192 → 170
• The risk assessment is performed upon significant changes to the environment.
Modified
p. 192 → 170
• The documented risk assessment process was followed.
Modified
p. 192 → 170
Identify critical technologies in use.
Modified
p. 193 → 171
Identify the usage policies for all identified critical technologies reviewed to verify the following policies (12.3.1-12.3.10) are defined:
Identify the usage policies for all identified critical technologies reviewed to verify the following policies (12.3.1-12.3.10) are defined:
Modified
p. 193 → 171
• Explicit approval from authorized parties to use the technologies.
Modified
p. 193 → 171
• All technology use to be authenticated with user ID and password or other authentication item.
Modified
p. 193 → 171
• A list of all devices and personnel authorized to use the devices.
Modified
p. 193 → 171
• A method to accurately and readily determine owner, contact information, and purpose.
Modified
p. 193 → 171
• Acceptable uses for the technology.
Modified
p. 193 → 171
• Acceptable network locations for the technology.
Modified
p. 193 → 171
• A list of company-approved products.
Modified
p. 193 → 171
• Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity.
Modified
p. 193 → 171
• Activation of remote-access technologies used by vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use.
Modified
p. 193 → 171
• Prohibit copying, moving, or storing of cardholder data onto local hard drives and removable electronic media when accessing such data via remote-access technologies.
Modified
p. 194 → 172
• Explicit approval from authorized parties to use the technologies.
Modified
p. 194 → 172
• All technology use to be authenticated with user ID and password or other authentication item.
Modified
p. 194 → 172
• A list of all devices and personnel authorized to use the devices.
Modified
p. 194 → 172
• A method to accurately and readily determine owner, contact information, and purpose.
Modified
p. 194 → 172
• Acceptable uses for the technology.
Modified
p. 194 → 172
• Acceptable network locations for the technology.
Modified
p. 194 → 172
• A list of company-approved products.
Modified
p. 194 → 172
• Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity.
Modified
p. 194 → 172
• Activation of remote-access technologies used by vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use.
Modified
p. 194 → 172
• Prohibit copying, moving, or storing of cardholder data onto local hard drives and removable electronic media when accessing such data via remote-access technologies.
Modified
p. 194 → 172
Identify the responsible personnel interviewed who confirm usage policies for all identified critical technologies are implemented and followed (for 12.3.1–12.3.10):
Identify the responsible personnel interviewed who confirm usage policies for all identified critical technologies are implemented and followed (for 12.3.1–12.3.10):
Modified
p. 194 → 172
<Report Findings Here> 12.3.1 Explicit approval by authorized parties.
<Report Findings Here> 12.3.1 Explicit approval by authorized parties. 12.3.1 Verify that the usage policies include processes for explicit approval from authorized parties to use the technologies.
Modified
p. 195 → 172
Provide the name of the assessor who attests that the usage policies were verified to include processes for explicit approval from authorized parties to use the technologies.
Modified
p. 195 → 172
<Report Findings Here> 12.3.2 Authentication for use of the technology.
<Report Findings Here> 12.3.2 Authentication for use of the technology.
Modified
p. 195 → 173
12.3.1 Verify that the usage policies include processes for explicit approval from authorized parties to use the technologies.
12.3.2 Verify that the usage policies include processes for all technology use to be authenticated with user ID and password or other authentication item (for example, token).
Modified
p. 195 → 173
Provide the name of the assessor who attests that the usage policies were verified to define a list of all devices and personnel authorized to use the devices.
Modified
p. 195 → 173
<Report Findings Here> 12.3.3 A list of all such devices and personnel with access.
<Report Findings Here> 12.3.3 A list of all such devices and personnel with access. 12.3.3 Verify that the usage policies define a list of all devices and personnel authorized to use the devices.
Modified
p. 195 → 173
Provide the name of the assessor who attests that the usage policies were verified to include a list of company-approved products.
Modified
p. 195 → 173
<Report Findings Here> 12.3.4 A method to accurately and readily determine owner, contact information, and purpose (for example, labeling, coding, and/or inventorying of devices).
<Report Findings Here> 12.3.4 A method to accurately and readily determine owner, contact information, and purpose (for example, labeling, coding, and/or inventorying of devices). 12.3.4 Verify that the usage policies define a method to accurately and readily determine owner, contact information, and purpose (for example, labeling, coding, and/or inventorying of devices).
Modified
p. 195 → 173
Provide the name of the assessor who attests that the usage policies were verified to define a method to accurately and readily determine:
Modified
p. 195 → 173
• Contact Information <Report Findings Here> 12.3.5 Acceptable uses of the technology. 12.3.5 Verify that the usage policies define acceptable uses for the technology.
Modified
p. 195 → 173
Provide the name of the assessor who attests that the usage policies were verified to define acceptable network locations for the technology.
Removed
p. 196
12.3.6 Acceptable network locations for the technologies.
Provide the name of the assessor who attests that the usage policies were verified to include a list of company-approved products.
Provide the name of the assessor who attests that the usage policies were verified to require automatic disconnect of sessions for remote-access technologies after a specific period of inactivity.
<Report Findings Here> Identify any remote access technologies in use.
Provide the name of the assessor who attests that the usage policies were verified to include a list of company-approved products.
Provide the name of the assessor who attests that the usage policies were verified to require automatic disconnect of sessions for remote-access technologies after a specific period of inactivity.
<Report Findings Here> Identify any remote access technologies in use.
Modified
p. 196 → 173
<Report Findings Here> 12.3.7 List of company-approved products.
<Report Findings Here> 12.3.7 List of company-approved products. 12.3.7 Verify that the usage policies include a list of company-approved products.
Modified
p. 196 → 173
<Report Findings Here> 12.3.8 Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity.
<Report Findings Here> 12.3.8 Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity.
Modified
p. 196 → 174
Provide the name of the assessor who attests that the usage policies were verified to require automatic disconnect of sessions for remote-access technologies after a specific period of inactivity.
Modified
p. 196 → 174
12.3.8.a Verify that the usage policies require automatic disconnect of sessions for remote-access technologies after a specific period of inactivity.
12.3.8.a Verify that the usage policies require automatic disconnect of sessions for remote-access technologies after a specific period of inactivity.
Modified
p. 196 → 174
Describe how configurations for remote access technologies were examined to verify that remote access sessions will be automatically disconnected after a specific period of inactivity.
Modified
p. 196 → 174
<Report Findings Here> Identify the period of inactivity specified. <Report Findings Here> 12.3.9 Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use.
<Report Findings Here> Identify any remote access technologies in use. <Report Findings Here> Identify the period of inactivity specified. <Report Findings Here> 12.3.9 Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use. 12.3.9 Verify that the usage policies require activation of remote-access technologies used by vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use.
Removed
p. 197
Provide the name of the assessor who attests that the usage policies were verified to require activation of remote-access technologies used by vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use.
Modified
p. 197 → 174
Provide the name of the assessor who attests that the usage policies were verified to require activation of remote-access technologies used by vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use.
Modified
p. 197 → 174
Provide the name of the assessor who attests that the usage policies were verified to prohibit copying, moving or storing of cardholder data onto local hard drives and removable electronic media when accessing such data via remote-access technologies.
Modified
p. 197 → 174
Provide the name of the assessor who attests that the usage policies were verified to require, for personnel with proper authorization, the protection of cardholder data in accordance with PCI DSS Requirements.
Modified
p. 197 → 175
Identify the information security policy and procedures reviewed to verify that they clearly define information security responsibilities for all personnel.
Modified
p. 197 → 175
Identify the information security policies reviewed to verify the specific and formal assignment of the following (including 12.5.1-12.5.5):
Modified
p. 197 → 176
• Distributing information to appropriate information security and business unit management personnel.
Removed
p. 198
Identify the information security policies reviewed to verify the specific and formal assignment of the following (including 12.5.1-12.5.5):
Modified
p. 198 → 175
Identify the responsible personnel interviewed for this testing procedure who confirm they understand the security policy.
Modified
p. 198 → 175
<Report Findings Here> Provide the name of the assessor who attests that the interviews of responsible personnel conducted verified that they understand the security policies.
<Report Findings Here> Provide the name of the assessor who attests that the interviews of responsible personnel conducted verified that they understand the security policies.
Modified
p. 198 → 175
<Report Findings Here> 12.5 Assign to an individual or team the following information security management responsibilities:
<Report Findings Here> 12.5 Assign to an individual or team the following information security management responsibilities: 12.5 Examine information security policies and procedures to verify:
Modified
p. 198 → 175
• The formal assignment of information security to a Chief Security Officer or other security-knowledgeable member of management.
Modified
p. 198 → 175
• The following information security responsibilities are specifically and formally assigned:
Modified
p. 198 → 175
• Information security to a Chief Security Officer or other security-knowledgeable member of management.
Modified
p. 198 → 175
• Responsibility for establishing, documenting and distributing security policies and procedures.
Modified
p. 198 → 175
• Monitoring and analyzing security alerts and distributing information to appropriate information security and business unit management personnel.
Modified
p. 198 → 175
• Establishing, documenting, and distributing security incident response and escalation procedures.
Modified
p. 198 → 175
• Administering user account and authentication management.
Modified
p. 198 → 175
• Monitoring and controlling all access to data.
Modified
p. 198 → 177
12.4.b Interview a sample of responsible personnel to verify they understand the security policies.
12.5.5 Verify that responsibility for monitoring and controlling all access to data is formally assigned.
Removed
p. 199
Distributing information to appropriate information security and business unit management personnel.
Documenting security incident response and escalation procedures.
Distributing security incident response and escalation procedures.
Documenting security incident response and escalation procedures.
Distributing security incident response and escalation procedures.
Modified
p. 199 → 176
12.5.1 Establish, document, and distribute security policies and procedures.
12.5.1 Verify that responsibility for establishing, documenting and distributing security policies and procedures is formally assigned.
Modified
p. 199 → 176
• Distributing security policies and procedures.
Modified
p. 199 → 176
• Documenting security policies and procedures.
Modified
p. 199 → 176
• Distributing security incident response and escalation procedures.
Modified
p. 199 → 176
<Report Findings Here> 12.5.2 Monitor and analyze security alerts and information, and distribute to appropriate personnel.
<Report Findings Here> 12.5.2 Monitor and analyze security alerts and information, and distribute to appropriate personnel. 12.5.2 Verify that responsibility for monitoring and analyzing security alerts and distributing information to appropriate information security and business unit management personnel is formally assigned.
Modified
p. 199 → 176
• Monitoring and analyzing security alerts.
Modified
p. 199 → 176
<Report Findings Here> 12.5.3 Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.
<Report Findings Here> 12.5.3 Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations. ☐ ☐ ☐ ☐ ☐ 12.5.3 Verify that responsibility for establishing, documenting, and distributing security incident response and escalation procedures is formally assigned.
Modified
p. 199 → 176
• Documenting security incident response and escalation procedures.
Removed
p. 200
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 12.5.4 Administer user accounts, including additions, deletions, and modifications.
Identify the documented security awareness program reviewed to verify it provides awareness to all personnel about the importance of cardholder data security.
Identify the documented security awareness program reviewed to verify it provides awareness to all personnel about the importance of cardholder data security.
Modified
p. 200 → 176
Provide the name of the assessor who attests that responsibilities were verified to be formally assigned for administering user account and authentication management.
Modified
p. 200 → 176
<Report Findings Here> 12.5.5 Monitor and control all access to data.
<Report Findings Here> 12.5.5 Monitor and control all access to data. ☐ ☐ ☐ ☐ ☐
Modified
p. 200 → 177
• Controlling all access to data <Report Findings Here> 12.6 Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security. ☐ ☐ ☐ ☐ ☐ 12.6.a Review the security awareness program to verify it provides awareness to all personnel about the importance of cardholder data security.
Modified
p. 200 → 177
Identify the documented security awareness program reviewed to verify it provides awareness to all personnel about the importance of cardholder data security.
Removed
p. 201
Describe how the security awareness program provides multiple methods of communicating awareness and educating personnel.
Modified
p. 201 → 177
<Report Findings Here> 12.6.b Examine security awareness program procedures and documentation and perform the following:
Modified
p. 201 → 177
Identify the documented security awareness program procedures and additional documentation examined to verify that:
Modified
p. 201 → 177
• The security awareness program provides multiple methods of communicating awareness and educating personnel.
Modified
p. 201 → 177
• Personnel acknowledge, in writing or electronically and at least annually, that they have read and understand the information security policy.
Modified
p. 201 → 177
Note: Methods can vary depending on the role of the personnel and their level of access to the cardholder data.
Note: Methods can vary depending on the role of the personnel and their level of access to the cardholder data. ☐ ☐ ☐ ☐ ☐ 12.6.1.a Verify that the security awareness program provides multiple methods of communicating awareness and educating personnel (for example, posters, letters, memos, web-based training, meetings, and promotions).
Modified
p. 201 → 177
Describe how the security awareness program provides multiple methods of communicating awareness and educating personnel.
Modified
p. 201 → 177
<Report Findings Here> 12.6.1.b Verify that personnel attend security awareness training upon hire and at least annually.
<Report Findings Here> 12.6.1.b Verify that personnel attend Describe how it was observed that all personnel attend security awareness training:
Modified
p. 201 → 178
Upon hire <Report Findings Here> At least annually <Report Findings Here>
Upon hire <Report Findings Here> At least annually <Report Findings Here> 12.6.1.c Interview a sample of personnel to verify they have completed awareness training and are aware of the importance of cardholder data security.
Modified
p. 202 → 178
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 12.6.1.c Interview a sample of personnel to verify they have completed awareness training and are aware of the importance of cardholder data security.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ Not Tested Place security awareness training upon hire and at least annually.
Modified
p. 202 → 178
Identify the sample of personnel interviewed who confirm they have completed security awareness training.
Modified
p. 202 → 178
<Report Findings Here> For the interview, summarize details of the interview that verify their awareness of the importance of cardholder data security.
<Report Findings Here> For the interview, summarize details of the interview that verify their awareness of the importance of cardholder data security.
Modified
p. 202 → 178
<Report Findings Here> 12.6.2 Require personnel to acknowledge at least annually that they have read and understood the security policy and procedures.
<Report Findings Here> 12.6.2 Require personnel to acknowledge at least annually that they have read and understood the security policy and procedures. ☐ ☐ ☐ ☐ ☐ 12.6.2 Verify that the security awareness program requires personnel to acknowledge, in writing or electronically, at least annually that they have read and understand the information security policy.
Modified
p. 203 → 179
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 12.7 Inquire with Human Resource department management and verify that background checks are conducted (within the constraints of local laws) prior to hire on potential personnel who will have access to cardholder data or the cardholder data environment.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ Not Tested 12.7 Inquire with Human Resource department management and verify that background checks are conducted (within the constraints of local laws) prior to hire on potential personnel who will have access to cardholder data or the cardholder data environment.
Modified
p. 203 → 179
Identify the documented policy reviewed to verify requirement for background checks to be conducted:
Modified
p. 203 → 179
• On potential personnel who will have access to cardholder data or the cardholder data environment.
Modified
p. 203 → 179
• On potential personnel who will have access to cardholder data or the cardholder data environment.
Modified
p. 203 → 179
• Prior to hiring the personnel.
Modified
p. 203 → 179
• Prior to hiring the personnel.
Modified
p. 203 → 179
<Report Findings Here> Identify the Human Resources personnel interviewed who confirm background checks are conducted:
<Report Findings Here> Identify the Human Resources personnel interviewed who confirm background checks are conducted:
Modified
p. 203 → 179
<Report Findings Here> Prior to hiring the personnel. <Report Findings Here> 12.8 Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows:
<Report Findings Here> Prior to hiring the personnel. <Report Findings Here> 12.8 Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows: ☐ ☐ ☐ ☐ ☐
Removed
p. 204
Describe how the documented list of service providers was observed to be maintained (kept up-to-date).
Modified
p. 204 → 180
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 12.8 Through observation, review of policies and procedures, and review of supporting documentation, verify that processes are implemented to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data (for example, backup tape storage facilities, managed service providers such as web-hosting companies or security service providers, those …
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ Not Tested 12.8 Through observation, review of policies and procedures, and review of supporting documentation, verify that processes are implemented to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data (for example, backup tape storage facilities, managed service providers such as web-hosting companies or security service providers, those that receive …
Modified
p. 204 → 180
Identify the documented policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, reviewed to verify policy defines the following from 12.8.1–12.8.5:
Modified
p. 204 → 180
• Maintain a list of service providers.
Modified
p. 204 → 180
• Maintain a written agreement that includes an acknowledgement that the service providers will maintain all applicable PCI DSS requirements to the extent the service provider handles, has access to, or otherwise stores, processes, or transmits the customer’s cardholder data or sensitive authentication data, or manages the customer's cardholder data environment on behalf of a customer.
Modified
p. 204 → 180
• Ensure there is an established process for engaging service providers including proper due diligence prior to engagement.
Modified
p. 204 → 180
• Maintain a program to monitor service providers’ PCI DSS compliance status at least annually.
Modified
p. 204 → 180
• Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.
Modified
p. 204 → 180
<Report Findings Here> 12.8.1 Maintain a list of service providers.
<Report Findings Here> 12.8.1 Maintain a list of service providers. ☐ ☐ ☐ ☐ ☐ 12.8.1 Verify that a list of service providers is maintained.
Removed
p. 205
Describe how it was verified that the entity maintains a program to monitor its service providers’ PCI DSS compliance status at least annually.
Modified
p. 205 → 180
<Report Findings Here> 12.8.2 Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s CDE.
Modified
p. 205 → 181
Describe how written agreements for each service provider were observed to confirm they include an acknowledgement by service providers that they will maintain all applicable PCI DSS requirements to the extent the service provider handles, has access to, or otherwise stores, processes, or transmits the customer’s cardholder data or sensitive authentication data, or manages the customer's cardholder data environment on behalf of a customer.
Modified
p. 205 → 181
<Report Findings Here> 12.8.3 Ensure there is an established process for engaging service providers including proper due diligence prior to engagement.
<Report Findings Here> 12.8.3 Ensure there is an established process for engaging service providers including proper due diligence prior to engagement. ☐ ☐ ☐ ☐ ☐ 12.8.3 Verify that policies and procedures are documented and implemented including proper due diligence prior to engaging any service provider.
Modified
p. 205 → 181
Describe how it was verified that the procedures for proper due diligence prior to engaging a service provider are implemented, as documented in the policies and procedures at 12.8.
Modified
p. 205 → 181
<Report Findings Here> 12.8.4 Maintain a program to monitor service providers’ PCI DSS compliance status at least annually.
<Report Findings Here> 12.8.4 Maintain a program to monitor service providers’ PCI DSS compliance status at least annually. ☐ ☐ ☐ ☐ ☐ 12.8.4 Verify that the entity maintains a program to monitor its service providers’ PCI DSS compliance status at least annually.
Removed
p. 206
Describe how it was observed that the entity maintains information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.
Modified
p. 206 → 181
Describe how it was observed that the entity maintains information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.
Modified
p. 206 → 182
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ Not Tested 12.9 Additional requirement for service providers only: Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.
Removed
p. 207
<Report Findings Here> Describe how written agreement templates were observed to verify that the service provider acknowledges in writing to customers that the service provider will maintain all applicable PCI DSS requirements to the extent the service provider handles, has access to, or otherwise stores, processes, or transmits the customer’s cardholder data or sensitive authentication data, or manages the customer's cardholder data environment on behalf of a customer.
Modified
p. 207 → 182
Indicate whether the assessed entity is a service provider. (yes/no) If “no,” mark the remainder of 12.9 as “Not Applicable.” <Report Findings Here> Indicate whether this ROC is being completed prior to June 30, 2015. (yes/no) <Report Findings Here> If “yes” AND the assessed entity does not have this in place ahead of the requirement’s effective date, mark the remainder of 12.9 as “Not Applicable.” If “no” OR if the assessed entity has this in place ahead of the requirement’s …
Modified
p. 207 → 182
Identify the service provider’s policies and procedures reviewed to verify that the service provider acknowledges in writing to customers that the service provider will maintain all applicable PCI DSS requirements to the extent the service provider possesses or otherwise stores, processes, or transmits cardholder data on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.
Modified
p. 207 → 183
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 12.9 Additional testing procedure for service providers: Review service provider’s policies and procedures and observe written agreement templates to confirm the service provider acknowledges in writing to customers that the service provider will maintain all applicable PCI DSS requirements to the extent the service provider handles, has access to, or otherwise stores, processes, or transmits the …
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ Not Tested Describe how templates used for written agreement were observed to verify that the service provider acknowledges in writing to customers that the service provider will maintain all applicable PCI DSS requirements to the extent the service provider possesses or otherwise stores, processes, or transmits cardholder data on behalf of the customer, or to the extent that they …
Modified
p. 208 → 183
Identify the documented incident response plan and related procedures examined to verify the entity is prepared to respond immediately to a system breach, with defined processes as follows from 12.10.1–12.10.6:
Modified
p. 208 → 183
• Create the incident response plan to be implemented in the event of system breach.
Modified
p. 208 → 183
• Test the plan at least annually.
Modified
p. 208 → 183
• Designate specific personnel to be available on a 24/7 basis to respond to alerts: - 24/7 incident monitoring - 24/7 incident response
Modified
p. 208 → 183
• Include alerts from security monitoring systems, including but not limited to intrusion-detection, intrusion-prevention, firewalls, and file-integrity monitoring systems.
Modified
p. 208 → 183
• Develop a process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments.
Modified
p. 208 → 184
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 12.10 Implement an incident response plan. Be prepared to respond immediately to a system breach.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ Not Tested 12.10.1 Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum:
Removed
p. 209
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 12.10.1 Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum:
Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum. Specific incident response procedures. Business recovery and continuity procedures. Data back-up processes. Analysis of legal requirements for reporting compromises. Coverage and responses of all critical system components. Reference or inclusion of incident response procedures from the payment brands.
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 12.10.1.a Verify that the incident response plan includes:
Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum. Specific incident response procedures. Business recovery and continuity procedures. Data back-up processes. Analysis of legal requirements for reporting compromises. Coverage and responses of all critical system components. Reference or inclusion of incident response procedures from the payment brands.
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 12.10.1.a Verify that the incident response plan includes:
Modified
p. 210 → 184
• Analysis of legal requirements for reporting compromises (for example, California Bill 1386, which requires notification of affected consumers in the event of an actual or suspected compromise for any business with California residents in their database).
Modified
p. 210 → 184
Provide the name of the assessor who attests that the incident response plan was verified to include:
Modified
p. 210 → 184
• Roles and responsibilities.
Modified
p. 210 → 184
• Communication strategies.
Modified
p. 210 → 184
• Requirement for notification of the payment brands.
Modified
p. 210 → 184
• Specific incident response procedures.
Modified
p. 210 → 184
• Business recovery and continuity procedures.
Modified
p. 210 → 184
• Data back-up processes.
Modified
p. 210 → 184
• Analysis of legal requirements for reporting compromises.
Modified
p. 210 → 184
• Coverage for all critical system components.
Modified
p. 210 → 184
• Responses for all critical system components.
Modified
p. 210 → 184
• Reference or inclusion of incident response procedures from the payment brands.
Modified
p. 210 → 185
Identify the sample of personnel interviewed who confirm that the documented incident response plan and procedures are followed.
Removed
p. 211
Describe how it was observed that the incident response plan is tested at least annually.
Modified
p. 211 → 185
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested Place incidents or alerts to verify that the documented incident response plan and procedures were followed.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ Not Tested 12.10.1.b Interview personnel and review documentation from a sample of previously reported incidents or alerts to verify that the documented incident response plan and procedures were followed.
Modified
p. 211 → 185
<Report Findings Here> Identify the sample of previously reported incidents or alerts reviewed for this testing procedure.
Modified
p. 211 → 185
<Report Findings Here> For each item in the sample, describe how documentation was reviewed to confirm that the documented incident response plan and procedures are followed.
<Report Findings Here> For each item in the sample, describe how documentation was reviewed to confirm that the documented incident response plan and procedures are followed.
Modified
p. 211 → 185
<Report Findings Here> 12.10.2 Test the plan at least annually.
<Report Findings Here> 12.10.2 Test the plan at least annually. ☐ ☐ ☐ ☐ ☐ 12.10.2 Verify that the plan is tested at least annually.
Modified
p. 211 → 185
Identify the document requiring 24/7 incident response and monitoring coverage for:
Modified
p. 211 → 185
• Any evidence of unauthorized activity.
Modified
p. 211 → 185
• Detection of unauthorized wireless access points.
Modified
p. 211 → 185
• Critical IDS alerts.
Modified
p. 211 → 185
• Reports of unauthorized critical system or content file changes.
Modified
p. 212 → 185
• Any evidence of unauthorized activity.
Modified
p. 212 → 185
• Detection of unauthorized wireless access points.
Modified
p. 212 → 185
• Critical IDS alerts.
Modified
p. 212 → 185
• Reports of unauthorized critical system or content file changes.
Modified
p. 212 → 185
<Report Findings Here> Identify the sample of responsible personnel interviewed who confirm 24/7 incident response and monitoring coverage for:
Modified
p. 212 → 186
<Report Findings Here> 12.10.4 Provide appropriate training to staff with security breach response responsibilities.
<Report Findings Here> 12.10.4 Provide appropriate training to staff with security breach response responsibilities. ☐ ☐ ☐ ☐ ☐ 12.10.4 Verify through observation, review of policies, and interviews of responsible personnel that staff with responsibilities for security breach response are periodically trained.
Modified
p. 212 → 186
<Report Findings Here> Identify the documented policy reviewed that defines that staff with responsibilities for security breach response are periodically trained.
Modified
p. 212 → 186
<Report Findings Here> Identify the documented policy reviewed that defines that staff with responsibilities for security breach response are periodically trained.
<Report Findings Here> Describe how it was observed that staff with responsibilities for security breach response are periodically trained.
Modified
p. 212 → 186
<Report Findings Here> Describe how it was observed that staff with responsibilities for security breach response are periodically trained.
<Report Findings Here> Describe how processes were reviewed to verify that responding to alerts from security monitoring systems are covered in the Incident Response Plan.
Removed
p. 213
Describe how processes were reviewed to verify that monitoring alerts from security monitoring systems, including detection of unauthorized wireless access points, are covered in the Incident Response Plan.
<Report Findings Here> Describe how processes were reviewed to verify that responding to alerts from security monitoring systems, including detection of unauthorized wireless access points, are covered in the Incident Response Plan.
<Report Findings Here> Describe how processes were reviewed to verify that responding to alerts from security monitoring systems, including detection of unauthorized wireless access points, are covered in the Incident Response Plan.
Removed
p. 213
<Report Findings Here> Identify the sample of responsible personnel interviewed who confirm that processes are implemented to modify and evolve the incident response plan:
Modified
p. 213 → 186
<Report Findings Here> 12.10.6 Develop a process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments.
<Report Findings Here> 12.10.6 Develop a process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments. ☐ ☐ ☐ ☐ ☐ 12.10.6 Verify through observation, review of policies, and interviews of responsible personnel that there is a process to modify and evolve the incident response plan according to Identify the documented policy reviewed to verify that processes are defined to modify and evolve the incident response plan:
Modified
p. 213 → 186
• According to lessons learned.
Modified
p. 213 → 186
• To incorporate industry developments.
Modified
p. 213 → 187
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) with CCW N/A Not Tested 12.10.5 Include alerts from security monitoring systems, including but not limited to intrusion-detection, intrusion-prevention, firewalls, and file-integrity monitoring systems.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ Not Tested Place lessons learned and to incorporate industry developments.
Modified
p. 213 → 187
Identify the sample of responsible personnel interviewed who confirm that processes are implemented to modify and evolve the incident response plan:
Modified
p. 213 → 187
• According to lessons learned.
Modified
p. 213 → 187
• To incorporate industry developments.
Modified
p. 214 → 188
<Report Findings Here> A.1 Protect each entity’s (that is, merchant, service provider, or other entity) hosted environment and data, per A.1.1 through A.1.4:
Modified
p. 215 → 188
A.1.1 If a shared hosting provider allows entities (for example, merchants or service providers) to run their own applications, verify these application processes run using the unique ID of the entity. For example:
A.1.1 Ensure that each entity only runs processes that have access to that entity’s cardholder data environment. ☐ ☐ ☐ ☐ ☐ A.1.1 If a shared hosting provider allows entities (for example, merchants or service providers) to run their own applications, verify these application processes run using the unique ID of the entity. For example:
Modified
p. 215 → 188
• No entity on the system can use a shared web server user ID.
Modified
p. 215 → 188
• All CGI scripts used by an entity must Indicate whether the hosting provider allows hosted entities to run their own applications. (yes/no) <Report Findings Here> Identify the document reviewed to verify processes are defined to require that entities must not run their own applications.
Modified
p. 215 → 188
<Report Findings Here> Describe how it was observed that hosted entities are not able to run their own applications.
<Report Findings Here> Describe how it was observed that hosted entities are not able to run their own applications.
Modified
p. 215 → 189
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Summary of Assessment Findings (check one) with CCW N/A Not Tested A.1.1 Ensure that each entity only runs processes that have access to that entity’s cardholder data environment.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details:
Modified
p. 215 → 189
Identify the document requiring that application processes use a unique ID for each entity.
Modified
p. 215 → 189
<Report Findings Here> Identify the sample of servers observed. <Report Findings Here> Identify the sample of hosted merchants and service providers (hosted entities) observed.
<Report Findings Here> Identify the sample of servers observed. <Report Findings Here> Identify the sample of hosted merchants and service providers (hosted entities) observed.
Modified
p. 215 → 189
<Report Findings Here> For each item in the sample, describe how the observed system configurations require that all hosted entities’ application processes are run using the unique ID of that entity.
<Report Findings Here> For each item in the sample, describe how the observed system configurations require that all hosted entities’ application processes are run using the unique ID of that entity.
Modified
p. 216 → 189
A.1.2.a Verify the user ID of any application process is not a privileged user (root/admin).
<Report Findings Here> A.1.2 Restrict each entity’s access and privileges to its own cardholder data environment only. ☐ ☐ ☐ ☐ ☐ A.1.2.a Verify the user ID of any application process is not a privileged user (root/admin).
Modified
p. 216 → 189
Identify the document examined to verify processes require that user IDs for hosted entities’ application processes are not privileged users.
Modified
p. 216 → 190
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Summary of Assessment Findings (check one) with CCW N/A Not Tested A.1.2 Restrict each entity’s access and privileges to its own cardholder data environment only.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details:
Modified
p. 216 → 190
Assessor’s Response Summary of Assessment Findings (check one) In Place w/ Not Tested Using the sample of servers and hosted merchants and service providers from A.1.1, for each item perform the following:
Modified
p. 216 → 190
Describe the observed system configurations examined to verify that user IDs for hosted entities’ application processes are not privileged users.
Modified
p. 216 → 190
<Report Findings Here> Describe how running application process IDs were observed to verify that the running application process IDs are not privileged users.
<Report Findings Here> Describe how running application process IDs were observed to verify that the running application process IDs are not privileged users.
Modified
p. 216 → 190
Identify the document examined to verify permissions for hosted entities are defined as follows:
Modified
p. 216 → 190
• Read permissions are only assigned for the files and directories the hosted entity owns, or for necessary systems files.
Modified
p. 216 → 190
• Write permissions are only assigned for the files and directories the hosted entity owns, or for necessary systems files.
Modified
p. 216 → 190
• Access permissions are only assigned for the files and directories the hosted entity owns, or for necessary systems files.
Modified
p. 216 → 190
• Assigned permissions for hosted entities must be restricted.
Modified
p. 216 → 190
• An entity’s files must not be shared by group.
Removed
p. 217
<Report Findings Here> Describe how the entity’s files were observed to verify they are not shared by group.
Modified
p. 217 → 191
• Read permissions are only assigned for the files and directories the hosted entity owns, or for necessary systems files.
Modified
p. 217 → 191
Assessor’s Response Summary of Assessment Findings (check one) In Place w/ Not Tested Using the sample of servers and hosted merchants and service providers from A.1.1, for each item describe the system configuration setting observed to verify permissions are assigned as follows:
Modified
p. 217 → 191
• Write permissions are only assigned for the files and directories the hosted entity owns, or for necessary systems files.
Modified
p. 217 → 191
• Access permissions are only assigned for the files and directories the hosted entity owns, or for necessary systems files.
Modified
p. 217 → 191
• Assigned permissions for hosted entities must be restricted.
Modified
p. 217 → 191
<Report Findings Here> An entity’s files must not be shared by group.
<Report Findings Here> Describe how the entity’s files were observed to verify they are not shared by group.
Modified
p. 217 → 191
<Report Findings Here> For each item in the sample, perform the following:
• An entity’s files must not be shared by group. <Report Findings Here> For each item in the sample, perform the following:
Modified
p. 217 → 191
Describe the permissions observed to verify permissions are restricted.
Modified
p. 217 → 191
Identify the document examined to verify processes require that a hosted entity’s users do not have write access to shared system binaries.
Modified
p. 217 → 191
<Report Findings Here> Using the sample of servers and hosted merchants and service providers from A.1.1, for each item in the summary describe the observed system configurations observed to verify that an entity’s users do not have write access to shared system binaries.
Removed
p. 218
• Disk space <Report Findings Here>
• Bandwidth <Report Findings Here>
• Memory <Report Findings Here>
• CPU <Report Findings Here>
Modified
p. 218 → 191
Identify the document examined to verify processes require that viewing of log entries is restricted to the owning entity.
Modified
p. 218 → 192
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Summary of Assessment Findings (check one) with CCW N/A Not Tested A.1.2.d Verify that viewing of log entries is restricted to the owning entity.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details:
Modified
p. 218 → 192
Assessor’s Response Summary of Assessment Findings (check one) In Place w/ Not Tested Using the sample of servers and hosted merchants and service providers from A.1.1, for each item in the summary describe the observed system configurations observed to verify that viewing of log entries is restricted to the owning entity.
Modified
p. 218 → 192
• Bandwidth Identify the document examined to verify processes require restrictions on the use of the following to ensure each entity cannot monopolize server resources to exploit vulnerabilities:
Modified
p. 218 → 192
• Bandwidth <Report Findings Here> Using the sample of servers and hosted merchants and service providers from A.1.1, perform the following:
Modified
p. 218 → 192
Describe the system configuration setting observed to verify restrictions are implemented for the use of:
Removed
p. 219
• Logs are enabled for common third-party applications.
• Logs are active by default.
• Logs are available for review by the owning entity.
• Log locations are clearly communicated to the owning entity.
Modified
p. 219 → 193
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Summary of Assessment Findings (check one) with CCW N/A Not Tested A.1.3 Ensure logging and audit trails are enabled and unique to each entity’s cardholder data environment and consistent with PCI DSS Requirement 10.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details:
Modified
p. 219 → 193
Identify the document examined to verify processes require that logging is enabled for each hosting environment, with the following required for each hosted entity environment:
Modified
p. 219 → 193
• Logs are enabled for common third-party applications.
Modified
p. 219 → 193
• Logs are active by default.
Modified
p. 219 → 193
• Logs are available for review by the owning entity.
Modified
p. 219 → 193
• Log locations are clearly communicated to the owning entity.
Modified
p. 219 → 193
<Report Findings Here> Logs are active by default. <Report Findings Here> Logs are available for review by the owning entity.
<Report Findings Here> Logs are active by default. <Report Findings Here> Logs are available for review by the owning entity. <Report Findings Here> Log locations are clearly communicated to the owning entity.
Removed
p. 220
A.1.4 Verify the shared hosting provider has written policies that provide for a timely forensics investigation of related servers in the event of a compromise.
<Report Findings Here> Describe how processes were observed to verify that processes are implemented to provide for timely forensics investigation in the event of a compromise to any hosted entity.
Modified
p. 220 → 194
PCI DSS Requirements and Testing Procedures Reporting Instruction ROC Reporting Details: Assessor’s Summary of Assessment Findings (check one) with CCW N/A Not Tested A.1.4 Enable processes to provide for timely forensic investigation in the event of a compromise to any hosted merchant or service provider.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details:
Modified
p. 220 → 194
<Report Findings Here> Describe how processes were observed to verify that processes are implemented to provide for timely forensics investigation in the event of a compromise to any hosted entity.
Modified
p. 220 → 194
Assessor’s Response Summary of Assessment Findings (check one) In Place w/ Not Tested servers in the event of a compromise. Identify the responsible personnel interviewed who confirm that processes are implemented in accordance with the documented policies.
Modified
p. 221 → 195
For example, passwords for non-console administrative access must be sent encrypted to mitigate the risk of intercepting clear-text administrative passwords. An entity cannot use other PCI DSS password requirements (intruder lockout, complex passwords, etc.) to compensate for lack of encrypted passwords, since those other password requirements do not mitigate the risk of interception of clear-text passwords. Also, the other password controls are already PCI DSS requirements for the item under review (passwords). b) Existing PCI DSS requirements MAY be considered …
a) Existing PCI DSS requirements CANNOT be considered as compensating controls if they are already required for the item under review. For example, passwords for non-console administrative access must be sent encrypted to mitigate the risk of intercepting clear-text administrative passwords. An entity cannot use other PCI DSS password requirements (intruder lockout, complex passwords, etc.) to compensate for lack of encrypted passwords, since those other password requirements do not mitigate the risk of interception of clear-text passwords. Also, the other …
Modified
p. 223 → 197
Company XYZ is going to require all users to log into the servers from their desktops using the “SU” (substitute user) command. This allows a user to access the “root” account and perform actions under it, while those actions are logged in the SU-log directory. In this way, each user’s actions can be tracked through the SU account, without the “root” password being shared with the users.
Company XYZ is going to require all users to log into the servers using their regular user accounts, and then use the “sudo” command to run any administrative commands. This allows use of the “root” account privileges to run pre-defined commands that are recorded by sudo in the security log. In this way, each user’s actions can be traced to an individual user account, without the “root” password being shared with the users.
Modified
p. 223 → 197
Company XYZ demonstrates to the assessor that the SU command is being executed and that all activities performed by those individuals utilizing the command are logged to identify that the individual is performing actions under root privileges.
Company XYZ demonstrates to the assessor that the sudo command is configured properly using a “sudoers” file, that only pre-defined commands can be run by specified users, and that all activities performed by those individuals using sudo are logged to identify the individual performing actions using “root” privileges.
Modified
p. 223 → 197
Company XYZ documents processes and procedures to ensure SU configurations are not changed, altered, or removed to allow individual users to execute root commands without being individually identified, tracked and logged.
Company XYZ documents processes and procedures to ensure sudo configurations are not changed, altered, or removed to allow individual users to execute root commands without being individually identified, tracked and logged.
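As an added example (not part of the PCI DSS template and not Company XYZ’s configuration), the following Python script parses sudo’s default syslog entries and checks the property the compensating control depends on: every privileged command is attributed to a named user and comes from the pre-defined command list. The log lines, the ALLOWED set and the SHELL_SPAWNERS set are constructed assumptions for this illustration.

```python
import re

# Constructed sample syslog lines in sudo's default log format (not taken from the page).
SAMPLE_LOG = """\
Mar  3 10:15:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 10:16:22 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar  3 10:17:05 web01 sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/su -
Mar  3 10:18:40 web01 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/tail -n 100 /var/log/auth.log
"""

# Hypothetical allowlist mirroring the "pre-defined commands" a sudoers file would permit.
ALLOWED = {"/usr/bin/systemctl", "/usr/bin/tail"}
# Spawning a root shell defeats per-user accountability: later commands are no longer logged per user.
SHELL_SPAWNERS = {"/bin/bash", "/bin/sh", "/bin/su", "/usr/bin/su"}

LINE_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : (?:(?P<denied>command not allowed) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$"
)

def parse_sudo_line(line):
    """Return a dict for one sudo log entry, or None if the line is not a sudo entry."""
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["denied"] = d["denied"] is not None
    d["binary"] = d["cmd"].split()[0]
    return d

def audit(log_text):
    """Return (events, findings): each event attributed to a user, plus policy findings."""
    events, findings = [], []
    for line in log_text.splitlines():
        ev = parse_sudo_line(line)
        if ev is None:
            continue
        events.append(ev)
        if ev["denied"]:
            findings.append(f"{ev['user']}: attempt blocked by sudoers: {ev['cmd']}")
        elif ev["binary"] in SHELL_SPAWNERS:
            findings.append(f"{ev['user']}: interactive root shell via {ev['binary']} breaks traceability")
        elif ev["binary"] not in ALLOWED:
            findings.append(f"{ev['user']}: ran {ev['binary']} which is not in the pre-defined command list")
    return events, findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG)[1]:
        print(finding)
```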