Document Comparison

PCI-DSS-v4-0-SAQ-D-Service-Provider-r3.pdf PCI-DSS-v4-0-1-SAQ-D-Service-Provider-r2.pdf
94% similar
147 → 149 Pages
38131 → 38759 Words
251 Content Changes

Content Changes

251 content changes. 48 administrative changes (dates, page numbers) hidden.

Added p. 2
Added ASV Resource Guide to section “Additional PCI SSC Resources.”

December 2024 4.0.1 1 Errata Change − Corrected requirement number reference in Requirement 3.6.1.1.

January 2025 4.0.1 2 Errata Change

• In Document Changes table, updated November 2024 date in to reflect the December change date. Fixed Table of Contents so it is clickable.
Added p. 8
Note: A legal exception is a legal restriction due to a local or regional law, regulation, or regulatory requirement, where meeting a PCI DSS requirement would violate that law, regulation, or regulatory requirement.

(PCI Data Security Standard Requirements and Testing Procedures)
• Guidance on Scoping
• Guidance on the intent of all PCI DSS Requirements
• Details of testing procedures
• Guidance on Compensating Controls
• Appendix G: Glossary of Terms, Abbreviations, and Acronyms
SAQ Instructions and Guidelines
• Information about all SAQs and their eligibility criteria
• How to determine which SAQ is right for your organization
Frequently Asked Questions (FAQs)
• Guidance and information about SAQs.
Added p. 18
Note: Anywhere SAD is stored should be documented in the table above.

Indicate whether SAD is stored post authorization:

Indicate whether SAD is stored as part of Issuer Functions:
Added p. 21
☐ Yes ☐ No If yes, Identify the name of the document the assessor verified to include the entity’s documented policies and procedures requiring scanning at least once every three months going forward.
Added p. 35
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 3.3.1.1 The full contents of any track are not stored upon completion of the authorization process.

Issuers and companies that support issuing services, where there is a legitimate and documented business need to store SAD, are not required to meet this requirement. A legitimate business need is one that is necessary for the performance of the function being provided by or for the issuer.
Added p. 40
Applicability Notes Describe results as instructed in “Requirement Responses” (page v) This requirement applies to PANs stored in primary storage (databases, or flat files such as text files spreadsheets) as well as non-primary storage (backup, audit logs, exception, or troubleshooting logs).
Added p. 41
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place All Applicability Notes for Requirement 3.5.1 also apply to this requirement.

Key-management processes and procedures (Requirements 3.6 and 3.7) do not apply to system components used to generate individual keyed hashes of a PAN for comparison to another system if:

• The system components only have access to one hash value at a time (hash values are not stored on the system) AND

• There is no other account data stored on the same system as the hashes.

Applicability Notes Describe results as instructed in “Requirement Responses” (page v) This requirement applies to any encryption method that provides clear-text PAN automatically when a system runs, even though an authorized user has not specifically requested that data.
Added p. 53
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.
Added p. 66
This requirement also applies to scripts in the entity’s webpage(s) that includes a TPSP’s/payment processor’s embedded payment page/form (for example, one or more inline frames or iframes).

This requirement does not apply to an entity for scripts in a TPSP’s/payment processor’s embedded payment page/form (for example, one or more iframes), where the entity includes a TPSP’s/payment processor’s payment page/form on its webpage.

Scripts in the TPSP’s/payment processor’s embedded payment page/form are the responsibility of the TPSP/payment processor to manage in accordance with this requirement.
Added p. 83
• User accounts that are only authenticated with phishing-resistant authentication factors.
Added p. 88
♦ Refer to the “Requirement Responses” section (page v) for information about these response options.
Added p. 94
• Components used only for manual PAN key entry.
Added p. 119
Scripts in the TPSP’s/payment processor’s embedded payment page/form are the responsibility of the TPSP/payment processor to manage in accordance with this requirement.

PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place This requirement also applies to entities with a webpage(s) that includes a TPSP’s/payment processor’s embedded payment page/form (for example, one or more inline frames or iframes.) This requirement does not apply to an entity for scripts in a TPSP’s/payment processor’s embedded payment page/form (for example, one or more iframes), where the entity includes a TPSP’s/payment processor’s payment page/form on its webpage.
Added p. 131
The TPSP’s written acknowledgment is a confirmation that states the TPSP is responsible for the security of the account data it may store, process, or transmit on behalf of the customer or to the extent the TPSP may impact the security of a customer’s cardholder data and/or sensitive authentication data.

The TPSP’s written acknowledgment is a confirmation that states the TPSP is responsible for the security of the account data it may store, process, or transmit on behalf of the customer or to the extent the TPSP may impact the security of a customer’s cardholder data and/or sensitive authentication data.

PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 12.9 Third-party service providers (TPSPs) support their customers’ PCI DSS compliance.

TPSPs provide written agreements to customers that include acknowledgments that TPSPs are responsible for the security …
Modified p. 2
Rearranged, retitled, and expanded information in the “Completing the Self-Assessment Questionnaire” section (previously titled “Before You Begin”).
Rearranged, retitled, and expanded information in the “Completing the Self-Assessment Questionnaire” section (previously titled “Before You Begin”).
Modified p. 4
PCI DSS is intended for all entities that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD) or could impact the security of the cardholder data environment (CDE). Cardholder data and sensitive authentication data are considered account data and are defined as follows:
PCI DSS is intended for all entities that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD) or could impact the security of cardholder data and/or sensitive authentication data. Cardholder data and sensitive authentication data are considered account data and are defined as follows:
Modified p. 5 → 4
Section 1: Assessment Information (Parts 1 & 2 of the Attestation of Compliance (AOC)
Section 1: Assessment Information (Parts 1 & 2 of the Attestation of Compliance (AOC) • Contact Information and Executive Summary).
Modified p. 5 → 4
Section 2:
• 2a: Details about Reviewed Environment.
• 2b: Self-Assessment Questionnaire D for Service Providers.
Section 2:
• 2a: Details about Reviewed Environment.
• 2b: Self-Assessment Questionnaire D for Service Providers.
Modified p. 5 → 4
Section 3: Validation and Attestation details (Parts 3 & 4 of the AOC
Section 3: Validation and Attestation details (Parts 3 & 4 of the AOC • PCI DSS Validation and Action Plan for Non-Compliant Requirements (if Part 4 is applicable)).
Modified p. 5
5. Submit the SAQ and AOC, along with any other requested documentation - such as ASV scan reports - to the requesting organization (those organizations that manage compliance programs such as payment brands and acquirers).
5. Submit the SAQ and AOC, along with any other requested documentation - such as ASV scan reports - to the requesting organization (those organizations that manage compliance programs such as payment brands and acquirers).
Modified p. 5
Examine: The entity critically evaluates data evidence. Common examples include documents (electronic or physical), screenshots, configuration files, audit logs, and data files.
Examine: The entity critically evaluates data evidence. Common examples include documents (electronic or physical), screenshots, configuration files, audit logs, and data files.
Modified p. 5
Observe: The entity watches an action or views something in the environment. Examples of observation subjects include personnel performing a task or process, system components performing a function or responding to input, environmental conditions, and physical controls.
Observe: The entity watches an action or views something in the environment. Examples of observation subjects include personnel performing a task or process, system components performing a function or responding to input, environmental conditions, and physical controls.
Modified p. 5
Interview: The entity converses with individual personnel. Interview objectives may include confirmation of whether an activity is performed, descriptions of how an activity is performed, and whether personnel have particular knowledge or understanding.
Interview: The entity converses with individual personnel. Interview objectives may include confirmation of whether an activity is performed, descriptions of how an activity is performed, and whether personnel have particular knowledge or understanding.
Modified p. 6
In Place with (Compensating Controls Worksheet) The expected testing has been performed, and the requirement has been met with the assistance of a compensating control.
In Place with CCW (Compensating Controls Worksheet) The expected testing has been performed, and the requirement has been met with the assistance of a compensating control.
Modified p. 7
An entity is asked by their acquirer to validate a subset of requirements - for example, using the PCI DSS Prioritized Approach to validate only certain milestones.
An entity is asked by their acquirer to validate a subset of requirements - for example, using the PCI DSS Prioritized Approach to validate only certain milestones.
Modified p. 7
An entity is confirming a new security control that impacts only a subset of requirements - for example, implementation of a new encryption methodology that only requires assessment of PCI DSS Requirements 2, 3, and 4.
An entity is confirming a new security control that impacts only a subset of requirements - for example, implementation of a new encryption methodology that only requires assessment of PCI DSS Requirements 2, 3, and 4.
Modified p. 7
A service provider organization offers a service which covers only a limited number of PCI DSS requirements - for example, a physical storage provider that is only confirming the physical security controls per PCI DSS Requirement 9 for their storage facility.
A service provider organization offers a service which covers only a limited number of PCI DSS requirements - for example, a physical storage provider that is only confirming the physical security controls per PCI DSS Requirement 9 for their storage facility.
Removed p. 8
Note: A legal restriction is one where meeting the PCI DSS requirement would violate a local or regional law or regulation.
Removed p. 9
• Guidance on Scoping

• Guidance on the intent of all PCI DSS Requirements

• Details of testing procedures

• Guidance on Compensating Controls

• Information about all SAQs and their eligibility criteria

• How to determine which SAQ is right for your organization Frequently Asked Questions (FAQs)

• Guidance and information about SAQs.

Online PCI DSS Glossary

• PCI DSS Terms, Abbreviations, and Acronyms Information Supplements and Guidelines

• Guidance on a variety of PCI DSS topics including:
Modified p. 9
• Appendix G: Glossary of Terms, Abbreviations, and Acronyms SAQ Instructions and Guidelines
Online PCI DSS Glossary
• PCI DSS Terms, Abbreviations, and Acronyms
Information Supplements and Guidelines
• Guidance on a variety of PCI DSS topics including:
Modified p. 9
− Understanding PCI DSS Scoping and Network Segmentation
− Third-Party Security Assurance
− Multi-Factor Authentication Guidance
− Best Practices for Maintaining PCI DSS Compliance
Getting Started with PCI Resources for smaller merchants including:
− Understanding PCI DSS Scoping and Network Segmentation
− Third-Party Security Assurance
− Multi-Factor Authentication Guidance
− Best Practices for Maintaining PCI DSS Compliance
Getting Started with PCI Resources for smaller merchants including:
Modified p. 9
− Guide to Safe Payments
− Common Payment Systems
− Questions to Ask Your Vendors
− Glossary of Payment and Information Security Terms
− PCI Firewall Basics
These and other resources can be found on the PCI SSC website (www.pcisecuritystandards.org).
− Guide to Safe Payments
− Common Payment Systems
− Questions to Ask Your Vendors
− Glossary of Payment and Information Security Terms
− PCI Firewall Basics
− ASV Resource Guide
These and other resources can be found on the PCI SSC website (www.pcisecuritystandards.org).
Modified p. 14
Name of PCI SSC- validated Product or Version of Product or
Name of PCI SSC validated Product or Version of Product or
Modified p. 14
PCI SSC listing Expiry date of listing (YYYY-MM-DD) For purposes of this document, “Lists of Validated Products and Solutions” means the lists of validated products, solutions, and/or components appearing on the PCI SSC website (www.pcisecuritystandards.org) - for example, 3DS Software Development Kits, Approved PTS Devices, Validated Payment Software, Payment Applications (PA-DSS), Point to Point Encryption (P2PE) solutions, Software-Based PIN Entry on COTS (SPoC) solutions, and Contactless Payments on COTS (CPoC) solutions.
PCI SSC listing Expiry date of listing (YYYY-MM-DD) For purposes of this document, “Lists of Validated Products and Solutions” means the lists of validated products, solutions, and/or components, appearing on the PCI SSC website (www.pcisecuritystandards.org) - for example, 3DS Software Development Kits, Approved PTS Devices, Validated Payment Software, Point to Point Encryption (P2PE) solutions, Software-Based PIN Entry on COTS (SPoC) solutions, Contactless Payments on COTS (CPoC) solutions, and Mobile Payments on COTS …
Modified p. 15
• Manage system components included in the scope of the entity’s PCI DSS assessment - for example, via network security control services, anti-malware services, security incident and event management (SIEM), contact and call centers, web-hosting services, and IaaS, PaaS, SaaS, and FaaS cloud providers.
• Manage system components included in the scope of the entity’s PCI DSS assessment - for example, via network security control services, anti-malware services, security incident and event management (SIEM), contact and call centers, web-hosting services, and IaaS, PaaS, SaaS, and FaaS cloud providers.
Modified p. 15
• Could impact the security of the entity’s CDE - for example, vendors providing support via remote access, and/or bespoke software developers.
• Could impact the security of the entity’s CDE - for example, vendors providing support via remote access, and/or bespoke software developers.
Modified p. 17
Shows all connections between the CDE and other networks, including any wireless networks.
Shows all connections between the CDE and other networks, including any wireless networks.
Modified p. 17
Is accurate and up to date with any changes to the environment.
Is accurate and up to date with any changes to the environment.
Modified p. 17
Illustrates all network security controls that are defined for connection points between trusted and untrusted networks.
Illustrates all network security controls that are defined for connection points between trusted and untrusted networks.
Modified p. 17
Illustrates how system components storing cardholder data are not directly accessible from the untrusted networks.
Illustrates how system components storing cardholder data are not directly accessible from the untrusted networks.
Modified p. 17
Includes the techniques (such as intrusion-detection systems and/or intrusion-prevention systems) that are in place to monitor all traffic:
Includes the techniques (such as intrusion-detection systems and/or intrusion-prevention systems) that are in place to monitor all traffic:
Modified p. 17
<Insert diagram(s) here - one page/image at a time>
<Insert diagram(s) here one page/image at a time>
Removed p. 18
Note: The list of files and tables that SAD in the table below must be supported by an inventory created (or obtained from the assessed entity) and retained by the assessor in the workpapers.

• Data Store (database name, file server name, etc.)
• File name(s), Table name(s) and/or Field names
• Is SAD stored pre-authorization? (Yes / No)
• Is SAD stored as part of Issuer Functions? (Yes / No)
• How data is secured (for example, what type of encryption and strength, etc.)
Modified p. 18
How access to data stores is logged Description of logging mechanism used for logging access to data - for example, describe the enterprise log management solution, application-level logging, operating system logging, etc. in place Storage of SAD Identify all databases, tables, and files storing Sensitive Account Data (SAD) and provide the following details.
How access to data stores is logged Description of logging mechanism used for logging access to data - for example, describe the enterprise log management solution, application-level logging, operating system logging, etc. in place Storage of SAD If SAD is stored complete the following:
Modified p. 19
Systems that store, process, or transmit account data (for example, payment terminals, authorization systems, clearing systems, payment middleware systems, payment back-office systems, shopping cart and store front systems, payment gateway/switch systems, fraud monitoring systems).
Systems that store, process, or transmit account data (for example, payment terminals, authorization systems, clearing systems, payment middleware systems, payment back-office systems, shopping cart and store front systems, payment gateway/switch systems, fraud monitoring systems).
Modified p. 19
Systems that provide security services (for example, authentication servers, access control servers, security information and event management (SIEM) systems, physical security systems (for example, badge access or CCTV), multi-factor authentication systems, anti-malware systems).
Systems that provide security services (for example, authentication servers, access control servers, security information and event management (SIEM) systems, physical security systems (for example, badge access or CCTV), multi-factor authentication systems, anti-malware systems).
Modified p. 19
Systems that facilitate segmentation (for example, internal network security controls).
Systems that facilitate segmentation (for example, internal network security controls).
Modified p. 19
Systems that could impact the security of account data or the CDE (for example, name resolution, or e-commerce (web) redirection servers).
Systems that could impact the security of account data or the CDE (for example, name resolution, or e-commerce (web) redirection servers).
Modified p. 19
Virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors.
Virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors.
Modified p. 19
Cloud infrastructure and components, both external and on premises, and including instantiations of containers or images, virtual private clouds, cloud-based identity and access management, CDEs residing on premises or in the cloud, service meshes with containerized applications, and container orchestration tools.
Cloud infrastructure and components, both external and on premises, and including instantiations of containers or images, virtual private clouds, cloud-based identity and access management, CDEs residing on premises or in the cloud, service meshes with containerized applications, and container orchestration tools.
Modified p. 19
Network components, including but not limited to network security controls, switches, routers, CDE network devices, wireless access points, network appliances, and other security appliances.
Network components, including but not limited to network security controls, switches, routers, CDE network devices, wireless access points, network appliances, and other security appliances.
Modified p. 19
Server types, including but not limited to web, application, database, authentication, mail, proxy, Network Time Protocol (NTP), and Domain Name System (DNS).
Server types, including but not limited to web, application, database, authentication, mail, proxy, Network Time Protocol (NTP), and Domain Name System (DNS).
Modified p. 19
End-user devices, such as computers, laptops, workstations, administrative workstations, tablets, and mobile devices.
End-user devices, such as computers, laptops, workstations, administrative workstations, tablets, and mobile devices.
Modified p. 19
Printers, and multi-function devices that scan, print, and fax.
Printers, and multi-function devices that scan, print, and fax.
Modified p. 19
Storage of account data in any format (for example, paper, data files, audio files, images, and video recordings).
Storage of account data in any format (for example, paper, data files, audio files, images, and video recordings).
Modified p. 19
Applications, software, and software components, serverless applications, including all purchased, subscribed (for example, Software-as-a-Service), bespoke and custom software, including internal and external (for example, Internet) applications.
Applications, software, and software components, serverless applications, including all purchased, subscribed (for example, Software-as-a-Service), bespoke and custom software, including internal and external (for example, Internet) applications.
Modified p. 19
Tools, code repositories, and systems that implement software configuration management or for deployment of objects to the CDE or to systems that can impact the CDE.
Tools, code repositories, and systems that implement software configuration management or for deployment of objects to the CDE or to systems that can impact the CDE.
Removed p. 21
Note: It is not required that four passing quarterly scans must be completed for initial PCI DSS compliance if the assessor verified:

− The most recent scan result was a passing scan,
− The entity has documented policies and procedures requiring quarterly scanning going forward, and
− Any vulnerabilities noted in the initial scan have been corrected as shown in a re-scan.

For subsequent years after the initial PCI DSS review, four passing quarterly scans must have occurred.
Modified p. 21
Date of the scan(s) Name of ASV that performed the scan Were any vulnerabilities found that resulted in a failed initial scan? For all scans resulting in a Fail, provide date(s) of re-scans showing that the vulnerabilities have been corrected Indicate whether this is the assessed entity’s initial PCI DSS compliance validation ☐ Yes ☐ No If yes, Identify the name of the document the assessor verified to include the entity’s documented policies and procedures requiring quarterly scanning going forward.
Date of the scan(s) Name of ASV that performed the scan Were any vulnerabilities found that resulted in a failed initial scan? For all scans resulting in a Fail, provide date(s) of re-scans showing that the vulnerabilities have been corrected Indicate whether this is the assessed entity’s initial PCI DSS assessment against the ASV scan requirements.
Modified p. 21
Attestations of scan compliance Scan must cover all externally accessible (Internet-facing) IP addresses in existence at the entity, in accordance with the PCI DSS Approved Scanning Vendors (ASV) Program Guide.
Attestations of Scan Compliance The scan must cover all externally accessible (Internet-facing) IP addresses in existence at the entity, in accordance with the PCI DSS Approved Scanning Vendors (ASV) Program Guide.
Modified p. 22
PCI DSS Requirement Expected Testing Response1F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 1.1 Processes and mechanisms for installing and maintaining network security controls are defined and understood.
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 1.1 Processes and mechanisms for installing and maintaining network security controls are defined and understood.
Modified p. 23
PCI DSS Requirement Expected Testing Response1F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 1.2.2 All changes to network connections and to configurations of NSCs are approved and managed in accordance with the change control process defined at Requirement 6.5.1.
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 1.2.2 All changes to network connections and to configurations of NSCs are approved and managed in accordance with the change control process defined at Requirement 6.5.1.
Modified p. 24
PCI DSS Requirement Expected Testing Response1F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 1.2.4 An accurate data-flow diagram(s) is maintained that meets the following:
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 1.2.4 An accurate data-flow diagram(s) is maintained that meets the following:
Modified p. 25
PCI DSS Requirement Expected Testing Response1F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 1.2.8 Configuration files for NSCs are:
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 1.2.8 Configuration files for NSCs are:
Modified p. 26
PCI DSS Requirement Expected Testing Response1F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 1.4.2 Inbound traffic from untrusted networks to trusted networks is restricted to:
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 1.4.2 Inbound traffic from untrusted networks to trusted networks is restricted to:
Modified p. 27
PCI DSS Requirement Expected Testing Response1F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 1.4.5 The disclosure of internal IP addresses and routing information is limited to only authorized parties.
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 1.4.5 The disclosure of internal IP addresses and routing information is limited to only authorized parties.
Modified p. 28
PCI DSS Requirement Expected Testing Response2F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 2.1 Processes and mechanisms for applying secure configurations to all system components are defined and understood.
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 2.1 Processes and mechanisms for applying secure configurations to all system components are defined and understood.
Modified p. 29
PCI DSS Requirement Expected Testing Response2F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 2.2.2 Vendor default accounts are managed as follows:
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 2.2.2 Vendor default accounts are managed as follows:
Modified p. 30
PCI DSS Requirement Expected Testing Response2F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 2.2.4 Only necessary services, protocols, daemons, and functions are enabled, and all unnecessary functionality is removed or disabled.
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 2.2.4 Only necessary services, protocols, daemons, and functions are enabled, and all unnecessary functionality is removed or disabled.
Modified p. 30
• Examine vendor documentation.
• Examine vendor documentation. Interview personnel.
Modified p. 31
PCI DSS Requirement Expected Testing Response2F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 2.3 Wireless environments are configured and managed securely.
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 2.3 Wireless environments are configured and managed securely.
Modified p. 31
• Examine wireless configuration settings.
• Examine wireless configuration settings. Interview personnel.
Modified p. 32
PCI DSS Requirement Expected Testing Response3F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 3.1 Processes and mechanisms for protecting stored account data are defined and understood.
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 3.1 Processes and mechanisms for protecting stored account data are defined and understood.
Modified p. 33
PCI DSS Requirement Expected Testing Response3F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 3.2 Storage of account data is kept to a minimum.
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 3.2 Storage of account data is kept to a minimum.
Modified p. 34
PCI DSS Requirement Expected Testing Response3F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place Applicability Notes (continued) Describe results as instructed in “Requirement Responses” (page v) Where account data is stored by a TPSP (for example, in a cloud environment), entities are responsible for working with their service providers to understand how the TPSP meets this requirement for the entity. Considerations include ensuring that all geographic instances of a …
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place Applicability Notes (continued) Describe results as instructed in “Requirement Responses” (page v) Where account data is stored by a TPSP (for example, in a cloud environment), entities are responsible for working with their service providers to understand how the TPSP meets this requirement for the entity. Considerations include ensuring that all geographic instances of …
Modified p. 34
Applicability Notes Describe results as instructed in “Requirement Responses” (page v) This requirement does not apply to issuers and companies that support issuing services (where SAD is needed for a legitimate issuing business need) and have a business justification to store the sensitive authentication data. Refer to Requirement 3.3.3 for additional requirements specifically for issuers.
Applicability Notes Describe results as instructed in “Requirement Responses” (page v) Issuers and companies that support issuing services, where there is a legitimate and documented business need to store SAD, are not required to meet this requirement. A legitimate business need is one that is necessary for the performance of the function being provided by or for the issuer. Refer to Requirement 3.3.3 for additional requirements specifically for these entities.
Removed p. 35
PCI DSS Requirement Expected Testing Response3F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 3.3.1.1 The full contents of any track are not retained upon completion of the authorization process.
Removed p. 36
This requirement does not apply to issuers and companies that support issuing services where there is a legitimate issuing business justification to store SAD).
Modified p. 36
PCI DSS Requirement Expected Testing Response3F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 3.3.2 SAD that is stored electronically prior to completion of authorization is encrypted using strong cryptography.
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 3.3.2 SAD that is stored electronically prior to completion of authorization is encrypted using strong cryptography.
Modified p. 36
Applicability Notes Describe results as instructed in “Requirement Responses” (page v) Whether SAD is permitted to be stored prior to authorization is determined by the organizations that manage compliance programs (for example, payment brands and acquirers). Contact the organizations of interest for any additional criteria.
Applicability Notes Describe results as instructed in “Requirement Responses” (page v) Whether SAD is permitted to be stored prior to authorization is determined by the organizations that manage compliance programs (for example, payment brands and acquirers). Contact these organizations for any additional criteria.
Modified p. 36
Refer to Requirement 3.3.3 for requirements specifically for issuers.
Refer to Requirement 3.3.3 for requirements specifically for these entities.
Modified p. 37
PCI DSS Requirement Expected Testing Response3F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 3.3.3 Additional requirement for issuers and companies that support issuing services and store sensitive authentication data: Any storage of sensitive authentication data is:
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 3.3.3 Additional requirement for issuers and companies that support issuing services and store sensitive authentication data: Any storage of sensitive authentication data is:
Modified p. 37
Applicability Notes Describe results as instructed in “Requirement Responses” (page v) This requirement applies only to issuers and companies that support issuing services and store sensitive authentication data. Entities that issue payment cards or that perform or support issuing services will often create and control sensitive authentication data as part of the issuing function. It is allowable for companies that perform, facilitate, or support issuing services to store sensitive authentication data ONLY IF they have a legitimate business need to …
Applicability Notes Describe results as instructed in “Requirement Responses” (page v) This requirement applies only to issuers and companies that support issuing services and store sensitive authentication data. Entities that issue payment cards or that perform or support issuing services will often create and control sensitive authentication data as part of the issuing function. It is allowable for companies that perform, facilitate, or support issuing services to store sensitive authentication data ONLY IF they have a legitimate business need to …
Modified p. 38
PCI DSS Requirement Expected Testing Response3F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 3.4 Access to displays of full PAN and ability to copy PAN is restricted.
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 3.4 Access to displays of full PAN and ability to copy PAN are restricted.
Modified p. 39
PCI DSS Requirement Expected Testing Response3F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 3.4.2 When using remote-access technologies, technical controls prevent copy and/or relocation of PAN for all personnel, except for those with documented, explicit authorization and a legitimate, defined business need.
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 3.4.2 When using remote-access technologies, technical controls prevent copy and/or relocation of PAN for all personnel, except for those with documented, explicit authorization and a legitimate, defined business need.
Removed p. 40
Applicability Notes Describe results as instructed in “Requirement Responses” (page v) It is a relatively trivial effort for a malicious individual to reconstruct original PAN data if they have access to both the truncated and hashed version of a PAN. This requirement applies to PANs stored in primary storage (databases, or flat files such as text files spreadsheets) as well as non-primary storage (backup, audit logs, exception, or troubleshooting logs) must all be protected.
Modified p. 40
PCI DSS Requirement Expected Testing Response3F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 3.5 Primary account number (PAN) is secured wherever it is stored.
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 3.5 Primary account number (PAN) is secured wherever it is stored.
Removed p. 41
This requirement does not preclude the use of temporary files containing cleartext PAN while encrypting and decrypting PAN.
Modified p. 41 → 40
Applicability Notes Describe results as instructed in “Requirement Responses” (page v) This requirement applies to PANs stored in primary storage (databases, or flat files such as text files spreadsheets) as well as non-primary storage (backup, audit logs, exception, or troubleshooting logs) must all be protected.
Applicability Notes Describe results as instructed in “Requirement Responses” (page v)
Modified p. 41
This requirement is considered a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.
This requirement is considered a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment. This requirement will replace the bullet in Requirement 3.5.1 for one-way hashes once its effective date is reached.
Modified p. 42
PCI DSS Requirement Expected Testing Response3F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 3.5.1.2 If disk-level or partition-level encryption (rather than file-, column-, or field-level database encryption) is used to render PAN unreadable, it is implemented only as follows:
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 3.5.1.2 If disk-level or partition-level encryption (rather than file-, column-, or field-level database encryption) is used to render PAN unreadable, it is implemented only as follows:
Modified p. 42
Applicability Notes Describe results as instructed in “Requirement Responses” (page v) While disk encryption may still be present on these types of devices, it cannot be the only mechanism used to protect PAN stored on those systems. Any stored PAN must also be rendered unreadable per Requirement 3.5.1—for example, through truncation or a data-level encryption mechanism. Full disk encryption helps to protect data in the event of physical loss of a disk and therefore its use is appropriate only for …
While disk or partition encryption may still be present on these types of devices, it cannot be the only mechanism used to protect PAN stored on those systems. Any stored PAN must also be rendered unreadable per Requirement 3.5.1—for example, through truncation or a data-level encryption mechanism. Full disk encryption helps to protect data in the event of physical loss of a disk and therefore its use is appropriate only for removable electronic media storage devices.
Modified p. 42
Media that is part of a data center architecture (for example, hot-swappable drives, bulk tape-backups) is considered non-removable electronic media to which Requirement 3.5.1 applies. Disk or partition encryption implementations must also meet all other PCI DSS encryption and key-management requirements.
Media that is part of a data center architecture (for example, hot-swappable drives, bulk tape-backups) is considered non-removable electronic media to which Requirement 3.5.1 applies. Disk or partition encryption implementations must also meet all other PCI DSS encryption and key-management requirements. For issuers and companies that support issuing services: This requirement does not apply to PANs being accessed for real-time transaction processing. However, it does apply to PANs stored for other purposes.
Modified p. 43
PCI DSS Requirement Expected Testing Response3F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 3.5.1.3 If disk-level or partition-level encryption is used (rather than file-, column-, or field-level database encryption) to render PAN unreadable, it is managed as follows:
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 3.5.1.3 If disk-level or partition-level encryption is used (rather than file-, column-, or field-level database encryption) to render PAN unreadable, it is managed as follows:
Modified p. 44
PCI DSS Requirement Expected Testing Response3F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 3.6 Cryptographic keys used to protect stored account data are secured.
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 3.6 Cryptographic keys used to protect stored account data are secured.
Modified p. 44
Applicability Notes Describe results as instructed in “Requirement Responses” (page v) This requirement applies to keys used to encrypt stored account data and to key-encrypting keys used to protect data-encrypting keys.
Applicability Notes Describe results as instructed in “Requirement Responses” (page v) This requirement applies to keys used to protect stored account data and to key-encrypting keys used to protect data-encrypting keys.
Modified p. 45
PCI DSS Requirement Expected Testing Response3F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 3.6.1.1 Additional requirement for service providers only: A documented description of the cryptographic architecture is maintained that includes:
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 3.6.1.1 Additional requirement for service providers only: A documented description of the cryptographic architecture is maintained that includes:
Modified p. 45
• Inventory of any hardware security modules (HSMs), key-management systems (KMS), and other secure cryptographic devices (SCDs) used for key management, including type and location of devices, as outlined in Requirement 12.3.3.
• Inventory of any hardware security modules (HSMs), key-management systems (KMS), and other secure cryptographic devices (SCDs) used for key management, including type and location of devices, to support meeting Requirement 12.3.4.
Modified p. 46
PCI DSS Requirement Expected Testing Response3F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 3.6.1.2 Secret and private keys used to encrypt/decrypt stored account data are stored in one (or more) of the following forms at all times:
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 3.6.1.2 Secret and private keys used to protect stored account data are stored in one (or more) of the following forms at all times:
Modified p. 47
PCI DSS Requirement Expected Testing Response3F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 3.7 Where cryptography is used to protect stored account data, key-management processes and procedures covering all aspects of the key lifecycle are defined and implemented.
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 3.7 Where cryptography is used to protect stored account data, key-management processes and procedures covering all aspects of the key lifecycle are defined and implemented.
Modified p. 48
PCI DSS Requirement Expected Testing Response3F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 3.7.5 Key-management policies procedures are implemented to include the retirement, replacement, or destruction of keys used to protect stored account data, as deemed necessary when:
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 3.7.5 Key-management policies procedures are implemented to include the retirement, replacement, or destruction of keys used to protect stored account data, as deemed necessary when:
Modified p. 49
PCI DSS Requirement Expected Testing Response3F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 3.7.6 Where manual cleartext cryptographic key-management operations are performed by personnel, key-management policies and procedures are implemented include managing these operations using split knowledge and dual control.
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 3.7.6 Where manual cleartext cryptographic key-management operations are performed by personnel, key-management policies and procedures are implemented including managing these operations using split knowledge and dual control.
Modified p. 49
Applicability Notes Describe results as instructed in “Requirement Responses” (page v) This control is applicable for manual key-management operations or where key management is not controlled by the encryption product.
Applicability Notes Describe results as instructed in “Requirement Responses” (page v) This control is applicable for manual key-management operations.
Modified p. 50
PCI DSS Requirement Expected Testing Response3F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 3.7.9 Additional requirement for service providers only:
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 3.7.9 Additional requirement for service providers only:
Modified p. 51
Requirement 4: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public
Requirement 4: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks
Modified p. 51
PCI DSS Requirement Expected Testing Response4F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 4.1 Processes and mechanisms for protecting cardholder data with strong cryptography during transmission over open, public networks are defined and documented.
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 4.1 Processes and mechanisms for protecting cardholder data with strong cryptography during transmission over open, public networks are defined and understood.
Modified p. 51
• Interview responsible personnel Describe results as instructed in “Requirement Responses” (page v) Refer to the “Requirement Responses” section (page v) for information about these response options.
• Interview responsible personnel Describe results as instructed in “Requirement Responses” (page v) Refer to the “Requirement Responses” section (page v) for information about these response options.
Removed p. 52
Applicability Notes Describe results as instructed in “Requirement Responses” (page v) There could be occurrences where an entity receives cardholder data unsolicited via an insecure communication channel that was not intended for the purpose of receiving sensitive data. In this situation, the entity can choose to either include the channel in the scope of their CDE and secure it according to PCI DSS or implement measures to prevent the channel from being used for cardholder data.
Modified p. 52
PCI DSS Requirement Expected Testing Response4F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 4.2 PAN is protected with strong cryptography during transmission.
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 4.2 PAN is protected with strong cryptography during transmission.
Modified p. 52
A self-signed certificate may also be acceptable if the certificate is issued by an internal CA within the organization, the certificate’s author is confirmed, and the certificate is verified—for example, via hash or signature—and has not expired. Note that self-signed certificates where the Distinguished Name (DN) field in the “issued by” and “issued to” field is the same are not acceptable.
Applicability Notes Describe results as instructed in “Requirement Responses” (page v) A self-signed certificate may also be acceptable if the certificate is issued by an internal CA within the organization, the certificate’s author is confirmed, and the certificate is verified—for example, via hash or signature—and has not expired.
Modified p. 53 → 52
Applicability Notes Describe results as instructed in “Requirement Responses” (page v) This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.
Applicability Notes Describe results as instructed in “Requirement Responses” (page v)
Modified p. 54
PCI DSS Requirement Expected Testing Response5F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 5.1 Processes and mechanisms for protecting all systems and networks from malicious software are defined and understood.
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 5.1 Processes and mechanisms for protecting all systems and networks from malicious software are defined and understood.
Modified p. 55
PCI DSS Requirement Expected Testing Response5F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 5.2.3 Any system components that are not at risk for malware are evaluated periodically to include the following:
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 5.2.3 Any system components that are not at risk for malware are evaluated periodically to include the following:
Modified p. 56
PCI DSS Requirement Expected Testing Response5F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 5.3.2 The anti-malware solution(s):
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 5.3.2 The anti-malware solution(s):
Modified p. 57
PCI DSS Requirement Expected Testing Response5F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 5.3.5 Anti-malware mechanisms cannot be disabled or altered by users, unless specifically documented, and authorized by management on a case-by-case basis for a limited time period.
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 5.3.5 Anti-malware mechanisms cannot be disabled or altered by users, unless specifically documented, and authorized by management on a case-by-case basis for a limited time period.
Modified p. 57
Applicability Notes Describe results as instructed in “Requirement Responses” (page v) This requirement applies to the automated mechanism. It is not intended that the systems and services providing such automated mechanisms (such as e-mail servers) are brought into scope for PCI DSS. The focus of this requirement is on protecting personnel with access to system components in-scope for PCI DSS. Meeting this requirement for technical and automated controls to detect and protect personnel against phishing is not the same as …
Applicability Notes Describe results as instructed in “Requirement Responses” (page v) The focus of this requirement is on protecting personnel with access to system components in-scope for PCI DSS. Meeting this requirement for technical and automated controls to detect and protect personnel against phishing is not the same as Requirement 12.6.3.1 for security awareness training. Meeting this requirement does not also meet the requirement for providing personnel with security awareness training, and vice versa.
Modified p. 58
PCI DSS Requirement Expected Testing Response6F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 6.1 Processes and mechanisms for developing and maintaining secure systems and software are defined and understood.
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 6.1 Processes and mechanisms for developing and maintaining secure systems and software are defined and understood.
Modified p. 59
PCI DSS Requirement Expected Testing Response6F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 6.2.2 Software development personnel working on bespoke and custom software are trained at least once every 12 months as follows:
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 6.2.2 Software development personnel working on bespoke and custom software are trained at least once every 12 months as follows:
Modified p. 59
Applicability Notes Describe results as instructed in “Requirement Responses” (page v) This requirement for code reviews applies to all bespoke and custom software (both internal and public-facing), as part of the system development lifecycle. Public-facing web applications are also subject to additional controls, to address ongoing threats and vulnerabilities after implementation, as defined at PCI DSS Requirement 6.4.
Applicability Notes Describe results as instructed in “Requirement Responses” (page v) This requirement for code reviews applies to all bespoke and custom software (both internal and public facing), as part of the system development lifecycle. Public-facing web applications are also subject to additional controls, to address ongoing threats and vulnerabilities after implementation, as defined at PCI DSS Requirement 6.4.
Modified p. 60
PCI DSS Requirement Expected Testing Response6F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place If manual code reviews are performed for bespoke and custom software prior to release to production, code changes are:
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place If manual code reviews are performed for bespoke and custom software prior to release to production, code changes are:
Modified p. 61
PCI DSS Requirement Expected Testing Response6F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 6.2.4 (cont.)
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 6.2.4 (cont.)
Modified p. 62
PCI DSS Requirement Expected Testing Response6F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 6.3 Security vulnerabilities are identified and addressed.
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 6.3 Security vulnerabilities are identified and addressed.
Modified p. 62
Applicability Notes Describe results as instructed in “Requirement Responses” (page v) This requirement is not achieved by, nor is it the same as, vulnerability scans performed for Requirements 11.3.1 and 11.3.2. This requirement is for a process to actively monitor industry sources for vulnerability information and for the entity to determine the risk ranking to be associated with each vulnerability.
Applicability Notes Describe results as instructed in “Requirement Responses” (page v) This requirement is not achieved by, and is in addition to, performing vulnerability scans according to Requirements 11.3.1 and 11.3.2. This requirement is for a process to actively monitor industry sources for vulnerability information and for the entity to determine the risk ranking to be associated with each vulnerability.
Modified p. 63
PCI DSS Requirement Expected Testing Response6F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 6.3.3 All system components are protected from known vulnerabilities by installing applicable security patches/updates as follows:
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 6.3.3 All system components are protected from known vulnerabilities by installing applicable security patches/updates as follows:
Modified p. 63
Critical or high-security patches/updates (identified according to the risk ranking process at Requirement 6.3.1) are installed within one month of release.
Patches/updates for critical vulnerabilities (identified according to the risk ranking process at Requirement 6.3.1) are installed within one month of release.
Modified p. 63
• All other applicable security patches/updates are installed within an appropriate time frame as determined by the entity (for example, within three months of release).
• All other applicable security patches/updates are installed within an appropriate time frame as determined by the entity’s assessment of the criticality of the risk to the environment as identified according to the risk ranking process at Requirement 6.3.1
Modified p. 63
• The application is re-evaluated after the corrections OR
• The application is re-evaluated after the corrections. OR
Modified p. 64
PCI DSS Requirement Expected Testing Response6F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 6.4.1 (cont.) (continued)

• Installing an automated technical solution(s) that continually detects and prevents web-based attacks as follows:
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 6.4.1 (cont.) (continued)

• Installing an automated technical solution(s) that continually detects and prevents web-based attacks as follows:
Modified p. 64 → 65
Applicability Notes (continued) Describe results as instructed in “Requirement Responses” (page v) (continued)
Applicability Notes (continued) Describe results as instructed in “Requirement Responses” (page v) (continued) This new requirement will replace Requirement 6.4.1 once its effective date is reached.
Removed p. 65
PCI DSS Requirement Expected Testing Response6F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 6.4.2 (cont.) This new requirement will replace Requirement 6.4.1 once its effective date is reached.
Modified p. 65 → 66
• An inventory of all scripts is maintained with written justification as to why each is necessary.
• An inventory of all scripts is maintained with written business or technical justification as to why each is necessary.
Modified p. 66 → 67
PCI DSS Requirement Expected Testing Response6F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 6.5 Changes to all system components are managed securely.
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 6.5 Changes to all system components are managed securely.
Modified p. 67 → 68
PCI DSS Requirement Expected Testing Response6F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 6.5.4 Roles and functions are separated between production and pre-production environments to provide accountability such that only reviewed and approved changes are deployed.
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 6.5.4 Roles and functions are separated between production and pre-production environments to provide accountability such that only reviewed and approved changes are deployed.
Modified p. 68 → 69
PCI DSS Requirement Expected Testing Response7F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 7.1 Processes and mechanisms for restricting access to system components and cardholder data by business need to know are defined and understood.
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 7.1 Processes and mechanisms for restricting access to system components and cardholder data by business need to know are defined and understood.
Modified p. 69 → 70
PCI DSS Requirement Expected Testing Response7F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 7.2.2 Access is assigned to users, including privileged users, based on:
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 7.2.2 Access is assigned to users, including privileged users, based on:
Modified p. 70 → 71
PCI DSS Requirement Expected Testing Response7F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 7.2.5 All application and system accounts and related access privileges are assigned and managed as follows:
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 7.2.5 All application and system accounts and related access privileges are assigned and managed as follows:
Modified p. 71 → 72
PCI DSS Requirement Expected Testing Response7F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 7.2.6 All user access to query repositories of stored cardholder data is restricted as follows:
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 7.2.6 All user access to query repositories of stored cardholder data is restricted as follows:
Modified p. 72 → 73
PCI DSS Requirement Expected Testing Response8F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 8.1 Processes and mechanisms for identifying users and authenticating access to system components are defined and understood.
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 8.1 Processes and mechanisms for identifying users and authenticating access to system components are defined and understood.
Modified p. 73 → 74
PCI DSS Requirement Expected Testing Response8F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 8.2.2 Group, shared, or generic accounts, or other shared authentication credentials are only used when necessary on an exception basis, and are managed as follows:
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 8.2.2 Group, shared, or generic IDs, or other shared authentication credentials are only used when necessary on an exception basis, and are managed as follows:
Modified p. 73 → 74
Account use is prevented unless needed for an exceptional circumstance.
ID use is prevented unless needed for an exceptional circumstance.
Modified p. 74 → 75
PCI DSS Requirement Expected Testing Response8F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 8.2.4 Addition, deletion, and modification of user IDs, authentication factors, and other identifier objects are managed as follows:
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 8.2.4 Addition, deletion, and modification of user IDs, authentication factors, and other identifier objects are managed as follows:
Modified p. 75 → 76
PCI DSS Requirement Expected Testing Response8F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 8.2.8 If a user session has been idle for more than 15 minutes, the user is required to re-authenticate to re-activate the terminal or session.
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 8.2.8 If a user session has been idle for more than 15 minutes, the user is required to re-authenticate to re-activate the terminal or session.
Modified p. 75 → 76
Applicability Notes Describe results as instructed in “Requirement Responses” (page v) This requirement is not intended to apply to user accounts on point-of-sale terminals that have access to only one card number at a time to facilitate a single transaction (such as IDs used by cashiers on point-of-sale terminals).
Applicability Notes Describe results as instructed in “Requirement Responses” (page v) This requirement is not intended to apply to user accounts on point-of-sale terminals that have access to only one card number at a time to facilitate a single transaction.
Modified p. 75 → 76
Applicability Notes Describe results as instructed in “Requirement Responses” (page v) This requirement is not intended to apply to user accounts on point-of-sale terminals that have access to only one card number at a time to facilitate a single transaction (such as IDs used by cashiers on point-of-sale terminals).
Applicability Notes Describe results as instructed in “Requirement Responses” (page v) This requirement is not intended to apply to user accounts on point-of-sale terminals that have access to only one card number at a time to facilitate a single transaction.
Modified p. 76 → 77
PCI DSS Requirement Expected Testing Response8F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 8.3.2 Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components.
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 8.3.2 Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components.
Modified p. 77 → 78
PCI DSS Requirement Expected Testing Response8F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 8.3.6 If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they meet the following minimum level of complexity:
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 8.3.6 If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they meet the following minimum level of complexity:
Modified p. 77 → 78
• User accounts on point-of-sale terminals that have access to only one card number at a time to facilitate a single transaction (such as IDs used by cashiers on point-of-sale terminals).
• User accounts on point-of-sale terminals that have access to only one card number at a time to facilitate a single transaction.
Modified p. 78 → 79
PCI DSS Requirement Expected Testing Response8F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 8.3.8 Authentication policies and procedures are documented and communicated to all users including:
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 8.3.8 Authentication policies and procedures are documented and communicated to all users including:
Modified p. 78 → 79
Applicability Notes Describe results as instructed in “Requirement Responses” (page v) This requirement applies to in-scope system components that are not in the CDE because these components are not subject to MFA requirements. This requirement is not intended to apply to user accounts on point-of-sale terminals that have access to only one card number at a time to facilitate a single transaction (such as IDs used by cashiers on point-of-sale terminals).
Applicability Notes Describe results as instructed in “Requirement Responses” (page v) This requirement does not apply to in-scope system components where MFA is used. This requirement is not intended to apply to user accounts on point-of-sale terminals that have access to only one card number at a time to facilitate a single transaction.
Modified p. 79 → 80
PCI DSS Requirement Expected Testing Response8F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 8.3.10 Additional requirement for service providers only:
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 8.3.10 Additional requirement for service providers only:
Modified p. 80 → 81
PCI DSS Requirement Expected Testing Response8F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 8.3.10.1 Additional requirement for service providers only:
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 8.3.10.1 Additional requirement for service providers only:
Removed p. 81
MFA is considered a best practice for non-console administrative access to in-scope system components that are not part of the CDE.
Modified p. 81 → 82
PCI DSS Requirement Expected Testing Response8F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 8.4 Multi-factor authentication (MFA) is implemented to secure access into the CDE.
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 8.4 Multi-factor authentication (MFA) is implemented to secure access into the CDE.
Modified p. 82 → 83
PCI DSS Requirement Expected Testing Response8F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 8.4.2 MFA is implemented for all access into the CDE.
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 8.4.2 MFA is implemented for all non-console access into the CDE.
Modified p. 82 → 83
• User accounts on point-of-sale terminals that have access to only one card number at a time to facilitate a single transaction (such as IDs used by cashiers on point-of-sale terminals).
• User accounts on point-of-sale terminals that have access to only one card number at a time to facilitate a single transaction.
Modified p. 82 → 83
MFA is required for both types of access specified in Requirements 8.4.2 and 8.4.3. Therefore, applying MFA to one type of access does not replace the need to apply another instance of MFA to the other type of access. If an individual first connects to the entity’s network via remote access, and then later initiates a connection into the CDE from within the network, per this requirement the individual would authenticate using MFA twice, once when connecting via remote access …
MFA is required for both types of access specified in Requirements 8.4.2 and 8.4.3. Therefore, applying MFA to one type of access does not replace the need to apply another instance of MFA to the other type of access. If an individual first connects to the entity’s network via remote access, and then later initiates a connection into the CDE from within the network, per this requirement the individual would authenticate using MFA twice, once when connecting via remote access …
Modified p. 82 → 83
MFA for remote access into the CDE can be implemented at the network or system/application level; it does not have to be applied at both levels. For example, if MFA is used when a user connects to the CDE network, it does not have to be used when the user logs into each system or application within the CDE.
MFA for access into the CDE can be implemented at the network or system/application level; it does not have to be applied at both levels. For example, if MFA is used when a user connects to the CDE network, it does not have to be used when the user logs into each system or application within the CDE.
Removed p. 83
• All remote access by all personnel, both users and administrators, originating from outside the entity’s network.

• All remote access by third parties and vendors.
Modified p. 83 → 84
PCI DSS Requirement Expected Testing Response8F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 8.4.3 MFA is implemented for all remote network access originating from outside the entity’s network that could access or impact the CDE as follows:
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 8.4.3 MFA is implemented for all remote access originating from outside the entity’s network that could access or impact the CDE.
Modified p. 83 → 84
• Observe personnel (for example, users and administrators) connecting remotely to the network.
• Observe personnel (for example, users and administrators) and third parties connecting remotely to the network.
Modified p. 83 → 84
Applicability Notes Describe results as instructed in “Requirement Responses” (page v) The requirement for MFA for remote access originating from outside the entity’s network applies to all user accounts that can access the network remotely, where that remote access leads to or could lead to access into the CDE.
Applicability Notes Describe results as instructed in “Requirement Responses” (page v) The requirement for MFA for remote access originating from outside the entity’s network applies to all user accounts that can access the network remotely, where that remote access leads to or could lead to access into the CDE. This includes all remote access by personnel (users and administrators), and third parties (including, but not limited to, vendors, suppliers, service providers, and customers).
Modified p. 84 → 85
PCI DSS Requirement Expected Testing Response8F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 8.5 Multi-factor authentication (MFA) systems are configured to prevent misuse.
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 8.5 Multi-factor authentication (MFA) systems are configured to prevent misuse.
Modified p. 85 → 86
PCI DSS Requirement Expected Testing Response8F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 8.6 Use of application and system accounts and associated authentication factors is strictly managed.
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 8.6 Use of application and system accounts and associated authentication factors is strictly managed.
Modified p. 85 → 86
• Examine application and system accounts that can be used interactively.
• Examine application and system accounts that can be used for interactive login.
Modified p. 86 → 87
PCI DSS Requirement Expected Testing Response8F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 8.6.2 Passwords/passphrases for any application and system accounts that can be used for interactive login are not hard coded in scripts, configuration/property files, or bespoke and custom source code.
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 8.6.2 Passwords/passphrases for any application and system accounts that can be used for interactive login are not hard coded in scripts, configuration/property files, or bespoke and custom source code.
Modified p. 87 → 88
PCI DSS Requirement Expected Testing Response9F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 9.1 Processes and mechanisms for restricting physical access to cardholder data are defined and understood.
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 9.1 Processes and mechanisms for restricting physical access to cardholder data are defined and understood.
Modified p. 87 → 88
Describe results as instructed in “Requirement Responses” (page v) Refer to the “Requirement Responses” section (page v) for information about these response options.
Describe results as instructed in “Requirement Responses” (page v) Applicability Notes This requirement does not apply to locations that are publicly accessible by consumers (cardholders).
Modified p. 88 → 89
PCI DSS Requirement Expected Testing Response9F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 9.2.1.1 Individual physical access to sensitive areas within the CDE is monitored with either video cameras or physical access control mechanisms (or both) as follows:
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 9.2.1.1 Individual physical access to sensitive areas within the CDE is monitored with either video cameras or physical access control mechanisms (or both) as follows:
Modified p. 89 → 90
PCI DSS Requirement Expected Testing Response9F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 9.3 Physical access for personnel and visitors is authorized and managed.
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 9.3 Physical access for personnel and visitors is authorized and managed.
Modified p. 90 → 91
PCI DSS Requirement Expected Testing Response9F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 9.3.4 A visitor log is used to maintain a physical record of visitor activity within the facility and within sensitive areas, including:
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 9.3.4 Visitor logs are used to maintain a physical record of visitor activity both within the facility and within sensitive areas, including:
Modified p. 90 → 91
• Examine the visitor log.
• Examine the visitor logs.
Modified p. 91 → 92
PCI DSS Requirement Expected Testing Response9F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 9.4.3 Media with cardholder data sent outside the facility is secured as follows:
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 9.4.3 Media with cardholder data sent outside the facility is secured as follows:
Modified p. 92 → 93
PCI DSS Requirement Expected Testing Response9F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 9.4.6 Hard-copy materials with cardholder data are destroyed when no longer needed for business or legal reasons, as follows:
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 9.4.6 Hard-copy materials with cardholder data are destroyed when no longer needed for business or legal reasons, as follows:
Modified p. 92 → 93
• Examine the periodic media destruction policy.
• Examine the media destruction policy.
Modified p. 92 → 93
• Examine the periodic media destruction policy.
• Examine the media destruction policy.
Removed p. 93
This requirement is recommended, but not required, for manual PAN key-entry components such as computer keyboards.
Modified p. 93 → 94
PCI DSS Requirement Expected Testing Response9F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 9.5 Point-of-interaction (POI) devices are protected from tampering and unauthorized substitution.
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 9.5 Point-of-interaction (POI) devices are protected from tampering and unauthorized substitution.
Modified p. 93 → 94
Applicability Notes Describe results as instructed in “Requirement Responses” (page v) These requirements apply to deployed POI devices used in card-present transactions (that is, a payment card form factor such as a card that is swiped, tapped, or dipped). This requirement is not intended to apply to manual PAN key-entry components such as computer keyboards.
Applicability Notes Describe results as instructed in “Requirement Responses” (page v) These requirements apply to deployed POI devices used in card-present transactions (that is, a payment card form factor such as a card that is swiped, tapped, or dipped). These requirements do not apply to:
Modified p. 93 → 94
This requirement does not apply to commercial off-the-shelf (COTS) devices (for example, smartphones or tablets), which are mobile merchant-owned devices designed for mass-market distribution.
• Commercial off-the-shelf (COTS) devices (for example, smartphones or tablets), which are mobile merchant-owned devices designed for mass-market distribution.
Modified p. 93 → 94
Describe results as instructed in “Requirement Responses” (page v)
Describe results as instructed in “Requirement Responses” (page v) 9.5.1.2 POI device surfaces are periodically inspected to detect tampering and unauthorized substitution.
Removed p. 94
PCI DSS Requirement Expected Testing Response9F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 9.5.1.2 POI device surfaces are periodically inspected to detect tampering and unauthorized substitution.
Modified p. 94 → 95
Describe results as instructed in “Requirement Responses” (page v) 9.5.1.2.1 The frequency of periodic POI device inspections and the type of inspections performed is defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1.
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 9.5.1.2.1 The frequency of periodic POI device inspections and the type of inspections performed is defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1.
Modified p. 95 → 96
PCI DSS Requirement Expected Testing Response10F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 10.1 Processes and mechanisms for logging and monitoring all access to system components and cardholder data are defined and documented.
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 10.1 Processes and mechanisms for logging and monitoring all access to system components and cardholder data are defined and understood.
Modified p. 96 → 97
PCI DSS Requirement Expected Testing Response10F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 10.2.1.2 Audit logs capture all actions taken by any individual with administrative access, including any interactive use of application or system accounts.
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 10.2.1.2 Audit logs capture all actions taken by any individual with administrative access, including any interactive use of application or system accounts.
Modified p. 97 → 98
PCI DSS Requirement Expected Testing Response10F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 10.2.2 Audit logs record the following details for each auditable event:
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 10.2.2 Audit logs record the following details for each auditable event:
Modified p. 98 → 99
PCI DSS Requirement Expected Testing Response10F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 10.4 Audit logs are reviewed to identify anomalies or suspicious activity.
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 10.4 Audit logs are reviewed to identify anomalies or suspicious activity.
Modified p. 99 → 100
PCI DSS Requirement Expected Testing Response10F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 10.4.2.1 The frequency of periodic log reviews for all other system components (not defined in Requirement 10.4.1) is defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1.
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 10.4.2.1 The frequency of periodic log reviews for all other system components (not defined in Requirement 10.4.1) is defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1.
Modified p. 100 → 101
PCI DSS Requirement Expected Testing Response10F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 10.6.2 Systems are configured to the correct and consistent time as follows:
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 10.6.2 Systems are configured to the correct and consistent time as follows:
Modified p. 101 → 102
PCI DSS Requirement Expected Testing Response10F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 10.7 Failures of critical security control systems are detected, reported, and responded to promptly.
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 10.7 Failures of critical security control systems are detected, reported, and responded to promptly.
Modified p. 102 → 103
PCI DSS Requirement Expected Testing Response10F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 10.7.2 Failures of critical security control systems are detected, alerted, and addressed promptly, including but not limited to failure of the following critical security control systems:
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 10.7.2 Failures of critical security control systems are detected, alerted, and addressed promptly, including but not limited to failure of the following critical security control systems:
Modified p. 103 → 104
PCI DSS Requirement Expected Testing Response10F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 10.7.3 Failures of any critical security controls systems are responded to promptly, including but not limited to:
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 10.7.3 Failures of any critical security control systems are responded to promptly, including but not limited to:
Modified p. 104 → 105
PCI DSS Requirement Expected Testing Response1F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 11.1 Processes and mechanisms for regularly testing security of systems and networks are defined and understood.
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 11.1 Processes and mechanisms for regularly testing security of systems and networks are defined and understood.
Modified p. 105 → 106
PCI DSS Requirement Expected Testing Response1F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 11.2 Wireless access points are identified and monitored, and unauthorized wireless access points are addressed.
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 11.2 Wireless access points are identified and monitored, and unauthorized wireless access points are addressed.
Modified p. 105 → 106
Applicability Notes Describe results as instructed in “Requirement Responses” (page v) The requirement applies even when a policy exists that prohibits the use of wireless technology since attackers do not read and follow company policy.
Applicability Notes Describe results as instructed in “Requirement Responses” (page v) The requirement applies even when a policy exists that prohibits the use of wireless technology.
Modified p. 106 → 107
PCI DSS Requirement Expected Testing Response1F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 11.3 External and internal vulnerabilities are regularly identified, prioritized, and addressed.
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 11.3 External and internal vulnerabilities are regularly identified, prioritized, and addressed.
Modified p. 106 → 107
High-risk and critical vulnerabilities (per the entity’s vulnerability risk rankings defined at Requirement 6.3.1) are resolved.
Vulnerabilities that are either high-risk or critical (according to the entity’s vulnerability risk rankings defined at Requirement 6.3.1) are resolved.
Modified p. 106 → 107
• Rescans are performed that confirm all high-risk and critical vulnerabilities (as noted above) have been resolved.
• Rescans are performed that confirm all high-risk and all critical vulnerabilities (as noted above) have been resolved.
Modified p. 107 → 108
PCI DSS Requirement Expected Testing Response1F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 11.3.1.1 All other applicable vulnerabilities (those not ranked as high-risk or critical (per the entity’s vulnerability risk rankings defined at Requirement 6.3.1) are managed as follows:
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 11.3.1.1 All other applicable vulnerabilities (those not ranked as high-risk vulnerabilities or critical vulnerabilities according to the entity’s vulnerability risk rankings defined at Requirement 6.3.1) are managed as follows:
Modified p. 108 → 109
High-risk and critical vulnerabilities (per the entity’s vulnerability risk rankings defined at Requirement 6.3.1) are resolved.
Vulnerabilities that are either high-risk or critical (according to the entity’s vulnerability risk rankings defined at Requirement 6.3.1) are resolved.
Modified p. 108 → 109
PCI DSS Requirement Expected Testing Response1F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 11.3.1.2 Internal vulnerability scans are performed via authenticated scanning as follows:
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 11.3.1.2 Internal vulnerability scans are performed via authenticated scanning as follows:
Modified p. 109 → 110
PCI DSS Requirement Expected Testing Response1F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 11.3.2 External vulnerability scans are performed as follows:
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 11.3.2 External vulnerability scans are performed as follows:
Modified p. 109 → 110
Applicability Notes Describe results as instructed in “Requirement Responses” (page v) For initial PCI DSS compliance, it is not required that four passing scans be completed within 12 months if the assessor verifies: 1) the most recent scan result was a passing scan, 2) the entity has documented policies and procedures requiring scanning at least once every three months, and 3) vulnerabilities noted in the scan results have been corrected as shown in a re-scan(s).
Applicability Notes Describe results as instructed in “Requirement Responses” (page v) For the initial PCI DSS assessment against this requirement, it is not required that four passing scans be completed within 12 months if the assessor verifies: 1) the most recent scan result was a passing scan, 2) the entity has documented policies and procedures requiring scanning at least once every three months, and 3) vulnerabilities noted in the scan results have been corrected as shown in a re-scan(s).
Modified p. 110 → 111
PCI DSS Requirement Expected Testing Response1F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 11.4 External and internal penetration testing is regularly performed, and exploitable vulnerabilities and security weaknesses are corrected.
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 11.4 External and internal penetration testing is regularly performed, and exploitable vulnerabilities and security weaknesses are corrected.
Modified p. 111 → 112
PCI DSS Requirement Expected Testing Response1F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 11.4.1 (cont.) Testing from inside the network (or “internal penetration testing”) means testing from both inside the CDE and into the CDE from trusted and untrusted internal networks.
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 11.4.1 (cont.) Testing from inside the network (or “internal penetration testing”) means testing from both inside the CDE and into the CDE from trusted and untrusted internal networks.
Modified p. 112 → 113
PCI DSS Requirement Expected Testing Response1F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 11.4.5 If segmentation is used to isolate the CDE from other networks, penetration tests are performed on segmentation controls as follows:
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 11.4.5 If segmentation is used to isolate the CDE from other networks, penetration tests are performed on segmentation controls as follows:
Modified p. 113 → 114
PCI DSS Requirement Expected Testing Response1F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 11.4.6 Additional requirement for service providers only: If segmentation is used to isolate the CDE from other networks, penetration tests are performed on segmentation controls as follows:
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 11.4.6 Additional requirement for service providers only: If segmentation is used to isolate the CDE from other networks, penetration tests are performed on segmentation controls as follows:
Modified p. 114 → 115
PCI DSS Requirement Expected Testing Response1F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 11.4.7 Additional requirement for multi-tenant service providers only:
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 11.4.7 Additional requirement for multi-tenant service providers only:
Modified p. 115 → 116
PCI DSS Requirement Expected Testing Response1F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 11.5 Network intrusions and unexpected file changes are detected and responded to.
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 11.5 Network intrusions and unexpected file changes are detected and responded to.
Modified p. 116 → 117
PCI DSS Requirement Expected Testing Response1F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 11.5.2 A change-detection mechanism (for example, file integrity monitoring tools) is deployed as follows:
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 11.5.2 A change-detection mechanism (for example, file integrity monitoring tools) is deployed as follows:
Modified p. 117 → 118
PCI DSS Requirement Expected Testing Response1F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 11.6 Unauthorized changes on payment pages are detected and responded to.
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 11.6 Unauthorized changes on payment pages are detected and responded to.
Modified p. 117 → 118
• To alert personnel to unauthorized modification (including indicators of compromise, changes, additions, and deletions) to the HTTP headers and the contents of payment pages as received by the consumer browser.
• To alert personnel to unauthorized modification (including indicators of compromise, changes, additions, and deletions) to the security-impacting HTTP headers and the script contents of payment pages as received by the consumer browser.
Modified p. 117 → 118
• The mechanism is configured to evaluate the received HTTP header and payment page.
• The mechanism is configured to evaluate the received HTTP headers and payment pages.
Modified p. 117 → 118
• At least once every seven days, OR
• At least once weekly, OR
Modified p. 117 → 119
Applicability Notes Describe results as instructed in “Requirement Responses” (page v) The intention of this requirement is not that an entity installs software in the systems or browsers of its consumers, but rather that the entity uses techniques such as those described under Examples in the PCI DSS Guidance column to prevent and detect unexpected script activities.
The intention of this requirement is not that an entity installs software in the systems or browsers of its consumers, but rather that the entity uses techniques such as those described under Examples in the PCI DSS Guidance column to prevent and detect unexpected script activities.
Modified p. 118 → 120
PCI DSS Requirement Expected Testing Response12F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 12.1 A comprehensive information security policy that governs and provides direction for protection of the entity’s information assets is known and current.
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 12.1 A comprehensive information security policy that governs and provides direction for protection of the entity’s information assets is known and current.
Modified p. 119 → 121
PCI DSS Requirement Expected Testing Response12F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 12.2 Acceptable use policies for end-user technologies are defined and implemented.
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 12.2 Acceptable use policies for end-user technologies are defined and implemented.
Removed p. 120
PCI DSS Requirement Expected Testing Response12F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 12.3 Risks to the cardholder data environment are formally identified, evaluated, and managed.
Modified p. 120 → 121
• Resulting analysis that determines, and includes justification for, how frequently the requirement must be performed to minimize the likelihood of the threat being realized.
• Resulting analysis that determines, and includes justification for, how the frequency or processes defined by the entity to meet the requirement minimize the likelihood and/or impact of the threat being realized.
Modified p. 120 → 122
Applicability Notes Describe results as instructed in “Requirement Responses” (page v) This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place Applicability Notes Describe results as instructed in “Requirement Responses” (page v) This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.
Modified p. 121 → 122
A documented strategy to respond to anticipated changes in cryptographic vulnerabilities.
Documentation of a plan to respond to anticipated changes in cryptographic vulnerabilities.
Modified p. 121 → 122
Applicability Notes Describe results as instructed in “Requirement Responses” (page v) The requirement applies to all cryptographic suites and protocols used to meet PCI DSS requirements.
Applicability Notes Describe results as instructed in “Requirement Responses” (page v) The requirement applies to all cryptographic cipher suites and protocols used to meet PCI DSS requirements, including, but not limited to, those used to render PAN unreadable in storage and transmission, to protect passwords, and as part of authenticating access.
Modified p. 122 → 123
PCI DSS Requirement Expected Testing Response12F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 12.3.4 Hardware and software technologies in use are reviewed at least once every 12 months, including at least the following:
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 12.3.4 Hardware and software technologies in use are reviewed at least once every 12 months, including at least the following:
Modified p. 123 → 124
PCI DSS Requirement Expected Testing Response12F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 12.4 PCI DSS compliance is managed.
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 12.4 PCI DSS compliance is managed.
Modified p. 124 → 125
PCI DSS Requirement Expected Testing Response12F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 12.4.2 Additional requirement for service providers only:
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 12.4.2 Additional requirement for service providers only:
Modified p. 125 → 126
PCI DSS Requirement Expected Testing Response12F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 12.4.2.1 Additional requirement for service providers only:
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 12.4.2.1 Additional requirement for service providers only:
Modified p. 126 → 127
PCI DSS Requirement Expected Testing Response12F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 12.5.2 (cont.)
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 12.5.2 (cont.)
Modified p. 127 → 128
PCI DSS Requirement Expected Testing Response12F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 12.5.2.1 Additional requirement for service providers only: PCI DSS scope is documented and confirmed by the entity at least once every six months and upon significant change to the in-scope environment.
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 12.5.2.1 Additional requirement for service providers only: PCI DSS scope is documented and confirmed by the entity at least once every six months and upon significant change to the in-scope environment.
Modified p. 128 → 129
PCI DSS Requirement Expected Testing Response12F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 12.6.2 The security awareness program is:
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 12.6.2 The security awareness program is:
Modified p. 128 → 129
• Updated as needed to address any new threats and vulnerabilities that may impact the security of the entity’s CDE, or the information provided to personnel about their role in protecting cardholder data.
• Updated as needed to address any new threats and vulnerabilities that may impact the security of the entity’s cardholder data and/or sensitive authentication data, or the information provided to personnel about their role in protecting cardholder data.
Modified p. 128 → 129
Describe results as instructed in “Requirement Responses” (page v) 12.6.3.1 Security awareness training includes awareness of threats and vulnerabilities that could impact the security of the CDE, including but not limited to:
Describe results as instructed in “Requirement Responses” (page v) 12.6.3.1 Security awareness training includes awareness of threats and vulnerabilities that could impact the security of cardholder data and/or sensitive authentication data, including but not limited to:
Modified p. 129 → 130
PCI DSS Requirement Expected Testing Response12F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 12.6.3.2 Security awareness training includes awareness about the acceptable use of end-user technologies in accordance with Requirement 12.2.1.
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 12.6.3.2 Security awareness training includes awareness about the acceptable use of end-user technologies in accordance with Requirement 12.2.1.
Modified p. 130 → 131
PCI DSS Requirement Expected Testing Response12F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 12.8.2 Written agreements with TPSPs are maintained as follows:
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 12.8.2 Written agreements with TPSPs are maintained as follows:
Modified p. 130 → 131
• Written agreements include acknowledgments from TPSPs that they are responsible for the security of account data the TPSPs possess or otherwise store, process, or transmit on behalf of the entity, or to the extent that they could impact the security of the entity’s CDE.
• Written agreements include acknowledgments from TPSPs that TPSPs are responsible for the security of account data the TPSPs possess or otherwise store, process, or transmit on behalf of the entity, or to the extent that the TPSP could impact the security of the entity’s cardholder data and/or sensitive authentication data.
Modified p. 130 → 131
Applicability Notes Describe results as instructed in “Requirement Responses” (page v) The exact wording of an acknowledgment will depend on the agreement between the two parties, the details of the service being provided, and the responsibilities assigned to each party. The acknowledgment does not have to include the exact wording provided in this requirement.
Applicability Notes Describe results as instructed in “Requirement Responses” (page v) The exact wording of an agreement will depend on the details of the service being provided, and the responsibilities assigned to each party. The agreement does not have to include the exact wording provided in this requirement.
Modified p. 130 → 131
Evidence that a TPSP is meeting PCI DSS requirements (for example, a PCI DSS Attestation of Compliance (AOC) or a declaration on a company’s website) is not the same as a written agreement specified in this requirement.
Evidence that a TPSP is meeting PCI DSS requirements is not the same as a written acknowledgment specified in this requirement. For example, a PCI DSS Attestation of Compliance (AOC), a declaration on a company’s website, a policy statement, a responsibility matrix, or other evidence not included in a written agreement is not a written acknowledgment.
Removed p. 131
TPSPs acknowledge in writing to customers that they are responsible for the security of account data the TPSP possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s CDE.
Modified p. 131 → 132
PCI DSS Requirement Expected Testing Response12F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 12.8.4 A program is implemented to monitor TPSPs’ PCI DSS compliance status at least once every 12 months.
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 12.8.4 A program is implemented to monitor TPSPs’ PCI DSS compliance status at least once every 12 months.
Modified p. 131 → 132
Describe results as instructed in “Requirement Responses” (page v) 12.9 Third-party service providers (TPSPs) support their customers’ PCI DSS compliance.
Describe results as instructed in “Requirement Responses” (page v)
Modified p. 131 → 133
The exact wording of an acknowledgment will depend on the agreement between the two parties, the details of the service being provided, and the responsibilities assigned to each party. The acknowledgment does not have to include the exact wording provided in this requirement.
The exact wording of an agreement will depend on the details of the service being provided, and the responsibilities assigned to each party. The agreement does not have to include the exact wording provided in this requirement.
Modified p. 132 → 134
PCI DSS Requirement Expected Testing Response12F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 12.9.2 Additional requirement for service providers only:
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 12.9.2 Additional requirement for service providers only:
Modified p. 132 → 134
• PCI DSS compliance status information for any service the TPSP performs on behalf of customers (Requirement 12.8.4).
• PCI DSS compliance status information (Requirement 12.8.4).
Modified p. 132 → 134
Information about which PCI DSS requirements are the responsibility of the TPSP and which are the responsibility of the customer, including any shared responsibilities (Requirement 12.8.5).
Information about which PCI DSS requirements are the responsibility of the TPSP and which are the responsibility of the customer, including any shared responsibilities (Requirement 12.8.5), for any service the TPSP provides that meets a PCI DSS requirement(s) on behalf of customers or that can impact security of customers’ cardholder data and/or sensitive authentication data.
Modified p. 133 → 135
PCI DSS Requirement Expected Testing Response12F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 12.10 Suspected and confirmed security incidents that could impact the CDE are responded to immediately.
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 12.10 Suspected and confirmed security incidents that could impact the CDE are responded to immediately.
Modified p. 134 → 136
PCI DSS Requirement Expected Testing Response12F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 12.10.4 Personnel responsible for responding to suspected and confirmed security incidents are appropriately and periodically trained on their incident response responsibilities.
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 12.10.4 Personnel responsible for responding to suspected and confirmed security incidents are appropriately and periodically trained on their incident response responsibilities.
Modified p. 135 → 137
PCI DSS Requirement Expected Testing Response12F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 12.10.6 The security incident response plan is modified and evolved according to lessons learned and to incorporate industry developments.
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 12.10.6 The security incident response plan is modified and evolved according to lessons learned and to incorporate industry developments.
Modified p. 136 → 138
PCI DSS Requirement Expected Testing Response13F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place A1.1 Multi-tenant service providers protect and separate all customer environments and data.
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place A1.1 Multi-tenant service providers protect and separate all customer environments and data.
Modified p. 137 → 139
PCI DSS Requirement Expected Testing Response13F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place A1.1.4 The effectiveness of logical separation controls used to separate customer environments is confirmed at least once every six months via penetration testing.
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place A1.1.4 The effectiveness of logical separation controls used to separate customer environments is confirmed at least once every six months via penetration testing.
Modified p. 138 → 140
PCI DSS Requirement Expected Testing Response13F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place A1.2.3 Processes or mechanisms are implemented for reporting and addressing suspected or confirmed security incidents and vulnerabilities, including:
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place A1.2.3 Processes or mechanisms are implemented for reporting and addressing suspected or confirmed security incidents and vulnerabilities, including:
Modified p. 139 → 141
PCI DSS Requirement Expected Testing Response14F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place A2.1 POI terminals using SSL and/or early TLS are not susceptible to known SSL/TLS exploits.
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place A2.1 POI terminals using SSL and/or early TLS are not susceptible to known SSL/TLS exploits.
Modified p. 140 → 142
PCI DSS Requirement Expected Testing Response14F (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place A2.1.2 Additional requirement for service providers only:
PCI DSS Requirement Expected Testing Response ♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place A2.1.2 Additional requirement for service providers only:
Modified p. 146 → 148
PCI DSS Self-Assessment Questionnaire D, Version 4.0, was completed according to the instructions therein.
PCI DSS Self-Assessment Questionnaire D, Version 4.0.1, was completed according to the instructions therein.