Document Comparison
PCI-DSS-v3_2_1-SAQ-D_ServiceProvider.pdf
→
PCI-DSS-v3-2-1-SAQ-D_ServiceProvider-r2.pdf
93% similar
95 → 92
Pages
23709 → 23239
Words
409
Content Changes
Content Changes
409 content changes. 57 administrative changes (dates, page numbers) hidden.
Added
p. 2
This document aligns with PCI DSS v3.2.1 r1.
(PCI Data Security Standard Requirements and Security Assessment Procedures) Guidance on Scoping Guidance on the intent of all PCI DSS Requirements Details of testing procedures Guidance on Compensating Controls SAQ Instructions and Guidelines documents Information about all SAQs and their eligibility criteria How to determine which SAQ is right for your organization
(PCI Data Security Standard Requirements and Security Assessment Procedures) Guidance on Scoping Guidance on the intent of all PCI DSS Requirements Details of testing procedures Guidance on Compensating Controls SAQ Instructions and Guidelines documents Information about all SAQs and their eligibility criteria How to determine which SAQ is right for your organization
Added
p. 16
Network Address Translation (NAT) Placing servers containing cardholder data behind proxy servers/firewalls, Removal or filtering of route advertisements for private networks that employ registered addressing, Internal use of RFC1918 address space instead of registered addresses.
Added
p. 20
Changing of all vendor-supplied defaults and elimination of unnecessary default accounts? Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same server? Enabling only necessary services, protocols, daemons, etc., as required for the function of the system? Implementing additional security features for any required services, protocols or daemons that are considered to be insecure? Configuring system security parameters to prevent misuse? Removing all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers? Review system configuration standards.
Added
p. 22
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 2.3 Is non-console administrative access encrypted as follows:
Added
p. 42
Is situated in front of public-facing web applications to detect and prevent web-based attacks. Is actively running and up to date as applicable. Is generating audit logs. Is configured to either block web-based attacks, or generate an alert that is immediately investigated.
Added
p. 49
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested Do authentication policies and procedures include the following? Guidance on selecting strong authentication credentials Guidance for how users should protect their authentication credentials Instructions not to reuse previously used passwords Instructions that users should change passwords if there is any suspicion the password could be compromised Review policies and procedures.
Generic user IDs and accounts are disabled or removed; Shared user IDs for system administration activities and other critical functions do not exist; and Shared and generic user IDs are not used to administer any system components? Review policies and procedures.
Generic user IDs and accounts are disabled or removed; Shared user IDs for system administration activities and other critical functions do not exist; and Shared and generic user IDs are not used to administer any system components? Review policies and procedures.
Added
p. 73
System executables Application executables Configuration and parameter files Centrally stored, historical or archived, log, and audit files Additional critical files determined by entity (for example, through risk assessment or other means) Observe system settings and monitored files.
Added
p. 82
Daily log reviews Firewall rule-set reviews Applying configuration standards to new systems Responding to security alerts Change management processes Examine policies and procedures for performing quarterly reviews.
Added
p. 85
Description of usage, including; what data is being transmitted, types and number of systems that use and/or support SSL/early TLS, type of environment; Risk assessment results and risk reduction controls in place; Description of processes to monitor for new vulnerabilities associated with SSL/early TLS; Description of change control processes that are implemented to ensure SSL/early TLS is not implemented into new environments; Overview of migration project plan to replace SSL/early TLS at a future date? Review the documented Risk Mitigation and Migration Plan.
Modified
p. 1
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers SAQ-Eligible Service Providers For use with PCI DSS Version 3.2.1
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers SAQ-Eligible Service Providers For use with PCI DSS Version 3.2.1 Revision 2
Removed
p. 4
1. Confirm that your environment is properly scoped.
• Section 3 (Parts 3 & 4 of the AOC)
• Validation and Attestation Details and Action Plan for Non- Compliant Requirements (if applicable)
• Guidance on Scoping
• Guidance on the intent of all PCI DSS Requirements
• Details of testing procedures
• Guidance on Compensating Controls SAQ Instructions and Guidelines documents
• Information about all SAQs and their eligibility criteria
• How to determine which SAQ is right for your organization
• Section 3 (Parts 3 & 4 of the AOC)
• Validation and Attestation Details and Action Plan for Non- Compliant Requirements (if applicable)
• Guidance on Scoping
• Guidance on the intent of all PCI DSS Requirements
• Details of testing procedures
• Guidance on Compensating Controls SAQ Instructions and Guidelines documents
• Information about all SAQs and their eligibility criteria
• How to determine which SAQ is right for your organization
Modified
p. 4
PCI DSS Self-Assessment Completion Steps
PCI DSS Self-Assessment Completion Steps Confirm that your environment is properly scoped.
Modified
p. 4
Assess your environment for compliance with PCI DSS requirements.
Modified
p. 4
Complete all sections of this document:
Modified
p. 4
Section 1 (Parts 1 & 2 of the AOC) • Assessment Information and Executive Summary
Modified
p. 4
• PCI DSS Self-Assessment Questionnaire (SAQ D)
Section 2
• PCI DSS Self-Assessment Questionnaire (SAQ D)
• PCI DSS Self-Assessment Questionnaire (SAQ D)
Modified
p. 4
•such as ASV scan reports
•to the payment brand, or other requester.
Section 3 (Parts 3 & 4 of the AOC)
• Validation and Attestation Details and Action Plan for Non-Compliant Requirements (if applicable) Submit the SAQ and Attestation of Compliance (AOC), along with any other requested documentation
•such as ASV scan reports
•to the payment brand, or other requester.
• Validation and Attestation Details and Action Plan for Non-Compliant Requirements (if applicable) Submit the SAQ and Attestation of Compliance (AOC), along with any other requested documentation
•such as ASV scan reports
•to the payment brand, or other requester.
Modified
p. 4
PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms Descriptions and definitions of terms used in the PCI DSS and self-assessment questionnaires These and other resources can be found on the PCI SSC website (www.pcisecuritystandards.org). Organizations are encouraged to review the PCI DSS and other supporting documents before beginning an assessment.
Modified
p. 6
The questions specific to securing wireless technologies (for example, Requirements 1.2.3, 2.1.1, and 4.1.1) only need to be answered if wireless is present anywhere in your network. Note that Requirement 11.1 (use of processes to identify unauthorized wireless access points) must still be answered even if you don’t use wireless technologies in your network, since the process detects any rogue or unauthorized devices that may have been added without your knowledge.
Modified
p. 6
The questions specific to application development and secure coding (Requirements 6.3 and 6.5) only need to be answered if your organization develops its own custom applications.
Modified
p. 6
The questions for Requirements 9.1.1 and 9.3 only need to be answered for facilities with “sensitive areas” as defined here: “Sensitive areas” refers to any data center, server room, or any area that houses systems that store, process, or transmit cardholder data. This excludes the areas where only point-of-sale terminals are present, such as the cashier areas in a retail store, but does include retail store back-office server rooms that store cardholder data, and storage areas for large quantities of …
Modified
p. 6
•for
An organization may be asked by their acquirer to validate a subset of requirements•for example: using the prioritized approach to validate certain milestones.
Modified
p. 6
•for
An organization may wish to validate a new security control that impacts only a subset of requirements•for example, implementation of a new encryption methodology that requires assessment of PCI DSS Requirements 2, 3 and 4.
Modified
p. 6
•for
A service provider organization might offer a service which covers only a limited number of PCI DSS requirements•for example, a physical storage provider may only wish to validate the physical security controls per PCI DSS Requirement 9 for their storage facility.
Modified
p. 10
For example: • Connections into and out of the cardholder data environment (CDE). • Critical system components within the CDE, such as POS devices, databases, web servers, etc., and any other necessary payment components, as applicable.
For example: Connections into and out of the cardholder data environment (CDE). Critical system components within the CDE, such as POS devices, databases, web servers, etc., and any other necessary payment components, as applicable.
Removed
p. 12
• Reason why sub-requirement(s) were not tested or not applicable
Modified
p. 12
• The requirement and all sub-requirements were assessed for that Requirement, and no sub- requirements were marked as “Not Tested” or “Not Applicable” in the SAQ.
Full
• The requirement and all sub-requirements were assessed for that Requirement, and no sub- requirements were marked as “Not Tested” or “Not Applicable” in the SAQ.
• The requirement and all sub-requirements were assessed for that Requirement, and no sub- requirements were marked as “Not Tested” or “Not Applicable” in the SAQ.
Modified
p. 12
• One or more sub-requirements of that Requirement were marked as “Not Tested” or “Not Applicable” in the SAQ.
Partial
• One or more sub-requirements of that Requirement were marked as “Not Tested” or “Not Applicable” in the SAQ.
• One or more sub-requirements of that Requirement were marked as “Not Tested” or “Not Applicable” in the SAQ.
Modified
p. 12
• All sub-requirements of that Requirement were marked as “Not Tested” and/or “Not Applicable” in the SAQ.
None
• All sub-requirements of that Requirement were marked as “Not Tested” and/or “Not Applicable” in the SAQ.
• All sub-requirements of that Requirement were marked as “Not Tested” and/or “Not Applicable” in the SAQ.
Modified
p. 12
Details of specific sub-requirements that were marked as either “Not Tested” and/or “Not Applicable” in the SAQ Reason why sub-requirement(s) were not tested or not applicable
Removed
p. 13
(b) Is there a process to ensure the diagram is kept current?
• Interview personnel.
• Interview personnel.
Modified
p. 13
Is there a process to ensure the diagram is kept current? Interview responsible personnel.
Modified
p. 14
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 1.1.4 (a) Is a firewall required and implemented at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone? • Review firewall configuration standards.
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 1.1.4 Is a firewall required and implemented at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone? Review firewall configuration standards.
Modified
p. 14
Observe network configurations to verify that a firewall(s) is in place.
Modified
p. 14
Is the current network diagram consistent with the firewall configuration standards? • Compare firewall configuration standards to current network diagram.
Is the current network diagram consistent with the firewall configuration standards? Compare firewall configuration standards to current network diagram.
Modified
p. 14
Are all insecure services, protocols, and ports identified, and are security features documented and implemented for each identified service? • Review firewall and router configuration standards.
Are all insecure services, protocols, and ports identified, and are security features documented and implemented for each identified service? Review firewall and router configuration standards.
Modified
p. 14
(b) Are firewall and router rule sets reviewed at least every six months? • Examine documentation from firewall reviews.
(b) Are firewall and router rule sets reviewed at least every six months? Examine documentation from firewall reviews.
Modified
p. 15
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 1.2.1 (a) Is inbound and outbound traffic restricted to that which is necessary for the cardholder data environment? • Review firewall and router configuration standards.
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 1.2.1 Is inbound and outbound traffic restricted to that which is necessary for the cardholder data environment? Review firewall and router configuration standards.
Modified
p. 15
Is all other inbound and outbound traffic specifically denied (for example by using an explicit “deny all” or an implicit deny after allow statement)? • Review firewall and router configuration standards.
Is all other inbound and outbound traffic specifically denied (for example by using an explicit “deny all” or an implicit deny after allow statement)? Review firewall and router configuration standards.
Modified
p. 15
Examine router configuration files and router configurations.
Removed
p. 16
• Network Address Translation (NAT)
• Placing servers containing cardholder data behind proxy servers/firewalls,
• Removal or filtering of route advertisements for private networks that employ registered addressing,
• Internal use of RFC1918 address space instead of registered addresses.
• Examine firewall and router configurations.
• Placing servers containing cardholder data behind proxy servers/firewalls,
• Removal or filtering of route advertisements for private networks that employ registered addressing,
• Internal use of RFC1918 address space instead of registered addresses.
• Examine firewall and router configurations.
Modified
p. 16
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 1.3.4 Is outbound traffic from the cardholder data environment to the Internet explicitly authorized? • Examine firewall and router configurations.
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 1.3.4 Is outbound traffic from the cardholder data environment to the Internet explicitly authorized? Examine firewall and router configurations.
Modified
p. 16
Is any disclosure of private IP addresses and routing information to external entities authorized? • Examine firewall and router configurations.
Is any disclosure of private IP addresses and routing information to external entities authorized? Examine firewall and router configurations.
Removed
p. 17
• Examine mobile and/or employee- owned devices.
Modified
p. 17 → 16
Examine mobile and/or employee- owned devices.
Modified
p. 17 → 16
(b) Is the personal firewall software (or equivalent functionality) configured to specific configuration settings, actively running, and not alterable by users of mobile and/or employee-owned devices? • Review policies and configuration standards.
(b) Is the personal firewall software (or equivalent functionality) configured to specific configuration settings, actively running, and not alterable by users of mobile and/or employee-owned devices? Review policies and configuration standards.
Modified
p. 18
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 2.1 (a) Are vendor-supplied defaults always changed before installing a system on the network? This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, payment applications, Simple Network Management Protocol (SNMP) community strings, etc.).
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 2.1 Are vendor-supplied defaults always changed before installing a system on the network? This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, payment applications, Simple Network Management Protocol (SNMP) community strings, etc.).
Modified
p. 18
Observe system configurations and account settings.
Modified
p. 18
Are unnecessary default accounts removed or disabled before installing a system on the network? • Review policies and procedures.
Are unnecessary default accounts removed or disabled before installing a system on the network? Review policies and procedures.
Modified
p. 18
Examine system configurations and account settings.
Modified
p. 18
Are encryption keys changed from default at installation, and changed anytime anyone with knowledge of the keys leaves the company or changes positions? Review policies and procedures.
Modified
p. 18
Are default SNMP community strings on wireless devices changed at installation? Review policies and procedures.
Modified
p. 18
Are default passwords/passphrases on access points changed at installation? Review policies and procedures.
Modified
p. 19
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 2.1.1 (cont.) (d) Is firmware on wireless devices updated to support strong encryption for authentication and transmission over wireless networks? • Review policies and procedures.
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 2.1.1 (cont.) Is firmware on wireless devices updated to support strong encryption for authentication and transmission over wireless networks? Review policies and procedures.
Modified
p. 19
Are other security-related wireless vendor defaults changed, if applicable? Review policies and procedures.
Modified
p. 19
Review system configuration standards.
Modified
p. 19
Review industry-accepted hardening standards.
Modified
p. 19
Are system configuration standards updated as new vulnerability issues are identified, as defined in Requirement 6.1? Review policies and procedures.
Modified
p. 19
Are system configuration standards applied when new systems are configured? Review policies and procedures.
Removed
p. 20
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 2.2 (cont.) (d) Do system configuration standards include all of the following: - Changing of all vendor-supplied defaults and elimination of unnecessary default accounts? - Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same server? - Enabling only necessary services, protocols, daemons, etc., as required for the function of the system? - Implementing additional security features for any required services, protocols or daemons that are considered to be insecure? - Configuring system security parameters to prevent misuse? - Removing all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers?
• Review system configuration standards.
• Review system configuration standards.
Modified
p. 20
If virtualization technologies are used, is only one primary function implemented per virtual system component or device? • Examine system configurations.
If virtualization technologies are used, is only one primary function implemented per virtual system component or device? Examine system configurations.
Removed
p. 21
• Compare enabled services, etc. to documented justifications.
Modified
p. 21
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 2.2.2 (a) Are only necessary services, protocols, daemons, etc. enabled as required for the function of the system (services and protocols not directly needed to perform the device’s specified function are disabled)? • Review configuration standards.
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 2.2.2 Are only necessary services, protocols, daemons, etc. enabled as required for the function of the system (services and protocols not directly needed to perform the device’s specified function are disabled)? Review configuration standards.
Modified
p. 21
(b) Are all enabled insecure services, daemons, or protocols justified per documented configuration standards? • Review configuration standards
(b) Are all enabled insecure services, daemons, or protocols justified per documented configuration standards? Review configuration standards Interview personnel. Examine configuration settings. Compare enabled services, etc. to documented justifications.
Modified
p. 21
Examine security parameter settings.
Modified
p. 21
Are common system security parameters settings included in the system configuration standards? • Review system configuration standards.
Are common system security parameters settings included in the system configuration standards? Review system configuration standards.
Modified
p. 21
Are security parameter settings set appropriately on system components? Examine system components.
Modified
p. 21
Examine security parameters on system components.
Modified
p. 21
Compare settings to system configuration standards.
Modified
p. 21
Are enabled functions documented and do they support secure configuration? • Review documentation.
Are enabled functions documented and do they support secure configuration? Review documentation.
Modified
p. 21
Examine security parameters on system components.
Modified
p. 21 → 22
Examine system configurations.
Removed
p. 22
• Examine security parameters on system components.
• Examine system configurations.
• Examine system configurations.
Modified
p. 22 → 20
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 2.2.5 (cont.) (c) Is only documented functionality present on system components?
• Review documentation.
• Review documentation.
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 2.2 (cont.) Do system configuration standards include all of the following:
Modified
p. 22
Is all non-console administrative access encrypted with strong cryptography, and is a strong encryption method invoked before the administrator’s password is requested? Examine system components.
Modified
p. 22
Observe an administrator log on.
Modified
p. 22
Observe an administrator log on.
Modified
p. 22
Are system services and parameter files configured to prevent the use of Telnet and other insecure remote login commands? Examine system components.
Modified
p. 22
Examine services and files.
Modified
p. 22
Is administrator access to web-based management interfaces encrypted with strong cryptography? Examine system components.
Modified
p. 22
For the technology in use, is strong cryptography implemented according to industry best practice and/or vendor recommendations? Examine system components.
Modified
p. 22
(b) Is the documented inventory kept current? • Interview personnel.
(b) Is the documented inventory kept current? Interview personnel.
Removed
p. 23
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 2.6 If you are a shared hosting provider, are your systems configured to protect each entity’s (your customers’) hosted environment and cardholder data? See Appendix A1: Additional PCI DSS Requirements for Shared Hosting Providers for specific requirements that must be met.
Modified
p. 23 → 22
Complete Appendix A1 testing procedures.
Modified
p. 24 → 23
Is data storage amount and retention time limited to that required for legal, regulatory, and/or business requirements? Review data retention and disposal policies and procedures.
Modified
p. 24 → 23
Are there defined processes in place for securely deleting cardholder data when no longer needed for legal, regulatory, and/or business reasons? Review policies and procedures.
Modified
p. 24 → 23
Examine deletion mechanism.
Modified
p. 24 → 23
Are there specific retention requirements for cardholder data? For example, cardholder data needs to be held for X period for Y business reasons.
Modified
p. 24 → 23
Examine retention requirements.
Modified
p. 24 → 23
Is there a quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention requirements? Review policies and procedures.
Modified
p. 24 → 23
Observe deletion processes.
Modified
p. 24 → 23
Does all stored cardholder data meet the requirements defined in the data-retention policy? Examine files and system records.
Modified
p. 24 → 23
Review documented business justification.
Removed
p. 25
• The cardholder’s name,
• Primary account number (PAN),
• Expiration date, and
• Primary account number (PAN),
• Expiration date, and
Modified
p. 25 → 24
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested For all other entities: Is sensitive authentication data deleted or rendered unrecoverable upon completion of the authorization process? Review policies and procedures.
Modified
p. 25 → 24
Examine deletion processes.
Modified
p. 25 → 24
The cardholder’s name, Primary account number (PAN), Expiration date, and Service code To minimize risk, store only these data elements as needed for business.
Modified
p. 25 → 24
Examine data sources including:
Modified
p. 25 → 24
Incoming transaction data All logs History files Trace files Database schema Database contents
Modified
p. 26 → 24
Incoming transaction data All logs History files Trace files Database schema Database contents 3.2.2 The card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) is not stored after authorization? Examine data sources including:
Modified
p. 26 → 25
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 3.2.2 The card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) is not stored after authorization? • Examine data sources including:
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 3.2.3 The personal identification number (PIN) or the encrypted PIN block is not stored after authorization? Examine data sources including:
Modified
p. 26 → 25
Incoming transaction data All logs History files Trace files Database schema Database contents 3.3 Is the PAN masked when displayed (the first six and last four digits are the maximum number of digits to be displayed) such that only personnel with a legitimate business need can see more than the first six/last four digits of the PAN? Note: This requirement does not supersede stricter requirements in place for displays of cardholder data•for example, legal or payment card brand requirements for …
Modified
p. 26 → 25
Review roles that need access to displays of full PAN.
Modified
p. 26 → 25
Observe displays of PAN.
Removed
p. 27
• Truncation (hashing cannot be used to replace the truncated segment of PAN)
• Index tokens and pads (pads must be securely stored)
• Strong cryptography with associated key management processes and procedures.
• Index tokens and pads (pads must be securely stored)
• Strong cryptography with associated key management processes and procedures.
Modified
p. 27 → 26
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 3.4 Is PAN rendered unreadable anywhere it is stored (including data repositories, portable digital media, backup media, and in audit logs), by using any of the following approaches? • One-way hashes based on strong cryptography (hash must be of the entire PAN)
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 3.4 Is PAN rendered unreadable anywhere it is stored (including data repositories, portable digital media, backup media, and in audit logs), by using any of the following approaches? One-way hashes based on strong cryptography (hash must be of the entire PAN) Truncation (hashing cannot be used to replace the truncated segment of PAN) Index tokens and pads (pads must be securely …
Modified
p. 27 → 26
Examine data repositories.
Modified
p. 27 → 26
Examine removable media.
Modified
p. 27 → 26
Examine audit logs, including payment application logs.
Modified
p. 27 → 26
Is logical access to encrypted file systems managed separately and independently of native operating system authentication and access control mechanisms (for example, by not using local user account databases or general network login credentials)? Examine system configurations.
Modified
p. 27 → 26
Observe the authentication process.
Removed
p. 28
• Review documentation.
Modified
p. 28 → 27
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 3.4.1 (cont.) (c) Is cardholder data on removable media encrypted wherever stored? Note: If disk encryption is not used to encrypt removable media, the data stored on this media will need to be rendered unreadable through some other method.
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 3.4.1 (cont.) Is cardholder data on removable media encrypted wherever stored? Note: If disk encryption is not used to encrypt removable media, the data stored on this media will need to be rendered unreadable through some other method.
Modified
p. 28 → 27
• Inventory of any HSMs and other SCDs used for key management? • Interview personnel.
• Inventory of any HSMs and other SCDs used for key management? Review documentation.
Removed
p. 29
• Within a secure cryptographic device (such as a hardware (host) security module (HSM) or PTS- approved point-of-interaction device)
• As at least two full-length key components or key shares, in accordance with an industry-accepted method.
• As at least two full-length key components or key shares, in accordance with an industry-accepted method.
Modified
p. 29 → 28
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 3.5.3 Are secret and private cryptographic keys used to encrypt/decrypt cardholder data stored in one (or more) of the following forms at all times? • Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the data-encrypting key
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 3.5.3 Are secret and private cryptographic keys used to encrypt/decrypt cardholder data stored in one (or more) of the following forms at all times? Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the data-encrypting key Within a secure cryptographic device (such as a hardware (host) security module (HSM) …
Modified
p. 29 → 28
Review documented procedures.
Modified
p. 29 → 28
Examine system configurations and key storage locations, including for key-encrypting keys.
Modified
p. 29 → 28
For service providers only: If keys are shared with customers for transmission or storage of cardholder data, is documentation provided to customers that includes guidance on how to securely transmit, store and update customer’s keys, in accordance with requirements 3.6.1 through 3.6.8 below? Review documentation provided to customers.
Modified
p. 29 → 28
Observe key-generation procedures.
Modified
p. 30 → 29
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 3.6.2 Do cryptographic key procedures include secure cryptographic key distribution? • Review key management procedures.
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 3.6.2 Do cryptographic key procedures include secure cryptographic key distribution? Review key management procedures.
Modified
p. 30 → 29
Observe the key-distribution method.
Modified
p. 30 → 29
Observe the method for secure storage of keys.
Modified
p. 30 → 29
Do cryptographic key procedures include replacement of known or suspected compromised keys? • Review key-management procedures.
Do cryptographic key procedures include replacement of known or suspected compromised keys? Review key-management procedures.
Modified
p. 30 → 29
(c) If retired or replaced cryptographic keys are retained, are these keys only used for decryption/verification purposes, and not used for encryption operations? • Review key-management procedures.
(c) If retired or replaced cryptographic keys are retained, are these keys only used for decryption/verification purposes, and not used for encryption operations? Review key-management procedures.
Modified
p. 31 → 30
Do split knowledge procedures require that key components are under the control of at least two people who only have knowledge of their own key components?
Modified
p. 31 → 30
Do dual control procedures require that at least two people are required to perform any key management operations and no one person has access to the authentication materials (for example, passwords or keys) of another? Note: Examples of manual key management operations include, but are not limited to: key generation, transmission, loading, storage and destruction.
Modified
p. 31 → 30
Review key-management procedures.
Modified
p. 31 → 30
Interview personnel and/or.
Removed
p. 32
• Cardholder data is only requested if “HTTPS” appears as part of the URL.
Modified
p. 32 → 31
Review documented standards.
Modified
p. 32 → 31
Review all locations where CHD is transmitted or received.
Modified
p. 32 → 31
(b) Are only trusted keys and/or certificates accepted? • Observe inbound and outbound transmissions.
(b) Are only trusted keys and/or certificates accepted? Observe inbound and outbound transmissions.
Modified
p. 32 → 31
Examine keys and certificates.
Modified
p. 32 → 31
(c) Are security protocols implemented to use only secure configurations, and to not support insecure versions or configurations? • Examine system configurations.
(c) Are security protocols implemented to use only secure configurations, and to not support insecure versions or configurations? Examine system configurations.
Modified
p. 32 → 31
(d) Is the proper encryption strength implemented for the encryption methodology in use (check vendor recommendations/best practices)? • Review vendor documentation.
(d) Is the proper encryption strength implemented for the encryption methodology in use (check vendor recommendations/best practices)? Review vendor documentation.
Modified
p. 32 → 31
“HTTPS” appears as the browser Universal Record Locator (URL) protocol, and Cardholder data is only requested if “HTTPS” appears as part of the URL.
Modified
p. 33 → 31
Review wireless networks.
Modified
p. 33 → 32
Are policies in place that state that unprotected PANs are not to be sent via end-user messaging technologies? • Review policies and procedures.
Are policies in place that state that unprotected PANs are not to be sent via end-user messaging technologies? Review policies and procedures.
Modified
p. 34 → 33
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 5.1 Is anti-virus software deployed on all systems commonly affected by malicious software? • Examine system configurations.
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 5.1 Is anti-virus software deployed on all systems commonly affected by malicious software? Examine system configurations.
Modified
p. 34 → 33
Are all anti-virus software and definitions kept current? Examine policies and procedures.
Modified
p. 34 → 33
Examine anti-virus configurations, including the master installation.
Modified
p. 34 → 33
Are automatic updates and periodic scans enabled and being performed? Examine anti-virus configurations, including the master installation.
Modified
p. 34 → 33
Are all anti-virus mechanisms generating audit logs, and are logs retained in accordance with PCI DSS Requirement 10.7? Examine anti-virus configurations.
Modified
p. 34 → 33
Review log retention processes.
Modified
p. 35 → 34
Unable to be disabled or altered by users? Note: Anti-virus solutions may be temporarily disabled only if there is legitimate technical need, as authorized by management on a case-by-case basis. If anti-virus protection needs to be disabled for a specific purpose, it must be formally authorized. Additional security measures may also need to be implemented for the period of time during which anti-virus protection is not active.
Modified
p. 35 → 34
Examine anti-virus configurations.
Modified
p. 36 → 35
Using reputable outside sources for vulnerability information?
Modified
p. 36 → 35
Assigning a risk ranking to vulnerabilities that includes identification of all “high” risk and “critical” vulnerabilities? Note: Risk rankings should be based on industry best practices as well as consideration of potential impact. For example, criteria for ranking vulnerabilities may include consideration of the CVSS base score and/or the classification by the vendor, and/or type of systems affected.
Modified
p. 37 → 36
Compare list of security patches installed to recent vendor patch lists.
Modified
p. 37 → 36
Is information security included throughout the software-development life cycle? • Review software development processes.
Is information security included throughout the software- development life cycle? Review software development processes.
Modified
p. 37 → 36
Are software applications developed in accordance with PCI DSS (for example, secure authentication and logging)? Review software development processes.
Modified
p. 37 → 36
Do software development processes ensure the following at 6.3.1 - 6.3.2:
Modified
p. 38 → 37
Are code changes reviewed by individuals other than the originating code author, and by individuals who are knowledgeable about code review techniques and secure coding practices?
Modified
p. 38 → 37
Do code reviews ensure code is developed according to secure coding guidelines?
Modified
p. 38 → 37
Are appropriate corrections are implemented prior to release?
Modified
p. 38 → 37
Are code review results are reviewed and approved by management prior to release? Note: This requirement for code reviews applies to all custom code (both internal and public-facing), as part of the system development life cycle. Code reviews can be conducted by knowledgeable internal personnel or third parties. Public-facing web applications are also subject to additional controls, to address ongoing threats and vulnerabilities after implementation, as defined at PCI DSS Requirement 6.6.
Modified
p. 38 → 37
Examine recent changes and change records.
Modified
p. 38 → 37
Examine network documentation and network device configurations.
Modified
p. 38 → 37
Is access control in place to enforce the separation between the development/test environments and the production environment? • Review change control processes and procedures.
Is access control in place to enforce the separation between the development/test environments and the production environment? Review change control processes and procedures.
Modified
p. 38 → 37
Examine access control settings.
Removed
p. 39
• Review change control processes and procedures.
Modified
p. 39 → 38
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 6.4.2 Is there separation of duties between personnel assigned to the development/test environments and those assigned to the production environment? • Review change control processes and procedures.
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 6.4.2 Is there separation of duties between personnel assigned to the development/test environments and those assigned to the production environment? Review change control processes and procedures.
Modified
p. 39 → 38
Examine production systems.
Modified
p. 39 → 38
Are the following performed and documented for all 6.4.5.1 Documentation of impact?
• Trace changes to change control documentation.
• Trace changes to change control documentation.
Are the following performed and documented for all changes:
Modified
p. 40 → 39
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 6.4.5.2 Documented approval by authorized parties? • Trace changes to change control documentation.
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 6.4.5.2 Documented approval by authorized parties? Trace changes to change control documentation.
Modified
p. 40 → 39
(b) For custom code changes, testing of updates for compliance with PCI DSS Requirement 6.5 before being deployed into production? • Trace changes to change control documentation.
(b) For custom code changes, testing of updates for compliance with PCI DSS Requirement 6.5 before being deployed into production? Trace changes to change control documentation.
Modified
p. 40 → 39
Observe affected systems or networks.
Modified
p. 41 → 40
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 6.5 (a) Do software-development processes address common coding vulnerabilities? • Review software-development policies and procedures.
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 6.5 Do software-development processes address common coding vulnerabilities? Review software-development policies and procedures.
Modified
p. 41 → 40
Are developers trained at least annually in up-to-date secure coding techniques, including how to avoid common coding vulnerabilities? Examine software-development policies and procedures.
Modified
p. 41 → 40
Examine training records.
Modified
p. 41 → 40
Are applications developed based on secure coding guidelines to protect applications from, at a minimum, the following vulnerabilities:
Modified
p. 41 → 40
Examine software-development policies and procedures.
Modified
p. 42 → 41
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 6.5.5 Do coding techniques address improper error handling? • Examine software-development policies and procedures.
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 6.5.5 Do coding techniques address improper error handling? Examine software-development policies and procedures.
Removed
p. 43
- At least annually - After any changes - By an organization that specializes in application security - That, at a minimum, all vulnerabilities in
- Is situated in front of public-facing web applications to detect and prevent web-based attacks. - Is actively running and up to date as applicable. - Is generating audit logs. - Is configured to either block web-based attacks, or generate an alert that is immediately investigated.
- Is situated in front of public-facing web applications to detect and prevent web-based attacks. - Is actively running and up to date as applicable. - Is generating audit logs. - Is configured to either block web-based attacks, or generate an alert that is immediately investigated.
Modified
p. 43 → 42
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 6.6 For public-facing web applications, are new threats and vulnerabilities addressed on an ongoing basis, and are these applications protected against known attacks by applying either of the following methods? • Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, as follows:
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 6.6 For public-facing web applications, are new threats and vulnerabilities addressed on an ongoing basis, and are these applications protected against known attacks by applying either of the following methods? Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, as follows:
Modified
p. 43 → 42
Requirement 6.5 are included in the assessment - That all vulnerabilities are corrected - That the application is re-evaluated after the corrections Note: This assessment is not the same as the vulnerability scans performed for Requirement 11.2.
At least annually After any changes By an organization that specializes in application security That, at a minimum, all vulnerabilities in Requirement 6.5 are included in the assessment That all vulnerabilities are corrected That the application is re-evaluated after the corrections Note: This assessment is not the same as the vulnerability scans performed for Requirement 11.2.
Modified
p. 43 → 42
Installing an automated technical solution that detects and prevents web-based attacks (for example, a web- application firewall) as follows:
Modified
p. 43 → 42
Review documented processes.
Modified
p. 43 → 42
Examine records of application security assessments.
Removed
p. 45
• Examine written access control policy.
• Interview management.
• Interview management.
Modified
p. 45 → 43
Is there a written policy for access control that incorporates the following? Defining access needs and privilege assignments for each role Restriction of access to privileged user IDs to least privileges necessary to perform job responsibilities, Assignment of access based on individual personnel’s job classification and function Documented approval (electronically or in writing) by authorized parties for all access, including listing of specific privileges approved Examine written access control policy.
Modified
p. 45 → 43
System components and data resources that each role needs to access for their job function?
Modified
p. 45 → 43
Level of privilege required (for example, user, administrator, etc.) for accessing resources? Examine roles and access need.
Modified
p. 45 → 43
To least privileges necessary to perform job responsibilities?
Modified
p. 45 → 43
Assigned only to roles that specifically require that privileged access? Interview management.
Modified
p. 45 → 43
Review privileged user IDs.
Modified
p. 46 → 44
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 7.1.4 Is documented approval by authorized parties required, specifying required privileges? • Compare with documented approvals.
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 7.1.4 Is documented approval by authorized parties required, specifying required privileges? Compare with documented approvals.
Modified
p. 46 → 44
Compare assigned privileges with documented approvals.
Removed
p. 47
Are third-party remote access accounts monitored when in use?
• Interview personnel.
• Interview personnel.
Modified
p. 47 → 45
Examine privileged and general user IDs and associated authorizations.
Modified
p. 47 → 45
Observe system settings.
Modified
p. 47 → 45
Examine terminated users accounts.
Modified
p. 47 → 45
Review current access lists.
Modified
p. 47 → 45
Observe returned physical authentication devices.
Modified
p. 47 → 45
Observe user accounts.
Removed
p. 48
• Something you have, such as a token device or smart card
• Something you are, such as a biometric
• Observe password files.
• Something you are, such as a biometric
• Observe password files.
Modified
p. 48 → 46
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 8.1.6 (a) Are repeated access attempts limited by locking out the user ID after no more than six attempts? • Review password procedures.
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 8.1.6 Are repeated access attempts limited by locking out the user ID after no more than six attempts? Review password procedures.
Modified
p. 48 → 46
For service providers only: Are non-consumer customer passwords temporarily locked-out after not more than six invalid access attempts? • Review policies and procedures.
For service providers only: Are non-consumer customer passwords temporarily locked-out after not more than six invalid access attempts? Review policies and procedures.
Modified
p. 48 → 46
Review documentation.
Modified
p. 48 → 46
In addition to assigning a unique ID, is one or more of the following methods employed to authenticate all users? • Something you know, such as a password or passphrase
In addition to assigning a unique ID, is one or more of the following methods employed to authenticate all users? Something you know, such as a password or passphrase Something you have, such as a token device or smart card Something you are, such as a biometric Review password procedures.
Modified
p. 48 → 46
Observe password files.
Modified
p. 48 → 46
Observe authentication processes.
Modified
p. 48 → 46
Observe data transmissions.
Removed
p. 49
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 8.2.1 (cont.) For service providers only: Is strong cryptography used to render all non-consumer customers’ authentication credentials (such as passwords/passphrases) unreadable during transmission and storage on all system components?
• Observe password files.
• Review customer/user documentation.
• Observe password files.
• Review customer/user documentation.
Modified
p. 49 → 46
Observe data transmissions.
Modified
p. 49 → 47
Examine system configuration settings to verify password parameters.
Modified
p. 49 → 47
For service providers only: Are non-consumer customer passwords required to meet the following minimum length and complexity requirements? - A minimum password length of at least seven characters - Contain both numeric and alphabetic characters
For service providers only: Are non-consumer customer passwords required to meet the following minimum length and complexity requirements? A minimum password length of at least seven characters Contain both numeric and alphabetic characters Review customer/user documentation.
Modified
p. 49 → 47
Review customer/user documentation.
Modified
p. 50 → 47
Sample system components.
Modified
p. 50 → 47
For service providers only: Are new, non-consumer customer passwords required to be different from any of the last four passwords used? • Review customer/user documentation.
For service providers only: Are new, non-consumer customer passwords required to be different from any of the last four passwords used? Review customer/user documentation.
Modified
p. 50 → 48
Observe security personnel.
Modified
p. 50 → 48
Observe administrator logging into CDE.
Modified
p. 50 → 48
Observe personnel connecting remotely.
Removed
p. 51
Do authentication policies and procedures include the following? - Guidance on selecting strong authentication credentials
- Guidance for how users should protect their authentication credentials
- Instructions not to reuse previously used passwords
- Instructions that users should change passwords if there is any suspicion the password could be compromised
• Review documentation provided to users.
• Generic user IDs and accounts are disabled or removed;
• Shared user IDs for system administration activities and other critical functions do not exist; and
• Shared and generic user IDs are not used to administer any system components?
• Review policies and procedures.
- Guidance for how users should protect their authentication credentials
- Instructions not to reuse previously used passwords
- Instructions that users should change passwords if there is any suspicion the password could be compromised
• Review documentation provided to users.
• Generic user IDs and accounts are disabled or removed;
• Shared user IDs for system administration activities and other critical functions do not exist; and
• Shared and generic user IDs are not used to administer any system components?
• Review policies and procedures.
Modified
p. 51 → 48
Review distribution method.
Modified
p. 51 → 49
Review documentation provided to users.
Modified
p. 51 → 49
Examine user ID lists.
Removed
p. 52
• Physical and/or logical controls must be in place to ensure only the intended account can use that mechanism to gain access
• Review policies and procedures.
• Review policies and procedures.
Modified
p. 52 → 50
Examine system configuration settings and/or physical controls.
Modified
p. 53 → 50
Is all user access to, user queries of, and user actions on (for example, move, copy, delete), the database through programmatic methods only (for example, through stored procedures)? Review database authentication policies and procedures.
Modified
p. 53 → 50
Examine database and application configuration settings.
Modified
p. 53 → 50
Is user direct access to or queries to of databases restricted to database administrators? • Review database authentication policies and procedures.
Is user direct access to or queries to of databases restricted to database administrators? Review database authentication policies and procedures.
Modified
p. 53 → 50
Examine database access control settings.
Modified
p. 53 → 50
Examine database access control settings.
Modified
p. 53 → 50
Examine database application configuration settings.
Modified
p. 53 → 50
Examine database application configuration settings.
Modified
p. 53 → 50
(c) Are application IDs only able to be used by the applications (and not by individual users or other processes)? • Review database authentication policies and procedures.
(c) Are application IDs only able to be used by the applications (and not by individual users or other processes)? Review database authentication policies and procedures.
Modified
p. 54 → 52
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 9.1 Are appropriate facility entry controls in place to limit and monitor physical access to systems in the cardholder data environment? • Observe physical access controls.
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 9.1 Are appropriate facility entry controls in place to limit and monitor physical access to systems in the cardholder data environment? Observe physical access controls.
Modified
p. 54 → 52
Observe physical monitoring mechanisms.
Modified
p. 54 → 52
Observe security features.
Modified
p. 54 → 52
Are either video cameras or access control mechanisms (or both) protected from tampering or disabling? • Interview personnel.
Are either video cameras or access control mechanisms (or both) protected from tampering or disabling?
Modified
p. 54 → 52
(c) Is data collected from video cameras and/or access control mechanisms reviewed and correlated with other entries? • Review policies and procedures.
(c) Is data collected from video cameras and/or access control mechanisms reviewed and correlated with other entries? Review policies and procedures.
Modified
p. 54 → 52
(d) Is data collected from video cameras and/or access control mechanisms stored for at least three months unless otherwise restricted by law? • Review data retention processes.
(d) Is data collected from video cameras and/or access control mechanisms stored for at least three months unless otherwise restricted by law? Review data retention processes.
Modified
p. 54 → 52
Observe data storage.
Removed
p. 55
• Compare lists of terminated employees to access control lists.
Modified
p. 55 → 53
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 9.1.3 Is physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines restricted? • Review policies and procedures.
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 9.1.3 Is physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines restricted? Review policies and procedures.
Modified
p. 55 → 53
Observe identification methods (e.g. badges).
Modified
p. 55 → 53
Observe visitor processes.
Modified
p. 55 → 53
Do identification methods (such as ID badges) clearly identify visitors and easily distinguish between onsite personnel and visitors? • Observe identification methods.
Do identification methods (such as ID badges) clearly identify visitors and easily distinguish between onsite personnel and visitors? Observe identification methods.
Modified
p. 55 → 53
(c) Is access to the badge system limited to authorized personnel? • Observe physical controls and access controls for the badge system.
(c) Is access to the badge system limited to authorized personnel? Observe physical controls and access controls for the badge system.
Modified
p. 55 → 53
Is access authorized and based on individual job function?
Modified
p. 55 → 53
Is access revoked immediately upon termination Upon termination, are all physical access mechanisms, such as keys, access cards, etc., returned or disabled? Examine access control lists.
Modified
p. 55 → 53
Compare lists of terminated employees to access control lists.
Modified
p. 55 → 53
Observe onsite personnel.
Modified
p. 56 → 54
Observe visitor processes.
Modified
p. 56 → 54
Observe visitor processes including how access is controlled.
Modified
p. 56 → 54
Observe visitors and badge use.
Modified
p. 56 → 54
Examine identification.
Modified
p. 56 → 54
Examine identification.
Modified
p. 56 → 54
Do visitor badges or other identification expire? • Observe process.
Do visitor badges or other identification expire? Observe process.
Modified
p. 56 → 54
Examine the visitor log.
Modified
p. 56 → 54
Examine the visitor log.
Modified
p. 56 → 54
Examine log retention.
Modified
p. 56 → 54
Does the visitor log contain the visitor’s name, the firm represented, and the onsite personnel authorizing physical access? • Review policies and procedures.
Does the visitor log contain the visitor’s name, the firm represented, and the onsite personnel authorizing physical access? Review policies and procedures.
Modified
p. 56 → 54
(c) Is the visitor log retained for at least three months? • Review policies and procedures.
(c) Is the visitor log retained for at least three months? Review policies and procedures.
Modified
p. 56 → 54
Examine visitor log retention.
Modified
p. 56 → 54
Review policies and procedures for physically securing media.
Modified
p. 56 → 55
Interview security personnel.
Removed
p. 57
• Interview security personnel.
• Examine media distribution tracking logs and documentation.
• Examine media distribution tracking logs and documentation.
• Examine media distribution tracking logs and documentation.
• Examine media distribution tracking logs and documentation.
Modified
p. 57 → 55
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 9.5.1 Is the location where media back-ups are stored reviewed at least annually to confirm storage is secure? • Review policies and procedures for reviewing offsite media locations.
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 9.5.1 Is the location where media back-ups are stored reviewed at least annually to confirm storage is secure? Review policies and procedures for reviewing offsite media locations.
Modified
p. 57 → 55
Are periodic media inventories conducted at least annually? • Examine inventory logs.
Are periodic media inventories conducted at least annually? Examine inventory logs.
Removed
p. 58
• Examine procedures.
Modified
p. 58 → 56
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 9.8 (a) Is all media destroyed when it is no longer needed for business or legal reasons? • Review periodic media destruction policies and procedures.
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 9.8 Is all media destroyed when it is no longer needed for business or legal reasons? Review periodic media destruction policies and procedures.
Modified
p. 58 → 56
Is there a periodic media destruction policy that defines requirements for the following? - Hard-copy materials must be crosscut shredded, incinerated, or pulped such that there is reasonable assurance the hard-copy materials cannot be reconstructed.
Is there a periodic media destruction policy that defines requirements for the following? Hard-copy materials must be crosscut shredded, incinerated, or pulped such that there is reasonable assurance the hard-copy materials cannot be reconstructed.
Modified
p. 58 → 56
Storage containers used for materials that are to be destroyed must be secured.
Modified
p. 58 → 56
Cardholder data on electronic media must be rendered unrecoverable (e.g., via a secure wipe program in accordance with industry-accepted standards for secure deletion, or by physically destroying the media).
Modified
p. 58 → 56
Review periodic media destruction policies and procedures.
Modified
p. 58 → 56
Are storage containers used for materials that contain information to be destroyed secured to prevent access to the contents? • Examine security of storage containers.
Are storage containers used for materials that contain information to be destroyed secured to prevent access to the contents? Examine security of storage containers.
Removed
p. 59
• Examine the list of devices.
(c) Is the list of devices updated when devices are added, relocated, decommissioned, etc.?
• Interview personnel.
(c) Is the list of devices updated when devices are added, relocated, decommissioned, etc.?
• Interview personnel.
Modified
p. 59 → 57
Do policies and procedures require that a list of such devices be maintained? Review policies and procedures.
Modified
p. 59 → 57
Do policies and procedures require that devices are periodically inspected to look for tampering or substitution? Review policies and procedures.
Modified
p. 59 → 57
Do policies and procedures require that personnel are trained to be aware of suspicious behavior and to report tampering or substitution of devices? Review policies and procedures.
Modified
p. 59 → 57
Is the list accurate and up to date? Observe devices and device locations and compare to list.
Modified
p. 60 → 58
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 9.9.2 (a) Are device surfaces periodically inspected to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device) as follows? Note: Examples of signs that a device might have been tampered with or substituted include unexpected attachments …
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 9.9.2 Are device surfaces periodically inspected to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device) as follows? Note: Examples of signs that a device might have been tampered with or substituted include unexpected attachments or …
Modified
p. 60 → 58
Observe inspection processes and compare to defined processes.
Modified
p. 60 → 58
Are personnel aware of procedures for inspecting devices? • Interview personnel.
Are personnel aware of procedures for inspecting devices?
Modified
p. 60 → 58
(a) Do training materials for personnel at point-of-sale locations include the following? - Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices.
(a) Do training materials for personnel at point-of-sale locations include the following? Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices.
Modified
p. 60 → 58
Do not install, replace, or return devices without verification.
Modified
p. 60 → 58
Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices).
Modified
p. 60 → 58
Report suspicious behavior and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer).
Modified
p. 60 → 58
Review training materials.
Modified
p. 61 → 59
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 9.9.3 (cont.) (b) Have personnel at point-of-sale locations received training, and are they aware of procedures to detect and report attempted tampering or replacement of devices? • Interview personnel at POS locations.
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 9.9.3 (cont.) (b) Have personnel at point-of-sale locations received training, and are they aware of procedures to detect and report attempted tampering or replacement of devices? Interview personnel at POS locations.
Modified
p. 62 → 60
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 10.1 (a) Are audit trails enabled and active for system components? • Interview system administrator.
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 10.1 Are audit trails enabled and active for system components? Observe processes.
Modified
p. 62 → 60
Is access to system components linked to individual users? • Interview system administrator.
Is access to system components linked to individual users? Observe processes.
Modified
p. 63 → 61
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 10.2.6 Initialization, stopping, or pausing of the audit logs? • Interview personnel.
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 10.2.6 Initialization, stopping, or pausing of the audit logs? Interview personnel.
Modified
p. 64 → 62
Review time configuration standards and processes.
Modified
p. 64 → 62
Do only designated central time server(s) receive time signals from external sources, and are time signals from external sources based on International Atomic Time or UTC? Review time configuration standards and processes.
Modified
p. 64 → 62
Where there is more than one designated time server, do the time servers peer with each other to keep accurate time? • Review time configuration standards and processes.
Where there is more than one designated time server, do the time servers peer with each other to keep accurate time? Review time configuration standards and processes.
Modified
p. 64 → 62
(c) Do systems receive time only from designated central time server(s)? • Review time configuration standards and processes.
(c) Do systems receive time only from designated central time server(s)? Review time configuration standards and processes.
Modified
p. 64 → 62
Is access to time data restricted to only personnel with a business need to access time data? Examine system configurations and time-synchronization settings.
Modified
p. 64 → 62
Are changes to time settings on critical systems logged, monitored, and reviewed? Examine system configurations and time-synchronization settings and logs.
Modified
p. 65 → 63
Are logs for external-facing technologies (for example, wireless, firewalls, DNS, mail) written onto a secure, centralized, internal log server or media? • Interview system administrators.
Are logs for external-facing technologies (for example, wireless, firewalls, DNS, mail) written onto a secure, centralized, internal log server or media? Interview system administrators.
Removed
p. 66
• Review security policies and procedures.
Modified
p. 66 → 64
Are the above logs and security events reviewed at least daily? • Interview personnel.
Are the above logs and security events reviewed at least daily?
Modified
p. 66 → 64
Are reviews of all other system components performed in accordance with organization’s policies and risk management strategy? • Review risk assessment documentation.
Are reviews of all other system components performed in accordance with organization’s policies and risk management strategy? Review risk assessment documentation.
Removed
p. 67
• Review policies and procedures.
• Examine audit logs.
(c) Are at least the last three months’ logs immediately available for analysis?
• Interview personnel.
- Firewalls - IDS/IPS - FIM - Anti-virus - Physical access controls - Logical access controls - Audit logging mechanisms - Segmentation controls (if used)
• Examine audit logs.
(c) Are at least the last three months’ logs immediately available for analysis?
• Interview personnel.
- Firewalls - IDS/IPS - FIM - Anti-virus - Physical access controls - Logical access controls - Audit logging mechanisms - Segmentation controls (if used)
Modified
p. 67 → 64
Is follow up to exceptions and anomalies performed? • Observe processes.
Is follow up to exceptions and anomalies performed? Observe processes.
Modified
p. 67 → 65
Are audit logs retained for at least one year? • Interview personnel.
Are audit logs retained for at least one year? Interview personnel.
Modified
p. 67 → 65
(a) Are processes implemented for the timely detection and reporting of failures of critical security control systems, including but not limited to failure of:
(a) Are processes implemented for the timely detection and reporting of failures of critical security control systems, including but not limited to failure of: Firewalls IDS/IPS FIM Anti-virus Physical access controls Logical access controls Audit logging mechanisms Segmentation controls (if used) Review policies and procedures.
Modified
p. 67 → 65
(b) Does the failure of a critical security control result in the generation of an alert? • Interview personnel.
(b) Does the failure of a critical security control result in the generation of an alert? 10.8.1 For service providers only: Are failures of any critical security controls responded to in a timely manner, as follows:
Removed
p. 68
(b) Are failures in critical security controls documented, including:
Modified
p. 68 → 66
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 10.8.1 For service providers only: Are failures of any critical security controls responded to in a timely manner, as follows:
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested Are processes for responding to critical security control failures defined and implemented, and include:
Modified
p. 68 → 66
- Resuming monitoring of security controls? • Review policies and procedures.
- Resuming monitoring of security controls? Review policies and procedures.
Modified
p. 68 → 66
Are failures in critical security controls documented, including: Identification of cause(s) of the failure, including root cause Duration (date and time start and end) of the security failure Details of the remediation required to address the root cause? Examine records of security control failures.
Modified
p. 69 → 67
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 11.1 (a) Are processes implemented for detection and identification of both authorized and unauthorized wireless access points on a quarterly basis? Note: Methods that may be used in the process include, but are not limited to, wireless network scans, physical/logical inspections of system components and infrastructure, network access control (NAC), or wireless IDS/IPS.
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 11.1 Are processes implemented for detection and identification of both authorized and unauthorized wireless access points on a quarterly basis? Note: Methods that may be used in the process include, but are not limited to, wireless network scans, physical/logical inspections of system components and infrastructure, network access control (NAC), or wireless IDS/IPS.
Modified
p. 69 → 67
Does the methodology detect and identify any unauthorized wireless access points, including at least the following? - WLAN cards inserted into system components; - Portable or mobile devices attached to system components to create a wireless access point (for example, by USB, etc.); and - Wireless devices attached to a network port or network device.
Does the methodology detect and identify any unauthorized wireless access points, including at least the following? WLAN cards inserted into system components; Portable or mobile devices attached to system components to create a wireless access point (for example, by USB, etc.); and Wireless devices attached to a network port or network device.
Modified
p. 69 → 67
Evaluate the methodology.
Modified
p. 69 → 67
(c) If wireless scanning is utilized to identify authorized and unauthorized wireless access points, is the scan performed at least quarterly for all system components and facilities? • Examine output from recent wireless scans.
(c) If wireless scanning is utilized to identify authorized and unauthorized wireless access points, is the scan performed at least quarterly for all system components and facilities? Examine output from recent wireless scans.
Modified
p. 69 → 67
If automated monitoring is utilized (for example, wireless IDS/IPS, NAC, etc.), is monitoring configured to generate alerts to notify personnel? Examine configuration settings.
Modified
p. 70 → 68
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 11.1.2 (a) Does the incident response plan define and require a response in the event that an unauthorized wireless access point is detected? • Examine incident response plan (see Requirement 12.10).
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 11.1.2 Does the incident response plan define and require a response in the event that an unauthorized wireless access point is detected? Examine incident response plan (see Requirement 12.10).
Modified
p. 70 → 68
Is action taken when unauthorized wireless access points are found? • Interview responsible personnel.
Is action taken when unauthorized wireless access points are found? Interview responsible personnel.
Modified
p. 70 → 68
Inspect recent wireless scans and related responses.
Removed
p. 71
(b) Does the scan process include rescans until:
Modified
p. 71 → 69
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 11.2.1 (cont.) (c) Are quarterly internal scans performed by a qualified internal resource(s) or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)? • Interview personnel.
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 11.2.1 (cont.) Are quarterly internal scans performed by a qualified internal resource(s) or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)?
Modified
p. 71 → 69
Review results from the four most recent quarters of external vulnerability scans.
Modified
p. 71 → 69
Do external quarterly scan and rescan results satisfy the ASV Program Guide requirements for a passing scan (for example, no vulnerabilities rated 4.0 or higher by the CVSS, and no automatic failures)? Review results of each external quarterly scan and rescan.
Modified
p. 71 → 69
Are quarterly external vulnerability scans performed by a PCI SSC Approved Scanning Vendor (ASV? Review results of each external quarterly scan and rescan.
Modified
p. 71 → 69
Examine and correlate change control documentation and scan reports.
Modified
p. 71 → 69
Does the scan process include rescans until: For external scans, no vulnerabilities exist that are scored 4.0 or higher by the CVSS, For internal scans, a passing result is obtained or all “high- risk” vulnerabilities as defined in PCI DSS Requirement 6.1 are resolved?
Modified
p. 71 → 70
Are tests performed by a qualified internal resource or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)? Interview responsible personnel.
Removed
p. 72
• Includes coverage for the entire CDE perimeter and critical systems
• Includes testing from both inside and outside the network
• Includes testing to validate any segmentation and scope- reduction controls
• Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5
• Defines network-layer penetration tests to include components that support network functions as well as operating systems
• Includes review and consideration of threats and vulnerabilities experienced in the last 12 months
• Specifies retention of penetration testing results and remediation activities results
• Examine penetration-testing methodology.
• Includes testing from both inside and outside the network
• Includes testing to validate any segmentation and scope- reduction controls
• Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5
• Defines network-layer penetration tests to include components that support network functions as well as operating systems
• Includes review and consideration of threats and vulnerabilities experienced in the last 12 months
• Specifies retention of penetration testing results and remediation activities results
• Examine penetration-testing methodology.
Modified
p. 72 → 70
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 11.3 Does the penetration-testing methodology include the following? • Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115)
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 11.3 Does the penetration-testing methodology include the following? Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) Includes coverage for the entire CDE perimeter and critical systems Includes testing from both inside and outside the network Includes testing to validate any segmentation and scope- reduction controls Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in …
Modified
p. 72 → 70
Examine results from the most recent external penetration test.
Modified
p. 72 → 71
Are tests performed by a qualified internal resource or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)? Interview responsible personnel.
Modified
p. 73 → 71
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 11.3.2 (a) Is internal penetration testing performed per the defined methodology, at least annually, and after any significant infrastructure or application changes to the environment (such as an operating system upgrade, a sub-network added to the environment, or an added web server)? • Examine scope of work.
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 11.3.2 Is internal penetration testing performed per the defined methodology, at least annually, and after any significant infrastructure or application changes to the environment (such as an operating system upgrade, a sub-network added to the environment, or an added web server)? Examine scope of work.
Modified
p. 73 → 71
Examine results from the most recent internal penetration test.
Modified
p. 73 → 71
Are penetration-testing procedures defined to test all segmentation methods, to confirm they are operational and effective, and isolate all out-of-scope systems from systems in the CDE? Examine segmentation controls.
Modified
p. 73 → 71
Review penetration-testing methodology.
Modified
p. 73 → 71
Does penetration testing to verify segmentation controls meet the following? Performed at least annually and after any changes to segmentation controls/methods.
Modified
p. 73 → 71
Covers all segmentation controls/methods in use.
Modified
p. 73 → 71
Verifies that segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.
Modified
p. 73 → 71
Examine results from the most recent penetration test.
Modified
p. 73 → 71
Are tests performed by a qualified internal resource or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)? Interview responsible personnel.
Removed
p. 74
• Examine results of penetration tests on segmentation controls.
Modified
p. 74 → 72
Is PCI DSS scope confirmed by performing penetration tests on segmentation controls at least every six months and after any changes to segmentation controls/methods? Examine results of penetration tests on segmentation controls.
Modified
p. 74 → 72
Does penetration testing cover all segmentation controls/methods in use? Examine results of penetration tests on segmentation controls.
Modified
p. 74 → 72
Does penetration testing verify that segmentation controls/methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE Examine results of penetration tests on segmentation controls.
Modified
p. 74 → 72
Are tests performed by a qualified internal resource or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)? Interview responsible personnel.
Modified
p. 74 → 72
At the perimeter of the cardholder data environment, and At critical points in the cardholder data environment.
Modified
p. 74 → 72
Examine network diagrams.
Modified
p. 74 → 72
Are intrusion-detection and/or intrusion-prevention techniques configured to alert personnel of suspected compromises? Examine system configurations.
Modified
p. 74 → 72
Are all intrusion-detection and prevention engines, baselines, and signatures kept up-to-date? Examine IDS/IPS configurations.
Removed
p. 75
• Application executables
• Configuration and parameter files
• Centrally stored, historical or archived, log, and audit files
• Additional critical files determined by entity (for example, through risk assessment or other means)
• Observe system settings and monitored files.
• Configuration and parameter files
• Centrally stored, historical or archived, log, and audit files
• Additional critical files determined by entity (for example, through risk assessment or other means)
• Observe system settings and monitored files.
Modified
p. 75 → 73
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 11.5 (a) Is a change-detection mechanism (for example, file- integrity monitoring tools) deployed to detect unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files? Examples of files that should be monitored include:
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 11.5 Is a change-detection mechanism (for example, file-integrity monitoring tools) deployed to detect unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files? Examples of files that should be monitored include:
Modified
p. 75 → 73
Observe system settings and monitored files.
Modified
p. 75 → 73
Is the change-detection mechanism configured to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files or content files, and do the tools perform critical file comparisons at least weekly? Note: For change detection purposes, critical files are usually those that do not regularly change, but the modification of which could indicate a system compromise or risk of compromise. Change detection mechanisms such as file- integrity monitoring products usually come pre-configured with critical files …
Modified
p. 75 → 73
Review results from monitoring activities.
Removed
p. 77
• Review annual risk assessment process.
• Interview responsible personnel.
• Interview responsible personnel.
Modified
p. 77 → 75
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 12.1 Is a security policy established, published, maintained, and disseminated to all relevant personnel? • Review the information security policy.
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 12.1 Is a security policy established, published, maintained, and disseminated to all relevant personnel? Review the information security policy.
Modified
p. 77 → 75
Interview responsible personnel.
Modified
p. 77 → 75
(b) Is the risk assessment process performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.)? • Review risk assessment documentation.
(b) Is the risk assessment process performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.)? Review risk assessment documentation.
Modified
p. 78 → 76
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 12.3.1 Explicit approval by authorized parties to use the technologies?
• Review usage policies.
•
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 12.3.2 Authentication for use of the technology? Review usage policies.
Modified
p. 79 → 76
Review usage policies.
Modified
p. 79 → 76
For personnel with proper authorization, does the policy require the protection of cardholder data in accordance with PCI DSS Requirements? Review usage policies.
Modified
p. 79 → 77
Interview a sample of responsible personnel.
Modified
p. 79 → 77
Has executive management assigned overall accountability for maintaining the entity’s PCI DSS compliance? • Examine documentation.
Has executive management assigned overall accountability for maintaining the entity’s PCI DSS compliance? Examine documentation.
Modified
p. 79 → 77
PCI DSS compliance program and communication to executive management? • Examine PCI DSS charter.
PCI DSS compliance program and communication to executive management? Examine PCI DSS charter.
Modified
p. 79 → 77
Are the following information security management responsibilities formally assigned to an individual or team:
Modified
p. 80 → 78
Do security awareness program procedures include the following:
Modified
p. 80 → 78
Review security awareness program.
Modified
p. 80 → 78
Review security awareness program procedures.
Modified
p. 80 → 78
Review security awareness program attendance records.
Modified
p. 80 → 78
Are personnel educated upon hire and at least annually? Examine security awareness program procedures and documentation.
Modified
p. 80 → 78
Have employees completed awareness training and are they aware of the importance of cardholder data security?
Modified
p. 81 → 78
Interview Human Resource department management.
Modified
p. 81 → 79
Review list of service providers.
Modified
p. 82 → 79
Observe written agreements.
Modified
p. 83 → 80
Review service provider’s policies and procedures.
Modified
p. 83 → 80
Observe templates used for written agreements.
Modified
p. 83 → 80
Review incident response plan procedures.
Modified
p. 83 → 80
Does the plan address the following, at a minimum:
Modified
p. 83 → 80
Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum? Review incident response plan procedures.
Modified
p. 83 → 80
Specific incident response procedures? Review incident response plan procedures.
Modified
p. 83 → 80
Business recovery and continuity procedures? Review incident response plan procedures.
Modified
p. 84 → 81
•
Analysis of legal requirements for reporting compromises? Review incident response plan procedures.
Modified
p. 84 → 81
•
Coverage and responses of all critical system components? Review incident response plan procedures.
Modified
p. 84 → 81
•
Reference or inclusion of incident response procedures from the payment brands? Review incident response plan procedures.
Modified
p. 84 → 82
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 12.10.1(b) (cont.)
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested (a) Do reviews cover the following processes:
Removed
p. 85
- Firewall rule-set reviews
- Applying configuration standards to new systems
- Responding to security alerts
- Change management processes
• Examine policies and procedures for performing quarterly reviews.
- Documenting results of the reviews
• Examine documentation from the quarterly reviews.
- Applying configuration standards to new systems
- Responding to security alerts
- Change management processes
• Examine policies and procedures for performing quarterly reviews.
- Documenting results of the reviews
• Examine documentation from the quarterly reviews.
Modified
p. 85 → 81
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 12.11 For service providers only: Are reviews performed at least quarterly to confirm personnel are following security policies and operational procedures, as follows:
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 12.10.1(b) (cont.) Data backup processes? Review incident response plan procedures.
Modified
p. 85 → 82
(b) Are reviews performed at least quarterly? • Interview personnel.
(b) Are reviews performed at least quarterly? Interview personnel.
Modified
p. 85 → 82
Examine records of reviews.
Modified
p. 85 → 82
Documenting results of the reviews Review and sign off of results by personnel assigned responsibility for the PCI DSS compliance program Examine documentation from the quarterly reviews.
Removed
p. 86
• Examine system configurations and related unique IDs for hosted entities.
Modified
p. 86 → 83
A1.1 Does each entity run processes that have access to only that entity’s cardholder data environment, and are these application processes run using the unique ID of the entity? • No entity on the system can use a shared web server user ID.
A1.1 Does each entity run processes that have access to only that entity’s cardholder data environment, and are these application processes run using the unique ID of the entity? No entity on the system can use a shared web server user ID.
Modified
p. 86 → 83
All CGI scripts used by an entity must be created and run as the entity’s unique user ID Examine system configurations and related unique IDs for hosted entities.
Modified
p. 86 → 83
Are the user IDs for application processes not privileged users (root/admin)? Examine system configurations for application user IDs.
Modified
p. 86 → 83
Does each entity have read, write, or execute permissions only for files and directories it owns or for necessary system files (restricted via file system permissions, access control lists, chroot, jailshell, etc.)? Important: An entity’s files may not be shared by group.
Modified
p. 86 → 83
Examine system configurations and file permissions for hosted entities.
Modified
p. 87 → 84
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested A1.2 (cont.) (c) Do all entities’ users not have write access to shared system binaries? • Examine system configurations and file permissions for shared system binaries.
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested A1.2 (cont.) Do all entities’ users not have write access to shared system binaries? Examine system configurations and file permissions for shared system binaries.
Modified
p. 87 → 84
Is viewing of log entries restricted to the owning entity? Examine system configurations and file permissions for viewing log entries.
Modified
p. 87 → 84
(e) Are restrictions in place for the use of these system resources? - Disk space, - Bandwidth, - Memory, - CPU This ensures that each entity cannot monopolize server resources to exploit vulnerabilities (for example, error, race, and restart conditions, resulting in, for example, buffer overflows).
(e) Are restrictions in place for the use of these system resources? Disk space, Bandwidth, Memory, CPU This ensures that each entity cannot monopolize server resources to exploit vulnerabilities (for example, error, race, and restart conditions, resulting in, for example, buffer overflows).
Modified
p. 87 → 84
Examine system configurations and file permissions for use of: Disk space Bandwidth Memory CPU A1.3 Are logging and audit trails enabled and unique to each entity’s cardholder data environment and consistent with PCI DSS Requirement 10? Examine log settings.
Modified
p. 87 → 84
Is logging enabled as follows, for each merchant and service provider environment as follows:
Modified
p. 87 → 84
Logs are enabled for common third-party applications? Examine log settings.
Modified
p. 87 → 84
Logs are active by default? Examine log settings.
Modified
p. 87 → 84
Logs are available for review by the owning entity? Examine log settings.
Modified
p. 87 → 84
Log locations are clearly communicated to the owning entity? Examine log settings.
Modified
p. 87 → 84
A1.4 Are written policies and processes enabled to provide for timely forensic investigation in the event of a compromise to any hosted merchant or service provider? • Review written policies and procedures.
A1.4 Are written policies and processes enabled to provide for timely forensic investigation in the event of a compromise to any hosted merchant or service provider? Review written policies and procedures.
Removed
p. 88
• Description of usage, including; what data is being transmitted, types and number of systems that use and/or support SSL/early TLS, type of environment;
• Risk assessment results and risk reduction controls in place;
• Description of processes to monitor for new vulnerabilities associated with SSL/early TLS;
• Description of change control processes that are implemented to ensure SSL/early TLS is not implemented into new environments;
• Overview of migration project plan to replace SSL/early TLS at a future date?
• Review the documented Risk Mitigation and Migration Plan.
• Risk assessment results and risk reduction controls in place;
• Description of processes to monitor for new vulnerabilities associated with SSL/early TLS;
• Description of change control processes that are implemented to ensure SSL/early TLS is not implemented into new environments;
• Overview of migration project plan to replace SSL/early TLS at a future date?
• Review the documented Risk Mitigation and Migration Plan.
Modified
p. 88 → 85
Review documentation (for example, vendor documentation, system/network configuration details, etc.) that verifies POS POI devices are not susceptible to any known exploits for SSL/early TLS.
Modified
p. 88 → 85
A2.3 For service providers only: Is there a secure service offering in place? • Examine system configurations and supporting documentation.
A2.3 For service providers only: Is there a secure service offering in place? Examine system configurations and supporting documentation.
Modified
p. 90 → 87
Information Required Explanation Constraints List constraints precluding compliance with the original requirement.
Modified
p. 90 → 87
Objective Define the objective of the original control; identify the objective met by the compensating control.
Modified
p. 90 → 87
Identified Risk Identify any additional risk posed by the lack of the original control.
Modified
p. 90 → 87
Definition of Compensating Controls Define the compensating controls and explain how they address the objectives of the original control and the increased risk, if any.
Modified
p. 90 → 87
Validation of Compensating Controls Define how the compensating controls were validated and tested.
Modified
p. 90 → 87
Maintenance Define process and controls in place to maintain compensating controls.