Document Comparison

pci_dss_saq_instr_guide.pdf pci_dss_saq_instr_guide_v2.0.pdf
77% similar
15 → 17 Pages
3926 → 4713 Words
38 Content Changes

Content Changes

38 content changes. 17 administrative changes (dates, page numbers) hidden.

Added p. 2
October 28, 2010 2.0 To align content with new PCI DSS v2.0 and clarify SAQ environment types and eligibility criteria.

Addition of SAQ C-VT for Web-based Virtual Terminal merchants
Added p. 6
Self-Assessment Questionnaire D and Attestation Eligible merchants and service providers1

The PCI DSS SAQ is a validation tool for merchants and service providers not required to submit an on-site data security assessment Report on Compliance (ROC) per the PCI DSS Requirements and Security Assessment Procedures, and as may be required by your acquirer or payment brand. Please consult your acquirer or payment brand for details regarding PCI DSS validation requirements.

1. Sensitive Authentication Data (includes the full track contents of the magnetic stripe or chip, card verification codes and values, PINs and PIN blocks):
a. Make sure you never store this data.
b. If you don’t know for sure, ask your POS vendor whether the software product and version you use stores this data. Alternatively, consider hiring a Qualified Security Assessor that can assist you in determining whether sensitive authentication data is being stored, logged, or captured anywhere in your systems.

2. …
Added p. 11
• The Navigating PCI DSS Guide

• The PCI DSS Glossary of Terms, Abbreviations and Acronyms

• Frequently Asked Questions (FAQs)

• Information Supplements and Guidelines

• Attestations of Compliance

Please refer to www.pcisecuritystandards.org for more information.

Note: Information Supplements complement the PCI DSS and identify additional considerations and recommendations for meeting PCI DSS requirements; they do not change, eliminate or supersede the PCI DSS or any of its requirements.

SAQ A merchants do not store cardholder data in electronic format, do not process or transmit any cardholder data on their systems or premises, and validate compliance by completing SAQ A and the associated Attestation of Compliance, confirming that:

SAQ B merchants only process cardholder data via imprint machines or via standalone, dial-out terminals, and may be either brick-and-mortar (card-present) or e-commerce or mail/telephone order (card-not-present) merchants. Such merchants validate compliance by completing SAQ B and the associated Attestation of Compliance, confirming that:

SAQ C-VT

• Merchants with Web-Based Virtual …
Added p. 14
• Your company’s only payment processing is done via a virtual terminal accessed by an Internet-connected web browser;
• Your company’s virtual terminal solution is provided and hosted by a PCI DSS validated third-party service provider;
• Your company accesses the PCI DSS compliant virtual terminal solution via a computer that is isolated in a single location, and is not connected to other locations or systems within your environment (this can be achieved via a firewall or network segmentation to isolate the computer from other systems);
• Your company’s computer does not have software installed that causes cardholder data to be stored (for example, there is no software for batch processing or store-and-forward);
• Your company’s computer does not have any attached hardware devices that are used to capture or store cardholder data (for example, there are no card readers attached);
• Your company does not otherwise receive …
Modified p. 1
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Instructions and Guidelines Version 1.2
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Instructions and Guidelines Version 2.0
Modified p. 5
PCI Data Security Standard Self-Assessment: How it All Fits Together The PCI Data Security Standard and supporting documents represent a common set of industry tools and measurements to help ensure the safe handling of sensitive information. The standard provides an actionable framework for developing a robust account data security process, including preventing, detecting and reacting to security incidents. To reduce the risk of compromise and mitigate its impacts if it does occur, it is important that all entities storing, processing, or …
PCI DSS Self-Assessment: How it All Fits Together The PCI DSS and supporting documents represent a common set of industry tools and measurements to help ensure the safe handling of sensitive information. The standard provides an actionable framework for developing a robust account data security process, including preventing, detecting and reacting to security incidents. To reduce the risk of compromise and mitigate its impacts if it does occur, it is important that all entities storing, processing, or transmitting cardholder data be …
Modified p. 6
PCI Data Security Standard: Related Documents The following documents were created to assist merchants and service providers in understanding the PCI Data Security Standard and the PCI DSS SAQ.
PCI Data Security Standard: Related Documents The following documents were created to assist merchants and service providers in understanding the PCI DSS and the PCI DSS SAQ.
Modified p. 6
PCI Data Security Standard: Self-Assessment Questionnaire A and Attestation Merchants1
PCI Data Security Standard: Self-Assessment Questionnaire A and Attestation Eligible merchants1
Modified p. 6
PCI Data Security Standard: Self-Assessment Questionnaire B and Attestation Merchants1
PCI Data Security Standard: Self-Assessment Questionnaire B and Attestation Eligible merchants1
Modified p. 6
PCI Data Security Standard: Self-Assessment Questionnaire C and Attestation Merchants1
PCI Data Security Standard: Self-Assessment Questionnaire C-VT and Attestation Eligible merchants1
Modified p. 6
PCI Data Security Standard: Self-Assessment Questionnaire D and Attestation Merchants1 and all service providers
PCI Data Security Standard: Self-Assessment Questionnaire C and Attestation Eligible merchants1
Modified p. 6
PCI Data Security Standard and Payment Application Data Security Standard Glossary of Terms, Abbreviations, and Acronyms All merchants and service providers 1 To determine the appropriate Self-Assessment Questionnaire, see PCI Data Security Standard: Self-Assessment Guidelines and Instructions, “Selecting the SAQ and Attestation That Best Apply To Your Organization.”
PCI Data Security Standard and Payment Application Data Security Standard: Glossary of Terms, Abbreviations, and Acronyms All merchants and service providers 1 To determine the appropriate Self-Assessment Questionnaire, see “Selecting the SAQ and Attestation That Best Apply to Your Organization,” on page 12 of this document.
Modified p. 7
2. Attestation of Compliance: The Attestation is your certification that you are eligible to perform and have performed the appropriate Self-Assessment.
2. Attestation of Compliance: The Attestation is your self-certification that you are eligible to perform and have actually performed a PCI DSS self-assessment.
Modified p. 8
5. Litigation. Post-mortem compromise analysis has shown common security weaknesses that are addressed by PCI DSS, but were not in place in the organizations when the compromises occurred. PCI DSS was designed and includes detailed requirements for exactly this reason: to minimize the chance of compromise and the effects if a compromise does occur. Investigations after compromises consistently show common PCI DSS violations, including but not limited to:
Post-mortem compromise analysis has shown common security weaknesses that are addressed by PCI DSS, but were not in place in the organizations when the compromises occurred. PCI DSS was designed and includes detailed requirements for exactly this reason: to minimize the chance of compromise and the effects if a compromise does occur.
Modified p. 8
Storage of magnetic stripe data (Requirement 3.2). It is important to note that many compromised entities are unaware that their systems are storing this data.
• Storage of magnetic stripe data (Requirement 3.2). It is important to note that many compromised entities are unaware that their systems are storing this data.
Modified p. 8
• Inadequate access controls due to improperly installed merchant POS systems, allowing hackers in via paths intended for POS vendors (Requirements 7.1, 7.2, 8.2 and 8.3)
• Default system settings and passwords not changed when system was set up (Requirement 2.1)
• Unnecessary and insecure services not removed or fixed when system was set up (Requirement 2.2.2)
• Poorly coded web applications resulting in SQL injection and other vulnerabilities, which allow access to the database storing cardholder data directly from …

• Inadequate access controls due to improperly installed merchant POS systems, allowing malicious users in via paths intended for POS vendors (Requirements 7.1, 7.2, 8.2 and 8.3)
• Default system settings and passwords not changed when system was set up (Requirement 2.1)
• Unnecessary and insecure services not removed or secured when system was set up (Requirements 2.2.2 and 2.2.4)
• Poorly coded web applications resulting in SQL injection and other vulnerabilities, which allow access to the database storing cardholder …
Removed p. 9
2. If you are a merchant, ask your POS vendor about the security of your system, with the following suggested questions:
a. Is my POS software validated to the Payment Application Data Security Standard (refer to PCI SSC’s list of Validated Payment Applications)?
b. Does my POS software store magnetic-stripe data (track data) or PIN blocks? If so, this storage is prohibited, so how quickly can you help me remove it?
c. Will you document the list of files written by the application with a summary of the content of each file, to verify that the above-mentioned, prohibited data is not stored?
d. Does your POS system require me to install a firewall to protect my systems from unauthorized access?
e. Are complex and unique passwords required to access my systems? Can you confirm that you do not use common or default passwords for mine as well as other merchant …
Removed p. 10
i. Respond to the SAQ question as “YES” and in the “Special” column, note the use of each compensating control used to satisfy a requirement.

ii. Review “Compensating Controls” in the Appendix, and document the use of compensating controls by completing the Compensating Controls Worksheet.

a) Complete a Compensating Controls Worksheet for each requirement that is met with a compensating control.

iii. Submit all completed Compensating Controls Worksheets, along with your completed SAQ and/or Attestation, according to instructions from your acquirer or payment brand.
Modified p. 10
4. Cardholder data: if you do need it, consolidate and isolate it.
a. You can limit the scope of a PCI DSS assessment by consolidating data storage in a defined environment and isolating the data through the use of proper network segmentation. For example, if your employees browse the Internet and receive e-mail on the same machine or network segment as cardholder data, consider segmenting (isolating) the cardholder data onto its own machine or network segment (via routers or firewalls). If …
You can limit the scope of a PCI DSS assessment by consolidating data storage in a defined environment and isolating the data through the use of proper network segmentation. For example, if your employees browse the Internet and receive e-mail on the same machine or network segment as cardholder data, consider segmenting (isolating) the cardholder data onto its own machine or network segment (for example, via routers or firewalls). If you can isolate the cardholder data effectively, you may be …
Modified p. 10
5. Consider Compensating Controls a. Compensating controls may be considered for most PCI DSS requirements when an organization cannot meet the technical specification of a requirement, but has sufficiently mitigated the associated risk. If your company does not have the exact control specified in PCI DSS but has other controls in place that satisfy the PCI DSS definition of compensating controls (see “Compensating Controls” in your applicable SAQ Appendix and the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and …
5. Compensating Controls Compensating controls may be considered for most PCI DSS requirements when an organization cannot meet the technical specification of a requirement, but has sufficiently mitigated the associated risk through alternative controls. If your company does not have the exact control specified in PCI DSS but has other controls in place that satisfy the PCI DSS definition of compensating controls (see “Compensating Controls” in your applicable SAQ Appendix and the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, …
Modified p. 10 → 11
6. Professional Assistance a. If you would like to have a security professional’s guidance to achieve compliance and complete the SAQ, you are encouraged to do so. Please recognize that, while you are free to use any security professional of your choosing, only those included on PCI SSC’s list of Qualified Security Assessors (QSAs) are recognized as QSAs and are trained by PCI SSC. This list is available at https://www.pcisecuritystandards.org/pdfs/pci_qsa_list.pdf.
6. Professional Assistance and Training a. If you would like to have a security professional’s guidance to achieve compliance and complete the SAQ, you are encouraged to do so. Please recognize that, while you are free to use any security professional of your choosing, only those included on PCI SSC’s list of Qualified Security Assessors (QSAs) are recognized as QSAs and are trained by PCI SSC. This list is available at https://www.pcisecuritystandards.org. b. The PCI Security Standards Council (SSC) provides …
Modified p. 11 → 12
SAQ Validation Description 1 Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.
SAQ Description A Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.
Modified p. 11 → 12
SAQ Validation Type 1 / SAQ A: Card-not-present, All Cardholder Data Functions Outsourced SAQ A has been developed to address requirements applicable to merchants who retain only paper reports or receipts with cardholder data, do not store cardholder data in electronic format and do not process or transmit any cardholder data on their premises. Merchants in Validation Type 1 do not store cardholder data in electronic format and do not process or transmit any cardholder data on their premises, and …
SAQ A

• Card-not-present Merchants,
All Cardholder Data Functions Outsourced

SAQ A has been developed to address requirements applicable to merchants who retain only paper reports or receipts with cardholder data, do not store cardholder data in electronic format and do not process or transmit any cardholder data on their systems or premises.
Modified p. 11 → 12
For a graphical guide to choosing your validation type, please see “SAQ Instructions and Guidelines - What is my Validation Type” on page 12.
For a graphical guide to choosing your SAQ type, please see “Which SAQ Best Applies to My Environment?” on page 17.
Modified p. 11 → 12
• Your company handles only card-not-present (e-commerce or mail/telephone-order) transactions;
• Your company does not store, process, or transmit any cardholder data on your premises, but relies entirely on a third party to handle these functions;
• Your company has confirmed that the third party handling storage, processing, and/or transmission of cardholder data is PCI DSS compliant;
• Your company retains only paper reports or receipts with cardholder data, and these documents are not received electronically; and
• Your company …

• Your company accepts only card-not-present (e-commerce or mail/telephone-order) transactions;
• Your company does not store, process, or transmit any cardholder data on your systems or premises, but relies entirely on a third party(s) to handle all these functions;
• Your company has confirmed that the third party(s) handling storage, processing, and/or transmission of cardholder data is PCI DSS compliant;
• Your company retains only paper reports or receipts with cardholder data, and these documents are not received electronically; and …
Removed p. 12
SAQ Validation Type 3 / SAQ B: Standalone, Dial-out Terminal Merchant, no Electronic Cardholder Data Storage SAQ B has been developed to address requirements applicable to merchants who process cardholder data only via imprint machines or stand-alone dial-up terminals. Merchants in Validation Type 3 process cardholder data via stand-alone, dial-out terminals, and may be either brick-and-mortar (card-present) or e-commerce or mail/telephone order (card-not-present) merchants. Merchants in Validation Type 3 must validate compliance by completing SAQ B and the associated Attestation of Compliance, confirming that:

• Your company uses only standalone, dial-out terminals (connected via a phone line to your processor);
• The standalone, dial-out terminals are not connected to any other systems within your environment;
• The standalone, dial-out terminals are not connected to the Internet;
• Your company retains only paper reports or paper copies of receipts; and
• Your company does not store cardholder data in electronic format.

2. The …
Modified p. 12 → 13
SAQ B has been developed to address requirements applicable to merchants who process cardholder data only via imprint machines or stand-alone dial-up terminals. Merchants in Validation Type 2 only process cardholder data via imprint machines, and must validate compliance by completing SAQ B and the associated Attestation of Compliance, confirming that:
SAQ B has been developed to address requirements applicable to merchants who process cardholder data only via imprint machines or standalone, dial-out terminals.
Modified p. 12 → 13
• Your company uses only an imprint machine to take your customers’ payment card information;
• Your company does not transmit cardholder data over either a phone line or the Internet;
• Your company retains only paper copies of receipts; and
• Your company does not store cardholder data in electronic format.

• Your company uses only an imprint machine and/or uses only standalone, dial-out terminals (connected via a phone line to your processor) to take your customers’ payment card information;
• The standalone, dial-out terminals are not connected to any other systems within your environment;
• The standalone, dial-out terminals are not connected to the Internet;
• Your company does not transmit cardholder data over a network (either an internal network or the Internet);
• Your company retains only paper reports …
Modified p. 12 → 14
SAQ Validation Type 4 / SAQ C: Merchants with Payment Application Systems Connected to the Internet SAQ C has been developed to address requirements applicable to merchants whose payment application systems (for example, point-of-sale or shopping cart systems) are connected to the Internet (via high-speed connection, DSL, cable modem, etc.) either because:
SAQ C

• Merchants with Payment Application Systems Connected to the Internet, No Electronic Cardholder Data Storage

SAQ C has been developed to address requirements applicable to merchants whose payment application systems (for example, point-of-sale systems) are connected to the Internet (for example, via DSL, cable modem, etc.) either because:
Removed p. 13
• Your company has a payment application system and an Internet connection on the same device;
• The payment application system/Internet device is not connected to any other systems within your environment;
• Your company retains only paper reports or paper copies of receipts;
• Your company does not store cardholder data in electronic format; and
• Your company’s payment application software vendor uses secure techniques to provide remote support to your payment application system.

Guidance for Non-Applicability and Exclusion of Certain, Specific Requirements Exclusion: If you are required to answer SAQ C or D to validate your PCI DSS compliance, the following exceptions may be considered. See “Non-Applicability” below for the appropriate SAQ response.
Modified p. 13 → 14
For a graphical guide to choosing your validation type, please see “SAQ Instructions and Guidelines - What is my Validation Type” on page 12.
For a graphical guide to choosing your SAQ type, please see “Which SAQ Best Applies to My Environment?” on page 17.
Modified p. 13 → 15
SAQ Validation Type 5 / SAQ D: All Other Merchants and All Service Providers Defined by a Payment Brand as Eligible to Complete an SAQ SAQ D has been developed to address requirements applicable to all service providers defined by a payment brand as eligible to complete an SAQ and those merchants who do not fall under Validation Types 1-4 above. Service providers and merchants in Validation Type 5 must validate compliance by completing SAQ D and the associated Attestation …
While many of the organizations completing SAQ D will need to validate compliance with every PCI DSS requirement, some organizations with very specific business models may find that some requirements do not apply. For example, a company that does not use wireless technology in any capacity would not be expected to validate compliance with the sections of the PCI DSS that are specific to managing wireless technology. See the guidance below for information about the exclusion of wireless technology and …
Modified p. 13 → 16
Requirements 1.2.3 (SAQ D), 2.1.1 (SAQs C and D), and 4.1.1 (SAQ D): These questions specific to wireless only need to be answered if wireless is present anywhere in your network. Note that Requirement 11.1 (use of wireless analyzer) must still be answered even if wireless is not in your network, since the analyzer detects any rogue or unauthorized devices that may have been added without your knowledge.
• Requirements 1.2.3, 2.1.1 and 4.1.1 (SAQs C and D): These questions specific to wireless only need to be answered if wireless is present anywhere in your network. Note that Requirement 11.1 (use of a process to identify unauthorized wireless access points) must still be answered even if wireless is not in your network, since the process detects any rogue or unauthorized devices that may have been added without your knowledge.
Modified p. 13 → 16
Requirements 6.3-6.5 (SAQ D): These questions specific to custom applications and code only need to be answered if your organization writes its own custom web applications.
• Requirements 6.3 and 6.5 (SAQ D): These questions are specific to custom applications and code, and only need to be answered if your organization develops its own custom applications.
Modified p. 13 → 16
Requirements 9.1-9.4 (SAQ D): These questions only need to be answered for facilities with “sensitive areas” as defined here. “Sensitive areas” refers to any data center, server room, or any area that houses systems that store, process, or transmit cardholder data. This excludes the areas where only point-of-sale terminals are present, such as the cashier areas in a retail store.
• Requirements 9.1 through 9.4 (SAQ D): These questions only need to be answered for facilities with “sensitive areas” as defined here. “Sensitive areas” refers to any data center, server room, or any area that houses systems that store, process, or transmit cardholder data. This excludes the areas where only point-of-sale terminals are present, such as the cashier areas in a retail store, but does include retail store back-office server rooms that store cardholder data, and storage areas for large …
Modified p. 13 → 16
Non-Applicability: For all SAQs, these and any other requirements deemed not applicable to your environment must be indicated with “N/A” in the “Special” column of the SAQ. Accordingly, complete the “Explanation of Non-Applicability” worksheet in the Appendix for each “N/A” entry.
Non-Applicability: For all SAQs, these and any other requirements deemed not applicable to your environment must be indicated with “N/A” in the “Special” column of the SAQ. Accordingly, complete the “Explanation of Non-Applicability” worksheet in the SAQ Appendix for each “N/A” entry.
Modified p. 14 → 16
3. Use the appropriate Self Assessment Questionnaire as a tool to validate compliance with the PCI DSS.
4. Use the appropriate Self Assessment Questionnaire as a tool to validate compliance with the PCI DSS.
Modified p. 14 → 16
4. Follow the instructions in the appropriate Self-Assessment Questionnaire at PCI DSS Compliance - Completion Steps, and provide all required documentation to your acquirer or payment brand as appropriate.
5. Follow the instructions in the appropriate Self-Assessment Questionnaire at “PCI DSS Compliance - Completion Steps,” and provide all required documentation to your acquirer or payment brand as appropriate.