Document Comparison
aoc_saq_a.pdf
→
AOC_SAQ_A_v3-1_rev1-1.pdf
40% similar
Pages: 4 → 8
Words: 705 → 1649
18
Content Changes
18 content changes. 9 administrative changes (dates, page numbers) hidden.
Added
p. 2
Section 1: Assessment Information
Instructions for Submission
This document must be completed as a declaration of the results of the merchant’s self-assessment with the Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures (PCI DSS). Complete all sections: The merchant is responsible for ensuring that each section is completed by the relevant parties, as applicable. Contact acquirer (merchant bank) or the payment brands to determine reporting and submission procedures.
ISA Name(s) (if applicable): Title:
Part 1b. Qualified Security Assessor Company Information (if applicable)
Company Name:
Lead QSA Contact Name: Title:
What types of payment channels does your business serve? Mail order/telephone order (MOTO); E-Commerce; Card-present (face-to-face)
Which payment channels are covered by this SAQ? Mail order/telephone order (MOTO); E-Commerce; Card-present (face-to-face)
Note: If your organization has a payment channel or process that is not covered by this SAQ, consult your acquirer or payment brand about validation for the other channels.
Added
p. 3
Type of facility | Number of facilities of this type | Location(s) of facility (city, country)
Example: Retail outlets | 3 | Boston, MA, USA
Part 2d. Payment Application
Does the organization use one or more Payment Applications? Yes No
Provide the following information regarding the Payment Applications your organization uses:
Payment Application | Version Number | Application | Is application PA-DSS Listed? | PA-DSS Listing Expiry date (if applicable)
Part 2e. Description of Environment
Provide a high-level description of the environment covered by this assessment.
For example:
• Connections into and out of the cardholder data environment (CDE).
• Critical system components within the CDE, such as POS devices, databases, web servers, etc., and any other necessary payment components, as applicable.
Does your business use network segmentation to affect the scope of your PCI DSS environment? (Refer to “Network Segmentation” section of PCI DSS for guidance on network segmentation)
Added
p. 4
Note: Requirement 12.8 applies to all entities in this list.
• Merchant accepts only card-not-present (e-commerce or mail/telephone-order) transactions;
• All processing of cardholder data is entirely outsourced to PCI DSS validated third-party service providers;
• Merchant does not electronically store, process, or transmit any cardholder data on merchant systems or premises, but relies entirely on a third party(s) to handle all these functions;
• Merchant has confirmed that all third party(s) handling storage, processing, and/or transmission of cardholder data are PCI DSS compliant; and
• Merchant retains only paper reports or receipts with cardholder data, and these documents are not received electronically.
Additionally, for e-commerce channels:
All elements of the payment page(s) delivered to the consumer’s browser originate only and directly from a PCI DSS validated third-party service provider(s).
Section 2: Self-Assessment Questionnaire A
This Attestation of Compliance reflects the results of a self-assessment, which is documented in an accompanying SAQ.
The assessment documented in this attestation and in …
Added
p. 7
ASV scans are being completed by the PCI SSC Approved Scanning Vendor (ASV Name)
Part 3b. Merchant Attestation
Signature of Merchant Executive Officer Date:
Merchant Executive Officer Name: Title:
Part 3c. QSA Acknowledgement (if applicable)
If a QSA was involved or assisted with this assessment, describe the role performed:
Signature of Duly Authorized Officer of QSA Company Date:
Duly Authorized Officer Name: QSA Company:
Part 3d. ISA Acknowledgement (if applicable)
If an ISA was involved or assisted with this assessment, describe the role performed:
Signature of ISA Date:
Added
p. 8
Check with your acquirer or the payment brand(s) before completing Part 4.
PCI DSS Requirement* | Description of Requirement | Compliant to PCI DSS Requirements (Select One): YES / NO | Remediation Date and Actions (If “NO” selected for any Requirement)
9 | Restrict physical access to cardholder data | |
| Maintain a policy that addresses information security for all personnel | |
* PCI DSS Requirements indicated here refer to the questions in Section 2 of the SAQ.
Removed
p. 2
Part 2. Merchant Organization Information
Company Name: DBA(S):
Part 2a. Type of merchant business (check all that apply):
List facilities and locations included in PCI DSS review:
Part 2b. Relationships
Does your company have a relationship with one or more third-party service providers (for example, gateways, web-hosting companies, airline booking agents, loyalty program agents, etc.)? Yes No
Does your company have a relationship with more than one acquirer? Yes No
Modified
p. 2
Part 1. Qualified Security Assessor Company Information (if applicable) Company Name:
Part 1. Merchant and Qualified Security Assessor Information Part 1a. Merchant Organization Information Company Name: DBA (doing business as):
Modified
p. 2
State/Province: Country: ZIP:
State/Province: Country: Zip:
Modified
p. 2
State/Province: Country: ZIP:
State/Province: Country: Zip:
Modified
p. 2
Retailer Telecommunication Grocery and Supermarkets Petroleum E-Commerce Mail/Telephone-Order Others (please specify):
Part 2. Executive Summary Part 2a. Type of Merchant Business (check all that apply) Retailer Telecommunication Grocery and Supermarkets Petroleum E-Commerce Mail order/telephone order (MOTO) Others (please specify):
Removed
p. 3
• Merchant does not store, process, or transmit any cardholder data on merchant premises but relies entirely on third party service provider(s) to handle these functions;
• The third-party service provider(s) handling storage, processing, and/or transmission of cardholder data is confirmed to be PCI DSS compliant;
• Merchant does not store any cardholder data in electronic format; and
• If Merchant does store cardholder data, such data is only in paper reports or copies of receipts and is not received electronically.
Part 3. PCI DSS Validation Based on the results noted in the SAQ A dated (completion date), (Merchant Company Name) asserts the following compliance status (check one):
Part 3a. Confirmation of Compliant Status Merchant confirms:
Part 3b. Merchant Acknowledgement
Signature of Merchant Executive Officer; Date; Merchant Executive Officer Name; Title; Merchant Company Represented
Modified
p. 3 → 6
Compliant: All sections of the PCI SAQ are complete, and all questions answered “yes,” resulting in an overall COMPLIANT rating, thereby (Merchant Company Name) has demonstrated full compliance with the PCI DSS.
Compliant: All sections of the PCI DSS SAQ are complete, all questions answered affirmatively, resulting in an overall COMPLIANT rating; thereby (Merchant Company Name) has demonstrated full compliance with the PCI DSS.
Modified
p. 3 → 6
Non-Compliant: Not all sections of the PCI SAQ are complete, or some questions are answered “no,” resulting in an overall NON-COMPLIANT rating, thereby (Merchant Company Name) has not demonstrated full compliance with the PCI DSS.
Non-Compliant: Not all sections of the PCI DSS SAQ are complete, or not all questions are answered affirmatively, resulting in an overall NON-COMPLIANT rating, thereby (Merchant Company Name) has not demonstrated full compliance with the PCI DSS.
Modified
p. 3 → 6
An entity submitting this form with a status of Non-Compliant may be required to complete the Action Plan in Part 4 of this document. Check with your acquirer or the payment brand(s) before completing Part 4, since not all payment brands require this section.
An entity submitting this form with a status of Non-Compliant may be required to complete the Action Plan in Part 4 of this document. Check with your acquirer or the payment brand(s) before completing Part 4.
Modified
p. 3 → 6
PCI DSS Self-Assessment Questionnaire A, Version (SAQ version #), was completed according to the instructions therein.
PCI DSS Self-Assessment Questionnaire A, Version (version of SAQ), was completed according to the instructions therein.
Modified
p. 3 → 6
All information within the above-referenced SAQ and in this attestation fairly represents the results of my assessment.
All information within the above-referenced SAQ and in this attestation fairly represents the results of my assessment in all material respects.
Modified
p. 3 → 6
I have read the PCI DSS and I recognize that I must maintain full PCI DSS compliance at all times.
I have read the PCI DSS and I recognize that I must maintain PCI DSS compliance, as applicable to my environment, at all times.
Removed
p. 4
PCI DSS Requirement | Description of Requirement | Compliance Status (Select One): YES / NO | Remediation Date and Actions (if Compliance Status is “NO”)
9 | Restrict physical access to cardholder data | |
12 | Maintain a policy that addresses information security | |