Document Comparison
SAQ_D_v3_ServiceProvider.pdf
→
PCI_DSS_v3-1_SAQ_D_ServiceProvider_rev1-1.pdf
89% similar
87 → 92
Pages
21700 → 23001
Words
114
Content Changes
Content Changes
114 content changes. 33 administrative changes (dates, page numbers) hidden.
Added
p. 2
July 2015 3.1 1.1 Updated to remove references to “best practices” prior to June 30, 2015, and remove the PCI DSS v2 reporting option for Requirement 11.3.
Added
p. 9
Type of facility Number of facilities of this type Location(s) of facility (city, country) Example: Retail outlets 3 Boston, MA, USA
Added
p. 13
Review firewall configuration standards Observe network configurations to verify that a firewall(s) is in place (b) Is the current network diagram consistent with the firewall configuration standards?
Added
p. 14
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 1.2 Do firewall and router configurations restrict connections between untrusted networks and any system in the cardholder data environment as follows:
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 1.3 Is direct public access prohibited between the Internet and any system component in the cardholder data environment, as follows:
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 1.3 Is direct public access prohibited between the Internet and any system component in the cardholder data environment, as follows:
Added
p. 20
Review configuration standards Examine configuration settings If SSL/early TLS is used:
Review documentation that verifies POS POI devices are not susceptible to any known exploits for SSL/early TLS Review Risk Mitigation and Migration Plan
Review documentation that verifies POS POI devices are not susceptible to any known exploits for SSL/early TLS Review Risk Mitigation and Migration Plan
Added
p. 23
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested (e) For POS POI terminals (and the SSL/TLS termination points to which they connect) using SSL and/or early TLS and for which the entity asserts are not susceptible to any known exploits for those protocols: Is there documentation (for example, vendor documentation, system/network configuration details, etc.) that verifies the devices are not susceptible to any known exploits for SSL/early TLS? Review documentation that verifies POS POI devices are not susceptible to any known exploits for SSL/early TLS (f) For all other environments using SSL and/or early TLS:
Does the documented Risk Mitigation and Migration Plan include the following? Description of usage, including; what data is being transmitted, types and number of systems that use and/or support SSL/early TLS, type of environment; Risk assessment results and risk reduction controls in …
Does the documented Risk Mitigation and Migration Plan include the following? Description of usage, including; what data is being transmitted, types and number of systems that use and/or support SSL/early TLS, type of environment; Risk assessment results and risk reduction controls in …
Added
p. 29
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 3.5 Are keys used to secure stored cardholder data protected against disclosure and misuse as follows:
Added
p. 32
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 3.6.7 Do cryptographic key procedures include the prevention of unauthorized substitution of cryptographic keys?
Examine system configurations (f) For POS POI terminals (and the SSL/TLS termination points to which they connect) using SSL and/or early TLS and for which the entity asserts are not susceptible to any known exploits for those protocols:
Is there documentation (for example, vendor documentation, system/network configuration details, etc.) that verifies the devices are not susceptible to any known exploits for SSL/early TLS? Review documentation that verifies POS POI devices are not susceptible to any known exploits for SSL/early TLS (g) For all other environments using SSL and/or early TLS:
Does the documented Risk Mitigation and Migration Plan include the following? Description of usage, including; what data is being transmitted, types and number of systems that use …
Examine system configurations (f) For POS POI terminals (and the SSL/TLS termination points to which they connect) using SSL and/or early TLS and for which the entity asserts are not susceptible to any known exploits for those protocols:
Is there documentation (for example, vendor documentation, system/network configuration details, etc.) that verifies the devices are not susceptible to any known exploits for SSL/early TLS? Review documentation that verifies POS POI devices are not susceptible to any known exploits for SSL/early TLS (g) For all other environments using SSL and/or early TLS:
Does the documented Risk Mitigation and Migration Plan include the following? Description of usage, including; what data is being transmitted, types and number of systems that use …
Added
p. 43
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 6.5 (a) Do software-development processes address common coding vulnerabilities?
- At least annually - After any changes - By an organization that specializes in application security - That, at a minimum, all vulnerabilities in
- Is situated in front of public-facing web applications to detect and prevent web-based attacks. - Is actively running and up to date as applicable. - Is generating audit logs. - Is configured to either block web-based attacks, or generate an alert that is immediately investigated.
- At least annually - After any changes - By an organization that specializes in application security - That, at a minimum, all vulnerabilities in
- Is situated in front of public-facing web applications to detect and prevent web-based attacks. - Is actively running and up to date as applicable. - Is generating audit logs. - Is configured to either block web-based attacks, or generate an alert that is immediately investigated.
Added
p. 60
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 9.8 (a) Is all media destroyed when it is no longer needed for business or legal reasons?
Added
p. 78
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 12.3.1 Explicit approval by authorized parties to use the technologies?
Added
p. 82
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 12.8.3 Is there an established process for engaging service providers, including proper due diligence prior to engagement?
Review incident response plan procedures Specific incident response procedures? Review incident response plan procedures Business recovery and continuity procedures? Review incident response plan procedures Data backup processes? Review incident response plan procedures Analysis of legal requirements for reporting compromises?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 12.10.4 Is appropriate training provided to staff with security breach response responsibilities?
Review incident response plan procedures Specific incident response procedures? Review incident response plan procedures Business recovery and continuity procedures? Review incident response plan procedures Data backup processes? Review incident response plan procedures Analysis of legal requirements for reporting compromises?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 12.10.4 Is appropriate training provided to staff with security breach response responsibilities?
Modified
p. 5 → 6
The questions specific to securing wireless technologies (for example, Requirements 1.2.3, 2.1.1, and 4.1.1) only need to be answered if wireless is present anywhere in your network. Note that Requirement 11.1 (use of processes to identify unauthorized wireless access points) must still be
The questions specific to securing wireless technologies (for example, Requirements 1.2.3, 2.1.1, and 4.1.1) only need to be answered if wireless is present anywhere in your network. Note that Requirement 11.1 (use of processes to identify unauthorized wireless access points) must still be answered even if you don’t use wireless technologies in your network, since the process detects any rogue or unauthorized devices that may have been added without your knowledge.
Modified
p. 9
Part 2c. Locations List types of facilities and a summary of locations included in the PCI DSS review (for example, retail outlets, corporate offices, data centers, call centers, etc.) Type of facility: Location(s) of facility (city, country):
Part 2c. Locations List types of facilities (for example, retail outlets, corporate offices, data centers, call centers, etc.) and a summary of locations included in the PCI DSS review.
Removed
p. 12
Interview personnel 1.1.4 (a) Is a firewall required and implemented at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone? Review firewall configuration standards Observe network configurations to verify that a firewall(s) is in place
Modified
p. 12
(b) Is there a process to ensure the diagram is kept current?
(b) Is there a process to ensure the diagram is kept current? Interview personnel
Modified
p. 13
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested (b) Is the current network diagram consistent with the firewall configuration standards?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 1.1.4 (a) Is a firewall required and implemented at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone?
Modified
p. 13
Review firewall and router configuration standards (b) Are firewall and router rule sets reviewed at least every six months? Examine documentation from firewall reviews 1.2 Do firewall and router configurations restrict connections between untrusted networks and any system in the cardholder data environment as follows:
Review firewall and router configuration standards (b) Are firewall and router rule sets reviewed at least every six months? Examine documentation from firewall reviews
Modified
p. 14
Review firewall and router configuration standards Examine router configuration files and router configurations 1.2.3 Are perimeter firewalls installed between all wireless networks and the cardholder data environment, and are these firewalls configured to deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment? Review firewall and router configuration standards Examine firewall and router configurations 1.3 Is direct public access prohibited between the Internet and …
Review firewall and router configuration standards Examine router configuration files and router configurations 1.2.3 Are perimeter firewalls installed between all wireless networks and the cardholder data environment, and are these firewalls configured to deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment? Review firewall and router configuration standards Examine firewall and router configurations
Modified
p. 14 → 15
Examine firewall and router configurations 1.3.3 Are direct connections prohibited for inbound or outbound traffic between the Internet and the cardholder data environment? Examine firewall and router configurations
Examine firewall and router configurations 1.3.3 Are direct connections prohibited for inbound or outbound traffic between the Internet and the cardholder data environment?
Modified
p. 15
Examine firewall and router configurations 1.3.4 Are anti-spoofing measures implemented to detect and block forged sourced IP addresses from entering the network?
Modified
p. 15
Examine firewall and router configurations 1.3.7 Are system components that store cardholder data (such as a database) placed in an internal network zone, segregated from the DMZ and other untrusted networks?
Examine firewall and router configurations 1.3.7 Are system components that store cardholder data (such as a database) placed in an internal network zone, segregated from the DMZ and other untrusted networks? Examine firewall and router configurations
Modified
p. 15 → 16
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 1.3.8 (a) Are methods in place to prevent the disclosure of private IP addresses and routing information to the Internet? Note: Methods to obscure IP addressing may include, but are not limited to:
Modified
p. 15 → 16
Examine firewall and router configurations (b) Is any disclosure of private IP addresses and routing information to external entities authorized? Examine firewall and router configurations Interview personnel
Examine firewall and router configurations (b) Is any disclosure of private IP addresses and routing information to external entities authorized?
Modified
p. 16
Examine firewall and router configurations Interview personnel 1.4 (a) Is personal firewall software installed and active on any mobile and/or employee-owned devices that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the network?
Modified
p. 19
Examine system configurations (b) If virtualization technologies are used, is only one primary function implemented per virtual system component or device?
Examine system configurations (b) If virtualization technologies are used, is only one primary function implemented per virtual system component or device? Examine system configurations
Modified
p. 19 → 20
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 2.2.2 (a) Are only necessary services, protocols, daemons, etc. enabled as required for the function of the system (services and protocols not directly needed to perform the device’s specified function are disabled)?
Modified
p. 20
Review configuration standards Examine system configurations (b) Are all enabled insecure services, daemons, or protocols justified per documented configuration standards?
Modified
p. 20
Review configuration standards Interview personnel Examine configuration settings Compare enabled services, etc. to documented justifications 2.2.3 Are additional security features documented and implemented for any required services, protocols or daemons that are considered to be insecure? For example, use secured technologies such as SSH, S- FTP, SSL or IPSec VPN to protect insecure services such as NetBIOS, file-sharing, Telnet, FTP, etc.
Review configuration standards Interview personnel Examine configuration settings Compare enabled services, etc. to documented justifications 2.2.3 Are additional security features documented and implemented for any required services, protocols or daemons that are considered to be insecure? For example, use secured technologies such as SSH, S- FTP, TLS, or IPSec VPN to protect insecure services such as NetBIOS, file-sharing, Telnet, FTP, etc.
Modified
p. 20 → 21
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 2.2.4 (a) Are system administrators and/or personnel that configure system components knowledgeable about common security parameter settings for those system components?
Modified
p. 21 → 22
Use technologies such as SSH, VPN, or SSL/TLS for web- based management and other non-console administrative access.
Use technologies such as SSH, VPN, or TLS for web- based management and other non-console administrative access.
Modified
p. 21 → 22
Examine system components Observe an administrator log on (d) For the technology in use, is strong cryptography implemented according to industry best practice and/or vendor recommendations?
Examine system components Observe an administrator log on (d) For the technology in use, is strong cryptography implemented according to industry best practice and/or vendor recommendations? Examine system components Review vendor documentation Interview personnel
Modified
p. 21 → 23
Review Risk Mitigation and Migration Plan 2.4 (a) Is an inventory maintained for systems components that are in scope for PCI DSS, including a list of hardware and software components and a description of function/use for each? Examine system inventory (b) Is the documented inventory kept current? Interview personnel
Modified
p. 21 → 24
Documented Known to all affected parties? Review security policies and operational procedures Interview personnel
Documented Known to all affected parties?
Removed
p. 22
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 2.6 If you are a shared hosting provider, are your systems configured to protect each entity’s (your customers’) hosted environment and cardholder data? See Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers for specific requirements that must be met.
Modified
p. 23 → 25
(a) Is data storage amount and retention time limited to that required for legal, regulatory, and business requirements?
(a) Is data storage amount and retention time limited to that required for legal, regulatory, and/or business requirements?
Modified
p. 23 → 25
Review data retention and disposal policies and procedures Interview personnel (b) Are there defined processes in place for securely deleting cardholder data when no longer needed for legal, regulatory, or business reasons?
Review data retention and disposal policies and procedures Interview personnel (b) Are there defined processes in place for securely deleting cardholder data when no longer needed for legal, regulatory, and/or business reasons?
Modified
p. 26 → 28
Note: It is a relatively trivial effort for a malicious individual to reconstruct original PAN data if they have access to both the truncated and hashed version of a PAN. Where hashed and truncated versions of the same PAN are present in an entity’s environment, additional controls should be in place to ensure that the hashed and truncated versions cannot be correlated to reconstruct the original PAN.
Note: It is a relatively trivial effort for a malicious individual to reconstruct original PAN data if they have access to both the truncated and hashed version of a PAN. Where hashed and truncated versions of the same PAN are present in an entity’s environment, additional controls must be in place to ensure that the hashed and truncated versions cannot be correlated to reconstruct the original PAN.
Modified
p. 26 → 28
Examine system configurations Observe the authentication process (b) Are cryptographic keys stored securely (for example, stored on removable media that is adequately protected with strong access controls)? Observe processes Interview personnel
Examine system configurations Observe the authentication process (b) Are cryptographic keys stored securely (for example, stored on removable media that is adequately protected with strong access controls)?
Modified
p. 27 → 28
Observe processes Interview personnel (c) Is cardholder data on removable media encrypted wherever stored? Note: If disk encryption is not used to encrypt removable media, the data stored on this media will need to be rendered unreadable through some other method.
Modified
p. 27 → 28
Examine system configurations Observe processes 3.5 Are keys used to secure stored cardholder data protected against disclosure and misuse as follows:
Examine system configurations Observe processes
Modified
p. 27 → 29
Examine user access lists 3.5.2 Are secret and private cryptographic keys used to encrypt/decrypt cardholder data stored in in one (or more) of the following forms at all times? Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the data-encrypting key Within a secure cryptographic device (such as a host security module (HSM) or PTS-approved point-of- interaction device) As at least two full-length key …
Examine user access lists 3.5.2 Are secret and private cryptographic keys used to encrypt/decrypt cardholder data stored in one (or more) of the following forms at all times? Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the data-encrypting key Within a secure cryptographic device (such as a hardware (host) security module (HSM) or PTS- approved point-of-interaction device) As at least two full-length key …
Modified
p. 29 → 31
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 3.6.5 (a) Do cryptographic key procedures include retirement or replacement (for example, archiving, destruction, and/or revocation) of cryptographic keys when the integrity of the key has been weakened (for example, departure of an employee with knowledge of a clear- text key)?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 3.6.5 (a) Do cryptographic key procedures include retirement or replacement (for example, archiving, destruction, and/or revocation) of cryptographic keys when the integrity of the key has been weakened (for example, departure of an employee with knowledge of a clear-text key)?
Modified
p. 29 → 31
Review key-management procedures Interview personnel and/or Observe processes 3.6.7 Do cryptographic key procedures include the prevention of unauthorized substitution of cryptographic keys? Review procedures Interview personnel and/or Observe processes
Review key-management procedures Interview personnel and/or Observe processes
Modified
p. 30 → 32
Review procedures Interview personnel and/or Observe processes 3.6.8 Are cryptographic key custodians required to formally acknowledge (in writing or electronically) that they understand and accept their key-custodian responsibilities? Review procedures Review documentation or other evidence 3.7 Are security policies and operational procedures for protecting stored cardholder data:
Modified
p. 31 → 33
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 4.1 (a) Are strong cryptography and security protocols, such as SSL/TLS, SSH or IPSEC, used to safeguard sensitive cardholder data during transmission over open, public networks? Examples of open, public networks include but are not limited to the Internet; wireless technologies, including 802.11 and Bluetooth; cellular technologies, for example, Global System for Mobile communications (GSM), Code division multiple access (CDMA); and …
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 4.1 (a) Are strong cryptography and security protocols, such as TLS, SSH or IPSEC, used to safeguard sensitive cardholder data during transmission over open, public networks? Examples of open, public networks include but are not limited to the Internet; wireless technologies, including 802.11 and Bluetooth; cellular technologies, for example, Global System for Mobile communications (GSM), Code division multiple access (CDMA); and …
Modified
p. 31 → 33
Examine system configurations (d) Is the proper encryption strength implemented for the encryption methodology in use (check vendor recommendations/best practices)?
Examine system configurations (d) Is the proper encryption strength implemented for the encryption methodology in use (check vendor recommendations/best practices)? Review vendor documentation Examine system configurations
Modified
p. 31 → 34
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested (e) For TLS implementations, is TLS enabled whenever cardholder data is transmitted or received? For example, for browser-based implementations:
Modified
p. 32 → 35
Review documented standards Review wireless networks Examine system configuration settings 4.2 (a) Are PANs rendered unreadable or secured with strong cryptography whenever they are sent via end- user messaging technologies (for example, e-mail, instant messaging, or chat)?
Review documented standards Review wireless networks Examine system configuration settings 4.2 (a) Are PANs rendered unreadable or secured with strong cryptography whenever they are sent via end-user messaging technologies (for example, e-mail, instant messaging, SMS, chat, etc.)?
Removed
p. 39
Trace changes to change control documentation Examine change control documentation 6.4.5.4 Back-out procedures? Trace changes to change control documentation Examine change control documentation 6.5 (a) Do software-development processes address common coding vulnerabilities?
Modified
p. 39 → 42
Trace changes to change control documentation Examine change control documentation (b) For custom code changes, testing of updates for compliance with PCI DSS Requirement 6.5 before being deployed into production?
Trace changes to change control documentation Examine change control documentation (b) For custom code changes, testing of updates for compliance with PCI DSS Requirement 6.5 before being deployed into production? Trace changes to change control documentation Examine change control documentation 6.4.5.4 Back-out procedures? Trace changes to change control documentation Examine change control documentation
Modified
p. 40 → 43
Examine software-development policies and procedures Interview responsible personnel 6.5.3 Do coding techniques address insecure cryptographic storage?
Examine software-development policies and procedures Interview responsible personnel 6.5.3 Do coding techniques address insecure cryptographic storage? Examine software-development policies and procedures Interview responsible personnel 6.5.4 Do coding techniques address insecure communications? Examine software-development policies and procedures Interview responsible personnel
Modified
p. 40 → 44
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 6.5.5 Do coding techniques address improper error handling? Examine software-development policies and procedures Interview responsible personnel 6.5.6 Do coding techniques address all “high risk” vulnerabilities identified in the vulnerability identification process (as defined in PCI DSS Requirement 6.1)? Examine software-development policies and procedures Interview responsible personnel For web applications and application interfaces (internal or external), are applications …
Modified
p. 40 → 44
Examine software-development policies and procedures Interview responsible personnel 6.5.8 Do coding techniques address improper access control such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions? Examine software-development policies and procedures Interview responsible personnel
Examine software-development policies and procedures Interview responsible personnel 6.5.8 Do coding techniques address improper access control such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions?
Modified
p. 41 → 44
Examine software-development policies and procedures Interview responsible personnel 6.5.9 Do coding techniques address cross-site request forgery (CSRF)?
Modified
p. 41 → 44
Examine software-development policies and procedures Interview responsible personnel 6.5.10 Do coding techniques address broken authentication and session management? Note: Requirement 6.5.10 is a best practice until June 30, 2015, after which it becomes a requirement.
Examine software-development policies and procedures Interview responsible personnel 6.5.10 Do coding techniques address broken authentication and session management? Examine software-development policies and procedures Interview responsible personnel
Modified
p. 41 → 45
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 6.6 For public-facing web applications, are new threats and vulnerabilities addressed on an ongoing basis, and are these applications protected against known attacks by applying either of the following methods? Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, as follows:
Modified
p. 41 → 45
Note: This assessment is not the same as the vulnerability scans performed for Requirement 11.2.
Requirement 6.5 are included in the assessment - That all vulnerabilities are corrected - That the application is re-evaluated after the corrections Note: This assessment is not the same as the vulnerability scans performed for Requirement 11.2.
Modified
p. 41 → 45
Installing an automated technical solution that detects and prevents web-based attacks (for example, a web- application firewall) in front of public-facing web applications to continually check all traffic.
Installing an automated technical solution that detects and prevents web-based attacks (for example, a web- application firewall) as follows:
Modified
p. 45 → 49
Review password procedures Examine terminated users accounts Review current access lists Observe returned physical authentication devices 8.1.4 Are inactive user accounts over 90 days old either removed or disabled?
Review password procedures Examine terminated users accounts Review current access lists Observe returned physical authentication devices 8.1.4 Are inactive user accounts either removed or disabled within 90 days?
Modified
p. 47 → 51
A minimum password length of at least seven characters Contain both numeric and alphabetic characters Review customer/user documentation Observe internal processes 8.2.4 (a) Are user passwords/passphrases changed at least every 90 days? Review password procedures Examine system configuration settings (b) For service providers only: Are non-consumer customer passwords required to be changed periodically, and are non-consumer customers given guidance as to when, and under what circumstances, passwords must change.
A minimum password length of at least seven characters Contain both numeric and alphabetic characters Review customer/user documentation Observe internal processes 8.2.4 (a) Are user passwords/passphrases changed at least once every 90 days? Review password procedures Examine system configuration settings (b) For service providers only: Are non-consumer customer passwords required to be changed periodically, and are non-consumer customers given guidance as to when, and under what circumstances, passwords must change.
Modified
p. 48 → 52
Review policies and procedures Examine system configurations Observe personnel 8.4 (a) Are authentication procedures and policies documented and communicated to all users? Review policies and procedures Review distribution method Interview personnel Interview users
Review policies and procedures Examine system configurations Observe personnel 8.4 (a) Are authentication policies and procedures documented and communicated to all users? Review policies and procedures Review distribution method Interview personnel Interview users
Removed
p. 49
Note: Requirement 8.5.1 is a best practice until June 30, 2015, after which it becomes a requirement.
Modified
p. 49 → 53
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested (b) Do authentication procedures and policies include the following? Guidance on selecting strong authentication credentials Guidance for how users should protect their authentication credentials Instructions not to reuse previously used passwords Instructions that users should change passwords if there is any suspicion the password could be compromised Review policies and procedures Review documentation provided to …
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested (b) Do authentication policies and procedures include the following? Guidance on selecting strong authentication credentials Guidance for how users should protect their authentication credentials Instructions not to reuse previously used passwords Instructions that users should change passwords if there is any suspicion the password could be compromised Review policies and procedures Review documentation provided to …
Modified
p. 49 → 53
Generic user IDs and accounts are disabled or removed; Shared user IDs for system administration activities and other critical functions do not exist; and Shared and generic user IDs are not used to administer any system components?
Modified
p. 50 → 54
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 8.6 Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, and certificates, etc.), is the use of these mechanisms assigned as follows? Authentication mechanisms must be assigned to an individual account and not shared among multiple accounts Physical and/or logical controls must be in place to ensure only the intended account can use …
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 8.6 Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, and certificates, etc.), is the use of these mechanisms assigned as follows? Authentication mechanisms must be assigned to an individual account and not shared among multiple accounts Physical and/or logical controls must be in place to ensure only the intended account can use …
Modified
p. 52 → 56
Observe physical access controls Observe personnel 9.1.1 (a) Are video cameras and/or access-control mechanisms in place to monitor individual physical access to sensitive areas? Note: “Sensitive areas” refers to any data center, server room, or any area that houses systems that store cardholder data. This excludes pubic-facing areas where only point-of-sale terminals are present such as the cashier areas in a retail store.
Observe physical access controls Observe personnel 9.1.1 (a) Are video cameras and/or access-control mechanisms in place to monitor individual physical access to sensitive areas? Note: “Sensitive areas” refers to any data center, server room, or any area that houses systems that store, process, or transmit cardholder data. This excludes public-facing areas where only point-of-sale terminals are present such as the cashier areas in a retail store.
Modified
p. 53 → 57
Identifying new onsite personnel or visitors (for example, assigning badges), Changing access requirements, and Revoking terminated onsite personnel and expired visitor identification (such as ID badges) For the purposes of Requirement 9, “onsite personnel” refers to full-time and part-time employees, temporary employees, contractors and consultants who are physically present on the entity’s premises. A “visitor” refers to a vendor, guest of any onsite personnel, service workers, or anyone who needs to enter the facility for a short …
Identifying onsite personnel and visitors (for example, assigning badges), Changing access requirements, and Revoking terminated onsite personnel and expired visitor identification (such as ID badges) For the purposes of Requirement 9, “onsite personnel” refers to full-time and part-time employees, temporary employees, contractors and consultants who are physically present on the entity’s premises. A “visitor” refers to a vendor, guest of any onsite personnel, service workers, or anyone who needs to enter the facility for a short duration, …
Removed
p. 55
Examine inventory logs Interview personnel 9.8 (a) Is all media destroyed when it is no longer needed for business or legal reasons? Review periodic media destruction policies and procedures
Modified
p. 55 → 59
Review policies and procedures 9.7.1 (a) Are inventory logs of all media properly maintained? Examine inventory logs (b) Are periodic media inventories conducted at least annually?
Review policies and procedures 9.7.1 (a) Are inventory logs of all media properly maintained? Examine inventory logs (b) Are periodic media inventories conducted at least annually? Examine inventory logs Interview personnel
Modified
p. 56 → 60
Review periodic media destruction policies and procedures (b) Is there a periodic media destruction policy that defines requirements for the following? Hard-copy materials must be crosscut shredded, incinerated, or pulped such that there is reasonable assurance the hard-copy materials cannot be reconstructed.
Modified
p. 56 → 60
Cardholder data on electronic media must be rendered unrecoverable via a secure wipe program (in accordance with industry-accepted standards for secure deletion), or by physically destroying the media.
Cardholder data on electronic media must be rendered unrecoverable (e.g., via a secure wipe program in accordance with industry-accepted standards for secure deletion, or by physically destroying the media).
Modified
p. 56 → 60
Examine security of storage containers 9.8.2 Is cardholder data on electronic media rendered unrecoverable via a secure wipe program in accordance with industry-accepted standards for secure deletion, or otherwise by physically destroying the media, so that cardholder data cannot be reconstructed? Observe processes Interview personnel
Examine security of storage containers 9.8.2 Is cardholder data on electronic media rendered unrecoverable (e.g. via a secure wipe program in accordance with industry-accepted standards for secure deletion, or otherwise by physically destroying the media), so that cardholder data cannot be reconstructed? Observe processes Interview personnel
Removed
p. 57
Note: Requirement 9.9 is a best practice until June 30, 2015, after which it becomes a requirement.
Modified
p. 57 → 61
(a) Do policies and procedures require that a list of such devices maintained?
(a) Do policies and procedures require that a list of such devices be maintained?
Modified
p. 57 → 61
Make, model of device Location of device (for example, the address of the site or facility where the device is located) Device serial number or other method of unique identification Examine the list of devices (b) Is the list accurate and up to date? Observe device locations and compare to list (c) Is the list of devices updated when devices are added, relocated, decommissioned, etc.? Interview personnel
Make, model of device Location of device (for example, the address of the site or facility where the device is located) Device serial number or other method of unique identification Examine the list of devices (b) Is the list accurate and up to date? Observe devices and device locations and compare to list (c) Is the list of devices updated when devices are added, relocated, decommissioned, etc.? Interview personnel
Modified
p. 64 → 68
All security events Logs of all system components that store, process, or transmit CHD and/or SAD, or that could impact the security of CHD and/or SAD Logs of all critical system components Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e- commerce redirection servers, etc.) Review security policies and procedures (b) Are the above logs and security events reviewed at least daily?
All security events Logs of all system components that store, process, or transmit CHD and/or SAD Logs of all critical system components Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e- commerce redirection servers, etc.) Review security policies and procedures (b) Are the above logs and security events reviewed at least daily?
Modified
p. 66 → 70
Evaluate the methodology (c) Is the scan to identify authorized and unauthorized wireless access points performed at least quarterly for all system components and facilities?
Evaluate the methodology (c) If wireless scanning is utilized to identify authorized and unauthorized wireless access points, is the scan performed at least quarterly for all system components and facilities?
Modified
p. 66 → 70
Examine configuration settings 11.1.1 Is an inventory of authorized wireless access points maintained and a business justification documented for all authorized wireless access points?
Examine configuration settings 11.1.1 Is an inventory of authorized wireless access points maintained and a business justification documented for all authorized wireless access points? Examine inventory records
Modified
p. 66 → 71
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 11.1.2 (a) Does the incident response plan define and require a response in the event that an unauthorized wireless access point is detected?
Modified
p. 67 → 71
Examine incident response plan (see Requirement 12.10) (b) Is action taken when unauthorized wireless access points are found? Interview responsible personnel Inspect recent wireless scans and related responses 11.2 Are internal and external network vulnerability scans run at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades), as follows:
Modified
p. 67 → 71
For initial PCI DSS compliance, it is not required that four quarters of passing scans be completed if the assessor verifies 1) the most recent scan result was a passing scan, 2) the entity has documented policies and procedures requiring quarterly scanning, and 3) vulnerabilities noted in the scan results have been corrected as shown in a re- scan(s). For subsequent years after the initial PCI DSS review, four quarters of passing scans must have occurred.
For initial PCI DSS compliance, it is not required that four quarters of passing scans be completed if the assessor verifies 1) the most recent scan result was a passing scan, 2) the entity has documented policies and procedures requiring quarterly scanning, and 3) vulnerabilities noted in the scan results have been corrected as shown in a re-scan(s). For subsequent years after the initial PCI DSS review, four quarters of passing scans must have occurred.
Modified
p. 68 → 72
Review results from the four most recent quarters of external vulnerability scans (b) Do external quarterly scan and rescan results satisfy the ASV Program Guide requirements for a passing scan (for example, no vulnerabilities rated 4.0 or higher by the CVSS, and no automatic failures)?
Review results from the four most recent quarters of external vulnerability scans (b) Do external quarterly scan and rescan results satisfy the ASV Program Guide requirements for a passing scan (for example, no vulnerabilities rated 4.0 or higher by the CVSS, and no automatic failures)? Review results of each external quarterly scan and rescan (c) Are quarterly external vulnerability scans performed by a
Modified
p. 69 → 73
Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) Includes coverage for the entire CDE perimeter and critical systems Includes testing from both inside and outside the network Includes testing to validate any segmentation and scope-reduction controls Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5 Defines network-layer penetration tests to include components that support network functions as well as operating systems Includes review and …
Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) Includes coverage for the entire CDE perimeter and critical systems Includes testing from both inside and outside the network Includes testing to validate any segmentation and scope- reduction controls Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5 Defines network-layer penetration tests to include components that support network functions as well as operating systems Includes review …
Modified
p. 69 → 73
Examine scope of work Examine results from the most recent external penetration test (b) Are tests performed by a qualified internal resource or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)? Examine scope of work Interview responsible personnel
Examine scope of work Examine results from the most recent external penetration test (b) Are tests performed by a qualified internal resource or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)? Interview responsible personnel
Modified
p. 70 → 74
Interview responsible personnel 11.3.3 Are exploitable vulnerabilities found during penetration testing corrected, followed by repeated testing to verify the corrections? Examine penetration testing results If segmentation is used to isolate the CDE from other networks:
Modified
p. 70 → 74
(a) Are penetration-testing procedures defined to test all segmentation methods, to confirm they are operational and effective, and isolate all out-of-scope systems from in-scope systems?
(a) Are penetration-testing procedures defined to test all segmentation methods, to confirm they are operational and effective, and isolate all out-of-scope systems from systems in the CDE?
Modified
p. 70 → 74
Examine segmentation controls Review penetration-testing methodology (b) Does penetration testing to verify segmentation controls meet the following? Performed at least annually and after any changes to segmentation controls/methods Covers all segmentation controls/methods in use Verifies that segmentation methods are operational and effective, and isolate all out-of-scope systems from in-scope systems.
Examine segmentation controls Review penetration-testing methodology (b) Does penetration testing to verify segmentation controls meet the following? Performed at least annually and after any changes to segmentation controls/methods Covers all segmentation controls/methods in use Verifies that segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.
Modified
p. 71 → 75
Examine system configurations Interview responsible personnel (c) Are all intrusion-detection and prevention engines, baselines, and signatures kept up-to-date? Examine IDS/IPS configurations Examine vendor documentation 11.5 (a) Is a change-detection mechanism (for example, file- integrity monitoring tools) deployed within the cardholder data environment to detect unauthorized modification of critical system files, configuration files, or content files? Examples of files that should be monitored include:
Examine system configurations Interview responsible personnel (c) Are all intrusion-detection and prevention engines, baselines, and signatures kept up-to-date? Examine IDS/IPS configurations Examine vendor documentation 11.5 (a) Is a change-detection mechanism (for example, file- integrity monitoring tools) deployed within the cardholder data environment to detect unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files? Examples of files that should be monitored include:
Modified
p. 72 → 76
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested (b) Is the change-detection mechanism configured to alert personnel to unauthorized modification of critical system files, configuration files or content files, and do the tools perform critical file comparisons at least weekly? Note: For change detection purposes, critical files are usually those that do not regularly change, but the modification of which could indicate a system compromise or risk of compromise. …
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested (b) Is the change-detection mechanism configured to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files or content files, and do the tools perform critical file comparisons at least weekly? Note: For change detection purposes, critical files are usually those that do not regularly change, but the modification of which could indicate a system …
Modified
p. 72 → 76
Documented Known to all affected parties? Examine security policies and operational procedures Interview personnel
Removed
p. 73
Review annual risk assessment process Interview personnel (b) Does the risk assessment process result in a formal risk assessment?
Modified
p. 73 → 77
Review the information security policy Interview responsible personnel 12.2 (a) Is an annual risk assessment process implemented that identifies assets, threats, and vulnerabilities? Examples of risk assessment methodologies include but are not limited to OCTAVE, ISO 27005 and NIST SP 800-30.
Review the information security policy Interview responsible personnel 12.2 (a) Is an annual risk assessment process implemented Identifies critical assets, threats, and vulnerabilities, Results in a formal, documented analysis of risk? Examples of risk assessment methodologies include but are not limited to OCTAVE, ISO 27005 and NIST SP 800- 30.
Modified
p. 73 → 77
Review the formal risk assessment (c) Is the risk assessment process performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.)? Review risk assessment documentation Interview responsible personnel 12.3 Are usage policies for critical technologies developed to define proper use of these technologies and require the following:
Review annual risk assessment process Interview personnel (b) Is the risk assessment process performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.)? Review risk assessment documentation Interview responsible personnel 12.3 Are usage policies for critical technologies developed to define proper use of these technologies and require the following:
Modified
p. 74 → 78
Review usage policies Interview responsible personnel 12.3.2 Authentication for use of the technology? Review usage policies Interview responsible personnel 12.3.3 A list of all such devices and personnel with access? Review usage policies Interview responsible personnel 12.3.4 A method to accurately and readily determine owner, contact information, and purpose (for example, labeling, coding, and/or inventorying of devices)?
Modified
p. 74 → 78
Review usage policies Interview responsible personnel 12.3.9 Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use?
Review usage policies Interview responsible personnel 12.3.9 Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use? Review usage policies Interview responsible personnel
Modified
p. 74 → 79
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 12.3.10 (a) For personnel accessing cardholder data via remote- access technologies, does the policy specify the prohibition of copying, moving, and storage of cardholder data onto local hard drives and removable electronic media, unless explicitly authorized for a defined business need? Where there is an authorized business need, the usage policies must require the data be protected in accordance with all …
Modified
p. 74 → 79
Review usage policies Interview responsible personnel
Review usage policies Interview responsible personnel (b) For personnel with proper authorization, does the policy require the protection of cardholder data in accordance with PCI DSS Requirements?
Removed
p. 75
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested (b) For personnel with proper authorization, does the policy require the protection of cardholder data in accordance with PCI DSS Requirements?
Modified
p. 75 → 79
Review information security policy and procedures 12.5.4 Administering user accounts, including additions, deletions, and modifications?
Review information security policy and procedures 12.5.4 Administering user accounts, including additions, deletions, and modifications? Review information security policy and procedures
Modified
p. 75 → 80
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 12.5.5 Monitoring and controlling all access to data? Review information security policy and procedures 12.6 (a) Is a formal security awareness program in place to make all personnel aware of the importance of cardholder data security? Review security awareness program (b) Do security awareness program procedures include the following:
Modified
p. 76 → 80
Interview personnel 12.6.2 Are personnel required to acknowledge at least annually that they have read and understood the security policy and procedures?
Interview personnel 12.6.2 Are personnel required to acknowledge at least annually that they have read and understood the security policy and procedures? Examine security awareness program procedures and documentation
Modified
p. 76 → 81
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 12.7 Are potential personnel (see definition of “personnel” above) screened prior to hire to minimize the risk of attacks from internal sources? Examples of background checks include previous employment history, criminal record, credit history and reference checks.
Modified
p. 77 → 81
Observe written agreements Review policies and procedures 12.8.3 Is there an established process for engaging service providers, including proper due diligence prior to engagement?
Observe written agreements Review policies and procedures
Modified
p. 77 → 82
Observe processes Review policies and procedures and supporting documentation 12.8.5 Is information maintained about which PCI DSS requirements are managed by each service provider, and which are managed by the entity? Observe processes Review policies and procedures and supporting documentation
Observe processes Review policies and procedures and supporting documentation 12.8.5 Is information maintained about which PCI DSS requirements are managed by each service provider, and which are managed by the entity?
Modified
p. 78 → 82
Observe processes Review policies and procedures and supporting documentation 12.9 For service providers only: Do service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment? Note: The exact wording of an acknowledgement will depend on the agreement between the two …
Modified
p. 78 → 82
Review service provider’s policies and procedures Observe written agreement templates 12.10 Has an incident response plan been implemented in preparation to respond immediately to a system breach, as follows:
Review service provider’s policies and procedures Observe templates used for written agreeements 12.10 Has an incident response plan been implemented in preparation to respond immediately to a system breach, as follows:
Modified
p. 78 → 83
Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum? Review incident response plan procedures Specific incident response procedures? Review incident response plan procedures Business recovery and continuity procedures? Review incident response plan procedures
Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum?
Removed
p. 79
Observe processes Review incident response plan procedures Interview responsible personnel 12.10.5 Are alerts from security monitoring systems, including intrusion-detection, intrusion-prevention, and file-integrity monitoring systems, included in the incident response plan?
Modified
p. 79 → 83
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested Data backup processes? Review incident response plan procedures Analysis of legal requirements for reporting compromises?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested (b) Does the plan address the following, at a minimum:
Modified
p. 79 → 83
Review incident response plan procedures 12.10.2 Is the plan tested at least annually? Review incident response plan procedures Interview responsible personnel 12.10.3 Are specific personnel designated to be available on a 24/7 basis to respond to alerts?
Review incident response plan procedures 12.10.2 Is the plan tested at least annually? Review incident response plan procedures Interview responsible personnel 12.10.3 Are specific personnel designated to be available on a 24/7 basis to respond to alerts? Observe processes Review policies Interview responsible personnel
Modified
p. 79 → 84
Observe processes Review policies Interview responsible personnel 12.10.4 Is appropriate training provided to staff with security breach response responsibilities?
Observe processes Review incident response plan procedures Interview responsible personnel 12.10.5 Are alerts from security monitoring systems included in the incident response plan?
Modified
p. 86 → 91
Signature of QSA Date:
Signature of Duly Authorized Officer of QSA Company Date:
Modified
p. 86 → 91
Duly Authorized Officer Name: QSA Company: