Document Comparison
PCI-DSS-v3_2-SAQ-D_ServiceProvider-rev1_1.pdf
→
PCI-DSS-v3-2-1-SAQ-D_ServiceProvider-r2.pdf
91% similar
96 → 92
Pages
23777 → 23239
Words
299
Content Changes
Content Changes
299 content changes. 54 administrative changes (dates, page numbers) hidden.
Added
p. 2
This document aligns with PCI DSS v3.2.1 r1.
Added
p. 14
Observe network configurations to verify that a firewall(s) is in place.
Is the current network diagram consistent with the firewall configuration standards? Compare firewall configuration standards to current network diagram.
Is the current network diagram consistent with the firewall configuration standards? Compare firewall configuration standards to current network diagram.
Added
p. 14
(b) Are firewall and router rule sets reviewed at least every six months? Examine documentation from firewall reviews.
Examine router configuration files and router configurations.
Examine router configuration files and router configurations.
Added
p. 16
(b) Is the personal firewall software (or equivalent functionality) configured to specific configuration settings, actively running, and not alterable by users of mobile and/or employee-owned devices? Review policies and configuration standards.
Examine mobile and/or employee- owned devices.
Examine mobile and/or employee- owned devices.
Added
p. 18
Observe system configurations and account settings.
Are unnecessary default accounts removed or disabled before installing a system on the network? Review policies and procedures.
Are unnecessary default accounts removed or disabled before installing a system on the network? Review policies and procedures.
Added
p. 18
Examine system configurations and account settings.
Added
p. 18
Are default passwords/passphrases on access points changed at installation? Review policies and procedures.
Are other security-related wireless vendor defaults changed, if applicable? Review policies and procedures.
Review system configuration standards.
Review industry-accepted hardening standards.
(b) Are all enabled insecure services, daemons, or protocols justified per documented configuration standards? Review configuration standards Interview personnel. Examine configuration settings. Compare enabled services, etc. to documented justifications.
Are other security-related wireless vendor defaults changed, if applicable? Review policies and procedures.
Review system configuration standards.
Review industry-accepted hardening standards.
(b) Are all enabled insecure services, daemons, or protocols justified per documented configuration standards? Review configuration standards Interview personnel. Examine configuration settings. Compare enabled services, etc. to documented justifications.
Added
p. 21
Examine security parameter settings.
Compare settings to system configuration standards.
Examine security parameters on system components.
Examine security parameters on system components.
Compare settings to system configuration standards.
Examine security parameters on system components.
Examine security parameters on system components.
Added
p. 22
Observe an administrator log on.
Observe an administrator log on.
Examine services and files.
(b) Is the documented inventory kept current? Interview personnel.
Observe an administrator log on.
Examine services and files.
(b) Is the documented inventory kept current? Interview personnel.
Added
p. 23
Examine deletion mechanism.
Examine retention requirements.
Observe deletion processes.
Review documented business justification.
Examine retention requirements.
Observe deletion processes.
Review documented business justification.
Added
p. 24
Examine deletion processes.
Review roles that need access to displays of full PAN.
Observe displays of PAN.
Examine data repositories.
Examine removable media.
Examine audit logs, including payment application logs.
Observe the authentication process.
• Details of all algorithms, protocols, and keys used for the protection of cardholder data, including key strength and expiry date,
• Description of the key usage for each key,
• Inventory of any HSMs and other SCDs used for key management? Review documentation.
Review documented procedures.
Review roles that need access to displays of full PAN.
Observe displays of PAN.
Examine data repositories.
Examine removable media.
Examine audit logs, including payment application logs.
Observe the authentication process.
• Details of all algorithms, protocols, and keys used for the protection of cardholder data, including key strength and expiry date,
• Description of the key usage for each key,
• Inventory of any HSMs and other SCDs used for key management? Review documentation.
Review documented procedures.
Added
p. 28
Observe key-generation procedures.
Observe the key-distribution method.
Observe the method for secure storage of keys.
Observe the key-distribution method.
Observe the method for secure storage of keys.
Added
p. 30
Review key-management procedures.
Interview personnel and/or.
Review documented standards.
Review all locations where CHD is transmitted or received.
(b) Are only trusted keys and/or certificates accepted? Observe inbound and outbound transmissions.
Examine keys and certificates.
(c) Are security protocols implemented to use only secure configurations, and to not support insecure versions or configurations? Examine system configurations.
Review wireless networks.
Interview personnel and/or.
Review documented standards.
Review all locations where CHD is transmitted or received.
(b) Are only trusted keys and/or certificates accepted? Observe inbound and outbound transmissions.
Examine keys and certificates.
(c) Are security protocols implemented to use only secure configurations, and to not support insecure versions or configurations? Examine system configurations.
Review wireless networks.
Added
p. 33
Are all anti-virus software and definitions kept current? Examine policies and procedures.
Examine anti-virus configurations, including the master installation.
Examine anti-virus configurations, including the master installation.
Added
p. 33
Are automatic updates and periodic scans enabled and being performed? Examine anti-virus configurations, including the master installation.
Review log retention processes.
Examine anti-virus configurations.
Compare list of security patches installed to recent vendor patch lists.
Review log retention processes.
Examine anti-virus configurations.
Compare list of security patches installed to recent vendor patch lists.
Added
p. 37
Examine recent changes and change records.
Examine network documentation and network device configurations.
Examine access control settings.
Examine network documentation and network device configurations.
Examine access control settings.
Added
p. 38
Examine production systems.
Are the following performed and documented for all changes:
Are the following performed and documented for all changes:
Added
p. 39
Observe affected systems or networks.
Examine training records.
Examine software-development policies and procedures.
Examine training records.
Examine software-development policies and procedures.
Added
p. 42
Is situated in front of public-facing web applications to detect and prevent web-based attacks. Is actively running and up to date as applicable. Is generating audit logs. Is configured to either block web-based attacks, or generate an alert that is immediately investigated.
Review documented processes.
Examine records of application security assessments.
Review privileged user IDs.
Compare assigned privileges with documented approvals.
Review documented processes.
Examine records of application security assessments.
Review privileged user IDs.
Compare assigned privileges with documented approvals.
Added
p. 45
Examine privileged and general user IDs and associated authorizations.
Observe system settings.
Observe system settings.
Added
p. 45
Examine terminated users accounts.
Review current access lists.
Observe returned physical authentication devices.
Review current access lists.
Observe returned physical authentication devices.
Added
p. 45
Observe user accounts.
Review documentation.
In addition to assigning a unique ID, is one or more of the following methods employed to authenticate all users? Something you know, such as a password or passphrase Something you have, such as a token device or smart card Something you are, such as a biometric Review password procedures.
Observe authentication processes.
Review documentation.
In addition to assigning a unique ID, is one or more of the following methods employed to authenticate all users? Something you know, such as a password or passphrase Something you have, such as a token device or smart card Something you are, such as a biometric Review password procedures.
Observe authentication processes.
Added
p. 46
Observe password files.
Observe data transmissions.
Observe data transmissions.
Observe data transmissions.
Observe data transmissions.
Added
p. 47
Examine system configuration settings to verify password parameters.
Added
p. 47
Sample system components.
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 8.2.6 Are passwords/passphrases set to a unique value for each user for first-time use and upon reset, and must each user change their password immediately after the first use? Review password procedures.
Observe security personnel.
Observe administrator logging into CDE.
Observe personnel connecting remotely.
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 8.2.6 Are passwords/passphrases set to a unique value for each user for first-time use and upon reset, and must each user change their password immediately after the first use? Review password procedures.
Observe security personnel.
Observe administrator logging into CDE.
Observe personnel connecting remotely.
Added
p. 48
Review distribution method.
Review documentation provided to users.
Examine user ID lists.
Examine system configuration settings and/or physical controls.
Examine database and application configuration settings.
Is user direct access to or queries to of databases restricted to database administrators? Review database authentication policies and procedures.
Examine database access control settings.
Examine database access control settings.
Examine database application configuration settings.
Examine database application configuration settings.
(c) Are application IDs only able to be used by the applications (and not by individual users or other processes)? Review database authentication policies and procedures.
Observe physical monitoring mechanisms.
Observe security features.
Review documentation provided to users.
Examine user ID lists.
Examine system configuration settings and/or physical controls.
Examine database and application configuration settings.
Is user direct access to or queries to of databases restricted to database administrators? Review database authentication policies and procedures.
Examine database access control settings.
Examine database access control settings.
Examine database application configuration settings.
Examine database application configuration settings.
(c) Are application IDs only able to be used by the applications (and not by individual users or other processes)? Review database authentication policies and procedures.
Observe physical monitoring mechanisms.
Observe security features.
Added
p. 52
Observe data storage.
Observe identification methods (e.g. badges).
Observe visitor processes.
Observe onsite personnel.
Compare lists of terminated employees to access control lists.
Observe visitor processes.
Observe visitor processes including how access is controlled.
Observe visitors and badge use.
Examine identification.
Examine identification.
Do visitor badges or other identification expire? Observe process.
Examine the visitor log.
Examine the visitor log.
Examine log retention.
(c) Is the visitor log retained for at least three months? Review policies and procedures.
Examine visitor log retention.
Observe identification methods (e.g. badges).
Observe visitor processes.
Observe onsite personnel.
Compare lists of terminated employees to access control lists.
Observe visitor processes.
Observe visitor processes including how access is controlled.
Observe visitors and badge use.
Examine identification.
Examine identification.
Do visitor badges or other identification expire? Observe process.
Examine the visitor log.
Examine the visitor log.
Examine log retention.
(c) Is the visitor log retained for at least three months? Review policies and procedures.
Examine visitor log retention.
Added
p. 55
Are periodic media inventories conducted at least annually? Examine inventory logs.
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 9.8 Is all media destroyed when it is no longer needed for business or legal reasons? Review periodic media destruction policies and procedures.
Is the list accurate and up to date? Observe devices and device locations and compare to list.
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 9.8 Is all media destroyed when it is no longer needed for business or legal reasons? Review periodic media destruction policies and procedures.
Is the list accurate and up to date? Observe devices and device locations and compare to list.
Added
p. 60
Interview system administrator.
Interview system administrator.
Is access to system components linked to individual users? Observe processes.
Interview system administrator.
Is access to system components linked to individual users? Observe processes.
Added
p. 62
Review time configuration standards and processes.
Added
p. 64
Is follow up to exceptions and anomalies performed? Observe processes.
Are audit logs retained for at least one year? Interview personnel.
Are at least the last three months’ logs immediately available for analysis? 10.8 For service providers only: Is a process implemented for the timely detection and reporting of failures of critical security control systems as follows:
- Restoring security functions
- Identifying and documenting the duration (date and time start to end) of the security failure
- Identifying and documenting cause(s) of failure, including root cause, and documenting remediation required to address root cause
- Identifying and addressing any security issues that arose during the failure
- Implementing controls to prevent cause of failure from reoccurring
- Resuming monitoring of security controls? Review policies and procedures.
Evaluate the methodology.
(c) If wireless scanning is utilized to identify authorized and unauthorized wireless access points, is the scan performed at least quarterly for all system components and facilities? Examine output from …
Are audit logs retained for at least one year? Interview personnel.
Are at least the last three months’ logs immediately available for analysis? 10.8 For service providers only: Is a process implemented for the timely detection and reporting of failures of critical security control systems as follows:
- Restoring security functions
- Identifying and documenting the duration (date and time start to end) of the security failure
- Identifying and documenting cause(s) of failure, including root cause, and documenting remediation required to address root cause
- Identifying and addressing any security issues that arose during the failure
- Implementing controls to prevent cause of failure from reoccurring
- Resuming monitoring of security controls? Review policies and procedures.
Evaluate the methodology.
(c) If wireless scanning is utilized to identify authorized and unauthorized wireless access points, is the scan performed at least quarterly for all system components and facilities? Examine output from …
Added
p. 69
Review results from the four most recent quarters of external vulnerability scans.
Examine results from the most recent external penetration test.
Examine results from the most recent internal penetration test.
Review penetration-testing methodology.
Covers all segmentation controls/methods in use.
Examine results from the most recent penetration test.
Does penetration testing cover all segmentation controls/methods in use? Examine results of penetration tests on segmentation controls.
Does penetration testing verify that segmentation controls/methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE Examine results of penetration tests on segmentation controls.
Are tests performed by a qualified internal resource or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)? Interview responsible personnel.
Examine results from the most recent external penetration test.
Examine results from the most recent internal penetration test.
Review penetration-testing methodology.
Covers all segmentation controls/methods in use.
Examine results from the most recent penetration test.
Does penetration testing cover all segmentation controls/methods in use? Examine results of penetration tests on segmentation controls.
Does penetration testing verify that segmentation controls/methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE Examine results of penetration tests on segmentation controls.
Are tests performed by a qualified internal resource or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)? Interview responsible personnel.
Added
p. 72
Examine network diagrams.
System executables Application executables Configuration and parameter files Centrally stored, historical or archived, log, and audit files Additional critical files determined by entity (for example, through risk assessment or other means) Observe system settings and monitored files.
Observe system settings and monitored files.
Review results from monitoring activities.
Review annual risk assessment process.
System executables Application executables Configuration and parameter files Centrally stored, historical or archived, log, and audit files Additional critical files determined by entity (for example, through risk assessment or other means) Observe system settings and monitored files.
Observe system settings and monitored files.
Review results from monitoring activities.
Review annual risk assessment process.
Added
p. 76
Review usage policies.
Interview a sample of responsible personnel.
Interview a sample of responsible personnel.
Added
p. 78
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 12.6 Is a formal security awareness program in place to make all personnel aware of the cardholder data security policy and procedures? Review security awareness program.
Review security awareness program.
Review security awareness program procedures.
Review security awareness program attendance records.
Interview Human Resource department management.
Review list of service providers.
Observe written agreements.
Review service provider’s policies and procedures.
Observe templates used for written agreements.
Review incident response plan procedures.
Specific incident response procedures? Review incident response plan procedures.
Business recovery and continuity procedures? Review incident response plan procedures.
Analysis of legal requirements for reporting compromises? Review incident response plan procedures.
(b) Are reviews performed at least quarterly? Interview personnel.
Examine records of reviews.
(e) Are restrictions in place for the use of these system resources? Disk space, Bandwidth, Memory, CPU This ensures that each entity cannot monopolize server resources to exploit vulnerabilities (for example, …
Review security awareness program.
Review security awareness program procedures.
Review security awareness program attendance records.
Interview Human Resource department management.
Review list of service providers.
Observe written agreements.
Review service provider’s policies and procedures.
Observe templates used for written agreements.
Review incident response plan procedures.
Specific incident response procedures? Review incident response plan procedures.
Business recovery and continuity procedures? Review incident response plan procedures.
Analysis of legal requirements for reporting compromises? Review incident response plan procedures.
(b) Are reviews performed at least quarterly? Interview personnel.
Examine records of reviews.
(e) Are restrictions in place for the use of these system resources? Disk space, Bandwidth, Memory, CPU This ensures that each entity cannot monopolize server resources to exploit vulnerabilities (for example, …
Added
p. 92
Do not use vendor-supplied defaults for system passwords and other security parameters.
Added
p. 92
Protect all systems against malware and regularly update anti-virus software or programs.
Added
p. 92
Appendix A1 Additional PCI DSS Requirements for Shared Hosting Providers.
Appendix A2 Additional PCI DSS Requirements for Entities using SSL/Early TLS for Card- Present POS POI Terminal Connections.
Appendix A2 Additional PCI DSS Requirements for Entities using SSL/Early TLS for Card- Present POS POI Terminal Connections.
Modified
p. 1
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers SAQ-Eligible Service Providers For use with PCI DSS Version 3.2 Revision 1.1
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers SAQ-Eligible Service Providers For use with PCI DSS Version 3.2.1 Revision 2
Removed
p. 4
1. Confirm that your environment is properly scoped.
Section 1 (Parts 1 & 2 of the AOC)
• Assessment Information and Executive Summary Section 2
• PCI DSS Self-Assessment Questionnaire (SAQ D) Section 3 (Parts 3 & 4 of the AOC)
• Validation and Attestation Details and Action Plan for Non- Compliant Requirements (if applicable)
Section 1 (Parts 1 & 2 of the AOC)
• Assessment Information and Executive Summary Section 2
• PCI DSS Self-Assessment Questionnaire (SAQ D) Section 3 (Parts 3 & 4 of the AOC)
• Validation and Attestation Details and Action Plan for Non- Compliant Requirements (if applicable)
Modified
p. 4
PCI DSS Self-Assessment Completion Steps
PCI DSS Self-Assessment Completion Steps Confirm that your environment is properly scoped.
Modified
p. 4
Assess your environment for compliance with PCI DSS requirements.
Modified
p. 4
Complete all sections of this document:
Modified
p. 4
•such as ASV scan reports
•to the payment brand, or other requester.
Section 3 (Parts 3 & 4 of the AOC)
• Validation and Attestation Details and Action Plan for Non-Compliant Requirements (if applicable) Submit the SAQ and Attestation of Compliance (AOC), along with any other requested documentation
•such as ASV scan reports
•to the payment brand, or other requester.
• Validation and Attestation Details and Action Plan for Non-Compliant Requirements (if applicable) Submit the SAQ and Attestation of Compliance (AOC), along with any other requested documentation
•such as ASV scan reports
•to the payment brand, or other requester.
Modified
p. 4
(PCI Data Security Standard Requirements and Security Assessment Procedures) Guidance on Scoping Guidance on the intent of all PCI DSS Requirements Details of testing procedures Guidance on Compensating Controls SAQ Instructions and Guidelines documents Information about all SAQs and their eligibility criteria How to determine which SAQ is right for your organization
(PCI Data Security Standard Requirements and Security Assessment Procedures) Guidance on Scoping Guidance on the intent of all PCI DSS Requirements Details of testing procedures Guidance on Compensating Controls SAQ Instructions and Guidelines documents Information about all SAQs and their eligibility criteria How to determine which SAQ is right for your organization
Modified
p. 4
PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms Descriptions and definitions of terms used in the PCI DSS and self-assessment questionnaires These and other resources can be found on the PCI SSC website (www.pcisecuritystandards.org). Organizations are encouraged to review the PCI DSS and other supporting documents before beginning an assessment.
PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms Descriptions and definitions of terms used in the PCI DSS and self-assessment questionnaires These and other resources can be found on the PCI SSC website (www.pcisecuritystandards.org). Organizations are encouraged to review the PCI DSS and other supporting documents before beginning an assessment.
Modified
p. 6
The questions specific to securing wireless technologies (for example, Requirements 1.2.3, 2.1.1, and 4.1.1) only need to be answered if wireless is present anywhere in your network. Note that Requirement 11.1 (use of processes to identify unauthorized wireless access points) must still be answered even if you don’t use wireless technologies in your network, since the process detects any rogue or unauthorized devices that may have been added without your knowledge.
Modified
p. 6
The questions specific to application development and secure coding (Requirements 6.3 and 6.5) only need to be answered if your organization develops its own custom applications.
Modified
p. 6
The questions for Requirements 9.1.1 and 9.3 only need to be answered for facilities with “sensitive areas” as defined here: “Sensitive areas” refers to any data center, server room, or any area that houses systems that store, process, or transmit cardholder data. This excludes the areas where only point-of-sale terminals are present, such as the cashier areas in a retail store, but does include retail store back-office server rooms that store cardholder data, and storage areas for large quantities of …
Modified
p. 6
Understanding the difference between Not Applicable and Not Tested Requirements that are deemed to be not applicable to an environment must be verified as such. Using the wireless example above, for an organization to select “N/A” for Requirements 1.2.3, 2.1.1, and 4.1.1, the organization would first need to confirm that there are no wireless technologies used in their CDE or that connect to their CDE. Once this has been confirmed, the organization may select “N/A” for those specific requirements, If …
Understanding the difference between Not Applicable and Not Tested Requirements that are deemed to be not applicable to an environment must be verified as such. Using the wireless example above, for an organization to select “N/A” for Requirements 1.2.3, 2.1.1, and 4.1.1, the organization would first need to confirm that there are no wireless technologies used in their cardholder data environment (CDE) or that connect to their CDE. Once this has been confirmed, the organization may select “N/A” for those …
Modified
p. 6
An organization may be asked by their acquirer to validate a subset of requirements•for example: using the prioritized approach to validate certain milestones.
Modified
p. 6
An organization may wish to validate a new security control that impacts only a subset of requirements•for example, implementation of a new encryption methodology that requires assessment of PCI DSS Requirements 2, 3 and 4.
Modified
p. 6
A service provider organization might offer a service which covers only a limited number of PCI DSS requirements•for example, a physical storage provider may only wish to validate the physical security controls per PCI DSS Requirement 9 for their storage facility.
Modified
p. 10
For example: • Connections into and out of the cardholder data environment (CDE). • Critical system components within the CDE, such as POS devices, databases, web servers, etc., and any other necessary payment components, as applicable.
For example: Connections into and out of the cardholder data environment (CDE). Critical system components within the CDE, such as POS devices, databases, web servers, etc., and any other necessary payment components, as applicable.
Modified
p. 10
Does your business use network segmentation to affect the scope of your PCI DSS environment? (Refer to “Network Segmentation” section of PCI DSS for guidance on network segmentation) Part 2f. Third-Party Service Providers Does your company have a relationship with a Qualified Integrator Reseller (QIR) for the purpose of the services being validated? Description of services provided by QIR:
Does your business use network segmentation to affect the scope of your PCI DSS environment? (Refer to “Network Segmentation” section of PCI DSS for guidance on network segmentation.) Part 2f. Third-Party Service Providers Does your company have a relationship with a Qualified Integrator Reseller (QIR) for the purpose of the services being validated? Description of services provided by QIR:
Modified
p. 12
• The requirement and all sub-requirements were assessed for that Requirement, and no sub- requirements were marked as “Not Tested” or “Not Applicable” in the SAQ.
Full
• The requirement and all sub-requirements were assessed for that Requirement, and no sub- requirements were marked as “Not Tested” or “Not Applicable” in the SAQ.
• The requirement and all sub-requirements were assessed for that Requirement, and no sub- requirements were marked as “Not Tested” or “Not Applicable” in the SAQ.
Modified
p. 12
• One or more sub-requirements of that Requirement were marked as “Not Tested” or “Not Applicable” in the SAQ.
Partial
• One or more sub-requirements of that Requirement were marked as “Not Tested” or “Not Applicable” in the SAQ.
• One or more sub-requirements of that Requirement were marked as “Not Tested” or “Not Applicable” in the SAQ.
Modified
p. 12
• All sub-requirements of that Requirement were marked as “Not Tested” and/or “Not Applicable” in the SAQ.
None
• All sub-requirements of that Requirement were marked as “Not Tested” and/or “Not Applicable” in the SAQ.
• All sub-requirements of that Requirement were marked as “Not Tested” and/or “Not Applicable” in the SAQ.
Modified
p. 12
Details of specific sub-requirements that were marked as either “Not Tested” and/or “Not Applicable” in the SAQ Reason why sub-requirement(s) were not tested or not applicable
Removed
p. 13
Review current network diagram Examine network configurations (b) Is there a process to ensure the diagram is kept current?
Modified
p. 13
Is there a process to ensure the diagram is kept current? Interview responsible personnel.
Removed
p. 14
Review firewall configuration standards Observe network configurations to verify that a firewall(s) is in place Is the current network diagram consistent with the firewall configuration standards?
Modified
p. 14
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 1.1.4 (a) Is a firewall required and implemented at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 1.1.4 Is a firewall required and implemented at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone? Review firewall configuration standards.
Modified
p. 14
Are all insecure services, protocols, and ports identified, and are security features documented and implemented for each identified service? Review firewall and router configuration standards.
Removed
p. 15
Examine firewall and router configurations 1.3.3 Are anti-spoofing measures implemented to detect and block forged sourced IP addresses from entering the network? (For example, block traffic originating from the internet with an internal address.) Examine firewall and router configurations
Modified
p. 15
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 1.2.1 (a) Is inbound and outbound traffic restricted to that which is necessary for the cardholder data environment?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 1.2.1 Is inbound and outbound traffic restricted to that which is necessary for the cardholder data environment? Review firewall and router configuration standards.
Modified
p. 15
Is all other inbound and outbound traffic specifically denied (for example by using an explicit “deny all” or an implicit deny after allow statement)? Review firewall and router configuration standards.
Modified
p. 16
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 1.3.4 Is outbound traffic from the cardholder data environment to the Internet explicitly authorized?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 1.3.4 Is outbound traffic from the cardholder data environment to the Internet explicitly authorized? Examine firewall and router configurations.
Modified
p. 16
Network Address Translation (NAT) Placing servers containing cardholder data behind proxy servers/firewalls, Removal or filtering of route advertisements for private networks that employ registered addressing, Internal use of RFC1918 address space instead of registered addresses.
Modified
p. 16
Is any disclosure of private IP addresses and routing information to external entities authorized? Examine firewall and router configurations.
Modified
p. 17
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested (b) Is the personal firewall software (or equivalent functionality) configured to specific configuration settings, actively running, and not alterable by users of mobile and/or employee-owned devices? Review policies and configuration standards Examine mobile and/or employee- owned devices 1.5 Are security policies and operational procedures for managing firewalls:
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 1.5 Are security policies and operational procedures for managing firewalls:
Removed
p. 18
Review policies and procedures Examine vendor documentation Observe system configurations and account settings Interview personnel Are unnecessary default accounts removed or disabled before installing a system on the network? Review policies and procedures Review vendor documentation Examine system configurations and account settings Interview personnel 2.1.1 For wireless environments connected to the cardholder data environment or transmitting cardholder data, are ALL wireless vendor defaults changed at installations, as follows:
Review policies and procedures Review vendor documentation Interview personnel Examine system configurations (c) Are default passwords/passphrases on access points changed at installation? Review policies and procedures Interview personnel Examine system configurations
Review policies and procedures Review vendor documentation Interview personnel Examine system configurations (c) Are default passwords/passphrases on access points changed at installation? Review policies and procedures Interview personnel Examine system configurations
Modified
p. 18
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 2.1 (a) Are vendor-supplied defaults always changed before installing a system on the network? This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, payment applications, Simple Network Management Protocol (SNMP) community strings, etc.).
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 2.1 Are vendor-supplied defaults always changed before installing a system on the network? This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, payment applications, Simple Network Management Protocol (SNMP) community strings, etc.).
Modified
p. 18
Are encryption keys changed from default at installation, and changed anytime anyone with knowledge of the keys leaves the company or changes positions? Review policies and procedures.
Modified
p. 18
Are default SNMP community strings on wireless devices changed at installation? Review policies and procedures.
Removed
p. 19
Review policies and procedures Review vendor documentation Examine system configurations (e) Are other security-related wireless vendor defaults changed, if applicable?
Modified
p. 19
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested (d) Is firmware on wireless devices updated to support strong encryption for authentication and transmission over wireless networks?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 2.1.1 (cont.) Is firmware on wireless devices updated to support strong encryption for authentication and transmission over wireless networks? Review policies and procedures.
Modified
p. 19
Are system configuration standards updated as new vulnerability issues are identified, as defined in Requirement 6.1? Review policies and procedures.
Modified
p. 19
Are system configuration standards applied when new systems are configured? Review policies and procedures.
Modified
p. 20
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested (d) Do system configuration standards include all of the following:
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 2.2 (cont.) Do system configuration standards include all of the following:
Modified
p. 20
Changing of all vendor-supplied defaults and elimination of unnecessary default accounts? Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same server? Enabling only necessary services, protocols, daemons, etc., as required for the function of the system? Implementing additional security features for any required services, protocols or daemons that are considered to be insecure? Configuring system security parameters to prevent misuse? Removing all unnecessary functionality, such as scripts, drivers, features, …
Modified
p. 20
If virtualization technologies are used, is only one primary function implemented per virtual system component or device? Examine system configurations.
Removed
p. 21
Review configuration standards Examine system configurations (b) Are all enabled insecure services, daemons, or protocols justified per documented configuration standards?
Review configuration standards Interview personnel Examine configuration settings Compare enabled services, etc. to documented justifications 2.2.3 Are additional security features documented and implemented for any required services, protocols or daemons that are considered to be insecure? Note: Where SSL/early TLS is used, the requirements in Appendix A2 must be completed.
Review configuration standards Interview personnel Examine configuration settings Compare enabled services, etc. to documented justifications 2.2.3 Are additional security features documented and implemented for any required services, protocols or daemons that are considered to be insecure? Note: Where SSL/early TLS is used, the requirements in Appendix A2 must be completed.
Modified
p. 21
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 2.2.2 (a) Are only necessary services, protocols, daemons, etc. enabled as required for the function of the system (services and protocols not directly needed to perform the device’s specified function are disabled)?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 2.2.2 Are only necessary services, protocols, daemons, etc. enabled as required for the function of the system (services and protocols not directly needed to perform the device’s specified function are disabled)? Review configuration standards.
Modified
p. 21
Are common system security parameters settings included in the system configuration standards? Review system configuration standards.
Modified
p. 21
Are security parameter settings set appropriately on system components? Examine system components.
Modified
p. 21
Are enabled functions documented and do they support secure configuration? Review documentation.
Removed
p. 22
Note: Where SSL/early TLS is used, the requirements in Appendix A2 must be completed.
Modified
p. 22
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested (c) Is only documented functionality present on system components? Review documentation Examine security parameters on system components 2.3 Is non-console administrative access encrypted as follows:
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 2.3 Is non-console administrative access encrypted as follows:
Modified
p. 22
Is all non-console administrative access encrypted with strong cryptography, and is a strong encryption method invoked before the administrator’s password is requested? Examine system components.
Modified
p. 22
Are system services and parameter files configured to prevent the use of Telnet and other insecure remote login commands? Examine system components.
Modified
p. 22
Is administrator access to web-based management interfaces encrypted with strong cryptography? Examine system components.
Modified
p. 22
For the technology in use, is strong cryptography implemented according to industry best practice and/or vendor recommendations? Examine system components.
Removed
p. 23
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 2.6 If you are a shared hosting provider, are your systems configured to protect each entity’s (your customers’) hosted environment and cardholder data? See Appendix A1: Additional PCI DSS Requirements for Shared Hosting Providers for specific requirements that must be met.
Modified
p. 23 → 22
Complete Appendix A1 testing procedures.
Modified
p. 24 → 23
Is data storage amount and retention time limited to that required for legal, regulatory, and/or business requirements? Review data retention and disposal policies and procedures.
Modified
p. 24 → 23
Are there defined processes in place for securely deleting cardholder data when no longer needed for legal, regulatory, and/or business reasons? Review policies and procedures.
Modified
p. 24 → 23
Are there specific retention requirements for cardholder data? For example, cardholder data needs to be held for X period for Y business reasons.
Modified
p. 24 → 23
Is there a quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention requirements? Review policies and procedures.
Modified
p. 24 → 23
Does all stored cardholder data meet the requirements defined in the data-retention policy? Examine files and system records.
Removed
p. 25
Examine data stores and system configuration files (c) For all other entities: Is sensitive authentication data deleted or rendered unrecoverable upon completion of the authorization process? Review policies and procedures Examine system configurations Examine deletion processes (d) Do all systems adhere to the following requirements regarding non-storage of sensitive authentication data after authorization (even if encrypted):
Modified
p. 25 → 24
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested (b) For issuers and/or companies that support issuing services and store sensitive authentication data: Is the data secured?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested For all other entities: Is sensitive authentication data deleted or rendered unrecoverable upon completion of the authorization process? Review policies and procedures.
Modified
p. 25 → 24
The cardholder’s name, Primary account number (PAN), Expiration date, and Service code To minimize risk, store only these data elements as needed for business.
Modified
p. 25 → 24
Examine data sources including:
Modified
p. 25 → 24
Incoming transaction data All logs History files Trace files Database schema Database contents
Removed
p. 26
Review policies and procedures Review roles that need access to displays of full PAN Examine system configurations Observe displays of PAN
Modified
p. 26 → 24
Incoming transaction data All logs History files Trace files Database schema Database contents 3.2.2 The card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) is not stored after authorization? Examine data sources including:
Modified
p. 26 → 25
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 3.2.2 The card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) is not stored after authorization? Examine data sources including:
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 3.2.3 The personal identification number (PIN) or the encrypted PIN block is not stored after authorization? Examine data sources including:
Modified
p. 26 → 25
Incoming transaction data All logs History files Trace files Database schema Database contents 3.3 Is the PAN masked when displayed (the first six and last four digits are the maximum number of digits to be displayed) such that only personnel with a legitimate business need can see more than the first six/last four digits of the PAN? Note: This requirement does not supersede stricter requirements in place for displays of cardholder data•for example, legal or payment card brand requirements for …
Removed
p. 27
Examine system configurations Observe the authentication process (b) Are cryptographic keys stored securely (for example, stored on removable media that is adequately protected with strong access controls)? Observe processes Interview personnel
Modified
p. 27 → 26
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 3.4 Is PAN rendered unreadable anywhere it is stored (including data repositories, portable digital media, backup media, and in audit logs), by using any of the following approaches? One-way hashes based on strong cryptography (hash must be of the entire PAN) Truncation (hashing cannot be used to replace the truncated segment of PAN) Index tokens and pads (pads …
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 3.4 Is PAN rendered unreadable anywhere it is stored (including data repositories, portable digital media, backup media, and in audit logs), by using any of the following approaches? One-way hashes based on strong cryptography (hash must be of the entire PAN) Truncation (hashing cannot be used to replace the truncated segment of PAN) Index tokens and pads (pads must be securely …
Modified
p. 27 → 26
Is logical access to encrypted file systems managed separately and independently of native operating system authentication and access control mechanisms (for example, by not using local user account databases or general network login credentials)? Examine system configurations.
Removed
p. 28
Details of all algorithms, protocols, and keys used for the protection of cardholder data, including key strength and expiry date, Description of the key usage for each key, Inventory of any HSMs and other SCDs used for key management? Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement.
Modified
p. 28 → 27
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested (c) Is cardholder data on removable media encrypted wherever stored? Note: If disk encryption is not used to encrypt removable media, the data stored on this media will need to be rendered unreadable through some other method.
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 3.4.1 (cont.) Is cardholder data on removable media encrypted wherever stored? Note: If disk encryption is not used to encrypt removable media, the data stored on this media will need to be rendered unreadable through some other method.
Modified
p. 29 → 28
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 3.5.3 Are secret and private cryptographic keys used to encrypt/decrypt cardholder data stored in one (or more) of the following forms at all times? Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the data-encrypting key Within a secure cryptographic device (such as a hardware (host) security …
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 3.5.3 Are secret and private cryptographic keys used to encrypt/decrypt cardholder data stored in one (or more) of the following forms at all times? Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the data-encrypting key Within a secure cryptographic device (such as a hardware (host) security module (HSM) …
Modified
p. 29 → 28
Examine system configurations and key storage locations, including for key-encrypting keys.
Modified
p. 29 → 28
For service providers only: If keys are shared with customers for transmission or storage of cardholder data, is documentation provided to customers that includes guidance on how to securely transmit, store and update customer’s keys, in accordance with requirements 3.6.1 through 3.6.8 below? Review documentation provided to customers.
Removed
p. 30
Review key-management procedures Interview personnel 3.6.5 (a) Do cryptographic key procedures include retirement or replacement (for example, archiving, destruction, and/or revocation) of cryptographic keys when the integrity of the key has been weakened (for example, departure of an employee with knowledge of a clear- text key)?
Modified
p. 30 → 29
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 3.6.2 Do cryptographic key procedures include secure cryptographic key distribution?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 3.6.2 Do cryptographic key procedures include secure cryptographic key distribution? Review key management procedures.
Modified
p. 30 → 29
Do cryptographic key procedures include replacement of known or suspected compromised keys? Review key-management procedures.
Modified
p. 30 → 29
(c) If retired or replaced cryptographic keys are retained, are these keys only used for decryption/verification purposes, and not used for encryption operations? Review key-management procedures.
Modified
p. 31 → 30
Do split knowledge procedures require that key components are under the control of at least two people who only have knowledge of their own key components?
Modified
p. 31 → 30
Do dual control procedures require that at least two people are required to perform any key management operations and no one person has access to the authentication materials (for example, passwords or keys) of another? Note: Examples of manual key management operations include, but are not limited to: key generation, transmission, loading, storage and destruction.
Removed
p. 32
Review documented standards Review policies and procedures Review all locations where CHD is transmitted or received Examine system configurations (b) Are only trusted keys and/or certificates accepted? Observe inbound and outbound transmissions Examine keys and certificates (c) Are security protocols implemented to use only secure configurations, and to not support insecure versions or configurations?
Modified
p. 32 → 31
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 4.1 (a) Are strong cryptography and security protocols used to safeguard sensitive cardholder data during transmission over open, public networks? Note: Where SSL/early TLS is used, the requirements in Appendix A2 must be completed.
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 4.1 (a) Are strong cryptography and security protocols used to safeguard sensitive cardholder data during transmission over open, public networks? Note: Examples of open, public networks include but are not limited to the Internet; wireless technologies, including 802.11 and Bluetooth; cellular technologies, for example, Global System for Mobile communications (GSM), Code division multiple access (CDMA); and General Packet Radio Service (GPRS).
Modified
p. 32 → 31
(d) Is the proper encryption strength implemented for the encryption methodology in use (check vendor recommendations/best practices)? Review vendor documentation.
Modified
p. 32 → 31
(e) For TLS implementations, is TLS enabled whenever cardholder data is transmitted or received? For example, for browser-based implementations:
Modified
p. 32 → 31
“HTTPS” appears as the browser Universal Record Locator (URL) protocol, and Cardholder data is only requested if “HTTPS” appears as part of the URL.
Modified
p. 32 → 31
Examine system configurations.
Modified
p. 33 → 32
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 4.2 Are PANs rendered unreadable or secured with strong cryptography whenever they are sent via end-user messaging technologies (for example, e-mail, instant messaging, SMS, chat, etc.)? Review outbound transmissions.
Modified
p. 33 → 32
Are policies in place that state that unprotected PANs are not to be sent via end-user messaging technologies? Review policies and procedures.
Removed
p. 34
(a) Are all anti-virus software and definitions kept current? Examine policies and procedures Examine anti-virus configurations, including the master installation Examine system components (b) Are automatic updates and periodic scans enabled and being performed?
Modified
p. 34 → 33
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 5.1 Is anti-virus software deployed on all systems commonly affected by malicious software?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 5.1 Is anti-virus software deployed on all systems commonly affected by malicious software? Examine system configurations.
Modified
p. 34 → 33
Are all anti-virus mechanisms generating audit logs, and are logs retained in accordance with PCI DSS Requirement 10.7? Examine anti-virus configurations.
Modified
p. 35 → 34
Unable to be disabled or altered by users? Note: Anti-virus solutions may be temporarily disabled only if there is legitimate technical need, as authorized by management on a case-by-case basis. If anti-virus protection needs to be disabled for a specific purpose, it must be formally authorized. Additional security measures may also need to be implemented for the period of time during which anti-virus protection is not active.
Modified
p. 36 → 35
Using reputable outside sources for vulnerability information?
Modified
p. 36 → 35
Assigning a risk ranking to vulnerabilities that includes identification of all “high” risk and “critical” vulnerabilities? Note: Risk rankings should be based on industry best practices as well as consideration of potential impact. For example, criteria for ranking vulnerabilities may include consideration of the CVSS base score and/or the classification by the vendor, and/or type of systems affected.
Removed
p. 37
Review policies and procedures Examine system components Compare list of security patches installed to recent vendor patch lists 6.3 (a) Are software- development processes based on industry standards and/or best practices?
Modified
p. 37 → 36
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested Are critical security patches installed within one month of release? Note: Critical security patches should be identified according to the risk ranking process defined in Requirement 6.1.
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 6.2 (cont.) Are critical security patches installed within one month of release? Note: Critical security patches should be identified according to the risk ranking process defined in Requirement 6.1.
Modified
p. 37 → 36
Is information security included throughout the software- development life cycle? Review software development processes.
Modified
p. 37 → 36
Are software applications developed in accordance with PCI DSS (for example, secure authentication and logging)? Review software development processes.
Modified
p. 38 → 37
Are code changes reviewed by individuals other than the originating code author, and by individuals who are knowledgeable about code review techniques and secure coding practices?
Modified
p. 38 → 37
Do code reviews ensure code is developed according to secure coding guidelines?
Modified
p. 38 → 37
Are appropriate corrections are implemented prior to release?
Modified
p. 38 → 37
Are code review results are reviewed and approved by management prior to release? Note: This requirement for code reviews applies to all custom code (both internal and public-facing), as part of the system development life cycle. Code reviews can be conducted by knowledgeable internal personnel or third parties. Public-facing web applications are also subject to additional controls, to address ongoing threats and vulnerabilities after implementation, as defined at PCI DSS Requirement 6.6.
Modified
p. 38 → 37
Is access control in place to enforce the separation between the development/test environments and the production environment? Review change control processes and procedures.
Removed
p. 39
Review change control processes and procedures Observe processes Interview personnel 6.4.3 Are production data (live PANs) not used for testing or development?
Modified
p. 39 → 38
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 6.4.2 Is there separation of duties between personnel assigned to the development/test environments and those assigned to the production environment?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 6.4.2 Is there separation of duties between personnel assigned to the development/test environments and those assigned to the production environment? Review change control processes and procedures.
Removed
p. 40
Trace changes to change control documentation Examine change control documentation 6.4.5.4 Back-out procedures? Trace changes to change control documentation Examine change control documentation 6.4.6 Upon completion of a significant change, are all relevant PCI DSS requirements implemented on all new or changed systems and networks, and documentation updated as applicable? Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement.
Trace changes to change control documentation Examine change control documentation Interview personnel Observe affected systems or networks
Trace changes to change control documentation Examine change control documentation Interview personnel Observe affected systems or networks
Modified
p. 40 → 39
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 6.4.5.2 Documented approval by authorized parties? Trace changes to change control documentation Examine change control documentation 6.4.5.3 (a) Functionality testing to verify that the change does not adversely impact the security of the system?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 6.4.5.2 Documented approval by authorized parties? Trace changes to change control documentation.
Modified
p. 40 → 39
(b) For custom code changes, testing of updates for compliance with PCI DSS Requirement 6.5 before being deployed into production? Trace changes to change control documentation.
Removed
p. 41
Examine software-development policies and procedures Interview responsible personnel 6.5.2 Do coding techniques address buffer overflow vulnerabilities?
Examine software-development policies and procedures Interview responsible personnel 6.5.3 Do coding techniques address insecure cryptographic storage? Examine software-development policies and procedures Interview responsible personnel 6.5.4 Do coding techniques address insecure communications? Examine software-development policies and procedures Interview responsible personnel
Examine software-development policies and procedures Interview responsible personnel 6.5.3 Do coding techniques address insecure cryptographic storage? Examine software-development policies and procedures Interview responsible personnel 6.5.4 Do coding techniques address insecure communications? Examine software-development policies and procedures Interview responsible personnel
Modified
p. 41 → 40
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 6.5 (a) Do software-development processes address common coding vulnerabilities?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 6.5 Do software-development processes address common coding vulnerabilities? Review software-development policies and procedures.
Modified
p. 41 → 40
Are developers trained at least annually in up-to-date secure coding techniques, including how to avoid common coding vulnerabilities? Examine software-development policies and procedures.
Removed
p. 42
Examine software-development policies and procedures Interview responsible personnel 6.5.9 Do coding techniques address cross-site request forgery (CSRF)?
Modified
p. 42 → 41
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 6.5.5 Do coding techniques address improper error handling? Examine software-development policies and procedures Interview responsible personnel 6.5.6 Do coding techniques address all “high risk” vulnerabilities identified in the vulnerability identification process (as defined in PCI DSS Requirement 6.1)? Examine software-development policies and procedures Interview responsible personnel For web applications and application interfaces (internal or external), are applications …
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 6.5.5 Do coding techniques address improper error handling? Examine software-development policies and procedures.
Removed
p. 43
- At least annually - After any changes - By an organization that specializes in application security - That, at a minimum, all vulnerabilities in
- Is situated in front of public-facing web applications to detect and prevent web-based attacks. - Is actively running and up to date as applicable. - Is generating audit logs. - Is configured to either block web-based attacks, or generate an alert that is immediately investigated.
Review documented processes Interview personnel Examine records of application security assessments Examine system configuration settings
- Is situated in front of public-facing web applications to detect and prevent web-based attacks. - Is actively running and up to date as applicable. - Is generating audit logs. - Is configured to either block web-based attacks, or generate an alert that is immediately investigated.
Review documented processes Interview personnel Examine records of application security assessments Examine system configuration settings
Modified
p. 43 → 42
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 6.6 For public-facing web applications, are new threats and vulnerabilities addressed on an ongoing basis, and are these applications protected against known attacks by applying either of the following methods? Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, as follows:
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 6.6 For public-facing web applications, are new threats and vulnerabilities addressed on an ongoing basis, and are these applications protected against known attacks by applying either of the following methods? Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, as follows:
Modified
p. 43 → 42
Requirement 6.5 are included in the assessment - That all vulnerabilities are corrected - That the application is re-evaluated after the corrections Note: This assessment is not the same as the vulnerability scans performed for Requirement 11.2.
At least annually After any changes By an organization that specializes in application security That, at a minimum, all vulnerabilities in Requirement 6.5 are included in the assessment That all vulnerabilities are corrected That the application is re-evaluated after the corrections Note: This assessment is not the same as the vulnerability scans performed for Requirement 11.2.
Modified
p. 43 → 42
Installing an automated technical solution that detects and prevents web-based attacks (for example, a web- application firewall) as follows:
Modified
p. 45 → 43
Is there a written policy for access control that incorporates the following? Defining access needs and privilege assignments for each role Restriction of access to privileged user IDs to least privileges necessary to perform job responsibilities, Assignment of access based on individual personnel’s job classification and function Documented approval (electronically or in writing) by authorized parties for all access, including listing of specific privileges approved Examine written access control policy.
Modified
p. 45 → 43
System components and data resources that each role needs to access for their job function?
Modified
p. 45 → 43
Level of privilege required (for example, user, administrator, etc.) for accessing resources? Examine roles and access need.
Modified
p. 45 → 43
To least privileges necessary to perform job responsibilities?
Modified
p. 45 → 43
Assigned only to roles that specifically require that privileged access? Interview management.
Removed
p. 46
Review vendor documentation Examine configuration settings 7.2.3 Does the access control system(s) have a default “deny- all” setting? Review vendor documentation Examine configuration settings 7.3 Are security policies and operational procedures for restricting access to cardholder data:
Modified
p. 46 → 44
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 7.1.4 Is documented approval by authorized parties required, specifying required privileges? Review user IDs Compare with documented approvals Compare assigned privileges with documented approvals 7.2 Is an access control system(s) in place for system components to restrict access based on a user’s need to know, and is it set to “deny all” unless specifically allowed, as follows:
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 7.1.4 Is documented approval by authorized parties required, specifying required privileges? Compare with documented approvals.
Removed
p. 47
Review password procedures Examine privileged and general user IDs and associated authorizations Observe system settings 8.1.3 Is access for any terminated users immediately deactivated or removed?
Review password procedures Examine terminated users accounts Review current access lists Observe returned physical authentication devices 8.1.4 Are inactive user accounts either removed or disabled within 90 days?
Review password procedures Interview personnel Observe processes Are third party remote access accounts monitored when in use? Interview personnel Observe processes
Review password procedures Examine terminated users accounts Review current access lists Observe returned physical authentication devices 8.1.4 Are inactive user accounts either removed or disabled within 90 days?
Review password procedures Interview personnel Observe processes Are third party remote access accounts monitored when in use? Interview personnel Observe processes
Removed
p. 48
Review password procedures Examine system configuration settings In addition to assigning a unique ID, is one or more of the following methods employed to authenticate all users?
Something you know, such as a password or passphrase Something you have, such as a token device or smart card Something you are, such as a biometric Review password procedures Observe authentication processes 8.2.1 (a) Is strong cryptography used to render all authentication credentials (such as passwords/passphrases) unreadable during transmission and storage on all system components? Review password procedures Review vendor documentation Examine system configuration settings Observe password files Observe data transmissions
Something you know, such as a password or passphrase Something you have, such as a token device or smart card Something you are, such as a biometric Review password procedures Observe authentication processes 8.2.1 (a) Is strong cryptography used to render all authentication credentials (such as passwords/passphrases) unreadable during transmission and storage on all system components? Review password procedures Review vendor documentation Examine system configuration settings Observe password files Observe data transmissions
Modified
p. 48 → 46
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 8.1.6 (a) Are repeated access attempts limited by locking out the user ID after no more than six attempts?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 8.1.6 Are repeated access attempts limited by locking out the user ID after no more than six attempts? Review password procedures.
Modified
p. 48 → 46
For service providers only: Are non-consumer customer passwords temporarily locked-out after not more than six invalid access attempts? Review policies and procedures.
Removed
p. 49
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested For service providers only: Is strong cryptography used to render all non-consumer customers’ authentication credentials (such as passwords/passphrases) unreadable during transmission and storage on all system components?
Modified
p. 49 → 47
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 8.2.2 Is user identity verified before modifying any authentication credential (for example, performing password resets, provisioning new tokens, or generating new keys)? Review authentication procedures.
Modified
p. 49 → 47
For service providers only: Are non-consumer customer passwords required to meet the following minimum length and complexity requirements? A minimum password length of at least seven characters Contain both numeric and alphabetic characters Review customer/user documentation.
Modified
p. 49 → 47
For service providers only: Are non-consumer customer passwords required to be changed periodically, and are non-consumer customers given guidance as to when, and under what circumstances, passwords must change.
Modified
p. 49 → 47
Review customer/user documentation.
Removed
p. 50
Review customer/user documentation Observe internal processes 8.2.6 Are passwords/passphrases set to a unique value for each user for first-time use and upon reset, and must each user change their password immediately after the first use? Review password procedures Examine system configuration settings Observe security personnel 8.3 Is all individual non-console administrative access and all remote access to the CDE secured using multi-factor authentication, as follows:
Modified
p. 50 → 47
For service providers only: Are new, non-consumer customer passwords required to be different from any of the last four passwords used? Review customer/user documentation.
Modified
p. 51 → 49
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested Do authentication policies and procedures include the following? Guidance on selecting strong authentication credentials Guidance for how users should protect their authentication credentials Instructions not to reuse previously used passwords Instructions that users should change passwords if there is any suspicion the password could be compromised Review policies and procedures.
Modified
p. 51 → 49
Generic user IDs and accounts are disabled or removed; Shared user IDs for system administration activities and other critical functions do not exist; and Shared and generic user IDs are not used to administer any system components? Review policies and procedures.
Modified
p. 51
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 8.4 (a) Are authentication policies and procedures documented and communicated to all users?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 8.8 Are security policies and operational procedures for identification and authentication:
Modified
p. 52 → 50
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 8.6 Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, and certificates, etc.), is the use of these mechanisms assigned as follows? Authentication mechanisms must be assigned to an individual account and not shared among multiple accounts Physical and/or logical controls must be in place to ensure only the intended account can use that mechanism …
Removed
p. 53
Review database authentication policies and procedures Examine database and application configuration settings Is user direct access to or queries to of databases restricted to database administrators?
Review database authentication policies and procedures Examine database access control settings Examine database application configuration settings (c) Are application IDs only able to be used by the applications (and not by individual users or other processes)? Review database authentication policies and procedures Examine database access control settings Examine database application configuration settings 8.8 Are security policies and operational procedures for identification and authentication:
Review database authentication policies and procedures Examine database access control settings Examine database application configuration settings (c) Are application IDs only able to be used by the applications (and not by individual users or other processes)? Review database authentication policies and procedures Examine database access control settings Examine database application configuration settings 8.8 Are security policies and operational procedures for identification and authentication:
Modified
p. 53 → 50
Is all user access to, user queries of, and user actions on (for example, move, copy, delete), the database through programmatic methods only (for example, through stored procedures)? Review database authentication policies and procedures.
Modified
p. 54 → 52
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 9.1 Are appropriate facility entry controls in place to limit and monitor physical access to systems in the cardholder data environment?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 9.1 Are appropriate facility entry controls in place to limit and monitor physical access to systems in the cardholder data environment? Observe physical access controls.
Modified
p. 54 → 52
Are either video cameras or access control mechanisms (or both) protected from tampering or disabling?
Modified
p. 54 → 52
(c) Is data collected from video cameras and/or access control mechanisms reviewed and correlated with other entries? Review policies and procedures.
Modified
p. 54 → 52
(d) Is data collected from video cameras and/or access control mechanisms stored for at least three months unless otherwise restricted by law? Review data retention processes.
Modified
p. 54
Review policies and procedures for physically securing media.
Modified
p. 55 → 53
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 9.1.3 Is physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines restricted? Review policies and procedures Interview personnel Observe devices 9.2 (a) Are procedures developed to easily distinguish between onsite personnel and visitors, which include:
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 9.1.3 Is physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines restricted? Review policies and procedures.
Modified
p. 55 → 53
Do identification methods (such as ID badges) clearly identify visitors and easily distinguish between onsite personnel and visitors? Observe identification methods.
Modified
p. 55 → 53
(c) Is access to the badge system limited to authorized personnel? Observe physical controls and access controls for the badge system.
Modified
p. 56 → 53
Is access authorized and based on individual job function?
Modified
p. 56 → 53
Is access revoked immediately upon termination Upon termination, are all physical access mechanisms, such as keys, access cards, etc., returned or disabled? Examine access control lists.
Modified
p. 56 → 54
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 9.3 Is physical access to sensitive areas controlled for onsite personnel, as follows:
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 9.4 Is visitor identification and access handled as follows:
Modified
p. 56 → 54
Does the visitor log contain the visitor’s name, the firm represented, and the onsite personnel authorizing physical access? Review policies and procedures.
Removed
p. 57
Review policies and procedures for physically securing media Interview personnel 9.5.1 Is the location where media back-ups are stored reviewed at least annually to confirm storage is secure?
Removed
p. 58
Examine inventory logs Interview personnel 9.8 (a) Is all media destroyed when it is no longer needed for business or legal reasons?
Modified
p. 58 → 55
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested Are periodic media inventories conducted at least annually?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 9.5.1 Is the location where media back-ups are stored reviewed at least annually to confirm storage is secure? Review policies and procedures for reviewing offsite media locations.
Modified
p. 58 → 56
Is there a periodic media destruction policy that defines requirements for the following? Hard-copy materials must be crosscut shredded, incinerated, or pulped such that there is reasonable assurance the hard-copy materials cannot be reconstructed.
Modified
p. 58 → 56
Storage containers used for materials that are to be destroyed must be secured.
Modified
p. 58 → 56
Cardholder data on electronic media must be rendered unrecoverable (e.g., via a secure wipe program in accordance with industry-accepted standards for secure deletion, or by physically destroying the media).
Modified
p. 58 → 56
Review periodic media destruction policies and procedures.
Modified
p. 58 → 56
Are storage containers used for materials that contain information to be destroyed secured to prevent access to the contents? Examine security of storage containers.
Removed
p. 59
Review policies and procedures 9.9.1 (a) Does the list of devices include the following?
Modified
p. 59 → 57
Do policies and procedures require that a list of such devices be maintained? Review policies and procedures.
Modified
p. 59 → 57
Do policies and procedures require that devices are periodically inspected to look for tampering or substitution? Review policies and procedures.
Modified
p. 59 → 57
Do policies and procedures require that personnel are trained to be aware of suspicious behavior and to report tampering or substitution of devices? Review policies and procedures.
Modified
p. 60 → 58
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 9.9.2 (a) Are device surfaces periodically inspected to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device) as follows? Note: Examples of signs that a device might have been tampered with or substituted include unexpected attachments …
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 9.9.2 Are device surfaces periodically inspected to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device) as follows? Note: Examples of signs that a device might have been tampered with or substituted include unexpected attachments or …
Modified
p. 60 → 58
Observe inspection processes and compare to defined processes.
Modified
p. 60 → 58
(a) Do training materials for personnel at point-of-sale locations include the following? Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices. Do not install, replace, or return devices without verification. Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices). Report suspicious behavior and indications of device tampering or substitution to appropriate personnel …
(a) Do training materials for personnel at point-of-sale locations include the following? Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices.
Modified
p. 60 → 58
Review training materials.
Modified
p. 61 → 59
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested (b) Have personnel at point-of-sale locations received training, and are they aware of procedures to detect and report attempted tampering or replacement of devices? Interview personnel at POS locations 9.10 Are security policies and operational procedures for restricting physical access to cardholder data:
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 9.9.3 (cont.) (b) Have personnel at point-of-sale locations received training, and are they aware of procedures to detect and report attempted tampering or replacement of devices? Interview personnel at POS locations.
Modified
p. 62 → 60
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 10.1 (a) Are audit trails enabled and active for system components?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 10.1 Are audit trails enabled and active for system components? Observe processes.
Modified
p. 63 → 61
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 10.2.6 Initialization, stopping, or pausing of the audit logs? Interview personnel Observe audit logs Examine audit log settings 10.2.7 Creation and deletion of system-level objects? Interview personnel Observe audit logs Examine audit log settings 10.3 Are the following audit trail entries recorded for all system components for each event:
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 10.2.6 Initialization, stopping, or pausing of the audit logs? Interview personnel.
Modified
p. 64 → 62
Do only designated central time server(s) receive time signals from external sources, and are time signals from external sources based on International Atomic Time or UTC? Review time configuration standards and processes.
Modified
p. 64 → 62
Where there is more than one designated time server, do the time servers peer with each other to keep accurate time? Review time configuration standards and processes.
Modified
p. 64 → 62
(c) Do systems receive time only from designated central time server(s)? Review time configuration standards and processes.
Modified
p. 64 → 62
Is access to time data restricted to only personnel with a business need to access time data? Examine system configurations and time-synchronization settings.
Modified
p. 64 → 62
Are changes to time settings on critical systems logged, monitored, and reviewed? Examine system configurations and time-synchronization settings and logs.
Modified
p. 65 → 63
Are logs for external-facing technologies (for example, wireless, firewalls, DNS, mail) written onto a secure, centralized, internal log server or media? Interview system administrators.
Modified
p. 66 → 64
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 10.6 Are logs and security events for all system components reviewed to identify anomalies or suspicious activity as follows? Note: Log harvesting, parsing, and alerting tools may be used to achieve compliance with Requirement 10.6.
Modified
p. 66 → 64
Are reviews of all other system components performed in accordance with organization’s policies and risk management strategy? Review risk assessment documentation.
Removed
p. 67
Review security policies and procedures Are audit logs retained for at least one year? Interview personnel Examine audit logs (c) Are at least the last three months’ logs immediately available for analysis? Interview personnel Observe processes 10.8 For service providers only: Is a process implemented for the timely detection and reporting of failures of critical security control systems as follows:
Removed
p. 67
Firewalls IDS/IPS FIM Anti-virus Physical access controls Logical access controls Audit logging mechanisms Segmentation controls (if used) Review policies and procedures
Modified
p. 67 → 65
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 10.7 Are audit log retention policies and procedures in place and do they require that logs are retained for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup)? Review security policies and procedures.
Modified
p. 67 → 65
(a) Are processes implemented for the timely detection and reporting of failures of critical security control systems, including but not limited to failure of:
(a) Are processes implemented for the timely detection and reporting of failures of critical security control systems, including but not limited to failure of: Firewalls IDS/IPS FIM Anti-virus Physical access controls Logical access controls Audit logging mechanisms Segmentation controls (if used) Review policies and procedures.
Modified
p. 67 → 66
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 10.6.3 (a) Are written policies and procedures defined for following up on exceptions and anomalies identified during the review process?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested Are processes for responding to critical security control failures defined and implemented, and include:
Removed
p. 68
Restoring security functions Identifying and documenting the duration (date and time start to end) of the security failure Identifying and documenting cause(s) of failure, including root cause, and documenting remediation required to address root cause Identifying and addressing any security issues that arose during the failure Implementing controls to prevent cause of failure from reoccurring Resuming monitoring of security controls? Review policies and procedures Interview personnel (b) Are failures in critical security controls documented, including:
Modified
p. 68 → 65
(b) Does the failure of a critical security control result in the generation of an alert? 10.8.1 For service providers only: Are failures of any critical security controls responded to in a timely manner, as follows:
Modified
p. 68 → 66
Are failures in critical security controls documented, including: Identification of cause(s) of the failure, including root cause Duration (date and time start and end) of the security failure Details of the remediation required to address the root cause? Examine records of security control failures.
Removed
p. 70
Evaluate the methodology (c) If wireless scanning is utilized to identify authorized and unauthorized wireless access points, is the scan performed at least quarterly for all system components and facilities?
Modified
p. 70 → 67
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 11.1 (a) Are processes implemented for detection and identification of both authorized and unauthorized wireless access points on a quarterly basis? Note: Methods that may be used in the process include, but are not limited to, wireless network scans, physical/logical inspections of system components and infrastructure, network access control (NAC), or wireless IDS/IPS.
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 11.1 Are processes implemented for detection and identification of both authorized and unauthorized wireless access points on a quarterly basis? Note: Methods that may be used in the process include, but are not limited to, wireless network scans, physical/logical inspections of system components and infrastructure, network access control (NAC), or wireless IDS/IPS.
Modified
p. 70 → 67
Does the methodology detect and identify any unauthorized wireless access points, including at least the following? WLAN cards inserted into system components; Portable or mobile devices attached to system components to create a wireless access point (for example, by USB, etc.); and Wireless devices attached to a network port or network device.
Modified
p. 70 → 67
If automated monitoring is utilized (for example, wireless IDS/IPS, NAC, etc.), is monitoring configured to generate alerts to notify personnel? Examine configuration settings.
Modified
p. 71 → 68
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 11.1.2 (a) Does the incident response plan define and require a response in the event that an unauthorized wireless access point is detected?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 11.1.2 Does the incident response plan define and require a response in the event that an unauthorized wireless access point is detected? Examine incident response plan (see Requirement 12.10).
Modified
p. 72 → 69
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested (c) Are quarterly internal scans performed by a qualified internal resource(s) or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 11.2.1 (cont.) Are quarterly internal scans performed by a qualified internal resource(s) or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)?
Modified
p. 72 → 69
Do external quarterly scan and rescan results satisfy the ASV Program Guide requirements for a passing scan (for example, no vulnerabilities rated 4.0 or higher by the CVSS, and no automatic failures)? Review results of each external quarterly scan and rescan.
Modified
p. 72 → 69
Are quarterly external vulnerability scans performed by a PCI SSC Approved Scanning Vendor (ASV? Review results of each external quarterly scan and rescan.
Modified
p. 72 → 69
Examine and correlate change control documentation and scan reports.
Modified
p. 72 → 69
Does the scan process include rescans until: For external scans, no vulnerabilities exist that are scored 4.0 or higher by the CVSS, For internal scans, a passing result is obtained or all “high- risk” vulnerabilities as defined in PCI DSS Requirement 6.1 are resolved?
Modified
p. 72 → 70
Are tests performed by a qualified internal resource or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)? Interview responsible personnel.
Modified
p. 73 → 70
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 11.3 Does the penetration-testing methodology include the following? Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) Includes coverage for the entire CDE perimeter and critical systems Includes testing from both inside and outside the network Includes testing to validate any segmentation and scope- reduction controls Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in …
Modified
p. 73 → 71
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 11.3 Does the penetration-testing methodology include the following?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 11.3.2 Is internal penetration testing performed per the defined methodology, at least annually, and after any significant infrastructure or application changes to the environment (such as an operating system upgrade, a sub-network added to the environment, or an added web server)? Examine scope of work.
Modified
p. 73 → 71
Are tests performed by a qualified internal resource or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)? Interview responsible personnel.
Modified
p. 74 → 71
Are tests performed by a qualified internal resource or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)? Interview responsible personnel.
Modified
p. 74 → 71
Are penetration-testing procedures defined to test all segmentation methods, to confirm they are operational and effective, and isolate all out-of-scope systems from systems in the CDE? Examine segmentation controls.
Modified
p. 74 → 71
Does penetration testing to verify segmentation controls meet the following? Performed at least annually and after any changes to segmentation controls/methods.
Removed
p. 75
Examine results of penetration tests on segmentation controls (b) Does penetration testing cover all segmentation controls/methods in use?
Examine results of penetration tests on segmentation controls (c) Does penetration testing verify that segmentation controls/methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE Examine results of penetration tests on segmentation controls (d) Are tests performed by a qualified internal resource or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)? Interview responsible personnel 11.4 (a) Are intrusion-detection and/or intrusion-prevention techniques that detect and/or prevent intrusions into the network in place to monitor all traffic:
Examine results of penetration tests on segmentation controls (c) Does penetration testing verify that segmentation controls/methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE Examine results of penetration tests on segmentation controls (d) Are tests performed by a qualified internal resource or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)? Interview responsible personnel 11.4 (a) Are intrusion-detection and/or intrusion-prevention techniques that detect and/or prevent intrusions into the network in place to monitor all traffic:
Modified
p. 75 → 72
Is PCI DSS scope confirmed by performing penetration tests on segmentation controls at least every six months and after any changes to segmentation controls/methods? Examine results of penetration tests on segmentation controls.
Modified
p. 75 → 72
At the perimeter of the cardholder data environment, and At critical points in the cardholder data environment.
Modified
p. 75 → 72
Are intrusion-detection and/or intrusion-prevention techniques configured to alert personnel of suspected compromises? Examine system configurations.
Modified
p. 75 → 72
Are all intrusion-detection and prevention engines, baselines, and signatures kept up-to-date? Examine IDS/IPS configurations.
Modified
p. 76 → 73
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 11.5 (a) Is a change-detection mechanism (for example, file- integrity monitoring tools) deployed to detect unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files? Examples of files that should be monitored include:
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 11.5 Is a change-detection mechanism (for example, file-integrity monitoring tools) deployed to detect unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files? Examples of files that should be monitored include:
Modified
p. 76 → 73
Is the change-detection mechanism configured to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files or content files, and do the tools perform critical file comparisons at least weekly? Note: For change detection purposes, critical files are usually those that do not regularly change, but the modification of which could indicate a system compromise or risk of compromise. Change detection mechanisms such as file- integrity monitoring products usually come pre-configured with critical files …
Modified
p. 78 → 75
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 12.1 Is a security policy established, published, maintained, and disseminated to all relevant personnel?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 12.1 Is a security policy established, published, maintained, and disseminated to all relevant personnel? Review the information security policy.
Modified
p. 78 → 75
(b) Is the risk assessment process performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.)? Review risk assessment documentation.
Removed
p. 79
Review usage policies Interview responsible personnel 12.3.2 Authentication for use of the technology? Review usage policies Interview responsible personnel 12.3.3 A list of all such devices and personnel with access? Review usage policies Interview responsible personnel 12.3.4 A method to accurately and readily determine owner, contact information, and purpose (for example, labeling, coding, and/or inventorying of devices)?
Review usage policies Interview responsible personnel 12.3.5 Acceptable uses of the technologies? Review usage policies Interview responsible personnel 12.3.6 Acceptable network locations for the technologies? Review usage policies Interview responsible personnel 12.3.7 List of company-approved products? Review usage policies Interview responsible personnel 12.3.8 Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity?
Review usage policies Interview responsible personnel 12.3.5 Acceptable uses of the technologies? Review usage policies Interview responsible personnel 12.3.6 Acceptable network locations for the technologies? Review usage policies Interview responsible personnel 12.3.7 List of company-approved products? Review usage policies Interview responsible personnel 12.3.8 Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity?
Modified
p. 79 → 76
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 12.3.1 Explicit approval by authorized parties to use the technologies?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 12.3.2 Authentication for use of the technology? Review usage policies.
Modified
p. 80 → 76
For personnel with proper authorization, does the policy require the protection of cardholder data in accordance with PCI DSS Requirements? Review usage policies.
Modified
p. 80 → 77
Has executive management assigned overall accountability for maintaining the entity’s PCI DSS compliance? Examine documentation (b) Has executive management defined a charter for the
Has executive management assigned overall accountability for maintaining the entity’s PCI DSS compliance? Examine documentation.
Modified
p. 80 → 77
PCI DSS compliance program and communication to executive management?
PCI DSS compliance program and communication to executive management? Examine PCI DSS charter.
Removed
p. 81
Review information security policy and procedures 12.5.5 Monitoring and controlling all access to data? Review information security policy and procedures 12.6 (a) Is a formal security awareness program in place to make all personnel aware of the cardholder data security policy and procedures? Review security awareness program (b) Do security awareness program procedures include the following:
Modified
p. 81 → 77
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested (b) Are the following information security management responsibilities formally assigned to an individual or team:
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 12.4 Do security policy and procedures clearly define information security responsibilities for all personnel? Review information security policy and procedures.
Modified
p. 81 → 78
Are personnel educated upon hire and at least annually? Examine security awareness program procedures and documentation.
Modified
p. 82 → 78
Have employees completed awareness training and are they aware of the importance of cardholder data security?
Modified
p. 82 → 79
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 12.8 Are policies and procedures maintained and implemented to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows:
Modified
p. 84 → 80
Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum? Review incident response plan procedures.
Modified
p. 85 → 81
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested Data backup processes? Review incident response plan procedures Analysis of legal requirements for reporting compromises?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 12.10.1(b) (cont.) Data backup processes? Review incident response plan procedures.
Modified
p. 85 → 81
Coverage and responses of all critical system components? Review incident response plan procedures.
Modified
p. 85 → 81
Reference or inclusion of incident response procedures from the payment brands? Review incident response plan procedures.
Removed
p. 86
Examine documentation from the quarterly reviews
Modified
p. 86 → 82
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 12.11 For service providers only: Are reviews performed at least quarterly to confirm personnel are following security policies and operational procedures, as follows:
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested (a) Do reviews cover the following processes:
Modified
p. 86 → 82
Daily log reviews Firewall rule-set reviews Applying configuration standards to new systems Responding to security alerts Change management processes Examine policies and procedures for performing quarterly reviews.
Modified
p. 86 → 82
Documenting results of the reviews Review and sign off of results by personnel assigned responsibility for the PCI DSS compliance program Examine documentation from the quarterly reviews.
Modified
p. 87 → 83
A1.1 Does each entity run processes that have access to only that entity’s cardholder data environment, and are these application processes run using the unique ID of the entity? No entity on the system can use a shared web server user ID.
A1.1 Does each entity run processes that have access to only that entity’s cardholder data environment, and are these application processes run using the unique ID of the entity? No entity on the system can use a shared web server user ID.
Modified
p. 87 → 83
All CGI scripts used by an entity must be created and run as the entity’s unique user ID Examine system configurations and related unique IDs for hosted entities.
Modified
p. 87 → 83
Are the user IDs for application processes not privileged users (root/admin)? Examine system configurations for application user IDs.
Modified
p. 87 → 83
Does each entity have read, write, or execute permissions only for files and directories it owns or for necessary system files (restricted via file system permissions, access control lists, chroot, jailshell, etc.)? Important: An entity’s files may not be shared by group.
Modified
p. 87 → 83
Examine system configurations and file permissions for hosted entities.
Removed
p. 88
Examine system configurations and file permissions for shared system binaries (d) Is viewing of log entries restricted to the owning entity? Examine system configurations and file permissions for viewing log entries (e) Are restrictions in place for the use of these system resources? Disk space, Bandwidth, Memory, CPU This ensures that each entity cannot monopolize server resources to exploit vulnerabilities (for example, error, race, and restart conditions, resulting in, for example, buffer overflows).
Examine log settings Logs are active by default? Examine log settings Logs are available for review by the owning entity? Examine log settings Log locations are clearly communicated to the owning entity?
Examine log settings Logs are active by default? Examine log settings Logs are available for review by the owning entity? Examine log settings Log locations are clearly communicated to the owning entity?
Modified
p. 88 → 84
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested (c) Do all entities’ users not have write access to shared system binaries?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested A1.2 (cont.) Do all entities’ users not have write access to shared system binaries? Examine system configurations and file permissions for shared system binaries.
Modified
p. 88 → 84
Is viewing of log entries restricted to the owning entity? Examine system configurations and file permissions for viewing log entries.
Modified
p. 88 → 84
Examine system configurations and file permissions for use of: Disk space Bandwidth Memory CPU A1.3 Are logging and audit trails enabled and unique to each entity’s cardholder data environment and consistent with PCI DSS Requirement 10? Examine log settings.
Modified
p. 88 → 84
Logs are enabled for common third-party applications? Examine log settings.
Modified
p. 88 → 84
A1.4 Are written policies and processes enabled to provide for timely forensic investigation in the event of a compromise to any hosted merchant or service provider? Review written policies and procedures.
Removed
p. 89
Are the devices confirmed to not be susceptible to any known exploits for SSL/early TLS Is there a formal Risk Mitigation and Migration Plan in place per Requirement A2.2? Review documentation (for example, vendor documentation, system/network configuration details, etc.) that verifies POS POI devices are not susceptible to any known exploits for SSL/early TLS A2.2 Is there a formal Risk Mitigation and Migration Plan in place for all implementations that use SSL and/or early TLS (other than as allowed in A2.1), that includes:
Modified
p. 89 → 85
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested A2.1 For POS POI terminals (and the SSL/TLS termination points to which they connect) using SSL and/or early TLS:
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested A2.1 For POS POI terminals (at the merchant or payment- acceptance location) using SSL and/or early TLS: Are the devices confirmed to not be susceptible to any known exploits for SSL/early TLS
Modified
p. 89 → 85
Description of usage, including; what data is being transmitted, types and number of systems that use and/or support SSL/early TLS, type of environment; Risk assessment results and risk reduction controls in place; Description of processes to monitor for new vulnerabilities associated with SSL/early TLS; Description of change control processes that are implemented to ensure SSL/early TLS is not implemented into new environments; Overview of migration project plan to replace SSL/early TLS at a future date? Review the documented Risk Mitigation …
Removed
p. 90
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested A2.3 For service providers only: Is there a secure service offering in place? Note: Prior to June 30, 2016, the service provider must either have a secure protocol option included in their service offering, or have a documented Risk Mitigation and Migration Plan (per A2.2) that includes a target date for provision of a secure protocol option no later than June 30, 2016. After this date, all service providers must offer a secure protocol option for their service.
Modified
p. 91 → 87
Information Required Explanation Constraints List constraints precluding compliance with the original requirement.
Modified
p. 91 → 87
Objective Define the objective of the original control; identify the objective met by the compensating control.
Modified
p. 91 → 87
Identified Risk Identify any additional risk posed by the lack of the original control.
Modified
p. 91 → 87
Definition of Compensating Controls Define the compensating controls and explain how they address the objectives of the original control and the increased risk, if any.
Modified
p. 91 → 87
Validation of Compensating Controls Define how the compensating controls were validated and tested.
Modified
p. 91 → 87
Maintenance Define process and controls in place to maintain compensating controls.
Modified
p. 94 → 90
Non-Compliant: Not all sections of the PCI DSS SAQ are complete, or not all questions are answered affirmatively, resulting in an overall NON-COMPLIANT rating, thereby (Service Provide Company Name) has not demonstrated full compliance with the PCI DSS.
Non-Compliant: Not all sections of the PCI DSS SAQ are complete, or not all questions are answered affirmatively, resulting in an overall NON-COMPLIANT rating, thereby (Service Provider Company Name) has not demonstrated full compliance with the PCI DSS.
Modified
p. 95 → 91
ASV scans are being completed by the PCI SSC Approved Scanning Vendor (ASV Name) Part 3b. Service Provider Attestation Signature of Service Provider Executive Officer Date:
ASV scans are being completed by the PCI SSC Approved Scanning Vendor (ASV Name).
Modified
p. 96 → 92
PCI DSS Requirement Description of Requirement Compliant to PCI DSS Requirements (Select One) Remediation Date and Actions (If “NO” selected for any Requirement) YES NO 1 Install and maintain a firewall configuration to protect cardholder data Do not use vendor-supplied defaults for system passwords and other security parameters 3 Protect stored cardholder data 4 Encrypt transmission of cardholder data across open, public networks Protect all systems against malware and regularly update anti-virus software or programs 6 Develop and maintain secure …
PCI DSS Requirement Description of Requirement Compliant to PCI DSS Requirements (Select One) Remediation Date and Actions (If “NO” selected for any Requirement) YES NO 1 Install and maintain a firewall configuration to protect cardholder data.