Document Comparison

PCI_DSS_v3-1_SAQ_A-EP_rev1-1.pdf PCI-DSS-v3_2-SAQ-A_EP.pdf
79% similar
49 → 56 Pages
11860 → 13550 Words
78 Content Changes

Content Changes

78 content changes. 29 administrative changes (dates, page numbers) hidden.

Added p. 10
• Review documented process • Interview personnel • Examine network configurations 1.1.2 (a) Is there a current network diagram that documents all connections between the cardholder data environment and other networks, including any wireless networks?

• Review current network diagram • Examine network configurations (b) Is there a process to ensure the diagram is kept current?

• Interview responsible personnel 1.1.3 (a) Is there a current diagram that shows all cardholder data flows across systems and networks? • Review current dataflow diagram • Examine network configurations.

(b) Is there a process to ensure the diagram is kept current?

Table header: PCI DSS Question | Expected Testing | Response (check one response for each question: Yes / Yes with CCW / No / N/A)
1.1.6 (a) Do firewall and router configuration standards include a documented list of services, protocols, and ports, including business justification and approval for each?

• Review firewall and router configuration (b) Are firewall and router rule sets reviewed at least …
Added p. 12
• Examine firewall and router configurations 1.3.2 Is inbound Internet traffic limited to IP addresses within the DMZ?
Added p. 13
• Examine firewall and router configurations • Interview personnel 1.4 (a) Is personal firewall software (or equivalent functionality) installed and active on any portable computing devices (including company and/or employee-owned) that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the CDE?

• Review policies and configuration • Examine mobile and/or employee-owned devices (b) Is the personal firewall software (or equivalent functionality) configured to specific configuration settings, actively running, and not alterable by users of mobile and/or employee-owned devices? • Review policies and configuration • Examine mobile and/or employee-owned devices 1.5 Are security policies and operational procedures for managing firewalls:
Added p. 17
Table header: PCI DSS Question | Expected Testing | Response (check one response for each question: Yes / Yes with CCW / No / N/A)
2.3 Is non-console administrative access encrypted as follows:

Note: Where SSL/early TLS is used, the requirements in Appendix A2 must be completed.

Table header: PCI DSS Question | Expected Testing | Response (check one response for each question: Yes / Yes with CCW / No / N/A)
4.1 (a) Are strong cryptography and security protocols used to safeguard sensitive cardholder data during transmission over open, public networks? Note: Where SSL/early TLS is used, the requirements in Appendix A2 must be completed.

Table header: PCI DSS Question | Expected Testing | Response (check one response for each question: Yes / Yes with CCW / No / N/A)
4.3 Are security policies and operational procedures for encrypting transmissions of cardholder data:
Added p. 24
Table header: PCI DSS Question | Expected Testing | Response (check one response for each question: Yes / Yes with CCW / No / N/A)
6.4.5 (a) Are change-control procedures documented and require the following? • Documentation of impact • Documented change control approval by authorized parties • Functionality testing to verify that the change does not adversely impact the security of the system • Back-out procedures • Review change control processes and procedures (b) Are the following performed and documented for all changes:

• Examine software-development policies and procedures • Interview responsible personnel 6.5.4 Do coding techniques address insecure communications?

Table header: PCI DSS Question | Expected Testing | Response (check one response for each question: Yes / Yes with CCW / No / N/A)
6.5.6 Do coding techniques address all “high risk” vulnerabilities identified in the vulnerability identification process (as defined in PCI DSS Requirement 6.1)? • Examine software-development policies and procedures • Interview responsible personnel For web applications and application interfaces (internal or external), are applications developed based on …
Added p. 32
• Examine system configurations • Observe administrator logging into 8.3.2 Is multi-factor authentication incorporated for all remote network access (both user and administrator, and including third party access for support or maintenance) originating from outside the entity’s network? • Examine system configurations • Observe personnel connecting

Table header: PCI DSS Question | Expected Testing | Response (check one response for each question: Yes / Yes with CCW / No / N/A)
8.4 (a) Are authentication policies and procedures documented and communicated to all users?

• Review policies and procedures • Review distribution method • Interview personnel • Interview users Do authentication policies and procedures include the following? • Guidance on selecting strong authentication credentials • Guidance for how users should protect their authentication credentials • Instructions not to reuse previously used passwords • Instructions that users should change passwords if there is any suspicion the password could be compromised • Review policies and procedures • Review documentation provided to 8.5 Are group, …
Added p. 37
• Observe processes • Interview system administrator Is access to system components linked to individual users? • Observe processes • Interview system administrator 10.2 Are automated audit trails implemented for all system components to reconstruct the following events:

Table header: PCI DSS Question | Expected Testing | Response (check one response for each question: Yes / Yes with CCW / No / N/A)
10.2.7 Creation and deletion of system-level objects? • Interview personnel • Observe audit logs • Examine audit log settings 10.3 Are the following audit trail entries recorded for all system components for each event:

• Interview personnel • Observe audit logs • Examine audit log settings 10.4 Are all critical system clocks and times synchronized through use of time synchronization technology, and is the technology kept current? Note: One example of time synchronization technology is Network Time Protocol (NTP).

• Review time configuration standards and processes

Table header: PCI DSS Question | Expected Testing | Response (check one response for each question: Yes / Yes with CCW / No / N/A) …
Added p. 44
• Examine results from the most recent penetration test (c) Are tests performed by a qualified internal resource or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)? • Interview responsible personnel

Table header: PCI DSS Question | Expected Testing | Response (check one response for each question: Yes / Yes with CCW / No / N/A)
11.4 (a) Are intrusion-detection and/or intrusion-prevention techniques that detect and/or prevent intrusions into the network in place to monitor all traffic:

• At the perimeter of the cardholder data environment, and • At critical points in the cardholder data environment.

• Examine system configurations • Examine network diagrams (b) Are intrusion-detection and/or intrusion-prevention techniques configured to alert personnel of suspected compromises?
Added p. 50
Appendix A2: Additional PCI DSS Requirements for Entities using SSL/early TLS

Table header: PCI DSS Question | Expected Testing | Response (check one response for each question: Yes / Yes with CCW / No / N/A)
A2.1 For POS POI terminals (and the SSL/TLS termination points to which they connect) using SSL and/or early TLS:

• Are the devices confirmed to not be susceptible to any known exploits for SSL/early TLS? • Is there a formal Risk Mitigation and Migration Plan in place per Requirement A2.2? • Review documentation (for example, vendor documentation, system/network configuration details, etc.) that verifies POS POI devices are not susceptible to any known exploits for SSL/early TLS A2.2 Is there a formal Risk Mitigation and Migration Plan in place for all implementations that use SSL and/or early TLS (other than as allowed in A2.1), that includes:

• Description of usage, including: what data is being transmitted, types and number of systems that use and/or support SSL/early TLS, type …
Added p. 54
Section 3: Validation and Attestation Details Part 3. PCI DSS Validation This AOC is based on results noted in SAQ A-EP (Section 2), dated (SAQ completion date).
Modified p. 1
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A-EP and Attestation of Compliance Partially Outsourced E-commerce Merchants Using a Third-Party Website for Payment Processing For use with PCI DSS Version 3.1 Revision 1.1
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A-EP and Attestation of Compliance Partially Outsourced E-commerce Merchants Using a Third-Party Website for Payment Processing For use with PCI DSS Version 3.2
Modified p. 4
 Your company accepts only e-commerce transactions;  All processing of cardholder data, with the exception of the payment page, is entirely outsourced to a PCI DSS validated third-party payment processor;  Your e-commerce website does not receive cardholder data but controls how consumers, or their cardholder data, are redirected to a PCI DSS validated third-party payment processor;  If merchant website is hosted by a third-party provider, the provider is validated to all applicable PCI DSS requirements (e.g., including …
 Your company accepts only e-commerce transactions;  All processing of cardholder data, with the exception of the payment page, is entirely outsourced to a PCI DSS validated third-party payment processor;  Your e-commerce website does not receive cardholder data but controls how consumers, or their cardholder data, are redirected to a PCI DSS validated third-party payment processor;  If merchant website is hosted by a third-party provider, the provider is validated to all applicable PCI DSS requirements (e.g., including …
Modified p. 5
 Section 1 (Part 1 & 2 of the AOC)

• Assessment Information and Executive Summary.
 Section 1 (Parts 1 & 2 of the AOC)

• Assessment Information and Executive Summary.
Modified p. 5
5. Submit the SAQ and Attestation of Compliance, along with any other requested documentation, such as ASV scan reports, to your acquirer, payment brand or other requester.
5. Submit the SAQ and Attestation of Compliance (AOC), along with any other requested documentation, such as ASV scan reports, to your acquirer, payment brand or other requester.
Removed p. 7
ISA Name(s) (if applicable): Title:
Modified p. 9
Merchant accepts only e-commerce transactions; All processing of cardholder data, with the exception of the payment page, is entirely outsourced to a PCI DSS validated third-party payment processor; Merchant’s e-commerce website does not receive cardholder data but controls how consumers, or their cardholder data, are redirected to a PCI DSS validated third-party payment processor; If merchant website is hosted by a third-party provider, the provider is validated to all applicable PCI DSS requirements (e.g., including PCI DSS Appendix A if …
Merchant accepts only e-commerce transactions; All processing of cardholder data, with the exception of the payment page, is entirely outsourced to a PCI DSS validated third-party payment processor; Merchant’s e-commerce website does not receive cardholder data but controls how consumers, or their cardholder data, are redirected to a PCI DSS validated third-party payment processor; If merchant website is hosted by a third-party provider, the provider is validated to all applicable PCI DSS requirements (e.g., including PCI DSS Appendix A if …
Removed p. 10
• Compare firewall configuration standards to current network diagram 1.1.6 (a) Do firewall and router configuration standards include a documented list of services, protocols, and ports, including business justification (for example, hypertext transfer protocol (HTTP), Secure Sockets Layer (SSL), Secure Shell (SSH), and Virtual Private Network (VPN) protocols)?
Modified p. 10
Table header: PCI DSS Question | Expected Testing | Response (check one response for each question: Yes / Yes with CCW / No / N/A)
1.1.4 (a) Is a firewall required and implemented at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone?
• Interview personnel 1.1.4 (a) Is a firewall required and implemented at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone?
Modified p. 10
• Review firewall configuration standards • Observe network configurations to verify that a firewall(s) is in place (b) Is the current network diagram consistent with the firewall configuration standards?
• Review firewall configuration standards • Observe network configurations to verify that a firewall(s) is in place (b) Is the current network diagram consistent with the firewall configuration standards? • Compare firewall configuration standards to current network diagram
Modified p. 10 → 11
• Review firewall and router configuration (b) Are all insecure services, protocols, and ports identified, and are security features documented and implemented for each identified service? Note: Examples of insecure services, protocols, or ports include but are not limited to FTP, Telnet, POP3, IMAP, and SNMP.
• Review firewall and router configuration (b) Are all insecure services, protocols, and ports identified, and are security features documented and implemented for each identified service?
Modified p. 10 → 11
• Review firewall and router configuration • Examine firewall and router configurations
• Review firewall and router configuration • Examine firewall and router configurations 1.1.7 (a) Do firewall and router configuration standards require review of firewall and router rule sets at least every six months?
Modified p. 11 → 10
Table header: PCI DSS Question | Expected Testing | Response (check one response for each question: Yes / Yes with CCW / No / N/A)
1.2 Do firewall and router configurations restrict connections between untrusted networks and any system in the cardholder data environment as follows:
Table header: PCI DSS Question | Expected Testing | Response (check one response for each question: Yes / Yes with CCW / No / N/A)
1.1 Are firewall and router configuration standards established and implemented to include the following:
Modified p. 11
• Review firewall and router configuration • Examine firewall and router configurations (b) Is all other inbound and outbound traffic specifically denied (for example by using an explicit “deny all” or an implicit deny after allow statement)?
• Review firewall and router configuration • Examine firewall and router configurations (b) Is all other inbound and outbound traffic specifically denied (for example by using an explicit “deny all” or an implicit deny after allow statement)? • Review firewall and router configuration • Examine firewall and router configurations
Modified p. 11 → 12
• Review firewall and router configuration • Examine firewall and router configurations 1.3.4 Are anti-spoofing measures implemented to detect and block forged sourced IP addresses from entering the network?
• Examine firewall and router configurations 1.3.3 Are anti-spoofing measures implemented to detect and block forged sourced IP addresses from entering the network?
Modified p. 11 → 12
(For example, block traffic originating from the internet with an internal address) • Examine firewall and router configurations 1.3.5 Is outbound traffic from the cardholder data environment to the Internet explicitly authorized?
(For example, block traffic originating from the internet with an internal address) • Examine firewall and router configurations 1.3.4 Is outbound traffic from the cardholder data environment to the Internet explicitly authorized?
Modified p. 11 → 12
• Examine firewall and router configurations 1.3.6 Is stateful inspection, also known as dynamic packet filtering, implemented (that is, only established connections are allowed into the network)? • Examine firewall and router configurations
• Examine firewall and router configurations 1.3.5 Are only established connections permitted into the network? • Examine firewall and router configurations
Modified p. 12 → 13
Table header: PCI DSS Question | Expected Testing | Response (check one response for each question: Yes / Yes with CCW / No / N/A)
1.3.8 (a) Are methods in place to prevent the disclosure of private IP addresses and routing information to the Internet? Note: Methods to obscure IP addressing may include, but are not limited to:
Table header: PCI DSS Question | Expected Testing | Response (check one response for each question: Yes / Yes with CCW / No / N/A)
1.3.7 (a) Are methods in place to prevent the disclosure of private IP addresses and routing information to the Internet? Note: Methods to obscure IP addressing may include, but are not limited to:
Modified p. 12 → 13
• Examine firewall and router configurations (b) Is any disclosure of private IP addresses and routing information to external entities authorized? • Examine firewall and router configurations • Interview personnel
• Examine firewall and router configurations (b) Is any disclosure of private IP addresses and routing information to external entities authorized?
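The Requirement 1 questions listed above describe a default-deny perimeter: forged internal or private sources dropped at the edge (1.3.3), new inbound Internet connections confined to the DMZ (1.3.2), only established connections permitted further in (1.3.5), outbound traffic from the CDE explicitly authorized (1.3.4), and an explicit "deny all" closing the ruleset (1.2(b)). The audit below is an added example written for this page, not text from the SAQ or any vendor's tool. The Rule representation, the DMZ range 203.0.113.0/24, the internal range 10.0.0.0/8 and both sample rulesets are assumptions constructed for the illustration; a real audit would load the rules from the firewall's own export format.

```python
"""Audit a simplified packet-filter ruleset against PCI DSS 1.2(b), 1.3.2, 1.3.3,
1.3.4 and 1.3.5 as quoted in the SAQ A-EP text. Added example for this page:
the Rule format is a vendor-neutral representation assumed for the illustration,
and the address ranges and sample rulesets are constructed, not real.
Rules are evaluated first-match, top to bottom."""
import ipaddress
from dataclasses import dataclass

DMZ = ipaddress.ip_network("203.0.113.0/24")   # assumed DMZ (RFC 5737 documentation range)
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal / CDE zone

# Sources that can only be forged when they arrive from the Internet (1.3.3):
# private, loopback and link-local space, plus the entity's own DMZ range.
SPOOFED_SOURCES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")] + [DMZ]

@dataclass(frozen=True)
class Rule:
    direction: str       # "in" (Internet -> entity), "out" (entity -> Internet) or "any"
    src: str             # CIDR or "any"
    dst: str             # CIDR or "any"
    action: str          # "allow" or "deny"
    state: str = "new"   # "new", or "established" for stateful reply traffic only

def _net(field):
    return None if field == "any" else ipaddress.ip_network(field)

def _covers(field, net):
    """True when the rule field matches every address in net ("any" matches all)."""
    n = _net(field)
    return n is None or net.subnet_of(n)

def _overlaps(field, net):
    n = _net(field)
    return n is None or n.overlaps(net)

def _inbound(rule):
    return rule.direction in ("in", "any")

def audit(rules):
    """Return a list of (requirement, message) findings; empty means every check passed."""
    findings = []
    # 1.2(b): traffic not explicitly allowed must be denied; require a closing deny-all.
    last = rules[-1] if rules else None
    if not (last and last.action == "deny" and last.direction == "any"
            and last.src == "any" and last.dst == "any"):
        findings.append(("1.2(b)", "ruleset does not end with an explicit deny-all"))
    # 1.3.3: the first inbound rule able to match a forged source must be a deny
    # covering the whole range; an earlier allow would admit spoofed packets.
    for bogon in SPOOFED_SOURCES:
        first = next((r for r in rules if _inbound(r) and _overlaps(r.src, bogon)), None)
        if first is None or first.action != "deny" or not _covers(first.src, bogon):
            findings.append(("1.3.3", f"forged source {bogon} is not blocked before any allow"))
    for r in rules:
        if r.action != "allow":
            continue
        dst = _net(r.dst)
        if _inbound(r):
            # 1.3.2: new inbound Internet connections may only reach DMZ addresses.
            if r.state == "new" and (dst is None or not dst.subnet_of(DMZ)):
                findings.append(("1.3.2", f"inbound allow {r.src} -> {r.dst} reaches outside the DMZ"))
            # 1.3.5: only established connections are permitted into the internal network.
            if r.state != "established" and _overlaps(r.dst, INTERNAL):
                findings.append(("1.3.5", f"inbound allow {r.src} -> {r.dst} is not limited to established connections"))
        elif r.src == "any" or r.dst == "any":
            # 1.3.4: outbound traffic from the CDE must be explicitly authorized; a
            # blanket source or destination on an egress allow is unscoped.
            findings.append(("1.3.4", f"outbound allow {r.src} -> {r.dst} is not explicitly scoped"))
    return findings

# Constructed sample rulesets (not from any real environment).
COMPLIANT = [
    Rule("in", "10.0.0.0/8", "any", "deny"),
    Rule("in", "172.16.0.0/12", "any", "deny"),
    Rule("in", "192.168.0.0/16", "any", "deny"),
    Rule("in", "127.0.0.0/8", "any", "deny"),
    Rule("in", "169.254.0.0/16", "any", "deny"),
    Rule("in", "203.0.113.0/24", "any", "deny"),
    Rule("in", "any", "203.0.113.10/32", "allow"),                  # Internet -> DMZ web tier
    Rule("in", "any", "10.0.0.0/8", "allow", state="established"),  # replies to internal egress only
    Rule("out", "10.10.5.0/24", "198.51.100.7/32", "allow"),        # documented processor endpoint
    Rule("any", "any", "any", "deny"),
]
NON_COMPLIANT = [
    Rule("in", "any", "203.0.113.10/32", "allow"),  # allow before any anti-spoofing deny
    Rule("in", "any", "10.0.0.0/8", "allow"),       # new connections straight into the internal zone
    Rule("out", "any", "any", "allow"),             # blanket egress, and no closing deny-all
]

if __name__ == "__main__":
    for name, rules in (("compliant", COMPLIANT), ("non-compliant", NON_COMPLIANT)):
        print(name, audit(rules) or "no findings")
```

The order-sensitivity in the 1.3.3 check is the point a rule export alone does not show: an anti-spoofing deny that sits below a broad allow is present in the configuration but never reached, so the audit looks at the first rule that can match each forged range rather than at whether a deny exists anywhere.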
Modified p. 13 → 14
Table header: PCI DSS Question | Expected Testing | Response (check one response for each question: Yes / Yes with CCW / No / N/A)
2.1 (a) Are vendor-supplied defaults always changed before installing a system on the network? This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, Simple Network Management Protocol (SNMP) community strings, etc.).
Table header: PCI DSS Question | Expected Testing | Response (check one response for each question: Yes / Yes with CCW / No / N/A)
2.1 (a) Are vendor-supplied defaults always changed before installing a system on the network? This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, payment applications, Simple Network Management Protocol (SNMP) community strings, etc.).
Modified p. 13 → 14
• Review system configuration • Review industry-accepted hardening • Review policies and procedures • Interview personnel (b) Are system configuration standards updated as new vulnerability issues are identified, as defined in Requirement 6.1?
• Review system configuration • Review industry-accepted hardening standards • Review policies and procedures • Interview personnel (b) Are system configuration standards updated as new vulnerability issues are identified, as defined in Requirement 6.1?
Removed p. 15
• Review documentation that verifies POS POI devices are not susceptible to any known exploits for SSL/early TLS • Review Risk Mitigation and Migration 2.2.4 (a) Are system administrators and/or personnel that configure system components knowledgeable about common security parameter settings for those system components?
Modified p. 15 → 16
• Review configuration standards • Interview personnel • Examine configuration settings • Compare enabled services, etc. to documented justifications 2.2.3 Are additional security features documented and implemented for any required services, protocols or daemons that are considered to be insecure? For example, use secured technologies such as SSH, S-FTP, TLS, or IPSec VPN to protect insecure services such as NetBIOS, file-sharing, Telnet, FTP, etc.
• Review configuration standards • Interview personnel • Examine configuration settings • Compare enabled services, etc. to documented justifications 2.2.3 Are additional security features documented and implemented for any required services, protocols or daemons that are considered to be insecure? Note: Where SSL/early TLS is used, the requirements in Appendix A2 must be completed.
Modified p. 15 → 16
• Review configuration standards • Examine configuration settings If SSL/early TLS is used:
• Review configuration standards • Examine configuration settings 2.2.4 (a) Are system administrators and/or personnel that configure system components knowledgeable about common security parameter settings for those system components?
Modified p. 15 → 16
• Review system configuration (c) Are security parameter settings set appropriately on system components? • Examine system components • Examine security parameter settings • Compare settings to system configuration standards
• Review system configuration (c) Are security parameter settings set appropriately on system components?
Removed p. 16
Use technologies such as SSH, VPN, or TLS for web-based management and other non-console administrative access.
Modified p. 16
Table header: PCI DSS Question | Expected Testing | Response (check one response for each question: Yes / Yes with CCW / No / N/A)
2.2.5 (a) Has all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers, been removed?
• Examine system components • Examine security parameter • Compare settings to system configuration standards 2.2.5 (a) Has all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers, been removed?
Modified p. 16
• Review documentation • Examine security parameters on system components (c) Is only documented functionality present on system components? • Review documentation • Examine security parameters on system components 2.3 Is non-console administrative access encrypted as follows:
• Review documentation • Examine security parameters on system components (c) Is only documented functionality present on system components? • Review documentation • Examine security parameters on system components
Modified p. 16 → 17
• Examine system components • Examine system configurations • Observe an administrator log on (b) Are system services and parameter files configured to prevent the use of Telnet and other insecure remote login commands? • Examine system components • Examine services and files
• Examine system components • Examine system configurations • Observe an administrator log on (b) Are system services and parameter files configured to prevent the use of Telnet and other insecure remote login commands?
Removed p. 17
Is there documentation (for example, vendor documentation, system/network configuration details, etc.) that verifies the devices are not susceptible to any known exploits for SSL/early TLS? • Review documentation that verifies POS POI devices are not susceptible to any known exploits for SSL/early TLS (f) For all other environments using SSL and/or early TLS:

Does the documented Risk Mitigation and Migration Plan include the following? • Description of usage, including: what data is being transmitted, types and number of systems that use and/or support SSL/early TLS, type of environment; • Risk assessment results and risk reduction controls in place; • Description of processes to monitor for new vulnerabilities associated with SSL/early TLS; • Description of change control processes that are implemented to ensure SSL/early TLS is not implemented into new environments; • Overview of migration project plan including target migration completion date no later than 30th June 2016.

• Review Risk Mitigation and Migration
Modified p. 17
Table header: PCI DSS Question | Expected Testing | Response (check one response for each question: Yes / Yes with CCW / No / N/A)
(c) Is administrator access to web-based management interfaces encrypted with strong cryptography?
• Examine system components • Examine services and files (c) Is administrator access to web-based management interfaces encrypted with strong cryptography?
Modified p. 17
• Examine system components • Observe an administrator log on (d) For the technology in use, is strong cryptography implemented according to industry best practice and/or vendor recommendations? • Examine system components • Review vendor documentation • Interview personnel (e) For POS POI terminals (and the SSL/TLS termination points to which they connect) using SSL and/or early TLS and for which the entity asserts are not susceptible to any known exploits for those protocols:
• Examine system components • Observe an administrator log on (d) For the technology in use, is strong cryptography implemented according to industry best practice and/or vendor recommendations? • Examine system components • Review vendor documentation • Interview personnel
Modified p. 19
Table header: PCI DSS Question | Expected Testing | Response (check one response for each question: Yes / Yes with CCW / No / N/A)
4.1 (a) Are strong cryptography and security protocols, such as TLS, SSH or IPSEC, used to safeguard sensitive cardholder data during transmission over open, public networks? Examples of open, public networks include but are not limited to the Internet; wireless technologies, including 802.11 and Bluetooth; cellular technologies, for example, Global System for Mobile communications (GSM), Code division multiple access (CDMA); and General Packet Radio Service …
Examples of open, public networks include but are not limited to the Internet; wireless technologies, including 802.11 and Bluetooth; cellular technologies, for example, Global System for Mobile communications (GSM), Code division multiple access (CDMA); and General Packet Radio Service (GPRS).
Modified p. 19
• Examine system configurations (d) Is the proper encryption strength implemented for the encryption methodology in use (check vendor recommendations/best practices)? • Review vendor documentation • Examine system configurations
• Examine system configurations (d) Is the proper encryption strength implemented for the encryption methodology in use (check vendor recommendations/best practices)?
Removed p. 20
• Review Risk Mitigation and Migration

• Examine system configurations (f) For POS POI terminals (and the SSL/TLS termination points to which they connect) using SSL and/or early TLS and for which the entity asserts are not susceptible to any known exploits for those protocols: Is there documentation (for example, vendor documentation, system/network configuration details, etc.) that verifies the devices are not susceptible to any known exploits for SSL/early TLS?

• Review documentation that verifies POS POI devices are not susceptible to any known exploits for SSL/early TLS (g) For all other environments using SSL and/or early TLS: Does the documented Risk Mitigation and Migration Plan include the following? • Description of usage, including: what data is being transmitted, types and number of systems that use and/or support SSL/early TLS, type of environment; • Risk assessment results and risk reduction controls in place; • Description of processes to monitor for new vulnerabilities associated …
Modified p. 20 → 19
Table header: PCI DSS Question | Expected Testing | Response (check one response for each question: Yes / Yes with CCW / No / N/A)
(e) For TLS implementations, is TLS enabled whenever cardholder data is transmitted or received? For example, for browser-based implementations:
• Review vendor documentation • Examine system configurations (e) For TLS implementations, is TLS enabled whenever cardholder data is transmitted or received? For example, for browser-based implementations:
Modified p. 21 → 19
Table header: PCI DSS Question | Expected Testing | Response (check one response for each question: Yes / Yes with CCW / No / N/A)
4.2 (b) Are policies in place that state that unprotected PANs are not to be sent via end-user messaging technologies? • Review policies and procedures
• Examine system configurations 4.2 (b) Are policies in place that state that unprotected PANs are not to be sent via end-user messaging technologies? • Review policies and procedures
Modified p. 23 → 22
• Examine anti-virus configurations • Examine system components • Observe processes • Interview personnel
• Examine anti-virus configurations • Examine system components • Observe processes • Interview personnel 5.4 Are security policies and operational procedures for protecting systems against malware:
Removed p. 25
Table header: PCI DSS Question | Expected Testing | Response (check one response for each question: Yes / Yes with CCW / No / N/A)
6.4.5 (a) Are change-control procedures for implementing security patches and software modifications documented and require the following?
Modified p. 26 → 25
Table header: PCI DSS Question | Expected Testing | Response (check one response for each question: Yes / Yes with CCW / No / N/A)
6.5 (c) Are applications developed based on secure coding guidelines to protect applications from, at a minimum, the following vulnerabilities:
Table header: PCI DSS Question | Expected Testing | Response (check one response for each question: Yes / Yes with CCW / No / N/A)
6.4.6 Upon completion of a significant change, are all relevant PCI DSS requirements implemented on all new or changed systems and networks, and documentation updated as applicable? Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement. • Trace changes to change control documentation • Examine change control documentation • Interview personnel • Observe affected systems or 6.5 …
Modified p. 26 → 25
• Examine software-development policies and procedures • Interview responsible personnel 6.5.2 Do coding techniques address buffer overflow vulnerabilities? • Examine software-development policies and procedures • Interview responsible personnel For web applications and application interfaces (internal or external), are applications developed based on secure coding guidelines to protect applications from the following additional vulnerabilities:
• Examine software-development policies and procedures • Interview responsible personnel 6.5.5 Do coding techniques address improper error handling? • Examine software-development policies and procedures • Interview responsible personnel
Modified p. 28 → 29
• Examine written access control policy • Interview personnel • Interview management • Review privileged user IDs 7.1.3 Are access assigned based on individual personnel’s job classification and function? • Examine written access control policy • Interview management • Review user IDs
• Examine written access control policy • Interview personnel • Interview management • Review privileged user IDs 7.1.3 Is access assigned based on individual personnel’s job classification and function?
Modified p. 29 → 30
• Review password procedures • Interview personnel 8.1.3 Is access for any terminated users immediately deactivated or removed?
• Review password procedures • Examine privileged and general user IDs and associated authorizations • Observe system settings 8.1.3 Is access for any terminated users immediately deactivated or removed?
Modified p. 29 → 30
• Review password procedures • Examine terminated users accounts • Review current access lists • Observe returned physical authentication devices 8.1.5 (a) Are accounts used by vendors to access, support, or maintain system components via remote access enabled only during the time period needed and disabled when not in use?
• Review password procedures • Observe user accounts 8.1.5 (a) Are accounts used by third parties to access, support, or maintain system components via remote access enabled only during the time period needed and disabled when not in use?
Modified p. 29 → 30
• Review password procedures • Interview personnel • Observe processes (b) Are vendor remote access accounts monitored when in use?
• Review password procedures • Interview personnel • Observe processes (b) Are third party remote access accounts monitored when in use?
Modified p. 29 → 30
• Review password procedures • Examine system configuration settings 8.1.7 Once a user account is locked out, is the lockout duration set to a minimum of 30 minutes or until an administrator enables the user ID?
• Review password procedures • Examine system configuration settings 8.1.7 Once a user account is locked out, is the lockout duration set to a minimum of 30 minutes or until an administrator enables the user ID? • Review password procedures • Examine system configuration settings
Modified p. 29 → 31
• Review password procedures • Examine system configuration settings In addition to assigning a unique ID, is one or more of the following methods employed to authenticate all users? • Something you know, such as a password or passphrase • Something you have, such as a token device or smart card • Something you are, such as a biometric • Review password procedures • Observe authentication processes
• Review password procedures • Examine system configuration settings In addition to assigning a unique ID, is one or more of the following methods employed to authenticate all users?
Modified p. 30 → 31
• Review password procedures • Review vendor documentation • Examine system configuration settings • Observe password files • Observe data transmissions 8.2.3 (a) Are user password parameters configured to require passwords/passphrases meet the following? • A minimum password length of at least seven characters • Contain both numeric and alphabetic characters Alternatively, the passwords/phrases must have complexity and strength at least equivalent to the parameters specified above.
• Review authentication procedures • Observe personnel 8.2.3 (a) Are user password parameters configured to require passwords/passphrases meet the following? • A minimum password length of at least seven characters • Contain both numeric and alphabetic characters Alternatively, the passwords/passphrases must have complexity and strength at least equivalent to the parameters specified above.
Modified p. 30 → 31
• Examine system configuration settings to verify password parameters 8.2.4 (a) Are user passwords/passphrases changed at least once every 90 days?
• Examine system configuration settings to verify password parameters
Modified p. 30 → 32
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 8.2.1 (a) Is strong cryptography used to render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components?
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 8.2.4 (a) Are user passwords/passphrases changed at least once every 90 days?
Modified p. 30 → 32
• Review password procedures • Examine system configuration settings 8.2.5 (a) Must an individual submit a new password/phrase that is different from any of the last four passwords/phrases he or she has used?
• Review password procedures • Examine system configuration settings 8.2.5 (a) Must an individual submit a new password/phrase that is different from any of the last four passwords/passphrases he or she has used?
Modified p. 30 → 32
• Review password procedures • Sample system components • Examine system configuration settings 8.2.6 Are passwords/phrases set to a unique value for each user for first-time use and upon reset, and must each user change their password immediately after the first use? • Review password procedures • Examine system configuration settings • Observe security personnel
• Review password procedures • Sample system components • Examine system configuration settings 8.2.6 Are passwords/passphrases set to a unique value for each user for first-time use and upon reset, and must each user change their password immediately after the first use? • Review password procedures • Examine system configuration settings • Observe security personnel 8.3 Is all individual non-console administrative access and all remote access to the CDE secured using multi-factor authentication, as follows:
Removed p. 31
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 8.3 Is two-factor authentication incorporated for remote network access originating from outside the network by personnel (including users and administrators) and all third parties (including vendor access for support or maintenance)? Note: Two-factor authentication requires that two of the three authentication methods (see PCI DSS Requirement 8.2 for descriptions of authentication methods) be used for authentication. Using one factor twice (for example, using two separate passwords) is not considered two-factor authentication.

Examples of two-factor technologies include remote authentication and dial-in service (RADIUS) with tokens; terminal access controller access control system (TACACS) with tokens; and other technologies that facilitate two-factor authentication.

• Review policies and procedures • Examine system configurations • Observe personnel 8.5 Are group, shared, or generic accounts, passwords, or other authentication methods prohibited as follows:
Modified p. 31 → 33
• Generic user IDs and accounts are disabled or • Shared user IDs for system administration activities and other critical functions do not exist; and • Shared and generic user IDs are not used to administer any system components?
• Generic user IDs and accounts are disabled or • Shared user IDs for system administration activities and other critical functions do not exist; and • Shared and generic user IDs are not used to administer any system components? • Review policies and procedures • Examine user ID lists • Interview personnel
Modified p. 31 → 34
• Review policies and procedures • Examine user ID lists • Interview personnel 8.6 Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, and certificates, etc.), is the use of these mechanisms assigned as follows? • Authentication mechanisms must be assigned to an individual account and not shared among multiple accounts • Physical and/or logical controls must be in place to ensure only the intended account can use that mechanism to gain access • …
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 8.6 Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, and certificates, etc.), is the use of these mechanisms assigned as follows? • Authentication mechanisms must be assigned to an individual account and not shared among multiple accounts • Physical and/or logical controls must be in place to ensure only the intended account can use that mechanism to gain …
Modified p. 34 → 37
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 10.2 Are automated audit trails implemented for all system components to reconstruct the following events:
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 10.1 Are audit trails enabled and active for system components?
Modified p. 34 → 37
• and all changes, additions, or deletions to accounts with root or administrative privileges? • Interview personnel • Observe audit logs • Examine audit log settings 10.3 Are the following audit trail entries recorded for all system components for each event:
• and all changes, additions, or deletions to accounts with root or administrative privileges? • Interview personnel • Observe audit logs • Examine audit log settings 10.2.6 Initialization, stopping, or pausing of the audit logs? • Interview personnel • Observe audit logs • Examine audit log settings
Modified p. 35 → 40
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 10.3.4 Success or failure indication? • Interview personnel • Observe audit logs • Examine audit log settings 10.3.5 Origination of event? • Interview personnel • Observe audit logs • Examine audit log settings 10.3.6 Identity or name of affected data, system component, or resource?
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 10.5.1 Is viewing of audit trails limited to those with a job-related need?
Modified p. 35 → 40
• Interview personnel • Observe audit logs • Examine audit log settings Are logs for external-facing technologies (for example, wireless, firewalls, DNS, mail) written onto a secure, centralized, internal log server or media?
• Interview system administrators • Examine system configurations and permissions Are logs for external-facing technologies (for example, wireless, firewalls, DNS, mail) written onto a secure, centralized, internal log server or media?
Modified p. 35 → 40
• Interview system administrators • Examine system configurations and permissions 10.6 Are logs and security events for all system components reviewed to identify anomalies or suspicious activity as follows? Note: Log harvesting, parsing, and alerting tools may be used to achieve compliance with Requirement 10.6.
• Examine settings, monitored files, and results from monitoring activities 10.6 Are logs and security events for all system components reviewed to identify anomalies or suspicious activity as follows? Note: Log harvesting, parsing, and alerting tools may be used to achieve compliance with Requirement 10.6.
Modified p. 36 → 41
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 10.6.2 (b) Are logs of all other system components periodically reviewed, either manually or via log tools, based on the organization’s policies and risk management strategy?
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 10.6.1 (b) Are the following logs and security events reviewed at least daily, either manually or via log tools?
Modified p. 40 → 45
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 11.5 (a) Is a change-detection mechanism (for example, file-integrity monitoring tools) deployed within the cardholder data environment to detect unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files? Examples of files that should be monitored include:
• Examine system configurations • Interview responsible personnel (c) Are all intrusion-detection and prevention engines, baselines, and signatures kept up-to-date? • Examine IDS/IPS configurations • Examine vendor documentation 11.5 (a) Is a change-detection mechanism (for example, file-integrity monitoring tools) deployed to detect unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files? Examples of files that should be monitored include:
Modified p. 40 → 46
• System executables • Application executables • Configuration and parameter files • Centrally stored, historical or archived, log, and audit files • Additional critical files determined by entity (for example, through risk assessment or other means) • Observe system settings and monitored files • Examine system configuration (b) Is the change-detection mechanism configured to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files or content files, and do the tools perform critical file …
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A (b) Is the change-detection mechanism configured to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files or content files, and do the tools perform critical file comparisons at least weekly? Note: For change detection purposes, critical files are usually those that do not regularly change, but the modification of which could indicate a system compromise or risk of …
Modified p. 41 → 47
• Review information security policy and procedures 12.6 (a) Is a formal security awareness program in place to make all personnel aware of the importance of cardholder data security? • Review security awareness program 12.8 Are policies and procedures maintained and implemented to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows:
• Review information security policy and procedures 12.6 (a) Is a formal security awareness program in place to make all personnel aware of the cardholder data security policy and procedures? • Review security awareness program 12.8 Are policies and procedures maintained and implemented to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows:
Modified p. 47 → 54
Section 3: Validation and Attestation Details Part 3. PCI DSS Validation Based on the results noted in the SAQ A-EP dated (completion date), the signatories identified in Parts 3b-3d, as applicable, assert(s) the following compliance status for the entity identified in Part 2 of this document as of (date): (check one):
Based on the results documented in the SAQ A-EP noted above, the signatories identified in Parts 3b-3d, as applicable, assert(s) the following compliance status for the entity identified in Part 2 of this document: (check one):
Removed p. 48
Signature of ISA  Date:
Modified p. 48 → 55
Part 3c. QSA Acknowledgement (if applicable) If a QSA was involved or assisted with this assessment, describe the role performed:
Part 3c. Qualified Security Assessor (QSA) Acknowledgement (if applicable) If a QSA was involved or assisted with this assessment, describe the role performed:
Modified p. 48 → 55
Part 3d. ISA Acknowledgement (if applicable) If a ISA was involved or assisted with this assessment, describe the role performed:
Part 3d. Internal Security Assessor (ISA) Involvement (if applicable) If an ISA(s) was involved or assisted with this assessment, identify the ISA personnel and describe the role performed:
Modified p. 49 → 56
PCI DSS Requirement* Description of Requirement Compliant to PCI DSS Requirements (Select One) Remediation Date and Actions (If “NO” selected for any Requirement) YES NO • Install and maintain a firewall configuration to protect cardholder data • Do not use vendor-supplied defaults for system passwords and other security parameters 3 Protect stored cardholder data • Encrypt transmission of cardholder data across open, public networks • Protect all systems against malware and regularly update anti-virus software or programs 6 Develop and maintain secure systems and …
PCI DSS Requirement* Description of Requirement Compliant to PCI DSS Requirements (Select One) Remediation Date and Actions (If “NO” selected for any Requirement) YES NO • Install and maintain a firewall configuration to protect cardholder data • Do not use vendor-supplied defaults for system passwords and other security parameters 3 Protect stored cardholder data 4 Encrypt transmission of cardholder data across open, public networks • Protect all systems against malware and regularly update anti-virus software or programs 6 Develop and maintain secure systems …