Document Comparison
PCI-DSS-v3_2-SAQ-B_IP-rev1_1.pdf → PCI-DSS-v3-2-1-SAQ-B-IP-r2.pdf
82% similar
Pages: 39 → 36
Words: 9189 → 8975
Content Changes
88 content changes. 33 administrative changes (dates, page numbers) hidden.
Added
p. 2
This document aligns with PCI DSS v3.2.1 r1.
Added
p. 5
• Section 1 (Parts 1 & 2 of the AOC)
• Section 3 (Parts 3 & 4 of the AOC)
Added
p. 10
Examine network configurations.
(b) Is there a process to ensure the diagram is kept current?
• Interview responsible personnel.
• Observe network configurations to verify that a firewall(s) is in place.
(b) Is the current network diagram consistent with the firewall configuration standards?
• Compare firewall configuration standards to current network diagram.
(b) Are all insecure services, protocols, and ports identified, and are security features documented and implemented for each identified service?
• Review firewall and router configuration standards.
Added
p. 12
• Examine vendor documentation.
• Observe system configurations and account settings.
Added
p. 12
Are unnecessary default accounts removed or disabled before installing a system on the network?
• Review policies and procedures.
Added
p. 12
• Examine system configurations and account settings.
Added
p. 13
(e) Are other security-related wireless vendor defaults changed, if applicable?
• Review policies and procedures.
Added
p. 13
• Observe an administrator log on.
• Examine services and files.
• Examine deletion processes.
• The cardholder’s name,
• Primary account number (PAN),
• Expiration date, and
Added
p. 14
- Database contents 3.2.2 The card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) is not stored after authorization?
• Examine data sources including:
• Review roles that need access to displays of full PAN.
• Observe displays of PAN.
• Review documented standards.
• Review all locations where CHD is transmitted or received.
(b) Are only trusted keys and/or certificates accepted?
• Observe inbound and outbound transmissions.
• Examine keys and certificates.
(c) Are security protocols implemented to use only secure configurations, and to not support insecure versions or configurations?
• Examine system configurations.
• Cardholder data is only requested if “HTTPS” appears as part of the URL.
• Review wireless networks.
• Examine system configuration settings.
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 6.1 Is there a process to identify security vulnerabilities, including the following:
• Using reputable outside sources for vulnerability information?
• Examine …
Added
p. 29
• Interview a sample of responsible personnel.
Added
p. 29
• Review list of service providers.
• Observe written agreements.
• Review incident response plan procedures.
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A A2.1 For POS POI terminals (at the merchant or payment-acceptance location) using SSL and/or early TLS: Are the devices confirmed to not be susceptible to any known exploits for SSL/early TLS? Note: This requirement is intended to apply to the entity with the POS POI terminal, such as a merchant. This requirement is not intended for service providers who serve as the termination or connection point to those POS POI terminals. Requirements A2.2 and A2.3 apply to POS POI service providers.
• Review documentation (for example, vendor documentation, system/network configuration details, etc.) that verifies POS POI devices are not susceptible to any known exploits for SSL/early TLS.
Added
p. 36
Do not use vendor-supplied defaults for system passwords and other security parameters.
Added
p. 36
Appendix A2 Additional PCI DSS Requirements for Entities using SSL/Early TLS for Card-Present POS POI Terminal Connections.
Modified
p. 4
• Your company uses only standalone, PTS-approved point-of-interaction (POI) devices (excludes SCRs) connected via IP to your payment processor to take your customers’ payment card information; • The standalone IP-connected POI devices are validated to the PTS POI program as listed on the PCI SSC website (excludes SCRs); • The standalone IP-connected POI devices are not connected to any other systems within your environment (this can be achieved via network segmentation to isolate POI devices from other systems)1; • The …
Modified
p. 4
1. Identify the applicable SAQ for your environment
• refer to the Self-Assessment Questionnaire Instructions and Guidelines document on PCI SSC website for information.
• refer
1. Identify the applicable SAQ for your environment⎯refer to the Self-Assessment Questionnaire Instructions and Guidelines document on PCI SSC website for information.
Removed
p. 5
(PCI Data Security Standard Requirements and Security Assessment Procedures) Guidance on Scoping Guidance on the intent of all PCI DSS Requirements Details of testing procedures Guidance on Compensating Controls SAQ Instructions and Guidelines documents Information about all SAQs and their eligibility criteria How to determine which SAQ is right for your organization
Modified
p. 5
• PCI DSS Self-Assessment Questionnaire (SAQ B-IP) Section 3 (Parts 3 & 4 of the AOC)
• Validation and Attestation Details and Action Plan for Non-Compliant Requirements (if applicable)
• Validation and Attestation Details and Action Plan for Non-Compliant Requirements (if applicable)
Modified
p. 5
5. Submit the SAQ and Attestation of Compliance (AOC), along with any other requested documentation, such as ASV scan reports, to your acquirer, paymentbrand or other requester.
5. Submit the SAQ and Attestation of Compliance (AOC), along with any other requested documentation, such as ASV scan reports, to your acquirer, payment brand, or other requester.
Modified
p. 5
PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms Descriptions and definitions of terms used in the PCI DSS and self-assessment questionnaires These and other resources can be found on the PCI SSC website (www.pcisecuritystandards.org). Organizations are encouraged to review the PCI DSS and other supporting documents before beginning an assessment.
(PCI Data Security Standard Requirements and Security Assessment Procedures)
• Guidance on Scoping
• Guidance on the intent of all PCI DSS Requirements
• Details of testing procedures
• Guidance on Compensating Controls SAQ Instructions and Guidelines documents
• Information about all SAQs and their eligibility criteria
• How to determine which SAQ is right for your organization PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms • Descriptions and definitions of terms used in the PCI DSS and self-assessment questionnaires These and other resources …
• Guidance on Scoping
• Guidance on the intent of all PCI DSS Requirements
• Details of testing procedures
• Guidance on Compensating Controls SAQ Instructions and Guidelines documents
• Information about all SAQs and their eligibility criteria
• How to determine which SAQ is right for your organization PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms • Descriptions and definitions of terms used in the PCI DSS and self-assessment questionnaires These and other resources …
Modified
p. 7
Section 1: Assessment Information Instructions for Submission This document must be completed as a declaration of the results of the merchant’s self-assessment with the Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures (PCI DSS). Complete all sections: The merchant is responsible for ensuring that each section is completed by the relevant parties, as applicable. Contact acquirer (merchant bank) or the payment brands to determine reporting and submission procedures.
Section 1: Assessment Information Instructions for Submission This document must be completed as a declaration of the results of the merchant’s self-assessment with the Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures (PCI DSS). Complete all sections: The merchant is responsible for ensuring that each section is completed by the relevant parties, as applicable. Contact your acquirer (merchant bank) or the payment brands to determine reporting and submission procedures.
Modified
p. 8
Type of facility Number of facilities of this type Location(s) of facility (e.g. city, country) Example: Retail outlets 3 Boston, MA, USA Part 2d. Payment Application Does the organization use one or more Payment Applications? Yes No Provide the following information regarding the Payment Applications your organization uses:
Type of facility Number of facilities of this type Location(s) of facility (city, country) Example: Retail outlets 3 Boston, MA, USA Part 2d. Payment Applications Does the organization use one or more Payment Applications? Yes No Provide the following information regarding the Payment Applications your organization uses:
Modified
p. 8
Does your business use network segmentation to affect the scope of your PCI DSS environment? (Refer to “Network Segmentation” section of PCI DSS for guidance on network segmentation)
Does your business use network segmentation to affect the scope of your PCI DSS environment? (Refer to “Network Segmentation” section of PCI DSS for guidance on network segmentation.)
Removed
p. 10
Review current network diagram Examine network configurations (b) Is there a process to ensure the diagram is kept current?
Review firewall configuration standards Observe network configurations to verify that a firewall(s) is in place (b) Is the current network diagram consistent with the firewall configuration standards?
Modified
p. 10
Self-assessment completion date: Build and Maintain a Secure Network
Self-assessment completion date: Build and Maintain a Secure Network and Systems
Modified
p. 10
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 1.1.2 (a) Is there a current network diagram that documents all connections between the cardholder data environment and other networks, including any wireless networks?
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 1.1.2 (a) Is there a current network diagram that documents all connections between the cardholder data environment and other networks, including any wireless networks? • Review current network diagram.
Modified
p. 11
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A (b) Are all insecure services, protocols, and ports identified, and are security features documented and implemented for each identified service? Review firewall and router configuration Examine firewall and router configurations 1.2 Do firewall and router configurations restrict connections between untrusted networks and any system in the cardholder data environment as follows:
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 1.2 Do firewall and router configurations restrict connections between untrusted networks and any system in the cardholder data environment as follows:
Modified
p. 11
Is all other inbound and outbound traffic specifically denied (for example by using an explicit “deny all” or an implicit deny after allow statement)? • Review firewall and router configuration standards.
Removed
p. 12
(For example, block traffic originating from the internet with an internal address) Examine firewall and router configurations 1.3.4 Is outbound traffic from the cardholder data environment to the Internet explicitly authorized?
Removed
p. 13
Review policies and procedures Examine vendor documentation Observe system configurations and account settings Interview personnel (b) Are unnecessary default accounts removed or disabled before installing a system on the network? Review policies and procedures Review vendor documentation Examine system configurations and account settings Interview personnel 2.1.1 For wireless environments connected to the cardholder data environment or transmitting cardholder data, are ALL wireless vendor defaults changed at installations, as follows:
Modified
p. 13 → 12
(a) Are encryption keys changed from default at installation, and changed anytime anyone with knowledge of the keys leaves the company or changes positions?
(a) Are encryption keys changed from default at installation, and changed anytime anyone with knowledge of the keys leaves the company or changes positions? • Review policies and procedures.
Modified
p. 13 → 12
(b) Are default SNMP community strings on wireless devices changed at installation? • Review policies and procedures.
Modified
p. 13 → 12
(c) Are default passwords/passphrases on access points changed at installation? • Review policies and procedures.
Removed
p. 14
Review policies and procedures Review vendor documentation Examine system configurations (e) Are other security-related wireless vendor defaults changed, if applicable? Review policies and procedures Review vendor documentation Examine system configurations 2.3 Is non-console administrative access, including web-based access, encrypted as follows:
Note: Where SSL/early TLS is used, the requirements in Appendix A2 must be completed.
Modified
p. 14 → 13
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A (d) Is firmware on wireless devices updated to support strong encryption for authentication and transmission over wireless networks?
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 2.1.1 (cont.) (d) Is firmware on wireless devices updated to support strong encryption for authentication and transmission over wireless networks? • Review policies and procedures.
Modified
p. 14 → 13
(a) Is all non-console administrative access encrypted with strong cryptography, and is a strong encryption method invoked before the administrator’s password is requested?
(a) Is all non-console administrative access encrypted with strong cryptography, and is a strong encryption method invoked before the administrator’s password is requested? • Examine system components.
Modified
p. 14 → 13
(b) Are system services and parameter files configured to prevent the use of Telnet and other insecure remote login commands? • Examine system components.
Modified
p. 14 → 13
(c) Is administrator access to web-based management interfaces encrypted with strong cryptography? • Examine system components.
Modified
p. 14 → 13
(d) For the technology in use, is strong cryptography implemented according to industry best practice and/or vendor recommendations? • Examine system components.
Removed
p. 15
Incoming transaction data All logs History files Trace files Database schema Database contents
Modified
p. 15 → 14
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 3.2 (c) Is sensitive authentication data deleted or rendered unrecoverable upon completion of the authorization process? Review policies and procedures Examine system configurations Examine deletion processes (d) Do all systems adhere to the following requirements regarding non-storage of sensitive authentication data after authorization (even if encrypted):
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 3.2 (c) Is sensitive authentication data deleted or rendered unrecoverable upon completion of the authorization process? • Review policies and procedures.
Modified
p. 15 → 14
• Service code To minimize risk, store only these data elements as needed for business.
Modified
p. 15 → 14
• Examine data sources including:
Removed
p. 16
Incoming transaction data All logs History files Trace files Database schema Database contents 3.2.3 The personal identification number (PIN) or the encrypted PIN block is not stored after authorization? Examine data sources including:
Review policies and procedures Review roles that need access to displays of full PAN Examine system configurations Observe displays of PAN
Modified
p. 16 → 15
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 3.2.2 The card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) is not stored after authorization? Examine data sources including:
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 3.2.3 The personal identification number (PIN) or the encrypted PIN block is not stored after authorization? • Examine data sources including:
Modified
p. 16 → 15
- Database contents 3.3 Is the PAN masked when displayed (the first six and last four digits are the maximum number of digits to be displayed) such that only personnel with a legitimate business need can see more than the first six/last four digits of the PAN? Note: This requirement does not supersede stricter requirements in place for displays of cardholder data, for example, legal or payment card brand requirements for point-of-sale (POS) receipts.
Removed
p. 17
Review documented standards Review policies and procedures Review all locations where CHD is transmitted or received Examine system configurations (b) Are only trusted keys and/or certificates accepted? Observe inbound and outbound transmissions Examine keys and certificates (c) Are security protocols implemented to use only secure configurations, and to not support insecure versions or configurations?
Modified
p. 17 → 16
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 4.1 (a) Are strong cryptography and security protocols used to safeguard sensitive cardholder data during transmission over open, public networks? Note: Where SSL/early TLS is used, the requirements in Appendix A2 must be completed.
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 4.1 (a) Are strong cryptography and security protocols used to safeguard sensitive cardholder data during transmission over open, public networks? Note: Examples of open, public networks include but are not limited to the Internet; wireless technologies, including 802.11 and Bluetooth; cellular technologies, for example, Global System for Mobile communications (GSM), Code division multiple access (CDMA); and General Packet Radio Service (GPRS).
Modified
p. 17 → 16
(d) Is the proper encryption strength implemented for the encryption methodology in use (check vendor recommendations/best practices)? • Review vendor documentation.
Modified
p. 17 → 16
(e) For TLS implementations, is TLS enabled whenever cardholder data is transmitted or received? For example, for browser-based implementations:
Modified
p. 17 → 16
• “HTTPS” appears as the browser Universal Record Locator (URL) protocol, and
Modified
p. 17 → 16
• Examine system configurations.
Modified
p. 18 → 17
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 4.2 Are policies in place that state that unprotected PANs are not to be sent via end-user messaging technologies? • Review policies and procedures.
Modified
p. 19 → 18
• Assigning a risk ranking to vulnerabilities that includes identification of all “high” risk and “critical” vulnerabilities? Note: Risk rankings should be based on industry best practices as well as consideration of potential impact. For example, criteria for ranking vulnerabilities may include consideration of the CVSS base score and/or the classification by the vendor, and/or type of systems affected.
Modified
p. 19
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 6.2 (a) Are all system components and software protected from known vulnerabilities by installing applicable vendor-supplied security patches? • Review policies and procedures.
Modified
p. 20 → 19
Are critical security patches installed within one month of release? Note: Critical security patches should be identified according to the risk ranking process defined in Requirement 6.1.
Modified
p. 20 → 19
• Compare list of security patches installed to recent vendor patch lists.
Modified
p. 21 → 20
• To least privileges necessary to perform job responsibilities?
Modified
p. 21 → 20
• Assigned only to roles that specifically require that privileged access? • Examine written access control
Modified
p. 22 → 21
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A 8.1.5 (a) Are accounts used by third parties to access, support, or maintain system components via remote access enabled only during the time period needed and disabled when not in use?
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 8.1.5 (a) Are accounts used by third parties to access, support, or maintain system components via remote access enabled only during the time period needed and disabled when not in use? • Review password procedures.
Modified
p. 23 → 21
• Observe administrator logging into CDE.
• Observe personnel connecting remotely.
• Generic user IDs and accounts are disabled or removed;
• Shared user IDs for system administration activities and other critical functions do not exist; and • Shared and generic user IDs are not used to administer any system components?
• Review policies and procedures.
• Examine user ID lists.
• Interview personnel.
• Observe personnel connecting remotely.
• Generic user IDs and accounts are disabled or removed;
• Shared user IDs for system administration activities and other critical functions do not exist; and • Shared and generic user IDs are not used to administer any system components?
• Review policies and procedures.
• Examine user ID lists.
• Interview personnel.
Modified
p. 23 → 22
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A 9.1.2 Are physical and/or logical controls in place to restrict access to publicly accessible network jacks? For example, network jacks located in public areas and areas accessible to visitors could be disabled and only enabled when network access is explicitly authorized. Alternatively, processes could be implemented to ensure that visitors are escorted at all times in areas with active network jacks.
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 9.1.2 Are physical and/or logical controls in place to restrict access to publicly accessible network jacks? For example, network jacks located in public areas and areas accessible to visitors could be disabled and only enabled when network access is explicitly authorized. Alternatively, processes could be implemented to ensure that visitors are escorted at all times in areas with active network jacks.
Modified
p. 23 → 22
• Review policies and procedures for physically securing media.
Modified
p. 24 → 23
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 9.8 (a) Is all media destroyed when it is no longer needed for business or legal reasons? • Review periodic media destruction policies and procedures.
Modified
p. 24 → 23
Are storage containers used for materials that contain information to be destroyed secured to prevent access to the contents? • Examine security of storage containers.
Removed
p. 25
Review policies and procedures 9.9.1 (a) Does the list of devices include the following?
Make, model of device Location of device (for example, the address of the site or facility where the device is located) Device serial number or other method of unique identification Examine the list of devices (b) Is the list accurate and up to date? Observe devices and device locations and compare to list (c) Is the list of devices updated when devices are added, relocated, decommissioned, etc.? Interview personnel
Modified
p. 25 → 23
(a) Do policies and procedures require that a list of such devices be maintained?
(a) Do policies and procedures require that a list of such devices be maintained? • Review policies and procedures.
Modified
p. 25 → 23
(b) Do policies and procedures require that devices are periodically inspected to look for tampering or substitution? • Review policies and procedures.
Modified
p. 25 → 23
(c) Do policies and procedures require that personnel are trained to be aware of suspicious behavior and to report tampering or substitution of devices? • Review policies and procedures.
Removed
p. 26
Interview personnel 9.9.3 Are personnel trained to be aware of attempted tampering or replacement of devices, to include the following?
Modified
p. 26 → 24
• Observe inspection processes and compare to defined processes.
Modified
p. 26 → 25
(a) Do training materials for personnel at point-of-sale locations include the following? Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices. Do not install, replace, or return devices without verification. Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices). Report suspicious behavior and indications of device tampering or substitution to appropriate personnel …
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 9.9.3 Are personnel trained to be aware of attempted tampering or replacement of devices, to include the following? (a) Do training materials for personnel at point-of-sale locations include the following? - Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices. - Do not install, replace, or return devices without verification. …
Modified
p. 26 → 25
• Review training materials.
Modified
p. 27 → 25
(b) Have personnel at point-of-sale locations received training, and are they aware of procedures to detect and report attempted tampering or replacement of devices? • Interview personnel at POS locations.
Modified
p. 28 → 26
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A 11.2.2 (a) Are quarterly external vulnerability scans performed? Note: Quarterly external vulnerability scans must be performed by an Approved Scanning Vendor (ASV), approved by the Payment Card Industry Security Standards Council (PCI SSC).
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 11.2.2 (a) Are quarterly external vulnerability scans performed? Note: Quarterly external vulnerability scans must be performed by an Approved Scanning Vendor (ASV), approved by the Payment Card Industry Security Standards Council (PCI SSC).
Modified
p. 28 → 26
(b) Do external quarterly scan and rescan results satisfy the ASV Program Guide requirements for a passing scan (for example, no vulnerabilities rated 4.0 or higher by the CVSS, and no automatic failures)? • Review results of each external quarterly scan and rescan.
Modified
p. 28 → 26
(c) Are quarterly external vulnerability scans performed by a PCI SSC Approved Scanning Vendor (ASV)? • Review results of each external quarterly scan and rescan.
Modified
p. 28 → 27
(a) Are penetration-testing procedures defined to test all segmentation methods, to confirm they are operational and effective, and isolate all out-of-scope systems from systems in the CDE? Examine segmentation controls Review penetration-testing methodology
(a) Are penetration-testing procedures defined to test all segmentation methods, to confirm they are operational and effective, and isolate all out-of-scope systems from systems in the CDE? • Examine segmentation controls.
Modified
p. 29 → 27
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A (b) Does penetration testing to verify segmentation controls meet the following? Performed at least annually and after any changes to segmentation controls/methods Covers all segmentation controls/methods in use Verifies that segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A If segmentation is used to isolate the CDE from other networks:
Modified
p. 29 → 27
(c) Are tests performed by a qualified internal resource or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)? • Interview responsible personnel.
Modified
p. 30 → 28
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A 12.1 Is a security policy established, published, maintained, and disseminated to all relevant personnel?
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 12.1 Is a security policy established, published, maintained, and disseminated to all relevant personnel? • Review the information security policy.
Modified
p. 31 → 29
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A 12.4 Do security policy and procedures clearly define information security responsibilities for all personnel? Review information security policy and procedures Interview a sample of responsible 12.5 (b) Are the following information security management responsibilities formally assigned to an individual or team:
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 12.4 Do security policy and procedures clearly define information security responsibilities for all personnel? • Review information security policy and procedures.
Removed
p. 32
Observe written agreements Review policies and procedures 12.8.3 Is there an established process for engaging service providers, including proper due diligence prior to engagement?
Removed
p. 33
Are the devices confirmed to not be susceptible to any known exploits for SSL/early TLS Is there a formal Risk Mitigation and Migration Plan in place per Requirement A2.2? Review documentation (for example, vendor documentation, system/network configuration details, etc.) that verifies POS POI devices are not susceptible to any known exploits for SSL/early TLS A2.2 Is there a formal Risk Mitigation and Migration Plan in place for all implementations that use SSL and/or early TLS (other than as allowed in A2.1), that includes:
Description of usage, including; what data is being transmitted, types and number of systems that use and/or support SSL/early TLS, type of environment; Risk assessment results and risk reduction controls in place; Description of processes to monitor for new vulnerabilities associated with SSL/early TLS; Description of change control processes that are implemented to ensure SSL/early TLS is not implemented into new …
Modified
p. 33 → 30
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A A2.1 For POS POI terminals (and the SSL/TLS termination points to which they connect) using SSL and/or early TLS:
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 12.8.3 Is there an established process for engaging service providers, including proper due diligence prior to engagement?
• Review policies and procedures and supporting documentation.
• Review policies and procedures and supporting documentation.
Modified
p. 33 → 31
Appendix A2: Additional PCI DSS Requirements for Entities using SSL/early TLS
Appendix A2: Additional PCI DSS Requirements for Entities using SSL/Early TLS for Card-Present POS POI Terminal Connections
Modified
p. 37 → 34
Based on the results documented in the SAQ B-IP noted above, the signatories identified in Parts 3b-3d, as applicable, assert(s) the following compliance status for the entity identified in Part 2 of this document: (check one):
Based on the results documented in the SAQ B-IP noted above, the signatories identified in Parts 3b-3d, as applicable, assert(s) the following compliance status for the entity identified in Part 2 of this document (check one):
Modified
p. 38 → 35
ASV scans are being completed by the PCI SSC Approved Scanning Vendor (ASV Name) Part 3b. Merchant Attestation Signature of Merchant Executive Officer Date:
ASV scans are being completed by the PCI SSC Approved Scanning Vendor (ASV Name).
Modified
p. 39 → 36
PCI DSS Requirement* Description of Requirement Compliant to PCI DSS Requirements (Select One) Remediation Date and Actions (If “NO” selected for any Requirement) YES NO Install and maintain a firewall configuration to protect cardholder data Do not use vendor-supplied defaults for system passwords and other security parameters 3 Protect stored cardholder data Encrypt transmission of cardholder data across open, public networks 6 Develop and maintain secure systems and applications 7 Restrict access to cardholder data by business need to know …
PCI DSS Requirement* Description of Requirement Compliant to PCI DSS Requirements (Select One) Remediation Date and Actions (If “NO” selected for any Requirement) YES NO Install and maintain a firewall configuration to protect cardholder data.