Document Comparison

PCI-DSS-v4-0-SAQ-C-VT-r1.pdf PCI-DSS-v4-0-1-SAQ-C-VT.pdf
93% similar
45 → 46 Pages
11754 → 12137 Words
52 Content Changes

From Revision History

  • October 2008 1.2

Content Changes

52 content changes. 38 administrative changes (dates, page numbers) hidden.

Added p. 2
Added ASV Resource Guide to section “Additional PCI SSC Resources.” Restored bullet in Eligibility Criteria and related footnote that referred to “network segmentation” to wording from SAQ C-VT for PCI DSS v3.2.1.
Added p. 7
Note: A legal exception is a legal restriction due to a local or regional law, regulation, or regulatory requirement, where meeting a PCI DSS requirement would violate that law, regulation, or regulatory requirement.
Added p. 33
Applicability Notes This requirement does not apply to locations that are publicly accessible by consumers (cardholders).

PCI DSS Requirement Expected Testing Response¨ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 9.4 Media with cardholder data is securely stored, accessed, distributed, and destroyed.

If the merchant never stores any paper with account data, mark this requirement as Not Applicable and complete Appendix C: Explanation of Requirements Noted as Not Applicable.
Added p. 38
The TPSP’s written acknowledgment is a confirmation that states the TPSP is responsible for the security of the account data it may store, process, or transmit on behalf of the customer or to the extent the TPSP may impact the security of a customer’s cardholder data and/or sensitive authentication data.
Added p. 46
Note: The PCI Security Standards Council is a global standards body that provides resources for payment security professionals developed collaboratively with our stakeholder community. Our materials are accepted in numerous compliance programs worldwide. Please check with your individual compliance-accepting organization to ensure that this form is acceptable in its program. For more information about PCI SSC and our stakeholder community please visit: https://www.pcisecuritystandards.org/about_us/.
Modified p. 4
• The only payment processing is via a virtual payment terminal accessed by an Internet-connected web browser; • The virtual payment terminal solution is provided and hosted by a PCI DSS compliant third-party service provider; • The PCI DSS-compliant virtual payment terminal solution is only accessed via a computing device that is isolated in a single location, and is not connected to other locations or systems; • The computing device does not have software installed that causes account data to …
• The only payment processing is via a virtual payment terminal accessed by an Internet-connected web browser; • The virtual payment terminal solution is provided and hosted by a PCI DSS compliant third-party service provider; • The PCI DSS-compliant virtual payment terminal solution is only accessed via a computing device that is isolated in a single location, and is not connected to other locations or systems (this can be achieved via a firewall or network segmentation to isolate the merchant …
Modified p. 5
PCI DSS is intended for all entities that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD) or could impact the security of the cardholder data environment (CDE). Cardholder data and sensitive authentication data are considered account data and are defined as follows:
PCI DSS is intended for all entities that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD) or could impact the security of cardholder data and/or sensitive authentication data. Cardholder data and sensitive authentication data are considered account data and are defined as follows:
Removed p. 7
Note: A legal restriction is one where meeting the PCI DSS requirement would violate a local or regional law or regulation.
Modified p. 8
− Guide to Safe Payments − Common Payment Systems − Questions to Ask Your Vendors − Glossary of Payment and Information Security Terms − PCI Firewall Basics These and other resources can be found on the PCI SSC website (www.pcisecuritystandards.org).
− Guide to Safe Payments − Common Payment Systems − Questions to Ask Your Vendors − Glossary of Payment and Information Security Terms − PCI Firewall Basics − ASV Resource Guide These and other resources can be found on the PCI SSC website (www.pcisecuritystandards.org).
Modified p. 11
Facility Type Total number of locations (How many locations of this type are in scope) Location(s) of facility (city, country) Example: Data centers 3 Boston, MA, USA Part 2e. PCI SSC Validated Products and Solutions Does the merchant use any item identified on any PCI SSC Lists of Validated Products and Solutions♦? Provide the following information regarding each item the merchant uses from PCI SSC’s Lists of Validated Products and Solutions.
Facility Type Total number of locations (How many locations of this type are in scope) Location(s) of facility (city, country) Example: Data centers 3 Boston, MA, USA Part 2e. PCI SSC Validated Products and Solutions Does the merchant use any item identified on any PCI SSC Lists of Validated Products and Solutions¨? Provide the following information regarding each item the merchant uses from PCI SSC’s Lists of Validated Products and Solutions.
Modified p. 11
Name of PCI SSC- validated Product or Version of Product or
Name of PCI SSC validated Product or Version of Product or
Modified p. 11
PCI SSC listing reference number Expiry date of listing (YYYY-MM-DD) YYYY-MM-DD YYYY-MM-DD YYYY-MM-DD YYYY-MM-DD YYYY-MM-DD YYYY-MM-DD YYYY-MM-DD YYYY-MM-DD YYYY-MM-DD YYYY-MM-DD YYYY-MM-DD ♦ For purposes of this document, “Lists of Validated Products and Solutions” means the lists of validated products, solutions, and/or components appearing on the PCI SSC website (www.pcisecuritystandards.org), for example, 3DS Software Development Kits, Approved PTS Devices, Validated Payment Software, Payment Applications (PA-DSS), Point to Point Encryption (P2PE) solutions, Software-Based PIN Entry on COTS (SPoC) solutions, and Contactless Payments …
PCI SSC listing reference number Expiry date of listing (YYYY-MM-DD) YYYY-MM-DD YYYY-MM-DD YYYY-MM-DD YYYY-MM-DD YYYY-MM-DD YYYY-MM-DD YYYY-MM-DD YYYY-MM-DD YYYY-MM-DD YYYY-MM-DD YYYY-MM-DD ♦ For purposes of this document, “Lists of Validated Products and Solutions” means the lists of validated products, solutions, and/or components, appearing on the PCI SSC website (www.pcisecuritystandards.org), for example, 3DS Software Development Kits, Approved PTS Devices, Validated Payment Software, Point to Point Encryption (P2PE) solutions, Software-Based PIN Entry on COTS (SPoC) solutions, Contactless Payments on COTS (CPoC) solutions, and …
Modified p. 14
The PCI DSS-compliant virtual payment terminal solution is only accessed via a computing device that is isolated in a single location and is not connected to other locations or systems.
The PCI DSS-compliant virtual payment terminal solution is only accessed via a computing device that is isolated in a single location and is not connected to other locations or systems (this can be achieved via a firewall or network segmentation to isolate the merchant system(s) accessing the virtual payment terminal from other merchant systems).
Modified p. 15
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 1.3 Network access to and from the cardholder data environment is restricted.
PCI DSS Requirement Expected Testing Response¨ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 1.3 Network access to and from the cardholder data environment is restricted.
Modified p. 16
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 1.5 Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated.
PCI DSS Requirement Expected Testing Response¨ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 1.5 Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated.
Modified p. 17
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 2.1 Processes and mechanisms for applying secure configurations to all system components are defined and understood.
PCI DSS Requirement Expected Testing Response¨ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 2.1 Processes and mechanisms for applying secure configurations to all system components are defined and understood.
Removed p. 18
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 2.2.5 If any insecure services, protocols, or daemons are present:
Modified p. 19
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 2.3 Wireless environments are configured and managed securely.
PCI DSS Requirement Expected Testing Response¨ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 2.3 Wireless environments are configured and managed securely.
Modified p. 20
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 3.1 Processes and mechanisms for protecting stored account data are defined and understood.
PCI DSS Requirement Expected Testing Response¨ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 3.1 Processes and mechanisms for protecting stored account data are defined and understood.
Modified p. 21
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 3.3 Sensitive authentication data (SAD) is not stored after authorization.
PCI DSS Requirement Expected Testing Response¨ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 3.3 Sensitive authentication data (SAD) is not stored after authorization.
Modified p. 22
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 3.4 Access to displays of full PAN and ability to copy PAN is restricted.
PCI DSS Requirement Expected Testing Response¨ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 3.4 Access to displays of full PAN and ability to copy PAN are restricted.
Modified p. 24
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 5.2 Malicious software (malware) is prevented, or detected and addressed.
PCI DSS Requirement Expected Testing Response¨ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 5.2 Malicious software (malware) is prevented, or detected and addressed.
Modified p. 25
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 5.3.3 For removable electronic media, the anti-malware solution(s):
PCI DSS Requirement Expected Testing Response¨ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 5.3.3 For removable electronic media, the anti-malware solution(s):
Removed p. 26
Applicability Notes This requirement applies to the automated mechanism. It is not intended that the systems and services providing such automated mechanisms (such as e-mail servers) are brought into scope for PCI DSS.
Modified p. 26
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 5.4 Anti-phishing mechanisms protect users against phishing attacks.
PCI DSS Requirement Expected Testing Response¨ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 5.4 Anti-phishing mechanisms protect users against phishing attacks.
Modified p. 26
The focus of this requirement is on protecting personnel with access to system components in-scope for PCI DSS.
Applicability Notes The focus of this requirement is on protecting personnel with access to system components in-scope for PCI DSS.
Modified p. 27
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 6.3 Security vulnerabilities are identified and addressed.
PCI DSS Requirement Expected Testing Response¨ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 6.3 Security vulnerabilities are identified and addressed.
Modified p. 27
• Bullet intentionally left blank for this SAQ. .
• Bullet intentionally left blank for this SAQ.
Modified p. 27
Applicability Notes This requirement is not achieved by, nor is it the same as, vulnerability scans performed for Requirements 11.3.1 and 11.3.2. This requirement is for a process to actively monitor industry sources for vulnerability information and for the entity to determine the risk ranking to be associated with each vulnerability.
Applicability Notes This requirement is not achieved by, and is in addition to, performing vulnerability scans according to Requirements 11.3.1 and 11.3.2. This requirement is for a process to actively monitor industry sources for vulnerability information and for the entity to determine the risk ranking to be associated with each vulnerability.
Modified p. 27
Critical or high-security patches/updates (identified according to the risk ranking process at Requirement 6.3.1) are installed within one month of release.
Patches/updates for critical vulnerabilities (identified according to the risk ranking process at Requirement 6.3.1) are installed within one month of release.
Modified p. 28
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 7.2 Access to system components and data is appropriately defined and assigned.
PCI DSS Requirement Expected Testing Response¨ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 7.2 Access to system components and data is appropriately defined and assigned.
Modified p. 29
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 8.1 Processes and mechanisms for identifying users and authenticating access to system components are defined and understood.
PCI DSS Requirement Expected Testing Response¨ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 8.1 Processes and mechanisms for identifying users and authenticating access to system components are defined and understood.
Modified p. 29
Applicability Notes This requirement is not intended to apply to user accounts within point-of-sale terminals that have access to only one card number at a time to facilitate a single transaction (such as IDs used by cashiers on point-of-sale terminals).
Applicability Notes This requirement is not intended to apply to user accounts within point-of-sale terminals that have access to only one card number at a time to facilitate a single transaction.
Modified p. 30
Applicability Notes This requirement is not intended to apply to user accounts within point-of-sale terminals that have access to only one card number at a time to facilitate a single transaction (such as IDs used by cashiers on point-of-sale terminals).
Applicability Notes This requirement is not intended to apply to user accounts within point-of-sale terminals that have access to only one card number at a time to facilitate a single transaction.
Modified p. 30
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 8.2.2 Group, shared, or generic accounts, or other shared authentication credentials are only used when necessary on an exception basis, and are managed as follows:
PCI DSS Requirement Expected Testing Response¨ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 8.2.2 Group, shared, or generic IDs, or other shared authentication credentials are only used when necessary on an exception basis, and are managed as follows:
Modified p. 30
Account use is prevented unless needed for an exceptional circumstance.
ID use is prevented unless needed for an exceptional circumstance.
Modified p. 31
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 8.2.5 Access for terminated users is immediately revoked.
PCI DSS Requirement Expected Testing Response¨ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 8.2.5 Access for terminated users is immediately revoked.
Modified p. 31
Applicability Notes This requirement is not intended to apply to user accounts on point-of-sale terminals that have access to only one card number at a time to facilitate a single transaction (such as IDs used by cashiers on point-of-sale terminals).
Applicability Notes This requirement is not intended to apply to user accounts on point-of-sale terminals that have access to only one card number at a time to facilitate a single transaction.
Removed p. 32
MFA is considered a best practice for non-console administrative access to in-scope system components that are not part of the CDE.
Modified p. 32
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 8.3.6 If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they meet the following minimum level of complexity:
PCI DSS Requirement Expected Testing Response¨ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 8.3.6 If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they meet the following minimum level of complexity:
Modified p. 32
• User accounts on point-of-sale terminals that have access to only one card number at a time to facilitate a single transaction (such as IDs used by cashiers on point-of-sale terminals). • Application or system accounts, which are governed by requirements in section 8.6. This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.
• User accounts on point-of-sale terminals that have access to only one card number at a time to facilitate a single transaction. • Application or system accounts, which are governed by requirements in section 8.6. This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.
Modified p. 33
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 9.1 Processes and mechanisms for restricting physical access to cardholder data are defined and understood.
PCI DSS Requirement Expected Testing Response¨ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 9.1 Processes and mechanisms for restricting physical access to cardholder data are defined and understood.
Modified p. 34 → 35
• Examine the periodic media destruction policy.
• Examine the media destruction policy.
Modified p. 35 → 36
Note: Requirement 12 specifies that merchants have information security policies for their personnel, but these policies can be as simple or complex as needed for the size and complexity of the merchant’s operations. The policy document must be provided to all personnel so they are aware of their responsibilities for protecting payment terminals, any paper documents with account data, etc. If a merchant has no employees, then it is expected that the merchant understands and acknowledges their responsibility for security …
Note: Requirement 12 specifies that merchants have information security policies for their personnel, but these policies can be as simple or complex as needed for the size and complexity of the merchant’s operations. The policy document must be provided to all personnel so they are aware of their responsibilities for protecting payment terminals, any paper documents with cardholder data and/or sensitive authentication data, etc. If a merchant has no employees, then it is expected that the merchant understands and acknowledges …
Modified p. 35 → 36
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 12.1 A comprehensive information security policy that governs and provides direction for protection of the entity’s information assets is known and current.
PCI DSS Requirement Expected Testing Response¨ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 12.1 A comprehensive information security policy that governs and provides direction for protection of the entity’s information assets is known and current.
Modified p. 36 → 37
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 12.6 Security awareness education is an ongoing activity.
PCI DSS Requirement Expected Testing Response¨ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 12.6 Security awareness education is an ongoing activity.
Modified p. 37 → 38
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 12.8 Risk to information assets associated with third-party service provider (TPSP) relationships is managed.
PCI DSS Requirement Expected Testing Response¨ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 12.8 Risk to information assets associated with third-party service provider (TPSP) relationships is managed.
Modified p. 37 → 38
• Written agreements include acknowledgments from TPSPs that they are responsible for the security of account data the TPSPs possess or otherwise store, process, or transmit on behalf of the entity, or to the extent that they could impact the security of the entity’s CDE.
• Written agreements include acknowledgments from TPSPs that TPSPs are responsible for the security of account data the TPSPs possess or otherwise store, process, or transmit on behalf of the entity, or to the extent that the TPSP could impact the security of the entity’s cardholder data and/or sensitive authentication data.
Modified p. 37 → 38
Applicability Notes The exact wording of an acknowledgment will depend on the agreement between the two parties, the details of the service being provided, and the responsibilities assigned to each party. The acknowledgment does not have to include the exact wording provided in this requirement.
Applicability Notes The exact wording of an agreement will depend on the agreement between the two parties, the details of the service being provided, and the responsibilities assigned to each party. The agreement does not have to include the exact wording provided in this requirement.
Modified p. 37 → 38
Evidence that a TPSP is meeting PCI DSS requirements (for example, a PCI DSS Attestation of Compliance (AOC) or a declaration on a company’s website) is not the same as a written agreement specified in this requirement.
Evidence that a TPSP is meeting PCI DSS requirements is not the same as a written acknowledgment specified in this requirement. For example, a PCI DSS Attestation of Compliance (AOC), a declaration on a company’s website, a policy statement, a responsibility matrix, or other evidence not included in a written agreement is not a written acknowledgment.
Modified p. 38 → 39
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 12.8.3 An established process is implemented for engaging TPSPs, including proper due diligence prior to engagement.
PCI DSS Requirement Expected Testing Response¨ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 12.8.3 An established process is implemented for engaging TPSPs, including proper due diligence prior to engagement.
Modified p. 44 → 45
PCI DSS Self-Assessment Questionnaire C-VT, Version 4.0 was completed according to the instructions therein.
PCI DSS Self-Assessment Questionnaire C-VT, Version 4.0.1, was completed according to the instructions therein.