Document Comparison
PCI_DSS_v3-1_SAQ_D_ServiceProvider_rev1-1.pdf
→
PCI-DSS-v3_2-SAQ-D_ServiceProvider.pdf
84% similar
Pages: 92 → 96
Words: 23001 → 23760
183
Content Changes
183 content changes. 32 administrative changes (dates, page numbers) hidden.
Added
p. 16
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 1.3.4 Is outbound traffic from the cardholder data environment to the Internet explicitly authorized?
Added
p. 22
Note: Where SSL/early TLS is used, the requirements in Appendix A2 must be completed.
Added
p. 25
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested (b) For issuers and/or companies that support issuing services and store sensitive authentication data: Is the data secured?
Incoming transaction data All logs History files Trace files Database schema Database contents 3.2.3 The personal identification number (PIN) or the encrypted PIN block is not stored after authorization? Examine data sources including:
Note: This requirement applies in addition to all other PCI DSS encryption and key management requirements.
Added
p. 28
Details of all algorithms, protocols, and keys used for the protection of cardholder data, including key strength and expiry date, Description of the key usage for each key, Inventory of any HSMs and other SCDs used for key management? Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement.
Examine key-storage locations Observe processes 3.6 (a) Are all key-management processes and procedures fully documented and implemented for cryptographic keys used for encryption of cardholder data?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 3.6.6 If manual clear-text key-management operations are used, do cryptographic key procedures include split knowledge and dual control of cryptographic keys as follows:
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 4.1 (a) Are strong cryptography …
Added
p. 40
Trace changes to change control documentation Examine change control documentation 6.4.5.4 Back-out procedures? Trace changes to change control documentation Examine change control documentation 6.4.6 Upon completion of a significant change, are all relevant PCI DSS requirements implemented on all new or changed systems and networks, and documentation updated as applicable? Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement.
Trace changes to change control documentation Examine change control documentation Interview personnel Observe affected systems or networks
Added
p. 46
Review vendor documentation Examine configuration settings 7.2.2 Is the access control system(s) configured to enforce privileges assigned to individuals based on job classification and function?
Added
p. 50
Examine system configurations Observe administrator logging into CDE 8.3.2 Is multi-factor authentication incorporated for all remote network access (both user and administrator, and including third party access for support or maintenance) originating from outside the entity’s network? Examine system configurations Observe personnel connecting remotely
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 8.4 (a) Are authentication policies and procedures documented and communicated to all users?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 8.7 Is all access to any database containing cardholder data (including access by applications, administrators, and all other users) restricted as follows:
Added
p. 56
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 9.3 Is physical access to sensitive areas controlled for onsite personnel, as follows:
Examine inventory logs Interview personnel 9.8 (a) Is all media destroyed when it is no longer needed for business or legal reasons?
Added
p. 67
(a) Are processes implemented for the timely detection and reporting of failures of critical security control systems, including but not limited to failure of:
Firewalls IDS/IPS FIM Anti-virus Physical access controls Logical access controls Audit logging mechanisms Segmentation controls (if used) Review policies and procedures
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested (b) Does the failure of a critical security control result in the generation of an alert? Observe processes Interview personnel 10.8.1 For service providers only: Are failures of any critical security controls responded to in a timely manner, as follows:
Are processes for responding to critical security control failures defined and implemented, and include:
Restoring security functions Identifying and documenting the duration (date and time start to end) of the security failure Identifying and documenting cause(s) …
Added
p. 74
Examine results from the most recent penetration test (c) Are tests performed by a qualified internal resource or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)? Interview responsible personnel
(a) Is PCI DSS scope confirmed by performing penetration tests on segmentation controls at least every six months and after any changes to segmentation controls/methods?
Examine results of penetration tests on segmentation controls (b) Does penetration testing cover all segmentation controls/methods in use?
Examine results of penetration tests on segmentation controls (c) Does penetration testing verify that segmentation controls/methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE Examine results of penetration tests on segmentation controls (d) Are tests performed by a qualified internal resource or qualified external third party, and if applicable, does organizational independence of the tester exist …
Added
p. 80
Has executive management assigned overall accountability for maintaining the entity’s PCI DSS compliance? Examine documentation (b) Has executive management defined a charter for the
PCI DSS compliance program and communication to executive management?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested (b) Are the following information security management responsibilities formally assigned to an individual or team:
Added
p. 85
Review incident response plan procedures 12.10.2 Is the plan reviewed and tested at least annually, including all elements listed in Requirement 12.10.1?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 12.11 For service providers only: Are reviews performed at least quarterly to confirm personnel are following security policies and operational procedures, as follows:
(a) Do reviews cover the following processes:
Daily log reviews Firewall rule-set reviews Applying configuration standards to new systems Responding to security alerts Change management processes Examine policies and procedures for performing quarterly reviews Interview personnel (b) Are reviews performed at least quarterly? Interview personnel Examine records of reviews 12.11.1 For service providers only: Is documentation of the quarterly review process maintained to include:
Documenting results of the reviews Review and sign off of results by personnel assigned …
Added
p. 89
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested A2.1 For POS POI terminals (and the SSL/TLS termination points to which they connect) using SSL and/or early TLS:
Are the devices confirmed to not be susceptible to any known exploits for SSL/early TLS Is there a formal Risk Mitigation and Migration Plan in place per Requirement A2.2? Review documentation (for example, vendor documentation, system/network configuration details, etc.) that verifies POS POI devices are not susceptible to any known exploits for SSL/early TLS A2.2 Is there a formal Risk Mitigation and Migration Plan in place for all implementations that use SSL and/or early TLS (other than as allowed in A2.1), that includes:
Description of usage, including; what data is being transmitted, types and number of systems that use and/or support SSL/early TLS, type of environment; Risk assessment results …
Added
p. 94
Section 3: Validation and Attestation Details Part 3. PCI DSS Validation This AOC is based on results noted in SAQ D (Section 2), dated (SAQ completion date).
Modified
p. 4
Section 1 (Part 1 & 2 of the AOC)
• Assessment Information and Executive Summary Section 2
• PCI DSS Self-Assessment Questionnaire (SAQ D) Section 3 (Parts 3 & 4 of the AOC)
• Validation and Attestation Details and Action Plan for Non-Compliant Requirements (if applicable)
Section 1 (Parts 1 & 2 of the AOC)
• Assessment Information and Executive Summary Section 2
• PCI DSS Self-Assessment Questionnaire (SAQ D) Section 3 (Parts 3 & 4 of the AOC)
• Validation and Attestation Details and Action Plan for Non-Compliant Requirements (if applicable)
Modified
p. 4
4. Submit the SAQ and Attestation of Compliance, along with any other requested documentation—such as ASV scan reports—to the payment brand, or other requester.
4. Submit the SAQ and Attestation of Compliance (AOC), along with any other requested documentation—such as ASV scan reports—to the payment brand, or other requester.
Removed
p. 7
ISA Name(s) (if applicable): Title:
Modified
p. 10
Does your business use network segmentation to affect the scope of your PCI DSS environment? (Refer to “Network Segmentation” section of PCI DSS for guidance on network segmentation) Part 2f. Third-Party Service Providers Does your company have a relationship with one or more third-party service providers (for example, gateways, payment processors, payment service providers (PSP), web-hosting companies, airline booking agents, loyalty program agents, etc.) for the purpose of the services being validated? Type of service provider: Description of services provided:
Does your business use network segmentation to affect the scope of your PCI DSS environment? (Refer to “Network Segmentation” section of PCI DSS for guidance on network segmentation) Part 2f. Third-Party Service Providers Does your company have a relationship with a Qualified Integrator Reseller (QIR) for the purpose of the services being validated? Description of services provided by QIR:
Modified
p. 12 → 13
Interview responsible personnel 1.1.3 (a) Is there a current diagram that shows all cardholder data flows across systems and networks? Review current dataflow diagram Examine network configurations.
Interview responsible personnel 1.1.3 Is there a current diagram that shows all cardholder data flows across systems and networks? Review current dataflow diagram Examine network configurations.
Modified
p. 13 → 14
Review firewall configuration standards Observe network configurations to verify that a firewall(s) is in place (b) Is the current network diagram consistent with the firewall configuration standards?
Review firewall configuration standards Observe network configurations to verify that a firewall(s) is in place Is the current network diagram consistent with the firewall configuration standards?
Modified
p. 13 → 14
Review firewall and router configuration standards Interview personnel 1.1.6 (a) Do firewall and router configuration standards include a documented list of services, protocols, and ports, including business justification (for example, hypertext transfer protocol (HTTP), Secure Sockets Layer (SSL), Secure Shell (SSH), and Virtual Private Network (VPN) protocols)?
Review firewall and router configuration standards Interview personnel 1.1.6 Do firewall and router configuration standards include a documented list of services, protocols, and ports, including business justification and approval for each?
Modified
p. 13 → 14
Review firewall and router configuration standards (b) Are all insecure services, protocols, and ports identified, and are security features documented and implemented for each identified service? Note: Examples of insecure services, protocols, or ports include but are not limited to FTP, Telnet, POP3, IMAP, and SNMP.
Review firewall and router configuration standards Are all insecure services, protocols, and ports identified, and are security features documented and implemented for each identified service?
Modified
p. 13 → 14
Review firewall and router configuration standards Examine firewall and router configurations 1.1.7 (a) Do firewall and router configuration standards require review of firewall and router rule sets at least every six months?
Review firewall and router configuration standards Examine firewall and router configurations 1.1.7 Do firewall and router configuration standards require review of firewall and router rule sets at least every six months?
Modified
p. 13 → 14
Review firewall and router configuration standards (b) Are firewall and router rule sets reviewed at least every six months? Examine documentation from firewall reviews
Review firewall and router configuration standards (c) Are firewall and router rule sets reviewed at least every six months? Examine documentation from firewall reviews 1.2 Do firewall and router configurations restrict connections between untrusted networks and any system in the cardholder data environment as follows:
Removed
p. 14
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 1.2 Do firewall and router configurations restrict connections between untrusted networks and any system in the cardholder data environment as follows:
Modified
p. 14 → 15
Review firewall and router configuration standards Examine firewall and router configurations (b) Is all other inbound and outbound traffic specifically denied (for example by using an explicit “deny all” or an implicit deny after allow statement)?
Review firewall and router configuration standards Examine firewall and router configurations Is all other inbound and outbound traffic specifically denied (for example by using an explicit “deny all” or an implicit deny after allow statement)?
Modified
p. 14 → 15
Review firewall and router configuration standards Examine router configuration files and router configurations 1.2.3 Are perimeter firewalls installed between all wireless networks and the cardholder data environment, and are these firewalls configured to deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment? Review firewall and router configuration standards Examine firewall and router configurations
Review firewall and router configuration standards Examine router configuration files and router configurations 1.2.3 Are perimeter firewalls installed between all wireless networks and the cardholder data environment, and are these firewalls configured to deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment? Review firewall and router configuration standards Examine firewall and router configurations 1.3 Is direct public access prohibited between the Internet and …
Removed
p. 15
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 1.3 Is direct public access prohibited between the Internet and any system component in the cardholder data environment, as follows:
(For example, block traffic originating from the internet with an internal address.) Examine firewall and router configurations 1.3.5 Is outbound traffic from the cardholder data environment to the Internet explicitly authorized?
Examine firewall and router configurations 1.3.6 Is stateful inspection, also known as dynamic packet filtering, implemented—that is, only established connections are allowed into the network?
Modified
p. 15
Examine firewall and router configurations 1.3.4 Are anti-spoofing measures implemented to detect and block forged sourced IP addresses from entering the network?
Examine firewall and router configurations 1.3.3 Are anti-spoofing measures implemented to detect and block forged sourced IP addresses from entering the network? (For example, block traffic originating from the internet with an internal address.) Examine firewall and router configurations
Modified
p. 15 → 16
Examine firewall and router configurations 1.3.3 Are direct connections prohibited for inbound or outbound traffic between the Internet and the cardholder data environment?
Examine firewall and router configurations 1.3.5 Are only established connections permitted into the network?
Modified
p. 15 → 16
Examine firewall and router configurations 1.3.7 Are system components that store cardholder data (such as a database) placed in an internal network zone, segregated from the DMZ and other untrusted networks? Examine firewall and router configurations
Examine firewall and router configurations 1.3.6 Are system components that store cardholder data (such as a database) placed in an internal network zone, segregated from the DMZ and other untrusted networks?
Modified
p. 16
Examine firewall and router configurations 1.3.7 (a) Are methods in place to prevent the disclosure of private IP addresses and routing information to the Internet? Note: Methods to obscure IP addressing may include, but are not limited to:
Modified
p. 16
Examine firewall and router configurations (b) Is any disclosure of private IP addresses and routing information to external entities authorized?
Examine firewall and router configurations Is any disclosure of private IP addresses and routing information to external entities authorized?
Modified
p. 16
Examine firewall and router configurations Interview personnel 1.4 (a) Is personal firewall software installed and active on any mobile and/or employee-owned devices that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the network?
Examine firewall and router configurations Interview personnel 1.4 Is personal firewall software (or equivalent functionality) installed and active on any portable computing devices (including company and/or employee-owned) that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the CDE? Review policies and configuration standards Examine mobile and/or employee-owned devices
Modified
p. 16 → 17
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested (b) Is the personal firewall software (or equivalent functionality) configured to specific configuration settings, actively running, and not alterable by users of mobile and/or employee-owned devices? Review policies and configuration standards Examine mobile and/or employee-owned devices 1.5 Are security policies and operational procedures for managing firewalls:
Modified
p. 17 → 18
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 2.1 (a) Are vendor-supplied defaults always changed before installing a system on the network? This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, Simple Network Management Protocol (SNMP) community strings, etc.).
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 2.1 (a) Are vendor-supplied defaults always changed before installing a system on the network? This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, payment applications, Simple Network Management Protocol (SNMP) community strings, etc.).
Modified
p. 17 → 18
Review policies and procedures Examine vendor documentation Observe system configurations and account settings Interview personnel (b) Are unnecessary default accounts removed or disabled before installing a system on the network? Review policies and procedures Review vendor documentation Examine system configurations and account settings Interview personnel 2.1.1 For wireless environments connected to the cardholder data environment or transmitting cardholder data, are ALL wireless vendor defaults changed at installations, as follows:
Review policies and procedures Examine vendor documentation Observe system configurations and account settings Interview personnel Are unnecessary default accounts removed or disabled before installing a system on the network? Review policies and procedures Review vendor documentation Examine system configurations and account settings Interview personnel 2.1.1 For wireless environments connected to the cardholder data environment or transmitting cardholder data, are ALL wireless vendor defaults changed at installations, as follows:
Modified
p. 19 → 20
Examine system configurations (b) If virtualization technologies are used, is only one primary function implemented per virtual system component or device? Examine system configurations
Examine system configurations If virtualization technologies are used, is only one primary function implemented per virtual system component or device? Examine system configurations
Removed
p. 20
Review documentation that verifies POS POI devices are not susceptible to any known exploits for SSL/early TLS Review Risk Mitigation and Migration Plan
Modified
p. 20 → 21
Review configuration standards Examine system configurations (b) Are all enabled insecure services, daemons, or protocols justified per documented configuration standards?
Review configuration standards Examine system configurations (d) Are all enabled insecure services, daemons, or protocols justified per documented configuration standards?
Modified
p. 20 → 21
Review configuration standards Interview personnel Examine configuration settings Compare enabled services, etc. to documented justifications 2.2.3 Are additional security features documented and implemented for any required services, protocols or daemons that are considered to be insecure? For example, use secured technologies such as SSH, S-FTP, TLS, or IPSec VPN to protect insecure services such as NetBIOS, file-sharing, Telnet, FTP, etc.
Review configuration standards Interview personnel Examine configuration settings Compare enabled services, etc. to documented justifications 2.2.3 Are additional security features documented and implemented for any required services, protocols or daemons that are considered to be insecure? Note: Where SSL/early TLS is used, the requirements in Appendix A2 must be completed.
Modified
p. 20 → 21
Review configuration standards Examine configuration settings If SSL/early TLS is used:
Review configuration standards Examine configuration settings 2.2.4 (a) Are system administrators and/or personnel that configure system components knowledgeable about common security parameter settings for those system components?
Removed
p. 21
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 2.2.4 (a) Are system administrators and/or personnel that configure system components knowledgeable about common security parameter settings for those system components?
Review documentation Examine security parameters on system components (c) Is only documented functionality present on system components? Review documentation Examine security parameters on system components
Modified
p. 21
Interview personnel (b) Are common system security parameters settings included in the system configuration standards?
Interview personnel Are common system security parameters settings included in the system configuration standards?
Modified
p. 21
Examine security parameters on system components (b) Are enabled functions documented and do they support secure configuration?
Examine security parameters on system components Are enabled functions documented and do they support secure configuration? Review documentation Examine security parameters on system components
Removed
p. 22
Use technologies such as SSH, VPN, or TLS for web-based management and other non-console administrative access.
Modified
p. 22
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 2.3 Is non-console administrative access encrypted as follows:
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested (c) Is only documented functionality present on system components? Review documentation Examine security parameters on system components 2.3 Is non-console administrative access encrypted as follows:
Modified
p. 22
Examine system components Observe an administrator log on (d) For the technology in use, is strong cryptography implemented according to industry best practice and/or vendor recommendations? Examine system components Review vendor documentation Interview personnel
Examine system components Observe an administrator log on (d) For the technology in use, is strong cryptography implemented according to industry best practice and/or vendor recommendations?
Removed
p. 23
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested (e) For POS POI terminals (and the SSL/TLS termination points to which they connect) using SSL and/or early TLS and for which the entity asserts are not susceptible to any known exploits for those protocols: Is there documentation (for example, vendor documentation, system/network configuration details, etc.) that verifies the devices are not susceptible to any known exploits for SSL/early TLS? Review documentation that verifies POS POI devices are not susceptible to any known exploits for SSL/early TLS (f) For all other environments using SSL and/or early TLS:
Does the documented Risk Mitigation and Migration Plan include the following? Description of usage, including; what data is being transmitted, types and number of systems that use and/or support SSL/early TLS, type of environment; Risk assessment results and risk reduction controls in …
Modified
p. 23 → 22
Review Risk Mitigation and Migration Plan 2.4 (a) Is an inventory maintained for systems components that are in scope for PCI DSS, including a list of hardware and software components and a description of function/use for each? Examine system inventory (b) Is the documented inventory kept current? Interview personnel
Examine system components Review vendor documentation Interview personnel 2.4 (a) Is an inventory maintained for systems components that are in scope for PCI DSS, including a list of hardware and software components and a description of function/use for each? Examine system inventory (b) Is the documented inventory kept current? Interview personnel 2.5 Are security policies and operational procedures for managing vendor defaults and other security parameters:
Removed
p. 24
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 2.5 Are security policies and operational procedures for managing vendor defaults and other security parameters:
Modified
p. 24 → 22
Documented Known to all affected parties?
Documented Known to all affected parties? Review security policies and operational procedures Interview personnel
Modified
p. 24 → 23
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 2.6 If you are a shared hosting provider, are your systems configured to protect each entity’s (your customers’) hosted environment and cardholder data? See Appendix A1: Additional PCI DSS Requirements for Shared Hosting Providers for specific requirements that must be met.
Modified
p. 24 → 23
Complete Appendix A testing procedures
Complete Appendix A1 testing procedures
Removed
p. 25
Review policies and procedures Interview personnel Review documented business justification (b) For issuers and/or companies that support issuing services and store sensitive authentication data: Is the data secured? Examine data stores and system configuration files
Modified
p. 25 → 24
Examine files and system records 3.2 (a) For issuers and/or companies that support issuing services and store sensitive authentication data, is there a documented business justification for the storage of sensitive authentication data?
Examine files and system records 3.2 (a) For issuers and/or companies that support issuing services and store sensitive authentication data, is there a documented business justification for the storage of sensitive authentication data? Review policies and procedures Interview personnel Review documented business justification
Removed
p. 26
Incoming transaction data All logs History files Trace files Database schema Database contents 3.2.2 The card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) is not stored after authorization? Examine data sources including:
Modified
p. 26 → 25
Examine data stores and system configuration files (c) For all other entities: Is sensitive authentication data deleted or rendered unrecoverable upon completion of the authorization process? Review policies and procedures Examine system configurations Examine deletion processes (d) Do all systems adhere to the following requirements regarding non-storage of sensitive authentication data after authorization (even if encrypted):
Modified
p. 27 → 26
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 3.2.3 The personal identification number (PIN) or the encrypted PIN block is not stored after authorization? Examine data sources including:
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 3.2.2 The card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) is not stored after authorization? Examine data sources including:
Modified
p. 27 → 26
Incoming transaction data All logs History files Trace files Database schema Database contents 3.3 Is the PAN masked when displayed (the first six and last four digits are the maximum number of digits to be displayed) such that only personnel with a legitimate business need can see the full PAN? Note: This requirement does not supersede stricter requirements in place for displays of cardholder data, for example, legal or payment card brand requirements for point-of-sale …
Incoming transaction data All logs History files Trace files Database schema Database contents 3.3 Is the PAN masked when displayed (the first six and last four digits are the maximum number of digits to be displayed) such that only personnel with a legitimate business need can see more than the first six/last four digits of the PAN? Note: This requirement does not supersede stricter requirements in place for displays of cardholder data, for example, legal …
Modified
p. 28 → 27
Examine vendor documentation Examine data repositories Examine removable media Examine audit logs 3.4.1 If disk encryption (rather than file- or column-level database encryption) is used, is access managed as follows:
Examine vendor documentation Examine data repositories Examine removable media Examine audit logs, including payment application logs 3.4.1 If disk encryption (rather than file- or column-level database encryption) is used, is access managed as follows:
Modified
p. 28 → 27
Examine system configurations Observe the authentication process (b) Are cryptographic keys stored securely (for example, stored on removable media that is adequately protected with strong access controls)?
Examine system configurations Observe the authentication process (b) Are cryptographic keys stored securely (for example, stored on removable media that is adequately protected with strong access controls)? Observe processes Interview personnel
Modified
p. 28
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested (c) Is cardholder data on removable media encrypted wherever stored? Note: If disk encryption is not used to encrypt removable media, the data stored on this media will need to be rendered unreadable through some other method.
Modified
p. 28
Examine system configurations Observe processes
Examine system configurations Observe processes 3.5 Are keys used to secure stored cardholder data protected against disclosure and misuse as follows:
Removed
p. 29
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 3.5 Are keys used to secure stored cardholder data protected against disclosure and misuse as follows:
Modified
p. 29
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 3.5.3 Are secret and private cryptographic keys used to encrypt/decrypt cardholder data stored in one (or more) of the following forms at all times? Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the data-encrypting key Within a secure cryptographic device (such as a hardware (host) security …
Modified
p. 29
Review documented procedures Examine system configurations and key storage locations, including for key-encrypting keys 3.5.3 Are cryptographic keys stored in the fewest possible locations? Examine key-storage locations Observe processes
Review documented procedures Examine system configurations and key storage locations, including for key-encrypting keys 3.5.4 Are cryptographic keys stored in the fewest possible locations?
Removed
p. 30
Review key-management procedures Observe key-generation method 3.6.2 Do cryptographic key procedures include secure cryptographic key distribution?
Modified
p. 30 → 29
Review key-management procedures (b) For service providers only: If keys are shared with customers for transmission or storage of cardholder data, is documentation provided to customers that includes guidance on how to securely transmit, store and update customer’s keys, in accordance with requirements 3.6.1 through 3.6.8 below? Review documentation provided to customers (c) Are key-management processes and procedures implemented to require the following:
Review key-management procedures (b) For service providers only: If keys are shared with customers for transmission or storage of cardholder data, is documentation provided to customers that includes guidance on how to securely transmit, store and update customer’s keys, in accordance with requirements 3.6.1 through 3.6.8 below? Review documentation provided to customers Are key-management processes and procedures implemented to require the following:
Modified
p. 30
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 3.6 (a) Are all key-management processes and procedures fully documented and implemented for cryptographic keys used for encryption of cardholder data?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 3.6.2 Do cryptographic key procedures include secure cryptographic key distribution?
Modified
p. 30
Review key-management procedures Observe the method for secure storage of keys 3.6.4 Do cryptographic key procedures include cryptographic key changes for keys that have reached the end of their defined cryptoperiod (for example, after a defined period of time has passed and/or after a certain amount of cipher-text has been produced by a given key), as defined by the associated application vendor or key owner, and based on industry best practices and guidelines (for example, NIST Special Publication …
Review key-management procedures Observe the method for secure storage of keys 3.6.4 Do cryptographic key procedures include cryptographic key changes for keys that have reached the end of their defined cryptoperiod (for example, after a defined period of time has passed and/or after a certain amount of cipher- text has been produced by a given key), as defined by the associated application vendor or key owner, and based on industry best practices and guidelines (for example, NIST Special …
Modified
p. 31 → 30
Review key-management procedures Interview personnel 3.6.5 (a) Do cryptographic key procedures include retirement or replacement (for example, archiving, destruction, and/or revocation) of cryptographic keys when the integrity of the key has been weakened (for example, departure of an employee with knowledge of a clear- text key)?
Modified
p. 31 → 30
Review key-management procedures Interview personnel (b) Do cryptographic key procedures include replacement of known or suspected compromised keys?
Review key-management procedures Interview personnel Do cryptographic key procedures include replacement of known or suspected compromised keys?
Modified
p. 31 → 30
Review key-management procedures Interview personnel (c) If retired or replaced cryptographic keys are retained, are these keys only used for decryption/verification purposes, and not used for encryption operations? Review key-management procedures Interview personnel 3.6.6 If manual clear-text key-management operations are used, do cryptographic key procedures include split knowledge and dual control of cryptographic keys as follows:
Review key-management procedures Interview personnel (d) If retired or replaced cryptographic keys are retained, are these keys only used for decryption/verification purposes, and not used for encryption operations? Review key-management procedures Interview personnel
Modified
p. 31
Review key-management procedures Interview personnel and/or Observe processes
Review key-management procedures Interview personnel and/or Observe processes 3.6.7 Do cryptographic key procedures include the prevention of unauthorized substitution of cryptographic keys?
Removed
p. 32
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 3.6.7 Do cryptographic key procedures include the prevention of unauthorized substitution of cryptographic keys?
Modified
p. 33 → 32
Examples of open, public networks include but are not limited to the Internet; wireless technologies, including 802.11 and Bluetooth; cellular technologies, for example, Global System for Mobile communications (GSM), Code division multiple access (CDMA); and General Packet Radio Service (GPRS).
Modified
p. 33 → 32
Examine system configurations (d) Is the proper encryption strength implemented for the encryption methodology in use (check vendor recommendations/best practices)? Review vendor documentation Examine system configurations
Examine system configurations (d) Is the proper encryption strength implemented for the encryption methodology in use (check vendor recommendations/best practices)?
Removed
p. 34
Examine system configurations (f) For POS POI terminals (and the SSL/TLS termination points to which they connect) using SSL and/or early TLS and for which the entity asserts are not susceptible to any known exploits for those protocols:
Is there documentation (for example, vendor documentation, system/network configuration details, etc.) that verifies the devices are not susceptible to any known exploits for SSL/early TLS? Review documentation that verifies POS POI devices are not susceptible to any known exploits for SSL/early TLS (g) For all other environments using SSL and/or early TLS:
Does the documented Risk Mitigation and Migration Plan include the following? Description of usage, including; what data is being transmitted, types and number of systems that use and/or support SSL/early TLS, type of environment; Risk assessment results and risk reduction controls in place; Description of processes to monitor for new vulnerabilities associated with SSL/early TLS; Description …
Modified
p. 34 → 32
Review vendor documentation Examine system configurations (e) For TLS implementations, is TLS enabled whenever cardholder data is transmitted or received? For example, for browser-based implementations:
Modified
p. 35 → 33
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 4.1.1 Are industry best practices (for example, IEEE 802.11i) used to implement strong encryption for authentication and transmission for wireless networks transmitting cardholder data or connected to the cardholder data environment? Note: The use of WEP as a security control is prohibited.
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 4.1.1 Are industry best practices used to implement strong encryption for authentication and transmission for wireless networks transmitting cardholder data or connected to the cardholder data environment?
Modified
p. 35 → 33
Observe processes Review outbound transmissions (b) Are policies in place that state that unprotected PANs are not to be sent via end-user messaging technologies? Review policies and procedures 4.3 Are security policies and operational procedures for encrypting transmissions of cardholder data:
Observe processes Review outbound transmissions Are policies in place that state that unprotected PANs are not to be sent via end-user messaging technologies? Review policies and procedures 4.3 Are security policies and operational procedures for encrypting transmissions of cardholder data:
Modified
p. 38 → 36
Review policies and procedures Interview personnel Observe processes 6.2 (a) Are all system components and software protected from known vulnerabilities by installing applicable vendor- supplied security patches?
Review policies and procedures Interview personnel Observe processes 6.2 (a) Are all system components and software protected from known vulnerabilities by installing applicable vendor-supplied security patches? Review policies and procedures
Modified
p. 38 → 37
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested Are critical security patches installed within one month of release? Note: Critical security patches should be identified according to the risk ranking process defined in Requirement 6.1.
Modified
p. 38 → 37
Review policies and procedures Examine system components Compare list of security patches installed to recent vendor patch lists
Review policies and procedures Examine system components Compare list of security patches installed to recent vendor patch lists 6.3 (a) Are software- development processes based on industry standards and/or best practices?
Removed
p. 39
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 6.3 (a) Are software- development processes based on industry standards and/or best practices?
Modified
p. 39 → 37
Review software development processes Observe processes Interview personnel (b) Is information security included throughout the software- development life cycle? Review software development processes Observe processes Interview personnel (c) Are software applications developed in accordance with
Review software development processes Observe processes Interview personnel Is information security included throughout the software-development life cycle?
Modified
p. 39 → 37
PCI DSS (for example, secure authentication and logging)? Review software development processes Observe processes Interview personnel (d) Do software development processes ensure the following at 6.3.1 - 6.3.2:
Review software development processes Observe processes Interview personnel (c) Are software applications developed in accordance with PCI DSS (for example, secure authentication and logging)? Review software development processes Observe processes Interview personnel (d) Do software development processes ensure the following at 6.3.1 - 6.3.2:
Modified
p. 40 → 38
Review change control processes and procedures Examine network documentation and network device configurations (b) Is access control in place to enforce the separation between the development/test environments and the production environment? Review change control processes and procedures Examine access control settings
Review change control processes and procedures Examine network documentation and network device configurations Is access control in place to enforce the separation between the development/test environments and the production environment? Review change control processes and procedures Examine access control settings
Modified
p. 41 → 39
Review change control processes and procedures Observe processes Interview personnel Examine test data 6.4.4 Are test data and accounts removed before production systems become active?
Review change control processes and procedures Observe processes Interview personnel Examine test data 6.4.4 Are test data and accounts removed from system components before the system becomes active / goes into production?
Modified
p. 41 → 39
Review change control processes and procedures Observe processes Interview personnel Examine production systems 6.4.5 (a) Are change-control procedures for implementing security patches and software modifications documented and require the following? Documentation of impact Documented change control approval by authorized parties Functionality testing to verify that the change does not adversely impact the security of the system Back-out procedures Review change control processes and procedures (b) Are the following performed and documented …
Review change control processes and procedures Observe processes Interview personnel Examine production systems 6.4.5 (a) Are change-control procedures documented and require the following? Documentation of impact Documented change control approval by authorized parties Functionality testing to verify that the change does not adversely impact the security of the system Back-out procedures Review change control processes and procedures Are the following performed and documented for all 6.4.5.1 Documentation of impact? Trace …
Modified
p. 42 → 40
Trace changes to change control documentation Examine change control documentation (b) For custom code changes, testing of updates for compliance with PCI DSS Requirement 6.5 before being deployed into production? Trace changes to change control documentation Examine change control documentation 6.4.5.4 Back-out procedures? Trace changes to change control documentation Examine change control documentation
Trace changes to change control documentation Examine change control documentation (b) For custom code changes, testing of updates for compliance with PCI DSS Requirement 6.5 before being deployed into production?
Modified
p. 43 → 41
Review software-development policies and procedures (b) Are developers trained in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory? Interview personnel Examine training records (c) Are applications developed based on secure coding guidelines to protect applications from, at a minimum, the following vulnerabilities:
Review software-development policies and procedures (b) Are developers trained at least annually in up-to-date secure coding techniques, including how to avoid common coding vulnerabilities? Examine software-development policies and procedures Examine training records (c) Are applications developed based on secure coding guidelines to protect applications from, at a minimum, the following vulnerabilities:
Modified
p. 47 → 45
Interview personnel Interview management Review privileged user IDs 7.1.3 Are access assigned based on individual personnel’s job classification and function? Interview management Review user IDs
Interview personnel Interview management Review privileged user IDs 7.1.3 Is access assigned based on individual personnel’s job classification and function? Interview management Review user IDs
Modified
p. 48 → 46
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 7.1.4 Is documented approval by authorized parties required, specifying required privileges? Review user IDs Compare with documented approvals Compare assigned privileges with documented approvals 7.2 Is an access control system in place for system components to restrict access based on a user’s need to know, and is it set to “deny all” unless specifically allowed, as follows:
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 7.1.4 Is documented approval by authorized parties required, specifying required privileges? Review user IDs Compare with documented approvals Compare assigned privileges with documented approvals 7.2 Is an access control system(s) in place for system components to restrict access based on a user’s need to know, and is it set to “deny all” unless specifically allowed, as follows:
Modified
p. 48 → 46
Review vendor documentation Examine configuration settings 7.2.3 Does the access control system(s) have a default “deny- all” setting? Review vendor documentation Examine configuration settings 7.3 Are security policies and operational procedures for restricting access to cardholder data:
Modified
p. 49 → 47
Review password procedures Observe user accounts 8.1.5 (a) Are accounts used by vendors to access, support, or maintain system components via remote access enabled only during the time period needed and disabled when not in use?
Review password procedures Observe user accounts 8.1.5 (a) Are accounts used by third parties to access, support, or maintain system components via remote access enabled only during the time period needed and disabled when not in use?
Modified
p. 49 → 47
Review password procedures Interview personnel Observe processes (b) Are vendor remote access accounts monitored when in use? Interview personnel Observe processes
Review password procedures Interview personnel Observe processes Are third party remote access accounts monitored when in use? Interview personnel Observe processes
Modified
p. 50 → 48
Review password procedures Examine system configuration settings (b) For service providers only: Are non-consumer customer passwords temporarily locked-out after not more than six invalid access attempts?
Review password procedures Examine system configuration settings For service providers only: Are non-consumer customer passwords temporarily locked-out after not more than six invalid access attempts?
Modified
p. 50 → 48
Something you know, such as a password or passphrase Something you have, such as a token device or smart card Something you are, such as a biometric Review password procedures Observe authentication processes 8.2.1 (a) Is strong cryptography used to render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components? Review password procedures Review vendor documentation Examine system configuration settings Observe password files Observe …
Something you know, such as a password or passphrase Something you have, such as a token device or smart card Something you are, such as a biometric Review password procedures Observe authentication processes 8.2.1 (a) Is strong cryptography used to render all authentication credentials (such as passwords/passphrases) unreadable during transmission and storage on all system components? Review password procedures Review vendor documentation Examine system configuration settings Observe password files Observe …
Modified
p. 51 → 49
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested (b) For service providers only: Is strong cryptography used to render all non-consumer customers’ authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested For service providers only: Is strong cryptography used to render all non-consumer customers’ authentication credentials (such as passwords/passphrases) unreadable during transmission and storage on all system components?
Modified
p. 51 → 49
Review authentication procedures Observe personnel 8.2.3 (a) Are user password parameters configured to require passwords/passphrases meet the following? A minimum password length of at least seven characters Contain both numeric and alphabetic characters Alternatively, the passwords/phrases must have complexity and strength at least equivalent to the parameters specified above.
Review authentication procedures Observe personnel 8.2.3 (a) Are user password parameters configured to require passwords/passphrases meet the following? A minimum password length of at least seven characters Contain both numeric and alphabetic characters Alternatively, the passwords/passphrases must have complexity and strength at least equivalent to the parameters specified above.
Modified
p. 51 → 49
Examine system configuration settings to verify password parameters (b) For service providers only: Are non-consumer customer passwords required to meet the following minimum length and complexity requirements?
Examine system configuration settings to verify password parameters For service providers only: Are non-consumer customer passwords required to meet the following minimum length and complexity requirements?
Modified
p. 51 → 49
A minimum password length of at least seven characters Contain both numeric and alphabetic characters Review customer/user documentation Observe internal processes 8.2.4 (a) Are user passwords/passphrases changed at least once every 90 days? Review password procedures Examine system configuration settings (b) For service providers only: Are non-consumer customer passwords required to be changed periodically, and are non-consumer customers given guidance as to when, and under what circumstances, passwords must change.
A minimum password length of at least seven characters Contain both numeric and alphabetic characters Review customer/user documentation Observe internal processes 8.2.4 (a) Are user passwords/passphrases changed at least once every 90 days? Review password procedures Examine system configuration settings For service providers only: Are non-consumer customer passwords required to be changed periodically, and are non-consumer customers given guidance as to when, and under what circumstances, passwords must change.
Removed
p. 52
Examples of two-factor technologies include remote authentication and dial-in service (RADIUS) with tokens; terminal access controller access control system (TACACS) with tokens; and other technologies that facilitate two-factor authentication.
Review policies and procedures Examine system configurations Observe personnel 8.4 (a) Are authentication policies and procedures documented and communicated to all users? Review policies and procedures Review distribution method Interview personnel Interview users
Modified
p. 52 → 50
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 8.2.5 (a) Must an individual submit a new password/phrase that is different from any of the last four passwords/phrases he or she has used?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 8.2.5 (a) Must an individual submit a new password/passphrase that is different from any of the last four passwords/passphrases he or she has used?
Modified
p. 52 → 50
Review password procedures Sample system components Examine system configuration settings (b) For service providers only: Are new, non-consumer customer passwords required to be different from any of the last four passwords used?
Review password procedures Sample system components Examine system configuration settings For service providers only: Are new, non-consumer customer passwords required to be different from any of the last four passwords used?
Modified
p. 52 → 50
Review customer/user documentation Observe internal processes 8.2.6 Are passwords/phrases set to a unique value for each user for first-time use and upon reset, and must each user change their password immediately after the first use?
Review customer/user documentation Observe internal processes 8.2.6 Are passwords/passphrases set to a unique value for each user for first-time use and upon reset, and must each user change their password immediately after the first use? Review password procedures Examine system configuration settings Observe security personnel 8.3 Is all individual non-console administrative access and all remote access to the CDE secured using multi-factor authentication, as follows:
Modified
p. 52 → 50
Note: Multi-factor authentication requires that a minimum of two of the three authentication methods (see PCI DSS Requirement 8.2 for descriptions of authentication methods) be used for authentication. Using one factor twice (for example, using two separate passwords) is not considered multi-factor authentication.
Modified
p. 53 → 51
Review policies and procedures Review distribution method Interview personnel Interview users Do authentication policies and procedures include the following? Guidance on selecting strong authentication credentials Guidance for how users should protect their authentication credentials Instructions not to reuse previously used passwords Instructions that users should change passwords if there is any suspicion the password could be compromised Review policies and procedures Review documentation provided to users 8.5 Are group, shared, …
Modified
p. 53 → 51
Generic user IDs and accounts are disabled or removed; Shared user IDs for system administration activities and other critical functions do not exist; and Shared and generic user IDs are not used to administer any system components?
Generic user IDs and accounts are disabled or removed; Shared user IDs for system administration activities and other critical functions do not exist; and Shared and generic user IDs are not used to administer any system components? Review policies and procedures Examine user ID lists Interview personnel
Modified
p. 53 → 52
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 8.5.1 For service providers only: Do service providers with remote access to customer premises (for example, for support of POS systems or servers) use a unique authentication credential (such as a password/passphrase) for each customer? Note: This requirement is not intended to apply to shared hosting providers accessing their own hosting environment, where multiple customer environments are hosted.
Modified
p. 54 → 52
Review policies and procedures Interview personnel 8.6 Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, and certificates, etc.), is the use of these mechanisms assigned as follows? Authentication mechanisms must be assigned to an individual account and not shared among multiple accounts Physical and/or logical controls must be in place to ensure only the intended account can use that mechanism to gain access Review policies and procedures …
Modified
p. 54 → 53
Review database authentication policies and procedures Examine database and application configuration settings (b) Is user direct access to or queries to of databases restricted to database administrators? Review database authentication policies and procedures Examine database access control settings Examine database application configuration settings
Review database authentication policies and procedures Examine database and application configuration settings Is user direct access to or queries to of databases restricted to database administrators?
Modified
p. 55 → 53
Review database authentication policies and procedures Examine database access control settings Examine database application configuration settings (d) Are application IDs only able to be used by the applications (and not by individual users or other processes)? Review database authentication policies and procedures Examine database access control settings Examine database application configuration settings 8.8 Are security policies and operational procedures for identification and authentication:
Modified
p. 56 → 54
Observe physical access controls Observe personnel 9.1.1 (a) Are video cameras and/or access-control mechanisms in place to monitor individual physical access to sensitive areas? Note: “Sensitive areas” refers to any data center, server room, or any area that houses systems that store, process, or transmit cardholder data. This excludes public-facing areas where only point-of-sale terminals are present such as the cashier areas in a retail store.
Observe physical access controls Observe personnel 9.1.1 (a) Are either video cameras or access-control mechanisms (or both) in place to monitor individual physical access to sensitive areas? Note: “Sensitive areas” refers to any data center, server room, or any area that houses systems that store, process, or transmit cardholder data. This excludes public-facing areas where only point-of-sale terminals are present such as the cashier areas in a retail store.
Modified
p. 56 → 54
Review policies and procedures Observe physical monitoring mechanisms Observe security features (b) Are video cameras and/or access-control mechanisms protected from tampering or disabling?
Review policies and procedures Observe physical monitoring mechanisms Observe security features Are either video cameras or access-control mechanisms (or both) protected from tampering or disabling?
Modified
p. 57 → 55
Review policies and procedures Interview personnel Observe identification methods (e.g. badges) Observe visitor processes (b) Do identification methods (such as ID badges) clearly identify visitors and easily distinguish between onsite personnel and visitors?
Review policies and procedures Interview personnel Observe identification methods (e.g. badges) Observe visitor processes Do identification methods (such as ID badges) clearly identify visitors and easily distinguish between onsite personnel and visitors?
Modified
p. 57 → 55
Observe identification methods (c) Is access to the badge system limited to authorized personnel? Observe physical controls and access controls for the badge system 9.3 Is physical access to sensitive areas controlled for onsite personnel, as follows:
Observe identification methods (e) Is access to the badge system limited to authorized personnel? Observe physical controls and access controls for the badge system
Modified
p. 57 → 56
Is access revoked immediately upon termination Upon termination, are all physical access mechanisms, such as keys, access cards, etc., returned or disabled? Interview personnel Examine access control lists Observe onsite personnel Compare lists of terminated employees to access control lists
Is access revoked immediately upon termination Upon termination, are all physical access mechanisms, such as keys, access cards, etc., returned or disabled? Interview personnel Examine access control lists Observe onsite personnel Compare lists of terminated employees to access control lists 9.4 Is visitor identification and access handled as follows:
Removed
p. 58
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 9.4 Is visitor identification and access handled as follows:
Modified
p. 58 → 56
Observe badge use of personnel and visitors Examine identification (b) Do visitor badges or other identification expire? Observe process Examine identification 9.4.3 Are visitors asked to surrender the badge or other identification before leaving the facility or at the date of expiration?
Observe badge use of personnel and visitors Examine identification Do visitor badges or other identification expire? Observe process Examine identification 9.4.3 Are visitors asked to surrender the badge or other identification before leaving the facility or at the date of expiration?
Modified
p. 58 → 56
Review policies and procedures Examine the visitor log Observe visitor processes Examine log retention (b) Does the visitor log contain the visitor’s name, the firm represented, and the onsite personnel authorizing physical access?
Review policies and procedures Examine the visitor log Observe visitor processes Examine log retention Does the visitor log contain the visitor’s name, the firm represented, and the onsite personnel authorizing physical access? Review policies and procedures Examine the visitor log
Modified
p. 58 → 57
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested (f) Is the visitor log retained for at least three months? Review policies and procedures Examine visitor log retention 9.5 Are all media physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes)? For purposes of Requirement 9, “media” refers to all paper and electronic media containing cardholder data.
Modified
p. 58 → 57
Review policies and procedures for physically securing media Interview personnel
Review policies and procedures for physically securing media Interview personnel 9.5.1 Is the location where media back-ups are stored reviewed at least annually to confirm storage is secure?
Removed
p. 59
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 9.5.1 (a) Are media back-ups stored in a secure location, preferably in an off-site facility, such as an alternate or backup site, or a commercial storage facility?
Review policies and procedures 9.7.1 (a) Are inventory logs of all media properly maintained? Examine inventory logs (b) Are periodic media inventories conducted at least annually? Examine inventory logs Interview personnel
Modified
p. 59 → 57
Review policies and procedures for reviewing offsite media locations Interview security personnel 9.6 (a) Is strict control maintained over the internal or external distribution of any kind of media? Review policies and procedures for distribution of media Do controls include the following:
Modified
p. 59 → 57
Interview personnel Examine media distribution tracking logs and documentation 9.7 Is strict control maintained over the storage and accessibility of media?
Interview personnel Examine media distribution tracking logs and documentation 9.7 Is strict control maintained over the storage and accessibility of media? Review policies and procedures 9.7.1 (a) Are inventory logs of all media properly maintained? Examine inventory logs
Modified
p. 60 → 58
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 9.8 (a) Is all media destroyed when it is no longer needed for business or legal reasons?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested Are periodic media inventories conducted at least annually?
Modified
p. 60 → 58
Review periodic media destruction policies and procedures (b) Is there a periodic media destruction policy that defines requirements for the following? Hard-copy materials must be crosscut shredded, incinerated, or pulped such that there is reasonable assurance the hard-copy materials cannot be reconstructed.
Review periodic media destruction policies and procedures Is there a periodic media destruction policy that defines requirements for the following? Hard-copy materials must be crosscut shredded, incinerated, or pulped such that there is reasonable assurance the hard-copy materials cannot be reconstructed.
Modified
p. 60 → 58
Cardholder data on electronic media must be rendered unrecoverable (e.g., via a secure wipe program in accordance with industry-accepted standards for secure deletion, or by physically destroying the media).
Cardholder data on electronic media must be rendered unrecoverable (e.g., via a secure wipe program in accordance with industry- accepted standards for secure deletion, or by physically destroying the media).
Modified
p. 60 → 58
Interview personnel Examine procedures Observe processes (b) Are storage containers used for materials that contain information to be destroyed secured to prevent access to the contents?
Interview personnel Examine procedures Observe processes Are storage containers used for materials that contain information to be destroyed secured to prevent access to the contents?
Modified
p. 62 → 60
Interview personnel Observe inspection processes and compare to defined processes (b) Are personnel are aware of procedures for inspecting devices?
Interview personnel Observe inspection processes and compare to defined processes Are personnel aware of procedures for inspecting devices?
Modified
p. 64 → 62
Observe processes Interview system administrator (b) Is access to system components linked to individual users? Observe processes Interview system administrator 10.2 Are automated audit trails implemented for all system components to reconstruct the following events:
Observe processes Interview system administrator Is access to system components linked to individual users? Observe processes Interview system administrator 10.2 Are automated audit trails implemented for all system components to reconstruct the following events:
Modified
p. 65 → 63
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 10.2.6 Initialization, stopping, or pausing of the audit logs? Interview personnel Observe audit logs Examine audit log settings 10.2.7 Creation and deletion of system-level object? Interview personnel Observe audit logs Examine audit log settings 10.3 Are the following audit trail entries recorded for all system components for each event:
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 10.2.6 Initialization, stopping, or pausing of the audit logs? Interview personnel Observe audit logs Examine audit log settings 10.2.7 Creation and deletion of system-level objects? Interview personnel Observe audit logs Examine audit log settings 10.3 Are the following audit trail entries recorded for all system components for each event:
Modified
p. 66 → 64
Review time configuration standards and processes Examine time-related system parameters (b) Where there is more than one designated time server, do the time servers peer with each other to keep accurate time?
Review time configuration standards and processes Examine time-related system parameters Where there is more than one designated time server, do the time servers peer with each other to keep accurate time?
Modified
p. 66 → 64
Review time configuration standards and processes Examine time-related system parameters (c) Do systems receive time only from designated central time server(s)? Review time configuration standards and processes Examine time-related system parameters 10.4.2 Is time data is protected as follows:
Review time configuration standards and processes Examine time-related system parameters (g) Do systems receive time only from designated central time server(s)? Review time configuration standards and processes Examine time-related system parameters 10.4.2 Is time data is protected as follows:
Modified
p. 68 → 66
All security events Logs of all system components that store, process, or transmit CHD and/or SAD Logs of all critical system components Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e- commerce redirection servers, etc.) Review security policies and procedures (b) Are the above logs and security events reviewed at least daily?
All security events Logs of all system components that store, process, or transmit CHD and/or SAD Logs of all critical system components Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e- commerce redirection servers, etc.) Review security policies and procedures Are the above logs and security events reviewed at least daily?
Modified
p. 68 → 66
Review security policies and procedures (b) Are reviews of all other system components performed in accordance with organization’s policies and risk management strategy? Review risk assessment documentation Interview personnel
Review security policies and procedures Are reviews of all other system components performed in accordance with organization’s policies and risk management strategy? Review risk assessment documentation Interview personnel
Modified
p. 69 → 67
Review security policies and procedures (b) Is follow up to exceptions and anomalies performed? Observe processes Interview personnel 10.7 (a) Are audit log retention policies and procedures in place and do they require that logs are retained for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup)?
Review security policies and procedures Is follow up to exceptions and anomalies performed? Observe processes Interview personnel 10.7 (a) Are audit log retention policies and procedures in place and do they require that logs are retained for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup)?
Modified
p. 69 → 67
Review security policies and procedures (b) Are audit logs retained for at least one year? Interview personnel Examine audit logs (c) Are at least the last three months’ logs immediately available for analysis? Interview personnel Observe processes 10.8 Are security policies and operational procedures for monitoring all access to network resources and cardholder data:
Review security policies and procedures Are audit logs retained for at least one year? Interview personnel Examine audit logs (c) Are at least the last three months’ logs immediately available for analysis? Interview personnel Observe processes 10.8 For service providers only: Is a process implemented for the timely detection and reporting of failures of critical security control systems as follows:
Modified
p. 70
Review policies and procedures (b) Does the methodology detect and identify any unauthorized wireless access points, including at least the following? WLAN cards inserted into system components; Portable or mobile devices attached to system components to create a wireless access point (for example, by USB, etc.); and Wireless devices attached to a network port or network device.
Review policies and procedures Does the methodology detect and identify any unauthorized wireless access points, including at least the following? WLAN cards inserted into system components; Portable or mobile devices attached to system components to create a wireless access point (for example, by USB, etc.); and Wireless devices attached to a network port or network device.
Modified
p. 70
Evaluate the methodology (c) If wireless scanning is utilized to identify authorized and unauthorized wireless access points, is the scan performed at least quarterly for all system components and facilities?
Evaluate the methodology (h) If wireless scanning is utilized to identify authorized and unauthorized wireless access points, is the scan performed at least quarterly for all system components and facilities?
Modified
p. 70
Examine output from recent wireless scans (d) If automated monitoring is utilized (for example, wireless IDS/IPS, NAC, etc.), is monitoring configured to generate alerts to notify personnel?
Examine output from recent wireless scans (i) If automated monitoring is utilized (for example, wireless IDS/IPS, NAC, etc.), is monitoring configured to generate alerts to notify personnel?
Modified
p. 71
Examine incident response plan (see Requirement 12.10) (b) Is action taken when unauthorized wireless access points are found? Interview responsible personnel Inspect recent wireless scans and related responses 11.2 Are internal and external network vulnerability scans run at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades), as follows:
Examine incident response plan (see Requirement 12.10) Is action taken when unauthorized wireless access points are found? Interview responsible personnel Inspect recent wireless scans and related responses 11.2 Are internal and external network vulnerability scans run at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades), as follows:
Modified
p. 71
For initial PCI DSS compliance, it is not required that four quarters of passing scans be completed if the assessor verifies 1) the most recent scan result was a passing scan, 2) the entity has documented policies and procedures requiring quarterly scanning, and 3) vulnerabilities noted in the scan results have been corrected as shown in a re-scan(s). For subsequent years after the initial PCI DSS review, four quarters of passing scans must have occurred.
For initial PCI DSS compliance, it is not required that four quarters of passing scans be completed if the assessor verifies 1) the most recent scan result was a passing scan, 2) the entity has documented policies and procedures requiring quarterly scanning, and 3) vulnerabilities noted in the scan results have been corrected as shown in a re- scan(s). For subsequent years after the initial PCI DSS review, four quarters of passing scans must have occurred.
Modified
p. 71 → 72
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested (c) Are quarterly internal scans performed by a qualified internal resource(s) or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)?
Modified
p. 72
Interview personnel 11.2.2 (a) Are quarterly external vulnerability scans performed? Note: Quarterly external vulnerability scans must be performed by an Approved Scanning Vendor (ASV), approved by the Payment Card Industry Security Standards Council (PCI SSC).
Modified
p. 72
Review results from the four most recent quarters of external vulnerability scans (b) Do external quarterly scan and rescan results satisfy the ASV Program Guide requirements for a passing scan (for example, no vulnerabilities rated 4.0 or higher by the CVSS, and no automatic failures)? Review results of each external quarterly scan and rescan (c) Are quarterly external vulnerability scans performed by a
Review results from the four most recent quarters of external vulnerability scans (b) Do external quarterly scan and rescan results satisfy the ASV Program Guide requirements for a passing scan (for example, no vulnerabilities rated 4.0 or higher by the CVSS, and no automatic failures)?
Modified
p. 75
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 11.4 (a) Are intrusion-detection and/or intrusion-prevention techniques that detect and/or prevent intrusions into the network in place to monitor all traffic:
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 11.3.4.1 For service providers only: If segmentation is used:
Modified
p. 75
Examine system configurations Interview responsible personnel (c) Are all intrusion-detection and prevention engines, baselines, and signatures kept up-to-date? Examine IDS/IPS configurations Examine vendor documentation 11.5 (a) Is a change-detection mechanism (for example, file- integrity monitoring tools) deployed within the cardholder data environment to detect unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files? Examples of files that should be monitored include:
Examine system configurations Interview responsible personnel (c) Are all intrusion-detection and prevention engines, baselines, and signatures kept up-to-date? Examine IDS/IPS configurations Examine vendor documentation
Modified
p. 75 → 76
System executables Application executables Configuration and parameter files Centrally stored, historical or archived, log, and audit files Additional critical files determined by entity (for example, through risk assessment or other means) Observe system settings and monitored files Examine system configuration settings
System executables Application executables Configuration and parameter files Centrally stored, historical or archived, log, and audit files Additional critical files determined by entity (for example, through risk assessment or other means) Observe system settings and monitored files Examine system configuration settings (b) Is the change-detection mechanism configured to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files or content files, and do the tools perform critical …
Removed
p. 76
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested (b) Is the change-detection mechanism configured to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files or content files, and do the tools perform critical file comparisons at least weekly? Note: For change detection purposes, critical files are usually those that do not regularly change, but the modification of which could indicate a system compromise or risk of compromise. Change detection mechanisms such as file- integrity monitoring products usually come pre-configured with critical files for the related operating system. Other critical files, such as those for custom applications, must be evaluated and defined by the entity (that is the merchant or service provider).
Modified
p. 76
Observe system settings and monitored files Review results from monitoring activities 11.5.1 Is a process in place to respond to any alerts generated by the change-detection solution? Examine system configuration settings 11.6 Are security policies and operational procedures for security monitoring and testing:
Observe system settings and monitored files Review results from monitoring activities 11.5.1 Is a process in place to respond to any alerts generated by the change-detection solution? Examine system configuration settings
Modified
p. 77 → 78
Review the information security policy Interview responsible personnel 12.2 (a) Is an annual risk assessment process implemented Identifies critical assets, threats, and vulnerabilities, Results in a formal, documented analysis of risk? Examples of risk assessment methodologies include but are not limited to OCTAVE, ISO 27005 and NIST SP 800- 30.
Review the information security policy Interview responsible personnel 12.2 (a) Is an annual risk assessment process implemented Identifies critical assets, threats, and vulnerabilities, and Results in a formal, documented analysis of risk? Examples of risk assessment methodologies include but are not limited to OCTAVE, ISO 27005 and NIST SP 800- 30.
Modified
p. 79 → 80
Review usage policies Interview responsible personnel 12.4 Do security policy and procedures clearly define information security responsibilities for all personnel?
Review usage policies Interview responsible personnel 12.4 Do security policy and procedures clearly define information security responsibilities for all personnel? Review information security policy and procedures Interview a sample of responsible personnel 12.4.1 For service providers only: Have executive management established responsibility for the protection of cardholder data and a PCI DSS compliance program, as follows:
Modified
p. 79 → 80
Review information security policy and procedures Interview a sample of responsible personnel 12.5 (a) Is responsibility for information security formally assigned to a Chief Security Officer or other security- knowledgeable member of management? Review information security policy and procedures (b) Are the following information security management responsibilities formally assigned to an individual or team:
Examine PCI DSS charter 12.5 (a) Is responsibility for information security formally assigned to a Chief Security Officer or other security- knowledgeable member of management? Review information security policy and procedures
Modified
p. 79 → 81
Review information security policy and procedures 12.5.4 Administering user accounts, including additions, deletions, and modifications? Review information security policy and procedures
Review information security policy and procedures 12.5.4 Administering user accounts, including additions, deletions, and modifications?
Modified
p. 80 → 81
Review information security policy and procedures 12.5.5 Monitoring and controlling all access to data? Review information security policy and procedures 12.6 (a) Is a formal security awareness program in place to make all personnel aware of the cardholder data security policy and procedures? Review security awareness program (b) Do security awareness program procedures include the following:
Modified
p. 80 → 81
Review security awareness program Review security awareness program procedures Review security awareness program attendance records (b) Are personnel educated upon hire and at least annually?
Review security awareness program Review security awareness program procedures Review security awareness program attendance records (b) Are personnel educated upon hire and at least annually? Examine security awareness program procedures and documentation
Modified
p. 80 → 82
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested (c) Have employees completed awareness training and are they aware of the importance of cardholder data security?
Modified
p. 80 → 82
Interview personnel 12.6.2 Are personnel required to acknowledge at least annually that they have read and understood the security policy and procedures? Examine security awareness program procedures and documentation
Interview personnel 12.6.2 Are personnel required to acknowledge at least annually that they have read and understood the security policy and procedures?
Modified
p. 81 → 82
Examine security awareness program procedures and documentation 12.7 Are potential personnel (see definition of “personnel” above) screened prior to hire to minimize the risk of attacks from internal sources? Examples of background checks include previous employment history, criminal record, credit history and reference checks.
Modified
p. 81 → 83
Observe written agreements Review policies and procedures
Observe written agreements Review policies and procedures 12.8.3 Is there an established process for engaging service providers, including proper due diligence prior to engagement?
Removed
p. 82
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 12.8.3 Is there an established process for engaging service providers, including proper due diligence prior to engagement?
Modified
p. 82 → 83
Observe processes Review policies and procedures and supporting documentation 12.8.5 Is information maintained about which PCI DSS requirements are managed by each service provider, and which are managed by the entity?
Observe processes Review policies and procedures and supporting documentation 12.8.5 Is information maintained about which PCI DSS requirements are managed by each service provider, and which are managed by the entity? Observe processes Review policies and procedures and supporting documentation
Modified
p. 82 → 84
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 12.9 For service providers only: Do service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment? Note: The exact wording of an acknowledgement …
Modified
p. 82 → 84
Review service provider’s policies and procedures Observe templates used for written agreeements 12.10 Has an incident response plan been implemented in preparation to respond immediately to a system breach, as follows:
Review service provider’s policies and procedures Observe templates used for written agreements 12.10 Has an incident response plan been implemented in preparation to respond immediately to a system breach, as follows:
Removed
p. 83
Review incident response plan procedures Specific incident response procedures? Review incident response plan procedures Business recovery and continuity procedures? Review incident response plan procedures Data backup processes? Review incident response plan procedures Analysis of legal requirements for reporting compromises?
Modified
p. 83 → 84
Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum?
Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum? Review incident response plan procedures Specific incident response procedures? Review incident response plan procedures Business recovery and continuity procedures? Review incident response plan procedures
Modified
p. 83 → 85
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested (b) Does the plan address the following, at a minimum:
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested Data backup processes? Review incident response plan procedures Analysis of legal requirements for reporting compromises?
Modified
p. 83 → 85
Review incident response plan procedures Interview responsible personnel 12.10.3 Are specific personnel designated to be available on a 24/7 basis to respond to alerts?
Modified
p. 84 → 85
Observe processes Review policies Interview responsible personnel 12.10.4 Is appropriate training provided to staff with security breach response responsibilities?
Modified
p. 85 → 87
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested A.1 Is each entity’s (that is, a merchant, service provider, or other entity) hosted environment and data protected, per A.1.1 through A.1.4 as follows:
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested A1 Is each entity’s (that is, a merchant, service provider, or other entity) hosted environment and data protected, per A1.1 through A1.4 as follows:
Modified
p. 85 → 87
A1.1 Does each entity run processes that have access to only that entity’s cardholder data environment, and are these application processes run using the unique ID of the entity? No entity on the system can use a shared web server user ID.
Modified
p. 85 → 87
All CGI scripts used by an entity must be created and run as the entity’s unique user ID Examine system configurations and related unique IDs for hosted entities A.1.2 Are each entity’s access and privileges restricted to its own cardholder data environment as follows:
All CGI scripts used by an entity must be created and run as the entity’s unique user ID Examine system configurations and related unique IDs for hosted entities A1.2 Are each entity’s access and privileges restricted to its own cardholder data environment as follows:
Modified
p. 86 → 88
Disk space Bandwidth Memory CPU A.1.3 (a) Are logging and audit trails enabled and unique to each entity’s cardholder data environment and consistent with PCI DSS Requirement 10? Examine log settings (b) Is logging enabled as follows, for each merchant and service provider environment as follows:
Disk space Bandwidth Memory CPU A1.3 (a) Are logging and audit trails enabled and unique to each entity’s cardholder data environment and consistent with PCI DSS Requirement 10? Examine log settings (b) Is logging enabled as follows, for each merchant and service provider environment as follows:
Modified
p. 86 → 88
Examine log settings A.1.4 Are written policies and processes enabled to provide for timely forensic investigation in the event of a compromise to any hosted merchant or service provider? Review written policies and procedures
Examine log settings A1.4 Are written policies and processes enabled to provide for timely forensic investigation in the event of a compromise to any hosted merchant or service provider? Review written policies and procedures
Modified
p. 90 → 94
Based on the results documented in the SAQ D noted above, the signatories identified in Parts 3b-3d, as applicable, assert(s) the following compliance status for the entity identified in Part 2 of this document: (check one):
Removed
p. 91
Signature of ISA Date:
Modified
p. 91 → 95
Part 3c. QSA Acknowledgement (if applicable) If a QSA was involved or assisted with this assessment, describe the role performed:
Part 3c. Qualified Security Assessor (QSA) Acknowledgement (if applicable) If a QSA was involved or assisted with this assessment, describe the role performed:
Modified
p. 91 → 95
Part 3d. ISA Acknowledgement (if applicable) If a ISA was involved or assisted with this assessment, describe the role performed:
Part 3d. Internal Security Assessor (ISA) Involvement (if applicable) If an ISA(s) was involved or assisted with this assessment, identify the ISA personnel and describe the role performed:
Modified
p. 92 → 96
PCI DSS Requirement Description of Requirement Compliant to PCI DSS Requirements (Select One) Remediation Date and Actions (If “NO” selected for any Requirement) YES NO Install and maintain a firewall configuration to protect cardholder data Do not use vendor-supplied defaults for system passwords and other security parameters 3 Protect stored cardholder data 4 Encrypt transmission of cardholder data across open, public networks Protect all systems against malware and regularly update anti- virus software or programs 6 Develop and maintain secure …
PCI DSS Requirement Description of Requirement Compliant to PCI DSS Requirements (Select One) Remediation Date and Actions (If “NO” selected for any Requirement) YES NO 1 Install and maintain a firewall configuration to protect cardholder data Do not use vendor-supplied defaults for system passwords and other security parameters 3 Protect stored cardholder data 4 Encrypt transmission of cardholder data across open, public networks Protect all systems against malware and regularly update anti-virus software or programs 6 Develop and maintain secure …