Document Comparison
PCI_DSS_v3-1_SAQ_C-VT_rev1-1.pdf → PCI-DSS-v3_2-SAQ-C_VT.pdf
84% similar
Pages: 35 → 36
Words: 8540 → 8532
Content changes: 44
Content Changes
44 content changes. 28 administrative changes (dates, page numbers) hidden.
Added
p. 13
Review configuration standards Interview personnel Examine configuration settings Compare enabled services, etc. to documented justifications 2.2.3 Are additional security features documented and implemented for any required services, protocols or daemons that are considered to be insecure? Note: Where SSL/early TLS is used, the requirements in Appendix A2 must be completed.
Note: Where SSL/early TLS is used, the requirements in Appendix A2 must be completed.
Examine system components Observe an administrator log on (d) For the technology in use, is strong cryptography implemented according to industry best practice and/or vendor recommendations? Examine system components Review vendor documentation Interview personnel
Added
p. 17
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 4.1 (a) Are strong cryptography and security protocols used to safeguard sensitive cardholder data during transmission over open, public networks? Note: Where SSL/early TLS is used, the requirements in Appendix A2 must be completed.
Added
p. 23
Requirement 8: Identify and authenticate access to system components
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A 8.1.1 Are all users assigned a unique ID before allowing them to access system components or cardholder data?
Review password procedures Interview personnel 8.1.3 Is access for any terminated users immediately deactivated or removed?
Review password procedures Examine terminated users accounts Review current access lists Observe returned physical authentication devices In addition to assigning a unique ID, is one or more of the following methods employed to authenticate all users?
Something you know, such as a password or passphrase Something you have, such as a token device or smart card Something you are, such as a biometric Review password procedures Observe authentication processes (a) Are user password parameters configured to require passwords/passphrases meet the following? A …
Added
p. 28
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 12.5 (b) Are the following information security management responsibilities formally assigned to an individual or team:
Added
p. 30
Appendix A2: Additional PCI DSS Requirements for Entities using SSL/early TLS
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A A2.1 For POS POI terminals (and the SSL/TLS termination points to which they connect) using SSL and/or early TLS:
Are the devices confirmed to not be susceptible to any known exploits for SSL/early TLS? Is there a formal Risk Mitigation and Migration Plan in place per Requirement A2.2? Review documentation (for example, vendor documentation, system/network configuration details, etc.) that verifies POS POI devices are not susceptible to any known exploits for SSL/early TLS A2.2 Is there a formal Risk Mitigation and Migration Plan in place for all implementations that use SSL and/or early TLS (other than as allowed in A2.1), that includes:
Description of usage, including; what data is being transmitted, types and number of systems that use and/or support SSL/early TLS, type …
Added
p. 34
Section 3: Validation and Attestation Details Part 3. PCI DSS Validation This AOC is based on results noted in SAQ C-VT (Section 2), dated (SAQ completion date).
Modified
p. 4
Your company’s only payment processing is via a virtual payment terminal accessed by an Internet-connected web browser; Your company’s virtual payment terminal solution is provided and hosted by a PCI DSS validated third-party service provider; Your company accesses the PCI DSS-compliant virtual payment terminal solution via a computer that is isolated in a single location, and is not connected to other locations or systems within your environment (this can be achieved via a firewall or network …
Your company’s only payment processing is via a virtual payment terminal accessed by an Internet-connected web browser; Your company’s virtual payment terminal solution is provided and hosted by a PCI DSS validated third-party service provider; Your company accesses the PCI DSS-compliant virtual payment terminal solution via a computer that is isolated in a single location, and is not connected to other locations or systems within your environment (this can be achieved via a firewall or network …
Modified
p. 5
Section 1 (Part 1 & 2 of the AOC)
• Assessment Information and Executive Summary.
Section 1 (Parts 1 & 2 of the AOC)
• Assessment Information and Executive Summary.
Modified
p. 5
5. Submit the SAQ and Attestation of Compliance, along with any other requested documentation, such as ASV scan reports, to your acquirer, payment brand or other requester.
5. Submit the SAQ and Attestation of Compliance (AOC), along with any other requested documentation, such as ASV scan reports, to your acquirer, payment brand or other requester.
Removed
p. 7
ISA Name(s) (if applicable): Title:
Modified
p. 11
Examine firewall and router configurations 1.3.6 Is stateful inspection, also known as dynamic packet filtering, implemented, that is, only established connections are allowed into the network?
Examine firewall and router configurations 1.3.5 Are only established connections permitted into the network?
Modified
p. 11
Examine firewall and router configurations 1.4 (a) Is personal firewall software installed and active on any mobile and/or employee-owned devices that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the network?
Examine firewall and router configurations 1.4 (a) Is personal firewall software (or equivalent functionality) installed and active on any portable computing devices (including company and/or employee-owned) that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the CDE?
Modified
p. 11
Review policies and configuration standards Examine mobile and/or employee-owned devices (b) Is the personal firewall software configured to specific configuration settings, actively running, and not alterable by users of mobile and/or employee-owned devices? Review policies and configuration standards Examine mobile and/or employee-owned devices
Review policies and configuration standards Examine mobile and/or employee-owned devices (b) Is the personal firewall software (or equivalent functionality) configured to specific configuration settings, actively running, and not alterable by users of mobile and/or employee-owned devices? Review policies and configuration standards Examine mobile and/or employee-owned devices
Modified
p. 12
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 2.1 (a) Are vendor-supplied defaults always changed before installing a system on the network? This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, Simple Network Management Protocol (SNMP) community strings, etc.).
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 2.1 (a) Are vendor-supplied defaults always changed before installing a system on the network? This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, payment applications, Simple Network Management Protocol (SNMP) community strings, etc.).
Modified
p. 13
Review configuration standards Examine system configurations (b) Are all enabled insecure services, daemons, or protocols justified per documented configuration standards? Review configuration standards Interview personnel Examine configuration settings Compare enabled services, etc. to documented justifications
Review configuration standards Examine system configurations (b) Are all enabled insecure services, daemons, or protocols justified per documented configuration standards?
Removed
p. 14
Review documentation that verifies POS POI devices are not susceptible to any known exploits for SSL/early TLS Review Risk Mitigation and Migration Plan 2.2.4 (a) Are system administrators and/or personnel that configure system components knowledgeable about common security parameter settings for those system components?
Review system configuration standards (c) Are security parameter settings set appropriately on system components?
Modified
p. 14 → 13
Review configuration standards Examine configuration settings If SSL/early TLS is used:
Review configuration standards Examine configuration settings 2.2.4 (a) Are system administrators and/or personnel that configure system components knowledgeable about common security parameter settings for those system components?
Modified
p. 14 → 13
Interview personnel (b) Are common system security parameters settings included in the system configuration standards?
Interview personnel (b) Are common system security parameters settings included in the system configuration standards? Review system configuration standards
Modified
p. 14
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 2.2.3 Are additional security features documented and implemented for any required services, protocols or daemons that are considered to be insecure? For example, use secured technologies such as SSH, S-FTP, TLS, or IPSec VPN to protect insecure services such as NetBIOS, file-sharing, Telnet, FTP, etc.
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A (c) Are security parameter settings set appropriately on system components?
Modified
p. 14
Examine system components Examine security parameter settings Compare settings to system configuration standards 2.2.5 (a) Has all unnecessary functionality (such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers) been removed? Examine security parameters on system components
Examine system components Examine security parameter settings Compare settings to system configuration standards 2.2.5 (a) Has all unnecessary functionality (such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers) been removed?
Removed
p. 15
Use technologies such as SSH, VPN, or TLS for web-based management and other non-console administrative access.
Modified
p. 15 → 14
Examine security parameters on system components (b) Are enabled functions documented and do they support secure configuration?
Modified
p. 15 → 14
Examine system components Examine services and files (c) Is administrator access to web-based management interfaces encrypted with strong cryptography? Examine system components Observe an administrator log on
Examine system components Examine services and files (c) Is administrator access to web-based management interfaces encrypted with strong cryptography?
Removed
p. 16
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A (d) For the technology in use, is strong cryptography implemented according to industry best practice and/or vendor recommendations? Examine system components Review vendor documentation Interview personnel (e) For POS POI terminals (and the SSL/TLS termination points to which they connect) using SSL and/or early TLS and for which the entity asserts are not susceptible to any known exploits for those protocols:
Is there documentation (for example, vendor documentation, system/network configuration details, etc.) that verifies the devices are not susceptible to any known exploits for SSL/early TLS? Review documentation that verifies POS POI devices are not susceptible to any known exploits for SSL/early TLS (f) For all other environments using SSL and/or early TLS:
Does the documented Risk Mitigation and Migration Plan include the following? Description of usage, including; what data is being …
Modified
p. 17 → 15
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 3.2 (c) Is sensitive authentication data deleted or rendered unrecoverable upon completion of the authorization process? Review policies and procedures Examine system configurations Examine deletion processes (d) Do all systems adhere to the following requirements regarding non-storage of sensitive authentication data after authorization (even if encrypted):
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A 3.2 (c) Is sensitive authentication data deleted or rendered unrecoverable upon completion of the authorization process? Review policies and procedures Examine system configurations Examine deletion processes (d) Do all systems adhere to the following requirements regarding non-storage of sensitive authentication data after authorization (even if encrypted):
Modified
p. 17 → 16
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A 3.3 Is the PAN masked when displayed (the first six and last four digits are the maximum number of digits to be displayed) such that only personnel with a legitimate business need can see more than the first six/last four digits of the PAN? Note: This requirement does not supersede stricter requirements in place for displays of cardholder data, for example, legal or …
Modified
p. 18 → 17
Examples of open, public networks include but are not limited to the Internet; wireless technologies, including 802.11 and Bluetooth; cellular technologies, for example, Global System for Mobile communications (GSM), Code division multiple access (CDMA); and General Packet Radio Service (GPRS).
Modified
p. 18 → 17
Examine system configurations (d) Is the proper encryption strength implemented for the encryption methodology in use (check vendor recommendations/best practices)? Review vendor documentation Examine system configurations
Examine system configurations (d) Is the proper encryption strength implemented for the encryption methodology in use (check vendor recommendations/best practices)?
Removed
p. 19
Does the documented Risk Mitigation and Migration Plan include the following? Description of usage, including; what data is being transmitted, types and number of systems that use and/or support SSL/early TLS, type of environment; Risk assessment results and risk reduction controls in place; Description of processes to monitor for new vulnerabilities associated with SSL/early TLS; Description of change control processes that are implemented to ensure SSL/early TLS is not implemented into new environments; Overview of migration project plan including target migration completion date no later than 30th June 2016.
Review Risk Mitigation and Migration Plan
Examine system configurations (f) For POS POI terminals (and the SSL/TLS termination points to which they connect) using SSL and/or early TLS and for which the entity asserts are not susceptible to any known exploits for those protocols:
Is there documentation (for example, vendor documentation, system/network configuration details, etc.) that verifies …
Modified
p. 19 → 17
Review vendor documentation Examine system configurations (e) For TLS implementations, is TLS enabled whenever cardholder data is transmitted or received? For example, for browser-based implementations:
Modified
p. 20 → 18
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 4.1.1 Are industry best practices (for example, IEEE 802.11i) used to implement strong encryption for authentication and transmission for wireless networks transmitting cardholder data or connected to the cardholder data environment? Note: The use of WEP as a security control is prohibited.
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 4.1.1 Are industry best practices used to implement strong encryption for authentication and transmission for wireless networks transmitting cardholder data or connected to the cardholder data environment?
Modified
p. 21 → 19
Examine policies and procedures Examine anti-virus configurations, including the master installation Examine system components (b) Are automatic updates and periodic scans enabled and being performed?
Modified
p. 24 → 22
Examine written access control policy Interview personnel Interview management Review privileged user IDs 7.1.3 Are access assigned based on individual personnel’s job classification and function? Examine written access control policy Interview management Review user IDs
Examine written access control policy Interview personnel Interview management Review privileged user IDs 7.1.3 Is access assigned based on individual personnel’s job classification and function? Examine written access control policy Interview management Review user IDs
Modified
p. 25
Observe physical access controls Observe personnel 9.5 Are all media physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes)? For purposes of Requirement 9, “media” refers to all paper and electronic media containing cardholder data.
Modified
p. 27
Review usage policies Interview responsible personnel 12.3.3 A list of all such devices and personnel with access? Review usage policies Interview responsible personnel 12.3.5 Acceptable uses of the technologies? Review usage policies Interview responsible personnel 12.4 Do security policy and procedures clearly define information security responsibilities for all personnel? Review information security policy and procedures Interview a sample of responsible personnel 12.5 (b) Are the following information security management responsibilities formally assigned …
Review usage policies Interview responsible personnel 12.3.3 A list of all such devices and personnel with access? Review usage policies Interview responsible personnel 12.3.5 Acceptable uses of the technologies? Review usage policies Interview responsible personnel 12.4 Do security policy and procedures clearly define information security responsibilities for all personnel? Review information security policy and procedures Interview a sample of responsible personnel
Modified
p. 28
Review information security policy and procedures 12.6 (a) Is a formal security awareness program in place to make all personnel aware of the importance of cardholder data security? Review security awareness program 12.8 Are policies and procedures maintained and implemented to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows:
Review information security policy and procedures 12.6 (a) Is a formal security awareness program in place to make all personnel aware of the cardholder data security policy and procedures? Review security awareness program 12.8 Are policies and procedures maintained and implemented to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows:
Modified
p. 28
Observe written agreements Review policies and procedures 12.8.3 Is there an established process for engaging service providers, including proper due diligence prior to engagement?
Observe written agreements Review policies and procedures 12.8.3 Is there an established process for engaging service providers, including proper due diligence prior to engagement? Observe processes Review policies and procedures and supporting documentation
Modified
p. 28 → 29
Observe processes Review policies and procedures and supporting documentation 12.8.4 Is a program maintained to monitor service providers’ PCI DSS compliance status at least annually? Observe processes Review policies and procedures and supporting documentation
Observe processes Review policies and procedures and supporting documentation 12.8.5 Is information maintained about which PCI DSS requirements are managed by each service provider, and which are managed by the entity?
Modified
p. 29
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 12.8.5 Is information maintained about which PCI DSS requirements are managed by each service provider, and which are managed by the entity?
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 12.8.4 Is a program maintained to monitor service providers’ PCI DSS compliance status at least annually?
Modified
p. 33 → 34
Based on the results documented in the SAQ C-VT noted above, the signatories identified in Parts 3b-3d, as applicable, assert(s) the following compliance status for the entity identified in Part 2 of this document: (check one):
Removed
p. 34
Signature of ISA Date:
Modified
p. 34 → 35
Part 3c. QSA Acknowledgement (if applicable) If a QSA was involved or assisted with this assessment, describe the role performed:
Part 3c. Qualified Security Assessor (QSA) Acknowledgement (if applicable) If a QSA was involved or assisted with this assessment, describe the role performed:
Modified
p. 34 → 35
Part 3d. ISA Acknowledgement (if applicable) If a ISA was involved or assisted with this assessment, describe the role performed:
Part 3d. Internal Security Assessor (ISA) Involvement (if applicable) If an ISA(s) was involved or assisted with this assessment, identify the ISA personnel and describe the role performed:
Modified
p. 35 → 36
PCI DSS Requirement* Description of Requirement Compliant to PCI DSS Requirements (Select One) Remediation Date and Actions (If “NO” selected for any Requirement) YES NO Install and maintain a firewall configuration to protect cardholder data Do not use vendor-supplied defaults for system passwords and other security parameters 3 Protect stored cardholder data 4 Encrypt transmission of cardholder data across open, public networks Protect all systems against malware and regularly update anti-virus software or programs 6 Develop and maintain secure …
PCI DSS Requirement* Description of Requirement Compliant to PCI DSS Requirements (Select One) Remediation Date and Actions (If “NO” selected for any Requirement) YES NO Install and maintain a firewall configuration to protect cardholder data Do not use vendor-supplied defaults for system passwords and other security parameters 3 Protect stored cardholder data 4 Encrypt transmission of cardholder data across open, public networks Protect all systems against malware and regularly update anti-virus software or programs 6 Develop and maintain secure …