Document Comparison
PCI_DSS_v3-1_SAQ_D_Merchant_rev1-1.pdf → PCI-DSS-v3_2-SAQ-D_Merchant.pdf
88% similar
Pages: 87 → 85
Words: 21423 → 21174
Content changes: 109
Content Changes
109 content changes. 27 administrative changes (dates, page numbers) hidden.
Added
p. 13
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 1.3.4 Is outbound traffic from the cardholder data environment to the Internet explicitly authorized?
Added
p. 19
Examine system components Review vendor documentation Interview personnel 2.4 (a) Is an inventory maintained for systems components that are in scope for PCI DSS, including a list of hardware and software components and a description of function/use for each?
Added
p. 23
Note: This requirement applies in addition to all other PCI DSS encryption and key management requirements.
Added
p. 27
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 3.6.6 If manual clear-text key-management operations are used, do cryptographic key procedures include split knowledge and dual control of cryptographic keys as follows:
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 4.1 (a) Are strong cryptography and security protocols used to safeguard sensitive cardholder data during transmission over open, public networks? Note: Where SSL/early TLS is used, the requirements in Appendix A2 must be completed.
Added
p. 36
Trace changes to change control documentation Examine change control documentation 6.4.5.4 Back-out procedures? Trace changes to change control documentation Examine change control documentation 6.4.6 Upon completion of a significant change, are all relevant PCI DSS requirements implemented on all new or changed systems and networks, and documentation updated as applicable? Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement.
Trace changes to change control documentation Examine change control documentation Interview personnel Observe affected systems or networks
Examine software-development policies and procedures Interview responsible personnel 6.5.2 Do coding techniques address buffer overflow vulnerabilities?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 6.5.9 Do coding techniques address cross-site request forgery (CSRF)?
Added
p. 43
Review vendor documentation Examine configuration settings 7.2.2 Is the access control system(s) configured to enforce privileges assigned to individuals based on job classification and function?
Added
p. 47
Note: Multi-factor authentication requires that a minimum of two of the three authentication methods (see PCI DSS Requirement 8.2 for descriptions of authentication methods) be used for authentication. Using one factor twice (for example, using two separate passwords) is not considered multi-factor authentication.
Added
p. 47
Examine system configurations Observe administrator logging into CDE 8.3.2 Is multi-factor authentication incorporated for all remote network access (both user and administrator, and including third party access for support or maintenance) originating from outside the entity’s network?
Review database authentication policies and procedures Examine database and application configuration settings (b) Is user direct access to or queries of databases restricted to database administrators?
Added
p. 68
Examine results from the most recent penetration test (c) Are tests performed by a qualified internal resource or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)? Interview responsible personnel
Added
p. 77
Review incident response plan procedures 12.10.2 Is the plan reviewed and tested at least annually, including all elements listed in Requirement 12.10.1?
Appendix A2: Additional PCI DSS Requirements for Entities using SSL/early TLS
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested A2.1 For POS POI terminals (and the SSL/TLS termination points to which they connect) using SSL and/or early TLS:
Are the devices confirmed to not be susceptible to any known exploits for SSL/early TLS? Is there a formal Risk Mitigation and Migration Plan in place per Requirement A2.2? Review documentation (for example, vendor documentation, system/network configuration details, etc.) that verifies POS POI devices are not susceptible to any known exploits for SSL/early TLS A2.2 Is there a formal Risk Mitigation and Migration Plan in place for all implementations that use SSL and/or early TLS (other than as …
Added
p. 83
Section 3: Validation and Attestation Details Part 3. PCI DSS Validation This AOC is based on results noted in SAQ D (Section 2), dated (SAQ completion date).
Modified
p. 1
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Merchants All other SAQ-Eligible Merchants For use with PCI DSS Version 3.1 Revision 1.1
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Merchants All other SAQ-Eligible Merchants For use with PCI DSS Version 3.2
Modified
p. 4
Section 1 (Part 1 & 2 of the AOC)
• Assessment Information and Executive Summary.
Section 1 (Parts 1 & 2 of the AOC)
• Assessment Information and Executive Summary.
Modified
p. 4
5. Submit the SAQ and Attestation of Compliance, along with any other requested documentation - such as ASV scan reports - to your acquirer, payment brand or other requester.
5. Submit the SAQ and Attestation of Compliance (AOC), along with any other requested documentation - such as ASV scan reports - to your acquirer, payment brand or other requester.
Removed
p. 7
ISA Name(s) (if applicable): Title:
Modified
p. 11
Review firewall and router configuration standards Interview personnel 1.1.6 (a) Do firewall and router configuration standards include a documented list of services, protocols, and ports, including business justification (for example, hypertext transfer protocol (HTTP), Secure Sockets Layer (SSL), Secure Shell (SSH), and Virtual Private Network (VPN) protocols)?
Review firewall and router configuration standards Interview personnel 1.1.6 (a) Do firewall and router configuration standards include a documented list of services, protocols, and ports, including business justification and approval for each?
Modified
p. 11
Review firewall and router configuration standards (b) Are all insecure services, protocols, and ports identified, and are security features documented and implemented for each identified service? Note: Examples of insecure services, protocols, or ports include but are not limited to FTP, Telnet, POP3, IMAP, and SNMP.
Review firewall and router configuration standards (b) Are all insecure services, protocols, and ports identified, and are security features documented and implemented for each identified service?
Modified
p. 11
Review firewall and router configuration standards (b) Are firewall and router rule sets reviewed at least every six months? Examine documentation from firewall reviews
Review firewall and router configuration standards (b) Are firewall and router rule sets reviewed at least every six months? Examine documentation from firewall reviews 1.2 Do firewall and router configurations restrict connections between untrusted networks and any system in the cardholder data environment as follows:
Removed
p. 12
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 1.2 Do firewall and router configurations restrict connections between untrusted networks and any system in the cardholder data environment as follows:
Modified
p. 12
Review firewall and router configuration standards Examine router configuration files and router configurations 1.2.3 Are perimeter firewalls installed between all wireless networks and the cardholder data environment, and are these firewalls configured to deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment? Review firewall and router configuration standards Examine firewall and router configurations
Review firewall and router configuration standards Examine router configuration files and router configurations 1.2.3 Are perimeter firewalls installed between all wireless networks and the cardholder data environment, and are these firewalls configured to deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment? Review firewall and router configuration standards Examine firewall and router configurations 1.3 Is direct public access prohibited between the Internet and …
Removed
p. 13
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 1.3 Is direct public access prohibited between the Internet and any system component in the cardholder data environment, as follows:
(For example, block traffic originating from the internet with an internal address.) Examine firewall and router configurations 1.3.5 Is outbound traffic from the cardholder data environment to the Internet explicitly authorized?
Examine firewall and router configurations 1.3.6 Is stateful inspection, also known as dynamic packet filtering, implemented - that is, only established connections are allowed into the network?
Modified
p. 13 → 12
Examine firewall and router configurations 1.3.4 Are anti-spoofing measures implemented to detect and block forged sourced IP addresses from entering the network?
Examine firewall and router configurations 1.3.3 Are anti-spoofing measures implemented to detect and block forged sourced IP addresses from entering the network? (For example, block traffic originating from the internet with an internal address.) Examine firewall and router configurations
Modified
p. 13
Examine firewall and router configurations 1.3.3 Are direct connections prohibited for inbound or outbound traffic between the Internet and the cardholder data environment?
Examine firewall and router configurations 1.3.5 Are only established connections permitted into the network?
Modified
p. 13
Examine firewall and router configurations 1.3.7 Are system components that store cardholder data (such as a database) placed in an internal network zone, segregated from the DMZ and other untrusted networks? Examine firewall and router configurations
Examine firewall and router configurations 1.3.6 Are system components that store cardholder data (such as a database) placed in an internal network zone, segregated from the DMZ and other untrusted networks?
Modified
p. 14 → 13
Examine firewall and router configurations 1.3.7 (a) Are methods in place to prevent the disclosure of private IP addresses and routing information to the Internet? Note: Methods to obscure IP addressing may include, but are not limited to:
Modified
p. 14 → 13
Examine firewall and router configurations Interview personnel 1.4 (a) Is personal firewall software installed and active on any mobile and/or employee-owned devices that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the network?
Examine firewall and router configurations Interview personnel 1.4 (a) Is personal firewall software (or equivalent functionality) installed and active on any portable computing devices (including company and/or employee-owned) that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the CDE? Review policies and configuration standards Examine mobile and/or employee-owned devices
Modified
p. 14
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested (b) Is the personal firewall software (or equivalent functionality) configured to specific configuration settings, actively running, and not alterable by users of mobile and/or employee-owned devices? Review policies and configuration standards Examine mobile and/or employee-owned devices 1.5 Are security policies and operational procedures for managing firewalls:
Modified
p. 15
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 2.1 (a) Are vendor-supplied defaults always changed before installing a system on the network? This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, Simple Network Management Protocol (SNMP) community strings, etc.).
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 2.1 (a) Are vendor-supplied defaults always changed before installing a system on the network? This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, payment applications, Simple Network Management Protocol (SNMP) community strings, etc.).
Removed
p. 18
Review documentation that verifies POS POI devices are not susceptible to any known exploits for SSL/early TLS Review Risk Mitigation and Migration Plan
Modified
p. 18
Review configuration standards Interview personnel Examine configuration settings Compare enabled services, etc. to documented justifications 2.2.3 Are additional security features documented and implemented for any required services, protocols or daemons that are considered to be insecure? For example, use secured technologies such as SSH, S-FTP, TLS, or IPSec VPN to protect insecure services such as NetBIOS, file-sharing, Telnet, FTP, etc.
Review configuration standards Interview personnel Examine configuration settings Compare enabled services, etc. to documented justifications 2.2.3 Are additional security features documented and implemented for any required services, protocols or daemons that are considered to be insecure? Note: Where SSL/early TLS is used, the requirements in Appendix A2 must be completed.
Modified
p. 18
Review configuration standards Examine configuration settings If SSL/early TLS is used:
Review configuration standards Examine configuration settings 2.2.4 (a) Are system administrators and/or personnel that configure system components knowledgeable about common security parameter settings for those system components?
Removed
p. 19
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 2.2.4 (a) Are system administrators and/or personnel that configure system components knowledgeable about common security parameter settings for those system components?
Review documentation Examine security parameters on system components (c) Is only documented functionality present on system components? Review documentation Examine security parameters on system components
Modified
p. 19 → 18
Examine security parameters on system components (b) Are enabled functions documented and do they support secure configuration?
Examine security parameters on system components (b) Are enabled functions documented and do they support secure configuration? Review documentation Examine security parameters on system components
Removed
p. 20
Use technologies such as SSH, VPN, or TLS for web- based management and other non-console administrative access.
Modified
p. 20 → 19
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 2.3 Is non-console administrative access encrypted as follows:
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested (c) Is only documented functionality present on system components? Review documentation Examine security parameters on system components 2.3 Is non-console administrative access encrypted as follows:
Modified
p. 20 → 19
(a) Is all non-console administrative access encrypted with strong cryptography, and is a strong encryption method invoked before the administrator’s password is requested?
Note: Where SSL/early TLS is used, the requirements in Appendix A2 must be completed (a) Is all non-console administrative access encrypted with strong cryptography, and is a strong encryption method invoked before the administrator’s password is requested?
Modified
p. 20 → 19
Examine system components Observe an administrator log on (d) For the technology in use, is strong cryptography implemented according to industry best practice and/or vendor recommendations? Examine system components Review vendor documentation Interview personnel
Examine system components Observe an administrator log on (d) For the technology in use, is strong cryptography implemented according to industry best practice and/or vendor recommendations?
Removed
p. 21
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested (e) For POS POI terminals (and the SSL/TLS termination points to which they connect) using SSL and/or early TLS and for which the entity asserts are not susceptible to any known exploits for those protocols: Is there documentation (for example, vendor documentation, system/network configuration details, etc.) that verifies the devices are not susceptible to any known exploits for SSL/early TLS? Review documentation that verifies POS POI devices are not susceptible to any known exploits for SSL/early TLS (f) For all other environments using SSL and/or early TLS:
Does the documented Risk Mitigation and Migration Plan include the following? Description of usage, including; what data is being transmitted, types and number of systems that use and/or support SSL/early TLS, type of environment; Risk assessment results and risk reduction controls in …
Removed
p. 22
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 2.4 (a) Is an inventory maintained for systems components that are in scope for PCI DSS, including a list of hardware and software components and a description of function/use for each? Examine system inventory (b) Is the documented inventory kept current? Interview personnel 2.5 Are security policies and operational procedures for managing vendor defaults and other security parameters:
Modified
p. 22 → 19
Documented Known to all affected parties? Review security policies and operational procedures Interview personnel 2.6 This requirement applies only to service providers.
Examine system inventory (b) Is the documented inventory kept current? Interview personnel 2.5 Are security policies and operational procedures for managing vendor defaults and other security parameters: Documented In use Known to all affected parties? Review security policies and operational procedures Interview personnel 2.6 This requirement applies only to service providers.
Modified
p. 25 → 22
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 3.2.2 The card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) is not stored after authorization? Examine data sources including:
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 3.2.2 The card verification code or value (three-digit or four- digit number printed on the front or back of a payment card) is not stored after authorization? Examine data sources including:
Modified
p. 25 → 22
Incoming transaction data All logs History files Trace files Database schema Database contents 3.3 Is the PAN masked when displayed (the first six and last four digits are the maximum number of digits to be displayed) such that only personnel with a legitimate business need can see the full PAN? Note: This requirement does not supersede stricter requirements in place for displays of cardholder data - for example, legal or payment card brand requirements for point-of-sale …
Incoming transaction data All logs History files Trace files Database schema Database contents 3.3 Is the PAN masked when displayed (the first six and last four digits are the maximum number of digits to be displayed) such that only personnel with a legitimate business need can see more than the first six/last four digits of the PAN? Note: This requirement does not supersede stricter requirements in place for displays of cardholder data - for example, …
Modified
p. 26 → 23
Examine vendor documentation Examine data repositories Examine removable media Examine audit logs 3.4.1 If disk encryption (rather than file- or column-level database encryption) is used, is access managed as follows:
Examine vendor documentation Examine data repositories Examine removable media Examine audit logs, including payment application logs 3.4.1 If disk encryption (rather than file- or column-level database encryption) is used, is access managed as follows:
Modified
p. 26 → 23
(a) Is logical access to encrypted file systems managed separately and independently of native operating system authentication and access control mechanisms (for example, by not using local user account databases or general network login credentials)?
(a) Is logical access to encrypted file systems managed separately and independently of native operating system authentication and access control mechanisms (for example, by not using local user account databases or general network login credentials)? Examine system configurations Observe the authentication process
Modified
p. 26 → 24
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested (b) Are cryptographic keys stored securely (for example, stored on removable media that is adequately protected with strong access controls)?
Modified
p. 27 → 24
Observe processes Interview personnel (c) Is cardholder data on removable media encrypted wherever stored? Note: If disk encryption is not used to encrypt removable media, the data stored on this media will need to be rendered unreadable through some other method.
Modified
p. 27 → 24
Note: This requirement applies to keys used to encrypt stored cardholder data, and also applies to key-encrypting keys used to protect data-encrypting keys. Such key- encrypting keys must be at least as strong as the data- encrypting key.
Note: This requirement applies to keys used to encrypt stored cardholder data, and also applies to key- encrypting keys used to protect data-encrypting keys. Such key-encrypting keys must be at least as strong as the data-encrypting key.
Modified
p. 27 → 25
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 3.5.3 Are secret and private cryptographic keys used to encrypt/decrypt cardholder data stored in one (or more) of the following forms at all times? Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the data-encrypting key Within a secure cryptographic device (such as a hardware (host) security …
Modified
p. 27 → 25
Review documented procedures Examine system configurations and key storage locations, including for key-encrypting keys 3.5.3 Are cryptographic keys stored in the fewest possible locations? Examine key-storage locations Observe processes
Review documented procedures Examine system configurations and key storage locations, including for key-encrypting keys 3.5.4 Are cryptographic keys stored in the fewest possible locations?
Modified
p. 28 → 25
Examine key-storage locations Observe processes 3.6 (a) Are all key-management processes and procedures fully documented and implemented for cryptographic keys used for encryption of cardholder data? Review key-management procedures (b) This testing procedure applies only to service providers.
Modified
p. 28 → 25
Review key-management procedures Observe key-generation method 3.6.2 Do cryptographic key procedures include secure cryptographic key distribution?
Review key-management procedures Observe key-generation method 3.6.2 Do cryptographic key procedures include secure cryptographic key distribution? Review key management procedures Observe the key-distribution procedures
Modified
p. 28 → 26
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 3.6.3 Do cryptographic key procedures include secure cryptographic key storage?
Modified
p. 28 → 26
Review key-management procedures Observe the method for secure storage of keys 3.6.4 Do cryptographic key procedures include cryptographic key changes for keys that have reached the end of their defined cryptoperiod (for example, after a defined period of time has passed and/or after a certain amount of cipher-text has been produced by a given key), as defined by the associated application vendor or key owner, and based on industry best practices and guidelines (for example, NIST Special Publication …
Review key-management procedures Observe the method for secure storage of keys 3.6.4 Do cryptographic key procedures include cryptographic key changes for keys that have reached the end of their defined cryptoperiod (for example, after a defined period of time has passed and/or after a certain amount of cipher-text has been produced by a given key), as defined by the associated application vendor or key owner, and based on industry best practices and guidelines (for example, NIST Special Publication …
Modified
p. 29 → 26
Review key-management procedures Interview personnel 3.6.5 (a) Do cryptographic key procedures include retirement or replacement (for example, archiving, destruction, and/or revocation) of cryptographic keys when the integrity of the key has been weakened (for example, departure of an employee with knowledge of a clear-text key)?
Modified
p. 29 → 26
Review key-management procedures Interview personnel (c) If retired or replaced cryptographic keys are retained, are these keys only used for decryption/verification purposes, and not used for encryption operations? Review key-management procedures Interview personnel 3.6.6 If manual clear-text key-management operations are used, do cryptographic key procedures include split knowledge and dual control of cryptographic keys as follows:
Review key-management procedures Interview personnel (c) If retired or replaced cryptographic keys are retained, are these keys only used for decryption/verification purposes, and not used for encryption operations? Review key-management procedures Interview personnel
Modified
p. 29 → 27
Review key-management procedures Interview personnel and/or Observe processes
Review key-management procedures Interview personnel and/or Observe processes 3.6.7 Do cryptographic key procedures include the prevention of unauthorized substitution of cryptographic keys?
Removed
p. 30
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 3.6.7 Do cryptographic key procedures include the prevention of unauthorized substitution of cryptographic keys?
Modified
p. 31 → 28
Examples of open, public networks include but are not limited to the Internet; wireless technologies, including 802.11 and Bluetooth; cellular technologies, for example, Global System for Mobile communications (GSM), Code division multiple access (CDMA); and General Packet Radio Service (GPRS).
Modified
p. 31 → 28
Examine system configurations (d) Is the proper encryption strength implemented for the encryption methodology in use (check vendor recommendations/best practices)? Review vendor documentation Examine system configurations
Examine system configurations (d) Is the proper encryption strength implemented for the encryption methodology in use (check vendor recommendations/best practices)?
Removed
p. 32
Does the documented Risk Mitigation and Migration Plan include the following? Description of usage, including; what data is being transmitted, types and number of systems that use and/or support SSL/early TLS, type of environment; Risk assessment results and risk reduction controls in place; Description of processes to monitor for new vulnerabilities associated with SSL/early TLS; Description of change control processes that are implemented to ensure SSL/early TLS is not implemented into new environments; Overview of migration project plan including target migration completion date no later than 30th June 2016.
Review Risk Mitigation and Migration Plan
Examine system configurations (f) For POS POI terminals (and the SSL/TLS termination points to which they connect) using SSL and/or early TLS and for which the entity asserts are not susceptible to any known exploits for those protocols: Is there documentation (for example, vendor documentation, system/network configuration details, etc.) that …
Modified
p. 32 → 28
Review vendor documentation Examine system configurations (e) For TLS implementations, is TLS enabled whenever cardholder data is transmitted or received? For example, for browser-based implementations:
Modified
p. 33 → 29
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 4.1.1 Are industry best practices (for example, IEEE 802.11i) used to implement strong encryption for authentication and transmission for wireless networks transmitting cardholder data or connected to the cardholder data environment? Note: The use of WEP as a security control is prohibited.
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 4.1.1 Are industry best practices used to implement strong encryption for authentication and transmission for wireless networks transmitting cardholder data or connected to the cardholder data environment?
Modified
p. 34 → 30
Examine policies and procedures Examine anti-virus configurations, including the master installation Examine system components (b) Are automatic updates and periodic scans enabled and being performed?
Modified
p. 38 → 34
Are code review results are reviewed and approved by management prior to release? Note: This requirement for code reviews applies to all custom code (both internal and public-facing), as part of the system development life cycle. Code reviews can be conducted by knowledgeable internal personnel or third parties. Public- facing web applications are also subject to additional controls, to address ongoing threats and vulnerabilities after implementation, as defined at PCI DSS Requirement 6.6.
Are code review results are reviewed and approved by management prior to release? Note: This requirement for code reviews applies to all custom code (both internal and public-facing), as part of the system development life cycle. Code reviews can be conducted by knowledgeable internal personnel or third parties. Public-facing web applications are also subject to additional controls, to address ongoing threats and vulnerabilities after implementation, as defined at PCI DSS Requirement 6.6.
Modified
p. 39 → 35
Review change control processes and procedures Observe processes Interview personnel Examine test data 6.4.4 Are test data and accounts removed before production systems become active?
Review change control processes and procedures Observe processes Interview personnel Examine test data 6.4.4 Are test data and accounts removed from system components before the system becomes active / goes into production?
Modified
p. 39 → 35
Review change control processes and procedures Observe processes Interview personnel Examine production systems 6.4.5 (a) Are change-control procedures for implementing security patches and software modifications documented and require the following? Documentation of impact Documented change control approval by authorized parties Functionality testing to verify that the change does not adversely impact the security of the system Back-out procedures Review change control processes and procedures (b) Are the following performed and documented …
Review change control processes and procedures Observe processes Interview personnel Examine production systems 6.4.5 (a) Are change-control procedures documented and require the following? Documentation of impact Documented change control approval by authorized parties Functionality testing to verify that the change does not adversely impact the security of the system Back-out procedures Review change control processes and procedures (b) Are the following performed and documented for all 6.4.5.1 Documentation of impact? …
Modified
p. 40 → 36
Trace changes to change control documentation Examine change control documentation (b) For custom code changes, testing of updates for compliance with PCI DSS Requirement 6.5 before being deployed into production? Trace changes to change control documentation Examine change control documentation 6.4.5.4 Back-out procedures? Trace changes to change control documentation Examine change control documentation
Trace changes to change control documentation Examine change control documentation (b) For custom code changes, testing of updates for compliance with PCI DSS Requirement 6.5 before being deployed into production?
Modified
p. 41 → 37
Review software-development policies and procedures (b) Are developers trained in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory? Interview personnel Examine training records (c) Are applications developed based on secure coding guidelines to protect applications from, at a minimum, the following vulnerabilities:
Review software-development policies and procedures (b) Are developers trained at least annually in up-to-date secure coding techniques, including how to avoid common coding vulnerabilities? Examine software- development policies and procedures Examine training records (c) Are applications developed based on secure coding guidelines to protect applications from, at a minimum, the following vulnerabilities:
Modified
p. 41 → 37
Examine software-development policies and procedures Interview responsible personnel 6.5.2 Do coding techniques address buffer overflow vulnerabilities? Examine software-development policies and procedures Interview responsible personnel 6.5.3 Do coding techniques address insecure cryptographic storage? Examine software-development policies and procedures Interview responsible personnel 6.5.4 Do coding techniques address insecure communications? Examine software-development policies and procedures Interview responsible personnel
Examine software- development policies and procedures Interview responsible personnel 6.5.3 Do coding techniques address insecure cryptographic storage? Examine software- development policies and procedures Interview responsible personnel
Removed
p. 42
Examine software-development policies and procedures Interview responsible personnel 6.5.10 Do coding techniques address broken authentication and session management? Examine software-development policies and procedures Interview responsible personnel
Modified
p. 42 → 38
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 6.5.5 Do coding techniques address improper error handling? Examine software-development policies and procedures Interview responsible personnel 6.5.6 Do coding techniques address all “high risk” vulnerabilities identified in the vulnerability identification process (as defined in PCI DSS Requirement 6.1)? Examine software-development policies and procedures Interview responsible personnel For web applications and application interfaces (internal or external), are applications …
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 6.5.4 Do coding techniques address insecure communications? Examine software- development policies and procedures Interview responsible personnel 6.5.5 Do coding techniques address improper error handling? Examine software- development policies and procedures Interview responsible personnel 6.5.6 Do coding techniques address all “high risk” vulnerabilities identified in the vulnerability identification process (as defined in PCI DSS Requirement 6.1)? Examine …
Modified
p. 42 → 38
Examine software-development policies and procedures Interview responsible personnel 6.5.8 Do coding techniques address improper access control such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions?
Examine software- development policies and procedures Interview responsible personnel 6.5.8 Do coding techniques address improper access control such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions? Examine software- development policies and procedures Interview responsible personnel
Modified
p. 42 → 39
Examine software-development policies and procedures Interview responsible personnel 6.5.9 Do coding techniques address cross-site request forgery (CSRF)?
Examine software- development policies and procedures Interview responsible personnel 6.5.10 Do coding techniques address broken authentication and session management? Examine software- development policies and procedures Interview responsible personnel
Modified
p. 45 → 42
Interview personnel Interview management Review privileged user IDs 7.1.3 Are access assigned based on individual personnel’s job classification and function? Interview management Review user IDs
Interview personnel Interview management Review privileged user IDs 7.1.3 Is access assigned based on individual personnel’s job classification and function? Interview management Review user IDs
Modified
p. 46 → 43
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 7.1.4 Is documented approval by authorized parties required, specifying required privileges? Review user IDs Compare with documented approvals Compare assigned privileges with documented approvals 7.2 Is an access control system in place for system components to restrict access based on a user’s need to know, and is it set to “deny all” unless specifically allowed, as follows:
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 7.1.4 Is documented approval by authorized parties required, specifying required privileges? Review user IDs Compare with documented approvals Compare assigned privileges with documented approvals 7.2 Is an access control system(s) in place for system components to restrict access based on a user’s need to know, and is it set to “deny all” unless specifically allowed, as follows:
Modified
p. 46 → 43
Review vendor documentation Examine configuration settings 7.2.3 Does the access control system(s) have a default “deny- all” setting? Review vendor documentation Examine configuration settings 7.3 Are security policies and operational procedures for restricting access to cardholder data:
Modified
p. 47 → 44
Review password procedures Observe user accounts 8.1.5 (a) Are accounts used by vendors to access, support, or maintain system components via remote access enabled only during the time period needed and disabled when not in use?
Review password procedures Observe user accounts 8.1.5 (a) Are accounts used by third parties to access, support, or maintain system components via remote access enabled only during the time period needed and disabled when not in use?
Modified
p. 47 → 44
Review password procedures Interview personnel Observe processes (b) Are vendor remote access accounts monitored when in use? Interview personnel Observe processes
Review password procedures Interview personnel Observe processes (b) Are third party remote access accounts monitored when in use? Interview personnel Observe processes
Modified
p. 48 → 45
Something you know, such as a password or passphrase Something you have, such as a token device or smart card Something you are, such as a biometric Review password procedures Observe authentication processes 8.2.1 (a) Is strong cryptography used to render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components? Review password procedures Review vendor documentation Examine system configuration settings Observe password files Observe …
Something you know, such as a password or passphrase Something you have, such as a token device or smart card Something you are, such as a biometric Review password procedures Observe authentication processes 8.2.1 (a) Is strong cryptography used to render all authentication credentials (such as passwords/passphrases) unreadable during transmission and storage on all system components? Review password procedures Review vendor documentation Examine system configuration settings Observe password files Observe …
Modified
p. 49 → 46
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 8.2.3 (a) Are user password parameters configured to require passwords/passphrases meet the following? A minimum password length of at least seven characters Contain both numeric and alphabetic characters Alternatively, the passwords/passphrases must have complexity and strength at least equivalent to the parameters specified above.
Removed
p. 50
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 8.3 Is two-factor authentication incorporated for remote network access originating from outside the network by personnel (including users and administrators) and all third parties (including vendor access for support or maintenance)? Note: Two-factor authentication requires that two of the three authentication methods (see PCI DSS Requirement 8.2 for descriptions of authentication methods) be used for authentication. Using one factor twice (for example, using two separate passwords) is not considered two-factor authentication.
Examples of two-factor technologies include remote authentication and dial-in service (RADIUS) with tokens; terminal access controller access control system (TACACS) with tokens; and other technologies that facilitate two-factor authentication.
Modified
p. 50 → 47
Examine system configurations Observe personnel connecting remotely 8.4 (a) Are authentication policies and procedures documented and communicated to all users? Review policies and procedures Review distribution method Interview personnel Interview users
Modified
p. 50 → 48
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested (b) Do authentication policies and procedures include the following? Guidance on selecting strong authentication credentials Guidance for how users should protect their authentication credentials Instructions not to reuse previously used passwords Instructions that users should change passwords if there is any suspicion the password could be compromised Review policies and procedures Review documentation provided to …
Modified
p. 51 → 47
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 8.5 Are group, shared, or generic accounts, passwords, or other authentication methods prohibited as follows:
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 8.3 Is all individual non-console administrative access and all remote access to the CDE secured using multi-factor authentication as follows:
Modified
p. 51 → 49
(a) Is all user access to, user queries of, and user actions on (for example, move, copy, delete), the database through programmatic methods only (for example, through stored procedures)? Review database authentication policies and procedures Examine database and application configuration settings
(a) Is all user access to, user queries of, and user actions on (for example, move, copy, delete), the database through programmatic methods only (for example, through stored procedures)?
Modified
p. 52 → 49
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested (b) Is user direct access to or queries to of databases restricted to database administrators?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 8.7 Is all access to any database containing cardholder data (including access by applications, administrators, and all other users) restricted as follows:
Modified
p. 53 → 50
Observe physical access controls Observe personnel 9.1.1 (a) Are video cameras and/or access-control mechanisms in place to monitor individual physical access to sensitive areas? Note: “Sensitive areas” refers to any data center, server room, or any area that houses systems that store, process, or transmit cardholder data. This excludes public-facing areas where only point-of-sale terminals are present such as the cashier areas in a retail store.
Observe physical access controls Observe personnel 9.1.1 (a) Are either video cameras or access-control mechanisms (or both) in place to monitor individual physical access to sensitive areas? Note: “Sensitive areas” refers to any data center, server room, or any area that houses systems that store, process, or transmit cardholder data. This excludes public-facing areas where only point-of-sale terminals are present such as the cashier areas in a retail store.
Modified
p. 53 → 50
Review policies and procedures Observe physical monitoring mechanisms Observe security features (b) Are video cameras and/or access-control mechanisms protected from tampering or disabling?
Review policies and procedures Observe physical monitoring mechanisms Observe security features (b) Are either video cameras or access-control mechanisms (or both) protected from tampering or disabling?
Removed
p. 56
Observe physical security at media location (b) Is this location’s security reviewed at least annually? Review policies and procedures for reviewing offsite media locations Interview security personnel 9.6 (a) Is strict control maintained over the internal or external distribution of any kind of media? Review policies and procedures for distribution of media (b) Do controls include the following:
Modified
p. 56 → 53
Review policies and procedures for physically securing media Interview personnel 9.5.1 (a) Are media back-ups stored in a secure location, preferably in an off-site facility, such as an alternate or backup site, or a commercial storage facility?
Review policies and procedures for physically securing media Interview personnel 9.5.1 Is the location where media back-ups are stored reviewed at least annually to confirm storage is secure?
Modified
p. 59 → 56
Interview personnel Observe inspection processes and compare to defined processes (b) Are personnel are aware of procedures for inspecting devices? Interview personnel
Interview personnel Observe inspection processes and compare to defined processes (b) Are personnel aware of procedures for inspecting devices? Interview personnel
Modified
p. 60 → 57
(a) Do training materials for personnel at point-of-sale locations include the following? Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices. Do not install, replace, or return devices without verification. Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices). Report suspicious behavior and indications of device tampering or substitution to appropriate personnel …
Modified
p. 62 → 59
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 10.2.6 Initialization, stopping, or pausing of the audit logs? Interview personnel Observe audit logs Examine audit log settings 10.2.7 Creation and deletion of system-level object? Interview personnel Observe audit logs Examine audit log settings 10.3 Are the following audit trail entries recorded for all system components for each event:
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 10.2.6 Initialization, stopping, or pausing of the audit logs? Interview personnel Observe audit logs Examine audit log settings 10.2.7 Creation and deletion of system-level objects? Interview personnel Observe audit logs Examine audit log settings 10.3 Are the following audit trail entries recorded for all system components for each event:
Modified
p. 66 → 63
Review security policies and procedures (b) Are audit logs retained for at least one year? Interview personnel Examine audit logs (c) Are at least the last three months’ logs immediately available for analysis? Interview personnel Observe processes 10.8 Are security policies and operational procedures for monitoring all access to network resources and cardholder data:
Review security policies and procedures (b) Are audit logs retained for at least one year? Interview personnel Examine audit logs (c) Are at least the last three months’ logs immediately available for analysis? Interview personnel Observe processes 10.8 This requirement applies only to service providers 10.9 Are security policies and operational procedures for monitoring all access to network resources and cardholder data:
Modified
p. 68 → 66
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested (c) Are quarterly internal scans performed by a qualified internal resource(s) or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)?
Modified
p. 69 → 66
Interview personnel 11.2.2 (a) Are quarterly external vulnerability scans performed? Note: Quarterly external vulnerability scans must be performed by an Approved Scanning Vendor (ASV), approved by the Payment Card Industry Security Standards Council (PCI SSC).
Modified
p. 70 → 67
Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) Includes coverage for the entire CDE perimeter and critical Includes testing from both inside and outside the network Includes testing to validate any segmentation and scope- reduction controls Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5 Defines network-layer penetration tests to include components that support network functions as well as operating systems Includes review and …
Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) Includes coverage for the entire CDE perimeter and critical systems Includes testing from both inside and outside the network Includes testing to validate any segmentation and scope- reduction controls Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5 Defines network-layer penetration tests to include components that support network functions as well as operating systems Includes review …
Modified
p. 72 → 69
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 11.4 (a) Are intrusion-detection and/or intrusion-prevention techniques that detect and/or prevent intrusions into the network in place to monitor all traffic:
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 11.3.4.1 This requirement applies only to service providers 11.4 (a) Are intrusion-detection and/or intrusion-prevention techniques that detect and/or prevent intrusions into the network in place to monitor all traffic:
Modified
p. 72 → 69
Examine system configurations Interview responsible personnel (c) Are all intrusion-detection and prevention engines, baselines, and signatures kept up-to-date? Examine IDS/IPS configurations Examine vendor documentation 11.5 (a) Is a change-detection mechanism (for example, file- integrity monitoring tools) deployed within the cardholder data environment to detect unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files? Examples of files that should be monitored include:
Examine system configurations Interview responsible personnel (c) Are all intrusion-detection and prevention engines, baselines, and signatures kept up-to-date? Examine IDS/IPS configurations Examine vendor documentation 11.5 (a) Is a change-detection mechanism (for example, file- integrity monitoring tools) deployed to detect unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files? Examples of files that should be monitored include:
Modified
p. 74 → 71
Review the information security policy Interview responsible personnel 12.2 (a) Is an annual risk assessment process implemented that Identifies critical assets, threats, and vulnerabilities, Results in a formal, documented analysis of risk? Examples of risk assessment methodologies include but are not limited to OCTAVE, ISO 27005 and NIST SP 800-30.
Review the information security policy Interview responsible personnel 12.2 (a) Is an annual risk assessment process implemented Identifies critical assets, threats, and vulnerabilities, and Results in a formal, documented analysis of risk? Examples of risk assessment methodologies include but are not limited to OCTAVE, ISO 27005 and NIST SP 800- 30.
Modified
p. 76 → 73
Review information security policy and procedures Interview a sample of responsible personnel 12.5 (a) Is responsibility for information security formally assigned to a Chief Security Officer or other security- knowledgeable member of management? Review information security policy and procedures (b) Are the following information security management responsibilities formally assigned to an individual or team:
Review information security policy and procedures Interview a sample of responsible personnel 12.4.1 This requirement applies only to service providers 12.5 (a) Is responsibility for information security formally assigned to a Chief Security Officer or other security- knowledgeable member of management? Review information security policy and procedures (b) Are the following information security management responsibilities formally assigned to an individual or team:
Modified
p. 77 → 74
Review information security policy and procedures 12.5.5 Monitoring and controlling all access to data? Review information security policy and procedures 12.6 (a) Is a formal security awareness program in place to make all personnel aware of the importance of cardholder data security? Review security awareness program (b) Do security awareness program procedures include the following:
Review information security policy and procedures 12.5.5 Monitoring and controlling all access to data? Review information security policy and procedures 12.6 (a) Is a formal security awareness program in place to make all personnel aware of the cardholder data security policy and procedures? Review security awareness program (b) Do security awareness program procedures include the following:
Modified
p. 80 → 77
Review incident response plan procedures Interview responsible personnel 12.10.3 Are specific personnel designated to be available on a 24/7 basis to respond to alerts?
Modified
p. 80 → 77
Observe processes Review incident response plan procedures 12.10.6 Is a process developed and in place to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments? Observe processes Review incident response plan procedures Interview responsible personnel
Observe processes Review incident response plan procedures 12.10.6 Is a process developed and in place to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments? Observe processes Review incident response plan procedures Interview responsible personnel 12.11 This requirement applies only to service providers
Modified
p. 85 → 83
Based on the results documented in the SAQ D noted above , the signatories identified in Parts 3b-3d, as applicable, assert(s) the following compliance status for the entity identified in Part 2 of this document: (check one):
Removed
p. 86
Signature of ISA Date:
Modified
p. 86 → 84
Part 3c. QSA Acknowledgement (if applicable) If a QSA was involved or assisted with this assessment, describe the role performed:
Part 3c. Qualified Security Assessor (QSA) Acknowledgement (if applicable) If a QSA was involved or assisted with this assessment, describe the role performed:
Modified
p. 86 → 84
Part 3d. ISA Acknowledgement (if applicable) If a ISA was involved or assisted with this assessment, describe the role performed:
Part 3d. Internal Security Assessor (ISA) Involvement (if applicable) If an ISA(s) was involved or assisted with this assessment, identify the ISA personnel and describe the role performed:
Modified
p. 87 → 85
PCI DSS Requirement Description of Requirement Compliant to PCI DSS Requirements (Select One) Remediation Date and Actions (If “NO” selected for any Requirement) YES NO Install and maintain a firewall configuration to protect cardholder data Do not use vendor-supplied defaults for system passwords and other security parameters 3 Protect stored cardholder data 4 Encrypt transmission of cardholder data across open, public networks Protect all systems against malware and regularly update anti- virus software or programs 6 Develop and maintain secure …
PCI DSS Requirement Description of Requirement Compliant to PCI DSS Requirements (Select One) Remediation Date and Actions (If “NO” selected for any Requirement) YES NO Install and maintain a firewall configuration to protect cardholder data Do not use vendor-supplied defaults for system passwords and other security parameters 3 Protect stored cardholder data 4 Encrypt transmission of cardholder data across open, public networks Protect all systems against malware and regularly update anti- virus software or programs 6 Develop and maintain secure …