Document Comparison

PCI-DSS-v3_2-SAQ-C_VT-rev1_1.pdf → PCI-DSS-v3-2-1-SAQ-C-VT-r2.pdf
93% similar
37 → 37 Pages
9037 → 8971 Words
85 Content Changes

Content Changes

85 content changes. 34 administrative changes (dates, page numbers) hidden.

Added p. 2
This document aligns with PCI DSS v3.2.1 r1.
Added p. 5
• Section 1 (Parts 1 & 2 of the AOC)

• Section 3 (Parts 3 & 4 of the AOC)

• Guidance on Scoping

• Guidance on the intent of all PCI DSS Requirements

• Details of testing procedures

• Guidance on Compensating Controls

SAQ Instructions and Guidelines documents

• Information about all SAQs and their eligibility criteria

• How to determine which SAQ is right for your organization

• Descriptions and definitions of terms used in the PCI DSS and self-assessment questionnaires

These and other resources can be found on the PCI SSC website (www.pcisecuritystandards.org). Organizations are encouraged to review the PCI DSS and other supporting documents before beginning an assessment.
Added p. 11
• Examine mobile and/or employee-owned devices.

• Examine mobile and/or employee-owned devices.

(b) Is the personal firewall software (or equivalent functionality) configured to specific configuration settings, actively running, and not alterable by users of mobile and/or employee-owned devices?

• Review policies and configuration standards.
Added p. 12
• Examine vendor documentation.

• Observe system configurations and account settings.
Added p. 12
Are unnecessary default accounts removed or disabled before installing a system on the network?

• Review policies and procedures.
Added p. 12
• Examine system configurations and account settings.
Added p. 13
• Examine configuration settings.

• Examine configuration settings.

• Compare enabled services, etc. to documented justifications.

(c) Are security parameter settings set appropriately on system components?

• Examine system components.

• Examine security parameter settings.

• Compare settings to system configuration standards.

• Examine security parameters on system components.

• Examine security parameters on system components.

(c) Is only documented functionality present on system components?

• Review documentation.

• Observe an administrator log on.

• Observe an administrator log on.

• Examine services and files.

• Examine deletion processes.

- Incoming transaction data

- Incoming transaction data

• Review roles that need access to displays of full PAN.

• Observe displays of PAN.

• Review documented standards.

• Review all locations where CHD is transmitted or received.

(b) Are only trusted keys and/or certificates accepted?

• Observe inbound and outbound transmissions.

• Examine keys and certificates.

(c) Are security protocols implemented to use only secure configurations, and to not support insecure versions or configurations?

• Examine system configurations.

• Cardholder data is only requested if “HTTPS” …
Added p. 19
(b) Are automatic updates and periodic scans enabled and being performed?

• Examine anti-virus configurations, including the master installation.

• Review log retention processes.

• Examine anti-virus configurations.

• Using reputable outside sources for vulnerability information?

PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A

6.2 (a) Are all system components and software protected from known vulnerabilities by installing applicable vendor-supplied security patches?

• Review policies and procedures.
Added p. 23
• Interview management.

• Interview management.

• Review privileged user IDs.

• Examine terminated users accounts.

• Review current access lists.

• Observe returned physical authentication devices.

In addition to assigning a unique ID, is one or more of the following methods employed to authenticate all users?

• Something you know, such as a password or passphrase

• Something you have, such as a token device or smart card

• Something you are, such as a biometric

• Review password procedures.

• Observe authentication processes.

• Observe administrator logging into CDE.

• Generic user IDs and accounts are disabled or removed;

• Shared user IDs for system administration activities and other critical functions do not exist; and

• Shared and generic user IDs are not used to administer any system components?

• Review policies and procedures.

• Examine user ID lists.

• Review policies and procedures for physically securing media.

• Interview security personnel.

• Examine media distribution tracking logs and documentation.

• Examine media distribution tracking logs and documentation.

• Examine …
Added p. 29
• Interview a sample of responsible personnel.
Added p. 30
• Review list of service providers.

• Observe written agreements.
Added p. 31
• Review incident response plan procedures.

A2.1 For POS POI terminals (at the merchant or payment-acceptance location) using SSL and/or early TLS: Are the devices confirmed to not be susceptible to any known exploits for SSL/early TLS?

Note: This requirement is intended to apply to the entity with the POS POI terminal, such as a merchant. This requirement is not intended for service providers who serve as the termination or connection point to those POS POI terminals. Requirements A2.2 and A2.3 apply to POS POI service providers.

• Review documentation (for example, vendor documentation, system/network configuration details, etc.) that verifies POS POI devices are not susceptible to any known exploits for SSL/early TLS.
Added p. 37
Do not use vendor-supplied defaults for system passwords and other security parameters.
Added p. 37
Protect all systems against malware and regularly update anti-virus software or programs.
Added p. 37
Appendix A2 Additional PCI DSS Requirements for Entities using SSL/Early TLS for Card-Present POS POI Terminal Connections.
Modified p. 4
Your company’s only payment processing is via a virtual payment terminal accessed by an Internet-connected web browser; Your company’s virtual payment terminal solution is provided and hosted by a PCI DSS validated third-party service provider; Your company accesses the PCI DSS-compliant virtual payment terminal solution via a computer that is isolated in a single location, and is not connected to other locations or systems within your environment (this can be achieved via a firewall or network …
Your company’s only payment processing is via a virtual payment terminal accessed by an Internet-connected web browser; Your company’s virtual payment terminal solution is provided and hosted by a PCI DSS validated third-party service provider; Your company accesses the PCI DSS-compliant virtual payment terminal solution via a computer that is isolated in a single location, and is not connected to other locations or systems within your environment (this can be achieved via a firewall or network …
Removed p. 5
(PCI Data Security Standard Requirements and Security Assessment Procedures)

• Guidance on Scoping

• Guidance on the intent of all PCI DSS Requirements

• Details of testing procedures

• Guidance on Compensating Controls

SAQ Instructions and Guidelines documents

• Information about all SAQs and their eligibility criteria

• How to determine which SAQ is right for your organization

PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms

• Descriptions and definitions of terms used in the PCI DSS and self-assessment questionnaires

These and other resources can be found on the PCI SSC website (www.pcisecuritystandards.org). Organizations are encouraged to review the PCI DSS and other supporting documents before beginning an assessment.
Modified p. 5
1. Identify the applicable SAQ for your environment—refer to the Self-Assessment Questionnaire Instructions and Guidelines document on PCI SSC website for information.
1. Identify the applicable SAQ for your environment—refer to the Self-Assessment Questionnaire Instructions and Guidelines document on PCI SSC website for information.
Modified p. 5
• Section 1 (Parts 1 & 2 of the AOC)

• Assessment Information and Executive Summary.
• Assessment Information and Executive Summary
Modified p. 5
• Section 2

• PCI DSS Self-Assessment Questionnaire (SAQ C-VT)

• Section 3 (Parts 3 & 4 of the AOC)

• Validation and Attestation Details and Action Plan for Non-Compliant Requirements (if applicable)
• Validation and Attestation Details and Action Plan for Non-Compliant Requirements (if applicable)
Modified p. 5
5. Submit the SAQ and Attestation of Compliance (AOC), along with any other requested documentation—such as ASV scan reports—to your acquirer, payment brand or other requester.
5. Submit the SAQ and Attestation of Compliance (AOC), along with any other requested documentation—such as ASV scan reports—to your acquirer, payment brand, or other requester.
Modified p. 7
Section 1: Assessment Information Instructions for Submission This document must be completed as a declaration of the results of the merchant’s self-assessment with the Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures (PCI DSS). Complete all sections: The merchant is responsible for ensuring that each section is completed by the relevant parties, as applicable. Contact acquirer (merchant bank) or the payment brands to determine reporting and submission procedures.
Section 1: Assessment Information Instructions for Submission This document must be completed as a declaration of the results of the merchant’s self-assessment with the Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures (PCI DSS). Complete all sections: The merchant is responsible for ensuring that each section is completed by the relevant parties, as applicable. Contact your acquirer (merchant bank) or the payment brands to determine reporting and submission procedures.
Modified p. 8
Type of facility Number of facilities of this type Location(s) of facility (city, country) Example: Retail outlets 3 Boston, MA, USA Part 2d. Payment Application Does the organization use one or more Payment Applications? Yes No Provide the following information regarding the Payment Applications your organization uses:
Type of facility Number of facilities of this type Location(s) of facility (city, country) Example: Retail outlets 3 Boston, MA, USA Part 2d. Payment Applications Does the organization use one or more Payment Applications? Yes No Provide the following information regarding the Payment Applications your organization uses:
Modified p. 8
Does your business use network segmentation to affect the scope of your PCI DSS environment? (Refer to “Network Segmentation” section of PCI DSS for guidance on network segmentation)
Does your business use network segmentation to affect the scope of your PCI DSS environment? (Refer to “Network Segmentation” section of PCI DSS for guidance on network segmentation.)
Modified p. 10
• Review firewall and router configuration standards • Examine firewall and router configurations (b) Is all other inbound and outbound traffic specifically denied (for example by using an explicit “deny all” or an implicit deny after allow statement)?
Is all other inbound and outbound traffic specifically denied (for example by using an explicit “deny all” or an implicit deny after allow statement)? • Review firewall and router configuration standards.
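The “deny all” question above is answered in practice by looking at each firewall chain’s default policy and its last rule. As an added illustration that is not part of either SAQ revision or of this comparison, the following Python script parses a constructed `nft list ruleset` dump and reports the chains that neither carry `policy drop` (implicit deny after the allow rules) nor end in a catch-all drop/reject rule (explicit deny all). The ruleset text, the chain contents and the function names are assumptions made for the example; the weak setting it catches is the `output` chain, which still has the nftables default `policy accept`.

```python
import re

# Constructed nftables ruleset for the example (not taken from a real host).
# 'input' relies on policy drop, 'forward' on an explicit trailing drop,
# and 'output' has no default deny at all.
SAMPLE_RULESET = """\
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        tcp dport 443 ip saddr 203.0.113.0/24 accept
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        counter drop
    }
    chain output {
        type filter hook output priority 0; policy accept;
        oif "lo" accept
        ct state established,related accept
        tcp dport { 53, 443 } accept
    }
}
"""

CHAIN_RE = re.compile(r"^\s*chain\s+(\S+)\s*\{")
POLICY_RE = re.compile(r"\bpolicy\s+(accept|drop)\b")


def parse_chains(ruleset):
    """Map chain name -> {'policy': 'accept'|'drop'|None, 'rules': [...]}."""
    chains, current = {}, None
    for line in ruleset.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": None, "rules": []}
            continue
        if current is None:
            continue
        stripped = line.strip()
        if stripped == "}":          # end of the current chain block
            current = None
            continue
        pm = POLICY_RE.search(stripped)
        if pm:
            chains[current]["policy"] = pm.group(1)
        elif stripped:
            chains[current]["rules"].append(stripped)
    return chains


def default_denies(chain):
    """True when unmatched traffic is dropped: implicit deny via policy drop,
    or an explicit deny-all as the last rule (a bare 'drop'/'reject', optionally
    preceded by 'counter'). A last rule with match expressions does not count."""
    if chain["policy"] == "drop":
        return True
    if not chain["rules"]:
        return False
    tokens = [t for t in chain["rules"][-1].split() if t != "counter"]
    return tokens[0] in ("drop", "reject")


def chains_without_default_deny(ruleset):
    """Names of chains that would fail the 'deny all' question."""
    return sorted(name for name, chain in parse_chains(ruleset).items()
                  if not default_denies(chain))


if __name__ == "__main__":
    for name in chains_without_default_deny(SAMPLE_RULESET):
        print(f"chain {name}: no default deny (policy accept, no trailing drop)")
```

Against a live host the same function takes the text of `nft list ruleset`; the check is deliberately strict about the last rule so that a chain whose final statement is a targeted drop (for example one source address) is not mistaken for a deny-all.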
Removed p. 11
• Review policies and configuration standards

• Examine mobile and/or employee-owned devices

(b) Is the personal firewall software (or equivalent functionality) configured to specific configuration settings, actively running, and not alterable by users of mobile and/or employee-owned devices?

• Review policies and configuration standards

• Examine mobile and/or employee-owned devices
Removed p. 12
• Review policies and procedures

• Examine vendor documentation

• Observe system configurations and account settings

• Interview personnel

(b) Are unnecessary default accounts removed or disabled before installing a system on the network?

• Review policies and procedures

• Review vendor documentation

• Examine system configurations and account settings

• Interview personnel

2.1.1 For wireless environments connected to the cardholder data environment or transmitting cardholder data, are ALL wireless vendor defaults changed at installations, as follows:
Modified p. 12
(a) Are encryption keys changed from default at installation, and changed anytime anyone with knowledge of the keys leaves the company or changes positions?
(a) Are encryption keys changed from default at installation, and changed anytime anyone with knowledge of the keys leaves the company or changes positions? • Review policies and procedures.
Modified p. 12
• Review policies and procedures • Review vendor documentation • Interview personnel (b) Are default SNMP community strings on wireless devices changed at installation?
(b) Are default SNMP community strings on wireless devices changed at installation? • Review policies and procedures.
Modified p. 12
• Review policies and procedures • Review vendor documentation • Interview personnel • Examine system configurations (c) Are default passwords/passphrases on access points changed at installation? • Review policies and procedures • Interview personnel • Examine system configurations
(c) Are default passwords/passphrases on access points changed at installation? Review policies and procedures.
Modified p. 13
(d) Is firmware on wireless devices updated to support strong encryption for authentication and transmission over wireless networks?
2.1.1 (cont.) (d) Is firmware on wireless devices updated to support strong encryption for authentication and transmission over wireless networks? • Review policies and procedures.
Modified p. 13
• Review policies and procedures • Review vendor documentation • Examine system configurations (e) Are other security-related wireless vendor defaults changed, if applicable?
(e) Are other security-related wireless vendor defaults changed, if applicable? • Review policies and procedures.
Modified p. 13
• Review configuration standards • Examine system configurations (b) Are all enabled insecure services, daemons, or protocols justified per documented configuration standards?
(b) Are all enabled insecure services, daemons, or protocols justified per documented configuration standards? • Review configuration standards
Modified p. 13
• Interview personnel (b) Are common system security parameters settings included in the system configuration standards? • Review system configuration standards
Are common system security parameters settings included in the system configuration standards? • Review system configuration standards.
Removed p. 14
• Examine system components

• Examine security parameter settings

• Compare settings to system configuration standards

2.2.5 (a) Has all unnecessary functionality—such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers—been removed?

• Review documentation

• Examine security parameters on system components

(c) Is only documented functionality present on system components?

• Review documentation

• Examine security parameters on system components

2.3 Is non-console administrative access encrypted as follows:

Note: Where SSL/early TLS is used, the requirements in Appendix A2 must be completed.
Modified p. 14
(c) Are security parameter settings set appropriately on system components?
2.2.5 (a) Has all unnecessary functionality—such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers—been removed? • Examine security parameters on system components.
Modified p. 14
• Examine security parameters on system components (b) Are enabled functions documented and do they support secure configuration?
Are enabled functions documented and do they support secure configuration? • Review documentation.
Modified p. 14
(a) Is all non-console administrative access encrypted with strong cryptography, and is a strong encryption method invoked before the administrator’s password is requested?
(a) Is all non-console administrative access encrypted with strong cryptography, and is a strong encryption method invoked before the administrator’s password is requested? • Examine system components.
Modified p. 14
• Examine system components • Examine system configurations • Observe an administrator log on (b) Are system services and parameter files configured to prevent the use of Telnet and other insecure remote login commands?
(b) Are system services and parameter files configured to prevent the use of Telnet and other insecure remote login commands? • Examine system components.
Modified p. 14
• Examine system components • Examine services and files (c) Is administrator access to web-based management interfaces encrypted with strong cryptography?
(c) Is administrator access to web-based management interfaces encrypted with strong cryptography? • Examine system components.
Modified p. 14
• Examine system components • Observe an administrator log on (d) For the technology in use, is strong cryptography implemented according to industry best practice and/or vendor recommendations? • Examine system components • Review vendor documentation • Interview personnel
(d) For the technology in use, is strong cryptography implemented according to industry best practice and/or vendor recommendations? Examine system components.
Removed p. 15
• Incoming transaction data

• All logs

• History files

• Trace files

• Database schema

• Database contents
Modified p. 15
3.2 (c) Is sensitive authentication data deleted or rendered unrecoverable upon completion of the authorization process? • Review policies and procedures • Examine system configurations • Examine deletion processes (d) Do all systems adhere to the following requirements regarding non-storage of sensitive authentication data after authorization (even if encrypted):
3.2 (c) Is sensitive authentication data deleted or rendered unrecoverable upon completion of the authorization process? • Review policies and procedures.
Modified p. 15
• Incoming transaction data • All logs • History files • Trace files • Database schema • Database contents 3.2.3 The personal identification number (PIN) or the encrypted PIN block is not stored after authorization? Examine data sources including:
- Database contents 3.2.3 The personal identification number (PIN) or the encrypted PIN block is not stored after authorization? Examine data sources including:
Removed p. 16
• Review policies and procedures

• Review roles that need access to displays of full PAN

• Examine system configurations

• Observe displays of PAN
Modified p. 16
3.3 Is the PAN masked when displayed (the first six and last four digits are the maximum number of digits to be displayed) such that only personnel with a legitimate business need can see more than the first six/last four digits of the PAN? Note: This requirement does not supersede stricter requirements in place for displays of cardholder data—for example, legal or …
3.3 Is the PAN masked when displayed (the first six and last four digits are the maximum number of digits to be displayed) such that only personnel with a legitimate business need can see more than the first six/last four digits of the PAN? Note: This requirement does not supersede stricter requirements in place for displays of cardholder data—for example, legal or payment card brand …
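The 3.2 data-source list above (incoming transaction data, all logs, history files, trace files) names where full PANs tend to leak, and the 3.3 question fixes the most that may ever be displayed: the first six and last four digits. As an added example that is not taken from the SAQ or from this comparison, the Python script below scans constructed log lines for card-number candidates, keeps only those that pass the Luhn check (so that an order number of the same length is left untouched) and rewrites each hit in 3.3 display form; it serves both the 3.2 log-review and the 3.3 masking point. The sample lines, the regular expression and the function names are the example’s own assumptions; the two card numbers are widely used test numbers, not real accounts.

```python
import re

# 13-19 digits, optionally separated by single spaces or dashes, not adjacent
# to other digits. Constructed pattern for this example.
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_valid(digits):
    """Luhn check: every real PAN passes it, most IDs and timestamps do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """3.3 maximum display form: first six and last four, the rest masked."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_line(line):
    """Replace every Luhn-valid PAN candidate in a line with its masked form.
    Returns (scrubbed_line, number_of_pans_found)."""
    hits = 0

    def _sub(m):
        nonlocal hits
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)   # order numbers, timestamps etc. stay as they are
        hits += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(_sub, line), hits


def scan_log(lines):
    """(line_number, scrubbed_line) for every line that contained a PAN."""
    findings = []
    for n, line in enumerate(lines, 1):
        scrubbed, hits = scrub_line(line)
        if hits:
            findings.append((n, scrubbed))
    return findings


# Constructed sample log lines; 4111111111111111 and 5555555555554444 are
# well-known test numbers, not real cards. Line 1 carries a 16-digit order
# number that fails Luhn and must not be flagged.
SAMPLE_LOG = [
    "2019-05-01T10:00:00Z INFO auth request order=1234567890123456 amount=19.99",
    "2019-05-01T10:00:01Z DEBUG gateway payload pan=4111111111111111 exp=12/22",
    "2019-05-01T10:00:02Z TRACE form field card_number='5555 5555 5555 4444'",
    "2019-05-01T10:00:03Z INFO response code=00 auth_id=987654",
]

if __name__ == "__main__":
    for n, scrubbed in scan_log(SAMPLE_LOG):
        print(f"line {n}: {scrubbed}")
```

Finding a hit in a DEBUG or TRACE line is itself the assessment result: the log is a data source storing full PAN after authorization, and the fix is to stop writing it, not merely to mask it afterwards. The Luhn filter keeps the scan usable on real logs, where 16-digit identifiers that are not card numbers are common.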
Removed p. 17
• Review documented standards

• Review policies and procedures

• Review all locations where CHD is transmitted or received

• Examine system configurations

(b) Are only trusted keys and/or certificates accepted?

• Observe inbound and outbound transmissions

• Examine keys and certificates

(c) Are security protocols implemented to use only secure configurations, and to not support insecure versions or configurations?
Modified p. 17
4.1 (a) Are strong cryptography and security protocols used to safeguard sensitive cardholder data during transmission over open, public networks? Note: Where SSL/early TLS is used, the requirements in Appendix A2 must be completed.
4.1 (a) Are strong cryptography and security protocols used to safeguard sensitive cardholder data during transmission over open, public networks? Note: Examples of open, public networks include but are not limited to the Internet; wireless technologies, including 802.11 and Bluetooth; cellular technologies, for example, Global System for Mobile communications (GSM), Code division multiple access (CDMA); and General Packet Radio Service (GPRS).
Modified p. 17
• Examine system configurations (d) Is the proper encryption strength implemented for the encryption methodology in use (check vendor recommendations/best practices)?
(d) Is the proper encryption strength implemented for the encryption methodology in use (check vendor recommendations/best practices)? • Review vendor documentation.
Modified p. 17
• Review vendor documentation • Examine system configurations (e) For TLS implementations, is TLS enabled whenever cardholder data is transmitted or received? For example, for browser-based implementations:
(e) For TLS implementations, is TLS enabled whenever cardholder data is transmitted or received? For example, for browser-based implementations:
Modified p. 17
“HTTPS” appears as the browser Universal Record Locator (URL) protocol, and • Cardholder data is only requested if “HTTPS” appears as part of the URL.
“HTTPS” appears as the browser Universal Record Locator (URL) protocol, and
Modified p. 17
Examine system configurations
Examine system configurations.
Modified p. 18
• Review documented standards • Review wireless networks • Examine system configuration settings 4.2 (b) Are policies in place that state that unprotected PANs are not to be sent via end-user messaging technologies? • Review policies and procedures
4.2 Are policies in place that state that unprotected PANs are not to be sent via end-user messaging technologies? • Review policies and procedures.
Removed p. 19
• Examine policies and procedures

• Examine anti-virus configurations, including the master installation

• Examine system components

(b) Are automatic updates and periodic scans enabled and being performed?
Modified p. 19
5.1 Is anti-virus software deployed on all systems commonly affected by malicious software?
5.1 Is anti-virus software deployed on all systems commonly affected by malicious software? • Examine system configurations.
Modified p. 19
(a) Are all anti-virus software and definitions kept current?
(a) Are all anti-virus software and definitions kept current? • Examine policies and procedures.
Modified p. 19
• Examine anti-virus configurations, including the master installation • Examine system components (c) Are all anti-virus mechanisms generating audit logs, and are logs retained in accordance with PCI DSS Requirement 10.7? • Examine anti-virus configurations • Review log retention processes
(c) Are all anti-virus mechanisms generating audit logs, and are logs retained in accordance with PCI DSS Requirement 10.7? Examine anti-virus configurations.
Removed p. 20
• Examine anti-virus configurations

• Examine system components

• Observe processes

• Interview personnel
Modified p. 20
Unable to be disabled or altered by users? Note: Anti-virus solutions may be temporarily disabled only if there is legitimate technical need, as authorized by management on a case-by-case basis. If anti-virus protection needs to be disabled for a specific purpose, it must be formally authorized. Additional security measures may also need to be implemented for the period of time during which anti-virus protection is not active.
Unable to be disabled or altered by users? Note: Anti-virus solutions may be temporarily disabled only if there is legitimate technical need, as authorized by management on a case-by-case basis. If anti-virus protection needs to be disabled for a specific purpose, it must be formally authorized. Additional security measures may also need to be implemented for the period of time during which anti-virus protection is not active.
Modified p. 21
6.1 Is there a process to identify security vulnerabilities, including the following: • Using reputable outside sources for vulnerability information? • Assigning a risk ranking to vulnerabilities that includes identification of all “high” risk and “critical” vulnerabilities? Note: Risk rankings should be based on industry best practices as well as consideration of potential impact. For example, criteria for ranking vulnerabilities may include consideration of the …
Assigning a risk ranking to vulnerabilities that includes identification of all “high” risk and “critical” vulnerabilities? Note: Risk rankings should be based on industry best practices as well as consideration of potential impact. For example, criteria for ranking vulnerabilities may include consideration of the CVSS base score and/or the classification by the vendor, and/or type of systems affected.
Modified p. 21 → 22
• Review policies and procedures • Interview personnel • Observe processes 6.2 (a) Are all system components and software protected from known vulnerabilities by installing applicable vendor-supplied security patches? • Review policies and procedures (b) Are critical security patches installed within one month of release? Note: Critical security patches should be identified according to the risk ranking process defined in Requirement 6.1.
Are critical security patches installed within one month of release? Note: Critical security patches should be identified according to the risk ranking process defined in Requirement 6.1.
Modified p. 21 → 22
• Review policies and procedures • Examine system components • Compare list of security patches installed to recent vendor patch lists
Compare list of security patches installed to recent vendor patch lists.
Modified p. 22 → 23
To least privileges necessary to perform job responsibilities?
To least privileges necessary to perform job responsibilities?
Modified p. 22 → 23
Assigned only to roles that specifically require that privileged access?
Assigned only to roles that specifically require that privileged access? • Examine written access control policy.
Removed p. 23
• Review password procedures

• Examine terminated users accounts

• Review current access lists

• Observe returned physical authentication devices

In addition to assigning a unique ID, is one or more of the following methods employed to authenticate all users?
Modified p. 23 → 24
8.1.1 Are all users assigned a unique ID before allowing them to access system components or cardholder data?
8.1.1 Are all users assigned a unique ID before allowing them to access system components or cardholder data? • Review password procedures.
Modified p. 23 → 24
Examine system configuration settings to verify password parameters
Examine system configuration settings to verify password parameters.
Removed p. 24
• Generic user IDs and accounts are disabled or removed;

• Shared user IDs for system administration activities and other critical functions do not exist; and

• Shared and generic user IDs are not used to administer any system components?

• Review policies and procedures

• Examine user ID lists

• Interview personnel
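“Examine user ID lists” for the generic/shared ID question above is, on a Unix host, a review of the account database. As an added example that is not part of the SAQ or of this comparison, the Python script below audits a constructed `/etc/passwd`-style listing for the three things the question names: generic role accounts that can log in, accounts described as shared, and a second UID 0 identity (the same superuser identity shared under two names). The sample entries, the list of generic names and the function names are assumptions made for the example; the generic-name list in particular must be extended per environment.

```python
# Constructed /etc/passwd-style sample for the example (not from a real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:backup superuser:/root:/bin/bash
admin:x:1001:1001:Shared admin login:/home/admin:/bin/bash
jsmith:x:1002:1002:Jane Smith:/home/jsmith:/bin/bash
posapp:x:1003:1003:POS service account:/srv/pos:/usr/sbin/nologin
guest:x:1004:1004::/home/guest:/bin/sh
"""

# Names that identify a role rather than a person (assumed list for the example).
GENERIC_NAMES = {"admin", "administrator", "guest", "test", "shared",
                 "operator", "user", "sysadmin"}
# Shells that prevent interactive login; service accounts with these are not
# "user IDs" in the sense of the question.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """Parse passwd(5) lines into dicts; blank lines and comments are skipped."""
    users = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, _gid, gecos, _home, shell = line.split(":")
        users.append({"name": name, "uid": int(uid), "gecos": gecos, "shell": shell})
    return users


def audit_accounts(users):
    """Return (account, reason) findings for the shared/generic user ID question."""
    findings = []
    by_uid = {}
    for u in users:
        by_uid.setdefault(u["uid"], []).append(u["name"])
    for u in users:
        interactive = u["shell"] not in NOLOGIN_SHELLS
        if u["uid"] == 0 and u["name"] != "root":
            findings.append((u["name"], "second UID 0 account: shared superuser identity"))
        if interactive and u["name"].lower() in GENERIC_NAMES:
            findings.append((u["name"], "generic interactive account; disable or remove"))
        if interactive and "shared" in u["gecos"].lower():
            findings.append((u["name"], "account described as shared in its GECOS field"))
    for uid, names in sorted(by_uid.items()):
        if len(names) > 1:
            findings.append((",".join(names), f"UID {uid} is used by {len(names)} usernames"))
    return findings


def flagged_accounts(text):
    """Account names (or name groups) with at least one finding."""
    return {acct for acct, _ in audit_accounts(parse_passwd(text))}


if __name__ == "__main__":
    for acct, reason in audit_accounts(parse_passwd(SAMPLE_PASSWD)):
        print(f"{acct:12} {reason}")
```

On the sample, `jsmith` (a named person) and `posapp` (a non-interactive service account) produce no findings; `toor`, `admin` and `guest` do, and the UID 0 collision between `root` and `toor` is reported once as a group. The script answers only the “do such IDs exist” part; whether they are used to administer system components still has to come from the interview and from authentication logs.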
Modified p. 24 → 25
8.3 Is all individual non-console administrative access and all remote access to the CDE secured using multi-factor authentication, as follows:
8.3 Is all individual non-console administrative access and all remote access to the CDE secured using multi-factor authentication, as follows:
Modified p. 25 → 26
9.1 Are appropriate facility entry controls in place to limit and monitor physical access to systems in the cardholder data environment?
9.1 Are appropriate facility entry controls in place to limit and monitor physical access to systems in the cardholder data environment? • Observe physical access controls.
Modified p. 26 → 27
9.8.1 (a) Are hardcopy materials cross-cut shredded, incinerated, or pulped so that cardholder data cannot be reconstructed?
9.8.1 (a) Are hardcopy materials cross-cut shredded, incinerated, or pulped so that cardholder data cannot be reconstructed? • Review periodic media destruction policies and procedures.
Modified p. 26 → 27
• Review periodic media destruction policies and procedures • Interview personnel • Observe processes (b) Are storage containers used for materials that contain information to be destroyed secured to prevent access to the contents? • Review periodic media destruction policies and procedures • Examine security of storage containers
Are storage containers used for materials that contain information to be destroyed secured to prevent access to the contents? Review periodic media destruction policies and procedures.
Modified p. 27 → 28
11.3.4 If segmentation is used to isolate the CDE from other networks:
If segmentation is used to isolate the CDE from other networks:
Modified p. 27 → 28
(a) Are penetration-testing procedures defined to test all segmentation methods, to confirm they are operational and effective, and isolate all out-of-scope systems from systems in the CDE?
(a) Are penetration-testing procedures defined to test all segmentation methods, to confirm they are operational and effective, and isolate all out-of-scope systems from systems in the CDE? • Examine segmentation controls.
Modified p. 27 → 28
• Examine segmentation controls • Review penetration-testing methodology (b) Does penetration testing to verify segmentation controls meet the following? • Performed at least annually and after any changes to segmentation controls/methods • Covers all segmentation controls/methods in use • Verifies that segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.
(b) Does penetration testing to verify segmentation controls meet the following? - Performed at least annually and after any changes to segmentation controls/methods
Modified p. 27 → 28
• Examine results from the most recent penetration test
(c) Are tests performed by a qualified internal resource or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)?
• Interview responsible personnel
(c) Are tests performed by a qualified internal resource or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)? Interview responsible personnel.
Removed p. 28
• Review usage policies
• Interview responsible personnel
12.3.3 A list of all such devices and personnel with access?
• Review usage policies
• Interview responsible personnel
12.3.5 Acceptable uses of the technologies?
• Review usage policies
• Interview responsible personnel
12.4 Do security policy and procedures clearly define information security responsibilities for all personnel?
• Review information security policy and procedures
• Interview a sample of responsible personnel
Modified p. 28 → 29
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 12.1 Is a security policy established, published, maintained, and disseminated to all relevant personnel?
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 12.1 Is a security policy established, published, maintained, and disseminated to all relevant personnel? • Review the information security policy.
Removed p. 30
• Observe processes
• Review policies and procedures and supporting documentation
12.8.5 Is information maintained about which PCI DSS requirements are managed by each service provider, and which are managed by the entity?
Modified p. 30 → 31
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 12.8.4 Is a program maintained to monitor service providers’ PCI DSS compliance status at least annually?
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 12.8.5 Is information maintained about which PCI DSS requirements are managed by each service provider, and which are managed by the entity?

• Review policies and procedures and supporting documentation.
Removed p. 31
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A A2.1 For POS POI terminals (and the SSL/TLS termination points to which they connect) using SSL and/or early TLS:
• Are the devices confirmed to not be susceptible to any known exploits for SSL/early TLS?
• Is there a formal Risk Mitigation and Migration Plan in place per Requirement A2.2?
• Review documentation (for example, vendor documentation, system/network configuration details, etc.) that verifies POS POI devices are not susceptible to any known exploits for SSL/early TLS
A2.2 Is there a formal Risk Mitigation and Migration Plan in place for all implementations that use SSL and/or early TLS (other than as allowed in A2.1), that includes:
• Description of usage, including: what data is being transmitted, types and number of systems that use and/or support SSL/early TLS, type of environment;
• Risk assessment results and risk reduction controls …
Modified p. 31 → 32
Appendix A2: Additional PCI DSS Requirements for Entities using SSL/early TLS
Appendix A2: Additional PCI DSS Requirements for Entities using SSL/Early TLS for Card-Present POS POI Terminal Connections
Modified p. 35
Based on the results documented in the SAQ C-VT noted above, the signatories identified in Parts 3b-3d, as applicable, assert(s) the following compliance status for the entity identified in Part 2 of this document: (check one):
Based on the results documented in the SAQ C-VT noted above, the signatories identified in Parts 3b-3d, as applicable, assert(s) the following compliance status for the entity identified in Part 2 of this document (check one):
Modified p. 36
ASV scans are being completed by the PCI SSC Approved Scanning Vendor (ASV Name)
Part 3b. Merchant Attestation
Signature of Merchant Executive Officer Date:
ASV scans are being completed by the PCI SSC Approved Scanning Vendor (ASV Name).
Modified p. 37
PCI DSS Requirement* Description of Requirement Compliant to PCI DSS Requirements (Select One) Remediation Date and Actions (If “NO” selected for any Requirement) YES NO
1 Install and maintain a firewall configuration to protect cardholder data
2 Do not use vendor-supplied defaults for system passwords and other security parameters
3 Protect stored cardholder data
4 Encrypt transmission of cardholder data across open, public networks
5 Protect all systems against malware and regularly update anti-virus software or programs
6 Develop and maintain secure …
PCI DSS Requirement* Description of Requirement Compliant to PCI DSS Requirements (Select One) Remediation Date and Actions (If “NO” selected for any Requirement) YES NO Install and maintain a firewall configuration to protect cardholder data.