Document Comparison
PCI_DSSv3_DESV_S-ROC_Reporting_Template.pdf
→
PCI-DSS-v3_2-A3_DESV-S_ROC-Reporting-Template.pdf
95% similar
Pages: 26 → 26
Words: 7750 → 7875
Content Changes: 114
From Revision History
- June 2015 For use with PCI DSS v3.1 Revision 1.0
- May 2016 For use with PCI DSS v3.2 Revision 1.0
- May 2016 © 2016 PCI Security Standards Council, LLC. All Rights Reserved. Page 3 Introduction to the Supplemental ROC Template for PCI DSS v3.2, Appendix A3:
- May 2016 © 2016 PCI Security Standards Council, LLC. All Rights Reserved. Page 4 Addendum to ROC Reporting Template - Reporting Template for use with PCI DSS
Content Changes
114 content changes. 34 administrative changes (dates, page numbers) hidden.
Added
p. 4
• Overall accountability for maintaining PCI DSS compliance
• Defining a charter for a PCI DSS compliance program
• Provide updates to executive management and board of directors on PCI DSS compliance initiatives and issues, including remediation activities, at least annually.
• Definition of activities for maintaining and monitoring overall PCI DSS compliance, including business as usual activities
• Annual PCI DSS assessment processes
• Processes for the continuous validation of PCI DSS requirements (for example: daily, weekly, quarterly, etc. as applicable per requirement).
• A process for performing business impact analyses to determine potential PCI DSS impacts for strategic business
• Managing PCI DSS business as usual activities
• Managing annual PCI DSS assessments
• Managing continuous validation of PCI DSS requirements (for example: daily, weekly, quarterly, etc. as applicable per requirement)
• Managing business impact analyses to determine potential PCI DSS impacts for strategic business decisions
Managing PCI DSS business …
Added
p. 14
• The entity has a process in place to test the effectiveness of methods used for data discovery
• The process includes verifying the methods are able to discover clear text PAN on all types of system components and file formats in use
Identify the personnel interviewed who confirm that:
• The entity has a process in place to test the effectiveness of methods used for data discovery
• The process includes verifying the methods are able to discover clear text PAN on all types of system components and file formats in use
<Report Findings Here>
Identify the document(s) examined to verify that:
Added
p. 15
• Procedures for determining what to do if clear text PAN is discovered outside of the CDE, including its retrieval, secure deletion and/or migration into the currently defined CDE, as applicable
• Procedures for determining how the data ended up outside the CDE
• Procedures for remediating data leaks or process gaps that resulted in the data being outside of the CDE
• Procedures for identifying the source of the data
• Procedures for identifying any other track data stored with the PANs
Identify the response procedures document(s) examined to verify that procedures for responding to the detection of clear text PAN outside of the CDE are defined and include:
Procedures for determining what to do if clear text PAN is discovered outside of the CDE, including its retrieval, secure deletion and/or migration into the currently defined CDE, as applicable Procedures for determining how the data ended up outside …
Added
p. 20
• Restoring security functions
• Identifying and documenting the duration (date and time start to end) of the security failure
• Identifying and documenting cause(s) of failure, including root cause, and document remediation required to address root cause
• Identifying and addressing any security issues that arose during the failure
• Performing a risk assessment to determine if further actions are required as a result of the security failure
• Implementing controls to prevent cause of failure from reoccurring
• Resuming monitoring of security controls
<Report Findings Here>
A3.3.1.1.b Examine records to verify that security control failures are documented to include:
• Confirm that all BAU activities (e.g. A3.2.2, A3.2.6, and A3.3.1) are being performed
• Confirm that personnel are following security policies and operational procedures (for example, daily log reviews, firewall rule-set reviews, configuration standards for new systems, etc.)
• Document how the reviews were completed, including how all BAU …
Added
p. 25
PCI DSS Requirements and Testing Procedures | Reporting Instruction | Reporting Details: Assessor’s Response | Summary of Assessment Findings (check one): In Place, w/ CCW, N/A
A3.5 Identify and respond to suspicious events.
• Identification of anomalies or suspicious activity as they occur
• Issuance of timely alerts upon detection of suspicious activity or anomaly to responsible personnel
• Response to alerts in accordance with documented response procedures
Removed
p. 2
June 2015 Revision 1.0 To introduce the template for submitting Supplemental Reports on Compliance for Designated Entities.
Modified
p. 3
This “Supplemental ROC Template” or “S-ROC” document is to be completed according to the same instructions provided in the Reporting Template for PCI DSS v3. Refer to the Reporting Template(s) for use with PCI DSS v3 and the ROC Reporting Template for PCI DSS v3: Frequently Asked Questions (FAQs) documents on the PCI SSC website for detailed instruction on how to complete these reporting templates. As such, do not delete any content from any place in this document, including this …
This “Supplemental ROC Template” or “S-ROC” document is to be completed according to the same instructions provided in the Reporting Template for PCI DSS v3.2. Refer to the Reporting Template(s) for use with PCI DSS v3.2 and the ROC Reporting Template for PCI DSS v3.x: Frequently Asked Questions (FAQs) documents on the PCI SSC website for detailed instruction on how to complete these reporting templates. As such, do not delete any content from any place in this document, including this …
Modified
p. 3
The “S-ROC” template is an addendum to the ROC Reporting Template and is not intended to stand alone. Because of this, details related to Scope of Work, Details of Reviewed Environment and so on that are applicable to the environment reviewed for the S-ROC must be included in the applicable sections in the full ROC for that entity. For example, the list of interviewees in the full ROC should also include any persons interviewed during assessment of the PCI DSS …
The “S-ROC” template is an addendum to the ROC Reporting Template and is not intended to stand alone. Because of this, details related to Scope of Work, Details of Reviewed Environment and so on that are applicable to the environment reviewed for the S-ROC must be included in the applicable sections in the full ROC for that entity. For example, the list of interviewees in the full ROC should also include any persons interviewed during assessment of the PCI DSS …
Removed
p. 4
• Overall accountability for maintaining PCI DSS compliance
• Defining a charter for a PCI DSS compliance program
• Provide updates to executive management and board of directors on PCI DSS compliance initiatives and issues, including remediation activities, at least annually.
Modified
p. 4
DE.1 Implement a PCI DSS compliance program
DE.1.1 Executive management shall establish responsibility for the protection of cardholder data and a PCI DSS compliance program to include:
A3.1 Implement a PCI DSS compliance program
A3.1.1 Executive management shall establish responsibility for the protection of cardholder data and a PCI DSS compliance program to include:
Modified
p. 4
PCI DSS Reference: Requirement 12 DE.1.1.a Examine documentation to verify executive management has assigned overall accountability for maintaining the entity’s PCI DSS compliance.
PCI DSS Reference: Requirement 12 A3.1.1.a Examine documentation to verify executive management has assigned overall accountability for maintaining the entity’s PCI DSS compliance.
Modified
p. 4
<Report Findings Here> DE.1.1.b Examine the company’s PCI DSS charter to verify it outlines the conditions under which the PCI DSS compliance program is organized.
<Report Findings Here> A3.1.1.b Examine the company’s PCI DSS charter to verify it outlines the conditions under which the PCI DSS compliance program is organized.
Modified
p. 4
<Report Findings Here> DE.1.1.c Examine executive management and board of directors meeting minutes and/or presentations to ensure PCI DSS compliance initiatives and remediation activities are communicated at least annually.
<Report Findings Here> A3.1.1.c Examine executive management and board of directors meeting minutes and/or presentations to ensure PCI DSS compliance initiatives and remediation activities are communicated at least annually.
Removed
p. 5
• Definition of activities for maintaining and monitoring overall PCI DSS compliance, including business as usual activities
• Annual PCI DSS assessment processes
Modified
p. 5
DE.1.2 A formal PCI DSS compliance program must be in place to include:
A3.1.2 A formal PCI DSS compliance program must be in place to include:
Modified
p. 5
PCI DSS Reference: Requirements 1-12 DE.1.2.a Examine information security policies and procedures to verify that processes are specifically defined for the following:
PCI DSS Reference: Requirements 1-12 A3.1.2.a Examine information security policies and procedures to verify that processes are specifically defined for the following:
Modified
p. 5
• Maintaining and monitoring overall PCI DSS compliance, including business as usual activities
• Annual PCI DSS assessment(s)
• Continuous validation of PCI DSS requirements
• Business impact analyses to determine potential PCI DSS impacts for strategic business decisions
Identify the information security policies and procedures document(s) examined to verify that processes are specifically defined for the following:
Modified
p. 5 → 7
• A process for performing
PCI DSS requirements (for example: daily, weekly, quarterly, etc. as applicable per requirement)
• Managing business impact analyses to determine potential PCI DSS impacts for strategic business decisions
Identify the information security policies and procedures document(s) examined to verify that roles and responsibilities are clearly defined and that duties are assigned to include at least the following:
Removed
p. 6
• Managing continuous validation of PCI DSS requirements (for example: daily, weekly, quarterly, etc. as applicable per requirement)
• Managing business impact analyses to determine potential PCI DSS impacts for strategic business decisions
Modified
p. 6
DE.1.2.b Interview personnel and observe compliance activities to verify that the defined processes are implemented for the following:
A3.1.2.b Interview personnel and observe compliance activities to verify that the defined processes are implemented for the following:
Modified
p. 6
• Maintaining and monitoring overall PCI DSS compliance, including business as usual activities
• Annual PCI DSS assessment(s)
• Continuous validation of PCI DSS requirements
• Business impact analyses to determine potential PCI DSS impacts for strategic business decisions
Identify the personnel interviewed who confirm that defined processes are implemented for:
Modified
p. 6
• Maintaining and monitoring overall PCI DSS compliance, including business as usual activities
• Annual PCI DSS assessment(s)
• Continuous validation of PCI DSS requirements
• Business impact analyses to determine potential PCI DSS impacts for strategic business decisions
<Report Findings Here>
Describe how compliance activities were observed to verify that defined processes are implemented for the following:
Modified
p. 6
• Maintaining and monitoring overall PCI DSS compliance, including business as usual activities <Report Findings Here>
• Annual PCI DSS assessment(s) <Report Findings Here>
• Continuous validation of PCI DSS requirements <Report Findings Here>
• Business impact analyses to determine potential PCI DSS impacts for strategic business decisions <Report Findings Here>
DE.1.3 PCI DSS compliance roles and responsibilities must be specifically defined and formally assigned to one or more personnel, including at least the following:
• Maintaining and monitoring overall PCI DSS compliance, including business as usual activities <Report Findings Here>
• Annual PCI DSS assessment(s) <Report Findings Here>
• Continuous validation of PCI DSS requirements <Report Findings Here>
• Business impact analyses to determine potential PCI DSS impacts for strategic business decisions <Report Findings Here>
A3.1.3 PCI DSS compliance roles and responsibilities must be specifically defined and formally assigned to one or more personnel, including at least the following:
Removed
p. 7
• Managing continuous validation of PCI DSS requirements (for example: daily, weekly, quarterly, etc. as applicable per requirement)
• Managing business impact analyses to determine potential PCI DSS impacts for strategic business decisions Identify the information security policies and procedures document(s) examined to verify that roles and responsibilities are clearly defined and that duties are assigned to include at least the following:
Modified
p. 7
DE.1.3.a Examine information security policies and procedures and interview personnel to verify that roles and responsibilities are clearly defined and that duties are assigned to include at least the following:
A3.1.3.a Examine information security policies and procedures and interview personnel to verify that roles and responsibilities are clearly defined and that duties are assigned to include at least the following:
Modified
p. 7
• Managing PCI DSS business as usual activities
• Managing annual PCI DSS assessments
• Managing continuous validation of PCI DSS requirements
• Managing business impact analyses to determine potential PCI DSS impacts for strategic business decisions
<Report Findings Here>
Identify the personnel interviewed who confirm that roles and responsibilities are clearly defined and that duties are assigned to include at least the following:
Modified
p. 7
• Managing PCI DSS business as usual activities
• Managing annual PCI DSS assessments
• Managing continuous validation of PCI DSS requirements
• Managing business impact analyses to determine potential PCI DSS impacts for strategic business decisions
<Report Findings Here>
A3.1.3.b Interview responsible personnel and verify they are familiar with and performing their designated PCI DSS compliance responsibilities.
Removed
p. 8
• Identifying all in-scope networks and system components
• Identifying all connected entities (e.g. third party entities with access to the cardholder data environment (CDE))
Modified
p. 8
DE.1.4 Provide up-to-date PCI DSS and/or information security training at least annually to personnel with PCI DSS compliance responsibilities (as identified in DE.1.3).
A3.1.4 Provide up-to-date PCI DSS and/or information security training at least annually to personnel with PCI DSS compliance responsibilities (as identified in A3.1.3).
Modified
p. 8
PCI DSS Reference: Requirement 12 DE.1.4.a Examine information security policies and procedures to verify that PCI DSS and/or similar information security training is required at least annually for each role with PCI DSS compliance responsibilities.
PCI DSS Reference: Requirement 12 A3.1.4.a Examine information security policies and procedures to verify that PCI DSS and/or similar information security training is required at least annually for each role with PCI DSS compliance responsibilities.
Modified
p. 8
<Report Findings Here> DE.1.4.b Interview personnel and examine certificates of attendance or other records to verify that personnel with PCI DSS compliance responsibility receive up-to-date PCI DSS and/or similar information security training at least annually.
<Report Findings Here> A3.1.4.b Interview personnel and examine certificates of attendance or other records to verify that personnel with PCI DSS compliance responsibility receive up-to-date PCI DSS and/or similar information security training at least annually.
Modified
p. 8
<Report Findings Here> DE.2 Document and validate PCI DSS scope DE.2.1 Document and confirm the accuracy of PCI DSS scope at least quarterly and upon significant changes to the in-scope environment. At a minimum, the quarterly scoping validation should include:
<Report Findings Here> A3.2 Document and validate PCI DSS scope A3.2.1 Document and confirm the accuracy of PCI DSS scope at least quarterly and upon significant changes to the in-scope environment. At a minimum, the quarterly scoping validation should include:
Modified
p. 8
• Identifying all in-scope networks and system components
• Identifying all out-of-scope networks and justification for networks being out of scope, including descriptions of all segmentation controls implemented
• Identifying all connected entities (e.g. third party entities with access to the cardholder data environment (CDE))
Modified
p. 8
PCI DSS Reference: Scope of PCI DSS Requirements DE.2.1.a Examine documented results of scope reviews and interview personnel to verify that the reviews are performed:
PCI DSS Reference: Scope of PCI DSS Requirements A3.2.1.a Examine documented results of scope reviews and interview personnel to verify that the reviews are performed:
Modified
p. 8
• At least quarterly
Identify the documented results of scope reviews examined to verify that the reviews are performed:
Removed
p. 9
• Identification of all in-scope networks and system components
• Identification of all out-of-scope networks and justification for networks being out of scope, including descriptions of all segmentation controls implemented
• Identification of all in-scope networks and system components <Report Findings Here>
• Identification of all out-of-scope networks and justification for networks being out of scope, including descriptions of all segmentation controls implemented <Report Findings Here>
• Performing a formal PCI DSS impact assessment
• Identifying applicable PCI DSS requirements to the system or network
• Updating PCI DSS scope as appropriate
Modified
p. 9
in-scope environment Identify the personnel interviewed who confirm that the reviews are performed:
After significant changes to the in-scope environment Identify the personnel interviewed who confirm that the reviews are performed:
Modified
p. 9
• At least quarterly
• After significant changes to the in-scope environment
<Report Findings Here>
A3.2.1.b Examine documented results of quarterly scope reviews to verify the following is performed:
Modified
p. 9
• Identification of all in-scope networks and system components
• Identification of all out-of-scope networks and justification for networks being out of scope, including descriptions of all segmentation controls implemented
• Identification of all connected entities (e.g. third party entities with access to the CDE)
Using the documented results of quarterly scope review identified at DE 2.1.a, describe how the documented results of quarterly scope reviews were observed to verify that the following is performed:
Modified
p. 9
• Identification of all in-scope networks and system components <Report Findings Here>
• Identification of all out-of-scope networks and justification for networks being out of scope, including descriptions of all segmentation controls implemented <Report Findings Here>
• Identification of all connected entities <Report Findings Here>
A3.2.2 Determine PCI DSS scope impact for all changes to systems or networks, including additions of new systems and new network connections. Processes must include:
Modified
p. 9
• Performing a formal PCI DSS impact assessment
• Identifying applicable PCI DSS requirements to the system or network
• Updating PCI DSS scope as appropriate
• Documented sign-off of the results of the impact assessment by responsible personnel (as defined in A3.1.3)
Removed
p. 10
• Updated network diagram to reflect changes
• Systems are configured per configuration standards, with all default passwords changed and unnecessary services
• Systems are protected with required controls, e.g. file integrity monitoring (FIM), anti-virus, patches, audit logging
• Verification that sensitive authentication data (SAD) is not stored and that all cardholder data (CHD) storage is documented and incorporated into data retention policy and procedures
Modified
p. 10
DE.2.2 Examine change documentation and interview personnel to verify that for each change to systems or networks:
A3.2.2 Examine change documentation and interview personnel to verify that for each change to systems or networks:
Modified
p. 10
• A formal PCI DSS impact assessment was performed
• PCI DSS requirements applicable to the system or network changes were identified
• PCI DSS scope was updated as appropriate for the change
• Sign-off by responsible personnel (as defined in A3.1.3) was obtained and documented
Identify the change documentation examined to verify that for each change to systems or networks:
Modified
p. 10
• A formal PCI DSS impact assessment was performed
• PCI DSS requirements applicable to the system or network changes were identified
• PCI DSS scope was updated as appropriate for the change
• Sign-off by responsible personnel (as defined in A3.1.3) was obtained and documented
<Report Findings Here>
Identify the personnel interviewed who confirm that for each change to systems or networks:
Modified
p. 10
• A formal PCI DSS impact assessment was performed
• PCI DSS requirements applicable to the system or network changes were identified
• PCI DSS scope was updated as appropriate for the change
• Sign-off by responsible personnel (as defined in A3.1.3) was obtained and documented
<Report Findings Here>
A3.2.2.1 Upon completion of a change, all relevant PCI DSS requirements must be verified on all new or changed systems and networks, and documentation must be updated as applicable. Examples of PCI …
Modified
p. 11
DE.2.2.1 For a sample of systems and network changes, examine change records, interview personnel and observe the affected systems/networks to verify that applicable PCI DSS requirements were implemented and documentation updated as part of the change.
A3.2.2.1 For a sample of systems and network changes, examine change records, interview personnel and observe the affected systems/networks to verify that applicable PCI DSS requirements were implemented and documentation updated as part of the change.
Modified
p. 11
<Report Findings Here> DE.2.3 Changes to organizational structure (for example, a company merger or acquisition, change or reassignment of personnel with responsibility for security controls) result in a formal (internal) review of the impact to PCI DSS scope and applicability of controls.
<Report Findings Here> A3.2.3 Changes to organizational structure (for example, a company merger or acquisition, change or reassignment of personnel with responsibility for security controls) result in a formal (internal) review of the impact to PCI DSS scope and applicability of controls.
Modified
p. 11
PCI DSS Reference: Requirement 12 DE.2.3 Examine policies and procedures to verify that a change to organizational structure results in formal review of the impact to PCI DSS scope and applicability of controls.
PCI DSS Reference: Requirement 12 A3.2.3 Examine policies and procedures to verify that a change to organizational structure results in formal review of the impact to PCI DSS scope and applicability of controls.
Modified
p. 11
<Report Findings Here> DE.2.4 If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods.
<Report Findings Here> A3.2.4 If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods.
Modified
p. 11
PCI DSS Reference: Requirement 11 DE.2.4 Examine the results from the most recent penetration test to verify that:
PCI DSS Reference: Requirement 11 A3.2.4 Examine the results from the most recent penetration test to verify that:
Modified
p. 11
Penetration testing to verify segmentation controls is
Is segmentation in use? (yes/no) If no, mark the remainder of DE 2.4 as “not applicable.”
<Report Findings Here>
Identify the date of the most recent penetration test for which results are being examined.
Removed
p. 12
• The penetration testing covers all segmentation controls/methods in use
• The penetration testing verifies that segmentation controls/methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.
• The penetration testing covers all segmentation controls/methods in use <Report Findings Here>
Modified
p. 12
performed at least every six months and after any changes to segmentation controls/methods,
performed at least every six months and after any changes to segmentation controls/methods,
• The penetration testing covers all segmentation controls/methods in use
• The penetration testing verifies that segmentation controls/methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.
Modified
p. 12
Penetration testing to verify segmentation controls is performed at least every six months and after any changes to segmentation controls/methods, <Report Findings Here> The penetration testing covers all segmentation controls/methods in use <Report Findings Here> The penetration testing verifies that segmentation controls/methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.
Removed
p. 13
• Data discovery methodology includes processes for identifying all sources and locations of clear text PAN
• Methodology takes into consideration the potential for clear text PAN to reside on systems and networks outside of the currently defined CDE.
Modified
p. 13
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A DE.2.5 Implement a data discovery methodology to confirm PCI DSS scope and to locate all sources and locations of clear text PAN at least quarterly, and upon significant changes to the cardholder environment or processes.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A A3.2.5 Implement a data discovery methodology to confirm PCI DSS scope and to locate all sources and locations of clear text PAN at least quarterly, and upon significant changes to the cardholder environment or processes.
Modified
p. 13
PCI DSS Reference: Scope of PCI DSS Requirements DE.2.5.a Examine documented data discovery methodology to verify the following:
PCI DSS Reference: Scope of PCI DSS Requirements A3.2.5.a Examine documented data discovery methodology to verify the following:
Modified
p. 13
Data discovery methodology includes processes for identifying all sources and locations of clear text PAN Methodology takes into consideration the potential for clear text PAN to reside on systems and networks outside of the currently defined CDE.
Modified
p. 13
Identify the data discovery methodology document(s) examined to verify that; Data discovery methodology includes processes for identifying all sources and locations of clear text PAN Methodology takes into consideration the potential for clear text PAN to reside on systems and networks outside of the currently defined CDE.
Modified
p. 13
<Report Findings Here> DE.2.5.b Examine results from recent data discovery efforts, and interview responsible personnel to verify that data discovery is performed at least quarterly and upon significant changes to the cardholder environment or processes Describe the results from recent data discovery efforts examined to verify that data discovery is performed at least quarterly and upon significant changes to the cardholder environment or processes.
<Report Findings Here> A3.2.5.b Examine results from recent data discovery efforts, and interview responsible personnel to verify that data discovery is performed at least quarterly and upon significant changes to the cardholder environment or processes Describe the results from recent data discovery efforts examined to verify that data discovery is performed at least quarterly and upon significant changes to the cardholder environment or processes.
Modified
p. 13
<Report Findings Here> DE.2.5.1 Ensure effectiveness of methods used for data discovery
• e.g. methods must be able to discover clear text PAN on all types of system components (for example, on each operating system or platform) and file formats in use.
<Report Findings Here> A3.2.5.1 Ensure effectiveness of methods used for data discovery
• e.g. methods must be able to discover clear text PAN on all types of system components (for example, on each operating system or platform) and file formats in use.
Removed
p. 14
• The process includes verifying the methods are able to discover clear text PAN on all types of system components and file formats in use Identify the personnel interviewed who confirm that;
• The process includes verifying the methods are able to discover clear text PAN on all types of system components and file formats in use <Report Findings Here> Identify the document(s) examined to verify that:
Removed
p. 14
• Procedures for determining how the data ended up outside of the CDE
Modified
p. 14
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A DE.2.5.1.a Interview personnel and review documentation to verify:
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A A3.2.5.1.a Interview personnel and review documentation to verify:
Modified
p. 14
The entity has a process in place to test the effectiveness of methods used for data discovery The process includes verifying the methods are able to discover clear text PAN on all types of system components and file formats in use <Report Findings Here> A3.2.5.1.b Examine the results of recent effectiveness tests to verify the effectiveness of methods used for data discovery is confirmed at least annually.
Modified
p. 14
<Report Findings Here> DE.2.5.2 Implement response procedures to be initiated upon the detection of clear text PAN outside of the CDE to include:
<Report Findings Here> A3.2.5.2 Implement response procedures to be initiated upon the detection of clear text PAN outside of the CDE to include:
Removed
p. 15
• Procedures for determining how the data ended up outside the CDE
• Procedures for identifying any other track data stored with the PANs Identify the response procedures document(s) examined to verify that procedures for responding to the detection of clear text PAN outside of the CDE are defined and include:
• Procedures for identifying if any other track data is stored with the PANs <Report Findings Here> DE.2.5.2.b Interview personnel and examine records of response actions to verify that remediation activities are performed when clear text PAN is detected outside of the CDE.
Modified
p. 15
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A DE.2.5.2.a Examine documented response procedures to verify that procedures for responding to the detection of clear text PAN outside of the CDE are defined and include:
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A A3.2.5.2.a Examine documented response procedures to verify that procedures for responding to the detection of clear text PAN outside of the CDE are defined and include:
Removed
p. 16
• Generating logs and alerts upon detection of clear text PAN leaving the CDE via an unauthorized channel, method or process Identify the document(s) examined to verify that mechanisms are:
Modified
p. 16
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A DE.2.6 Implement mechanisms for detecting and preventing clear text PAN from leaving the CDE via an unauthorized channel, method or process, including generation of audit logs and alerts.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A A3.2.6 Implement mechanisms for detecting and preventing clear text PAN from leaving the CDE via an unauthorized channel, method or process, including generation of audit logs and alerts.
Modified
p. 16
PCI DSS Reference: Scope of PCI DSS Requirements DE.2.6.a Examine documentation and observe implemented mechanisms to verify that the mechanisms are:
PCI DSS Reference: Scope of PCI DSS Requirements A3.2.6.a Examine documentation and observe implemented mechanisms to verify that the mechanisms are:
Modified
p. 16
Implemented and actively running Configured to detect and prevent clear text PAN leaving the CDE via an unauthorized channel, method or process Generating logs and alerts upon detection of clear text PAN leaving the CDE via an unauthorized channel, method or process <Report Findings Here> Describe the implemented mechanisms observed to verify that mechanisms are:
Modified
p. 16
Implemented and actively running Configured to detect and prevent clear text PAN leaving the CDE via an unauthorized channel, method or process Generating logs and alerts upon detection of clear text PAN leaving the CDE via an unauthorized channel, method or process <Report Findings Here> A3.2.6.b Examine audit logs and alerts, and interview responsible personnel to verify that alerts are investigated.
Modified
p. 16
<Report Findings Here> DE.2.6.1 Implement response procedures to be initiated upon the detection of attempts to remove clear text PAN from the CDE via an unauthorized channel, method or process. Response procedures must include:
<Report Findings Here> A3.2.6.1 Implement response procedures to be initiated upon the detection of attempts to remove clear text PAN from the CDE via an unauthorized channel, method or process. Response procedures must include:
Modified
p. 17
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A DE.2.6.1.a Examine documented response procedures to verify that procedures for responding to the attempted removal of clear text PAN from the CDE via an unauthorized channel, method or process include:
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A A3.2.6.1.a Examine documented response procedures to verify that procedures for responding to the attempted removal of clear text PAN from the CDE via an unauthorized channel, method or process include:
Modified
p. 17
Procedures for the timely investigation of alerts by responsible personnel Procedures for remediating data leaks or process gaps, as necessary, to prevent any data loss Identify the response procedures document(s) examined to verify that procedures for responding to the attempted removal of clear text PAN from the CDE via an unauthorized channel, method or process include:
Removed
p. 18
• physical access controls
• logical access controls
• audit logging mechanisms
• segmentation controls (if used)
Modified
p. 18
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A DE.3.1 Implement a process to immediately detect and alert on critical security control failures. Examples of critical security controls include, but are not limited to:
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A A3.3.1 Implement a process to immediately detect and alert on critical security control failures. Examples of critical security controls include, but are not limited to:
Modified
p. 18
PCI DSS Reference: Requirements 1-12 DE.3.1.a Examine documented policies and procedures to verify that processes are defined to immediately detect and alert on critical security control failures.
PCI DSS Reference: Requirements 1-12 A3.3.1.a Examine documented policies and procedures to verify that processes are defined to immediately detect and alert on critical security control failures.
Modified
p. 18
<Report Findings Here> DE.3.1.b Examine detection and alerting processes and interview personnel to verify that processes are implemented for all critical security controls, and that failure of a critical security control results in the generation of an alert.
<Report Findings Here> A3.3.1.b Examine detection and alerting processes and interview personnel to verify that processes are implemented for all critical security controls, and that failure of a critical security control results in the generation of an alert.
Removed
p. 19
• Performing a risk assessment to Identify the policies and procedures document(s) examined to verify that processes are defined and implemented to respond to a security control failure, and include:
Modified
p. 19
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A DE.3.1.1 Respond to failures of any critical security controls in a timely manner. Processes for responding to failures in security controls must include:
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A A3.3.1.1 Respond to failures of any critical security controls in a timely manner. Processes for responding to failures in security controls must include:
Modified
p. 19 → 21
PCI DSS Reference: Requirement 2, 6 A3.3.2.a Examine documented policies and procedures and interview personnel to verify processes are defined and implemented to review hardware and software technologies to confirm whether they continue to meet the organization’s PCI DSS requirements.
Removed
p. 20
• Resuming monitoring of security controls Identify the personnel interviewed who confirm that processes are defined and implemented to respond to a security control failure, and include:
• Resuming monitoring of security controls <Report Findings Here> DE.3.1.1.b Examine records to verify that security control failures are documented to include:
• Identification of cause(s) of the failure, including root cause
• Duration (date and time start and end) of the security failure
Modified
p. 20
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Place determine if further actions are required as a result of the security failure
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Place Performing a risk assessment to determine if further actions are required as a result of the security failure Implementing controls to prevent cause of failure from reoccurring Resuming monitoring of security Identify the personnel interviewed who confirm that processes are defined and implemented to respond to a security control failure, and include:
Modified
p. 20
Identification of cause(s) of the failure, including root cause Duration (date and time start and end) of the security failure Details of the remediation required to address the root cause Identify the records of security control failures examined to verify that security control failures are documented to include:
Removed
p. 21
PCI DSS Reference: Requirement 2, 6 DE.3.2.a Examine documented policies and procedures and interview personnel to verify processes are defined and implemented to review hardware and software technologies to confirm whether they continue to meet the organization’s PCI DSS requirements.
Modified
p. 21
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A DE.3.2 Review hardware and software technologies at least annually to confirm whether they continue to meet the organization’s PCI DSS requirements. (For example, a review of technologies that are no longer supported by the vendor, and/or no longer meet the security needs of the organization.) The process includes a plan for remediating technologies that no longer meet …
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A A3.3.2 Review hardware and software technologies at least annually to confirm whether they continue to meet the organization’s PCI DSS requirements. (For example, a review of technologies that are no longer supported by the vendor, and/or no longer meet the security needs of the organization.) The process includes a plan for remediating technologies that no longer meet …
Modified
p. 21
<Report Findings Here> DE.3.2.b Review the results of the recent reviews to verify reviews are performed at least annually.
<Report Findings Here> A3.3.2.b Review the results of the recent reviews to verify reviews are performed at least annually.
Modified
p. 21
<Report Findings Here> DE.3.2.c For any technologies that have been determined to no longer meet the organization’s PCI DSS requirements, verify a plan is in place to remediate the technology.
<Report Findings Here> A3.3.2.c For any technologies that have been determined to no longer meet the organization’s PCI DSS requirements, verify a plan is in place to remediate the technology.
Removed
p. 22
• Confirm that all BAU activities (e.g. DE.2.2, DE.2.6, and DE.3.1) are being performed
• Confirm that personnel are following security policies and operational procedures (for example, daily log reviews, firewall rule-set reviews, configuration standards for new systems, etc.)
• Document how the reviews were completed, including how all BAU activities were verified as being in place
• Collection of documented evidence as required for the annual PCI DSS assessment
• Review and sign off of results by personnel assigned responsibility for the PCI DSS compliance program (as identified in DE.1.3)
• Retention of records and documentation, for at least 12 months, covering all BAU activities
Modified
p. 22
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A DE.3.3 Perform reviews at least quarterly to verify BAU activities are being followed. Reviews must be performed by personnel assigned to the PCI DSS compliance program (as identified in DE.1.3), and include the following:
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A A3.3.3 Perform reviews at least quarterly to verify BAU activities are being followed. Reviews must be performed by personnel assigned to the PCI DSS compliance program (as identified in A3.1.3), and include the following:
Removed
p. 23
• Confirming that all BAU activities (e.g. DE.2.2, DE.2.6, and DE.3.1) are being performed
• Confirming that personnel are following security policies and operational procedures (for example, daily log reviews, firewall rule-set reviews, configuration standards for new systems, etc.)
• Documenting how the reviews were completed, including how all BAU activities were verified as being in place
• Collecting documented evidence as required for the annual PCI DSS assessment
• Reviewing and sign off of results by executive management assigned responsibility for PCI DSS governance
• Retaining records and documentation, for at least 12 months, covering all BAU activities Identify the policies and procedures document(s) examined to verify that processes are defined …
Modified
p. 23
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A DE.3.3.a Examine policies and procedures to verify that processes are defined for reviewing and verifying BAU activities. Verify the procedures include:
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A A3.3.3.a Examine policies and procedures to verify that processes are defined for reviewing and verifying BAU activities. Verify the procedures include:
Removed
p. 24
• Reviews are performed at least quarterly Identify the responsible personnel interviewed who confirm that:
• Reviews are performed by personnel assigned to the PCI DSS compliance program
Removed
p. 24
• Reviews confirm that access is appropriate based on job function, and that all access is authorized <Report Findings Here> DE.5 Identify and respond to suspicious events.
Modified
p. 24
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A DE.3.3.b Interview responsible personnel and examine records of reviews to verify that:
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A A3.3.3.b Interview responsible personnel and examine records of reviews to verify that:
Modified
p. 24
Reviews are performed by personnel assigned to the PCI DSS compliance program Reviews are performed at least quarterly Identify the responsible personnel interviewed who confirm that:
Modified
p. 24
Reviews are performed by personnel assigned to the PCI DSS compliance program Reviews are performed at least quarterly <Report Findings Here> Identify the records of reviews document(s) examined to verify that:
Modified
p. 24
Reviews are performed by personnel assigned to the PCI DSS compliance program Reviews are performed at least quarterly <Report Findings Here> A3.4 Control and manage logical access to the cardholder data environment.
Modified
p. 24
A3.4.1 Review user accounts and access privileges to in-scope system components at least every six months to ensure user accounts and access remain appropriate, based on job function, and authorized.
Modified
p. 24
PCI DSS Reference: Requirement 7 DE.4.1 Interview responsible personnel and examine supporting documentation to verify that:
PCI DSS Reference: Requirement 7 A3.4.1 Interview responsible personnel and examine supporting documentation to verify that:
Modified
p. 24
User accounts and access privileges are reviewed at least every six months Reviews confirm that access is appropriate based on job function, and that all access is authorized Identify the personnel interviewed who confirm that:
Modified
p. 24
User accounts and access privileges are reviewed at least every six months Reviews confirm that access is appropriate based on job function, and that all access is authorized <Report Findings Here> Identify the supporting document(s) examined to verify that:
Removed
p. 25
• Issuance of timely alerts upon detection of suspicious activity or anomaly to responsible personnel
• Response to alerts in accordance with documented response procedures
Modified
p. 25
A3.5.1 Implement a methodology for the timely identification of attack patterns and undesirable behavior across systems (for example, using coordinated manual reviews and/or using centrally-managed or automated log correlation tools) to include at least the following:
Modified
p. 25
PCI DSS Reference: Requirements 10, 12 DE.5.1.a Review documentation and interview personnel to verify a methodology is defined and implemented to identify attack patterns and undesirable behavior across systems in a timely manner, and includes the following:
PCI DSS Reference: Requirements 10, 12 A3.5.1.a Review documentation and interview personnel to verify a methodology is defined and implemented to identify attack patterns and undesirable behavior across systems in a timely manner, and includes the following:
Modified
p. 25
Identification of anomalies or suspicious activity as they occur Issuance of timely alerts to responsible personnel Response to alerts in accordance with documented response procedures Identify the policies and procedures document(s) examined to verify that a methodology is defined and implemented to identify attack patterns and undesirable behavior across systems in a timely manner, and includes the following:
Modified
p. 25
Identification of anomalies or suspicious activity as they occur Issuance of timely alerts to responsible Response to alerts in accordance with documented response procedures <Report Findings Here> Identify the personnel interviewed who confirm that a methodology is defined and implemented to identify attack patterns and undesirable behavior across systems in a timely manner, and includes the following:
Modified
p. 26
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A DE.5.1.b Examine incident response procedures and interview responsible personnel to verify that:
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A A3.5.1.b Examine incident response procedures and interview responsible personnel to verify that:
Modified
p. 26
On-call personnel receive timely alerts Alerts are responded to per documented response procedures Identify the incident response procedures document(s) examined to verify that:
Modified
p. 26
On-call personnel receive timely alerts Alerts are responded to per documented response procedures <Report Findings Here> Identify the personnel interviewed who confirm that:
Modified
p. 26
On-call personnel receive timely alerts Alerts are responded to per documented response procedures <Report Findings Here>