Document Comparison
PCI-DSS-v3_2-SAQ-P2PE-rev1_1.pdf → PCI-DSS-v3-2-1-SAQ-P2PE%20-r2.pdf
94% similar
Pages: 24 → 24
Words: 6314 → 6394
Content Changes: 56
56 content changes. 21 administrative changes (dates, page numbers) hidden.
Added
p. 2
This document aligns with PCI DSS v3.2.1 r1.
• All payment processing is via a validated PCI P2PE solution approved and listed by the PCI SSC;
• Your company does not otherwise receive or transmit cardholder data electronically;
• There is no legacy storage of electronic cardholder data in the environment;
• Any cardholder data your company retains is on paper (for example, printed reports or receipts), and these documents are not received electronically; and
• Your company has implemented all controls in the P2PE Instruction Manual (PIM) provided by the P2PE Solution Provider.
• Guidance on Scoping
• Guidance on the intent of all PCI DSS Requirements
• Details of testing procedures
• Guidance on Compensating Controls
SAQ Instructions and Guidelines documents
• Information about all SAQs and their eligibility criteria
• How to determine which SAQ is right for your organization
• Descriptions and definitions of terms used in the PCI DSS and self-assessment questionnaires
These and other resources can …
Added
p. 10
• Examine deletion mechanism.
• Review policies and procedures.
• Examine retention requirements.
• Observe deletion processes.
(e) Does all stored cardholder data meet the requirements defined in the data-retention policy?
• Examine files and system records.
Guidance: A “Yes” answer for Requirement 3.2.2 means that if the merchant writes down the card security code while a transaction is being conducted, the merchant either securely destroys the paper (for example, with a shredder) immediately after the transaction is complete, or obscures the code (for example, by “blacking it out” with a marker) before the paper is stored.
• Known to all affected parties?
• Review security policies and operational procedures.
• Review policies and procedures for physically securing media.
Are storage containers used for materials that contain information to be destroyed secured to prevent access to the contents?
• Review periodic media destruction policies and procedures.
• Examine security of storage containers.
Added
p. 13
• Examine the list of devices.
(b) Is the list accurate and up to date?
• Observe devices and device locations and compare to list.
(c) Is the list of devices updated when devices are added, relocated, decommissioned, etc.?
• Interview personnel.
(b) Are personnel aware of procedures for inspecting devices?
• Interview personnel.
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 9.9.3 (cont.) (b) Have personnel at point-of-sale locations received training, and are they aware of procedures to detect and report attempted tampering or replacement of devices?
• Interview personnel at POS locations.
• Known to all affected parties?
• Examine security policies and operational procedures.
Added
p. 16
• Interview responsible personnel.
• Interview a sample of responsible personnel.
PCI DSS Question Expected Testing Response (Check one response for each question) Yes Yes with 12.6 (a) Is a formal security awareness program in place to make all personnel aware of the cardholder data security policy and procedures?
• Review security awareness program.
Added
p. 17
• Review list of service providers.
• Observe written agreements.
PCI DSS Question Expected Testing Response (Check one response for each question) Yes Yes with 12.8.4 Is a program maintained to monitor service providers’ PCI DSS compliance status at least annually?
• Review policies and procedures and supporting documentation.
Added
p. 18
• Review incident response plan procedures.
Appendix A2: Additional PCI DSS Requirements for Entities using SSL/Early TLS for Card-Present POS POI Terminal Connections This appendix is not used for SAQ P2PE merchant assessments.
Modified
p. 1
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire P2PE and Attestation of Compliance Merchants using Hardware Payment Terminals in a PCI SSC-Listed P2PE Solution Only
• No Electronic Cardholder Data Storage For use with PCI DSS Version3.2 Revision 1.1
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire P2PE and Attestation of Compliance Merchants using Hardware Payment Terminals in a PCI SSC-Listed P2PE Solution Only
• No Electronic Cardholder Data Storage For use with PCI DSS Version 3.2.1 Revision 2
Removed
p. 4
There is no legacy storage of electronic cardholder data in the environment;
If your company stores cardholder data, such data is only in paper reports or copies of paper receipts and is not received electronically, and
Your company has implemented all controls in the P2PE Instruction Manual (PIM) provided by the P2PE Solution Provider.
Modified
p. 4
• The only systems in the merchant environment that store, process or transmit account data are the Point of Interaction (POI) devices which are approved for use with the validated and PCI-listed P2PE solution;
Modified
p. 4
1. Identify the applicable SAQ for your environment – refer to the Self-Assessment Questionnaire Instructions and Guidelines document on PCI SSC website for information.
1. Identify the applicable SAQ for your environment⎯refer to the Self-Assessment Questionnaire Instructions and Guidelines document on PCI SSC website for information.
Removed
p. 5
PCI DSS (PCI Data Security Standard Requirements and Security Assessment Procedures)
Guidance on Scoping
Guidance on the intent of all PCI DSS Requirements
Details of testing procedures
Guidance on Compensating Controls
SAQ Instructions and Guidelines documents
Information about all SAQs and their eligibility criteria
How to determine which SAQ is right for your organization
Modified
p. 5
Expected Testing The instructions provided in the “Expected Testing” column are based on the testing procedures in the PCI DSS, and provide a high-level description of the types of testing activities that should be performed in order to verify that a requirement has been met. Full details of testing procedures for each requirement can be found in the PCI DSS.
Modified
p. 6
(Not Applicable) The requirement does not apply to the organization’s environment. (See Guidance for Non-Applicability of Certain, Specific Requirements below for examples.) All responses in this column require a supporting explanation in Appendix C of the SAQ.
Removed
p. 7
Retailer Telecommunication Grocery and Supermarkets Petroleum Mail/Telephone-Order Others (please specify):
Modified
p. 7
Section 1: Assessment Information Instructions for Submission This document must be completed as a declaration of the results of the merchant’s self-assessment with the Payment Card Industry Data Security Standard (PCI DSS) Requirements and Security Assessment Procedures. Complete all sections. The merchant is responsible for ensuring that each section is completed by the relevant parties, as applicable. Contact your acquirer (merchant bank) or the payment brands to determine reporting and submission procedures.
Section 1: Assessment Information Instructions for Submission This document must be completed as a declaration of the results of the merchant’s self-assessment with the Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures (PCI DSS). Complete all sections: The merchant is responsible for ensuring that each section is completed by the relevant parties, as applicable. Contact your acquirer (merchant bank) or the payment brands to determine reporting and submission procedures.
Modified
p. 7
Part 1. Merchant and Qualified Security Assessor Information Part 1a. Merchant Organization Information Company Name: DBA (Doing Business As):
Part 1. Merchant and Qualified Security Assessor Information Part 1a. Merchant Organization Information Company Name: DBA (doing business as):
Modified
p. 7
Business Address City:
Business Address: City:
Modified
p. 7
Business Address City:
Business Address: City:
Modified
p. 7
State/Province: Country: ZIP:
State/Province: Country: Zip:
Modified
p. 7
State/Province: Country: ZIP:
State/Province: Country: Zip:
Modified
p. 7
Part 2. Executive Summary Part 2a: Type of merchant business (check all that apply):
Part 2. Executive Summary Part 2a. Type of Merchant Business (check all that apply) Retailer Telecommunication Grocery and Supermarkets Petroleum Mail/Telephone Order (MOTO) Others (please specify):
Modified
p. 8
• Connections into and out of the cardholder data environment (CDE).
Modified
p. 8
Does your business use network segmentation to affect the scope of your PCI DSS environment? (Refer to Network Segmentation section of PCI DSS for guidance on network segmentation)
Does your business use network segmentation to affect the scope of your PCI DSS environment? (Refer to “Network Segmentation” section of PCI DSS for guidance on network segmentation.)
Modified
p. 9
Note: Requirement 12.8 applies to all entities listed in response to this question.
Note: Requirement 12.8 applies to all entities in this list.
Modified
p. 9
The only systems in the merchant environment that store, process or transmit account data are the Point of Interaction (POI) devices which are approved for use with the validated and PCI-listed P2PE solution.
The only systems in the merchant environment that store, process or transmit account data are the Point of Interaction (POI) devices that are approved for use with the validated and PCI-listed P2PE solution.
Modified
p. 10
Note: The following questions are numbered according to the actual PCI DSS requirements and testing procedures, as defined in the PCI DSS Requirements and Security Assessment Procedures document. As only a subset of PCI DSS requirements are provided in this SAQ P2PE, the numbering of these questions may not be consecutive.
Note: The following questions are numbered according to the PCI DSS requirements and testing procedures, as defined in the PCI DSS Requirements and Security Assessment Procedures document. As only a subset of PCI DSS requirements are provided in this SAQ P2PE, the numbering of these questions may not be consecutive.
Modified
p. 10
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A 3.1 Are data-retention and disposal policies, procedures, and processes implemented as follows:
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 3.1 Are data-retention and disposal policies, procedures, and processes implemented as follows:
Modified
p. 10
(a) Is data storage amount and retention time limited to that required for legal, regulatory, and/or business requirements?
(a) Is data storage amount and retention time limited to that required for legal, regulatory, and/or business requirements? • Review data retention and disposal policies and procedures.
Modified
p. 10
(b) Are there defined processes in place for securely deleting cardholder data when no longer needed for legal, regulatory, and/or business reasons? • Review policies and procedures.
Modified
p. 10
(d) Is there a quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention requirements? • Review policies and procedures.
Modified
p. 11
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A (e) Does all stored cardholder data meet the requirements defined in the data-retention policy? Examine files and system records Guidance: “Yes” answers for requirements at 3.1 mean that if a merchant stores any paper (for example, receipts or paper reports) that contain account data, the merchant only stores the paper as long as it is needed for business, legal, and/or regulatory reasons …
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A Guidance: “Yes” answers for requirements at 3.1 mean that if a merchant stores any paper (for example, receipts or paper reports) that contain account data, the merchant only stores the paper as long as it is needed for business, legal, and/or regulatory reasons and destroys the paper once it is no longer needed.
Modified
p. 12
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A 9.5 Are all media physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes)? For purposes of Requirement 9, “media” refers to all paper and electronic media containing cardholder data.
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 9.5 Are all media physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes)? For purposes of Requirement 9, “media” refers to all paper and electronic media containing cardholder data.
Modified
p. 12
Guidance: “Yes” answers for requirements at 9.5 and 9.8 mean that the merchant securely stores any paper with account data, for example by storing them in a locked drawer, cabinet, or safe, and that the merchant destroys such paper when no longer needed for business purposes. This includes a written document or policy for employees so they know how to secure paper with account data and how to destroy the paper when no longer needed.
Removed
p. 13
Review policies and procedures
9.9.1 (a) Does the list of devices include the following?
Make, model of device
Location of device (for example, the address of the site or facility where the device is located)
Device serial number or other method of unique identification
Examine the list of devices
(b) Is the list accurate and up to date?
Observe devices and device locations and compare to list
(c) Is the list of devices updated when devices are added, relocated, decommissioned, etc.?
Interview personnel
Modified
p. 13
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A 9.9 Are devices that capture payment card data via direct physical interaction with the card protected against tampering and substitution as follows? Note: This requirement applies to card-reading devices used in card-present transactions (that is, card swipe or dip) at the point of sale. This requirement is not intended to apply to manual key- entry components such as computer keyboards and POS keypads.
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 9.9 Are devices that capture payment card data via direct physical interaction with the card protected against tampering and substitution as follows? Note: This requirement applies to card-reading devices used in card-present transactions (that is, card swipe or dip) at the point of sale. This requirement is not intended to apply to manual key-entry components such as computer keyboards and POS keypads.
Modified
p. 13
(a) Do policies and procedures require that a list of such devices be maintained?
(a) Do policies and procedures require that a list of such devices be maintained? • Review policies and procedures.
Modified
p. 13
(b) Do policies and procedures require that devices are periodically inspected to look for tampering or substitution? • Review policies and procedures.
Modified
p. 13
(c) Do policies and procedures require that personnel are trained to be aware of suspicious behavior and to report tampering or substitution of devices? • Review policies and procedures.
Removed
p. 14
Interview personnel
9.9.3 Are personnel trained to be aware of attempted tampering or replacement of devices, to include the following?
Modified
p. 14
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A 9.9.2 (a) Are device surfaces periodically inspected to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device) as follows? Note: Examples of signs that a device might have been tampered with or substituted include unexpected attachments or cables …
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 9.9.2 (a) Are device surfaces periodically inspected to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device) as follows? Note: Examples of signs that a device might have been tampered with or substituted include unexpected attachments or cables plugged into …
Modified
p. 14
• Observe inspection processes and compare to defined processes.
Modified
p. 14
• Review training materials.
Modified
p. 15
Guidance: “Yes” answers to requirements at 9.9 mean the merchant has policies and procedures in place for Requirements 9.9.1 – 9.9.3, and that they maintain a current list of devices, conduct periodic device inspections, and …
Guidance: “Yes” answers to requirements at 9.9 mean the merchant has policies and procedures in place for Requirements 9.9.1 – 9.9.3, and that they maintain a current list of devices, conduct periodic device inspections, and train employees about what to look for to detect tampered or replaced devices.
Modified
p. 16
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 12.1 Is a security policy established, published, maintained, and disseminated to all relevant personnel?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes Yes with 12.1 Is a security policy established, published, maintained, and disseminated to all relevant personnel? • Review the information security policy.
Modified
p. 16
Guidance: “Yes” answers for requirements at 12.1 mean that the merchant has a security policy that is reasonable for the size and complexity of the merchant’s operations, and that the policy is reviewed annually and updated if needed. For example, such a policy could be a simple document that covers how to protect the store and payment devices in accordance with the P2PE Instruction Manual (PIM), and who to call in an emergency.
Modified
p. 17
Guidance: A Yes” answer for Requirement 12.6 means that the merchant has a security awareness program in place, consistent with the size and complexity of the merchant’s operations. For example, a simple awareness program could be a flyer posted in the back office, or a periodic e-mail sent to all employees. Examples of awareness program messaging include descriptions of security tips all employees should follow, such as how to lock doors and storage containers, how to determine whether a payment …
Modified
p. 17
• Review policies and procedures.
Removed
p. 18
Observe processes
Review policies and procedures and supporting documentation
12.8.4 Is a program maintained to monitor service providers’ PCI DSS compliance status at least annually?
Modified
p. 18
Guidance: “Yes” answers for requirements at 12.8 mean that the merchant has a list of, and agreements with, service providers they share cardholder data with. For example, such agreements would be applicable if a merchant uses a document-retention company to store paper documents that include account data.
Removed
p. 19
Appendix A2: Additional PCI DSS Requirements for Entities using SSL/early TLS
This appendix is not used for SAQ P2PE merchant assessments.
Appendix A3: Designated Entities Supplemental Validation (DESV)
This Appendix applies only to entities designated by a payment brand(s) or acquirer as requiring additional validation of existing PCI DSS requirements. Entities required to validate to this Appendix should use the DESV Supplemental Reporting Template and Supplemental Attestation of Compliance for reporting, and consult with the applicable payment brand and/or acquirer for submission procedures.
Modified
p. 22
Based on the results documented in the SAQ P2PE noted above, the signatories identified in Parts 3b-3d, as applicable, assert(s) the following compliance status for the entity identified in Part 2 of this document (check one):
Based on the results documented in the SAQ P2PE noted above, the signatories identified in Parts 3b-3d, as applicable, assert(s) the following compliance status for the entity identified in Part 2 of this document: (check one):
Modified
p. 22
Compliant: All sections of the PCI DSS SAQ P2PE are complete, and all questions answered affirmatively, resulting in an overall COMPLIANT rating, thereby (Merchant Company Name) has demonstrated full compliance with the PCI DSS.
Compliant: All sections of the PCI DSS SAQ P2PE are complete, all questions answered affirmatively, resulting in an overall COMPLIANT rating; thereby (Merchant Company Name) has demonstrated full compliance with the PCI DSS.
Modified
p. 22
An entity submitting this form with a status of Non-Compliant may be required to complete the Action Plan in Part 4 of this document. Check with your acquirer or the payment brand(s) before completing Part 4, since not all payment brands require this section.
An entity submitting this form with a status of Non-Compliant may be required to complete the Action Plan in Part 4 of this document Check with your acquirer or the payment brand(s) before completing Part 4, since not all payment brands require this section.
Modified
p. 22
All information within the above-referenced SAQ and in this attestation fairly represents the results of my assessment.
All information within the above-referenced SAQ and in this attestation fairly represents the results of my assessment in all material respects.
Removed
p. 23
No evidence of full track data¹, CAV2, CVC2, CID, or CVV2 data², or PIN data³ was found on ANY system reviewed during this assessment.
Modified
p. 24
PCI DSS Requirement* Description of Requirement Compliance to PCI DSS Requirements (Select One) Remediation Date and Actions (If “NO” selected for any Requirement) YES NO 3 Protect stored cardholder data 9 Restrict physical access to cardholder data Maintain a policy that addresses information security for all personnel * PCI DSS Requirements indicated here refer to the questions in Section 2 of the SAQ.
PCI DSS Requirement* Description of Requirement Compliant to PCI DSS Requirements (Select One) Remediation Date and Actions (If “NO” selected for any Requirement) YES NO 3 Protect stored cardholder data.