Document Comparison

aoc_saq_b.pdf AOC_SAQ_B_v3-1_rev1-1.pdf
23% similar
20 → 8 Pages
4411 → 1657 Words
37 Content Changes

Content Changes

37 content changes. 22 administrative changes (dates, page numbers) hidden.

Added p. 2
Section 1: Assessment Information

Instructions for Submission
This document must be completed as a declaration of the results of the merchant’s self-assessment with the Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures (PCI DSS). Complete all sections: The merchant is responsible for ensuring that each section is completed by the relevant parties, as applicable. Contact acquirer (merchant bank) or the payment brands to determine reporting and submission procedures.

ISA Name(s) (if applicable): Title:

What types of payment channels does your business serve?

Mail order/telephone order (MOTO)
E-Commerce
Card-present (face-to-face)

Which payment channels are covered by this SAQ?

Mail order/telephone order (MOTO)
E-Commerce
Card-present (face-to-face)

Note: If your organization has a payment channel or process that is not covered by this SAQ, consult your acquirer or payment brand about validation for the other channels.
Added p. 3
Type of facility | Number of facilities of this type | Location(s) of facility (city, country)
Example: Retail outlets | 3 | Boston, MA, USA

Part 2d. Payment Application
Does the organization use one or more Payment Applications? Yes No
Provide the following information regarding the Payment Applications your organization uses:

Payment Application | Version Number | Application | Is application PA-DSS Listed? | PA-DSS Listing Expiry date (if applicable)

Part 2e. Description of Environment
Provide a high-level description of the environment covered by this assessment.

For example:

• Connections into and out of the cardholder data environment (CDE).

• Critical system components within the CDE, such as POS devices, databases, web servers, etc., and any other necessary payment components, as applicable.

Does your business use network segmentation to affect the scope of your PCI DSS environment? (Refer to “Network Segmentation” section of PCI DSS for guidance on network segmentation)
Added p. 4
Note: Requirement 12.8 applies to all entities in this list.

Section 2: Self-Assessment Questionnaire B
This Attestation of Compliance reflects the results of a self-assessment, which is documented in an accompanying SAQ.

The assessment documented in this attestation and in the SAQ was completed on:

Have compensating controls been used to meet any requirement in the SAQ? Yes No
Were any requirements in the SAQ identified as being not applicable (N/A)? Yes No
Were any requirements in the SAQ unable to be met due to a legal constraint? Yes No

Section 3: Validation and Attestation Details
Part 3. PCI DSS Validation
Based on the results noted in the SAQ B dated (completion date), the signatories identified in Parts 3b-3d, as applicable, assert(s) the following compliance status for the entity identified in Part 2 of this document as of (date): (check one):

Compliant but with Legal exception: One or more requirements are marked “No” due to …
Added p. 8
Check with your acquirer or the payment brand(s) before completing Part 4.
Removed p. 2
October 28, 2010 2.0 To align content with new PCI DSS v2.0 requirements and testing procedures.
Removed p. 4
PCI Data Security Standard: Related Documents The following documents were created to assist merchants and service providers in understanding the PCI Data Security Standard and the PCI DSS SAQ.

PCI Data Security Standard: Requirements and Security Assessment Procedures All merchants and service providers Navigating PCI DSS: Understanding the Intent of the Requirements All merchants and service providers

PCI Data Security Standard: Self-Assessment Guidelines and Instructions All merchants and service providers

PCI Data Security Standard: Self-Assessment Questionnaire A and Attestation Eligible merchants1

PCI Data Security Standard: Self-Assessment Questionnaire B and Attestation Eligible merchants1

PCI Data Security Standard: Self-Assessment Questionnaire C-VT and Attestation Eligible merchants1

PCI Data Security Standard: Self-Assessment Questionnaire C and Attestation Eligible merchants1

PCI Data Security Standard: Self-Assessment Questionnaire D and Attestation Eligible merchants and service providers1

PCI Data Security Standard and Payment Application Data Security Standard: Glossary of Terms, Abbreviations, and Acronyms All merchants and service providers 1 To determine the appropriate Self-Assessment Questionnaire, see PCI …
Removed p. 5
• Your company uses only imprint machines and/or uses only standalone, dial-out terminals (connected via a phone line to your processor) to take your customers’ payment card information;
• The standalone, dial-out terminals are not connected to any other systems within your environment;
• The standalone, dial-out terminals are not connected to the Internet;
• Your company does not transmit cardholder data over a network (either an internal network or the Internet);
• Your company retains only paper reports or paper copies of receipts with cardholder data, and these documents are not received electronically; and
• Your company does not store cardholder data in electronic format.

Each section of the questionnaire focuses on a specific area of security, based on the requirements in the PCI DSS Requirements and Security Assessment Procedures. This shortened version of the SAQ includes questions which apply to a specific type of small merchant environment, as defined …
Removed p. 6
Part 2. Type of merchant business (check all that apply):

List facilities and locations included in PCI DSS review:

Part 2a. Relationships
Does your company have a relationship with one or more third-party agents (for example, gateways, web-hosting companies, airline booking agents, loyalty program agents, etc.)? Yes No
Does your company have a relationship with more than one acquirer? Yes No
Modified p. 6 → 2
Part 1. Merchant and Qualified Security Assessor Information Part 1a. Merchant Organization Information Company Name: DBA(S):
Part 1. Merchant and Qualified Security Assessor Information Part 1a. Merchant Organization Information Company Name: DBA (doing business as):
Modified p. 6 → 2
Business Address City:
Business Address: City:
Modified p. 6 → 2
Business Address City:
Business Address: City:
Modified p. 6 → 2
State/Province: Country: ZIP:
State/Province: Country: Zip:
Modified p. 6 → 2
State/Province: Country: ZIP:
State/Province: Country: Zip:
Modified p. 6 → 2
Lead QSA Contact Name:
Lead QSA Contact Name: Title:
Modified p. 6 → 2
Retailer Telecommunication Grocery and Supermarkets Petroleum E-Commerce Mail/Telephone-Order Others (please specify):
Part 2. Executive Summary Part 2a. Type of Merchant Business (check all that apply) Retailer Telecommunication Grocery and Supermarkets Petroleum E-Commerce Mail order/telephone order (MOTO) Others (please specify):
Removed p. 7
Part 3. PCI DSS Validation Based on the results noted in the SAQ B dated (completion date), (Merchant Company Name) asserts the following compliance status (check one):
Modified p. 7 → 4
Payment Application in Use Version Number Last Validated according to PABP/PA-DSS Part 2c. Eligibility to Complete SAQ B Merchant certifies eligibility to complete this shortened version of the Self-Assessment Questionnaire because:
Part 2g. Eligibility to Complete SAQ B Merchant certifies eligibility to complete this shortened version of the Self-Assessment Questionnaire because, for this payment channel:
Modified p. 7 → 4
Merchant uses only an imprint machine to imprint customers’ payment card information and does not transmit cardholder data over either a phone line or the Internet; or Merchant uses only standalone, dial-out terminals; and the standalone, dial-out terminals are not connected to the Internet or any other systems within the merchant environment; Merchant does not store cardholder data in electronic format; and If Merchant does store cardholder data, such data is only paper reports or copies of paper receipts and …
Merchant uses only an imprint machine to imprint customers’ payment card information and does not transmit cardholder data over either a phone line or the Internet; and/or Merchant uses only standalone, dial-out terminals (connected via a phone line to your processor); and the standalone, dial-out terminals are not connected to the Internet or any other systems within the merchant environment; Merchant does not transmit cardholder data over a network (either an internal network or the Internet); Merchant does not store …
Modified p. 7 → 6
Compliant: All sections of the PCI SAQ are complete, and all questions answered “yes,” resulting in an overall COMPLIANT rating, thereby (Merchant Company Name) has demonstrated full compliance with the PCI DSS.
Compliant: All sections of the PCI DSS SAQ are complete, all questions answered affirmatively, resulting in an overall COMPLIANT rating; thereby (Merchant Company Name) has demonstrated full compliance with the PCI DSS.
Modified p. 7 → 6
Non-Compliant: Not all sections of the PCI SAQ are complete, or some questions are answered “no,” resulting in an overall NON-COMPLIANT rating, thereby (Merchant Company Name) has not demonstrated full compliance with the PCI DSS.
Non-Compliant: Not all sections of the PCI DSS SAQ are complete, or not all questions are answered affirmatively, resulting in an overall NON-COMPLIANT rating, thereby (Merchant Company Name) has not demonstrated full compliance with the PCI DSS.
Modified p. 7 → 6
An entity submitting this form with a status of Non-Compliant may be required to complete the Action Plan in Part 4 of this document. Check with your acquirer or the payment brand(s) before completing Part 4, since not all payment brands require this section.
An entity submitting this form with a status of Non-Compliant may be required to complete the Action Plan in Part 4 of this document. Check with your acquirer or the payment brand(s) before completing Part 4.
Removed p. 8
Part 3b. Merchant Acknowledgement
Signature of Merchant Executive Officer | Date
Merchant Executive Officer Name | Title
Merchant Company Represented

2 Data encoded in the magnetic stripe or equivalent data on a chip used for authorization during a card-present transaction.
Modified p. 8 → 6
All information within the above-referenced SAQ and in this attestation fairly represents the results of my assessment.
All information within the above-referenced SAQ and in this attestation fairly represents the results of my assessment in all material respects.
Modified p. 8 → 6
I have read the PCI DSS and I recognize that I must maintain full PCI DSS compliance at all times.
I have read the PCI DSS and I recognize that I must maintain PCI DSS compliance, as applicable to my environment, at all times.
Modified p. 9 → 8
PCI DSS Requirement | Description of Requirement | Compliance Status (Select One): YES / NO | Remediation Date and Actions (if Compliance Status is “NO”)
3 | Protect stored cardholder data
4 | Encrypt transmission of cardholder data across open, public networks
7 | Restrict access to cardholder data by business need to know
9 | Restrict physical access to cardholder data
12 | Maintain a policy that addresses information security for all personnel
PCI DSS Requirement* | Description of Requirement | Compliant to PCI DSS Requirements (Select One): YES / NO | Remediation Date and Actions (If “NO” selected for any Requirement)
3 | Protect stored cardholder data
4 | Encrypt transmission of cardholder data across open, public networks
7 | Restrict access to cardholder data by business need to know
9 | Restrict physical access to cardholder data
12 | Maintain a policy that addresses information security for all personnel
* PCI DSS Requirements indicated here refer to the questions in Section 2 …
Removed p. 10
Note: The following questions are numbered according to PCI DSS requirements and testing procedures, as defined in the PCI DSS Requirements and Security Assessment Procedures document.

Date of Completion: Protect Cardholder Data

Requirement 3: Protect stored cardholder data

PCI DSS Question Response: Yes No Special* 3.2 (b) If sensitive authentication data is received and deleted, are processes in place to securely delete the data to verify that the data is unrecoverable?

(c) Do all systems adhere to the following requirements regarding non-storage of sensitive authentication data after authorization (even if encrypted)? 3.2.1 The full contents of any track from the magnetic stripe (located on the back of a card, equivalent data contained on a chip, or elsewhere) are not stored under any circumstance? This data is alternatively called full track, track, track 1, track 2, and magnetic-stripe data. In the normal course of business, the following data elements from the magnetic stripe may need …
Removed p. 10
• This requirement does not apply to employees and other parties with a specific need to see the full PAN;
• This requirement does not supersede stricter requirements in place for displays of cardholder data, for example, for point-of-sale (POS) receipts.

* “Not Applicable” (N/A) or “Compensating Control Used.” Organizations using this section must complete the Compensating Control Worksheet or Explanation of Non-Applicability Worksheet, as appropriate, in the Appendix.
Removed p. 11
Requirement 4: Encrypt transmission of cardholder data across open, public networks

PCI DSS Question Response: Yes No Special* 4.2 (b) Are policies in place that state that unprotected PANs are not to be sent via end-user messaging technologies? * “Not Applicable” (N/A) or “Compensating Control Used.” Organizations using this section must complete the Compensating Control Worksheet or Explanation of Non-Applicability Worksheet, as appropriate, in the Appendix.
Removed p. 12
Requirement 7: Restrict access to cardholder data by business need to know

PCI DSS Question Response: Yes No Special* 7.1 Is access to system components and cardholder data limited to only those individuals whose jobs require such access as follows:
Removed p. 12
PCI DSS Question Response: Yes No Special* 9.6 Are all media physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes)? For purposes of Requirement 9, “media” refers to all paper and electronic media containing cardholder data.
Removed p. 13
PCI DSS Question Response: Yes No Special* 9.10 Is all media destroyed when it is no longer needed for business or legal reasons? Is destruction performed as follows:
Removed p. 14
Requirement 12: Maintain a policy that addresses information security for all personnel

PCI DSS Question Response: Yes No Special* 12.1 Is a security policy established, published, maintained, and disseminated to all relevant personnel? For the purposes of Requirement 12, “personnel” refers to full-time and part-time employees, temporary employees and personnel, and contractors and consultants who are “resident” on the entity’s site or otherwise have access to the company’s site cardholder data environment.

Is the information security policy reviewed at least once a year and updated as needed to reflect changes to business objectives or the risk environment? 12.3 Are usage policies for critical technologies (for example, remote-access technologies, wireless technologies, removable electronic media, laptops, tablets, personal data/digital assistants [PDAs], e-mail, and Internet usage) developed to define proper use of these technologies for all personnel, and require the following:
Removed p. 15
PCI DSS Question Response: Yes No Special* 12.8 If cardholder data is shared with service providers, are policies and procedures maintained and implemented to manage service providers, as follows?
Removed p. 17
1. Meet the intent and rigor of the original PCI DSS requirement.

2. Provide a similar level of defense as the original PCI DSS requirement, such that the compensating control sufficiently offsets the risk that the original PCI DSS requirement was designed to defend against. (See Navigating PCI DSS for the intent of each PCI DSS requirement.)

3. Be “above and beyond” other PCI DSS requirements. (Simply being in compliance with other PCI DSS requirements is not a compensating control.) When evaluating “above and beyond” for compensating controls, consider the following:

Note: The items at a) through c) below are intended as examples only. All compensating controls must be reviewed and validated for sufficiency by the assessor who conducts the PCI DSS review. The effectiveness of a compensating control is dependent on the specifics of the environment in which the control is implemented, the surrounding security controls, and the configuration of the …
Removed p. 18
Note: Only companies that have undertaken a risk analysis and have legitimate technological or documented business constraints can consider the use of compensating controls to achieve compliance.

Requirement Number and Definition:

Information Required Explanation

1. Constraints List constraints precluding compliance with the original requirement.

2. Objective Define the objective of the original control; identify the objective met by the compensating control.

3. Identified Risk Identify any additional risk posed by the lack of the original control.

4. Definition of Compensating Controls Define the compensating controls and explain how they address the objectives of the original control and the increased risk, if any.

5. Validation of Compensating Controls Define how the compensating controls were validated and tested.

6. Maintenance Define process and controls in place to maintain compensating controls.

1. Constraints List constraints precluding compliance with the original requirement.

2. Objective Define the objective of the original control; identify the objective met by the compensating control.

3. Identified Risk Identify any …
Removed p. 19
Requirement Number: 8.1

• Are all users identified with a unique user name before allowing them to access system components or cardholder data? Information Required Explanation

Company XYZ employs stand-alone Unix Servers without LDAP. As such, they each require a “root” login. It is not possible for Company XYZ to manage the “root” login nor is it feasible to log all “root” activity by each user.

The objective of requiring unique logins is twofold. First, it is not considered acceptable from a security perspective to share login credentials. Secondly, having shared logins makes it impossible to state definitively that a person is responsible for a particular action.

Additional risk is introduced to the access control system by not ensuring all users have a unique ID and are able to be tracked.

Company XYZ is going to require all users to log into the servers from their desktops using the SU command. SU allows a user …
Removed p. 20
Requirement Reason Requirement is Not Applicable Example: 12.8 Cardholder data is never shared with service providers.