Document Comparison
PCI-DSS-v3_2-SAQ-A_EP-rev1_1.pdf
→
PCI-DSS-v3-2-1-SAQ-A-EP-r2.pdf
93% similar
Pages: 56 → 55
Words: 13589 → 13444
Content Changes
148 content changes. 36 administrative changes (dates, page numbers) hidden.
Added
p. 2
This document aligns with PCI DSS v3.2.1 r1.
Added
p. 5
• Section 1 (Parts 1 & 2 of the AOC)
• Section 3 (Parts 3 & 4 of the AOC)
Added
p. 10
• Observe network configurations to verify that a firewall(s) is in place.
Added
p. 11
(b) Are firewall and router rule sets reviewed at least every six months?
• Examine documentation from firewall reviews.
• Examine router configuration files and router configurations.
Added
p. 13
• Network Address Translation (NAT)
• Placing servers containing cardholder data behind proxy servers/firewalls,
• Examine mobile and/or employee-owned devices.
• Examine mobile and/or employee-owned devices.
(b) Is the personal firewall software (or equivalent functionality) configured to specific configuration settings, actively running, and not alterable by users of mobile and/or employee-owned devices?
• Review policies and configuration standards.
Added
p. 14
• Examine vendor documentation.
• Observe system configurations and account settings.
(b) Are unnecessary default accounts removed or disabled before installing a system on the network?
• Review policies and procedures.
Added
p. 14
• Examine system configurations and account settings.
• Review system configuration standards.
• Review industry-accepted hardening standards.
Added
p. 16
• Examine configuration settings.
• Examine configuration settings.
• Compare enabled services, etc. to documented justifications.
• Examine security parameter settings.
• Compare settings to system configuration standards.
• Examine security parameters on system components.
• Examine security parameters on system components.
• Observe an administrator log on.
• Observe an administrator log on.
• Examine services and files.
• Examine deletion processes.
• Review documented standards.
• Review all locations where CHD is transmitted or received.
(b) Are only trusted keys and/or certificates accepted?
• Observe inbound and outbound transmissions.
• Examine keys and certificates.
(c) Are security protocols implemented to use only secure configurations, and to not support insecure versions or configurations?
• Examine system configurations.
• Cardholder data is only requested if “HTTPS” appears as part of the URL.
• Examine anti-virus configurations, including the master installation.
Added
p. 21
(b) Are automatic updates and periodic scans enabled and being performed?
• Examine anti-virus configurations, including the master installation.
• Review log retention processes.
• Examine anti-virus configurations.
• Review change control processes and procedures.
(b) Are the following performed and documented for all changes:
6.4.5.1 Documentation of impact?
• Trace changes to change control documentation.
Added
p. 25
• Observe affected systems or networks.
Added
p. 25
• Examine training records.
• Examine software-development policies and procedures.
Added
p. 27
• Review documented processes.
• Examine records of application security assessments.
Added
p. 29
• Interview management.
• Interview management.
• Review privileged user IDs.
Added
p. 29
• Compare assigned privileges with documented approvals.
• Examine privileged and general user IDs and associated authorizations.
• Observe system settings.
Added
p. 30
• Examine terminated users accounts.
• Review current access lists.
• Observe returned physical authentication devices.
Added
p. 30
• Observe user accounts.
• Something you have, such as a token device or smart card
• Something you are, such as a biometric
• Review password procedures.
• Observe authentication processes.
• Observe password files.
• Observe data transmissions.
Added
p. 32
• Sample system components.
• Observe security personnel.
Added
p. 32
• Observe administrator logging into CDE.
• Observe personnel connecting remotely.
• Review distribution method.
Do authentication policies and procedures include the following?
- Guidance on selecting strong authentication credentials
- Guidance for how users should protect their authentication credentials
- Instructions not to reuse previously used passwords
- Instructions that users should change passwords if there is any suspicion the password could be compromised
• Review documentation provided to users.
• Generic user IDs and accounts are disabled or
• Shared user IDs for system administration activities and other critical functions do not exist; and
• Shared and generic user IDs are not used to administer any system components?
• Review policies and procedures.
• Examine user ID lists.
• Physical and/or logical controls must be in place to ensure only the intended account can use that mechanism to gain access
• Examine system configuration settings and/or physical controls.
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A …
Added
p. 41
• Review security policies and procedures.
Added
p. 41
• Review risk assessment documentation.
Added
p. 41
• Examine audit logs.
(c) Are at least the last three months’ logs immediately available for analysis?
• Interview personnel.
• Review results from the four most recent quarters of external vulnerability scans.
• Includes coverage for the entire CDE perimeter and critical systems
• Includes testing from both inside and outside the network
• Includes testing to validate any segmentation and scope-reduction controls
• Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5
• Defines network-layer penetration tests to include components that support network functions as well as operating systems
• Includes review and consideration of threats and vulnerabilities experienced in the last 12 months
• Specifies retention of penetration testing results and remediation activities results
• Examine penetration-testing methodology.
Added
p. 43
• Examine results from the most recent external penetration test.
• Review penetration-testing methodology.
• Examine results from the most recent penetration test.
• Examine vendor documentation.
• Examine network diagrams.
(c) Are all intrusion-detection and prevention engines, baselines, and signatures kept up-to-date?
• Examine IDS/IPS configurations.
• Application executables
• Configuration and parameter files
• Centrally stored, historical or archived, log, and audit files
• Additional critical files determined by entity (for example, through risk assessment or other means)
• Observe system settings and monitored files.
• Observe system settings and monitored files.
• Review results from monitoring activities.
• Interview a sample of responsible personnel.
Added
p. 47
• Review list of service providers.
• Observe written agreements.
• Review incident response plan procedures.
- Specific incident response procedures?
• Review incident response plan procedures.
- Business recovery and continuity procedures?
• Review incident response plan procedures.
- Data backup processes?
• Review incident response plan procedures.
- Analysis of legal requirements for reporting compromises?
• Review incident response plan procedures.
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A
A2.1 For POS POI terminals (at the merchant or payment-acceptance location) using SSL and/or early TLS: Are the devices confirmed to not be susceptible to any known exploits for SSL/early TLS?
Note: This requirement is intended to apply to the entity with the POS POI terminal, such as a merchant. This requirement is not intended for service providers who serve as the termination or connection point to those POS POI terminals. Requirements A2.2 and A2.3 apply to POS POI service providers.
• Review …
Added
p. 55
Do not use vendor-supplied defaults for system passwords and other security parameters.
Added
p. 55
Protect all systems against malware and regularly update anti-virus software or programs.
Added
p. 55
Appendix A2 Additional PCI DSS Requirements for Entities using SSL/Early TLS for Card-Present POS POI Terminal Connections.
Modified
p. 4
• Your company accepts only e-commerce transactions;
• All processing of cardholder data, with the exception of the payment page, is entirely outsourced to a PCI DSS validated third-party payment processor;
• Your e-commerce website does not receive cardholder data but controls how consumers, or their cardholder data, are redirected to a PCI DSS validated third-party payment processor;
• If merchant website is hosted by a third-party provider, the provider is validated to all applicable PCI DSS requirements (e.g., including …
Removed
p. 5
(PCI Data Security Standard Requirements and Security Assessment Procedures)
Guidance on Scoping
Guidance on the intent of all PCI DSS Requirements
Details of testing procedures
Guidance on Compensating Controls
SAQ Instructions and Guidelines documents
Information about all SAQs and their eligibility criteria
How to determine which SAQ is right for your organization
Modified
p. 5
1. Identify the applicable SAQ for your environment
• refer to the Self-Assessment Questionnaire Instructions and Guidelines document on PCI SSC website for information.
• refer
1. Identify the applicable SAQ for your environment⎯refer to the Self-Assessment Questionnaire Instructions and Guidelines document on PCI SSC website for information.
Modified
p. 5
• Assessment Information and Executive Summary.
• Assessment Information and Executive Summary.
Modified
p. 5
• PCI DSS Self-Assessment Questionnaire (SAQ A-EP) Section 3 (Parts 3 & 4 of the AOC)
• Validation and Attestation Details and Action Plan for Non-Compliant Requirements (if applicable)
• Validation and Attestation Details and Action Plan for Non-Compliant Requirements (if applicable)
Modified
p. 5
PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms Descriptions and definitions of terms used in the PCI DSS and self-assessment questionnaires These and other resources can be found on the PCI SSC website (www.pcisecuritystandards.org). Organizations are encouraged to review the PCI DSS and other supporting documents before beginning an assessment.
(PCI Data Security Standard Requirements and Security Assessment Procedures)
• Guidance on Scoping
• Guidance on the intent of all PCI DSS Requirements
• Details of testing procedures
• Guidance on Compensating Controls
SAQ Instructions and Guidelines documents
• Information about all SAQs and their eligibility criteria
• How to determine which SAQ is right for your organization
PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms
• Descriptions and definitions of terms used in the PCI DSS and self-assessment questionnaires
These and other resources …
Modified
p. 7
Section 1: Assessment Information Instructions for Submission This document must be completed as a declaration of the results of the merchant’s self-assessment with the Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures (PCI DSS). Complete all sections: The merchant is responsible for ensuring that each section is completed by the relevant parties, as applicable. Contact acquirer (merchant bank) or the payment brands to determine reporting and submission procedures.
Section 1: Assessment Information Instructions for Submission This document must be completed as a declaration of the results of the merchant’s self-assessment with the Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures (PCI DSS). Complete all sections: The merchant is responsible for ensuring that each section is completed by the relevant parties, as applicable. Contact your acquirer (merchant bank) or the payment brands to determine reporting and submission procedures.
Modified
p. 8
Type of facility Number of facilities of this type Location(s) of facility (city, country) Example: Retail outlets 3 Boston, MA, USA Part 2d. Payment Application Does the organization use one or more Payment Applications? Yes No Provide the following information regarding the Payment Applications your organization uses:
Type of facility Number of facilities of this type Location(s) of facility (city, country) Example: Retail outlets 3 Boston, MA, USA Part 2d. Payment Applications Does the organization use one or more Payment Applications? Yes No Provide the following information regarding the Payment Applications your organization uses:
Modified
p. 8
Does your business use network segmentation to affect the scope of your PCI DSS environment? (Refer to “Network Segmentation” section of PCI DSS for guidance on network segmentation)
Does your business use network segmentation to affect the scope of your PCI DSS environment? (Refer to “Network Segmentation” section of PCI DSS for guidance on network segmentation.)
Modified
p. 10
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A 1.1 Are firewall and router configuration standards established and implemented to include the following:
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 1.1 Are firewall and router configuration standards established and implemented to include the following:
Modified
p. 10
(b) Is there a process to ensure the diagram is kept current? • Interview personnel.
Modified
p. 10
(b) Is there a process to ensure the diagram is kept current?
(b) Is there a process to ensure the diagram is kept current? • Interview responsible personnel.
Modified
p. 10
(b) Is the current network diagram consistent with the firewall configuration standards? • Compare firewall configuration standards to current network diagram.
Modified
p. 11
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A 1.1.6 (a) Do firewall and router configuration standards include a documented list of services, protocols, and ports, including business justification and approval for each?
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 1.1.6 (a) Do firewall and router configuration standards include a documented list of services, protocols, and ports, including business justification and approval for each? • Review firewall and router configuration standards.
Modified
p. 11
(b) Are all insecure services, protocols, and ports identified, and are security features documented and implemented for each identified service? • Review firewall and router configuration standards.
Modified
p. 11
(b) Is all other inbound and outbound traffic specifically denied (for example by using an explicit “deny all” or an implicit deny after allow statement)? • Review firewall and router configuration standards.
Removed
p. 12
(For example, block traffic originating from the internet with an internal address)
Examine firewall and router configurations
1.3.4 Is outbound traffic from the cardholder data environment to the Internet explicitly authorized?
Modified
p. 12
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 1.2.3 Are perimeter firewalls installed between all wireless networks and the cardholder data environment, and are these firewalls configured to deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment? • Review firewall and router configuration standards.
Removed
p. 13
Review policies and configuration
Examine mobile and/or employee-owned devices
(b) Is the personal firewall software (or equivalent functionality) configured to specific configuration settings, actively running, and not alterable by users of mobile and/or employee-owned devices?
Review policies and configuration
Examine mobile and/or employee-owned devices
1.5 Are security policies and operational procedures for managing firewalls:
Modified
p. 13
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A 1.3.7 (a) Are methods in place to prevent the disclosure of private IP addresses and routing information to the Internet? Note: Methods to obscure IP addressing may include, but are not limited to:
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 1.3.7 (a) Are methods in place to prevent the disclosure of private IP addresses and routing information to the Internet? Note: Methods to obscure IP addressing may include, but are not limited to:
Modified
p. 13
• Removal or filtering of route advertisements for private networks that employ registered addressing,
• Internal use of RFC1918 address space instead of registered addresses.
Modified
p. 13
(b) Is any disclosure of private IP addresses and routing information to external entities authorized? • Examine firewall and router configurations.
Removed
p. 14
Review policies and procedures
Examine vendor documentation
Observe system configurations and account settings
Interview personnel
(b) Are unnecessary default accounts removed or disabled before installing a system on the network?
Modified
p. 14
(b) Are system configuration standards updated as new vulnerability issues are identified, as defined in Requirement 6.1? • Review policies and procedures.
Modified
p. 14
(c) Are system configuration standards applied when new systems are configured? • Review policies and procedures.
Modified
p. 15
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A (d) Do system configuration standards include all of the following:
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 2.2 (cont.) (d) Do system configuration standards include all of the following:
Modified
p. 15
- Changing of all vendor-supplied defaults and elimination of unnecessary default accounts?
- Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same server?
- Enabling only necessary services, protocols, daemons, etc., as required for the function of the system?
- Implementing additional security features for any required services, protocols or daemons that are considered to be insecure?
- Configuring system security parameters to prevent misuse?
- Removing all unnecessary …
Modified
p. 15
(b) If virtualization technologies are used, is only one primary function implemented per virtual system component or device? • Examine system configurations.
Modified
p. 15 → 16
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 2.2.2 (a) Are only necessary services, protocols, daemons, etc. enabled as required for the function of the system (services and protocols not directly needed to perform the device’s specified function are disabled)? • Review configuration standards.
Modified
p. 16
(b) Are all enabled insecure services, daemons, or protocols justified per documented configuration standards? • Review configuration standards.
Modified
p. 16
(b) Are common system security parameters settings included in the system configuration standards? • Review system configuration standards.
Modified
p. 16
(c) Are security parameter settings set appropriately on system components? • Examine system components.
Modified
p. 16
(b) Are enabled functions documented and do they support secure configuration? • Review documentation.
Modified
p. 16
(c) Is only documented functionality present on system components? • Review documentation.
Removed
p. 17
Note: Where SSL/early TLS is used, the requirements in Appendix A2 must be completed.
Modified
p. 17
(a) Is all non-console administrative access encrypted with strong cryptography, and is a strong encryption method invoked before the administrator’s password is requested?
(a) Is all non-console administrative access encrypted with strong cryptography, and is a strong encryption method invoked before the administrator’s password is requested? • Examine system components.
Modified
p. 17
(b) Are system services and parameter files configured to prevent the use of Telnet and other insecure remote login commands? • Examine system components.
Modified
p. 17
(c) Is administrator access to web-based management interfaces encrypted with strong cryptography? • Examine system components.
Modified
p. 17
(d) For the technology in use, is strong cryptography implemented according to industry best practice and/or vendor recommendations? • Examine system components.
Modified
p. 18
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A
3.2 (c) Is sensitive authentication data deleted or rendered unrecoverable upon completion of the authorization process?
Review policies and procedures
Examine system configurations
Examine deletion processes
(d) Do all systems adhere to the following requirements regarding non-storage of sensitive authentication data after authorization (even if encrypted):
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 3.2 (c) Is sensitive authentication data deleted or rendered unrecoverable upon completion of the authorization process? • Review policies and procedures.
Modified
p. 18
- Incoming transaction data
- All logs
- History files
- Trace files
- Database schema
- Database contents
3.2.3 The personal identification number (PIN) or the encrypted PIN block is not stored after authorization? • Examine data sources including:
Modified
p. 18
- Incoming transaction data
- All logs
- History files
- Trace files
- Database schema
- Database contents
Removed
p. 19
Review documented standards
Review policies and procedures
Review all locations where CHD is transmitted or received
Examine system configurations
(b) Are only trusted keys and/or certificates accepted?
Observe inbound and outbound transmissions
Examine keys and certificates
(c) Are security protocols implemented to use only secure configurations, and to not support insecure versions or configurations?
Modified
p. 19
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 4.1 (a) Are strong cryptography and security protocols used to safeguard sensitive cardholder data during transmission over open, public networks? Note: Where SSL/early TLS is used, the requirements in Appendix A2 must be completed.
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 4.1 (a) Are strong cryptography and security protocols used to safeguard sensitive cardholder data during transmission over open, public networks? Note: Examples of open, public networks include but are not limited to the Internet; wireless technologies, including 802.11 and Bluetooth; cellular technologies, for example, Global System for Mobile communications (GSM), Code division multiple access (CDMA); and General Packet Radio Service (GPRS).
Modified
p. 19
(d) Is the proper encryption strength implemented for the encryption methodology in use (check vendor recommendations/best practices)? • Review vendor documentation.
Modified
p. 19
(e) For TLS implementations, is TLS enabled whenever cardholder data is transmitted or received? For example, for browser-based implementations:
Modified
p. 19
• “HTTPS” appears as the browser Universal Record Locator (URL) protocol, and
Removed
p. 21
Examine policies and procedures
Examine anti-virus configurations, including the master installation
Examine system components
(b) Are automatic updates and periodic scans enabled and being performed?
Modified
p. 21
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 5.1 Is anti-virus software deployed on all systems commonly affected by malicious software?
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 5.1 Is anti-virus software deployed on all systems commonly affected by malicious software? • Examine system configurations.
Modified
p. 21
(a) Are all anti-virus software and definitions kept current?
(a) Are all anti-virus software and definitions kept current? • Examine policies and procedures.
Modified
p. 21
(c) Are all anti-virus mechanisms generating audit logs, and are logs retained in accordance with PCI DSS Requirement 10.7? • Examine anti-virus configurations.
Modified
p. 22
• Unable to be disabled or altered by users? Note: Anti-virus solutions may be temporarily disabled only if there is legitimate technical need, as authorized by management on a case-by-case basis. If anti-virus protection needs to be disabled for a specific purpose, it must be formally authorized. Additional security measures may also need to be implemented for the period of time during which anti-virus protection is not active.
Modified
p. 23
• Using reputable outside sources for vulnerability information?
Modified
p. 23
• Assigning a risk ranking to vulnerabilities that includes identification of all “high” risk and “critical” vulnerabilities? Note: Risk rankings should be based on industry best practices as well as consideration of potential impact. For example, criteria for ranking vulnerabilities may include consideration of the CVSS base score and/or the classification by the vendor, and/or type of systems affected.
Modified
p. 23
(b) Are critical security patches installed within one month of release? Note: Critical security patches should be identified according to the risk ranking process defined in Requirement 6.1.
Modified
p. 23
• Compare list of security patches installed to recent vendor patch lists.
Modified
p. 24
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 6.4.5 (a) Are change-control procedures documented and require the following? Documentation of impact Documented change control approval by authorized parties Functionality testing to verify that the change does not adversely impact the security of the system Back-out procedures Review change control processes and procedures (b) Are the following performed and documented for all changes:
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 6.4.5 (a) Are change-control procedures documented and require the following? - Documentation of impact - Documented change control approval by authorized parties - Functionality testing to verify that the change does not adversely impact the security of the system - Back-out procedures
Modified
p. 24
(b) For custom code changes, testing of updates for compliance with PCI DSS Requirement 6.5 before being deployed into production? • Trace changes to change control documentation.
Removed
p. 25
Trace changes to change control documentation Examine change control documentation Interview personnel Observe affected systems or 6.5 Do software-development processes address common coding vulnerabilities?
Examine software-development policies and procedures Interview responsible personnel 6.5.2 Do coding techniques address buffer overflow vulnerabilities?
Examine software-development policies and procedures Interview responsible personnel 6.5.4 Do coding techniques address insecure communications?
Modified
p. 25
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 6.4.6 Upon completion of a significant change, are all relevant PCI DSS requirements implemented on all new or changed systems and networks, and documentation updated as applicable? Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement.
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 6.4.6 Upon completion of a significant change, are all relevant PCI DSS requirements implemented on all new or changed systems and networks, and documentation updated as applicable? • Trace changes to change control documentation.
Modified
p. 25
Are developers trained at least annually in up-to-date secure coding techniques, including how to avoid common coding vulnerabilities? • Examine software-development policies and procedures.
Removed
p. 26
Examine software-development policies and procedures Interview responsible personnel 6.5.9 Do coding techniques address cross-site request forgery (CSRF)?
Modified
p. 26
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 6.5.6 Do coding techniques address all “high risk” vulnerabilities identified in the vulnerability identification process (as defined in PCI DSS Requirement 6.1)? Examine software-development policies and procedures Interview responsible personnel For web applications and application interfaces (internal or external), are applications developed based on secure coding guidelines to protect applications from the following additional vulnerabilities:
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A For web applications and application interfaces (internal or external), are applications developed based on secure coding guidelines to protect applications from the following additional vulnerabilities:
Removed
p. 27
Review documented processes Interview personnel Examine records of application security assessments Examine system configuration
Modified
p. 27
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 6.6 For public-facing web applications, are new threats and vulnerabilities addressed on an ongoing basis, and are these applications protected against known attacks by applying either of the following methods? Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, as follows:
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 6.6 For public-facing web applications, are new threats and vulnerabilities addressed on an ongoing basis, and are these applications protected against known attacks by applying either of the following methods? • Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, as follows:
Modified
p. 27
• Installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) as follows:
Removed
p. 29
Examine written access control policy Interview personnel Interview management Review privileged user IDs 7.1.3 Is access assigned based on individual personnel’s job classification and function?
Modified
p. 29
• To least privileges necessary to perform job responsibilities?
Modified
p. 29
• Assigned only to roles that specifically require that privileged access? • Examine written access control policy.
Removed
p. 30
Review password procedures Examine privileged and general user IDs and associated authorizations Observe system settings 8.1.3 Is access for any terminated users immediately deactivated or removed?
Review password procedures Examine terminated users accounts Review current access lists Observe returned physical authentication devices 8.1.4 Are inactive user accounts either removed or disabled within 90 days?
Modified
p. 30
(b) Are third-party remote access accounts monitored when in use? • Interview personnel.
Modified
p. 31
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 8.1.8 If a session has been idle for more than 15 minutes, are users required to re-authenticate (for example, re-enter the password) to re-activate the terminal or session?
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 8.1.8 If a session has been idle for more than 15 minutes, are users required to re-authenticate (for example, re-enter the password) to re-activate the terminal or session? • Review password procedures.
Modified
p. 31
In addition to assigning a unique ID, is one or more of the following methods employed to authenticate all users? • Something you know, such as a password or passphrase
Modified
p. 31
• Examine system configuration settings to verify password parameters.
Removed
p. 32
Review password procedures Examine system configuration settings 8.2.5 (a) Must an individual submit a new password/phrase that is different from any of the last four passwords/passphrases he or she has used?
Modified
p. 32
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 8.2.4 (a) Are user passwords/passphrases changed at least once every 90 days?
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 8.2.5 (a) Must an individual submit a new password/phrase that is different from any of the last four passwords/passphrases he or she has used?
• Review password procedures.
• Review password procedures.
Removed
p. 33
Review policies and procedures Review distribution method Interview personnel Interview users Do authentication policies and procedures include the following? Guidance on selecting strong authentication credentials Guidance for how users should protect their authentication credentials Instructions not to reuse previously used passwords Instructions that users should change passwords if there is any suspicion the password could be compromised Review policies and procedures Review documentation provided to 8.5 Are group, shared, or generic accounts, passwords, or other authentication methods prohibited as follows:
Generic user IDs and accounts are disabled or Shared user IDs for system administration activities and other critical functions do not exist; and Shared and generic user IDs are not used to administer any system components? Review policies and procedures Examine user ID lists Interview personnel
Modified
p. 33
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 8.4 (a) Are authentication policies and procedures documented and communicated to all users?
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 8.4 (a) Are authentication policies and procedures documented and communicated to all users? • Review policies and procedures.
Modified
p. 34
• Known to all affected parties? • Examine security policies and operational procedures.
Modified
p. 35
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 9.1 Are appropriate facility entry controls in place to limit and monitor physical access to systems in the cardholder data environment?
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 9.1 Are appropriate facility entry controls in place to limit and monitor physical access to systems in the cardholder data environment? • Observe physical access controls.
Modified
p. 36
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 9.8.1 (a) Are hardcopy materials cross-cut shredded, incinerated, or pulped so that cardholder data cannot be reconstructed?
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 9.8.1 (a) Are hardcopy materials cross-cut shredded, incinerated, or pulped so that cardholder data cannot be reconstructed? • Review periodic media destruction policies and procedures.
Modified
p. 36
(b) Are storage containers used for materials that contain information to be destroyed secured to prevent access to the contents? • Examine security of storage containers.
Modified
p. 37
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 10.1 Are audit trails enabled and active for system components?
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 10.1 Are audit trails enabled and active for system components? • Interview system administrator.
Modified
p. 37
• and all changes, additions, or deletions to accounts with root or administrative privileges? Interview personnel Observe audit logs Examine audit log settings 10.2.6 Initialization, stopping, or pausing of the audit logs? Interview personnel Observe audit logs Examine audit log settings
• and all changes, additions, or deletions to accounts with root or administrative privileges? • Interview personnel.
Modified
p. 38
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 10.2.7 Creation and deletion of system-level objects? Interview personnel Observe audit logs Examine audit log settings 10.3 Are the following audit trail entries recorded for all system components for each event:
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 10.3 Are the following audit trail entries recorded for all system components for each event:
Modified
p. 38
• Review time configuration standards and processes.
Modified
p. 39
(a) Do only designated central time server(s) receive time signals from external sources, and are time signals from external sources based on International Atomic Time or UTC?
(a) Do only designated central time server(s) receive time signals from external sources, and are time signals from external sources based on International Atomic Time or UTC? • Review time configuration standards and processes.
Modified
p. 39
(b) Where there is more than one designated time server, do the time servers peer with each other to keep accurate time? • Review time configuration standards and processes.
Modified
p. 39
(c) Do systems receive time only from designated central time server(s)? • Review time configuration standards and processes.
Modified
p. 39
(a) Is access to time data restricted to only personnel with a business need to access time data?
(a) Is access to time data restricted to only personnel with a business need to access time data? • Examine system configurations and time-synchronization settings.
Modified
p. 39
(b) Are changes to time settings on critical systems logged, monitored, and reviewed? • Examine system configurations and time-synchronization settings and logs.
Modified
p. 39 → 40
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 10.5 Are audit trails secured so they cannot be altered, as follows:
Removed
p. 40
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 10.5.1 Is viewing of audit trails limited to those with a job-related need?
Modified
p. 40
• Examine system configurations and permissions 10.5.2 Are audit trail files protected from unauthorized modifications via access control mechanisms, physical segregation, and/or network segregation? • Interview system administrators.
Modified
p. 40
Are logs for external-facing technologies (for example, wireless, firewalls, DNS, mail) written onto a secure, centralized, internal log server or media? • Interview system administrators.
Modified
p. 40 → 41
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 10.6 Are logs and security events for all system components reviewed to identify anomalies or suspicious activity as follows? Note: Log harvesting, parsing, and alerting tools may be used to achieve compliance with Requirement 10.6.
Removed
p. 41
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 10.6.1 (b) Are the following logs and security events reviewed at least daily, either manually or via log tools?
Review security policies and procedures Observe processes Interview personnel 10.7 (b) Are audit logs retained for at least one year? Review security policies and procedures Interview personnel Examine audit logs (c) Are at least the last three months’ logs immediately available for analysis? Interview personnel Observe processes
Modified
p. 42
(b) Do external quarterly scan and rescan results satisfy the ASV Program Guide requirements for a passing scan (for example, no vulnerabilities rated 4.0 or higher by the CVSS, and no automatic failures)? • Review results of each external quarterly scan and rescan.
Modified
p. 42
PCI SSC Approved Scanning Vendor (ASV)?
PCI SSC Approved Scanning Vendor (ASV)? • Review results of each external quarterly scan and rescan.
Modified
p. 42
• Examine and correlate change control documentation and scan reports.
Modified
p. 42
- For external scans, no vulnerabilities exist that are scored 4.0 or higher by the CVSS; - For internal scans, a passing result is obtained or all “high-risk” vulnerabilities as defined in PCI DSS Requirement 6.1 are resolved? • Review scan reports.
Modified
p. 42
(c) Are scans performed by a qualified internal resource(s) or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)? • Interview personnel.
Removed
p. 43
Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) Includes coverage for the entire CDE perimeter and critical systems Includes testing from both inside and outside the network Includes testing to validate any segmentation and scope-reduction controls Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5 Defines network-layer penetration tests to include components that support network functions as well as operating systems Includes review and consideration of threats and vulnerabilities experienced in the last 12 months Specifies retention of penetration testing results and remediation activities results Examine penetration-testing methodology Interview responsible personnel 11.3.1 (a) Is external penetration testing performed per the defined methodology, at least annually, and after any significant infrastructure or application changes to the environment (such as an operating system upgrade, a sub-network added to the environment, or an …
Modified
p. 43
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 11.3 Does the penetration-testing methodology include the following?
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 11.3 Does the penetration-testing methodology include the following? • Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115)
Modified
p. 43
(b) Are tests performed by a qualified internal resource or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)? • Interview responsible personnel.
Modified
p. 44
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 11.3.3 Are exploitable vulnerabilities found during penetration testing corrected, followed by repeated testing to verify the corrections? Examine penetration testing results 11.3.4 If segmentation is used to isolate the CDE from other networks:
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 11.3.3 Are exploitable vulnerabilities found during penetration testing corrected, followed by repeated testing to verify the corrections? • Examine penetration testing results.
Modified
p. 44
(a) Are penetration-testing procedures defined to test all segmentation methods, to confirm they are operational and effective, and isolate all out-of-scope systems from systems in the CDE?
(a) Are penetration-testing procedures defined to test all segmentation methods, to confirm they are operational and effective, and isolate all out-of-scope systems from systems in the CDE? • Examine segmentation controls.
Modified
p. 44
(b) Does penetration testing to verify segmentation controls meet the following? - Performed at least annually and after any changes to segmentation controls/methods. - Covers all segmentation controls/methods in use. - Verifies that segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.
Modified
p. 44
(c) Are tests performed by a qualified internal resource or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)? • Interview responsible personnel.
Removed
p. 45
System executables Application executables Configuration and parameter files Centrally stored, historical or archived, log, and audit files Additional critical files determined by entity (for example, through risk assessment or other means) Observe system settings and monitored files Examine system configuration
Modified
p. 45
- At the perimeter of the cardholder data environment, and - At critical points in the cardholder data environment.
Modified
p. 45
(b) Are intrusion-detection and/or intrusion-prevention techniques configured to alert personnel of suspected compromises? • Examine system configurations.
Modified
p. 46
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A (b) Is the change-detection mechanism configured to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files or content files, and do the tools perform critical file comparisons at least weekly? Note: For change detection purposes, critical files are usually those that do not regularly change, but the modification of which could indicate a system compromise or risk of …
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 11.5 (cont.) (b) Is the change-detection mechanism configured to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files or content files, and do the tools perform critical file comparisons at least weekly? Note: For change detection purposes, critical files are usually those that do not regularly change, but the modification of which could indicate a system compromise or …
Modified
p. 47
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 12.1 Is a security policy established, published, maintained, and disseminated to all relevant personnel?
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 12.1 Is a security policy established, published, maintained, and disseminated to all relevant personnel? • Review the information security policy.
Removed
p. 49
Review incident response plan procedures Specific incident response procedures? Review incident response plan procedures Business recovery and continuity procedures? Review incident response plan procedures Data backup processes? Review incident response plan procedures Analysis of legal requirements for reporting compromises?
Modified
p. 49
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 12.10.1 (a) Has an incident response plan been created to be implemented in the event of system breach? Review the incident response plan Review incident response plan procedures (b) Does the plan address the following, at a minimum:
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 12.10.1 (a) Has an incident response plan been created to be implemented in the event of system breach? • Review the incident response plan.
Modified
p. 49
- Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum? • Review incident response plan procedures.
Modified
p. 49
- Coverage and responses of all critical system components? • Review incident response plan procedures.
Modified
p. 49
- Reference or inclusion of incident response procedures from the payment brands? • Review incident response plan procedures.
Removed
p. 50
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A A2.1 For POS POI terminals (and the SSL/TLS termination points to which they connect) using SSL and/or early TLS:
Are the devices confirmed to not be susceptible to any known exploits for SSL/early TLS Is there a formal Risk Mitigation and Migration Plan in place per Requirement A2.2? Review documentation (for example, vendor documentation, system/network configuration details, etc.) that verifies POS POI devices are not susceptible to any known exploits for SSL/early TLS A2.2 Is there a formal Risk Mitigation and Migration Plan in place for all implementations that use SSL and/or early TLS (other than as allowed in A2.1), that includes:
Description of usage, including; what data is being transmitted, types and number of systems that use and/or support SSL/early TLS, type of environment; Risk assessment results and risk reduction controls …
Modified
p. 50
Appendix A2: Additional PCI DSS Requirements for Entities using SSL/early TLS
Appendix A2: Additional PCI DSS Requirements for Entities using SSL/Early TLS for Card-Present POS POI Terminal Connections
Modified
p. 56 → 55
PCI DSS Requirement* Description of Requirement Compliant to PCI DSS Requirements (Select One) Remediation Date and Actions (If “NO” selected for any Requirement) YES NO Install and maintain a firewall configuration to protect cardholder data Do not use vendor-supplied defaults for system passwords and other security parameters 3 Protect stored cardholder data 4 Encrypt transmission of cardholder data across open, public networks Protect all systems against malware and regularly update anti-virus software or programs 6 Develop and maintain secure systems …
PCI DSS Requirement* Description of Requirement Compliant to PCI DSS Requirements (Select One) Remediation Date and Actions (If “NO” selected for any Requirement) YES NO 1 Install and maintain a firewall configuration to protect cardholder data.