Document Comparison
PCI-DSS-v4-0-SAQ-B-r1.pdf → PCI-DSS-v4-0-1-SAQ-B.pdf
90% similar
Pages: 33 → 34
Words: 8371 → 8635
Content Changes: 24
From Revision History
- October 2008 1.2
Content Changes
24 content changes. 28 administrative changes (dates, page numbers) hidden.
Added
p. 2
Added ASV Resource Guide to section “Additional PCI SSC Resources.”
Added
p. 7
Note: A legal exception is a legal restriction due to a local or regional law, regulation, or regulatory requirement, where meeting a PCI DSS requirement would violate that law, regulation, or regulatory requirement.
Added
p. 17
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicabl Not in Place PIN blocks are encrypted during the natural course of transaction processes, but even if an entity encrypts the PIN block again, it is still not allowed to be stored after the completion of the authorization process.
Added
p. 18
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicabl Not in Place 3.4 Access to displays of full PAN and ability to copy PAN are restricted.
Added
p. 22
These requirements do not apply to:
• Components used only for manual PAN key entry.
Added
p. 26
The TPSP’s written acknowledgment is a confirmation that states the TPSP is responsible for the security of the account data it may store, process, or transmit on behalf of the customer or to the extent the TPSP may impact the security of a customer’s cardholder data and/or sensitive authentication data.
Added
p. 34
Note: The PCI Security Standards Council is a global standards body that provides resources for payment security professionals developed collaboratively with our stakeholder community. Our materials are accepted in numerous compliance programs worldwide. Please check with your individual compliance-accepting organization to ensure that this form is acceptable in its program. For more information about PCI SSC and our stakeholder community please visit: https://www.pcisecuritystandards.org/about_us/.
Modified
p. 5
PCI DSS is intended for all entities that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD) or could impact the security of the cardholder data environment (CDE). Cardholder data and sensitive authentication data are considered account data and are defined as follows:
PCI DSS is intended for all entities that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD) or could impact the security of cardholder data and/or sensitive authentication data. Cardholder data and sensitive authentication data are considered account data and are defined as follows:
Removed
p. 7
Note: A legal restriction is one where meeting the PCI DSS requirement would violate a local or regional law or regulation.
Modified
p. 8
− Guide to Safe Payments − Common Payment Systems − Questions to Ask Your Vendors − Glossary of Payment and Information Security Terms − PCI Firewall Basics These and other resources can be found on the PCI SSC website (www.pcisecuritystandards.org).
− Guide to Safe Payments − Common Payment Systems − Questions to Ask Your Vendors − Glossary of Payment and Information Security Terms − PCI Firewall Basics − ASV Resource Guide These and other resources can be found on the PCI SSC website (www.pcisecuritystandards.org).
Modified
p. 11
Name of PCI SSC- validated Product or Version of Product or
Name of PCI SSC validated Product or Version of Product or
Modified
p. 11
PCI SSC listing reference number Expiry date of listing (YYYY-MM-DD) ♦ For purposes of this document, ”Lists of Validated Products and Solutions” means the lists of validated products, solutions, and/or components appearing on the PCI SSC website (www.pcisecuritystandards.org)for example, 3DS Software Development Kits, Approved PTS Devices, Validated Payment Software, Payment Applications (PA-DSS), Point to Point Encryption (P2PE) solutions, Software-Based PIN Entry on COTS (SPoC) solutions, and Contactless Payments on COTS (CPoC) solutions.
PCI SSC listing reference number Expiry date of listing (YYYY-MM-DD) ♦ For purposes of this document, ”Lists of Validated Products and Solutions” means the lists of validated products, solutions, and/or components, appearing on the PCI SSC website (www.pcisecuritystandards.org)for example, 3DS Software Development Kits, Approved PTS Devices, Validated Payment Software, Point to Point Encryption (P2PE) solutions, Software-Based PIN Entry on COTS (SPoC) solutions, Contactless Payments on COTS (CPoC) solutions, and Mobile Payments on COTS (MPoC) products.
Modified
p. 14
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 3.1 Processes and mechanisms for protecting stored account data are defined and understood.
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicabl Not in Place 3.1 Processes and mechanisms for protecting stored account data are defined and understood.
Modified
p. 15
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 3.3 Sensitive authentication data (SAD) is not stored after authorization.
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicabl Not in Place 3.3 Sensitive authentication data (SAD) is not stored after authorization.
Removed
p. 16
Applicability Notes PIN blocks are encrypted during the natural course of transaction processes, but even if an entity encrypts the PIN block again, it is still not allowed to be stored after the completion of the authorization process.
Modified
p. 16
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 3.3.1.2 The card verification code is not retained upon completion of the authorization process.
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicabl Not in Place 3.3.1.2 The card verification code is not stored upon completion of the authorization process.
Modified
p. 20 → 21
• Examine the periodic media destruction policy.
• Examine the media destruction policy.
Modified
p. 21 → 22
Applicability Notes These requirements apply to deployed POI devices used in card-present transactions (that is, a payment card form factor such as a card that is swiped, tapped, or dipped). This requirement is not intended to apply to manual PAN key-entry components such as computer keyboards.
Applicability Notes These requirements apply to deployed POI devices used in card-present transactions (that is, a payment card form factor such as a card that is swiped, tapped, or dipped).
Modified
p. 21 → 22
• Commercial off-the-shelf (COTS) devices (for example, smartphones or tablets), which are mobile merchant-owned devices designed for mass-market distribution.
Removed
p. 24
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place SAQ Completion Guidance:
Modified
p. 25 → 26
• Written agreements include acknowledgments from TPSPs that they are responsible for the security of account data the TPSPs possess or otherwise store, process, or transmit on behalf of the entity, or to the extent that they could impact the security of the entity’s CDE.
• Written agreements include acknowledgments from TPSPs that TPSPs are responsible for the security of account data the TPSPs possess or otherwise store, process, or transmit on behalf of the entity, or to the extent that the TPSP could impact the security of the entity’s cardholder data and/or sensitive authentication data.
Modified
p. 25 → 26
Applicability Notes The exact wording of an acknowledgment will depend on the agreement between the two parties, the details of the service being provided, and the responsibilities assigned to each party. The acknowledgment does not have to include the exact wording provided in this requirement.
Applicability Notes The exact wording of an agreement will depend on the details of the service being provided, and the responsibilities assigned to each party. The agreement does not have to include the exact wording provided in this requirement.
Modified
p. 25 → 26
Evidence that a TPSP is meeting PCI DSS requirements (for example, a PCI DSS Attestation of Compliance (AOC) or a declaration on a company’s website) is not the same as a written agreement specified in this requirement.
Evidence that a TPSP is meeting PCI DSS requirements (is not the same as a written acknowledgment specified in this requirement. For example, a PCI DSS Attestation of Compliance (AOC), a declaration on a company’s website, a policy statement, a responsibility matrix, or other evidence not included in a written agreement is not a written acknowledgment.
Modified
p. 32 → 33
PCI DSS Self-Assessment Questionnaire B, Version 4.0 was completed according to the instructions therein.
PCI DSS Self-Assessment Questionnaire B, Version 4.0.1, was completed according to the instructions therein.