Document Comparison

SAQ_A-EP_v3.pdf PCI_DSS_v3-1_SAQ_A-EP_rev1-1.pdf
86% similar
46 → 49 Pages
10716 → 11860 Words
53 Content Changes

Content Changes

53 content changes. 24 administrative changes (dates, page numbers) hidden.

Added p. 2
June 2015 3.1 Update Requirement 11.3 to fix error.

July 2015 3.1 1.1 Updated to remove references to “best practices” prior to June 30, 2015, and remove the PCI DSS v2 reporting option for Requirement 11.3

Note: For the purposes of this SAQ, PCI DSS requirements that refer to the “cardholder data environment” are applicable to the merchant website(s). This is because the merchant website directly impacts how the payment card data is transmitted, even though the website itself does not receive cardholder data.
Added p. 8
Type of facility Number of facilities of this type Location(s) of facility (city, country) Example: Retail outlets 3 Boston, MA, USA Part 2d. Payment Application Does the organization use one or more Payment Applications? Yes No Provide the following information regarding the Payment Applications your organization uses:
Added p. 15
• Review configuration standards • Examine configuration settings If SSL/early TLS is used:
Added p. 17
Is there documentation (for example, vendor documentation, system/network configuration details, etc.) that verifies the devices are not susceptible to any known exploits for SSL/early TLS? • Review documentation that verifies POS POI devices are not susceptible to any known exploits for SSL/early TLS (f) For all other environments using SSL and/or early TLS:

Does the documented Risk Mitigation and Migration Plan include the following? • Description of usage, including; what data is being transmitted, types and number of systems that use and/or support SSL/early TLS, type of environment; • Risk assessment results and risk reduction controls in place; • Description of processes to monitor for new vulnerabilities associated with SSL/early TLS; • Description of change control processes that are implemented to ensure SSL/early TLS is not implemented into new environments; • Overview of migration project plan including target migration completion date no later than 30th June 2016.

• Review Risk Mitigation and Migration
Added p. 20
• Review Risk Mitigation and Migration

• Examine system configurations (f) For POS POI terminals (and the SSL/TLS termination points to which they connect) using SSL and/or early TLS and for which the entity asserts are not susceptible to any known exploits for those protocols: Is there documentation (for example, vendor documentation, system/network configuration details, etc.) that verifies the devices are not susceptible to any known exploits for SSL/early TLS?

• Review documentation that verifies POS POI devices are not susceptible to any known exploits for SSL/early TLS (g) For all other environments using SSL and/or early TLS: Does the documented Risk Mitigation and Migration Plan include the following? • Description of usage, including; what data is being transmitted, types and number of systems that use and/or support SSL/early TLS, type of environment; • Risk assessment results and risk reduction controls in place; • Description of processes to monitor for new vulnerabilities associated …
Added p. 25
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 6.4.5 (a) Are change-control procedures for implementing security patches and software modifications documented and require the following?

PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 6.5 (c) Are applications developed based on secure coding guidelines to protect applications from, at a minimum, the following vulnerabilities:

- At least annually - After any changes - By an organization that specializes in application security - That, at a minimum, all vulnerabilities in

- Is situated in front of public-facing web applications to detect and prevent web-based attacks. - Is actively running and up to date as applicable. - Is generating audit logs. - Is configured to either block web-based attacks, or generate an alert that is immediately investigated.
Modified p. 1
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A-EP and Attestation of Compliance Partially Outsourced E-commerce Merchants Using a Third-Party Website for Payment Processing Version 3.0
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A-EP and Attestation of Compliance Partially Outsourced E-commerce Merchants Using a Third-Party Website for Payment Processing For use with PCI DSS Version 3.1 Revision 1.1
Modified p. 2
February 2014 3.0 New SAQ to address requirements applicable to e-commerce merchants with a websites that do not themselves receive cardholder data but which do affect the security of the payment transaction and/or the integrity of the page that accepts the consumer’s cardholder data.
February 2014 3.0 New SAQ to address requirements applicable to e-commerce merchants with a website(s) that does not itself receive cardholder data but which does affect the security of the payment transaction and/or the integrity of the page that accepts the consumer’s cardholder data.
Modified p. 4
• Your company accepts only e-commerce transactions; • All processing of cardholder data is outsourced to a PCI DSS validated third-party payment processor; • Your e-commerce website does not receive cardholder data but controls how consumers, or their cardholder data, are redirected to a PCI DSS validated third-party payment processor; • Your e-commerce website is not connected to any other systems within your environment (this can be achieved via network segmentation to isolate the website from all other systems); •
• Your company accepts only e-commerce transactions; • All processing of cardholder data, with the exception of the payment page, is entirely outsourced to a PCI DSS validated third-party payment processor; • Your e-commerce website does not receive cardholder data but controls how consumers, or their cardholder data, are redirected to a PCI DSS validated third-party payment processor; • If merchant website is hosted by a third-party provider, the provider is validated to all applicable PCI DSS requirements (e.g., including …
Modified p. 9
Merchant accepts only e-commerce transactions; All processing of cardholder data is outsourced to a PCI DSS validated third-party payment processor; Merchant’s e-commerce website does not receive cardholder data but controls how consumers, or their cardholder data, are redirected to a PCI DSS validated third-party payment processor; Merchant’s e-commerce website is not connected to any other systems within merchant’s environment (this can be achieved via network segmentation to isolate the website from all other systems); If merchant website is hosted by …
Merchant accepts only e-commerce transactions; All processing of cardholder data, with the exception of the payment page, is entirely outsourced to a PCI DSS validated third-party payment processor; Merchant’s e-commerce website does not receive cardholder data but controls how consumers, or their cardholder data, are redirected to a PCI DSS validated third-party payment processor; If merchant website is hosted by a third-party provider, the provider is validated to all applicable PCI DSS requirements (e.g., including PCI DSS Appendix A if …
Modified p. 13
• Review policies and procedures • Review vendor documentation • Examine system configurations and account settings • Interview personnel 2.2 (a) Are configuration standards developed for all system components and are they consistent with industry-accepted system hardening standards? Sources of industry-accepted system hardening standards may include, but are not limited to, SysAdmin Audit Network Security (SANS) Institute, National Institute of Standards Technology (NIST), International Organization for Standardization (ISO), and Center for Internet Security (CIS).
• Review policies and procedures • Review vendor documentation • Examine system configurations and account settings • Interview personnel 2.2 (a) Are configuration standards developed for all system components and are they consistent with industry-accepted system hardening standards? Sources of industry-accepted system hardening standards may include, but are not limited to, SysAdmin Audit Network Security (SANS) Institute, National Institute of Standards Technology (NIST), International Organization for Standardization (ISO), and Center for Internet Security (CIS).
Modified p. 13
• Review system configuration standards • Review industry-accepted hardening • Review policies and procedures • Interview personnel (b) Are system configuration standards updated as new vulnerability issues are identified, as defined in Requirement 6.1?
• Review system configuration • Review industry-accepted hardening • Review policies and procedures • Interview personnel (b) Are system configuration standards updated as new vulnerability issues are identified, as defined in Requirement 6.1?
Modified p. 14
• Review system configuration standards 2.2.1 (a) Is only one primary function implemented per server, to prevent functions that require different security levels from co-existing on the same server? For example, web servers, database servers, and DNS should be implemented on separate servers.
• Review system configuration 2.2.1 (a) Is only one primary function implemented per server, to prevent functions that require different security levels from co-existing on the same server? For example, web servers, database servers, and DNS should be implemented on separate servers.
Modified p. 14
• Examine system configurations (b) If virtualization technologies are used, is only one primary function implemented per virtual system component or device? • Examine system configurations
• Examine system configurations (b) If virtualization technologies are used, is only one primary function implemented per virtual system component or device?
Modified p. 15 → 14
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 2.2.2 (a) Are only necessary services, protocols, daemons, etc. enabled as required for the function of the system (services and protocols not directly needed to perform the device’s specified function are disabled)?
• Examine system configurations 2.2.2 (a) Are only necessary services, protocols, daemons, etc. enabled as required for the function of the system (services and protocols not directly needed to perform the device’s specified function are disabled)? • Review configuration standards • Examine system configurations
Modified p. 15
• Review configuration standards • Examine system configurations (b) Are all enabled insecure services, daemons, or protocols justified per documented configuration standards?
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A (b) Are all enabled insecure services, daemons, or protocols justified per documented configuration standards?
Modified p. 15
• Review configuration standards • Interview personnel • Examine configuration settings • Compare enabled services, etc. to documented justifications 2.2.3 Are additional security features documented and implemented for any required services, protocols or daemons that are considered to be insecure? For example, use secured technologies such as SSH, S-FTP, SSL or IPSec VPN to protect insecure services such as NetBIOS, file-sharing, Telnet, FTP, etc.
• Review configuration standards • Interview personnel • Examine configuration settings • Compare enabled services, etc. to documented justifications 2.2.3 Are additional security features documented and implemented for any required services, protocols or daemons that are considered to be insecure? For example, use secured technologies such as SSH, S-FTP, TLS, or IPSec VPN to protect insecure services such as NetBIOS, file-sharing, Telnet, FTP, etc.
Modified p. 15
• Review configuration standards • Examine configuration settings 2.2.4 (a) Are system administrators and/or personnel that configure system components knowledgeable about common security parameter settings for those system components?
• Review documentation that verifies POS POI devices are not susceptible to any known exploits for SSL/early TLS • Review Risk Mitigation and Migration 2.2.4 (a) Are system administrators and/or personnel that configure system components knowledgeable about common security parameter settings for those system components?
Modified p. 15
• Review system configuration standards (c) Are security parameter settings set appropriately on system components? • Examine system components • Examine security parameter settings • Compare settings to system configuration
• Review system configuration (c) Are security parameter settings set appropriately on system components? • Examine system components • Examine security parameter settings • Compare settings to system configuration standards
Modified p. 16
Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.
Use technologies such as SSH, VPN, or TLS for web-based management and other non-console administrative access.
Modified p. 16
• Examine system components • Examine system configurations • Observe an administrator log on (b) Are system services and parameter files configured to prevent the use of Telnet and other insecure remote login commands?
• Examine system components • Examine system configurations • Observe an administrator log on (b) Are system services and parameter files configured to prevent the use of Telnet and other insecure remote login commands? • Examine system components • Examine services and files
Modified p. 16 → 17
• Examine system components • Examine services and files (c) Is administrator access to web-based management interfaces encrypted with strong cryptography?
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A (c) Is administrator access to web-based management interfaces encrypted with strong cryptography?
Modified p. 16 → 17
• Examine system components • Observe an administrator log on (d) For the technology in use, is strong cryptography implemented according to industry best practice and/or vendor recommendations? • Examine system components • Review vendor documentation • Interview personnel
• Examine system components • Observe an administrator log on (d) For the technology in use, is strong cryptography implemented according to industry best practice and/or vendor recommendations? • Examine system components • Review vendor documentation • Interview personnel (e) For POS POI terminals (and the SSL/TLS termination points to which they connect) using SSL and/or early TLS and for which the entity asserts are not susceptible to any known exploits for those protocols:
Modified p. 18 → 19
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 4.1 (a) Are strong cryptography and security protocols, such as SSL/TLS, SSH or IPSEC, used to safeguard sensitive cardholder data during transmission over open, public networks? Examples of open, public networks include but are not limited to the Internet; wireless technologies, including 802.11 and Bluetooth; cellular technologies, for example, Global System for Mobile communications (GSM), Code division multiple access (CDMA); and General Packet Radio Service …
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 4.1 (a) Are strong cryptography and security protocols, such as TLS, SSH or IPSEC, used to safeguard sensitive cardholder data during transmission over open, public networks? Examples of open, public networks include but are not limited to the Internet; wireless technologies, including 802.11 and Bluetooth; cellular technologies, for example, Global System for Mobile communications (GSM), Code division multiple access (CDMA); and General Packet Radio Service …
Modified p. 18 → 19
• Review documented standards • Review policies and procedures • Review all locations where CHD is transmitted or received • Examine system configurations (b) Are only trusted keys and/or certificates accepted?
• Review documented standards • Review policies and procedures • Review all locations where CHD is transmitted or received • Examine system configurations (b) Are only trusted keys and/or certificates accepted? • Observe inbound and outbound transmissions • Examine keys and certificates (c) Are security protocols implemented to use only secure configurations, and to not support insecure versions or configurations?
Modified p. 18 → 19
• Examine system configurations (d) Is the proper encryption strength implemented for the encryption methodology in use (check vendor recommendations/best practices)?
• Examine system configurations (d) Is the proper encryption strength implemented for the encryption methodology in use (check vendor recommendations/best practices)? • Review vendor documentation • Examine system configurations
Modified p. 18 → 20
• Review vendor documentation • Examine system configurations (e) For SSL/TLS implementations, is SSL/TLS enabled whenever cardholder data is transmitted or received? For example, for browser-based implementations:
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A (e) For TLS implementations, is TLS enabled whenever cardholder data is transmitted or received? For example, for browser-based implementations:
Modified p. 18 → 21
• Examine system configurations 4.2 (b) Are policies in place that state that unprotected PANs are not to be sent via end-user messaging technologies? • Review policies and procedures
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 4.2 (b) Are policies in place that state that unprotected PANs are not to be sent via end-user messaging technologies? • Review policies and procedures
Modified p. 21 → 24
• Review policies and procedures • Interview personnel • Observe processes
• Review policies and procedures • Interview personnel • Observe processes 6.2 (a) Are all system components and software protected from known vulnerabilities by installing applicable vendor-supplied security patches?
Removed p. 22
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 6.2 (a) Are all system components and software protected from known vulnerabilities by installing applicable vendor-supplied security patches?
Modified p. 22 → 24
• Review policies and procedures • Examine system components • Compare list of security patches installed to recent vendor patch lists 6.4.5 (a) Are change-control procedures for implementing security patches and software modifications documented and require the following?
• Review policies and procedures • Examine system components • Compare list of security patches installed to recent vendor patch lists
Modified p. 22 → 25
• Documentation of impact • Documented change control approval by authorized parties • Functionality testing to verify that the change does not adversely impact the security of the system • Back-out procedures • Review change control processes and procedures (b) Are the following performed and documented for all 6.4.5.1 Documentation of impact? • Trace changes to change control documentation • Examine change control documentation 6.4.5.2 Documented approval by authorized parties? • Trace changes to change control documentation • Examine change …
• Documentation of impact • Documented change control approval by authorized parties • Functionality testing to verify that the change does not adversely impact the security of the system • Back-out procedures • Review change control processes and procedures (b) Are the following performed and documented for all 6.4.5.1 Documentation of impact? • Trace changes to change control documentation • Examine change control documentation 6.4.5.2 Documented approval by authorized parties? • Trace changes to change control documentation • Examine change …
Modified p. 23 → 25
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A (b) For custom code changes, testing of updates for compliance with PCI DSS Requirement 6.5 before being deployed into production? • Trace changes to change control documentation • Examine change control documentation 6.4.5.4 Back-out procedures? • Trace changes to change control documentation • Examine change control documentation 6.5 (c) Are applications developed based on secure coding guidelines to protect applications from, at a minimum, the …
• Trace changes to change control documentation • Examine change control documentation (b) For custom code changes, testing of updates for compliance with PCI DSS Requirement 6.5 before being deployed into production? • Trace changes to change control documentation • Examine change control documentation 6.4.5.4 Back-out procedures? • Trace changes to change control documentation • Examine change control documentation
Modified p. 23 → 26
• Examine software-development policies and procedures • Interview responsible personnel 6.5.9 Do coding techniques address cross-site request forgery (CSRF)? • Examine software-development policies and procedures • Interview responsible personnel
• Examine software-development policies and procedures • Interview responsible personnel 6.5.10 Do coding techniques address broken authentication and session management? • Examine software-development policies and procedures • Interview responsible personnel
Removed p. 24
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 6.5.10 Do coding techniques address broken authentication and session management? Note: Requirement 6.5.10 is a best practice until June 30, 2015, after which it becomes a requirement.
Modified p. 24 → 27
• Examine software-development policies and procedures • Interview responsible personnel 6.6 For public-facing web applications, are new threats and vulnerabilities addressed on an ongoing basis, and are these applications protected against known attacks by applying either of the following methods? • Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, as follows: o At least annually o After any changes o By an organization that specializes in application security o That all vulnerabilities are …
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 6.6 For public-facing web applications, are new threats and vulnerabilities addressed on an ongoing basis, and are these applications protected against known attacks by applying either of the following methods? • Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, as follows:
Modified p. 24 → 27
Note: This assessment is not the same as the vulnerability scans performed for Requirement 11.2.
Requirement 6.5 are included in the assessment - That all vulnerabilities are corrected - That the application is re-evaluated after the corrections Note: This assessment is not the same as the vulnerability scans performed for Requirement 11.2.
Modified p. 24 → 27
• Installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications to continually check all traffic.
• Installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) as follows:
Modified p. 27 → 30
• Examine system configuration settings to verify password parameters 8.2.4 (a) Are user passwords/passphrases changed at least every 90 days?
• Examine system configuration settings to verify password parameters 8.2.4 (a) Are user passwords/passphrases changed at least once every 90 days?
Modified p. 34 → 37
• Review results from the four most recent quarters of external vulnerability scans (b) Do external quarterly scan and rescan results satisfy the ASV Program Guide requirements for a passing scan (for example, no vulnerabilities rated 4.0 or higher by the CVSS, and no automatic failures)?
• Review results from the four most recent quarters of external vulnerability scans (b) Do external quarterly scan and rescan results satisfy the ASV Program Guide requirements for a passing scan (for example, no vulnerabilities rated 4.0 or higher by the CVSS, and no automatic failures)? • Review results of each external quarterly scan and rescan (c) Are quarterly external vulnerability scans performed by a
Modified p. 35 → 38
• Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) • Includes coverage for the entire CDE perimeter and critical systems • Includes testing from both inside and outside the • Includes testing to validate any segmentation and scope-reduction controls • Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5 • Defines network-layer penetration tests to include components that support network functions as well as operating systems • Includes review and consideration …
• Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) • Includes coverage for the entire CDE perimeter and critical systems • Includes testing from both inside and outside the network • Includes testing to validate any segmentation and scope-reduction controls • Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5 • Defines network-layer penetration tests to include components that support network functions as well as operating systems • Includes review …
Modified p. 35 → 38
• Examine scope of work • Examine results from the most recent external penetration test (b) Are tests performed by a qualified internal resource or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)?
• Examine scope of work • Examine results from the most recent external penetration test (b) Are tests performed by a qualified internal resource or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)? • Interview responsible personnel
Modified p. 35 → 39
• Examine scope of work • Interview responsible personnel 11.3.3 Are exploitable vulnerabilities found during penetration testing corrected, followed by repeated testing to verify the corrections? • Examine penetration testing results
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 11.3.3 Are exploitable vulnerabilities found during penetration testing corrected, followed by repeated testing to verify the corrections? • Examine penetration testing results 11.3.4 If segmentation is used to isolate the CDE from other networks:
Removed p. 36
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 11.3.4 If segmentation is used to isolate the CDE from other networks:
Modified p. 36 → 39
(a) Are penetration-testing procedures defined to test all segmentation methods, to confirm they are operational and effective, and isolate all out-of-scope systems from in-scope systems?
(a) Are penetration-testing procedures defined to test all segmentation methods, to confirm they are operational and effective, and isolate all out-of-scope systems from systems in the CDE?
Modified p. 36 → 39
• Examine segmentation controls • Review penetration-testing methodology (b) Does penetration testing to verify segmentation controls meet the following? • Performed at least annually and after any changes to segmentation controls/methods • Covers all segmentation controls/methods in use • Verifies that segmentation methods are operational and effective, and isolate all out-of-scope systems from in-scope systems.
• Examine segmentation controls • Review penetration-testing methodology (b) Does penetration testing to verify segmentation controls meet the following? • Performed at least annually and after any changes to segmentation controls/methods • Covers all segmentation controls/methods in use • Verifies that segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.
Modified p. 36 → 40
• Examine results from the most recent penetration test 11.5 (a) Is a change-detection mechanism (for example, file-integrity monitoring tools) deployed within the cardholder data environment to detect unauthorized modification of critical system files, configuration files, or content files? Examples of files that should be monitored include:
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 11.5 (a) Is a change-detection mechanism (for example, file-integrity monitoring tools) deployed within the cardholder data environment to detect unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files? Examples of files that should be monitored include:
Modified p. 36 → 40
• System executables • Application executables • Configuration and parameter files • Centrally stored, historical or archived, log, and audit files • Additional critical files determined by entity (for example, through risk assessment or other means) • Observe system settings and monitored files • Examine system configuration settings
• System executables • Application executables • Configuration and parameter files • Centrally stored, historical or archived, log, and audit files • Additional critical files determined by entity (for example, through risk assessment or other means) • Observe system settings and monitored files • Examine system configuration (b) Is the change-detection mechanism configured to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files or content files, and do the tools perform critical file …
Removed p. 37
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A (b) Is the change-detection mechanism configured to alert personnel to unauthorized modification of critical system files, configuration files or content files, and do the tools perform critical file comparisons at least weekly? Note: For change detection purposes, critical files are usually those that do not regularly change, but the modification of which could indicate a system compromise or risk of compromise. Change detection mechanisms such as file-integrity monitoring products usually come pre-configured with critical files for the related operating system. Other critical files, such as those for custom applications, must be evaluated and defined by the entity (that is the merchant or service provider).
Modified p. 37 → 40
• Observe system settings and monitored files • Review results from monitoring activities 11.5.1 Is a process in place to respond to any alerts generated by the change-detection solution? • Examine system configuration settings
• Observe system settings and monitored files • Review results from monitoring activities 11.5.1 Is a process in place to respond to any alerts generated by the change-detection solution? • Examine system configuration
Modified p. 45 → 48
Signature of QSA  Date:
Signature of Duly Authorized Officer of QSA Company  Date:
Modified p. 45 → 48
QSA Name: QSA Company:
Duly Authorized Officer Name: QSA Company:
Modified p. 46 → 49
PCI DSS Requirement Description of Requirement Compliant to PCI DSS Requirements (Select One) Remediation Date and Actions (If “NO” selected for any Requirement) YES NO Install and maintain a firewall configuration to protect cardholder data Do not use vendor-supplied defaults for system passwords and other security parameters 3 Protect stored cardholder data Encrypt transmission of cardholder data across open, public networks Protect all systems against malware and regularly update anti-virus software or programs 6 Develop and maintain secure systems and …
PCI DSS Requirement* Description of Requirement Compliant to PCI DSS Requirements (Select One) Remediation Date and Actions (If “NO” selected for any Requirement) YES NO Install and maintain a firewall configuration to protect cardholder data Do not use vendor-supplied defaults for system passwords and other security parameters 3 Protect stored cardholder data Encrypt transmission of cardholder data across open, public networks Protect all systems against malware and regularly update anti-virus software or programs 6 Develop and maintain secure systems and …