Pci Dss v3-1 Saq a-ep Rev1-1

Date post: 20-Feb-2018
7/24/2019 Pci Dss v3-1 Saq a-ep Rev1-1

Payment Card Industry (PCI) Data Security Standard

Self-Assessment Questionnaire A-EP and Attestation of Compliance

Partially Outsourced E-commerce Merchants Using a Third-Party Website for Payment Processing

For use with PCI DSS Version 3.1

Revision 1.1

July 2015

Document Changes

Date | PCI DSS Version | SAQ Revision | Description

N/A | 1.0 | | Not used.

N/A | 2.0 | | Not used.

February 2014 | 3.0 | | New SAQ to address requirements applicable to e-commerce merchants with a website(s) that does not itself receive cardholder data but which does affect the security of the payment transaction and/or the integrity of the page that accepts the consumer's cardholder data. Content aligns with PCI DSS v3.0 requirements and testing procedures.

April 2015 | 3.1 | | Updated to align with PCI DSS v3.1. For details of PCI DSS changes, see PCI DSS Summary of Changes from PCI DSS Version 3.0 to 3.1.

June 2015 | 3.1 | | Update Requirement 11.3 to fix error.

July 2015 | 3.1 | 1.1 | Updated to remove references to best practices prior to June 30, 2015, and remove the PCI DSS v2 reporting option for Requirement 11.3.

PCI DSS v3.1 SAQ A-EP, Rev. 1.1 July 2015
© 2006-2015 PCI Security Standards Council, LLC. All Rights Reserved. Page 1

Table of Contents

Document Changes
Before You Begin
  PCI DSS Self-Assessment Completion Steps
  Understanding the Self-Assessment Questionnaire
    Expected Testing
  Completing the Self-Assessment Questionnaire
    Guidance for Non-Applicability of Certain, Specific Requirements
    Legal Exception
Section 1: Assessment Information
Section 2: Self-Assessment Questionnaire A-EP
  Build and Maintain a Secure Network
    Requirement 1: Install and maintain a firewall configuration to protect data
    Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
  Protect Cardholder Data
    Requirement 3: Protect stored cardholder data
    Requirement 4: Encrypt transmission of cardholder data across open, public networks
  Maintain a Vulnerability Management Program
    Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
    Requirement 6: Develop and maintain secure systems and applications
  Implement Strong Access Control Measures
    Requirement 7: Restrict access to cardholder data by business need to know
    Requirement 8: Identify and authenticate access to system components
    Requirement 9: Restrict physical access to cardholder data
  Regularly Monitor and Test Networks
    Requirement 10: Track and monitor all access to network resources and cardholder data
    Requirement 11: Regularly test security systems and processes
  Maintain an Information Security Policy
    Requirement 12: Maintain a policy that addresses information security for all personnel
Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers
Appendix B: Compensating Controls Worksheet

... Guidance on Compensating Controls

SAQ Instructions and Guidelines documents | Information about all SAQs and their eligibility criteria; How to determine which SAQ is right for your organization

PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms | Descriptions and definitions of terms used in the PCI DSS and self-assessment questionnaires

These and other resources can be found on the PCI SSC website (www.pcisecuritystandards.org).

... order to verify that a requirement has been met. Full details of testing procedures for each requirement can be found in the PCI DSS.

Completing the Self-Assessment Questionnaire

For each question, there is a choice of responses to indicate your company's status regarding that requirement. Only one response should be selected for each question.

A description of the meaning for each response is provided in the table below:

Response | When to use this response:

Yes | The expected testing has been performed, and all elements of the requirement have been met as stated.

Yes with CCW (Compensating Control Worksheet) | The expected testing has been performed, and the requirement has been met with the assistance of a compensating control. All responses in this column require completion of a Compensating Control Worksheet (CCW) in Appendix B of the SAQ. Information on the use of compensating controls and guidance on how to complete the worksheet is provided in the PCI DSS.

No | Some or all elements of the requirement have not been met, or are in the process of being implemented, or require further testing before it will be known if they are in place.

N/A (Not Applicable) | The requirement does not apply to the organization's environment. (See Guidance for Non-Applicability of Certain, Specific Requirements below for examples.) All responses in this column require a supporting explanation in Appendix C of the SAQ.

Guidance for Non-Applicability of Certain, Specific Requirements

If any requirements are deemed not applicable to your environment, select the N/A option for that specific requirement, and complete the "Explanation of Non-Applicability" worksheet in Appendix C for each N/A entry.

Legal Exception

If your organization is subject to a legal restriction that prevents the organization from meeting a PCI DSS requirement, check the "No" column for that requirement and complete the relevant attestation in Part 3.

Section 1: Assessment Information

Instructions for Submission

This document must be completed as a declaration of the results of the merchant's self-assessment with the Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures (PCI DSS

Part 2b: Description of Payment Card Business

How and in what capacity does your business store, process and/or transmit cardholder data?

Part 2c: Locations

List types of facilities (for example, retail outlets, corporate offices, data centers, call centers, etc.) and a summary of locations included in the PCI DSS review.

Type of facility | Number of facilities of this type | Location(s) of facility (city, country)

Example: Retail outlets | 3 | Boston, MA, USA

Part 2d: Payment Application

Does the organization use one or more Payment Applications? Yes / No

Provide the following information regarding the Payment Applications your organization uses:

Payment Application Name | Version Number | Application Vendor | Is application PA-DSS Listed? | PA-DSS Listing Expiry date (if applicable)

| | | Yes / No |
| | | Yes / No |
| | | Yes / No |
| | | Yes / No |
| | | Yes / No |

Part 2e: Description of Environment

Provide a high-level description of the environment covered by this assessment.

For example:
  Connections into and out of the cardholder data environment (CDE

Part 2f: Third-Party Service Providers

Does your company share cardholder data with any third-party service providers (for example, gateways, payment processors, payment service providers (PSP), web-hosting companies, airline booking agents, loyalty program agents, etc.)? Yes / No

If Yes:

Name of service provider: | Description of services provided:

Note: Requirement 12.8 applies to all entities in this list.

Part 2g: Eligibility to Complete SAQ A-EP

Merchant certifies eligibility to complete this shortened version of the Self-Assessment Questionnaire because, for this payment channel:

  Merchant accepts only e-commerce transactions;
  All processing of cardholder data, with the exception of the payment page, is entirely outsourced to a PCI DSS validated third-party payment processor;
  Merchant's e-commerce website does not receive cardholder data but controls how consumers, or their cardholder data, are redirected to a PCI DSS validated third-party payment processor;
  If merchant website is hosted by a third-party provider, the provider is validated to all applicable PCI DSS requirements (e.g., including PCI DSS Appendix A if the provider is a shared hosting provider);
  Each element of the payment page(s) delivered to the consumer's browser originates from either the merchant's website or a PCI DSS compliant service provider(s);
  Merchant does not electronically store, process, or transmit any cardholder data on merchant systems or premises, but relies entirely on a third party(s) to handle all these functions;
  Merchant has confirmed that all third party(s) handling storage, processing, and/or transmission of cardholder data are PCI DSS compliant; and
  Merchant retains only paper reports or receipts with cardholder data, and these documents are not received electronically.

Section 2: Self-Assessment Questionnaire A-EP

Note: The following questions are numbered according to PCI DSS requirements and testing procedures, as defined in the PCI DSS Requirements and Security Assessment Procedures document.

Self-assessment completion date:

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect data

PCI DSS Question | Expected Testing | Response (check one response for each question): Yes | Yes with CCW | No | N/A

1.1.4 (a) Is a firewall required and implemented at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone?
    Expected testing: Review firewall configuration standards; Observe network configurations to verify that a firewall(s) is in place

(b) Is the current network diagram consistent with the firewall configuration standards?
    Expected testing: Compare firewall configuration standards to current network diagram

1.1.6 (a) Do firewall and router configuration standards include a documented list of services, protocols, and ports, including business justification (for example, hypertext transfer protocol (HTTP), Secure Sockets Layer (SSL), Secure Shell (SSH), and

1.2 Do firewall and router configurations restrict connections between untrusted networks and any system in the cardholder data environment, as follows:

Note: An "untrusted network" is any network that is external to the networks belonging to the entity under review, and/or which is out of the entity's ability to control or manage.

1.2.1 (a) Is inbound and outbound traffic restricted to that which is necessary for the cardholder data environment?
    Expected testing: Review firewall and router configuration standards; Examine firewall and router configurations

(b) Is all other inbound and outbound traffic specifically denied (for example, by using an explicit "deny all" or an implicit deny after allow statement)?
    Expected testing: Review firewall and router configuration standards; Examine firewall and router configurations

1.3.4 Are anti-spoofing measures implemented to detect and block forged sourced IP addresses from entering the network?
(For example, block traffic originating from the internet with an internal address.)
    Expected testing: Examine firewall and router configurations

1.3.5 Is outbound traffic from the cardholder data environment to the Internet explicitly authorized?
    Expected testing: Examine firewall and router configurations

1.3.6 Is stateful inspection, also known as dynamic packet filtering, implemented (that is, only established connections are allowed into the network)?
    Expected testing: Examine firewall and router configurations
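As an added example, not part of the SAQ, the Python script below reviews a constructed iptables-save style ruleset for the three firewall properties asked about above: an explicit default deny on every chain (1.2.1), anti-spoofing drops for RFC 1918 source ranges on the Internet-facing interface (1.3.4), and explicitly scoped outbound rules from the CDE (1.3.5). The interface roles (eth0 Internet-facing, eth1 CDE segment) and the sample rules are assumptions.

```python
"""Added example: review an iptables-save style ruleset for the SAQ A-EP
Requirement 1 checks (default deny, anti-spoofing, explicit outbound).
Interface roles and the sample rules are assumptions, not from the SAQ."""
import ipaddress
import shlex

# Constructed sample ruleset. Assumed roles: eth0 faces the Internet, eth1 is the CDE segment.
SAMPLE_RULESET = """
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
-A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i eth1 -o eth0 -p tcp -d 203.0.113.10 --dport 443 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
"""

# Internal address ranges that should never arrive from the Internet (1.3.4).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DENY_TARGETS = {"DROP", "REJECT"}


def parse_ruleset(text):
    """Return (chain policies, rules); each rule is {'chain': str, 'opts': {flag: value}}."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A"):
            toks = shlex.split(line)
            opts, i = {}, 2
            while i < len(toks):
                # A flag followed by a non-flag token takes that token as its value.
                if i + 1 < len(toks) and not toks[i + 1].startswith("-"):
                    opts[toks[i]] = toks[i + 1]
                    i += 2
                else:
                    opts[toks[i]] = True
                    i += 1
            rules.append({"chain": toks[1], "opts": opts})
    return policies, rules


def chains_without_default_deny(policies):
    """1.2.1(b): every chain should end in an explicit deny; report those that do not."""
    return sorted(c for c, p in policies.items() if p not in DENY_TARGETS)


def antispoof_gaps(rules, wan_if):
    """1.3.4: report private ranges with no drop rule for traffic arriving on wan_if."""
    covered = set()
    for r in rules:
        o = r["opts"]
        if o.get("-i") != wan_if or o.get("-j") not in DENY_TARGETS or "-s" not in o:
            continue
        src = ipaddress.ip_network(o["-s"], strict=False)
        covered.update(str(n) for n in PRIVATE_NETS if n.subnet_of(src))
    return [str(n) for n in PRIVATE_NETS if str(n) not in covered]


def unrestricted_outbound(rules, cde_if, wan_if):
    """1.3.5: CDE-to-Internet accepts must name a destination and port, not allow everything."""
    return [r for r in rules
            if r["chain"] == "FORWARD" and r["opts"].get("-i") == cde_if
            and r["opts"].get("-o") == wan_if and r["opts"].get("-j") == "ACCEPT"
            and not ("-d" in r["opts"] and "--dport" in r["opts"])]


def review(text, wan_if="eth0", cde_if="eth1"):
    """Run all three checks and return the findings as one dictionary."""
    policies, rules = parse_ruleset(text)
    return {
        "no_default_deny": chains_without_default_deny(policies),
        "antispoof_gaps": antispoof_gaps(rules, wan_if),
        "unrestricted_outbound": len(unrestricted_outbound(rules, cde_if, wan_if)),
    }


if __name__ == "__main__":
    for check, result in review(SAMPLE_RULESET).items():
        print(f"{check}: {result}")
```

On the sample, the OUTPUT chain lacks a default deny, 172.16.0.0/12 has no anti-spoofing rule, and the final FORWARD rule allows the CDE segment to reach any Internet destination.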

1.3.8 (a) Are methods in place to prevent the disclosure of private IP addresses and routing information to the Internet?

Note: Methods to obscure IP addressing may include, but are not limited to:
  Network Address Translation (NAT

... to protect insecure services such as NetBIOS, file-sharing, Telnet, FTP, etc.

Note: SSL and early TLS are not considered strong cryptography and cannot be used as a security control after 30th June 2016. Prior to this date, existing implementations that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place. Effective immediately, new implementations must not use SSL or early TLS.

POS POI terminals (and the SSL/TLS termination points to which they connect) that can be verified as not being susceptible to any known exploits for SSL and early TLS may continue using these as a security control after 30th June 2016.

    Expected testing: Review configuration standards; Examine configuration settings
    If SSL/early TLS is used: Review documentation that verifies POS POI devices are not susceptible to any known exploits for SSL/early TLS, and/or Review Risk Mitigation and Migration Plan

2.2.4 (a) Are system administrators and/or personnel that configure system components knowledgeable about common security parameter settings for those system components?
    Expected testing: Interview personnel

(b) Are common system security parameters settings included in the system configuration standards?
    Expected testing: Review system configuration standards

(c) Are security parameter settings set appropriately on system components?
    Expected testing: Examine system components; Examine security parameter settings; Compare settings to system configuration standards

2.2.5 (a) Has all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers, been removed?
    Expected testing: Examine security parameters on system components

(b) Are enabled functions documented and do they support secure configuration?
    Expected testing: Review documentation; Examine security parameters on system components

(c) Is only documented functionality present on system components?
    Expected testing: Review documentation; Examine security parameters on system components

2.3 Is non-console administrative access encrypted as follows:

Use technologies such as SSH, VPN, or TLS for web-based management and other non-console administrative access.

Note: SSL and early TLS are not considered strong cryptography and cannot be used as a security control after 30th June 2016. Prior to this date, existing implementations that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place. Effective immediately, new implementations must not use SSL or early TLS.

POS POI terminals (and the SSL/TLS termination points to which they connect) that can be verified as not being susceptible to any known exploits for SSL and early TLS may continue using these as a security control after 30th June 2016.

(a) Is all non-console administrative access encrypted with strong cryptography, and is a strong encryption method invoked before the administrator's password is requested?
    Expected testing: Examine system components; Examine system configurations; Observe an administrator log on

(b) Are system services and parameter files configured to prevent the use of Telnet and other insecure remote login commands?
    Expected testing: Examine system components; Examine services and files

(c) Is administrator access to web-based management interfaces encrypted with strong cryptography?
    Expected testing: Examine system components; Observe an administrator log on

(d) For the technology in use, is strong cryptography implemented according to industry best practice and/or vendor recommendations?
    Expected testing: Examine system components; Review vendor documentation; Interview personnel

(e) For POS POI terminals (and the SSL/TLS termination points to which they connect) using SSL and/or early TLS, and for which the entity asserts are not susceptible to any known exploits for those protocols:
Is there documentation (for example, vendor documentation, system/network configuration details, etc.) that verifies the devices are not susceptible to any known exploits for SSL/early TLS?
    Expected testing: Review documentation that verifies POS POI devices are not susceptible to any known exploits for SSL/early TLS

(f) For all other environments using SSL and/or early TLS:
Does the documented Risk Mitigation and Migration Plan include the following?
  Description of usage, including: what data is being transmitted, types and number of systems that use and/or support SSL/early TLS, type of environment;
  Risk assessment results and risk reduction controls in place;
  Description of processes to monitor for new vulnerabilities associated with SSL/early TLS;
  Description of change control processes that are implemented to ensure SSL/early TLS is not implemented into new environments;
  Overview of migration project plan including target migration completion date no later than 30th June 2016.
    Expected testing: Review Risk Mitigation and Migration Plan

Protect Cardholder Data

Requirement 3: Protect stored cardholder data

3.2 (c) Is sensitive authentication data deleted or rendered unrecoverable upon completion of the authorization process?
    Expected testing: Review policies and procedures; Examine system configurations; Examine deletion processes

(d) Do all systems adhere to the following requirements regarding non-storage of sensitive authentication data after authorization (even if encrypted):

3.2.2 The card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) is not stored after authorization?
    Expected testing: Examine data sources, including: Incoming transaction data; All logs; History files; Trace files; Database schema; Database contents

3.2.3 The personal identification number (PIN) or the encrypted PIN block is not stored after authorization?
    Expected testing: Examine data sources, including: Incoming transaction data; All logs; History files; Trace files; Database schema; Database contents

Requirement 4: Encrypt transmission of cardholder data across open, public networks

4.1 (a) Are strong cryptography and security protocols, such as TLS, SSH or IPSEC, used to safeguard sensitive cardholder data during transmission over open, public networks?

Examples of open, public networks include but are not limited to the Internet; wireless technologies, including 802.11 and Bluetooth; cellular technologies, for example, Global System for Mobile communications (GSM

(d) Is the proper encryption strength implemented for the encryption methodology in use (check vendor recommendations/best practices)?
    Expected testing: Review vendor documentation; Examine system configurations

(e) For TLS implementations, is TLS enabled whenever cardholder data is transmitted or received?
For example, for browser-based implementations: "HTTPS" appears as the browser Universal Record Locator (URL) protocol, and Cardholder data is only requested if "HTTPS" appears as part of the URL.
    Expected testing: Examine system configurations

(f) For POS POI terminals (and the SSL/TLS termination points to which they connect) using SSL and/or early TLS, and for which the entity asserts are not susceptible to any known exploits for those protocols:
Is there documentation (for example, vendor documentation, system/network configuration details, etc.) that verifies the devices are not susceptible to any known exploits for SSL/early TLS?
    Expected testing: Review documentation that verifies POS POI devices are not susceptible to any known exploits for SSL/early TLS
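As an added example, not the SAQ's own material, this Python script applies two of the conditions above to a constructed payment page: the Part 2g eligibility condition that every element delivered to the consumer's browser originates from the merchant's website or a PCI DSS compliant service provider, and 4.1(e)'s expectation that cardholder data is only requested over HTTPS. The page URL, the approved provider host and the HTML are assumptions.

```python
"""Added example: list the origins a payment page pulls content from and
flag any element or form submission that is not over HTTPS. Page URL,
approved provider host and the HTML are constructed, not from the SAQ."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

PAGE_URL = "https://shop.example/checkout"          # assumed merchant payment page
APPROVED_HOSTS = {"pay.psp-example.com"}             # assumed PCI DSS compliant PSP

# Constructed page: merchant script and stylesheet, PSP script and iframe,
# a third-party tag, a card form posting over plain HTTP, an HTTP image.
SAMPLE_PAGE = """<html><head>
<script src="/static/checkout.js"></script>
<script src="https://pay.psp-example.com/fields.js"></script>
<script src="https://cdn.analytics-example.net/tag.js"></script>
<link rel="stylesheet" href="/static/checkout.css">
</head><body>
<iframe src="https://pay.psp-example.com/hosted-fields"></iframe>
<form id="card" action="http://pay.psp-example.com/submit" method="post">
  <input name="card_number"><input name="expiry"><input name="cvv">
</form>
<img src="http://shop.example/img/lock.png">
</body></html>"""

# Tags whose attribute names a URL the browser will fetch or submit to.
RESOURCE_ATTRS = {"script": "src", "iframe": "src", "img": "src",
                  "link": "href", "form": "action"}


class PaymentPageParser(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.elements = []      # (tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value:
            # Relative references resolve against the page itself.
            self.elements.append((tag, urljoin(self.page_url, value)))


def review_payment_page(html, page_url, approved_hosts):
    """Return findings as (kind, tag, url). 'unapproved-origin' covers the Part 2g
    eligibility condition; 'not-https' covers 4.1(e)."""
    parser = PaymentPageParser(page_url)
    parser.feed(html)
    own_host = urlsplit(page_url).hostname
    findings = []
    for tag, url in parser.elements:
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append(("not-https", tag, url))
        if parts.hostname not in approved_hosts | {own_host}:
            findings.append(("unapproved-origin", tag, url))
    return findings


def element_hosts(html, page_url):
    """Distinct hosts the page delivers content from (input to the Part 2f provider list)."""
    parser = PaymentPageParser(page_url)
    parser.feed(html)
    return sorted({urlsplit(url).hostname for _, url in parser.elements})


if __name__ == "__main__":
    print("hosts:", element_hosts(SAMPLE_PAGE, PAGE_URL))
    for finding in review_payment_page(SAMPLE_PAGE, PAGE_URL, APPROVED_HOSTS):
        print(*finding)
```

The form posting card fields over plain HTTP is the finding that matters most for 4.1(e); the third-party tag is the one Part 2g asks the merchant to account for.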

(g) For all other environments using SSL and/or early TLS:
Does the documented Risk Mitigation and Migration Plan include the following?
  Description of usage, including: what data is being transmitted, types and number of systems that use and/or support SSL/early TLS, type of environment;
  Risk assessment results and risk reduction controls in place;
  Description of processes to monitor for new vulnerabilities associated with SSL/early TLS;
  Description of change control processes that are implemented to ensure SSL/early TLS is not implemented into new environments;
  Overview of migration project plan including target migration completion date no later than 30th June 2016.
    Expected testing: Review Risk Mitigation and Migration Plan

4.2 (b) Are policies in place that state that unprotected PANs are not to be sent via end-user messaging technologies?
    Expected testing: Review policies and procedures

Maintain a Vulnerability Management Program

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs

5.1 Is anti-virus software deployed on all systems commonly affected by malicious software?
    Expected testing: Examine system configurations

5.1.1 Are anti-virus programs capable of detecting, removing, and protecting against all known types of malicious software (for example, viruses, Trojans, worms, spyware, adware, and rootkits)?
    Expected testing: Review vendor documentation; Examine system configurations

5.1.2 Are periodic evaluations performed to identify and evaluate evolving malware threats in order to confirm whether those systems considered to not be commonly affected by malicious software continue as such?
    Expected testing: Interview personnel

5.2 Are all anti-virus mechanisms maintained as follows:

(a) Are all anti-virus software and definitions kept current?
    Expected testing: Examine policies and procedures; Examine anti-virus configurations, including the master installation; Examine system components

(b) Are automatic updates and periodic scans enabled and being performed?
    Expected testing: Examine anti-virus configurations, including the master installation; Examine system components

(c) Are all anti-virus mechanisms generating audit logs, and are logs retained in accordance with PCI DSS Requirement 10.7?
    Expected testing: Examine anti-virus configurations; Review log retention processes

5.3 Are all anti-virus mechanisms:
  Actively running?
  Unable to be disabled or altered by users?

Note: Anti-virus solutions may be temporarily disabled only if there is legitimate technical need, as authorized by management on a case-by-case basis. If anti-virus protection needs to be disabled for a specific purpose, it must be formally authorized. Additional security measures may also need to be implemented for the period of time during which anti-virus protection is not active.
    Expected testing: Examine anti-virus configurations; Examine system components; Observe processes; Interview personnel

Requirement 6: Develop and maintain secure systems and applications

6.1 Is there a process to identify security vulnerabilities, including the following:
  Using reputable outside sources for vulnerability information?
  Assigning a risk ranking to vulnerabilities that includes identification of all "high risk" and "critical" vulnerabilities?

Note: Risk rankings should be based on industry best practices as well as consideration of potential impact. For example, criteria for ranking vulnerabilities may include consideration of the CVSS base score, and/or the classification by the vendor, and/or type of systems affected.

Methods for evaluating vulnerabilities and assigning risk ratings will vary based on an organization's environment and risk assessment strategy. Risk rankings should, at a minimum, identify all vulnerabilities considered to be a "high risk" to the environment. In addition to the risk ranking, vulnerabilities may be considered "critical" if they pose an imminent threat to the environment, impact critical systems, and/or would result in a potential compromise if not addressed. Examples of critical systems may include security systems, public-facing devices and systems, databases, and other systems that store, process, or transmit cardholder data.
    Expected testing: Review policies and procedures; Interview personnel; Observe processes

6.2 (a) Are all system components and software protected from known vulnerabilities by installing applicable vendor-supplied security patches?
    Expected testing: Review policies and procedures

(b) Are critical security patches installed within one month of release?

Note: Critical security patches should be identified according to the risk ranking process defined in Requirement 6.1.
    Expected testing: Review policies and procedures; Examine system components; Compare list of security patches installed to recent vendor patch lists

    .4.5 a Are #%an)e$#ontrol "ro#edures (or i!"le!entin)

    se#urity "at#%es and so(tware !odi(i#ations

    do#u!ented and reuire t%e (ollowin)H

    o#u!entation o( i!"a#t

    o#u!ented #%an)e #ontrol

    a""roval by aut%ori@ed "arties

    Fun#tionality testin) to veri(y t%at

    t%e #%an)e does not adversely i!"a#t t%e

    se#urity o( t%e syste!

    Ca#B$out "ro#edures

    Review #%an)e #ontrol "ro#esses

    and "ro#edures

    &!' Are t%e (ollowin) "er(or!ed and do#u!ented (or

    all #%an)es

    .4.5.1 o#u!entation o( i!"a#tH 8ra#e #%an)es to #%an)e #ontrol

    do#u!entation

    a!ine #%an)e #ontrol

    do#u!entation

    .4.5.2 o#u!ented a""roval by aut%ori@ed "artiesH 8ra#e #%an)es to #%an)e #ontrol

    do#u!entation

    a!ine #%an)e #ontrol

    do#u!entation

    .4.5.3 a Fun#tionality testin) to veri(y t%at t%e #%an)e

    does not adversely i!"a#t t%e se#urity o( t%e

    syste!H

    8ra#e #%an)es to #%an)e #ontrol

    do#u!entation

    a!ine #%an)e #ontrol

    do#u!entation


        (b) For custom code changes, testing of updates for compliance with PCI DSS Requirement 6.5 before being deployed into production?
        Expected Testing: Trace changes to change control documentation; Examine change control documentation

    6.4.5.4 Back-out procedures?
        Expected Testing: Trace changes to change control documentation; Examine change control documentation

    6.5 (a) Are applications developed based on secure coding guidelines to protect applications from, at a minimum, the following vulnerabilities:

    6.5.1 Do coding techniques address injection flaws, particularly SQL injection?
        Note: Also consider OS Command Injection, LDAP and XPath injection flaws as well as other injection flaws.
        Expected Testing: Examine software-development policies and procedures; Interview responsible personnel

    6.5.2 Do coding techniques address buffer overflow vulnerabilities?
        Expected Testing: Examine software-development policies and procedures; Interview responsible personnel

    For web applications and application interfaces (internal or external), are applications developed based on secure coding guidelines to protect applications from the following additional vulnerabilities:

    6.5.7 Do coding techniques address cross-site scripting (XSS) vulnerabilities?
        Expected Testing: Examine software-development policies and procedures; Interview responsible personnel

    6.5.8 Do coding techniques address improper access control, such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions?
        Expected Testing: Examine software-development policies and procedures; Interview responsible personnel

    6.5.9 Do coding techniques address cross-site request forgery (CSRF)?
        Expected Testing: Examine software-development policies and procedures; Interview responsible personnel


    6.5.10 Do coding techniques address broken authentication and session management?
        Expected Testing: Examine software-development policies and procedures; Interview responsible personnel


    . For "ubli#$(a#in) web a""li#ations are new t%reats

    and vulnerabilities addressed on an on)oin) basis

    and are t%ese a""li#ations "rote#ted a)ainst Bnown

    atta#Bs by a""lyin) eithero( t%e (ollowin) !et%odsH

    Reviewin) "ubli#$(a#in) web a""li#ations via

    !anual or auto!ated a""li#ation vulnerabilityse#urity assess!ent tools or !et%ods as (ollows

    - At least annually

    - A(ter any #%an)es

    - Cy an or)ani@ation t%at s"e#iali@es in a""li#ation

    se#urity

    - 8%at at a !ini!u! all vulnerabilities in Reuire!ent

    .5 are in#luded in t%e assess!ent

    - 8%at all vulnerabilities are #orre#ted

    - 8%at t%e a""li#ation is re$evaluated a(ter t%e

    #orre#tions

    Note/ his assessment is not the same as the

    vu#nerai#ity s(ans ,erforme) for !euirement 11.$.

    9 >%9 -nstallin) an auto!ated te#%ni#al solution t%at

    dete#ts and "revents web$based atta#Bs &(or

    ea!"le a web$a""li#ation (irewall' as (ollows

    - -s situated in (ront o( "ubli#$(a#in) web a""li#ations to

    dete#t and "revent web$based atta#Bs.

    - -s a#tively runnin) and u" to date as a""li#able.

    - -s )eneratin) audit lo)s.

    - -s #on(i)ured to eit%er blo#B web$based atta#Bs or

    )enerate an alert t%at is i!!ediately investi)ated.

    Review do#u!ented "ro#esses

    -nterview "ersonnel

    a!ine re#ords o( a""li#ation

    se#urity assess!ents

    a!ine syste! #on(i)uration

    settin)s


    Implement Strong Access Control Measures

    Requirement 7: Restrict access to cardholder data by business need to know

    PCI DSS Question | Expected Testing | Response (check one response for each question): Yes / Yes with CCW / No / N/A

    7.1 Is access to system components and cardholder data limited to only those individuals whose jobs require such access, as follows:

    7.1.2 Is access to privileged user IDs restricted as follows:
        - To least privileges necessary to perform job responsibilities?
        - Assigned only to roles that specifically require that privileged access?
        Expected Testing: Examine written access control policy; Interview personnel; Interview management; Review privileged user IDs

    7.1.3 Is access assigned based on individual personnel's job classification and function?
        Expected Testing: Examine written access control policy; Interview management; Review user IDs


    Requirement 8: Identify and authenticate access to system components

    PCI DSS Question | Expected Testing | Response (check one response for each question): Yes / Yes with CCW / No / N/A

    8.1.1 Are all users assigned a unique ID before allowing them to access system components or cardholder data?
        Expected Testing: Review password procedures; Interview personnel

    8.1.3 Is access for any terminated users immediately deactivated or removed?
        Expected Testing: Review password procedures; Examine terminated users' accounts; Review current access lists; Observe returned physical authentication devices

    8.1.5 (a) Are accounts used by vendors to access, support, or maintain system components via remote access enabled only during the time period needed and disabled when not in use?
        Expected Testing: Review password procedures; Interview personnel; Observe processes
        (b) Are vendor remote access accounts monitored when in use?
        Expected Testing: Interview personnel; Observe processes

    8.1.6 (a) Are repeated access attempts limited by locking out the user ID after no more than six attempts?
        Expected Testing: Review password procedures; Examine system configuration settings

    8.1.7 Once a user account is locked out, is the lockout duration set to a minimum of 30 minutes or until an administrator enables the user ID?
        Expected Testing: Review password procedures; Examine system configuration settings

    8.2 In addition to assigning a unique ID, is one or more of the following methods employed to authenticate all users?
        - Something you know, such as a password or passphrase
        - Something you have, such as a token device or smart card
        - Something you are, such as a biometric
        Expected Testing: Review password procedures; Observe authentication processes


    8.2.1 (a) Is strong cryptography used to render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components?
        Expected Testing: Review password procedures; Review vendor documentation; Examine system configuration settings; Observe password files; Observe data transmissions

    8.2.3 (a) Are user password parameters configured to require passwords/passphrases meet the following?
        - A minimum password length of at least seven characters
        - Contain both numeric and alphabetic characters
        Alternatively, the passwords/phrases must have complexity and strength at least equivalent to the parameters specified above.
        Expected Testing: Examine system configuration settings to verify password parameters

    8.2.4 (a) Are user passwords/passphrases changed at least once every 90 days?
        Expected Testing: Review password procedures; Examine system configuration settings

    8.2.5 (a) Must an individual submit a new password/phrase that is different from any of the last four passwords/phrases he or she has used?
        Expected Testing: Review password procedures; Sample system components; Examine system configuration settings

    8.2.6 Are passwords/phrases set to a unique value for each user for first-time use and upon reset, and must each user change their password immediately after the first use?
        Expected Testing: Review password procedures; Examine system configuration settings; Observe security personnel
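    The thresholds in 8.1.6, 8.1.7, 8.2.1, 8.2.3 and 8.2.5 above are what an assessor examines in system configuration; the Python below is an added example (not PCI SSC or questionnaire material) of one way an application could enforce them. The class name AuthPolicy, epoch-second timestamps and PBKDF2 storage of the password history are this example's own assumptions.

```python
"""Added example (not PCI SSC text or code): an account-lockout state machine and
password-parameter checks that follow the thresholds in SAQ A-EP Requirements
8.1.6, 8.1.7, 8.2.3 and 8.2.5. Timestamps are plain epoch seconds; credential
history is kept only as salted PBKDF2 digests, in the spirit of 8.2.1."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_FAILED_ATTEMPTS = 6       # 8.1.6: lock the ID after no more than six attempts
LOCKOUT_SECONDS = 30 * 60     # 8.1.7: locked for a minimum of 30 minutes
MIN_PASSWORD_LENGTH = 7       # 8.2.3: at least seven characters
PASSWORD_HISTORY_DEPTH = 4    # 8.2.5: must differ from the last four
PBKDF2_ITERATIONS = 100_000   # 8.2.1: never retain the credential itself


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_at: Optional[float] = None
    # (salt, digest) pairs, most recent last
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def password_meets_parameters(password: str) -> bool:
    """8.2.3: minimum seven characters containing both letters and digits."""
    return (len(password) >= MIN_PASSWORD_LENGTH
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


class AuthPolicy:
    """Per-user-ID lockout tracking plus password rules (hypothetical class)."""

    def __init__(self) -> None:
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user_id: str) -> AccountState:
        return self.accounts.setdefault(user_id, AccountState())

    def is_locked(self, user_id: str, now: float) -> bool:
        st = self._state(user_id)
        if st.locked_at is None:
            return False
        if now - st.locked_at >= LOCKOUT_SECONDS:
            # 8.1.7: the lockout may lapse once 30 minutes have passed
            st.locked_at = None
            st.failed_attempts = 0
            return False
        return True

    def record_failure(self, user_id: str, now: float) -> bool:
        """Register an invalid attempt; return True if the ID is now locked."""
        st = self._state(user_id)
        if self.is_locked(user_id, now):
            return True
        st.failed_attempts += 1
        if st.failed_attempts >= MAX_FAILED_ATTEMPTS:
            st.locked_at = now
            return True
        return False

    def record_success(self, user_id: str, now: float) -> bool:
        """A correct credential only counts while the ID is not locked."""
        if self.is_locked(user_id, now):
            return False
        self._state(user_id).failed_attempts = 0
        return True

    def admin_unlock(self, user_id: str) -> None:
        """8.1.7 alternative: an administrator re-enables the user ID."""
        st = self._state(user_id)
        st.locked_at = None
        st.failed_attempts = 0

    def set_password(self, user_id: str, new_password: str) -> bool:
        """Apply 8.2.3 (length/composition) and 8.2.5 (no reuse of the last four)."""
        if not password_meets_parameters(new_password):
            return False
        st = self._state(user_id)
        for salt, digest in st.history[-PASSWORD_HISTORY_DEPTH:]:
            if hmac.compare_digest(_digest(new_password, salt), digest):
                return False
        salt = os.urandom(16)
        st.history.append((salt, _digest(new_password, salt)))
        return True
```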


    8.3 Is two-factor authentication incorporated for remote network access originating from outside the network by personnel (including users and administrators) and all third parties (including vendor access for support or maintenance)?
        Note: Two-factor authentication requires that two of the three authentication methods (see PCI DSS Requirement 8.2 for descriptions of authentication methods) be used for authentication. Using one factor twice (for example, using two separate passwords) is not considered two-factor authentication.
        Examples of two-factor technologies include remote authentication and dial-in service (RADIUS) with tokens; terminal access controller access control system (TACACS) with tokens; and other technologies that facilitate two-factor authentication.
        Expected Testing: Review policies and procedures; Examine system configurations; Observe personnel

    8.5 Are group, shared, or generic accounts, passwords, or other authentication methods prohibited as follows:
        - Generic user IDs and accounts are disabled or removed;
        - Shared user IDs for system administration activities and other critical functions do not exist; and
        - Shared and generic user IDs are not used to administer any system components?
        Expected Testing: Review policies and procedures; Examine user ID lists; Interview personnel

    8.6 Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, and certificates, etc.), is the use of these mechanisms assigned as follows?
        - Authentication mechanisms must be assigned to an individual account and not shared among multiple accounts
        - Physical and/or logical controls must be in place to ensure only the intended account can use that mechanism to gain access
        Expected Testing: Review policies and procedures; Interview personnel; Examine system configuration settings and/or physical controls


    Requirement 9: Restrict physical access to cardholder data

    PCI DSS Question | Expected Testing | Response (check one response for each question): Yes / Yes with CCW / No / N/A

    9.1 Are appropriate facility entry controls in place to limit and monitor physical access to systems in the cardholder data environment?
        Expected Testing: Observe physical access controls; Observe personnel

    9.5 Are all media physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes)?
        For purposes of Requirement 9, "media" refers to all paper and electronic media containing cardholder data.
        Expected Testing: Review policies and procedures for physically securing media; Interview personnel

    9.6 (a) Is strict control maintained over the internal or external distribution of any kind of media?
        Expected Testing: Review policies and procedures for distribution of media
        (b) Do controls include the following:

    9.6.1 Is media classified so the sensitivity of the data can be determined?
        Expected Testing: Review policies and procedures for media classification; Interview security personnel

    9.6.2 Is media sent by secured courier or other delivery method that can be accurately tracked?
        Expected Testing: Interview personnel; Examine media distribution tracking logs and documentation

    9.6.3 Is management approval obtained prior to moving the media (especially when media is distributed to individuals)?
        Expected Testing: Interview personnel; Examine media distribution tracking logs and documentation

    9.7 Is strict control maintained over the storage and accessibility of media?
        Expected Testing: Review policies and procedures

    9.8 (a) Is all media destroyed when it is no longer needed for business or legal reasons?
        Expected Testing: Review periodic media destruction policies and procedures
        (b) Is media destruction performed as follows:


    9.8.1 (a) Are hardcopy materials cross-cut shredded, incinerated, or pulped so that cardholder data cannot be reconstructed?
        Expected Testing: Review periodic media destruction policies and procedures; Interview personnel; Observe processes
        (b) Are storage containers used for materials that contain information to be destroyed secured to prevent access to the contents?
        Expected Testing: Examine security of storage containers


    Regularly Monitor and Test Networks

    Requirement 10: Track and monitor all access to network resources and cardholder data

    PCI DSS Question | Expected Testing | Response (check one response for each question): Yes / Yes with CCW / No / N/A

    10.2 Are automated audit trails implemented for all system components to reconstruct the following events:

    10.2.2 All actions taken by any individual with root or administrative privileges?
        Expected Testing: Interview personnel; Observe audit logs; Examine audit log settings

    10.2.4 Invalid logical access attempts?
        Expected Testing: Interview personnel; Observe audit logs; Examine audit log settings

    10.2.5 Use of and changes to identification and authentication mechanisms (including but not limited to creation of new accounts and elevation of privileges), and all changes, additions, or deletions to accounts with root or administrative privileges?
        Expected Testing: Interview personnel; Observe audit logs; Examine audit log settings

    10.3 Are the following audit trail entries recorded for all system components for each event:

    10.3.1 User identification?
        Expected Testing: Interview personnel; Observe audit logs; Examine audit log settings

    10.3.2 Type of event?
        Expected Testing: Interview personnel; Observe audit logs; Examine audit log settings

    10.3.3 Date and time?
        Expected Testing: Interview personnel; Observe audit logs; Examine audit log settings


    10.3.4 Success or failure indication?
        Expected Testing: Interview personnel; Observe audit logs; Examine audit log settings

    10.3.5 Origination of event?
        Expected Testing: Interview personnel; Observe audit logs; Examine audit log settings

    10.3.6 Identity or name of affected data, system component, or resource?
        Expected Testing: Interview personnel; Observe audit logs; Examine audit log settings

    10.5.4 Are logs for external-facing technologies (for example, wireless, firewalls, DNS, mail) written onto a secure, centralized, internal log server or media?
        Expected Testing: Interview system administrators; Examine system configurations and permissions

    10.6 Are logs and security events for all system components reviewed to identify anomalies or suspicious activity as follows?
        Note: Log harvesting, parsing, and alerting tools may be used to achieve compliance with Requirement 10.6.


    10.6.1 (b) Are the following logs and security events reviewed at least daily, either manually or via log tools?
        - All security events
        - Logs of all system components that store, process, or transmit CHD and/or SAD
        - Logs of all critical system components
        - Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.)
        Expected Testing: Review security policies and procedures; Observe processes; Interview personnel

    10.6.2 (b) Are logs of all other system components periodically reviewed, either manually or via log tools, based on the organization's policies and risk management strategy?
        Expected Testing: Review security policies and procedures; Review risk assessment documentation; Interview personnel

    10.6.3 (b) Is follow up to exceptions and anomalies identified during the review process performed?
        Expected Testing: Review security policies and procedures; Observe processes; Interview personnel

    10.7 (b) Are audit logs retained for at least one year?
        Expected Testing: Review security policies and procedures; Interview personnel; Examine audit logs
        (c) Are at least the last three months' logs immediately available for analysis?
        Expected Testing: Interview personnel; Observe processes


    Requirement 11: Regularly test security systems and processes

    PCI DSS Question | Expected Testing | Response (check one response for each question): Yes / Yes with CCW / No / N/A

    11.2.2 (a) Are quarterly external vulnerability scans performed?
        Note: Quarterly external vulnerability scans must be performed by an Approved Scanning Vendor (ASV


    11.3 Does the penetration-testing methodology include the following?
        - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115)
        - Includes coverage for the entire CDE perimeter and critical systems
        - Includes testing from both inside and outside the network
        - Includes testing to validate any segmentation and scope-reduction controls
        - Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5
        - Defines network-layer penetration tests to include components that support network functions as well as operating systems
        - Includes review and consideration of threats and vulnerabilities experienced in the last 12 months
        - Specifies retention of penetration testing results and remediation activities results
        Expected Testing: Examine penetration-testing methodology; Interview responsible personnel

    11.3.1 (a) Is external penetration testing performed per the defined methodology at least annually and after any significant infrastructure or application changes to the environment (such as an operating system upgrade, a sub-network added to the environment, or an added web server)?
        Expected Testing: Examine scope of work; Examine results from the most recent external penetration test
        (b) Are tests performed by a qualified internal resource or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or AS


    11.3.3 Are exploitable vulnerabilities found during penetration testing corrected, followed by repeated testing to verify the corrections?
        Expected Testing: Examine penetration testing results

    11.3.4 If segmentation is used to isolate the CDE from other networks:
        (a) Are penetration-testing procedures defined to test all segmentation methods, to confirm they are operational and effective, and isolate all out-of-scope systems from systems in the CDE?
        Expected Testing: Examine segmentation controls; Review penetration-testing methodology
        (b) Does penetration testing to verify segmentation controls meet the following?
        - Performed at least annually and after any changes to segmentation controls/methods
        - Covers all segmentation controls/methods in use


    11.5 (a) Is a change-detection mechanism (for example, file-integrity monitoring tools) deployed within the cardholder data environment to detect unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files?
        Examples of files that should be monitored include:
        - System executables
        - Application executables
        - Configuration and parameter files
        - Centrally stored, historical or archived, log and audit files
        - Additional critical files determined by entity (for example, through risk assessment or other means

    2. Objective: Define the objective of the original control; identify the objective met by the compensating control.
    3. Identified Risk: Identify any additional risk posed by the lack of the original control.
    4. Definition of Compensating Controls: Define the compensating controls and explain how they address the objectives of the original control and the increased risk, if any.
    5. Validation of Compensating Controls: Define how the compensating controls were validated and tested.
    6. Maintenance: Define process and controls in place to maintain compensating controls.


    Appendix C: Explanation of Non-Applicability

    If the "N/A" (Not Applicable) column was checked in the questionnaire, use this worksheet to explain why the related requirement is not applicable to your organization.

    Requirement | Reason Requirement is Not Applicable
    Example: 3.4 | Cardholder data is never stored electronically


    Section 3: Validation and Attestation Details

    Part 3. PCI DSS Validation

    Based on the results noted in the SAQ A-EP dated (completion date
    NON-COMPLIANT rating, thereby (Merchant Company Name


    Part !a" Ac6nowled$ement of Status ontinued'

    No eviden#e o( (ull tra#B data0 +Aame/ it#e/

    Part !c" QSA Ac6nowled$ement (if applicale)

    -( a QSA was involved or assisted wit% t%is

    assess!ent des#ribe t%e role "er(or!ed

    Signature of Du#y Authori?e) ffi(er of QSA Com,any Date/

    Du#y Authori?e) ffi(er>ame/ QSA Com,any/

    Part !d" ISA Ac6nowled$ement (if applicale)

    -( a -SA was involved or assisted wit% t%is

    assess!ent des#ribe t%e role "er(or!ed

    Signature of ISA Date/

    ISA >ame/ it#e/

    0ata en#oded in t%e !a)neti# stri"e or euivalent data on a #%i" used (or aut%ori@ation durin) a #ard$"resent transa#tion. ntities!ay not retain (ull tra#B data a(ter transa#tion aut%ori@ation. 8%e only ele!ents o( tra#B data t%at !ay be retained are "ri!ary

    a##ount nu!ber &,AN' e"iration date and #ard%older na!e.

    08%e t%ree$ or (our$di)it value "rinted by t%e si)nature "anel or on t%e (a#e o( a "ay!ent #ard used to veri(y #ard$not$"resenttransa#tions.

    0,ersonal identi(i#ation nu!ber entered by #ard%older durin) a #ard$"resent transa#tion and/or en#ry"ted ,-N blo#B "resent wit%int%e transa#tion !essa)e.


    Part 4" Action Plan for on-Compliant %e/uirements

    Sele#t t%e a""ro"riate res"onse (or +o!"liant to ,+- SS Reuire!ents (or ea#% reuire!ent. -( you

    answer No to any o( t%e reuire!ents you !ay be reuired to "rovide t%e date your +o!"any e"e#ts to

    be #o!"liant wit% t%e reuire!ent and a brie( des#ri"tion o( t%e a#tions bein) taBen to !eet t%e reuire!ent.

    Che(4 ith your a(uirer or the ,ayment ran);s< efore (om,#eting Part .

    PCI DSS

    %e/uirementDescription of %e/uirement

    Compliant to PCI

    DSS %e/uirements

    &Sele#t ;ne'

    %emediation Date and Actions

    &-( N; sele#ted (or any

    Reuire!ent'*ES >

    1

    -nstall and !aintain a (irewall

    #on(i)uration to "rote#t

    #ard%older data

    2 o not use vendor$su""lied

    de(aults (or syste! "asswords

    and ot%er se#urity "ara!eters

    3 ,rote#t stored #ard%older data

    4

    n#ry"t trans!ission o(

    #ard%older data a#ross o"en

    "ubli# networBs

    5

    ,rote#t all syste!s a)ainst

    !alware and re)ularly u"date

    anti$virus so(tware or "ro)ra!s

    evelo" and !aintain se#ure

    syste!s and a""li#ations

    LRestri#t a##ess to #ard%older

    data by business need to Bnow

    K-denti(y and aut%enti#ate a##ess

    to syste! #o!"onents

    Restri#t "%ysi#al a##ess to

    #ard%older data

    10

    8ra#B and !onitor all a##ess to

    networB resour#es and

    #ard%older data

    11Re)ularly test se#urity syste!s

    and "ro#esses

    12

    Gaintain a "oli#y t%at addresses

    in(or!ation se#urity (or all"ersonnel

    L PCI DSS !euirements in)i(ate) here refer to the uestions in Se(tion $ of the SAQ.

