7/24/2019 Pci Dss v3-1 Saq a-ep Rev1-1
Payment Card Industry (PCI) Data Security Standard
Self-Assessment Questionnaire A-EP and Attestation of Compliance
Partially Outsourced E-commerce Merchants Using a Third-Party Website for Payment Processing
For use with PCI DSS Version 3.1
Revision 1.1
July 2015
Document Changes

Date | PCI DSS Version | SAQ Revision | Description
N/A | 1.0 | | Not used.
N/A | 2.0 | | Not used.
February 2014 | 3.0 | | New SAQ to address requirements applicable to e-commerce merchants with a website(s) that does not itself receive cardholder data but which does affect the security of the payment transaction and/or the integrity of the page that accepts the consumer's cardholder data. Content aligns with PCI DSS v3.0 requirements and testing procedures.
April 2015 | 3.1 | | Updated to align with PCI DSS v3.1. For details of PCI DSS changes, see PCI DSS Summary of Changes from PCI DSS Version 3.0 to 3.1.
June 2015 | 3.1 | | Update Requirement 11.3 to fix error.
July 2015 | 3.1 | 1.1 | Updated to remove references to best practices prior to June 30, 2015, and remove the PCI DSS v2 reporting option for Requirement 11.3.
PCI DSS v3.1 SAQ A-EP, Rev. 1.1 July 2015
© 2006-2015 PCI Security Standards Council, LLC. All Rights Reserved. Page 1
Table of Contents

Document Changes
Before You Begin
PCI DSS Self-Assessment Completion Steps
Understanding the Self-Assessment Questionnaire
Expected Testing
Completing the Self-Assessment Questionnaire
Guidance for Non-Applicability of Certain, Specific Requirements
Legal Exception
Section 1: Assessment Information
Section 2: Self-Assessment Questionnaire A-EP
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need to know
Requirement 8: Identify and authenticate access to system components
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security for all personnel
Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers
Appendix B: Compensating Controls Worksheet

Guidance on Compensating Controls
SAQ Instructions and Guidelines documents | Information about all SAQs and their eligibility criteria; How to determine which SAQ is right for your organization
PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms | Descriptions and definitions of terms used in the PCI DSS and self-assessment questionnaires
These and other resources can be found on the PCI SSC website (www.pcisecuritystandards.org).
order to verify that a requirement has been met. Full details of testing procedures for each requirement can be found in the PCI DSS.

Completing the Self-Assessment Questionnaire
For each question, there is a choice of responses to indicate your company's status regarding that requirement. Only one response should be selected for each question.
A description of the meaning for each response is provided in the table below:

Response | When to use this response:
Yes | The expected testing has been performed, and all elements of the requirement have been met as stated.
Yes with CCW (Compensating Control Worksheet) | The expected testing has been performed, and the requirement has been met with the assistance of a compensating control. All responses in this column require completion of a Compensating Control Worksheet (CCW) in Appendix B of the SAQ. Information on the use of compensating controls and guidance on how to complete the worksheet is provided in the PCI DSS.
No | Some or all elements of the requirement have not been met, or are in the process of being implemented, or require further testing before it will be known if they are in place.
N/A (Not Applicable) | The requirement does not apply to the organization's environment. (See Guidance for Non-Applicability of Certain, Specific Requirements below for examples.) All responses in this column require a supporting explanation in Appendix C of the SAQ.

Guidance for Non-Applicability of Certain, Specific Requirements
If any requirements are deemed not applicable to your environment, select the N/A option for that specific requirement, and complete the "Explanation of Non-Applicability" worksheet in Appendix C for each N/A entry.

Legal Exception
If your organization is subject to a legal restriction that prevents the organization from meeting a PCI DSS requirement, check the "No" column for that requirement and complete the relevant attestation in Part 3.
Section 1: Assessment Information

Instructions for Submission
This document must be completed as a declaration of the results of the merchant's self-assessment with the Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures (PCI DSS
Part 2b. Description of Payment Card Business
How and in what capacity does your business store, process and/or transmit cardholder data?

Part 2c. Locations
List types of facilities (for example, retail outlets, corporate offices, data centers, call centers, etc.) and a summary of locations included in the PCI DSS review.
Type of facility | Number of facilities of this type | Location(s) of facility (city, country)
Example: Retail outlets | 3 | Boston, MA, USA

Part 2d. Payment Application
Does the organization use one or more Payment Applications? Yes / No
Provide the following information regarding the Payment Applications your organization uses:
Payment Application Name | Version Number | Application Vendor | Is application PA-DSS Listed? | PA-DSS Listing Expiry date (if applicable)
 | | | Yes / No | 
 | | | Yes / No | 
 | | | Yes / No | 
 | | | Yes / No | 
 | | | Yes / No | 

Part 2e. Description of Environment
Provide a high-level description of the environment covered by this assessment.
For example:
• Connections into and out of the cardholder data environment (CDE

Part 2f. Third-Party Service Providers
Does your company share cardholder data with any third-party service providers (for example, gateways, payment processors, payment service providers (PSP), web-hosting companies, airline booking agents, loyalty program agents, etc.)? Yes / No
If Yes:
Name of service provider: | Description of services provided:
Note: Requirement 12.8 applies to all entities in this list.

Part 2g. Eligibility to Complete SAQ A-EP
Merchant certifies eligibility to complete this shortened version of the Self-Assessment Questionnaire because, for this payment channel:
• Merchant accepts only e-commerce transactions;
• All processing of cardholder data, with the exception of the payment page, is entirely outsourced to a PCI DSS validated third-party payment processor;
• Merchant's e-commerce website does not receive cardholder data but controls how consumers, or their cardholder data, are redirected to a PCI DSS validated third-party payment processor;
• If merchant website is hosted by a third-party provider, the provider is validated to all applicable PCI DSS requirements (e.g., including PCI DSS Appendix A if the provider is a shared hosting provider);
• Each element of the payment page(s) delivered to the consumer's browser originates from either the merchant's website or a PCI DSS compliant service provider(s);
• Merchant does not electronically store, process, or transmit any cardholder data on merchant systems or premises, but relies entirely on a third party(s) to handle all these functions;
• Merchant has confirmed that all third party(s) handling storage, processing, and/or transmission of cardholder data are PCI DSS compliant; and
• Merchant retains only paper reports or receipts with cardholder data, and these documents are not received electronically.
Section 2: Self-Assessment Questionnaire A-EP

Note: The following questions are numbered according to PCI DSS requirements and testing procedures, as defined in the PCI DSS Requirements and Security Assessment Procedures document.
Self-assessment completion date:

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect data

PCI DSS Question | Expected Testing | Response (check one response for each question): Yes / Yes with CCW / No / N/A

1.1.4 (a) Is a firewall required and implemented at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone?
   Expected Testing: Review firewall configuration standards; Observe network configurations to verify that a firewall(s) is in place
(b) Is the current network diagram consistent with the firewall configuration standards?
   Expected Testing: Compare firewall configuration standards to current network diagram
1.1.6 (a) Do firewall and router configuration standards include a documented list of services, protocols, and ports, including business justification (for example, hypertext transfer protocol (HTTP), Secure Sockets Layer (SSL), Secure Shell (SSH), and
1.2 Do firewall and router configurations restrict connections between untrusted networks and any system in the cardholder data environment, as follows:
Note: An "untrusted network" is any network that is external to the networks belonging to the entity under review, and/or which is out of the entity's ability to control or manage.
1.2.1 (a) Is inbound and outbound traffic restricted to that which is necessary for the cardholder data environment?
   Expected Testing: Review firewall and router configuration standards; Examine firewall and router configurations
(b) Is all other inbound and outbound traffic specifically denied (for example, by using an explicit "deny all" or an implicit deny after allow statement)?
   Expected Testing: Review firewall and router configuration standards; Examine firewall and router configurations
1.3.4 Are anti-spoofing measures implemented to detect and block forged sourced IP addresses from entering the network?
(For example, block traffic originating from the internet with an internal address.)
   Expected Testing: Examine firewall and router configurations
1.3.5 Is outbound traffic from the cardholder data environment to the Internet explicitly authorized?
   Expected Testing: Examine firewall and router configurations
1.3.6 Is stateful inspection, also known as dynamic packet filtering, implemented, that is, only established connections are allowed into the network?
   Expected Testing: Examine firewall and router configurations
1.3.8 (a) Are methods in place to prevent the disclosure of private IP addresses and routing information to the Internet?
Note: Methods to obscure IP addressing may include, but are not limited to:
• Network Address Translation (NAT)
to protect insecure services such as NetBIOS, file-sharing, Telnet, FTP, etc.
Note: SSL and early TLS are not considered strong cryptography and cannot be used as a security control after 30th June 2016. Prior to this date, existing implementations that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place. Effective immediately, new implementations must not use SSL or early TLS.
POS POI terminals (and the SSL/TLS termination points to which they connect) that can be verified as not being susceptible to any known exploits for SSL and early TLS may continue using these as a security control after 30th June 2016.
   Expected Testing: Review configuration standards; Examine configuration settings; If SSL/early TLS is used: Review documentation that verifies POS POI devices are not susceptible to any known exploits for SSL/early TLS, and/or Review Risk Mitigation and Migration Plan
2.2.4 (a) Are system administrators and/or personnel that configure system components knowledgeable about common security parameter settings for those system components?
   Expected Testing: Interview personnel
(b) Are common system security parameters settings included in the system configuration standards?
   Expected Testing: Review system configuration standards
(c) Are security parameter settings set appropriately on system components?
   Expected Testing: Examine system components; Examine security parameter settings; Compare settings to system configuration standards
2.2.5 (a) Has all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers, been removed?
   Expected Testing: Examine security parameters on system components
(b) Are enabled functions documented and do they support secure configuration?
   Expected Testing: Review documentation; Examine security parameters on system components
(c) Is only documented functionality present on system components?
   Expected Testing: Review documentation; Examine security parameters on system components
2.3 Is non-console administrative access encrypted as follows:
Use technologies such as SSH, VPN, or TLS for web-based management and other non-console administrative access.
Note: SSL and early TLS are not considered strong cryptography and cannot be used as a security control after 30th June 2016. Prior to this date, existing implementations that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place. Effective immediately, new implementations must not use SSL or early TLS.
POS POI terminals (and the SSL/TLS termination points to which they connect) that can be verified as not being susceptible to any known exploits for SSL and early TLS may continue using these as a security control after 30th June 2016.
(a) Is all non-console administrative access encrypted with strong cryptography, and is a strong encryption method invoked before the administrator's password is requested?
   Expected Testing: Examine system components; Examine system configurations; Observe an administrator log on
(b) Are system services and parameter files configured to prevent the use of Telnet and other insecure remote login commands?
   Expected Testing: Examine system components; Examine services and files
(c) Is administrator access to web-based management interfaces encrypted with strong cryptography?
   Expected Testing: Examine system components; Observe an administrator log on
(d) For the technology in use, is strong cryptography implemented according to industry best practice and/or vendor recommendations?
   Expected Testing: Examine system components; Review vendor documentation; Interview personnel
(e) For POS POI terminals (and the SSL/TLS termination points to which they connect) using SSL and/or early TLS, and for which the entity asserts are not susceptible to any known exploits for those protocols:
Is there documentation (for example, vendor documentation, system/network configuration details, etc.) that verifies the devices are not susceptible to any known exploits for SSL/early TLS?
   Expected Testing: Review documentation that verifies POS POI devices are not susceptible to any known exploits for SSL/early TLS
(f) For all other environments using SSL and/or early TLS:
Does the documented Risk Mitigation and Migration Plan include the following?
• Description of usage, including; what data is being transmitted, types and number of systems that use and/or support SSL/early TLS, type of environment;
• Risk assessment results and risk reduction controls in place;
• Description of processes to monitor for new vulnerabilities associated with SSL/early TLS;
• Description of change control processes that are implemented to ensure SSL/early TLS is not implemented into new environments;
• Overview of migration project plan including target migration completion date no later than 30th June 2016.
   Expected Testing: Review Risk Mitigation and Migration Plan
Protect Cardholder Data

Requirement 3: Protect stored cardholder data

3.2 (c) Is sensitive authentication data deleted or rendered unrecoverable upon completion of the authorization process?
   Expected Testing: Review policies and procedures; Examine system configurations; Examine deletion processes
(d) Do all systems adhere to the following requirements regarding non-storage of sensitive authentication data after authorization (even if encrypted):
3.2.2 The card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) is not stored after authorization?
   Expected Testing: Examine data sources, including: Incoming transaction data; All logs; History files; Trace files; Database schema; Database contents
3.2.3 The personal identification number (PIN) or the encrypted PIN block is not stored after authorization?
   Expected Testing: Examine data sources, including: Incoming transaction data; All logs; History files; Trace files; Database schema; Database contents
Requirement 4: Encrypt transmission of cardholder data across open, public networks

4.1 (a) Are strong cryptography and security protocols, such as TLS, SSH or IPSEC, used to safeguard sensitive cardholder data during transmission over open, public networks?
Examples of open, public networks include but are not limited to the Internet; wireless technologies, including 802.11 and Bluetooth; cellular technologies, for example, Global System for Mobile communications (GSM
(d) Is the proper encryption strength implemented for the encryption methodology in use (check vendor recommendations/best practices)?
   Expected Testing: Review vendor documentation; Examine system configurations
(e) For TLS implementations, is TLS enabled whenever cardholder data is transmitted or received?
For example, for browser-based implementations: "HTTPS" appears as the browser Universal Record Locator (URL) protocol, and Cardholder data is only requested if "HTTPS" appears as part of the URL.
   Expected Testing: Examine system configurations
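The JavaScript below is an added example, not part of the PCI SSC document; it models the 4.1 (e) condition just above (card data is requested only on an HTTPS page, with every element fetched over TLS) together with the Part 2g eligibility condition that each element of the payment page originates from the merchant's website or a PCI DSS compliant service provider. The allow-listed origins and the page inventory are constructed placeholders.

```javascript
// Added example (not PCI SSC code). A pre-release check for an SAQ A-EP style
// payment page that a merchant serves itself:
//   * 4.1 (e): "HTTPS" must be the URL protocol before cardholder data is
//     requested, and no page resource may be fetched in clear text;
//   * Part 2g: every element delivered to the consumer's browser must come
//     from the merchant's website or a PCI DSS compliant service provider.
// Runs under Node.js or in a browser. Hosts below are hypothetical.

// Hypothetical allow-list: the merchant's own site plus its validated PSP.
const ALLOWED_ORIGINS = new Set([
  "https://shop.example",              // merchant website (placeholder)
  "https://checkout.payments.example", // PCI DSS compliant PSP (placeholder)
]);

// pageUrl:   the URL the consumer sees when card data is requested.
// resources: [{ tag, src }] for every script, iframe, stylesheet, image, etc.
//            on the page, as a DOM walk or a crawler would collect them.
// Returns a list of findings; an empty list means both conditions hold.
function checkPaymentPage(pageUrl, resources, allowedOrigins = ALLOWED_ORIGINS) {
  const findings = [];
  const page = new URL(pageUrl);

  // 4.1 (e): the page itself must be served over HTTPS.
  if (page.protocol !== "https:") {
    findings.push({ check: "4.1(e)", url: page.href, reason: "payment page is not served over HTTPS" });
  }

  for (const { tag, src } of resources) {
    let url;
    try {
      // Resolve relative ("/x.js") and protocol-relative ("//cdn/x.js")
      // sources against the page, exactly as the browser would.
      url = new URL(src, page);
    } catch {
      findings.push({ check: "2g", url: src, reason: `unparseable ${tag} source` });
      continue;
    }
    // A resource fetched in clear text breaks the TLS-only condition...
    if (url.protocol !== "https:") {
      findings.push({ check: "4.1(e)", url: url.href, reason: `${tag} loaded without TLS` });
    }
    // ...and an origin outside the allow-list breaks the Part 2g condition.
    // Note that http://shop.example is a different origin from https://shop.example.
    if (!allowedOrigins.has(url.origin)) {
      findings.push({ check: "2g", url: url.href, reason: `${tag} origin is neither the merchant site nor a PCI DSS compliant provider` });
    }
  }
  return findings;
}

// True only when no finding was raised for the page.
function isEligiblePaymentPage(pageUrl, resources, allowedOrigins = ALLOWED_ORIGINS) {
  return checkPaymentPage(pageUrl, resources, allowedOrigins).length === 0;
}

// Constructed sample inventory of a checkout page. Two entries are deliberately
// non-compliant: an analytics tag from an unlisted origin and a logo over HTTP.
const SAMPLE_RESOURCES = [
  { tag: "script", src: "/static/checkout.js" },                         // relative: merchant origin
  { tag: "iframe", src: "https://checkout.payments.example/card-form" }, // PSP-hosted card form
  { tag: "script", src: "//cdn.analytics.example/tag.js" },              // unlisted third-party origin
  { tag: "img",    src: "http://shop.example/logo.png" },                // clear-text fetch
];

if (typeof require !== "undefined" && require.main === module) {
  for (const f of checkPaymentPage("https://shop.example/checkout", SAMPLE_RESOURCES)) {
    console.log(`${f.check}: ${f.url} (${f.reason})`);
  }
}
```

Feed it the real page URL and a resource inventory taken from the rendered DOM, since scripts injected at runtime are exactly the elements Part 2g is concerned with.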
(f) For POS POI terminals (and the SSL/TLS termination points to which they connect) using SSL and/or early TLS, and for which the entity asserts are not susceptible to any known exploits for those protocols:
Is there documentation (for example, vendor documentation, system/network configuration details, etc.) that verifies the devices are not susceptible to any known exploits for SSL/early TLS?
   Expected Testing: Review documentation that verifies POS POI devices are not susceptible to any known exploits for SSL/early TLS
(g) For all other environments using SSL and/or early TLS:
Does the documented Risk Mitigation and Migration Plan include the following?
• Description of usage, including; what data is being transmitted, types and number of systems that use and/or support SSL/early TLS, type of environment;
• Risk assessment results and risk reduction controls in place;
• Description of processes to monitor for new vulnerabilities associated with SSL/early TLS;
• Description of change control processes that are implemented to ensure SSL/early TLS is not implemented into new environments;
• Overview of migration project plan including target migration completion date no later than 30th June 2016.
   Expected Testing: Review Risk Mitigation and Migration Plan
4.2 (b) Are policies in place that state that unprotected PANs are not to be sent via end-user messaging technologies?
   Expected Testing: Review policies and procedures
Maintain a Vulnerability Management Program

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs

5.1 Is anti-virus software deployed on all systems commonly affected by malicious software?
   Expected Testing: Examine system configurations
5.1.1 Are anti-virus programs capable of detecting, removing, and protecting against all known types of malicious software (for example, viruses, Trojans, worms, spyware, adware, and rootkits)?
   Expected Testing: Review vendor documentation; Examine system configurations
5.1.2 Are periodic evaluations performed to identify and evaluate evolving malware threats in order to confirm whether those systems considered to not be commonly affected by malicious software continue as such?
   Expected Testing: Interview personnel
5.2 Are all anti-virus mechanisms maintained as follows:
(a) Are all anti-virus software and definitions kept current?
   Expected Testing: Examine policies and procedures; Examine anti-virus configurations, including the master installation; Examine system components
(b) Are automatic updates and periodic scans enabled and being performed?
   Expected Testing: Examine anti-virus configurations, including the master installation; Examine system components
(c) Are all anti-virus mechanisms generating audit logs, and are logs retained in accordance with PCI DSS Requirement 10.7?
   Expected Testing: Examine anti-virus configurations; Review log retention processes
5.3 Are all anti-virus mechanisms:
• Actively running?
• Unable to be disabled or altered by users?
Note: Anti-virus solutions may be temporarily disabled only if there is legitimate technical need, as authorized by management on a case-by-case basis. If anti-virus protection needs to be disabled for a specific purpose, it must be formally authorized. Additional security measures may also need to be implemented for the period of time during which anti-virus protection is not active.
   Expected Testing: Examine anti-virus configurations; Examine system components; Observe processes; Interview personnel
Requirement 6: Develop and maintain secure systems and applications

6.1 Is there a process to identify security vulnerabilities, including the following:
• Using reputable outside sources for vulnerability information?
• Assigning a risk ranking to vulnerabilities that includes identification of all "high risk" and "critical" vulnerabilities?
Note: Risk rankings should be based on industry best practices as well as consideration of potential impact. For example, criteria for ranking vulnerabilities may include consideration of the CVSS base score, and/or the classification by the vendor, and/or type of systems affected.
Methods for evaluating vulnerabilities and assigning risk ratings will vary based on an organization's environment and risk assessment strategy. Risk rankings should, at a minimum, identify all vulnerabilities considered to be a "high risk" to the environment. In addition to the risk ranking, vulnerabilities may be considered "critical" if they pose an imminent threat to the environment, impact critical systems, and/or would result in a potential compromise if not addressed. Examples of critical systems may include security systems, public-facing devices and systems, databases, and other systems that store, process, or transmit cardholder data.
   Expected Testing: Review policies and procedures; Interview personnel; Observe processes
6.2 (a) Are all system components and software protected from known vulnerabilities by installing applicable vendor-supplied security patches?
   Expected Testing: Review policies and procedures
(b) Are critical security patches installed within one month of release?
Note: Critical security patches should be identified according to the risk ranking process defined in Requirement 6.1.
   Expected Testing: Review policies and procedures; Examine system components; Compare list of security patches installed to recent vendor patch lists
6.4.5 (a) Are change-control procedures for implementing security patches and software modifications documented and require the following?
• Documentation of impact
• Documented change control approval by authorized parties
• Functionality testing to verify that the change does not adversely impact the security of the system
• Back-out procedures
   Expected Testing: Review change control processes and procedures
(b) Are the following performed and documented for all changes:
6.4.5.1 Documentation of impact?
   Expected Testing: Trace changes to change control documentation; Examine change control documentation
6.4.5.2 Documented approval by authorized parties?
   Expected Testing: Trace changes to change control documentation; Examine change control documentation
6.4.5.3 (a) Functionality testing to verify that the change does not adversely impact the security of the system?
   Expected Testing: Trace changes to change control documentation; Examine change control documentation
(b) For custom code changes, testing of updates for compliance with PCI DSS Requirement 6.5 before being deployed into production?
   Expected Testing: Trace changes to change control documentation; Examine change control documentation
6.4.5.4 Back-out procedures?
   Expected Testing: Trace changes to change control documentation; Examine change control documentation
6.5 (c) Are applications developed based on secure coding guidelines to protect applications from, at a minimum, the following vulnerabilities:
6.5.1 Do coding techniques address injection flaws, particularly SQL injection?
Note: Also consider OS Command Injection, LDAP and XPath injection flaws as well as other injection flaws.
   Expected Testing: Examine software-development policies and procedures; Interview responsible personnel
6.5.2 Do coding techniques address buffer overflow vulnerabilities?
   Expected Testing: Examine software-development policies and procedures; Interview responsible personnel
For web applications and application interfaces (internal or external), are applications developed based on secure coding guidelines to protect applications from the following additional vulnerabilities:
6.5.7 Do coding techniques address cross-site scripting (XSS) vulnerabilities?
   Expected Testing: Examine software-development policies and procedures; Interview responsible personnel
6.5.8 Do coding techniques address improper access control, such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions?
   Expected Testing: Examine software-development policies and procedures; Interview responsible personnel
6.5.9 Do coding techniques address cross-site request forgery (CSRF)?
   Expected Testing: Examine software-development policies and procedures; Interview responsible personnel
6.5.10 Do coding techniques address broken authentication and session management?
   Expected Testing: Examine software-development policies and procedures; Interview responsible personnel
6.6 For public-facing web applications, are new threats and vulnerabilities addressed on an ongoing basis, and are these applications protected against known attacks by applying either of the following methods?
      Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, as follows:
      - At least annually
      - After any changes
      - By an organization that specializes in application security
      - That, at a minimum, all vulnerabilities in Requirement 6.5 are included in the assessment
      - That all vulnerabilities are corrected
      - That the application is re-evaluated after the corrections
      Note: This assessment is not the same as the vulnerability scans performed for Requirement 11.2.
      OR
      Installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) as follows:
      - Is situated in front of public-facing web applications to detect and prevent web-based attacks.
      - Is actively running and up to date as applicable.
      - Is generating audit logs.
      - Is configured to either block web-based attacks or generate an alert that is immediately investigated.
      Expected testing: Review documented processes; interview personnel; examine records of application security assessments; examine system configuration settings.
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need to know
7.1 Is access to system components and cardholder data limited to only those individuals whose jobs require such access, as follows:
7.1.2 Is access to privileged user IDs restricted as follows:
      To least privileges necessary to perform job responsibilities?
      Assigned only to roles that specifically require that privileged access?
      Expected testing: Examine written access control policy; interview personnel; interview management; review privileged user IDs.
7.1.3 Is access assigned based on individual personnel's job classification and function?
      Expected testing: Examine written access control policy; interview management; review user IDs.
Requirement 8: Identify and authenticate access to system components
8.1.1 Are all users assigned a unique ID before allowing them to access system components or cardholder data?
      Expected testing: Review password procedures; interview personnel.
8.1.3 Is access for any terminated users immediately deactivated or removed?
      Expected testing: Review password procedures; examine terminated users' accounts; review current access lists; observe returned physical authentication devices.
8.1.5 (a) Are accounts used by vendors to access, support, or maintain system components via remote access enabled only during the time period needed and disabled when not in use?
      Expected testing: Review password procedures; interview personnel; observe processes.
      (b) Are vendor remote access accounts monitored when in use?
      Expected testing: Interview personnel; observe processes.
8.1.6 (a) Are repeated access attempts limited by locking out the user ID after no more than six attempts?
      Expected testing: Review password procedures; examine system configuration settings.
8.1.7 Once a user account is locked out, is the lockout duration set to a minimum of 30 minutes or until an administrator enables the user ID?
      Expected testing: Review password procedures; examine system configuration settings.
8.2 In addition to assigning a unique ID, is one or more of the following methods employed to authenticate all users?
      Something you know, such as a password or passphrase
      Something you have, such as a token device or smart card
      Something you are, such as a biometric
      Expected testing: Review password procedures; observe authentication processes.
8.2.1 (a) Is strong cryptography used to render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components?
      Expected testing: Review password procedures; review vendor documentation; examine system configuration settings; observe password files; observe data transmissions.
8.2.3 (a) Are user password parameters configured to require passwords/passphrases meet the following?
      A minimum password length of at least seven characters
      Contain both numeric and alphabetic characters
      Alternatively, the passwords/phrases must have complexity and strength at least equivalent to the parameters specified above.
      Expected testing: Examine system configuration settings to verify password parameters.
8.2.4 (a) Are user passwords/passphrases changed at least once every 90 days?
      Expected testing: Review password procedures; examine system configuration settings.
8.2.5 (a) Must an individual submit a new password/phrase that is different from any of the last four passwords/phrases he or she has used?
      Expected testing: Review password procedures; sample system components; examine system configuration settings.
8.2.6 Are passwords/phrases set to a unique value for each user for first-time use and upon reset, and must each user change their password immediately after the first use?
      Expected testing: Review password procedures; examine system configuration settings; observe security personnel.
8.3 Is two-factor authentication incorporated for remote network access originating from outside the network by personnel (including users and administrators) and all third parties (including vendor access for support or maintenance)?
      Note: Two-factor authentication requires that two of the three authentication methods (see PCI DSS Requirement 8.2 for descriptions of authentication methods) be used for authentication. Using one factor twice (for example, using two separate passwords) is not considered two-factor authentication.
      Examples of two-factor technologies include remote authentication and dial-in service (RADIUS) with tokens; terminal access controller access control system (TACACS) with tokens; and other technologies that facilitate two-factor authentication.
      Expected testing: Review policies and procedures; examine system configurations; observe personnel.
8.5 Are group, shared, or generic accounts, passwords, or other authentication methods prohibited as follows:
      Generic user IDs and accounts are disabled or removed;
      Shared user IDs for system administration activities and other critical functions do not exist; and
      Shared and generic user IDs are not used to administer any system components?
      Expected testing: Review policies and procedures; examine user ID lists; interview personnel.
8.6 Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, and certificates, etc.), is the use of these mechanisms assigned as follows?
      Authentication mechanisms must be assigned to an individual account and not shared among multiple accounts
      Physical and/or logical controls must be in place to ensure only the intended account can use that mechanism to gain access
      Expected testing: Review policies and procedures; interview personnel; examine system configuration settings and/or physical controls.
Requirement 9: Restrict physical access to cardholder data
9.1 Are appropriate facility entry controls in place to limit and monitor physical access to systems in the cardholder data environment?
      Expected testing: Observe physical access controls; observe personnel.
9.5 Are all media physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes)?
      For purposes of Requirement 9, "media" refers to all paper and electronic media containing cardholder data.
      Expected testing: Review policies and procedures for physically securing media; interview personnel.
9.6 (a) Is strict control maintained over the internal or external distribution of any kind of media?
      Expected testing: Review policies and procedures for distribution of media.
      (b) Do controls include the following:
9.6.1 Is media classified so the sensitivity of the data can be determined?
      Expected testing: Review policies and procedures for media classification; interview security personnel.
9.6.2 Is media sent by secured courier or other delivery method that can be accurately tracked?
      Expected testing: Interview personnel; examine media distribution tracking logs and documentation.
9.6.3 Is management approval obtained prior to moving the media (especially when media is distributed to individuals)?
      Expected testing: Interview personnel; examine media distribution tracking logs and documentation.
9.7 Is strict control maintained over the storage and accessibility of media?
      Expected testing: Review policies and procedures.
9.8 (a) Is all media destroyed when it is no longer needed for business or legal reasons?
      Expected testing: Review periodic media destruction policies and procedures.
      (b) Is media destruction performed as follows:
9.8.1 (a) Are hardcopy materials cross-cut shredded, incinerated, or pulped so that cardholder data cannot be reconstructed?
      Expected testing: Review periodic media destruction policies and procedures; interview personnel; observe processes.
      (b) Are storage containers used for materials that contain information to be destroyed secured to prevent access to the contents?
      Expected testing: Examine security of storage containers.
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
10.2 Are automated audit trails implemented for all system components to reconstruct the following events:
10.2.2 All actions taken by any individual with root or administrative privileges?
      Expected testing: Interview personnel; observe audit logs; examine audit log settings.
10.2.4 Invalid logical access attempts?
      Expected testing: Interview personnel; observe audit logs; examine audit log settings.
10.2.5 Use of and changes to identification and authentication mechanisms (including but not limited to creation of new accounts and elevation of privileges), and all changes, additions, or deletions to accounts with root or administrative privileges?
      Expected testing: Interview personnel; observe audit logs; examine audit log settings.
10.3 Are the following audit trail entries recorded for all system components for each event:
10.3.1 User identification?
      Expected testing: Interview personnel; observe audit logs; examine audit log settings.
10.3.2 Type of event?
      Expected testing: Interview personnel; observe audit logs; examine audit log settings.
10.3.3 Date and time?
      Expected testing: Interview personnel; observe audit logs; examine audit log settings.
10.3.4 Success or failure indication?
      Expected testing: Interview personnel; observe audit logs; examine audit log settings.
10.3.5 Origination of event?
      Expected testing: Interview personnel; observe audit logs; examine audit log settings.
10.3.6 Identity or name of affected data, system component, or resource?
      Expected testing: Interview personnel; observe audit logs; examine audit log settings.
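As an added illustration (not PCI SSC's code and not part of the SAQ), the following Python pass checks constructed audit-log records for the six fields Requirement 10.3 lists and tags the events that 10.2.2, 10.2.4 and 10.2.5 say an audit trail must be able to reconstruct; the key=value log layout, event type names and field names are assumptions.

```python
"""Audit-trail completeness check for PCI DSS Requirements 10.2 and 10.3.

Added illustration, not PCI SSC's code. The log lines and their key=value
layout are constructed for the demonstration; a real deployment would parse
its own log format (syslog, CEF, JSON, ...) into the same field names.
"""
import shlex

# Field that must be present for each event, keyed by the 10.3 sub-requirement.
REQUIRED_FIELDS = {
    "10.3.1": "user",    # user identification
    "10.3.2": "type",    # type of event
    "10.3.3": "ts",      # date and time
    "10.3.4": "result",  # success or failure indication
    "10.3.5": "src",     # origination of event
    "10.3.6": "target",  # identity or name of affected data, component or resource
}

# Assumed event-type vocabulary mapped onto the 10.2 categories in this SAQ.
ADMIN_ACTION_TYPES = {"sudo", "admin_cmd", "config_change"}
ACCOUNT_CHANGE_TYPES = {"account_create", "account_delete", "privilege_change"}
ACCESS_TYPES = {"login", "access"}

# Constructed sample log: the last record is deliberately incomplete.
CONSTRUCTED_LOG = """\
ts=2015-07-01T10:15:00Z user=alice type=login result=success src=10.0.0.5 target=web01
ts=2015-07-01T10:16:02Z user=alice type=sudo result=success src=10.0.0.5 target=web01
ts=2015-07-01T10:20:41Z user=bob type=login result=failure src=198.51.100.9 target=web01
ts=2015-07-01T10:21:13Z user=root type=account_create result=success src=10.0.0.7 target=svc_deploy
user=carol type=access result=success src=10.0.0.8
"""


def parse_line(line: str) -> dict:
    """Split a key=value log line into a dict; tokens without '=' are ignored."""
    fields = {}
    for token in shlex.split(line):
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value
    return fields


def missing_fields(event: dict) -> list:
    """Return the 10.3 sub-requirements this event fails to satisfy."""
    return [req for req, name in REQUIRED_FIELDS.items() if not event.get(name)]


def classify(event: dict) -> list:
    """Tag an event with the 10.2 sub-requirements it helps reconstruct."""
    tags = []
    t = event.get("type")
    if t in ADMIN_ACTION_TYPES or event.get("user") == "root":
        tags.append("10.2.2")  # action by a root/administrative user
    if t in ACCESS_TYPES and event.get("result") == "failure":
        tags.append("10.2.4")  # invalid logical access attempt
    if t in ACCOUNT_CHANGE_TYPES:
        tags.append("10.2.5")  # change to identification/authentication mechanisms
    return tags


def review(log_text: str) -> dict:
    """Daily-review style pass (10.6.1): incomplete records and flagged events."""
    incomplete, flagged = [], []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        event = parse_line(line)
        gaps = missing_fields(event)
        if gaps:
            incomplete.append((lineno, gaps))
        for tag in classify(event):
            flagged.append((lineno, tag))
    return {"incomplete": incomplete, "flagged": flagged}


if __name__ == "__main__":
    print(review(CONSTRUCTED_LOG))
```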
10.5.4 Are logs for external-facing technologies (for example, wireless, firewalls, DNS, mail) written onto a secure, centralized, internal log server or media?
      Expected testing: Interview system administrators; examine system configurations and permissions.
10.6 Are logs and security events for all system components reviewed to identify anomalies or suspicious activity as follows?
      Note: Log harvesting, parsing, and alerting tools may be used to achieve compliance with Requirement 10.6.
10.6.1 (b) Are the following logs and security events reviewed at least daily, either manually or via log tools?
      All security events
      Logs of all system components that store, process, or transmit CHD and/or SAD
      Logs of all critical system components
      Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.)
      Expected testing: Review security policies and procedures; observe processes; interview personnel.
10.6.2 (b) Are logs of all other system components periodically reviewed, either manually or via log tools, based on the organization's policies and risk management strategy?
      Expected testing: Review security policies and procedures; review risk assessment documentation; interview personnel.
10.6.3 (b) Is follow up to exceptions and anomalies identified during the review process performed?
      Expected testing: Review security policies and procedures; observe processes; interview personnel.
10.7 (b) Are audit logs retained for at least one year?
      Expected testing: Review security policies and procedures; interview personnel; examine audit logs.
      (c) Are at least the last three months' logs immediately available for analysis?
      Expected testing: Interview personnel; observe processes.
Requirement 11: Regularly test security systems and processes
11.2.2 (a) Are quarterly external vulnerability scans performed?
      Note: Quarterly external vulnerability scans must be performed by an Approved Scanning Vendor (ASV
11.3 Does the penetration-testing methodology include the following?
      Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115)
      Includes coverage for the entire CDE perimeter and critical systems
      Includes testing from both inside and outside the network
      Includes testing to validate any segmentation and scope-reduction controls
      Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5
      Defines network-layer penetration tests to include components that support network functions as well as operating systems
      Includes review and consideration of threats and vulnerabilities experienced in the last 12 months
      Specifies retention of penetration testing results and remediation activities results
      Expected testing: Examine penetration-testing methodology; interview responsible personnel.
11.3.1 (a) Is external penetration testing performed per the defined methodology at least annually and after any significant infrastructure or application changes to the environment (such as an operating system upgrade, a sub-network added to the environment, or an added web server)?
      Expected testing: Examine scope of work; examine results from the most recent external penetration test.
      (b) Are tests performed by a qualified internal resource or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)?
11.3.3 Are exploitable vulnerabilities found during penetration testing corrected, followed by repeated testing to verify the corrections?
      Expected testing: Examine penetration testing results.
11.3.4 If segmentation is used to isolate the CDE from other networks:
      (a) Are penetration-testing procedures defined to test all segmentation methods, to confirm they are operational and effective, and isolate all out-of-scope systems from systems in the CDE?
      Expected testing: Examine segmentation controls; review penetration-testing methodology.
      (b) Does penetration testing to verify segmentation controls meet the following?
      Performed at least annually and after any changes to segmentation controls/methods
      Covers all segmentation controls/methods in use
11.5 (a) Is a change-detection mechanism (for example, file-integrity monitoring tools) deployed within the cardholder data environment to detect unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files?
      Examples of files that should be monitored include:
      System executables
      Application executables
      Configuration and parameter files
      Centrally stored, historical or archived, log and audit files
      Additional critical files determined by entity (for example, through risk assessment or other means
2. Objective: Define the objective of the original control; identify the objective met by the compensating control.
3. Identified Risk: Identify any additional risk posed by the lack of the original control.
4. Definition of Compensating Controls: Define the compensating controls and explain how they address the objectives of the original control and the increased risk, if any.
5. Validation of Compensating Controls: Define how the compensating controls were validated and tested.
6. Maintenance: Define process and controls in place to maintain compensating controls.
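As an added illustration of the change-detection mechanism Requirement 11.5 above asks for (not PCI SSC's code and not part of the SAQ), the following Python script baselines a monitored directory with SHA-256 digests and reports files that were modified, added or deleted since the baseline; the directory tree, file names and contents are constructed for the demonstration.

```python
"""Minimal file-integrity check in the spirit of PCI DSS Requirement 11.5.

Added illustration, not PCI SSC's code: it builds a SHA-256 baseline of a
monitored directory and reports files that were modified, added or deleted
since the baseline was taken. The directory tree, file names and contents
below are constructed for the demonstration.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries or logs need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each monitored file (path relative to root, POSIX form) to its digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            baseline[p.relative_to(root).as_posix()] = sha256_of(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report the three change classes 11.5 names: modified, added, deleted."""
    return {
        "modified": sorted(f for f in baseline if f in current and baseline[f] != current[f]),
        "added": sorted(f for f in current if f not in baseline),
        "deleted": sorted(f for f in baseline if f not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline a tree, tamper with it, re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "app").write_bytes(b"\x7fELF original binary")
        (root / "etc" / "app.conf").write_text("db_host=localhost\n")
        (root / "etc" / "old.conf").write_text("unused=1\n")
        baseline = build_baseline(root)

        # Simulate one unauthorized modification, one addition and one deletion.
        (root / "etc" / "app.conf").write_text("db_host=localhost\ndebug=true\n")
        (root / "bin" / "helper").write_bytes(b"new file")
        (root / "etc" / "old.conf").unlink()
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

In production the baseline would be stored outside the monitored host and the comparison scheduled, with every non-empty result routed to the alerting that 10.6 requires to be reviewed.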
Appendix C: Explanation of Non-Applicability
If the "N/A" (Not Applicable) column was checked in the questionnaire, use this worksheet to explain why the related requirement is not applicable to your organization.
Requirement | Reason Requirement is Not Applicable
Example:
3.4 | Cardholder data is never stored electronically.
Section 3: Validation and Attestation Details
Part 3. PCI DSS Validation
Based on the results noted in the SAQ A-EP dated (completion date) ... Name ... COMPLIANT ... rating, thereby (Merchant Company Name) ...
Part 3a. Acknowledgement of Status (continued)
No evidence of full track data¹, CA... Name: Title:
Part 3c. QSA Acknowledgement (if Applicable)
If a QSA was involved or assisted with this assessment, describe the role performed:
Signature of Duly Authorized Officer of QSA Company: Date:
Duly Authorized Officer Name: QSA Company:
Part 3d. ISA Acknowledgement (if Applicable)
If an ISA was involved or assisted with this assessment, describe the role performed:
Signature of ISA: Date:
ISA Name: Title:
¹ Data encoded in the magnetic stripe or equivalent data on a chip used for authorization during a card-present transaction. Entities may not retain full track data after transaction authorization. The only elements of track data that may be retained are primary account number (PAN), expiration date, and cardholder name.
² The three- or four-digit value printed by the signature panel or on the face of a payment card used to verify card-not-present transactions.
³ Personal identification number entered by cardholder during a card-present transaction and/or encrypted PIN block present within the transaction message.
Part 4. Action Plan for Non-Compliant Requirements
Select the appropriate response for "Compliant to PCI DSS Requirements" for each requirement. If you answer "No" to any of the requirements, you may be required to provide the date your Company expects to be compliant with the requirement and a brief description of the actions being taken to meet the requirement.
Check with your acquirer or the payment brand(s) before completing Part 4.
PCI DSS Requirement* | Description of Requirement | Compliant to PCI DSS Requirements (Select One): YES / NO | Remediation Date and Actions (If "NO" selected for any Requirement)
1  | Install and maintain a firewall configuration to protect cardholder data
2  | Do not use vendor-supplied defaults for system passwords and other security parameters
3  | Protect stored cardholder data
4  | Encrypt transmission of cardholder data across open, public networks
5  | Protect all systems against malware and regularly update anti-virus software or programs
6  | Develop and maintain secure systems and applications
7  | Restrict access to cardholder data by business need to know
8  | Identify and authenticate access to system components
9  | Restrict physical access to cardholder data
10 | Track and monitor all access to network resources and cardholder data
11 | Regularly test security systems and processes
12 | Maintain a policy that addresses information security for all personnel
* PCI DSS Requirements indicated here refer to the questions in Section 2 of the SAQ.