Payment Card Industry (PCI) Data Security Standard
Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers
SAQ-Eligible Service Providers
For use with PCI DSS Version 3.2.1
PCI DSS v3.2.1 SAQ D for Service Providers, Rev. 1.0 June 2018 © 2006-2018 PCI Security Standards Council, LLC. All Rights Reserved. Page ii
Document Changes
Date    PCI DSS Version    SAQ Revision    Description
PCI DSS – Summary of Changes from PCI DSS Version 3.0 to 3.1
PCI DSS – Summary of Changes from PCI DSS Version 3.1 to 3.2.
PCI DSS – Summary of Changes from PCI DSS Version 3.2 to 3.2.1.
Table of Contents
Document Changes ... ii
Before You Begin ... iv
  PCI DSS Self-Assessment Completion Steps ... iv
  Understanding the Self-Assessment Questionnaire ... iv
  Expected Testing ... v
  Completing the Self-Assessment Questionnaire ... v
  Guidance for Non-Applicability of Certain, Specific Requirements ... v
  Understanding the difference between Not Applicable and Not Tested ... vi
  Legal Exception ... vi
Section 1: Assessment Information ... 1
Section 2: Self-Assessment Questionnaire D for Service Providers ... 7
  Build and Maintain a Secure Network and Systems ... 7
    Requirement 1: Install and maintain a firewall configuration to protect data ... 7
    Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters ... 12
  Protect Cardholder Data ... 18
    Requirement 3: Protect stored cardholder data ... 18
    Requirement 4: Encrypt transmission of cardholder data across open, public networks ... 26
  Maintain a Vulnerability Management Program ... 28
    Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs ... 28
    Requirement 6: Develop and maintain secure systems and applications ... 30
  Implement Strong Access Control Measures ... 39
    Requirement 7: Restrict access to cardholder data by business need to know ... 39
    Requirement 8: Identify and authenticate access to system components ... 41
    Requirement 9: Restrict physical access to cardholder data ... 48
  Regularly Monitor and Test Networks ... 56
    Requirement 10: Track and monitor all access to network resources and cardholder data ... 56
    Requirement 11: Regularly test security systems and processes ... 63
  Maintain an Information Security Policy ... 71
    Requirement 12: Maintain a policy that addresses information security for all personnel ... 71
Appendix A: Additional PCI DSS Requirements ... 80
  Appendix A1: Additional PCI DSS Requirements for Shared Hosting Providers ... 80
  Appendix A2: Additional PCI DSS Requirements for Entities using SSL/Early TLS for Card-Present POS POI Terminal Connections ... 82
  Appendix A3: Designated Entities Supplemental Validation (DESV) ... 83
Appendix B: Compensating Controls Worksheet ... 84
Appendix C: Explanation of Non-Applicability ... 85
Appendix D: Explanation of Requirements Not Tested ... 86
Section 3: Validation and Attestation Details ... 87
Before You Begin
PCI DSS Self-Assessment Completion Steps
Understanding the Self-Assessment Questionnaire
Document Includes:
(PCI Data Security Standard Requirements and Security Assessment Procedures)
PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms
(www.pcisecuritystandards.org)
Expected Testing
Completing the Self-Assessment Questionnaire
Only one response should be selected for each question.
Response    When to use this response:
Yes
Yes with CCW
No
N/A    (see Guidance for Non-Applicability of Certain, Specific Requirements)
Not Tested    (see Understanding the difference between Not Applicable and Not Tested)

Guidance for Non-Applicability of Certain, Specific Requirements
Understanding the difference between Not Applicable and Not Tested
Legal Exception
Section 1: Assessment Information
Instructions for Submission
Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures (PCI DSS).
Part 1. Service Provider and Qualified Security Assessor Information
Part 1a. Service Provider Organization Information
Part 1b. Qualified Security Assessor Company Information (if applicable)
Part 2. Executive Summary
Part 2a. Scope Verification
Services that were INCLUDED in the scope of the PCI DSS Assessment
Hosting Provider: Managed Services (specify): Payment Processing:
Note: These categories are provided for assistance only, and are not intended to limit or predetermine an entity’s service description. If you feel these categories don’t apply to your service, complete “Others.” If you’re unsure whether a category could apply to your service, consult with the applicable payment brand.
Part 2. Executive Summary (continued)
Part 2a. Scope Verification (continued)
Services that are provided by the service provider but were NOT INCLUDED in the scope of the PCI DSS Assessment
Hosting Provider: Managed Services (specify): Payment Processing:
Part 2b. Description of Payment Card Business
Part 2c. Locations
Type of facility    Number of facilities of this type    Location(s) of facility (city, country)
Example: Retail outlets    3    Boston, MA, USA
Part 2. Executive Summary (continued)
Part 2d. Payment Applications
Payment Application Name
Version Number
Application Vendor
Is application PA-DSS Listed?
PA-DSS Listing Expiry date (if applicable)
Part 2e. Description of Environment
For example:
Connections into and out of the cardholder data environment (CDE).
Critical system components within the CDE, such as POS devices, databases, web servers, etc., and any other necessary payment components, as applicable.
(Refer to “Network Segmentation” section of PCI DSS for guidance on network segmentation.)
Part 2f. Third-Party Service Providers
If Yes:
Part 2. Executive Summary (continued)
Part 2f. Third-Party Service Providers (continued)
If Yes:
Name of service provider: Description of services provided:
Note: Requirement 12.8 applies to all entities in this list.
Part 2. Executive Summary (continued)
Part 2g. Summary of Requirements Tested
Full
Partial
None
Note: One table to be completed for each service covered by this AOC. Additional copies of this section are available on the PCI SSC website
Name of Service Assessed:
PCI DSS Requirement
Details of Requirements Assessed
Full Partial None
Justification for Approach
Section 2: Self-Assessment Questionnaire D for Service Providers
Note: The following questions are numbered according to PCI DSS requirements and testing procedures, as defined in the document.
Self-assessment completion date:
Build and Maintain a Secure Network and Systems
Requirement 1: Install and maintain a firewall configuration to protect data
PCI DSS Question    Expected Testing    Response (Check one response for each question): Yes / Yes with CCW / No / N/A / Not Tested
Note: An “untrusted network” is any network that is external to the networks belonging to the entity under review, and/or which is out of the entity’s ability to control or manage.
Note: Methods to obscure IP addressing may include, but are not limited to:
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
(This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, payment applications, Simple Network Management Protocol (SNMP) community strings, etc.).
Sources of industry-accepted system hardening standards may include, but are not limited to, SysAdmin Audit Network Security (SANS) Institute, National Institute of Standards Technology (NIST), International Organization for Standardization (ISO), and Center for Internet Security (CIS).
For example, web servers, database servers, and DNS should be implemented on separate servers.
See Appendix A1: Additional PCI DSS Requirements for Shared Hosting Providers for specific requirements that must be met.
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
For example, cardholder data needs to be held for X period for Y business reasons.
This data is alternatively called full track, track, track 1, track 2, and magnetic-stripe data.
Note: In the normal course of business, the following data elements from the magnetic stripe may need to be retained:
The cardholder’s name,
Primary account number (PAN),
Expiration date, and
Service code
To minimize risk, store only these data elements as needed for business.
Note: This requirement does not supersede stricter requirements in place for displays of cardholder data—for example, legal or payment card brand requirements for point-of-sale (POS) receipts.
Note: It is a relatively trivial effort for a malicious individual to reconstruct original PAN data if they have access to both the truncated and hashed version of a PAN. Where hashed and truncated versions of the same PAN are present in an entity’s environment, additional controls must be in place to ensure that the hashed and truncated versions cannot be correlated to reconstruct the original PAN.
Note: This requirement applies in addition to all other PCI DSS encryption and key management requirements.
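Added example (not part of the SAQ or of any PCI SSC material) showing why the note above matters and what the usual control looks like: a PCI-style truncation keeps six leading and four trailing digits, so an unkeyed hash of the same PAN leaves only the hidden middle digits to recover, whereas a keyed token (HMAC under a key held outside the data store) cannot be recomputed from a candidate PAN without that key. The test PAN and key bytes are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample: a well-known test card number, not a real account.
TEST_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Return True when the digit string passes the Luhn check used for PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:           # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """PCI DSS truncation for display: keep at most the first six and last four digits."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def unkeyed_pan_hash(pan: str) -> str:
    """The pattern the note warns about. With no secret involved, anyone holding the
    truncated value can hash each candidate for the hidden digits and compare."""
    return hashlib.sha256(pan.encode("ascii")).hexdigest()


def keyed_pan_token(pan: str, key: bytes) -> str:
    """Mitigation: an HMAC-SHA256 token under a secret key. The key is assumed to be held
    outside the data store (HSM or secrets manager); without it a candidate PAN cannot be
    turned into a token for comparison, so the two forms no longer correlate."""
    if len(key) < 32:
        raise ValueError("key must be at least 256 bits")
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def candidate_pans(truncated: str) -> int:
    """How many PANs are consistent with one truncated value.

    The n hidden digits allow 10**n combinations, and the Luhn check accepts exactly one
    in ten of them (for any fixed choice of the other digits, the doubled-or-not mapping of
    one hidden position hits each residue mod 10 exactly once), leaving 10**(n-1)."""
    hidden = truncated.count("*")
    if hidden == 0:
        return 1
    return 10 ** (hidden - 1)


if __name__ == "__main__":
    shown = truncate_pan(TEST_PAN)
    print(shown, "leaves", candidate_pans(shown), "Luhn-valid candidates")
    print("unkeyed:", unkeyed_pan_hash(TEST_PAN)[:16], "...")
    print("keyed:  ", keyed_pan_token(TEST_PAN, b"\x01" * 32)[:16], "...")
```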
Note: If disk encryption is not used to encrypt removable media, the data stored on this media will need to be rendered unreadable through some other method.
Note: This requirement applies to keys used to encrypt stored cardholder data, and also applies to key-encrypting keys used to protect data-encrypting keys. Such key-encrypting keys must be at least as strong as the data-encrypting key.
For service providers only
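Added example (not from the SAQ) of the "at least as strong" check on a key hierarchy. It compares key-encrypting and data-encrypting keys by their comparable security strength in bits, using the NIST SP 800-57 Part 1 equivalences, which catches the common mistake of wrapping an AES-256 DEK with an RSA-2048 KEK. The key names and sizes in the sample hierarchy are constructed.

```python
# Comparable security strengths in bits from NIST SP 800-57 Part 1 (Table 2), used here as the
# yardstick for "at least as strong". Keyed by algorithm family and key size in bits.
SYMMETRIC_STRENGTH = {("AES", 128): 128, ("AES", 192): 192, ("AES", 256): 256,
                      ("3DES", 168): 112}
RSA_STRENGTH = {1024: 80, 2048: 112, 3072: 128, 7680: 192, 15360: 256}
ECC_STRENGTH = {256: 128, 384: 192, 521: 256}


def security_strength(algorithm: str, key_bits: int) -> int:
    """Security strength in bits for an (algorithm, key size) pair; ValueError if unknown."""
    alg = algorithm.upper()
    if alg == "RSA":
        table, key = RSA_STRENGTH, key_bits
    elif alg in ("ECC", "ECDH", "ECDSA"):
        table, key = ECC_STRENGTH, key_bits
    else:
        table, key = SYMMETRIC_STRENGTH, (alg, key_bits)
    if key not in table:
        raise ValueError(f"no strength entry for {algorithm}-{key_bits}")
    return table[key]


def kek_is_acceptable(kek, dek) -> bool:
    """True when the key-encrypting key is at least as strong as the data-encrypting key
    it wraps. Each argument is an (algorithm, key_bits) tuple."""
    return security_strength(*kek) >= security_strength(*dek)


def audit_key_hierarchy(wrappings):
    """wrappings: iterable of (dek_name, dek, kek) tuples.
    Returns the names of DEKs that are wrapped by a weaker KEK."""
    return [name for name, dek, kek in wrappings if not kek_is_acceptable(kek, dek)]


# Constructed sample hierarchy: names and sizes are illustrative, not from any real system.
SAMPLE_WRAPPINGS = [
    ("cde-db-dek", ("AES", 256), ("AES", 256)),       # fine: 256 >= 256
    ("file-store-dek", ("AES", 256), ("RSA", 2048)),  # violation: RSA-2048 is ~112 bits
    ("legacy-dek", ("3DES", 168), ("AES", 128)),      # fine: 128 >= 112
]

if __name__ == "__main__":
    print("DEKs wrapped by a weaker KEK:", audit_key_hierarchy(SAMPLE_WRAPPINGS))
```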
Note: It is not required that public keys be stored in one of these forms.
For service providers only:
Note: Examples of manual key management operations include, but are not limited to: key generation, transmission, loading, storage and destruction.
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Note: Examples of open, public networks include but are not limited to the Internet; wireless technologies, including 802.11 and Bluetooth; cellular technologies, for example, Global System for Mobile communications (GSM), Code division multiple access (CDMA); and General Packet Radio Service (GPRS).
For example, for browser-based implementations:
“HTTPS” appears as the browser Universal Record Locator (URL) protocol, and
Cardholder data is only requested if “HTTPS” appears as part of the URL.
Maintain a Vulnerability Management Program
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
Note: Anti-virus solutions may be temporarily disabled only if there is legitimate technical need, as authorized by management on a case-by-case basis. If anti-virus protection needs to be disabled for a specific purpose, it must be formally authorized. Additional security measures may also need to be implemented for the period of time during which anti-virus protection is not active.
Requirement 6: Develop and maintain secure systems and applications
Note: Risk rankings should be based on industry best practices as well as consideration of potential impact. For example, criteria for ranking vulnerabilities may include consideration of the CVSS base score and/or the classification by the vendor, and/or type of systems affected.
Methods for evaluating vulnerabilities and assigning risk ratings will vary based on an organization’s environment and risk assessment strategy. Risk rankings should, at a minimum, identify all vulnerabilities considered to be a “high risk” to the environment. In addition to the risk ranking, vulnerabilities may be considered “critical” if they pose an imminent threat to the environment, impact critical systems, and/or would result in a potential compromise if not addressed. Examples of critical systems may include security systems, public-facing devices and systems, databases, and other systems that store, process or transmit cardholder data.
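Added example (not from the SAQ) of one way to turn the note above into a repeatable ranking process: each finding carries its CVSS base score, the vendor's classification and the role of the affected system, a "high" tier is derived from score or vendor rating, and "critical" is layered on top for imminent threats or high findings on the critical system types the note lists. The CVSS threshold, vendor-rating set and role names are assumptions an organisation would set for itself; the findings are constructed sample data.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    ident: str              # scanner or advisory identifier (constructed values below)
    cvss_base: float        # CVSS base score, 0.0 to 10.0
    vendor_rating: str      # the vendor's own classification, e.g. "critical", "moderate"
    asset_role: str         # role of the affected system, e.g. "web-public", "db-cde"
    imminent_threat: bool = False   # exploitation reported or imminent, per threat intelligence


# Roles treated as critical systems, following the examples in the note: security systems,
# public-facing devices, databases and other systems that store, process or transmit CHD.
CRITICAL_ROLES = {"security", "web-public", "db-cde", "app-cde"}

# Assumed thresholds; PCI DSS leaves the exact criteria to the organisation's risk strategy.
HIGH_CVSS = 7.0
VENDOR_HIGH = {"critical", "important", "high"}


def rank(f: Finding) -> str:
    """Return 'critical', 'high' or 'other'. 'high' is the floor the note requires every
    ranking to identify; 'critical' is the additional tier for imminent threats or for
    high-risk findings on critical systems."""
    high = f.cvss_base >= HIGH_CVSS or f.vendor_rating.lower() in VENDOR_HIGH
    if f.imminent_threat or (high and f.asset_role in CRITICAL_ROLES):
        return "critical"
    return "high" if high else "other"


def rank_all(findings):
    """Return (rank, finding) pairs: critical first, then high, then the rest; within a
    tier, higher CVSS first. The critical and high entries are the patches that the
    Requirement 6.2 process has to track."""
    order = {"critical": 0, "high": 1, "other": 2}
    ranked = [(rank(f), f) for f in findings]
    return sorted(ranked, key=lambda pair: (order[pair[0]], -pair[1].cvss_base))


# Constructed sample findings; identifiers and scores are illustrative only.
SAMPLE_FINDINGS = [
    Finding("VULN-A", 9.8, "critical", "web-public", imminent_threat=True),
    Finding("VULN-B", 7.5, "important", "workstation"),
    Finding("VULN-C", 4.3, "moderate", "db-cde"),
    Finding("VULN-D", 6.0, "low", "security", imminent_threat=True),
]

if __name__ == "__main__":
    for tier, f in rank_all(SAMPLE_FINDINGS):
        print(f"{tier:8} {f.ident} cvss={f.cvss_base} on {f.asset_role}")
```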
Note: Critical security patches should be identified according to the risk ranking process defined in Requirement 6.1.
Note: This requirement for code reviews applies to all custom code (both internal and public-facing), as part of the system development life cycle. Code reviews can be conducted by knowledgeable internal personnel or third parties. Public-facing web applications are also subject to additional controls, to address ongoing threats and vulnerabilities after implementation, as defined at PCI DSS Requirement 6.6.
Note: The vulnerabilities listed at 6.5.1 through 6.5.10 were current with industry best practices when this version of PCI DSS was published. However, as industry best practices for vulnerability management are updated (for example, the Open Web Application Security Project (OWASP) Guide, SANS CWE Top 25, CERT Secure Coding, etc.), the current best practices must be used for these requirements.
Note: Also consider OS Command Injection, LDAP and XPath injection flaws as well as other injection flaws.
Note: This assessment is not the same as the vulnerability scans performed for Requirement 11.2.
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need to know
Requirement 8: Identify and authenticate access to system components
For service providers only
Note: Multi-factor authentication requires that a minimum of two of the three authentication methods (see PCI DSS Requirement 8.2 for descriptions of authentication methods) be used for authentication. Using one factor twice (for example, using two separate passwords) is not considered multi-factor authentication.
For service providers only
Note: This requirement is not intended to apply to shared hosting providers accessing their own hosting environment, where multiple customer environments are hosted.
Requirement 9: Restrict physical access to cardholder data
Note: “Sensitive areas” refers to any data center, server room, or any area that houses systems that store, process, or transmit cardholder data. This excludes public-facing areas where only point-of-sale terminals are present, such as the cashier areas in a retail store.
For example, network jacks located in public areas and areas accessible to visitors could be disabled and only enabled when network access is explicitly authorized. Alternatively, processes could be implemented to ensure that visitors are escorted at all times in areas with active network jacks.
For the purposes of Requirement 9, “onsite personnel” refers to full-time and part-time employees, temporary employees, contractors and consultants who are physically present on the entity’s premises. A “visitor” refers to a vendor, guest of any onsite personnel, service workers, or anyone who needs to enter the facility for a short duration, usually not more than one day.
For purposes of Requirement 9, “media” refers to all paper and electronic media containing cardholder data.
Note: This requirement applies to card-reading devices used in card-present transactions (that is, card swipe or dip) at the point of sale. This requirement is not intended to apply to manual key-entry components such as computer keyboards and POS keypads.
Note: Examples of signs that a device might have been tampered with or substituted include unexpected attachments or cables plugged into the device, missing or changed security labels, broken or differently colored casing, or changes to the serial number or other external markings.
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Note: One example of time synchronization technology is Network Time Protocol (NTP).
Optionally, those updates can be encrypted with a symmetric key, and access control lists can be created that specify the IP addresses of client machines that will be provided with the time updates (to prevent unauthorized use of internal time servers).
Note: Log harvesting, parsing, and alerting tools may be used to achieve compliance with Requirement 10.6.
For service providers only
For service providers only
Requirement 11: Regularly test security systems and processes
Note: Methods that may be used in the process include, but are not limited to, wireless network scans, physical/logical inspections of system components and infrastructure, network access control (NAC), or wireless IDS/IPS. Whichever methods are used, they must be sufficient to detect and identify any unauthorized devices.
Note: Multiple scan reports can be combined for the quarterly scan process to show that all systems were scanned and all applicable vulnerabilities have been addressed. Additional documentation may be required to verify non-remediated vulnerabilities are in the process of being addressed.
For initial PCI DSS compliance, it is not required that four quarters of passing scans be completed if the assessor verifies 1) the most recent scan result was a passing scan, 2) the entity has documented policies and procedures requiring quarterly scanning, and 3) vulnerabilities noted in the scan results have been corrected as shown in a re-scan(s). For subsequent years after the initial PCI DSS review, four quarters of passing scans must have occurred.
PCI D
SS Q
uest
ion
Expe
cted
Tes
ting
Res
pons
e(C
heck
one
resp
onse
for e
ach
ques