y^fi Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments - Service Providers Version 3.

Transcription

1 y^fi Security Stndrds Council Pyment Crd Industry (PCI) t Security Stndrd Attesttion of Complince for Onsite Assessments - Service Providers Version 3.2

2 Section 1: Assessment Informtion Instructions for Submission This Attesttion of Complince must be completed s declrtion of the results of the service provider's ssessment with the Pyment Crd Industry t Security Stndrd Requirements nd Security Assessment Procedures (PCI SS). Complete ll sections: The service provider is responsible for ensuring tht ech section is completed by the relevnt prties, s pplicble. Contct the requesting pyment brnd for reporting nd submission procedures. Prt 1. Service Provider nd Qulified Security Assessor Informtion Prt 1. Service Provider Orgniztion Informtion Compny Nme: Contct Nme: Telephone: Business Address: Stte/Province: URL: Auric Systems interntionl (A division of Approprite Solutions, Inc.) Rymond Cdte Grove Street NH Country: BA (doing business s): Title: E-mil: City: President ry.cote@auricsystems.co m Peterborough USA Zip: Prt 1b. Qulified Security Assessor Compny Informtion (if pplicble) Compny Nme: Led QSA Contct Nme: Telephone: Business Address: Stte/Province: URL: Pyment Softwre Compny, Inc. (PSC) Vernon vis W Hmilton Avenue, Suite 200 CA Country: Title: E-mil: City: USA Sr. Informtion Security Consultnt vdvis@pysw.com Cmpbell Zip: PCI SS v3.2 Attesttion of Complince for Onsite Assessments - Service Providers, Rev. 1, PCI Security Stndrds Council, LLC. All Rights Reserved. Pge 2

3 Prt 2. Executive Summry Prt 2. Scope Verifiction Services tht were INCLUE in the scope of the PCI SS Assessment (check ll tht pply): Nme of service(s) ssessed: PymentVult nd AuricVult Type of service(s) ssessed: Hosting Provider: Applictions / softwre Hrdwre Infrstructure / Network Physicl spce (co-loction) Storge Web Security services 3-0 Secure Hosting Provider Shred Hosting Provider Other Hosting (specify): Mnged Services (specify): Systems security services 13 IT support Physicl security Terminl Mngement System E3 Other services (specify): Tokeniztion nd secure storge Pyment Processing: POS / crd present Internet / e-commerce MOTO / Cll Center ATM Other processing (specify): Account Mngement Bck-Office Services G Billing Mngement Clering nd Settlement Network Provider Others (specify): d Frud nd Chrgebck Issuer Processing Loylty Progrms Merchnt Services Pyment Gtewy/Switch Prepid Services Records Mngement Tx/Government Pyments A/ote: These ctegories re provided for ssistnce only, nd re not intended to limit or predetermine n entity's service description. If you feel these ctegories dont pply to your service, complete "Others." If you're unsure whether ctegory could pply to your service, consult with the pplicble pyment brnd. PCI SS v3.2 Attesttion of Complince for Onsite Assessments - Service Providers, Rev PCI Security Stndrds Council, LLC. All Rights Reserved. Pge 3

4 Prt 2. Scope Verifiction (continued) Services tht re provided by the rvlpe provider but were NOT INCLUE In the scope of the PCI SS Assessment (check ll tht pply): ;.; r " Nme of service(s) not ssessed: None Type of service(s) not ssessed: Hosting Provider: G Applictions / softwre Hrdwre Infrstructure / Network Physicl spce (co-loction) Storge Web Security sen/ices 3- Secure Hosting Provider Shred Hosting Provider Other Hosting (specify): Mnged Services (specify): Systems security services IT support Physicl security Terminl Mngement System Other services (specify): Pyment Processing: Q POS / crd present Q Internet / e-commerce MOTO/Cll Center ATM Other processing (specify): Account Mngement Bck-Office Services Billing Mngement Clering nd Settlement Network Provider Frud nd Chrgebck G issuer Processing Loylty Progrms Q Merchnt Services Pyment Gtewy/Switch Q Prepid Services G Records Mngement Tx/Government Pyments Others (specify): Provide brief explntion why ny checked services were not included in the ssessment: Prt 2b. escription of Pyment Crd Business escribe how nd in wht cpcity your business stores, processes, nd/or trnsmits crdholder dt. escribe how nd in wht cpcity your business is otherwise involved in or hs the bility to impct the security of crdholder dt. Provides tokeniztion, token storge, nd pyment gtewy services. Tokenized dt cn be encrypted by client (PymentVult ) or vi our service (AuricVult ). The AuricVult service lso provides bility to pss through trnsctions to pyment processors. Supports processor-neutrl tokeniztion. Auric lso provides custom third-prty PCI-complint softwre development nd ppliction mngement. Not pplicble PCI SS v3.2 Attesttion of Complince for Onsite Assessments - Service Providers, Rev PCI Security Stndrds Council, LLC. All Rights Reserved. Pge 4

5 Prt 2c. Loctions List types of fcilities (for exmple, retil outlets, corporte offices, dt centers, cll centers, etc.) nd summry of loctions included in the PCI SS review. Type of fcility: Number of fcilities Loction(s) of fcility (city, country): of this type Exmple: Retil outlets Client min office t centers Boston, MA, USA Peterborough, NH, USA ViWest Inc., Allentown, PA, USA nd Settle. WA, USA Prt 2d. Pyment Applictions oes the orgniztion use one or more Pyment Applictions? Yes EI No Provide the following informtion regrding the Pyment Applictions your orgniztion uses: Pyment Appliction Nme Version Number Appliction Vendor Is ppliction PA-SS Listed? PA-SS Listing Expiry dte (if pplicble) Not pplicble Q Yes No Prt 2e. escription of Environment Provide high-level description of the environment covered by this ssessment. For exmple: Connections into nd out of the crdholder dt environment (CE). Criticl system components within the CE, such s POS devices, dtbses, web servers, etc., nd ny other necessry pyment components, s pplicble. Tokeniztion service tht stores encrypted crdholder dt nd provides customers with Token. The token cn lter be used by the customer to retrieve the decrypted crdholder dt. The Production environment (including networks nd servers) is hosted by PCI SS oes your business use network segmenttion to ffect the scope of your PCI SS environment? (Refer to "Network Segmenttion" section of PCI SS for guidnce on network segmenttion) complint Cloud service provider (ViWest). The Appliction tht performs the Tokeniztion is developed nd mnged by Auric. For the pyment processing tokeniztion storge opertions there re web servers, ppliction servers, dtbse servers tht operte cross firewlls nd switches t the ViWest loctions. ; Yes No PCI SS v3.2 Attesttion of Complince for Onsite Assessments - Service Providers, Rev PCI Security Stndrds Council, LLC. All Rights Reserved. PgeS

6 Prt 2f. Third-Prty Service Providers oes your compny hve reltionship with Qulified Integrtor & Reseller (QIR) for the purpose of the services being vlidted? If Yes: Nme of QIR Compny: QIR Individul Nme: escription of services provided by QIR: oes your compny hve reltionship with one or more third-prty service providers (for exmple, Qulified Integrtor Resellers (QIR), gtewys, pyment processors, pyment service providers (PSP), web-hosting compnies, irline booking gents, loylty progrm gents, etc.) for the purpose of the services being vlidted? Yes 3No SYes No If Yes: Nme of service provider: escription of services provided: Vi West, Inc. t center hosting provider Secure t estruction Hrd copy nd medi destruction Stripe, Inc. Secure pyment processing Armor Key mngement nd storge Note: Requirement 12.8 pplies to ll entitles In this list. PCI SS v3.2 Attesttion of Complince for Onsite Assessments - Service Providers, Rev PCi Security Stndrds Council, LLC. All Rights Reserved. Pge 6

7 Prt 2g. Summry of Requirements Tested For ech PCI SS Requirement, select one of the following: Full - The requirement nd ll sub-requirements of tht requirement were ssessed, nd no subrequirements were mrked s "Not Tested" or "Not Applicble" in the ROC. Prtil - One or more sub-requirements of tht requirement were mrked s "Not Tested" or "Not Applicble" in the ROC. None - All sub-requirements of tht requirement were mrked s "Not Tested" nd/or "Not Applicble" in the ROC. For ll requirements identified s either "Prtil" or "None," provide detils in the "Justifiction for Approch" column, including: etils of specific sub-requirements tht were mrked s either "Not Tested" nd/or "Not Applicble" in the ROC Reson why sub-requirement(s) were not tested or not pplicble Note: One tble to be completed for ech service covered by this AOC, Additionl copies of this section re vilble on the PCI SSC website. Nme of Service Assessed: PymentVult nd AuricVult etils of Requirements Assessed PCI SS Requirement Requirement 1: Full Prtil None Justifiction for Approch (Required for ll "Prtil" nd "None" responses. Identify which sub-requirements were not tested nd the reson.) 1.1,6.b & c: Not pplicble No Insecure services re used : Not pplicble Routers re out of scope. Requirement 2: B 2.1.1: Not pplicble Wireless is not in scope b: Not pplicble No insecure services re used : Not pplicble No insecure services re used. Requirement 3: 2.6: Not pplicble Client is not shred hosting provider & b: Not pplicble Client is not n issuing processor. 3.2.d: Not pplicble SA is not stored. 3.3.b & c: Not pplicble No displys exist on the system. All interction is API or SFTP, 3.4.c: Not pplicble Crd dt is not stored on removble medi. 3.4.e: Not pplicble Hshed PANs re not stored : Not pplicble isk encryption is not used : Not pplicble Best prctice until Jnury 31, PCI SS v3.2 Attesttion of Complince for Onsite Assessments - Service Providers, Rev PCI Security Stndrds Council, LLC. All Rights Reserved. Pge 7

8 3.6: Not pplicble Client does not shre keys with customers. Requirement 4: Requirement 5: Requirement 6: Requirement 7: Requirement 8: i Q H H IE! IE! 3.6.6: Not pplicble Client does not use mnul cler-text process to mnge keys : Not pplicble Wireless is not In scope. 4.2.: Not pplicble EU messging tech Is not used : Not pplicble Best prctice until Jnury 31, : Not pplicble Client hd no terminted users in the lst yer : Not pplicble Vendors re not llowed ccess to the crdholder environment c, d & e: Not pplicble Customers use certifictes : Not pplicble Best prctice until Jnury 31, Requirement 9: IE! 9.1.2: Not pplicble Client hs no publicly ccessible network jcks. 9.3.c: Not pplicble No terminted users : Not pplicble Medi is never sent offslte 9.6.2,9.6.3: Not pplicble Medi is never sent offslte 9.7.1: Not pplicble Crdholder dt is not stored on removble medi. 9.9: Not pplicble Client does not mnge or deploy POS systems. Requirement 10: Requirement 11: IE! IE! 10.8: Not pplicble Best prctice until Jnury 31, b, b & b: Not pplicble Externl nd Internl scns did not require rescns. Requirement 12: IE! : Not pplicble Best prctice until Jnury 31, : Not pplicble Best prctice until Jnury 31, Appendix A1: [ 12.11: Not pplicble Best prctice until Jnury 31, Not pplicble - client Is not shred hosting provider. PCI SS v3.2 Attesttion of Complince for Onsite Assessments - Service Providers, Rev PCI Security Stndrds Council, LLC. All Rights Reserved. Pge 8

9 Appendix A2: m A2.1: Not pplicble - Client does not hve POS terminls. Section 2: Report on Complince This Attesttion of Complince reflects the results of n onsite ssessment, which is documented ccompnying Report on Complince (ROC). nn The ssessment documented in this ttesttion nd in the ROC ws completed on: Hve compensting controls been used to meet ny requirement in the ROC? Were ny requirements in the ROC identified s being not pplicble (N/A)? Were ny requirements not tested? Were ny requirements in the ROC unble to be met due to legl constrint? 12/30/2016 QYes 0Yes Yes Yes 3 No No SNo No PCI SS v3.2 Attesttion of Complince for Onsite Assessments - Service Providers, Rev PCI Security Stndrds Council. LLC. Alt Rights Reserved. Pge 9

10 Section 3: Vlidtion nd Attesttion etils Prt 3. PCI SS Vlidtion This AOC is bsed on results noted In the ROC dted 12/30/2016. Bsed on the results documented in the ROC noted bove, the signtories identified in Prts 3b-3d, s pplicble, ssert(s) the following complince sttus for the entity identified in Prt 2 of this document (check one): B Complint: All sections of the PCI SS ROC re complete, ll questions nswered ffirmtively, resulting in n overll COMPLIANT rting; thereby Auric Systems Interntionl (A division of Approprite Solutions, Inc.) hs demonstrted full complince with the PCI SS. Non-Complint: Not ll sections of the PCI SS ROC re complete, or not ll questions re nswered ffirmtively, resulting in n overll NON-COMPLIANT rting, thereby (Service Provider Compny Nme) hs not demonstrted full complince with the PCI SS. Trget te for Complince: An entity submitting this form with sttus of Non-Complint my be required to complete the Action Pln in Prt 4 of this document. Check with the pyment brnd(s) before completing Prt 4. Complint but with Legl exception: One or more requirements re mrked "Not in Plce" due to legl restriction tht prevents the requirement from being met. This option requires dditionl review from cquirer or pyment brnd. If checked, complete the following: Affected Requirement etils of how legl constrint prevents requirement being met Prt 3. Acknowledgement of Sttus Signtory(s) confirms: (Check ll tht pply) The ROC ws completed ccording to the PCI SS Requirements nd Security Assessment Procedures, Version 3.2, nd ws completed ccording to the instructions therein. EI All informtion within the bove-referenced ROC nd in this ttesttion firly represents the results of my ssessment in ll mteril respects. I hve confirmed with my pyment ppliction vendor tht my pyment system does not store sensitive uthentiction dt fter uthoriztion. (3 I hve red the PCI SS nd I recognize tht i must mintin PCI SS complince, s pplicble to my environment, t ll times. If my environment chnges, I recognize I must ressess my environment nd implement ny dditionl PCI SS requirements tht pply. PCI SS v3.2 Attesttion of Complince for Onsite Assessments - Service Providers, Rev PCI Security Stndrds Council, LLC. All Rights Reserved. Pge 10

11 Prt 3. Acknowledgement of Sttus (continued) No evidence of full trck dt 1, CAV2, CVC2, CI, or CW2 dt 2, or PIN dt 3 storge fter trnsction uthoriztion ws found on ANY system reviewed during this ssessment. ASV scns re being completed by the PCI SSC Approved Scnning Vendor AlertLogic. Provider Attesttion ^ Cd^ Signtu&'bf Service Provider Executive Officer <f> te: /g-\$g* - OCJ^fmjser'T te: f >±_-\}*\ - Service Provider Executive Officer Nme: BMm*k C&i-2\ me: UK/, f/3j\e*$- Prt 3c. Qulified Security Assessor (QSA) Acknowledgement (if pplicble) If QSA ws involved or ssisted with this ssessment, describe the rote performed: Vernon vis completed PCI SS complince ssessment Signture of uty Authorized Officer of QSA Compny f uly Authorized Officer Nme: Nigel Trnter te: Jnury 13, 2017 QSA Compny: PSC Prt 3d. Internl Security Assessor (ISA) Involvement (if pplicble) If n ISA(s) ws involved or ssisted with this ssessment, identify the ISA personnel nd describe the role performed: t encoded in the mgnetic stripe or equivlent dt on chip used for uthoriztion during crd-present trnsction. Entities my not retin full trck dt fter trnsction uthoriztion. The only elements of trck dt tht my be retined re primry ccount number (PAN), expirtion dte, nd crdholder nme. The three- or four-digit vlue printed by the signture pnel or on the fce of pyment crd used to verify crd-not-present trnsctions. Personl identifiction number entered by crdholder during crd-present trnsction, nd/or encrypted PIN block present within the trnsction messge. PCI SS v3.2 Attesttion of Complince for Onsite Assessments - Service Providers, Rev PCI Security Stndrds Council, LLC. All Rights Reserved. Pge 11

12 Prt 4. Action Pln for Non-Complint Requirements Select the pproprite response for "Complint to PCI SS Requirements" for ech requirement. If you nswer "No" to ny of the requirements, you my be required to provide the dte your Compny expects to be complint with the requirement nd brief description of the ctions being tken to meet the requirement. Check with the pplicble pyment brnd(s) before completing Prt 4. PCI SS Requirement 1 escription of Requirement Instll nd mintin firewll configurtion to protect crdholder dt Complint to PCI SS Requirements (SelectOne) YES NO Remedition te nd Actions (If "NO" selected for ny Requirement) 2 o not use vendor-supplied defults for system psswords nd other security prmeters H 3 Protect stored crdholder dt 4 Encrypt trnsmission of crdholder dt cross open, public networks H! 5 Protect ll systems ginst mlwre nd regulrly updte nti-virus softwre or progrms EI! i 6 evelop nd mintin secure systems nd pplictions Restrict ccess to crdholder dt by business need to know Identify nd uthenticte ccess to system components Restrict physicl ccess to crdholder dt I 10 Trck nd monitor ll ccess to network resources nd crdholder dt 11 Regulrly test security systems nd processes! 12 Mintin policy tht ddresses informtion security for ll personnel E!! Appendix A1 Additionl PCI SS Requirements for Shred Hosting Providers H Appendix A2 Additionl PCI SS Requirements for Entities using SSL/erly TLS! ISCOVER MsterCrd VISA PCI SS v3.2 Attesttion of Complince for Onsite Assessments - Service Providers, Rev PCI Security Stndrds Council, LLC, All Rights Reserved. Pge 12