University of Maine System Payment Card Industry Data Security Standard (PCI DSS) Guide for Completing Self Assessment Questionnaire (SAQ) SAQ C


All university merchant departments accepting credit cards must comply with the Payment Card Industry Data Security Standard (PCI DSS), which is intended to ensure the safe handling of cardholder data. To validate PCI DSS compliance, a self-assessment questionnaire must be completed for each merchant ID assigned by the university's merchant acquirer (e.g., Global Payments). A completed self-assessment questionnaire (SAQ) is required annually. It is the responsibility of the merchant department to complete the questionnaire when due.

There are 5 different versions of the SAQ. The required SAQ for a merchant depends on the manner in which credit cards are processed.

SAQ Category A
  Description: For card-not-present merchants where all cardholder data functions are outsourced. There are no face-to-face transactions.
  Examples: TouchNet marketplace e-commerce (upay, ustore) or Bill+Pay.

SAQ Category B
  Description: For merchants using imprint or standalone dial-up terminals connected by phone line. There must be no electronic cardholder data storage.
  Examples: Verifone VX570 connected only to a phone line.

SAQ Category C
  Description: For merchants with payment applications connected to the internet. There must be no electronic data storage and no connection to other systems.
  Examples: Point-of-sale systems with card-present, face-to-face transactions where the cardholder data environment is isolated; Verifone VX570 connected to the internet.

SAQ Category C-VT
  Description: For merchants using only web-based virtual terminal applications.
  Examples: TouchNet Payment Gateway Single Authorizations, or office entry on behalf of others using self-service solutions.

SAQ Category D
  Description: All other merchants not included above.
  Examples: Point-of-sale systems with card-present, face-to-face transactions where the cardholder data environment is not isolated from other functions.

To obtain a copy of the SAQs and the PCI DSS, visit this web site:

Before beginning your SAQ, please read the following documents:
  - The PCI Data Security Standard
  - Instructions and Guidelines provided by the PCI Security Standards Council

This guide is for merchant departments that process credit card transactions using credit card terminals connected to the internet, or a point-of-sale (POS) system that is isolated and not connected to any other systems. In order to use this guide to complete SAQ C for your merchant, all of the following criteria must be met:
  - Your department has a payment application system and an Internet connection on the same device;
  - The payment application/internet device is not connected to any other systems within the merchant environment;
  - The merchant store is not connected to other store locations, and any LAN is for a single store only;
  - Your department does not store cardholder data in electronic format;
  - If your department does store cardholder data, such data is only in paper reports or paper copies of receipts and is not received electronically; and
  - Your department's payment application vendor uses secure techniques to provide remote support to your payment system.

TrustKeeper Log-in

If your merchant processes transactions consistent with the SAQ C requirements, you must log in to TrustKeeper to complete your SAQ. Log in to TrustKeeper at trustkeeper.net. Contact your campus credit card coordinator to obtain your user ID and password.

TrustKeeper Home Page

From the TrustKeeper home page, click on Learn about the Program to obtain the Getting Started Guide with instructions on how to proceed. Follow the instructions to complete your merchant profile and SAQ. More specific instructions or information that you might need is available later in this document. Click on the Merchant Profile link to edit/complete the Merchant Profile.

Merchant Profile

Your merchant profile may indicate a complete status when you first log in. If you have not already done so, verify the Merchant Profile information, correct the answers if necessary, and save. To see help context for a question, click on the question mark that follows each question. If you are uncertain about an answer to a question, contact your campus credit card coordinator.

Merchant Profile (continued)

Click Save on the final page to save your profile and return to the home page.

Edit Compliance Questionnaire

From the home page, click on Edit Compliance Questionnaire to begin the SAQ.

SAQ Selection

Click on the Edit Compliance Questionnaire link to complete the SAQ. SAQ 2.0 Form C should already be selected. If it is not, review the merchant profile and check your answers. Click Begin to go to the SAQ questions.

Completing the SAQ

When you log in for the first time, you may find that some of the questions have already been completed. You should review all of the questions and answers by clicking on the All Questions tab. Information you may need about each question is contained in the remaining pages of this guide.

An Administrative Practice Letter (APL) IV-F Credit/Debit Card Standards has been issued by the University of Maine System Office of the Treasurer to create standards for credit and debit card processing. You may want to reference that APL as you complete your SAQ. You can find it on the web at:

Eligibility Criteria

Answer all eligibility questions. You are certifying your eligibility to complete SAQ C.

Merchant has a payment application system and an Internet or public network connection on the same device and/or same local area network (LAN).
Answer TRUE if the device or system used to process credit card payments is connected to the internet.

The payment application system/internet device is not connected to any other system within the merchant environment.
Answer TRUE only if your terminal, computer or system used for processing credit card payments is connected to your campus PCI Compliant Network and has access to only the internet site(s) required for processing payments and related activity.

Merchant store is not connected to other store locations, and any LAN is for a single store only.

Merchant does not store any cardholder data in electronic format.
APL IV-F Credit/Debit Card Standards states that electronic storage of cardholder data on any University computer is prohibited. If your device or system complies, answer TRUE.

If Merchant does store cardholder data, such data is only in paper reports or copies of receipts and is not received electronically.
Merchant departments must not send or receive cardholder data electronically and must comply with all PCI DSS requirements for storage of cardholder data. Answer TRUE if you comply with that requirement.

Merchant's payment application software vendor uses secure techniques to provide remote support to merchant's payment application system.
If your system vendor provides remote support to your system, they should log in using an account made available only when necessary, using two-factor authentication and encryption. Answer TRUE if your vendor uses these secure techniques. Answer TRUE if you have no remote vendor support.

If you are unable to answer all questions as TRUE, SAQ C is not the correct questionnaire.

The remaining questions must all be answered YES or Not Applicable (N/A) for your merchant to be PCI DSS compliant and to pass the SAQ. All N/A answers must be explained in the comments section for that question. If you are unable to answer YES or N/A, you likely need to make some changes in your credit card processing.

Firewall Configuration

Do firewall and router configurations restrict connections between untrusted networks and any system in the cardholder data environment as follows? Note: An untrusted network is any network that is external to the networks belonging to the entity under review, and/or which is out of the entity's ability to control or manage.

Is inbound and outbound traffic restricted to that which is necessary for the cardholder data environment, and are the restrictions documented? (SAQ #1.2.1.a)
If your system is connected to the campus PCI Compliant Network, answer YES.

Is all other inbound and outbound traffic specifically denied (for example, by using an explicit "deny all" or an implicit deny after allow statement)? (SAQ #1.2.1.b)
If your system is connected to the campus PCI Compliant Network, answer YES.

Are perimeter firewalls installed between any wireless networks and the cardholder data environment, and are these firewalls configured to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment? (SAQ #1.2.3)
If your system is connected to the campus PCI Compliant Network, answer YES.

Does the firewall configuration prohibit direct public access between the Internet and any system component in the cardholder data environment as follows?

Are direct connections prohibited for inbound or outbound traffic between the Internet and the cardholder data environment? (SAQ #1.3.3)

Is outbound traffic from the cardholder data environment to the Internet explicitly authorized? (SAQ #1.3.5)

Is stateful inspection, also known as dynamic packet filtering, implemented (that is, only established connections are allowed into the network)? (SAQ #1.3.6)
Answer YES if your system is connected to your campus's secure PCI Compliant Network.

System Settings

Are vendor-supplied defaults always changed before installing a system on the network? Vendor-supplied defaults include but are not limited to passwords, simple network management protocol (SNMP) community strings, and elimination of unnecessary accounts. (SAQ #2.1)
Each user should be using an individual account provided specifically to that user. Ensure that no vendor-provided default settings are used. Answer YES only if you follow those practices.

For wireless environments connected to the cardholder data environment or transmitting cardholder data, are defaults changed as follows:

Are encryption keys changed from default at installation, and changed anytime anyone with knowledge of the keys leaves the company or changes positions? (SAQ #2.1.1.a)
Wireless devices should not be used to process cardholder data. The device you use should not have wireless access enabled. Answer: Not Applicable. Comments: Wireless devices are not permitted at this time.

Are default SNMP community strings on wireless devices changed? (SAQ #2.1.1.b)
The device you use for virtual terminal access should not have wireless access enabled. Answer: Not Applicable. Comments: Wireless devices are not permitted at this time.

Are default passwords/passphrases on access points changed? (SAQ #2.1.1.c)
The device you use for virtual terminal access should not have wireless access enabled. Answer: Not Applicable. Comments: Wireless devices are not permitted at this time.

Is firmware on wireless devices updated to support strong encryption for authentication and transmission over wireless networks? (SAQ #2.1.1.d)
The device you use for virtual terminal access should not have wireless access enabled. Answer: Not Applicable. Comments: Wireless devices are not permitted at this time.

Are other security-related wireless vendor defaults changed, if applicable? (SAQ #2.1.1.e)
The device you use for virtual terminal access should not have wireless access enabled. Answer: Not Applicable. Comments: Wireless devices are not permitted at this time.

Are only necessary services, protocols, daemons, etc. enabled as required for the function of the system (services and protocols not directly needed to perform the device's specified function are disabled)? (SAQ #2.2.2a)
Answer YES if the personal computer(s) used to connect to virtual terminals have been customized by your IT administrator to include only the services and accounts needed for the authorized payment activities.

Is all non-console administrative access encrypted as follows? (Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.) (SAQ #2.3)

Is all non-console administrative access encrypted with strong cryptography, and is a strong encryption method invoked before the administrator's password is requested? (SAQ #2.3a)

If a vendor or third party accesses your system to modify the software configuration, the connection must use methods that require encryption of all traffic. If you have such access, verify that encryption is used and answer YES. If such methods are not used to modify the configuration of your system, answer N/A and add the comment: Non-console administrative access is not used.

Are system services and parameter files configured to prevent the use of Telnet and other insecure remote login commands? (SAQ #2.3b)
Vendor implementation guidelines must ensure insecure protocols cannot be used for remote logins.

Is administrator access to web-based management interfaces encrypted with strong cryptography? (SAQ #2.3c)
Ensure the https: prefix is present on all URLs when using any web-based interfaces.

Stored Data Protection

If sensitive authentication data is received and deleted, are processes in place to securely delete the data to verify that the data is unrecoverable? (SAQ #3.2b)
Magnetic stripe cardholder data or card validation values (CVV) must not be stored for any reason. Answer YES if the answers to questions 2 through 4 in this section are YES or N/A.

Do all systems adhere to the following requirements regarding non-storage of sensitive authentication data after authorization (even if encrypted)? (SAQ #3.2c)

The full contents of any track from the magnetic stripe (located on the back of a card, contained in a chip, or elsewhere) are not stored under any circumstance? This data is alternatively called full track, track, track 1, track 2, and magnetic-stripe data. (SAQ #3.2.1)
Answer YES if your system does not store any contents of the magnetic stripe from the back of the card.

The card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) is not stored under any circumstance? (SAQ #3.2.2)
Answer YES if your system does not store card validation codes when entered for card-not-present activity. If your system is not used for card-not-present transactions, answer N/A and add the comment: Card present activity only.

The personal identification number (PIN) or the encrypted PIN block are not stored under any circumstance? (SAQ #3.2.3)
Answer YES if you accept debit cards and your system does not store personal identification numbers (PINs) from debit card transactions, or answer N/A and add the comment: Debit cards not accepted.

Is the PAN masked when displayed (the first six and last four digits are the maximum number of digits to be displayed)? (SAQ #3.3)
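The following Python is an added illustration, not part of the UMS guide or of TrustKeeper: it scans a receipt or terminal log for the track data that SAQ #3.2.1 says must never be stored and for unmasked card numbers, and reports every hit in the SAQ #3.3 display form (at most the first six and last four digits). The log lines are constructed test data using the public Visa and Mastercard test numbers; the track patterns follow the ISO 7813 track 1 and track 2 layouts.

```python
from __future__ import annotations

import re

# ISO 7813 track layouts: track 1 is "%B<PAN>^<NAME>^<YYMM>...", track 2 is
# ";<PAN>=<YYMM>...". Any fragment of either in stored data violates SAQ #3.2.1.
TRACK1 = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}")
TRACK2 = re.compile(r";\d{13,19}=\d{4}")
# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer run of digits (so a 20-digit order id is not split up).
# This is a heuristic: a PAN directly followed by "<space><digits>" would be
# read as one longer candidate.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ \-]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Mod-10 check that every card PAN satisfies; screens out order numbers
    and other digit runs that merely have a card-like length."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form required by SAQ #3.3: at most the first six and last four
    digits visible, everything in between replaced by '*'. Separators in the
    input (spaces, dashes) are dropped first."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("a PAN has 13 to 19 digits")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_sensitive_data(text: str) -> list[tuple[int, str, str]]:
    """Scan receipt or log text line by line.

    Returns (line number, kind, masked PAN) for every track-data fragment and
    every unmasked, Luhn-valid PAN. The PAN is reported only in masked form so
    the scan report itself does not become stored cardholder data.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in (("track1", TRACK1), ("track2", TRACK2)):
            for m in pattern.finditer(line):
                pan = re.search(r"\d{13,19}", m.group()).group()
                findings.append((lineno, kind, mask_pan(pan)))
            # Blank out the track fragment so its PAN is not reported twice.
            line = pattern.sub(lambda m: " " * len(m.group()), line)
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_valid(digits):
                findings.append((lineno, "pan", mask_pan(digits)))
    return findings


# Constructed sample: a terminal log as it should NOT look. Line 1 is the
# compliant masked form; lines 2-4 hold data that must never be stored; line 5
# holds digit runs that are not card numbers and must not be flagged.
SAMPLE_LOG = """\
2013-04-02 10:15:03 AUTH ok card=411111******1111 amt=42.50
2013-04-02 10:16:11 AUTH ok card=4111 1111 1111 1111 amt=19.99
2013-04-02 10:17:45 DEBUG swipe=%B4111111111111111^DOE/JANE^2512101?
2013-04-02 10:18:02 DEBUG raw=;5555555555554444=2512101?
2013-04-02 10:19:30 order_id=1234567890123 ref=9999999999999999
"""

if __name__ == "__main__":
    for lineno, kind, masked in find_sensitive_data(SAMPLE_LOG):
        print(f"line {lineno}: {kind} data present, card {masked}")
```

Run against the sample it reports the unmasked PAN on line 2 and the track 1 and track 2 fragments on lines 3 and 4, while the order id and reference number on line 5 fail the Luhn check and are ignored.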

Verify that your system masks the display of the card number on screen and on printed reports or receipts. Answer: YES

Transmitted Data Protection

Are strong cryptography and security protocols, such as SSL/TLS, SSH or IPSEC, used to safeguard sensitive cardholder data during transmission over open, public networks? (SAQ #4.1.a)
Answer YES if you have confirmed that your payment applications use strong cryptographic protocols for all transmission of cardholder data. The application vendor will provide guidelines for proper implementation. For web-based applications, the https: prefix must precede all URLs to indicate that proper encryption is being used to protect the transmission of your sensitive information, including cardholder data.

Are only trusted keys and/or certificates accepted? (SAQ #4.1.b)
The application vendor will provide guidelines for proper implementation. For example, with SSL implementations, certificates must be signed by a trusted Certificate Authority. Your browser has a built-in mechanism to accept only trusted certificates. Answer YES only if you NEVER accept certificates that your web browser warns you could be invalid (e.g., expired, self-signed, wrong hostname). These are likely signs of malicious activity.

Are security protocols implemented to use only secure configurations? (SAQ #4.1.c)
Answer YES if you have confirmed that your payment applications are configured to use only strong cryptographic protocols for all transmission of cardholder data. The application vendor will provide guidelines for proper implementation.

Is the proper encryption strength implemented for the encryption methodology in use (check vendor recommendations/best practices)? (SAQ #4.1.d)
Answer YES if you have confirmed that your payment applications use strong cryptographic protocols for all transmission of cardholder data. The application vendor will provide guidelines for proper implementation.

For SSL/TLS implementations (SAQ #4.1.e): Does HTTPS appear as part of the browser Universal Record Locator (URL)? Is cardholder data required only when HTTPS appears in the URL?

Are industry best practices (for example, IEEE i) used to implement strong encryption for authentication and transmission for wireless networks transmitting cardholder data or connected to the cardholder data environment? (SAQ #4.1.1)
Answer: Not Applicable. Comments: Wireless devices are not permitted at this time.

Are policies in place that state that unprotected PANs are not to be sent by end-user messaging technologies (for example, e-mail, instant messaging, chat)? (SAQ #4.2.b)
APL IV-F Credit/Debit Card Standards prohibits the use of such messaging technologies for sending or receiving credit card data. Answer: YES

Anti-Virus Protection

Is anti-virus software deployed on all systems commonly affected by malicious software? (SAQ #5.1)
Verify that your system has the appropriate anti-virus software installed. Answer: YES

Are all anti-virus programs capable of detecting, removing, and protecting against all known types of malicious software (for example, viruses, Trojans, worms, spyware, adware, and rootkits)? (SAQ #5.1.1)
Verify that your system has the appropriate anti-virus software installed. Answer: YES

Is all anti-virus software current, actively running, and generating audit logs as follows:

Does the anti-virus policy require updating of anti-virus software and definitions? (SAQ #5.2.a)
Answer YES, as this is a requirement of the Credit/Debit Card Standards APL.

Is the master installation of the software enabled for automatic updates and scans? (SAQ #5.2.b)
Confirm with your IT administrators that automatic updates and scans are required by the default installation procedures. Answer: YES

Are automatic updates and periodic scans enabled? (SAQ #5.2.c)
Answer YES if you have confirmed these are enabled. Check the settings of your anti-virus software to confirm this is true.

Are all anti-virus mechanisms generating audit logs, and are logs retained in accordance with PCI DSS Requirement 10.7? (SAQ #5.2.d)
Answer YES if you have confirmed audit logs are generated for all anti-virus activities. Check your anti-virus settings to confirm logs are not being deleted sooner than one year and that you have sufficient disk space where the logs are being stored.

Application and Systems Security

Are all system components and software protected from known vulnerabilities by having the latest vendor-supplied security patches installed? (SAQ #6.1.a)
Verify that security patches for your system components (e.g., Windows, Internet Explorer) have the latest updates installed. Answer: YES

Are critical security patches installed within one month of release? (SAQ #6.1.b)
Verify that security patches for your system components (e.g., Windows, Internet Explorer) are regularly installed. Answer: YES

Access Restrictions

Is access to system components and cardholder data limited to only those individuals whose jobs require such access, as follows:

Are access rights for privileged user IDs restricted to the least privileges necessary to perform job responsibilities? (SAQ #7.1.1)
APL IV-F Credit/Debit Card Standards requires access limitations for paper documentation containing cardholder data and restrictions on devices or databases involved in processing, storing or communicating cardholder data. Access to systems or paper documentation must be limited to only the privileges required to perform necessary job responsibilities. Answer: YES

Are privileges assigned to individuals based on job classification and function (also called "role-based access control" or RBAC)? (SAQ #7.1.2)

Account Security

Is two-factor authentication incorporated for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties? (SAQ #8.3)

Are proper user identification and authentication management controls in place for non-consumer users and administrators on all system components, as follows:

Are accounts used by vendors for remote access, maintenance or support enabled only during the time period needed? (SAQ #8.5.6.a)
If vendors access your system remotely to provide maintenance, verify that accounts used for access are enabled only as needed and answer YES. If your vendor does not access your system remotely, answer N/A and add the comment: No remote vendor access.

Are vendor remote access accounts monitored when in use? (SAQ #8.5.6.b)
If vendors access your system remotely to provide maintenance, verify that accounts used for access are enabled only as needed and answer YES. If your vendor does not access your system remotely, answer N/A and add the comment: No remote vendor access.

Physical Access Controls

Are all media physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes)? (SAQ #9.6)

APL IV-F Credit/Debit Card Standards prohibits electronic storage of cardholder data. Verify that any paper media that contains cardholder data is properly destroyed once the transaction is complete, or is physically secured. If proper procedures are in place, answer YES. If paper documents containing cardholder data are never created in the payment process, answer N/A and add the comment: No media is created containing cardholder data.

Is strict control maintained over the internal or external distribution of any kind of media that contains cardholder data? (SAQ #9.7.a)
APL IV-F Credit/Debit Card Standards prohibits electronic storage of cardholder data. Verify that proper controls are used if paper documents containing cardholder data are handled. If proper procedures are in place, answer YES. If paper documents containing cardholder data are never created in the payment process, answer N/A and add the comment: No media is created containing cardholder data.

Do controls include the following:

Is the media classified so the sensitivity of the data can be determined? (SAQ #9.7.1)
APL IV-F Credit/Debit Card Standards states that when documents containing cardholder data are moved from one place to another, they must be clearly marked as confidential information. If proper procedures are in place, answer YES. If paper documents containing cardholder data are never created in the payment process, answer N/A and add the comment: No media is created containing cardholder data.

Is the media sent by secured courier or other delivery method that can be accurately tracked? (SAQ #9.7.2)
APL IV-F Credit/Debit Card Standards states that when documents containing cardholder data are moved from one place to another, they must be delivered personally or by a trackable courier service. If proper procedures are in place, answer YES. If paper documents containing cardholder data are never created in the payment process, answer N/A and add the comment: No media is created containing cardholder data.

Are logs maintained to track all media that is moved from a secured area, and is management approval obtained prior to moving the media (especially when media is distributed to individuals)? (SAQ #9.8)

APL IV-F Credit/Debit Card Standards requires that, if paper media exists with cardholder information, movement or transfer of that media must be approved by management. If proper procedures are in place, answer YES. If paper documents containing cardholder data are never created in the payment process, answer N/A and add the comment: No media is created containing cardholder data.

Is strict control maintained over the storage and accessibility of media that contains cardholder data? (SAQ #9.9)
APL IV-F Credit/Debit Card Standards requires that stored media must be kept in a locked file. If proper procedures are in place, answer YES. If paper documents containing cardholder data are never created in the payment process, answer N/A and add the comment: No media is created containing cardholder data.

Is media containing cardholder data destroyed when it is no longer needed for business or legal reasons? (SAQ #9.10)
APL IV-F Credit/Debit Card Standards states that paper documents containing cardholder data should be kept only for as long as required for completion of the transaction. If proper procedures are in place, answer YES. If paper documents containing cardholder data are never created in the payment process, answer N/A and add the comment: No media is created containing cardholder data.

Is destruction performed as follows?

Are hardcopy materials cross-cut shredded, incinerated, or pulped so that cardholder data cannot be reconstructed? (SAQ # a)

Are containers that store information to be destroyed secured to prevent access to the contents? (For example, a "to-be-shredded" container has a lock preventing access to its contents.) (SAQ # b)
APL IV-F Credit/Debit Card Standards requires that destruction of any paper documents containing cardholder data must be done in such a way as to make reconstruction of the data impossible (e.g., cross-cut shredder, incineration). If proper procedures are in place, answer YES. If paper documents containing cardholder data are never created in the payment process, answer N/A and add the comment: No media is created containing cardholder data.

Monitoring and Testing

Is a documented process implemented to detect and identify wireless access points on a quarterly basis? (SAQ #11.1a)
Confirm with System or Campus IT that they have documented the process they will use on a quarterly basis to evaluate the wireless environment in the area of your payment devices. Answer YES if the requirements below (SAQ #11.1 b, c, d, e) are met.

Does the methodology detect and identify any unauthorized wireless access points, including at least the following (SAQ #11.1b): WLAN cards inserted into system components; portable wireless devices connected to system components (for example, by USB, etc.); wireless devices attached to a network port or network device?

Is the process to identify unauthorized wireless access points performed at least quarterly for all system components and facilities? (SAQ #11.1.c)

If automated monitoring is utilized (for example, wireless IDS/IPS, NAC, etc.), is monitoring configured to generate alerts to personnel? (SAQ #11.1.d)

Does the Incident Response Plan (Requirement 12.9) include a response in the event unauthorized wireless devices are detected? (SAQ #11.1.e)

Are internal and external network vulnerability scans run at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades) as follows?

Are quarterly internal vulnerability scans performed? (SAQ # a)
The Information Security Office will ensure these scans are performed and provided to you. If you are getting these results as expected, answer YES.

Does the quarterly internal scan process include rescans until passing results are obtained, or until all "High" vulnerabilities as defined in PCI DSS Requirement 6.2 are resolved? (SAQ # b)

Are internal quarterly scans performed by a qualified internal resource(s) or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)? (SAQ # c)
If your internal vulnerability scans are being performed by your IT administrator or Information Security Office personnel, answer YES.

Are quarterly external vulnerability scans performed? (SAQ # a)

Do external quarterly scan results satisfy the ASV Program Guide requirements (for example, no vulnerabilities rated higher than a 4.0 by the CVSS and no automatic failures)? (SAQ # b)

If you are performing quarterly scans via TrustKeeper, answer YES.

Are quarterly external vulnerability scans performed by an Approved Scanning Vendor (ASV), approved by the Payment Card Industry Security Standards Council (PCI SSC)? (SAQ # c)
If you are performing quarterly scans via TrustKeeper, answer YES.

Are internal and external scans performed after any significant change (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades)? (SAQ # a)
All significant changes to your payment environment must involve your IT administrators. If involved, they will ensure rescans are performed and results provided to you for remediation. Answer YES.

Does the scan process include rescans until (SAQ # b): for external scans, no vulnerabilities exist that are scored greater than a 4.0 by the CVSS; for internal scans, a passing result is obtained or all "High" vulnerabilities as defined in PCI DSS Requirement 6.2 are resolved?

Are scans performed by a qualified internal resource(s) or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)? (SAQ # c)
Answer YES if your internal scans are performed by your IT administrator or Information Security Office personnel AND your external scans are performed via TrustKeeper.

Security Policies and Procedures

Is a security policy established, published, maintained, and disseminated to all relevant personnel? (SAQ #12.1)
APL IV-F Credit/Debit Card Standards defines credit card security practices to comply with UMS Policy Section 901 Information Security and is required to be distributed to all employees involved in handling cardholder data. Answer: YES

Is the information security policy reviewed at least once a year and updated as needed to reflect changes to business objectives or the risk environment? (SAQ #12.1.3)
APL IV-F Credit/Debit Card Standards will be updated and distributed at least annually. Answer: YES

Are usage policies for critical technologies (for example, remote-access technologies, wireless technologies, removable electronic media, laptops, tablets, personal data/digital assistants [PDAs], e-mail usage, and Internet usage) developed to define proper use of these technologies for all personnel, and require the following?

Explicit approval by authorized parties to use the technologies? (SAQ #12.3.1)
Verify that personnel involved in payment card transactions understand that they are not authorized to use these devices in connection with payment card activities and must not attach such devices to payment card devices unless specifically authorized.

Authentication for use of the technology? (SAQ #12.3.2)

A list of all such devices and personnel with access? (SAQ #12.3.3)
All devices used in connection with payment card activities must be specifically identified.

Acceptable uses of the technologies? (SAQ #12.3.5)
APL IV-F Credit/Debit Card Standards states that UMS CISO approval is required for use of any wireless technologies in processing credit card data. Answer: YES

Acceptable network locations for the technologies? (SAQ #12.3.6)

Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity? (SAQ # )

Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use? (SAQ # )

Do the security policy and procedures clearly define information security responsibilities for all personnel? (SAQ #12.4)
Responsibilities for information security are defined in APL IV-F Credit/Debit Card Standards, APL VI-C Information Security and UMS Policy Section 901 Information Security. Answer: YES

Are the following information security management responsibilities formally assigned to an individual or team?

Establishing, documenting, and distributing security incident response and escalation procedures to ensure timely and effective handling of all situations? (SAQ #12.5.3)
APL VI-C Information Security has established guidelines for incident response. Answer: YES

22 Is a formal security awareness program in place to make all personnel aware of the importance of cardholder data security? (SAQ #12.6) APL IV-F Credit/Debit Card Standards states that cardholder data security is a required part of security awareness program for all employees. Answer: YES If cardholder data is shared with service providers, are policies and procedures maintained and implemented to manage service providers, as follows: Is a list of service providers maintained? (SAQ #12.8.1) APL IV-F Credit/Debit Card Standards has a requirement that a listing of all service providers is maintained and is included as Appendix III. Answer: YES Is a written agreement maintained that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess? (SAQ #12.8.2) Is there an established process for engaging service providers, including proper due diligence prior to engagement? (SAQ #12.8.3) APL IV-F Credit/Debit Card Standards has a requirement to obtain such a written acknowledgement from service providers. Answer: YES Is there an established process for engaging service providers, including proper due diligence prior to engagement? (SAQ #12.8.3) APL IV-F Credit/Debit Card Standards requires that all new service providers involved in processing, transmitting or storing cardholder data must be approved by the UMS CIO and CISO. Answer: YES Is a program maintained to monitor service providers' PCI DSS compliance status at least annually? (SAQ #12.8.4) APL IV-F Credit/Debit Card Standards has a requirement for service providers to provide evidence of PCI DSS compliance at least annually. Answer: YES Confirmation and Acknowledgement You must be able to answer all questions YES in order to have a passing SAQ. PCI DSS Self-Assessment Questionnaire C, version 2.0 was completed according to the instructions therein. 
(SAQ #CA.1.C) All information within the above-referenced SAQ and in this attestation fairly represents the results of my assessment in all material respects. (SAQ #CA.2)

23 I have confirmed with my payment application vendor that my payment system does not store sensitive authentication data after authorization. (SAQ #CA.3) I have read the PCI DSS and I recognize that I must maintain full PCI DSS compliance at all times. (SAQ #CA.4) No evidence of magnetic stripe (i.e., track) data, CAV2, CVC2, CID, or CVV2 data, or PIN data storage subsequent to transaction authorization was found on ANY systems reviewed during this assessment. (SAQ #CA.5) Signature of Executive Officer Enter the full name of merchant department contact or supervisor. Title of Executive Officer Enter the title of the officer from (S.) above. Submitting your SAQ After you have answered all of the questions, submit your SAQ by clicking the Submit / Save button. From the home page, you can see your PCI status and expiration date at the top of the page. You will be notified when the expiration date approaches. You must complete an SAQ each year. You can view or print your report by clicking the Report link. This is the report that will be submitted to the merchant acquirer as evidence of your PCI compliance. Notify your campus coordinator for credit card processing if you have completed your SAQ and your status does not show Compliant. You can view your compliance certificate by clicking the View Compliance Certificate link at the bottom of the page.


Implementation Guide. Payment Card Industry Data Security Standard 2.0. Guide version 4.0 Implementation Guide Payment Card Industry Data Security Standard 2.0 Guide version 4.0 Copyright 2012 Payment Processing Partners Inc. All rights reserved. ChargeItPro and ChargeItPro EasyIntegrator are

More information

Qualified Integrators and Resellers (QIR) TM. QIR Implementation Statement, v2.0

Qualified Integrators and Resellers (QIR) TM. QIR Implementation Statement, v2.0 Qualified Integrators and Resellers (QIR) TM Implementation Statement For each Qualified Installation performed, the QIR Employee must complete this document and confirm whether the Validated Payment Application

More information

Payment Card Industry (PCI) Data Security Standard. Requirements and Security Assessment Procedures. Version May 2018

Payment Card Industry (PCI) Data Security Standard. Requirements and Security Assessment Procedures. Version May 2018 Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures Version 3.2.1 May 2018 Document Changes Date Version Description Pages October 2008 1.2 July 2009 1.2.1

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.2 April 2016 Section 1: Assessment Information Instructions for Submission

More information

PA-DSS Implementation Guide For

PA-DSS Implementation Guide For PA-DSS Implementation Guide For, CAGE (Card Authorization Gateway Engine), Version 4.0 PCI PADSS Certification 2.0 December 10, 2013. Table of Contents 1. Purpose... 4 2. Delete sensitive authentication

More information

Old requirement New requirement Detail Effect Impact

Old requirement New requirement Detail Effect Impact RISK ADVISORY THE POWER OF BEING UNDERSTOOD PCI DSS VERSION 3.2 How will it affect your organization? The payment card industry (PCI) security standards council developed version 3.2 of the Data Security

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.2 April 2016 Section 1: Assessment Information Instructions for Submission

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.2 April 2016 Document2 Section 1: Assessment Information Instructions for

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.1 April 2015 Section 1: Assessment Information Instructions for Submission

More information

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V3.0, MAY 2017 Multiple Layers of Protection Overview Password Salted-Hash Thank you

More information

PDQ Guide for the PCI Data Security Standard Self-Assessment Questionnaire C (Version 1.2)

PDQ Guide for the PCI Data Security Standard Self-Assessment Questionnaire C (Version 1.2) PDQ has created an Answer Guide for the Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C to help wash operators complete questionnaires. Part of the Access Customer Management

More information

Simple and Powerful Security for PCI DSS

Simple and Powerful Security for PCI DSS Simple and Powerful Security for PCI DSS The regulations AccessEnforcer helps check off your list. Most merchants think they are too small to be targeted by hackers. In fact, their small size makes them

More information

PCI Compliance Assessment Module with Inspector

PCI Compliance Assessment Module with Inspector Quick Start Guide PCI Compliance Assessment Module with Inspector Instructions to Perform a PCI Compliance Assessment Performing a PCI Compliance Assessment (with Inspector) 2 PCI Compliance Assessment

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.2 April 2016 Section 1: Assessment Information Instructions for Submission

More information

PCI PA DSS. PBMUECR Implementation Guide

PCI PA DSS. PBMUECR Implementation Guide Point Transaction Systems SIA PCI PA DSS PBMUECR 02.21.002 Implementation Guide Author: Filename: D01_PBMUECR_Implementation_Guide_v1_3.docx Version: 1.3 Date: 2014-07-17 Circulation: Edited : 2014-07-17

More information

PaymentVault TM Service PCI DSS Responsibility Matrix

PaymentVault TM Service PCI DSS Responsibility Matrix PaymentVault TM Service PCI DSS 3.2.1 Responsibility Matrix 5 November 2018 Compliance confirmed and details available in the Systems International Attestation of Compliance (AoC). A copy of the AoC is

More information

PCI PA-DSS Implementation Guide

PCI PA-DSS Implementation Guide PCI PA-DSS Implementation Guide For Verifone VX 820 and Verifone VX 825 terminals using the Verifone ipos payment core I02.01 Software Page number 2 (21) Revision History Version Name Date Comments 1.00

More information

Voltage SecureData Mobile PCI DSS Technical Assessment

Voltage SecureData Mobile PCI DSS Technical Assessment White Paper Security Voltage SecureData Mobile PCI DSS Technical Assessment Prepared for Micro Focus Data Security by Tim Winston, PCI/P2PE Practice Director, Coalfire Systems, Inc., June 2016 Table of

More information

PCI DSS Compliance. Verba SOLUTION GUIDE. Introduction. Verba and the Payment Card Industry Data Security Standard

PCI DSS Compliance. Verba SOLUTION GUIDE. Introduction. Verba and the Payment Card Industry Data Security Standard Introduction Verba provides a complete compliance solution for merchants and service providers who accept and/or process payment card data over the telephone. Secure and compliant handling of a customer

More information