PCI-DSS EVIDENCE REFERENCE
- Juliet Wilkerson
- 5 years ago
Version | Reviewed/Changed By | Date | Comments
1.0 | Stevie Heong | 5 May 2016 | First draft review
1.1 | Anna Shah | 2 August 2016 | Update

Note: This is a document for internal distribution within PKF Avant Edge Sdn. Bhd. Reproduction and distribution of this document outside PKF Avant Edge Sdn. Bhd. is prohibited. This document is not endorsed by any QSA; all evidence items are based solely on the experience of our consultants in PCI-DSS. The evidence a QSA requires from an organisation may change from time to time and from business to business, so these samples should be used only as guidelines and not as a definitive statement of what an organisation must produce to certify for PCI-DSS.
EXECUTIVE SUMMARY & REQUIREMENT 1

QUESTION 1: Please provide the list of office locations, cloud environments and data centres that store, process or transmit information covered under this certification.
NOTES:
1. Expected Evidence: a complete list, with the detailed address of every in-scope location (physical or cloud), the business process tied to each location, and whether that process is card-present or card-not-present.
REFERENCE:
QUESTION 2: Please provide a list of applications that are involved in storing, processing or transmitting information covered under this certification.
NOTES:
1. Expected Evidence: a complete list of all in-scope payment applications.
2. Payment applications are applications that store or process card information and are located in the CDE.
3. Off-the-shelf system software such as databases and operating systems is excluded.
4. Applications are generally divided as follows:
5. If an application has different URLs and authentication systems, each is treated as a separate application. If one application has different roles but a single login page, it is one application. If an application has separate modules (e.g. Admin, Supervisor, Analyst) and each module has its own independent login page, they are counted as three applications.
REFERENCE:
QUESTION 3: Please provide a high-level network diagram for the in-scope environment (see attached templates).
NOTES:
Expected Evidence: a high-level network diagram that covers the following:
- All connections into and out of the network, including demarcation points between the cardholder data environment (CDE) and other networks/zones
- Connectivity type used for data transmission (IPsec tunnel, SSL/TLS, SFTP, etc.)
- Internal, external and DMZ network zones, with cardholder application and database systems placed in their respective zones, or PCI-scope-specific VLANs (including their locations and the boundaries between them)
- All network devices as applicable: firewalls, IPS, routers, VPN devices, switches
- Third-party connections over which cardholder data is shared
REFERENCE:
QUESTION 4: Please provide your asset list, databases, data storage locations, etc.
NOTES:
Expected Evidence: an inventory of servers, network devices, software and applications. It must include all network and server systems in the CDE and all non-CDE systems that are in scope.
CaaS customers: for Linux servers, ensure the hostname and IP address are unique within the project and that the same IP is not reused in a different project reporting to CaaS, because the keys cannot be synchronised correctly when two Linux hosts share an IP.
REFERENCE:
QUESTION 5: Provide a list of all your external IP addresses and their function.
NOTES:
Expected Evidence: the complete list of ALL in-scope external IP addresses that will be scanned under the ASV scan. If the company has only one set of external IP addresses shared between PCI and non-PCI systems, the whole set must be provided to the ASV for scanning. Ensure that the list of external IPs in Q5 matches the list in Q4.
REFERENCE:
QUESTION 6: Provide 3 sample firewall and router change forms or tickets.
NOTES:
Expected Evidence: a change request form specific to the firewall and/or router change, including sign-off from the head of IT. The form should include the following:
1. Firewall name, brand and IP
2. Reason/description for the change
3. Requestor name, sign-off, date
4. Approver name, sign-off, date
5. Testing performed after the change
Forms can be tickets or electronic records as long as they capture the criteria above.
REFERENCE:
QUESTION 7: Provide detailed network diagram(s).
NOTES:
Expected Evidence: ensure the detailed network diagram covers the following:
- All boundaries of the in-scope environment
- Every network segmentation point
- Boundaries between trusted and untrusted networks
- Wireless (if present) and wired networks
- All other connection points applicable to the assessment
- Enough detail to clearly understand how each communication point functions and is secured:
  o the interface through which traffic passes between the firewall and the servers
  o the traffic flow of cardholder data
REFERENCE:
QUESTION 8: Provide data flow diagrams that explain storage, processing and transmission of covered information.
NOTES:
Expected Evidence: identify the business processes of the entity that use card data. Processes that may involve CHD include:
- Card capture
- Card acquiring and authorisation
- Card issuing
- Chargeback
- Settlement
- Fraud management
- Reconciliation
- Recurring payments
- etc.
REFERENCE:
QUESTION 9: Provide roles and responsibilities for management of firewalls and routers.
NOTES:
Expected Evidence: an access matrix that lists each UID and the user it belongs to, which firewalls and/or routers they may access, and the permission level granted.
REFERENCE:
QUESTION 10: Provide business justification for use of all services, protocols and ports allowed through the firewall and router.
NOTES:
Expected Evidence: a document containing the justification for ALL open ports and services permitted by the firewall or router. The QSA may also accept a version that justifies only the insecure services; whether this is acceptable depends on the number of rules the company has. The justification can be a separate document or be merged into the firewall hardening / firewall policy document.
REFERENCE:
QUESTION 11: Provide two compliant semi-annual firewall and router rule set review reports, along with evidence that the team performing the review has the necessary credentials and knowledge to perform the review.
NOTES:
Expected Evidence: a report that documents the review of ALL firewall rules in scope for PCI. The report must also reconcile the changes made to the firewall against the change request forms. The firewall review is intended to confirm that every rule aligns with PCI DSS, in particular:
1. Only specific destinations, sources, ports and services are allowed
2. A final any-to-any deny rule is in place
3. There is no direct communication between the CDE zone and the Internet
4. Every rule is described or tagged with a description
REFERENCE:
QUESTION 12: Provide the system-generated configuration showing the inbound and outbound access lists for all firewall(s)/router(s) in scope.
NOTES:
Expected Evidence:
1. The raw configuration file exported from each firewall/router, containing the full device configuration
2. A screenshot of every interface of the firewall/router showing all inbound and outbound rules
REFERENCE:
QUESTION 13: Provide a written explanation of how a full firewall/router configuration backup is done and how the backups are secured.
NOTES:
Expected Evidence:
1. A document outlining the firewall configuration backup process, covering:
   a. The frequency of backups
   b. The destination of the backups
   c. A screenshot showing the backup is stored in the designated place
   d. A test report of a restore from backup, showing that the backup is usable
REFERENCE:
QUESTION 14: For in-scope wireless networks, provide the system-generated configuration showing the inbound and outbound access lists between the wireless and wired networks.
NOTES:
Expected Evidence:
1. If wireless is in scope, provide a firewall screenshot showing the ACL between the wired and wireless networks
2. If wireless is not in scope, this is Not Applicable; however, a wireless scan is still needed to confirm that no wireless access point is present
REFERENCE:
QUESTION 15: Provide an explanation/justification for any scenario where there is a direct connection from the Internet to the internal network, or vice versa.
NOTES:
Expected Evidence:
1. A justification for why an internal network needs to reach the Internet directly
2. Only non-CDE in-scope systems may do so; the CDE must not connect directly to or from the Internet
3. Traffic must traverse the DMZ
REFERENCE:
QUESTION 16: Provide a screenshot of the anti-spoofing access list or equivalent settings on the external firewall and/or router.
NOTES:
Expected Evidence:
1. A firewall screenshot showing anti-spoofing is enabled, so that packets arriving on the external interface with internal source addresses are detected and dropped
2. Evidence that all traffic to the Internet is NATed
REFERENCE:
QUESTION 17: Provide a screenshot showing stateful inspection is enabled on in-scope external firewalls.
NOTES:
Expected Evidence:
1. A firewall screenshot showing that the firewall tracks connection state and permits only established connections into the network
2. Some firewalls perform stateful inspection by default; in that case, obtain a datasheet or whitepaper from the firewall vendor confirming that the firewall is stateful by default
REFERENCE:
QUESTION 18: For a sample of 5 laptops, provide the following:
- Evidence of a personal firewall running appropriately
- Evidence that the personal firewall cannot be disabled by the user
NOTES:
Expected Evidence:
1. Screenshots from each laptop that connects to the PCI environment showing it is protected by a personal firewall that cannot be disabled except by an administrator
REFERENCE:
QUESTION 19: If a wireless access point is used, provide screenshots showing the following:
- the firmware version is the latest
- strong encryption has been implemented
- vendor defaults have been changed
NOTES:
Expected Evidence:
1. If the wireless AP is in scope: screenshots from the AP showing the firmware version, the encryption in use (WPA2) and that the default password has been changed
2. If the wireless AP is not in scope, this is Not Applicable; however, a wireless scan still needs to be conducted
REFERENCE:
REQUIREMENT 2

QUESTION 20: Provide hardening (secure configuration) documents for all system components identified in the asset inventory.
NOTES:
Expected Evidence:
1. A document containing AT LEAST the basic hardening configuration for all in-scope components, especially:
   a. Servers
   b. Firewalls
   c. Routers/switches
   d. Databases
   e. Applications
2. Basic hardening may cover the following:
   a. Removal of vendor-supplied default usernames and passwords
   b. Password policy
   c. Audit log policy
   d. Removal of unused and insecure services, with justification for any needed services
   e. Etc.
REFERENCE:
QUESTION 21: Provide configuration scan (i.e. authenticated vulnerability scan) results that evidence the list of ports/services running on in-scope systems (servers and network devices). In the absence of a configuration scan, you may provide the results of running the ControlCase scripts on in-scope systems.
NOTES:
Expected Evidence:
1. Internal Vulnerability Assessment (IVA) scan report
REFERENCE:
QUESTION 22: For insecure services (such as HTTP, FTP, Telnet, SSL), provide details of the additional controls implemented to mitigate the risk of running that insecure service.
NOTES:
Expected Evidence:
1. A list justifying the services running on the servers, especially insecure services such as HTTP, FTP, Telnet, etc., together with the compensating controls applied to each
REFERENCE:
QUESTION 23: Provide configuration scan (i.e. authenticated vulnerability scan) results that evidence the list of ports/services running on in-scope systems (servers and network devices). In the absence of a configuration scan, you may provide the results of running the ControlCase scripts on in-scope systems.
NOTES:
Expected Evidence:
1. Internal Vulnerability Assessment (IVA) scan report
REFERENCE:
QUESTION 24: For POS devices, provide evidence that strong cryptography is implemented. You must use the attached template to provide the data.
NOTES:
Expected Evidence:
1. If POS is in scope: a screenshot showing the POS uses strong cryptography
2. If the POS device is already PCI PTS certified, a screenshot showing the model is listed as certified
REFERENCE:
REQUIREMENT 3

QUESTION 25: Provide the following for covered information:
- defined retention period
- process for secure data deletion based on the retention period
- records that evidence the process was followed
NOTES:
Expected Evidence:
1. Data retention & deletion policy document
2. CHD matrix
REFERENCE:
QUESTION 26: Provide results showing that card data was searched for in all applicable assets. These can be a combination of process interviews, manual reviews of logs/transaction files and automated scans, as long as they cover PAN, track data, CVV and PIN in all locations both inside and outside the cardholder data environment (CDE).
NOTES:
Expected Evidence:
1. Clean card data discovery scan results
REFERENCE:
QUESTION 27: Provide the following for all physical media and applications:
- All screenshots where cardholder data is displayed
- Business justification where the full PAN is displayed
NOTES:
Expected Evidence:
1. Screenshots of every place where card data is displayed in clear text
2. Justification for displaying the card data
REFERENCE:
QUESTION 28: Provide the following for all file systems, databases and backup media:
- Details of the method (encryption, hashing, truncation, tokenisation) used to protect covered information in storage
- Evidence (screenshots or settings) showing covered information is protected
NOTES:
Expected Evidence:
1. The methodology by which the client implements encryption, truncation or tokenisation
2. Screenshots showing the number has been encrypted, truncated or tokenised
3. Screenshots showing the algorithm in use (e.g. AES, 3DES, RSA) and key strength (e.g. 128/256/2048 bits). Also describe the process (e.g. program, HSM) used to generate the key
4. If keys are distributed, describe how key distribution is done
5. Describe how secure cryptographic key storage is done and provide screenshots of the locations where the key-encrypting key (KEK) and data-encrypting key (DEK) are stored
6. Show with screenshots who has access to the DEK and the KEK
REFERENCE:
REQUIREMENT 4

QUESTION 29: Provide evidence of encryption being used for transmission of in-scope data over any open or public communication channel (i.e. Internet, wireless network, GSM, GPRS, VSAT technology, etc.). Encryption must conform to strong industry standards.
NOTES:
Expected Evidence:
1. If data is sent via the Internet: show that strong cryptography is used, e.g. HTTPS or a VPN. Note that SSL and early TLS no longer count as strong cryptography under PCI DSS 3.1 and later; the evidence should show TLS 1.1 or higher (preferably TLS 1.2) with strong cipher suites
2. If no data is sent via the Internet: Not Applicable
REFERENCE:
QUESTION 30: Provide evidence of encryption being used for transmission of in-scope data over end-user messaging technologies such as e-mail, chat and SMS. Encryption must conform to strong industry standards.
NOTES:
Expected Evidence:
1. If data is sent via SMS or a messaging app: show that a secure method is used (e.g. encrypted e-mail or an encrypted messaging channel)
2. If no data is sent via SMS or messaging: Not Applicable
REFERENCE: (No client has this at the moment)
REQUIREMENT 5

QUESTION 31: For the selected sample, provide evidence of antivirus software, including:
- running in active mode
- antivirus version
- signature version
- evidence that the user cannot disable or alter the antivirus settings
NOTES:
Expected Evidence:
1. Screenshots from the antivirus agent on ALL sampled servers showing each of the points above
REFERENCE:
QUESTION 32: Provide antivirus server management console screenshots showing the following:
- Signature update frequency
- Periodic scan frequency
- Signature version
- Log storage for 3 months online and a further 9 months offline
- Three summary scan run reports from the year
NOTES:
Expected Evidence:
1. Screenshots from the antivirus server console showing each of the points above
REFERENCE:
REQUIREMENT 6

QUESTION 33: Provide evidence that security alerts or threat notifications are analysed against the asset/application inventory and that a risk-ranking process is applied to the alerts.
NOTES:
Expected Evidence:
1. A documented risk methodology showing that ANY incident or alert is mapped to a risk ranking based on industry practice
REFERENCE:
QUESTION 34: Provide evidence of:
- Current patch levels
- Patches being deployed in a timely manner
NOTES:
Expected Evidence:
1. Screenshots from firewalls, IDS, switches, servers, AV, databases and applications showing that patches are kept current
2. The patching process, including schedule and frequency
REFERENCE:
QUESTION 35: Provide the secure software development process document, in accordance with industry best practice.
NOTES:
Expected Evidence:
1. A document describing the client's SDLC procedures
REFERENCE:
QUESTION 36: Provide a system-generated list of users on all applications that store, process or transmit covered information.
NOTES:
Expected Evidence:
1. A screenshot of the application's user list showing the user IDs
REFERENCE:
QUESTION 37: Provide a recent secure code review report for an application that stores, processes or transmits covered information.
NOTES:
Expected Evidence:
1. An annual code review report confirming the application is free of web application vulnerabilities, particularly the OWASP Top 10
REFERENCE:
QUESTION 38: Provide evidence showing that higher environments (i.e. production) are logically separated from lower environments (such as test/development).
NOTES:
Expected Evidence:
1. A document or screenshot showing that the development and test environments are logically separated from production
REFERENCE:
QUESTION 39: Provide evidence that there is segregation of duties between users having access to higher (production) and lower (test/development) environments.
NOTES:
Expected Evidence:
1. A document or screenshot showing segregation of duties between developers/testers and production operations
2. If a user holds both roles, ensure the username used for development and the one used for production are each unique to their environment, e.g. teo_dev is used only in development and teo_prod or teo_dba only in production
REFERENCE:
QUESTION 40: Provide a document that outlines:
- the process for generating test data to be used in lower (test/development) environments
- the process for removing test data and test accounts prior to moving the system to the higher (production) environment
NOTES:
Expected Evidence:
1. A process document describing how the client generates test card data and how it is removed before the system goes to production
REFERENCE:
QUESTION 41: Provide 4 sample change requests (2 for software modification and 2 for security patch implementation) from the last 6 months.
NOTES:
Expected Evidence:
1. Sample change request forms for:
   a. Software modification (2)
   b. Patch implementation / change to servers (2)
REFERENCE:
QUESTION 42: Provide the following from a secure code training perspective:
- Material used for training
- Attendee list showing that all developers are covered
NOTES:
Expected Evidence:
1. The secure coding training module most recently delivered
2. The secure coding training attendance list
REFERENCE:
QUESTION 43 (Optional): Provide evidence that a web application firewall is in place to protect against well-known web-based vulnerabilities (such as the OWASP Top 10).
NOTES:
Expected Evidence:
1. A screenshot showing that a Web Application Firewall (WAF) is deployed in front of the web application
2. A web application penetration test report. Even where a WAF is in place, a web application PT still needs to be conducted to verify that the WAF actually protects the application from external attacks
REFERENCE:
REQUIREMENT 7 & 8

QUESTION 44: Provide the organisational access control policy.
NOTES:
Expected Evidence:
1. A document outlining the policy for user access and privileges. The document must be signed off by management
REFERENCE: (Access Control Policy)
QUESTION 45: Please provide:
- List of users
- Access permissions for those users
- Business justification for the level of access permission
NOTES:
Expected Evidence:
1. A list of users from the servers / Active Directory and the privileges given to each
2. Ensure privileges are granted on a need-to-know, least-privilege basis unless there is a business justification for higher privilege
REFERENCE:
QUESTION 46: Provide two forms/tickets per platform (one for a general user and one for an administrative user) from the last 6 months for:
- User access creation
- User access deletion
- User access modification
NOTES:
Expected Evidence:
1. Sample user forms for creation, deletion and modification. Each scenario needs around 2-3 samples. If there have been no deletions or modifications, 5 creation samples are needed
REFERENCE:
QUESTION 47: Provide three sample user termination forms/tickets that evidence timely removal of logical and physical access upon termination of an employee or contractor.
NOTES:
Expected Evidence:
1. Sample user termination forms and screenshots showing the user has been removed from the environment
REFERENCE:
QUESTION 48: Provide procedures that outline the process for monitoring users inactive for 90 days on all platforms in scope. In addition, provide reports showing inactive users being disabled or removed.
NOTES:
Expected Evidence:
1. Based on the last successful login of each UID, show that users inactive for more than 90 days are disabled or removed from the system
2. On Windows, AD stores a user's last logon time in the lastLogon (Last-Logon) attribute of the user object. That attribute is kept per domain controller and is not replicated, so either query every DC or use the replicated lastLogonTimestamp attribute, bearing in mind it is only refreshed when the stored value is more than 9-14 days old
3. On Linux, run lastlog, which reads /var/log/lastlog and shows the most recent login for every account (including "Never logged in"), or last, which reads /var/log/wtmp. Note that lastb reads /var/log/btmp and lists only failed login attempts, so it cannot be used to demonstrate inactivity
4. If AD is present, capture the users from AD and also any local users present on each server
5. If there is no AD, capture all users permitted to access each server
REFERENCE:
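For the Linux side of the evidence above, the following is an added example (not part of the original document and not a ControlCase or QSA script) that turns lastlog output into the inactive-user report the QSA is asking for. It assumes the lastlog build prints a ctime-style timestamp with a numeric UTC offset, as shadow-utils does; builds that omit the offset need the regex adjusted. The sample output and the review date are constructed for illustration.

```python
"""Inactive-account report from Linux lastlog output (Question 48).

Added example, not part of the original document. Parses the text printed by
`lastlog` (which reads /var/log/lastlog) and flags accounts whose last
successful login is more than 90 days before a fixed reference date.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

NEVER = "**Never logged in**"
# One lastlog line: username, optional port/from columns, then either the
# "never" marker or a ctime-style timestamp with UTC offset (assumed format).
LINE_RE = re.compile(
    r"^(?P<user>\S+)\s+.*?"
    r"(?P<when>\*\*Never logged in\*\*|"
    r"[A-Z][a-z]{2} [A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} [+-]\d{4} \d{4})\s*$"
)


def parse_lastlog(text: str) -> Dict[str, Optional[datetime]]:
    """Map username -> last login time (None for accounts that never logged in)."""
    result: Dict[str, Optional[datetime]] = {}
    for line in text.splitlines():
        if line.startswith("Username"):
            continue  # header row
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real report should record these
        when = m.group("when")
        if when == NEVER:
            result[m.group("user")] = None
        else:
            # Collapse the space-padded day ("Apr  1") before strptime.
            norm = " ".join(when.split())
            result[m.group("user")] = datetime.strptime(norm, "%a %b %d %H:%M:%S %z %Y")
    return result


def inactive_users(text: str, as_of: datetime, max_days: int = 90) -> Dict[str, List[str]]:
    """Classify accounts as active, inactive (> max_days) or never logged in."""
    report: Dict[str, List[str]] = {"active": [], "inactive": [], "never_logged_in": []}
    for user, last in parse_lastlog(text).items():
        if last is None:
            # lastlog cannot tell a brand-new account from a stale one, so
            # never-used accounts must be checked against their creation date.
            report["never_logged_in"].append(user)
        elif (as_of - last) > timedelta(days=max_days):
            report["inactive"].append(user)
        else:
            report["active"].append(user)
    return report


# Constructed sample of what `lastlog` prints on a host in the +0800 zone.
SAMPLE_LASTLOG = """\
Username         Port     From             Latest
root             tty1                      Mon Mar 14 09:12:41 +0800 2016
alice            pts/0    10.1.2.3         Tue Jul 19 08:00:00 +0800 2016
bob              pts/1    10.1.2.9         Fri Apr  1 17:45:03 +0800 2016
svc_backup                                 **Never logged in**
"""
# Constructed review date for the report.
AS_OF = datetime(2016, 8, 2, 23, 59, 59, tzinfo=timezone(timedelta(hours=8)))

if __name__ == "__main__":
    for status, users in inactive_users(SAMPLE_LASTLOG, AS_OF).items():
        print(f"{status}: {', '.join(users) or '-'}")
```

With the constructed sample, root and bob are reported as inactive (141 and 123 days), alice as active, and svc_backup as never logged in. The same report, run on each in-scope server alongside the AD export, plus the tickets showing the flagged accounts were disabled, is the evidence set this question asks for.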
QUESTION 49: Provide an inventory of vendors that are given remote access to your organisation. For each vendor please provide:
- The procedure for providing access only when needed
- Access activity monitoring reports
NOTES:
Expected Evidence:
1. An inventory of all third parties involved in the PCI environment
REFERENCE:
QUESTION 50: For all assets identified in the sample, provide evidence of the logical access account and password settings, including:
- Account lockout threshold
- Account lockout duration
- Session timeout policy
- Password length
- Password complexity
- Password history
- Password expiry
NOTES:
Expected Evidence:
1. If AD is used: a screenshot of the GPO, screenshots showing all servers apply the GPO, and evidence that all network devices authenticate against AD via RADIUS
2. If no AD: screenshots of the password policy from ALL servers and network devices
REFERENCE:
QUESTION 51: Provide evidence that passwords (for platform and/or consumer applications) are protected with strong cryptography during transmission and storage.
NOTES:
Expected Evidence:
1. Screenshots showing that, for every component, passwords are transmitted only over encrypted channels (e.g. TLS, SSH) and are stored salted and hashed or otherwise rendered unreadable, never in clear text
REFERENCE:
QUESTION 52: Provide one sample per platform of a recent password reset request/form for users.
NOTES:
Expected Evidence:
1. Sample password reset forms for access to:
   a. Server (1)
   b. Database (1)
   c. Firewall (1)
REFERENCE:
QUESTION 53: Provide documented procedures for the password change on new user creation or on a password reset, for all platforms in scope.
NOTES:
Expected Evidence:
1. Documentation of how the password change is performed
2. Screenshots showing that the password must be changed at first login and after a reset
REFERENCE:
QUESTION 54: Provide the following related to remote access:
- The procedure for granting remote access, including a description of the two-factor authentication technology used
- The list of internal and external users with remote access
NOTES:
Expected Evidence:
1. The process by which users are granted remote access
2. How the second authentication factor is issued to users
3. The list of users granted remote access
REFERENCE:
QUESTION 55: This is applicable only to service providers with remote access to multiple customers. Provide user lists for up to (but not exceeding) 3 customers to prove that unique credentials are used per customer.
NOTES:
Expected Evidence:
1. If the client has access to merchants, we will need the list of merchants connecting to the client and evidence that each customer has a unique ID
REFERENCE: (we have never encountered a case where a service provider accesses the environment)
QUESTION 56: If authentication mechanisms other than normal passwords are used (for example physical or logical security tokens, smart cards, certificates, etc.), provide the list of users and evidence that each authentication method is assigned to an individual account.
NOTES:
Expected Evidence:
1. Screenshots or other evidence of users with more than one authentication mechanism, such as OTP for MFA
REFERENCE:
QUESTION 57: Provide output screenshots of the current active connections.
NOTES:
Expected Evidence: for each sampled database, provide screenshots of the following (make sure the screenshots clearly show the IP address/hostname and the command used to display the current sessions):
- On Oracle, at the SQL*Plus prompt run: select * from gv$session;
- On Microsoft SQL Server, in SQL Query Analyzer (or SQL Server Management Studio) run: sp_who 'active'
- On Sybase, at the SQL prompt run: sp_who
- For any other database, consult the vendor documentation for the equivalent session listing and provide a screenshot
REFERENCE:
REQUIREMENT 9

QUESTION 58: Provide the following for all physical locations in scope:
- Sample records from the physical access control system (such as a badge system) and/or video cameras showing 90 days of retention
- List of users created on the access control system (such as a badge system) with administrative access
NOTES:
1. Provide the access card badge log for the latest 3 months
2. CCTV log screenshot at the DC; make sure each row in the DC is covered by CCTV
3. Screenshot of the users in the badge access control system and the system version
4. Make sure there is no generic username such as ADMIN or ADMINISTRATOR; usernames must be unique to an individual
REFERENCE:
QUESTION 59: Please provide two samples each of user access creation and deletion forms/tickets from the last 6 months that evidence:
- physical access to the sensitive area is authorised and allocated according to the individual's job function
- timely removal of physical access upon termination of the user
NOTES:
- samples of physical access creation
- samples of physical access deletion
REFERENCE:
QUESTION 60: Provide sample records or scanned copies of the visitor log (for a 90-day period) for the facility / network rooms / data centres, containing:
- The visitor's name
- The date and time
- The firm represented
- The onsite personnel authorising physical access
NOTES:
1. Either hard copy or soft copy
2. Make sure it covers the latest 3 months
REFERENCE:
QUESTION 61: Provide a policy that outlines the following:
- visitors can be distinguished from onsite personnel (employees)
- visitors are escorted during access to sensitive areas
- visitor badges are returned upon departure
NOTES:
Physical access control policy or physical security policy; make sure the three points above are included in the document.

QUESTION 62: This question is applicable only if physical media is used for backups of covered information and stored offsite. Provide evidence that a physical security review of the backup facility has been performed.
NOTES:
1. Please provide the backup log
2. Annual physical review of the media storage facility
REFERENCE:
-Sample report-
QUESTION 63: This question is applicable only if physical media is used to store covered information. Provide the following:
- Full media inventory
- Sample of 5 inbound and outbound media movement records (including date/time of movement, approver name, delivery method) from the last 6 months
NOTES:
1. Please provide the tape movement (in and out) records
Sample template
QUESTION 64: Provide the physical media destruction procedure and a sample of media destruction records from within the last year.
NOTES:
1. Please provide the data retention and disposal policy
REFERENCE: - Full report can be reviewed in the shared folder -
QUESTION 65: Provide an up-to-date list of point-of-sale devices (card-reading devices and terminals) including:
- Make and model of the device
- Location of the device (for example, the address of the site or facility where the device is located)
- Device serial number or other method of unique identification
NOTES:
REFERENCE:
QUESTION 66: For POS devices, provide:
- documented procedures that outline the process for inspecting devices for tampering
- material used for training personnel to perform the inspection
- records showing that personnel have been trained
- a sample of 3 records from different retail locations showing the inspection schedule
NOTES:
1. Q66.Sample_POS_inspection_training_material
REFERENCE:
REQUIREMENT 10

QUESTION 67: Please wait on providing this information until the assessor provides you with a sample after Phase I. For the sample, provide the audit log policy settings. You may use the attached template or provide the required information in an alternative format.
NOTES:
Please ensure that audit logging is configured to send all logs required by PCI DSS for every server, network device, application and database.
REFERENCE:
For Linux: (screenshot)
For Windows: (screenshot)

Sample 1: AIX
Sample 2: Checkpoint firewall
Sample 3: Cisco ACS
Sample 4: Cisco devices
Sample 5: Fortigate firewall
Sample 6: Juniper firewall
Sample 7: Linux Red Hat
Sample 8: Oracle
Sample 9: Sophos firewall
Sample 10: Windows
QUESTION 68: Please wait on providing this information until the assessor provides you with a sample after Phase I. Provide actual event logs for each of the platforms identified in the sample.
NOTES:
Each of these scenarios requires a screenshot:
- All individual access to cardholder data
- All actions taken by any individual with root or administrative privileges
- Access to all audit trails
- Use of identification and authentication mechanisms
- All elevation of privileges
- All changes, additions or deletions to any account with root or administrative privileges
- Initialisation of audit logs
- Stopping or pausing of audit logs
- Creation and deletion of system-level objects
Note: the sample audit log entries above should show the user ID, date & time, type of event, success or failure indication, and the source and target system IP address & hostname.
REFERENCE:
QUESTION 69: Provide the following NTP evidence to show that all devices carry a common timestamp in their logs:
- The device used as the central NTP server, along with the NTP version number
- Settings/screenshots showing synchronisation between the NTP server and an external time source
- The access control list for the NTP server
You must use the attached template to provide the data.
NOTES:
1. The NTP version in use (the current version is NTPv4)
2. The configuration of the primary (central) NTP server
3. The configuration of the secondary (internal) NTP server
4. Ensure that all servers take their time from the internal (secondary) NTP servers rather than directly from external sources
5. Ensure that time is kept in a standard time zone, either GMT or UTC
Central NTP:
1. Central NTP configuration. <Paste screenshot here>
2. Central NTP version. <Paste screenshot here>
3. List of users created on the central NTP server. <Paste screenshot here>
Provide the NTP configuration for every flavour of the following servers and network devices:
1. Firewall (Cisco, Juniper, Nokia, Checkpoint, SonicWALL, F-Secure, etc.)
2. Server (Linux, Windows, Solaris, AIX, Red Hat, etc.)
3. Switch
4. Router
5. IDS/IPS
6. Load balancer
7. Desktops (if applicable)
REFERENCE:
QUESTION 70 Provide evidence of the following on the central syslog server:
- Access list of users with permission type (i.e. read only/modify) and business justification
- Evidence of archived logs being protected by FIM
NOTES CAAS
REFERENCE RSA:
QUESTION 71 Provide:
- One daily log review report/ for every sample.
- Evidence of follow-up to the event
- Evidence of log retention for 12 months
You must use the attached template to provide us the data.
NOTES
1. At least 3 sample reports/ of daily log review
2. /Follow-up to events
3. Screenshot showing logs stored for 12 months with the DATE clearly visible.
REFERENCE
- Full report can be reviewed in the shared folder -
REQUIREMENT 11
QUESTION 72 Provide quarterly wireless analyzer reports along with details of the authorized/unauthorized nature of each access point. The attached template is provided as a sample.
NOTES Wireless scan report every quarter
REFERENCE
QUESTION 73 Provide one sample incident response report in response to a rogue access point detection.
REFERENCE
QUESTION 74 Provide quarterly internal vulnerability/configuration assessment reports for the last 4 quarters.
NOTES Each quarter's report should contain at least the following:
1. List of IPs scanned in each quarterly scan.
2. Date the scan started.
3. Tester's name.
4. Methodology used for testing.
REFERENCE Internal vulnerability scan report
QUESTION 75 Provide quarterly external vulnerability/ASV scan reports for the last 4 quarters. You must use the attached template to provide us the data.
NOTES Reports should contain at least the following:
1. List of IPs scanned in each quarterly scan.
2. Date the scan started.
3. Tester's name.
4. Methodology used for testing.
REFERENCE ASV report
QUESTION 76 Provide the documented methodology being used for penetration testing. You must use the attached template to provide us the data.
REFERENCE
QUESTION 77 Provide the external penetration test report. You must use the attached template to provide us the data.
NOTES Reports should contain at least the following:
1. List of IPs scanned.
2. Date the scan started.
3. Tester's name.
4. Methodology used for testing.
REFERENCE External PT report
QUESTION 78 Provide the internal penetration test report. You must use the attached template to provide us the data.
NOTES Reports should contain at least the following:
1. List of IPs scanned.
2. Date the scan started.
3. Tester's name.
4. Methodology used for testing.
REFERENCE Internal PT report
QUESTION 79 Provide segmentation test results.
NOTES Reports should contain at least the following:
1. List of IPs/VLANs not in scope.
2. List of IPs/VLANs in scope and scanned.
3. Date the scan started.
4. Tester's name.
5. Methodology used for testing.
REFERENCE Refer to the Segmentation PT report
QUESTION 80 Provide evidence of the following from all IDS/IPS implemented:
- Location on network
- Version number
- Signatures
- Alerting s
- Follow-up to alerts
NOTES Provide evidence of the following from all IDS/IPS implemented:
- Location on network (must monitor the external as well as the internal network)
- Version number
- Signatures
- Alerting s (at least 3 samples)
- Follow-up to alerts (at least 3 samples)
REFERENCE
QUESTION 81 Provide the following evidence for the sample:
- FIM version installed
- Files being monitored by FIM
- Alerting s
- Follow-up to alerts
You must use the attached template to provide us the data.
NOTES
- FIM version installed
- Files being monitored by FIM
- Alerting s (at least 3 samples /report)
- Follow-up to alerts (at least 3 samples /report)
REFERENCE
REQUIREMENT 12
QUESTION 82 Provide annual user information security policy acknowledgement records for:
- Existing employees (5 sample records)
- Recent new joiners (5 sample records)
- Vendors, contractors (at least 1 sample record)
NOTES
1. Make sure it is signed by existing employees and new joiners annually
REFERENCE
QUESTION 83 Provide:
- All organizational information security policies and procedures
- Evidence showing those are reviewed and updated on an annual basis.
The attached template is provided as a sample.
NOTES
1. Policy must be updated
2. Approval/sign-off
REFERENCE Information security policy
QUESTION 84 Provide your risk assessment methodology, risk acceptance criteria, formalized risk assessment report, risk treatment plan and a statement of applicability (can be based on OCTAVE, ISO and NIST SP guidelines).
REFERENCE Risk management policy; Risk report details
QUESTION 85 If remote access to the organization's network is allowed, provide a configuration screenshot for the remote access technology (such as remote VPN) showing the session time-out defined after a specific period of inactivity.
REFERENCE Palo Alto; Juniper; Cisco ASDM
QUESTION 86 Provide a policy which requires the following for users accessing covered information remotely:
- Prohibit copying, moving, or storing of covered information onto local hard drives and removable electronic media unless a valid business justification exists
- In case of a business justification, provide evidence that the target hard drives or electronic media are adequately protected
NOTES
1. Remote access policy
QUESTION 87 Provide an organization chart (or equivalent documentation) which clearly outlines the information security roles and responsibilities for all personnel. In addition, provide the following records in support of the assigned security responsibilities:
- Recent information security policy review/approval record
- Information security policy communication to all users
- Any security alert communication to affected parties
REFERENCE
QUESTION 88 Provide the information security awareness material used for user training. In addition, provide 5 sample training attendance records from the last one-year period for:
- Existing employees
- Recent hires
- Contractors
The attached template is provided as a sample.
NOTES
1. Security awareness training - i.e. PCI training, ISO training
2. Attendance list for new joiners and existing staff - must be signed
3. Conducted yearly
REFERENCE PPT slide; Awareness received status
QUESTION 89 Provide a sample of 10 employee background check records from last year. The attached template is provided as a sample.
NOTES
1. Background check must be conducted, i.e. check with the previous employer
REFERENCE
QUESTION 90 Provide the list of third-party service providers as per the following criteria:
- All third-party service providers used by the assessed entity to store, process, or transmit covered information on its behalf for business purposes
- All third-party service providers used by the assessed entity to manage components such as routers, firewalls, databases, physical security, and/or servers.
NOTES
REFERENCE Non-Disclosure Agreement; PCI DSS COC expiry; Declaration - Third Party Management
QUESTION 91 For all identified in-scope third-party service providers, provide the following:
- Current service agreement which covers the third party's security responsibilities for handling covered information
- Current compliance status against applicable regulations/data security standards
- List of security requirements which are managed by each third-party service provider on your behalf
REFERENCE Service Agreement and Certificate of Compliance
QUESTION 92 Provide the documented process followed to perform due diligence before a new third-party service provider engagement. In addition, provide a sample due diligence report for any recently contracted third-party service provider.
REFERENCE Declaration - Third Party Management; Non-Disclosure Agreement; Q92. Sample Due Diligence for Service Providers; Q92. Sample Third Party Management Policy
QUESTION 93 This question applies only to service providers. Provide a sample written acknowledgement that outlines that you are responsible for the security of your customers' data.
REFERENCE Non-Disclosure Agreement; PCI DSS compliance; Declaration - Third Party Management
QUESTION 94 Provide the organization's Incident Response Plan. In addition, provide one of the following as evidence to confirm that the documented incident response procedure was followed:
1. Annual Incident Response Plan test report, OR
2. Sample report for one recently reported security incident
NOTES
1. Training agenda
2. Incident response plan
3. Incident response plan test
4. Incident plan training attendance list
REFERENCE IncidentResponse; InfoSecurity_incident_rpt
Security Incident Report Form
Ticket Number; Date of Report
Incident Detector's Information: Date and Time Detected; Employee ID; Employee Name; Business unit; Phone number
Involved Staff's Information: Involved staff Name 1; Involved staff Name 2
Security Incident Information: Security Incident Description; Security Incident Detail
Impact Assessment: Type of Incident; Security Impact Information
Resolution Information: Identify the corrective action, action owner, and next action; Resolution By; Resolution Date; Resolution Detail
Root Cause and Lessons Learnt: Root Cause; Lessons learnt / Preventive Actions
Manager's signature with date; CISO signature with date
QUESTION 95 Provide incident handling training records for the team with security breach response responsibilities.
REFERENCE Sample Training Records: Incident Handling Training Records
Sr No. | Name of the Employee | Date of Training | Signature | Comment
1 | Ram | March 31st 2016 | <Signature> |
2 | Shyam | March 31st 2016 | <Signature> |
3 | Krishna | March 31st 2016 | <Signature> |
4 | | | |
More information01.0 Policy Responsibilities and Oversight
Number 1.0 Policy Owner Information Security and Technology Policy Policy Responsibility & Oversight Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 1. Policy Responsibilities
More informationEducation Network Security
Education Network Security RECOMMENDATIONS CHECKLIST Learn INSTITUTE Education Network Security Recommendations Checklist This checklist is designed to assist in a quick review of your K-12 district or
More informationVoltage SecureData Mobile PCI DSS Technical Assessment
White Paper Security Voltage SecureData Mobile PCI DSS Technical Assessment Prepared for Micro Focus Data Security by Tim Winston, PCI/P2PE Practice Director, Coalfire Systems, Inc., June 2016 Table of
More informationAUTHORITY FOR ELECTRICITY REGULATION
SULTANATE OF OMAN AUTHORITY FOR ELECTRICITY REGULATION SCADA AND DCS CYBER SECURITY STANDARD FIRST EDITION AUGUST 2015 i Contents 1. Introduction... 1 2. Definitions... 1 3. Baseline Mandatory Requirements...
More informationPayment Card Industry (PCI) Data Security Standard
Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.2.1 June 2018 Section 1: Assessment Information Instructions for Submission
More informationRAPID7 INFORMATION SECURITY. An Overview of Rapid7 s Internal Security Practices and Procedures
RAPID7 INFORMATION SECURITY An Overview of Rapid7 s Internal Security Practices and Procedures 060418 TABLE OF CONTENTS Overview...3 Compliance...4 Organizational...6 Infrastructure & Endpoint Security...8
More informationPCI DSS 3.2 COMPLIANCE WITH TRIPWIRE SOLUTIONS
CONFIDENCE: SECURED WHITE PAPER PCI DSS 3.2 COMPLIANCE WITH TRIPWIRE SOLUTIONS TRIPWIRE ENTERPRISE TRIPWIRE LOG CENTER TRIPWIRE IP360 TRIPWIRE PURECLOUD A UL TRANSACTION SECURITY (QSA) AND TRIPWIRE WHITE
More informationRural Computer Consultants
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Rural Computer Consultants PCI 2-12-15 All other Merchants Version : 2.0 page 1 Part
More informationApplication Control Review. August 4, 2012
Application Control Review August 4, 2012 Application Controls Review - Scope Web security Access Controls Password Controls Service Level Agreement Database Access Controls Perimeter Security Controls
More informationPCI DSS 3.2 Responsibility Summary
PCI DSS 3.2 Responsibility Summary July 2018 BACKGROUND & PURPOSE The security of cardholder data and how it is displayed, transmitted, stored or otherwise used by Neto and Merchants is of utmost importance.
More informationSolution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites
Solution Pack Managed Services Virtual Private Cloud Security Features Selections and Prerequisites Subject Governing Agreement DXC Services Requirements Agreement between DXC and Customer including DXC
More informationSection 1: Assessment Information
Section 1: Assessment Information Instructions for Submission This document must be completed as a declaration of the results of the merchant s self-assessment with the Payment Card Industry Data Security
More informationCIS Controls Measures and Metrics for Version 7
Level One Level Two Level Three Level Four Level Five Level Six 1.1 Utilize an Active Discovery Tool Utilize an active discovery tool to identify devices connected to the organization's network and update
More informationPage 1 of 15. Applicability. Compatibility EACMS PACS. Version 5. Version 3 PCA EAP. ERC NO ERC Low Impact BES. ERC Medium Impact BES
002 5 R1. Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3: i. Control Centers and backup Control Centers; ii. Transmission
More informationCOMPLIANCE BRIEF: HOW VARONIS HELPS WITH PCI DSS 3.1
COMPLIANCE BRIEF: HOW VARONIS HELPS WITH OVERVIEW The Payment Card Industry Data Security Standard (PCI-DSS) 3.1 is a set of regulations that govern how firms that process credit card and other similar
More information