Qualified Integrators and Resellers (QIR) TM. QIR Implementation Statement, v2.0

Similar documents
Payment Card Industry (PCI) Qualified Integrator and Reseller (QIR)

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard

Data Security Standard

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry - Data Security Standard (PCI-DSS) v3.2 Systems Security Standard

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard

Section 1: Assessment Information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard

Section 1: Assessment Information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard

Google Cloud Platform: Customer Responsibility Matrix. April 2017

Google Cloud Platform: Customer Responsibility Matrix. December 2018

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Merchants

SAQ A AOC v3.2 Faria Systems LLC

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers

Payment Card Industry Internal Security Assessor: Quick Reference V1.0

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version to 2.0

Ready Theatre Systems RTS POS

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B-IP and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C-VT and Attestation of Compliance

Self-Assessment Questionnaire A

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Merchants

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire P2PE and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers

Payment Card Industry (PCI) Data Security Standard

PCI DSS Compliance. Verba SOLUTION GUIDE. Introduction. Verba and the Payment Card Industry Data Security Standard

PCI PA-DSS Implementation Guide Onslip PAYAPP V2.1.x for Onslip S80, Onslip S90

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Merchants

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Merchants

Implementation Guide paypoint version 5.08.xx, 5.11.xx, 5.13.xx, 5.14.xx, 5.15.xx

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire P2PE and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance

Summary of Changes from PA-DSS Version 2.0 to 3.0

Instructions: SAQ-D for Merchants Using Shift4 s True P2PE

University of Maine System Payment Card Industry Data Security Standard (PCI DSS) Guide for Completing Self Assessment Questionnaire (SAQ) SAQ C

PCI PA-DSS Implementation Guide Onslip PAYAPP V2.0 for Onslip S80, Onslip S90

Attestation of Compliance for Onsite Assessments Service Providers

Stripe Terminal Implementation Guide

Payment Card Industry Data Security Standard (PCI-DSS) Implementation Guide For XERA POS Version 1

PCI DSS 3.2 AWARENESS NOVEMBER 2017

Data Security Standard

Payment Card Industry (PCI) Point-to-Point Encryption. Template for Report on Validation for use with P2PE v2.0 (Revision 1.1) for P2PE Solution

Advanced Certifications PA-DSS and P2PE. Erik Winkler, VP, ControlCase

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance

Section 3.9 PCI DSS Information Security Policy Issued: November 2017 Replaces: June 2016

Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard

QuickSale for QuickBooks Version 2.2.*.* Secure Payment Solutions Client Implementation Document PA-DSS 3.2 Last Revision: 03/14/2017

University of Sunderland Business Assurance PCI Security Policy

Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.0

Payment Card Industry (PCI) Data Security Standard Payment Application Data Security. Template for Report on Validation for use with PA-DSS v3.

Total Security Management PCI DSS Compliance Guide

Enforcing PCI Data Security Standard Compliance Marco Misitano, CISSP, CISA, CISM Business Development Manager Security Cisco Italy

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire P2PE-HW and Attestation of Compliance

PA-DSS Implementation Guide

CN!Express CX-6000 Single User Version PCI Compliance Status Version June 2005

PCI PA - DSS. Point Vx Implementation Guide. Version For VeriFone Vx520, Vx680, Vx820 terminals using the Point Vx Payment Core (Point VxPC)

Implementation Guide paypoint v5.08.x, 5.11.x, 5.12.x, 5.13.x and 5.14.x

INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.1 SUCCESS AKAMAI SOLUTIONS BRIEF INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.

Daxko s PCI DSS Responsibilities

Point PA-DSS. Implementation Guide. Banksys Yomani VeriFone & PAX VPFIPA0201

Payment Card Industry Data Security Standard Self-Assessment Questionnaire C Guide

Self-Assessment Questionnaire A

Segmentation, Compensating Controls and P2PE Summary

Point ipos Implementation Guide. Hypercom P2100 using the Point ipos Payment Core Hypercom H2210/K1200 using the Point ipos Payment Core

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Report on Compliance. PCI DSS v3.2.1 Template for Report on Compliance. Revision 1.

Sage Payment Solutions

Payment Card Industry (PCI) Data Security Standard Payment Application Data Security. Template for Report on Validation for use with PA-DSS v3.

PA-DSS Implementation Guide for Sage MAS 90 and 200 ERP. and Sage MAS 90 and 200 Extended Enterprise Suite

PCI PA-DSS Implementation Guide

Transcription:

Qualified Integrators and Resellers (QIR) TM Implementation Statement For each Qualified Installation performed, the QIR Employee must complete this document and confirm whether the Validated Payment Application was installed and configured in accordance with the PA-DSS Implementation Guide and in a manner that supports compliance with PCI DSS. A copy of this QIR Implementation Statement must be delivered to the customer no later than ten (10) business days after completion of the Qualified Installation, and a copy must be retained by the QIR Company with their work papers. Note: The customer may request the QIR Company to complete work beyond that required to install the payment application and that is outside the scope of the QIR Program. Any such work does not form part of the Qualified Installation. The QIR Company must adhere to the requirements defined in the QIR Qualification Requirements and QIR Program Guide for all Qualified Installations. Part 1: Implementation Statement Summary Customer Details Company Name: Customer Company Name Contact Name: Job Title: E-mail: Telephone: Business Address: City: State/Province: Country: Postal Code: URL: QIR Details QIR Company Name: QIR Primary Contact: Job Title: E-mail: Telephone: Business Address: City: State/Province: Country: Postal Code: URL: PA-DSS Validated Payment Application PCI SSC Listing Number: Payment Application Vendor: Payment Application Name: Application Version Number: QIR Implementation Statement, v2.0 2012-2014 PCI Security Standards Council, LLC November 2014 Page 1

Details of Qualified Installation Type of Qualified Installation Address of customer location(s) where application was installed: Type of systems application installed on Number of systems installed New Installation Upgrade to existing Installation Date Installed Confirmation of Implementation Approach This Implementation Statement confirms that: The validated payment application was installed in accordance with the PA-DSS Implementation Guide. (Yes/No) Yes No Yes No If No, please provide a brief explanation: The validated payment application was installed and in a manner that supports compliance with PCI DSS. (Yes/No) If No, reasons must be documented in Part 3. QIR Acceptance of Implementation Statement By accepting this Implementation Statement, Lead QIR Name validated payment application identified above, as of Date asserts the following for the : performed this installation in accordance with the requirements defined Lead QIR Name in the QIR Qualification Requirements, QIR Program Guide, and QIR Implementation Instructions. All information within this Implementation Statement represents the results of the implementation fairly and accurately in all material respects. has advised Customer Company Name of any potential Lead QIR Name compliance issues identified during the implementation, as documented in Part 3 of this Implementation Statement. Lead QIR Employee Signature: Lead QIR Employee Name: Lead QIR Name Date: QIR Peer Review Employee Signature: QIR Peer Review Employee Name: Date: Customer Acceptance of Implementation Statement Based on this Implementation Statement, Customer Company Name validated payment application identified above, as of Date asserts the following for the (each item to be confirmed): Customer Company Name accepts the Implementation Result documented above for implementation of the validated payment application implementation. Customer Company Name has read and understands all potential compliance issues identified in Part 3 of this Implementation Statement. Customer Company Name understands they are responsible for maintaining their PCI DSS compliance and that that any changes to the payment application or underlying systems should be made in accordance with PCI DSS Requirements. Customer Contact Signature: Customer Contact Name: QIR Implementation Statement, v2.0 2012-2014 PCI Security Standards Council, LLC Date: November 2014 Page 2

Part 2: Implementation Statement Details PA-DSS Implementation Guide and Training Materials Used Date and version of the PA-DSS Implementation Guide used during the installation of the payment application: Details of payment application training materials reviewed prior to the installation (including document name, version, date): QIR Access 1. Are all QIR personnel using unique accounts and passwords for each customer location? Yes. All QIR Company personnel are using unique accounts and passwords for each customer location. 2. Is the customer aware of all accounts set up by or used for QIR personnel access, and have instructions been provided on how to change the passwords and disable or remove those accounts? Yes. The customer is aware of all accounts set up by the QIR or used for QIR access, and instructions have been provided on how to change the passwords and disable those accounts. Remote Access 3. Is the customer aware that any remote access into their network must be configured as follows: Remote access to the payment application requires two-factor authentication? Yes. The customer is aware that remote access requires two-factor authentication. Remote access must be activated only when needed, monitored when in use, and immediately deactivated after use? Yes. The customer is aware that remote access must be activated only when needed, monitored when in use, and immediately deactivated after use. Remote access must be implemented securely? Yes. The customer is aware that remote access must be implemented securely. 2012-2014 PCI Security Standards Council, LLC Page 3

4. Will any QIR personnel access the customer site remotely or configure remote access on behalf of the customer? Yes. QIR personnel will access the customer site remotely and/or configure remote access to the customer site: Is remote access implemented to require two-factor authentication? Yes. Remote access was implemented to require two-factor authentication. Is remote access to the customer network activated only when needed, monitored while in use, and immediately deactivated after use? Yes. Remote access to the customer network is activated only when needed, monitored while in use, and deactivated immediately after use. Is remote access to the customer network implemented securely? Yes. Remote access to the customer network is implemented securely. No. The QIR will not access the customer site remotely and will not configure remote access on behalf of the customer. Network Configuration 5. Are any external connections required by the payment application? Yes. The payment application requires external connections: Is the customer aware of all connections required by the payment application? Yes. The customer is aware of all external connections required by the payment application. Is the customer aware they must use a firewall that allows only required ports on both inbound and outbound connections? Yes. The customer is aware they must use a firewall that allows only required ports on both inbound and outbound connections. Is the customer is aware that external connections to/from the payment application should only be permitted to specific (known) IP addresses? Yes. The customer is aware that external connections to/from the payment application should only be permitted to specific (known) IP addresses. 2012-2014 PCI Security Standards Council, LLC Page 4

Is the customer aware they should enable logging on the firewall? Yes. The customer is aware they should enable logging on the firewall. No. No external connections are required by the payment application. Sensitive Authentication Data (SAD) 6. Is the application configured to ensure that sensitive authentication data (including full track data, card verification codes/values and PIN or PIN block) is not stored after authorization, even if encrypted? Yes. The application is configured to ensure SAD is not stored after authorization. Troubleshooting and Maintenance 7. Does the QIR provide services to the customer that could potentially result in the collection of cardholder data and/or sensitive authentication data (for example, for troubleshooting or debugging purposes)? Yes. The QIR provides services to the customer that could potentially result in the collection of cardholder data and/or sensitive authentication data. Is sensitive authentication data collected only when needed and collection limited to only the amount needed to solve a specific problem? Yes. SAD is collected only when needed and collection limited to only the amount needed to solve a specific problem. Is sensitive authentication data stored encrypted in a secure location with limited access? Yes. SAD is stored encrypted in a secure location with limited access. Is sensitive authentication data securely deleted immediately after use? Yes. SAD is securely deleted immediately after use Is PAN rendered unreadable when stored? Yes. PAN is rendered unreadable when stored. No. The QIR does not provide any service to the customer that could result in collection of cardholder data and/or sensitive authentication data. 2012-2014 PCI Security Standards Council, LLC Page 5

Protection of Cardholder Data 8. Does the application store cardholder data? Yes. The application does store cardholder data. Is PAN rendered unreadable anywhere it is stored? Yes. PAN is rendered unreadable anywhere it is stored. Is the customer aware they must securely manage all cryptographic keys? Yes. The customer has been advised to securely manage all cryptographic keys. Is the customer aware they must not store cardholder data on Internet-accessible systems? Yes. The customer has been advised not to store cardholder data on Internet-accessible systems. No. The application does not store cardholder data. 9. Is the customer aware that cardholder data must be protected with strong cryptography if sent over public networks or end-user messaging technologies? Yes. The customer has been advised not to store cardholder data on Internet-accessible systems. 10. Is the customer aware that, if available, encryption of cardholder data transmissions from the customer to back-end processors and/or acquirer is recommended, even for private connections? Yes. The customer is aware that, if available, encryption of cardholder data transmissions from the customer to back-end processors and/or acquirer is recommended, even for private connections. 11. Is the customer aware that any non-console administrative access to systems in their CDE, including payment application must be secured? Yes. The customer is aware that any non-console administrative access to the payment application must be secured. 2012-2014 PCI Security Standards Council, LLC Page 6

Accounts and Passwords 12. Have all passwords been changed for all payment application default accounts, and have unnecessary default accounts been removed or disabled (including all user and administrative accounts used by operating systems, software that provides security services, application and system accounts, POS terminals, etc. installed by the QIR Company)? Yes. All passwords have been changed for all payment application default accounts, and unnecessary default accounts have been removed or disabled (including all user and administrative accounts used by operating systems, software that provides security services, application and system accounts, POS terminals, etc. installed by the QIR Company). 13. Is strong authentication configured for all application administrative accounts and for all application accounts with access to cardholder data? Yes. Strong authentication was configured for all application administrative accounts and for all application accounts with access to CHD. 14. Is the customer aware that all access to systems containing cardholder data (such as PCs, servers, and databases) should use unique user IDs and strong authentication? Yes. The customer is aware that all access to systems containing CHD should use unique accounts and strong authentication. 15. Is the customer aware that, for all accounts used by operating systems, security software, application systems, POS terminals, etc.: a. All vendor-supplied defaults should be changed, and b. All unnecessary default accounts should be removed or disabled? Logging Yes. The customer is aware that, for all accounts used by operating systems, security software, application systems, POS terminals, etc., all vendor-supplied defaults should be changed, and all unnecessary default accounts should be removed or disabled. 16. Is payment application logging enabled? Yes. Payment application logging is enabled. 17. Is the customer aware that logs should not be disabled and doing so will result in non-compliance with PCI DSS? Yes. The customer is aware that logs should not be disabled and doing so will result in non-compliance with PCI DSS. 2012-2014 PCI Security Standards Council, LLC Page 7

Wireless 18. Does the payment application use wireless technology? Patching Yes. The payment application uses wireless technology. Is the customer aware that all wireless vendor defaults must be changed? Yes. The customer is aware that all wireless vendor defaults must be changed. Is the customer aware they must install and properly configure a firewall between any wireless networks and systems in the cardholder data environment? Yes. The customer is aware they must install and properly configure a firewall between any wireless networks and systems in the CDE. Is the customer aware they must implement strong encryption for authentication and transmission of cardholder data over wireless networks? Yes. The customer is aware they must implement strong encryption for authentication and transmission of cardholder data over wireless networks. No. The payment application does not use wireless technology 19. Have the latest vendor-supplied security patches and updates been applied to all software installed by the QIR Employee, including the payment application? Yes. The latest vendor-supplied security patches and updates have been applied to all software installed by the QIR Employee, including the payment application. 20. Is the customer aware that vendor-supplied security patches and updates must be applied to the payment application and any underlying software or systems? Yes. The customer is aware that vendor-supplied security patches and updates must be applied to the payment application and any underlying software or systems. 2012-2014 PCI Security Standards Council, LLC Page 8

Part 3: QIR Employee Additional Observations The QIR Employee must use this section to: Explain all items identified in Part 2 as No Details provided in Part 3 ; and Document any observations or details they feel the customer should be aware of, including any potential compliance issues the QIR Employee is aware of in the customer environment. Observation # Observation Details Applicable Subject and Question Number from Part 2 Potential PCI DSS compliance issue? Yes No PCI DSS Reference (if applicable) 2012-2014 PCI Security Standards Council, LLC Page 9

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback