

Payment Card Industry (PCI)
Data Security Standard
Self-Assessment Questionnaire C-VT
and Attestation of Compliance


Web-Based Virtual Terminal, No Electronic Cardholder Data Storage

Version 2.0
October 2010

Document Changes

Date              Version   Description
October 28, 2010  2.0       New Self-Assessment Questionnaire and Attestation of Compliance for merchants using only web-based virtual terminals. Aligned with PCI DSS v2.0 requirements and testing procedures.

Table of Contents

Document Changes
PCI Data Security Standard: Related Documents
Before you Begin
    Completing the Self-Assessment Questionnaire
    PCI DSS Compliance – Completion Steps
    Guidance for Non-Applicability of Certain, Specific Requirements
Attestation of Compliance, SAQ C-VT
Self-Assessment Questionnaire C-VT
    Build and Maintain a Secure Network
        Requirement 1: Install and maintain a firewall configuration to protect data
        Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
    Protect Cardholder Data
        Requirement 3: Protect stored cardholder data
        Requirement 4: Encrypt transmission of cardholder data across open, public networks
    Maintain a Vulnerability Management Program
        Requirement 5: Use and regularly update anti-virus software or programs
        Requirement 6: Develop and maintain secure systems and applications
    Implement Strong Access Control Measures
        Requirement 7: Restrict access to cardholder data by business need to know
        Requirement 9: Restrict physical access to cardholder data
    Maintain an Information Security Policy
        Requirement 12: Maintain a policy that addresses information security for all personnel
Appendix A: (not used)
Appendix B: Compensating Controls
Appendix C: Compensating Controls Worksheet
    Compensating Controls Worksheet—Completed Example
Appendix D: Explanation of Non-Applicability

PCI Data Security Standard: Related Documents

The following documents were created to assist merchants and service providers in understanding the PCI Data Security Standard and the PCI DSS SAQ.

Document                                                                        Audience
PCI Data Security Standard: Requirements and Security Assessment Procedures     All merchants and service providers
Navigating PCI DSS: Understanding the Intent of the Requirements                All merchants and service providers
PCI Data Security Standard: Self-Assessment Guidelines and Instructions         All merchants and service providers
PCI Data Security Standard: Self-Assessment Questionnaire A and Attestation     Eligible merchants¹
PCI Data Security Standard: Self-Assessment Questionnaire B and Attestation     Eligible merchants¹
PCI Data Security Standard: Self-Assessment Questionnaire C-VT and Attestation  Eligible merchants¹
PCI Data Security Standard: Self-Assessment Questionnaire C and Attestation     Eligible merchants¹
PCI Data Security Standard: Self-Assessment Questionnaire D and Attestation     Eligible merchants and service providers¹
PCI Data Security Standard and Payment Application Data Security Standard:
    Glossary of Terms, Abbreviations, and Acronyms                              All merchants and service providers


Before you Begin

Completing the Self-Assessment Questionnaire


SAQ C-VT has been developed to address requirements applicable to merchants who process cardholder data only via isolated virtual terminals on personal computers connected to the Internet.

A virtual terminal is web-browser-based access to an acquirer, processor, or third-party service provider website to authorize payment card transactions, where the merchant manually enters payment card data via a securely connected web browser. Unlike physical terminals, virtual terminals do not read data directly from a payment card. Because payment card transactions are entered manually, virtual terminals are typically used instead of physical terminals in merchant environments with low transaction volumes.

These merchants process cardholder data only via a virtual terminal and do not store cardholder data on any computer system. These virtual terminals are connected to the Internet to access a third party that hosts the virtual terminal payment processing function. This third party may be a processor, acquirer, or other third-party service provider who stores, processes, and/or transmits cardholder data to authorize and/or settle merchants’ virtual terminal payment transactions.

This SAQ option is intended to apply only to merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution.

SAQ C-VT merchants process cardholder data via virtual terminals on personal computers connected to the Internet, do not store cardholder data on any computer system, and may be brick-and-mortar (card-present) or mail/telephone-order (card-not-present) merchants. Such merchants validate compliance by completing SAQ C-VT and the associated Attestation of Compliance, confirming that:


  • Your company’s only payment processing is done via a virtual terminal accessed by an Internet-connected web browser;

  • Your company’s virtual terminal solution is provided and hosted by a PCI DSS validated third-party service provider;

  • Your company accesses the PCI DSS compliant virtual terminal solution via a computer that is isolated in a single location, and is not connected to other locations or systems within your environment (this can be achieved via a firewall or network segmentation to isolate the computer from other systems);

  • Your company’s computer does not have software installed that causes cardholder data to be stored (for example, there is no software for batch processing or store-and-forward);

  • Your company’s computer does not have any attached hardware devices that are used to capture or store cardholder data (for example, there are no card readers attached);

  • Your company does not otherwise receive or transmit cardholder data electronically through any channels (for example, via an internal network or the Internet);

  • Your company retains only paper reports or paper copies of receipts; and

  • Your company does not store cardholder data in electronic format.

This option would never apply to e-commerce merchants.
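Two of the eligibility criteria above (no software that causes cardholder data to be stored, and no cardholder data stored in electronic format) are attestations the merchant must be able to stand behind, but the SAQ does not say how to check them. The following is an added example, not part of SAQ C-VT or any PCI SSC material: a small PAN discovery scan that a merchant or assessor could run on the virtual-terminal PC to look for primary account numbers left behind in browser logs, exports, or notes. It matches 13- to 19-digit runs, drops candidates that fail the Luhn check (which removes most phone numbers, order IDs and other numeric noise), and reports only the first six and last four digits so the scan output itself does not become stored cardholder data. The directory tree, file names and card numbers in `demo()` are constructed sample data (the card numbers are the commonly published Visa and Mastercard test numbers, not real accounts).

```python
"""PAN discovery scan for a virtual-terminal PC (added example, not part of SAQ C-VT)."""
import re
import tempfile
from pathlib import Path

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or hyphens,
# not preceded or followed by another digit (so longer numeric runs are skipped).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn mod-10 check used for PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep the first six and last four digits, the masking PCI DSS 3.3 permits for display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return masked PAN-looking strings in text that pass the Luhn check."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(mask(digits))
    return hits


def scan_tree(root: Path, max_bytes: int = 50_000_000) -> dict[str, list[str]]:
    """Scan every regular file under root; map relative path -> masked hits.

    Files are read as text with undecodable bytes dropped, so this finds
    plaintext PANs only (logs, CSV exports, browser form data), not PANs
    inside compressed or encrypted containers.
    """
    findings: dict[str, list[str]] = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.stat().st_size > max_bytes:
            continue
        try:
            hits = find_pans(path.read_text(errors="ignore"))
        except OSError:
            continue                 # unreadable file: skip it, do not abort the scan
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


def demo() -> dict[str, list[str]]:
    """Build a constructed directory tree and scan it (sample data, not real accounts)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "logs").mkdir()
        # Constructed sample: a Visa test number, a phone number and a 16-digit run
        # that fails Luhn in one file, a Mastercard test number in another, and a
        # clean file. Only the two test card numbers should be reported.
        (root / "logs" / "browser.log").write_text(
            "POST /vt/charge card=4111 1111 1111 1111 amount=19.99\n"
            "callback 555-123-4567 ref=1234 5678 9012 3456\n"
        )
        (root / "receipt.txt").write_text("Paid with 5555-5555-5555-4444, thank you.\n")
        (root / "notes.txt").write_text("No card data here.\n")
        return scan_tree(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        print(f"{path}: {', '.join(hits)}")
```

Run it against the user profile, browser data directories and any export folders on the terminal PC, not just the desktop. A hit does not by itself prove the PC is ineligible for SAQ C-VT, but it does mean the source of the stored number has to be found and removed before attesting that no cardholder data is stored electronically. Because the scan decodes files as text, it will miss numbers inside compressed office documents, archives or encrypted stores; those have to be unpacked or opened before scanning.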

Each section of this questionnaire focuses on a specific area of security, based on the requirements in the PCI DSS Requirements and Security Assessment Procedures. This shortened version of the SAQ includes questions which apply to a specific type of small merchant environment, as defined in the above eligibility criteria. If there are PCI DSS requirements applicable to your environment which are not covered in this SAQ, it may be an indication that this SAQ is not suitable for your environment. Additionally, you must still comply with all applicable PCI DSS requirements in order to be PCI DSS compliant.

