Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C-VT and Attestation of Compliance: Web-Based Virtual Terminal, No Electronic Cardholder Data Storage, Version 0

Conversion date: 28.04.2016
Size: 287.9 Kb

Self-Assessment Questionnaire C-VT

Note: The following questions are numbered according to PCI DSS requirements and testing procedures, as defined in the PCI DSS Requirements and Security Assessment Procedures document.

Date of Completion:      

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect data

PCI DSS Question | Response

Do firewall and router configurations restrict connections between untrusted networks and any system in the cardholder data environment as follows:

Note: An “untrusted network” is any network that is external to the networks belonging to the entity under review, and/or which is out of the entity's ability to control or manage.


(a) Is inbound and outbound traffic restricted to that which is necessary for the cardholder data environment, and are the restrictions documented?


(b) Is all other inbound and outbound traffic specifically denied (for example by using an explicit “deny all” or an implicit deny after allow statement)?



Are perimeter firewalls installed between any wireless networks and the cardholder data environment, and are these firewalls configured to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment?



Does the firewall configuration prohibit direct public access between the Internet and any system component in the cardholder data environment, as follows:


Are direct connections prohibited for inbound or outbound traffic between the Internet and the cardholder data environment?



Is outbound traffic from the cardholder data environment to the Internet explicitly authorized?



Is stateful inspection, also known as dynamic packet filtering, implemented (that is, only established connections are allowed into the network)?



(a) Is personal firewall software installed and active on any mobile and/or employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees), which are used to access the organization’s network?


(b) Is the personal firewall software configured to specific standards, and not alterable by mobile and/or employee-owned computer users?
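
The firewall questions above describe concrete, checkable properties of a ruleset: every permitted flow is documented, everything else is explicitly denied, wireless traffic into the cardholder data environment is controlled, there is no direct Internet-to-CDE path in either direction, CDE egress is authorized per service, and inbound return traffic is limited to established sessions. The script below is an added example written for this page, not part of the SAQ and not any vendor's tool. It audits a normalized ruleset for those properties. The rule shape, the zone addresses (CDE, store wireless, DMZ), the sample rulesets and the finding labels are all assumptions for illustration; a real check would first parse a live export (iptables-save, nft list ruleset, a vendor ACL dump) into the same shape. The personal-firewall questions in (a) and (b) concern endpoint configuration and are not covered here.

```python
"""Audit a normalized firewall ruleset against the Requirement 1 questions.

Added example for this page, not SAQ text and not any vendor's product.
Rule shape, zone addresses, sample rulesets and finding labels are assumptions.
"""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
# Constructed zones for the example: the CDE, the store wireless LAN and a DMZ.
CDE = ipaddress.ip_network("10.10.20.0/24")
WIRELESS = ipaddress.ip_network("192.168.50.0/24")
DMZ = ipaddress.ip_network("10.10.10.0/24")
INTERNAL = [CDE, WIRELESS, DMZ]  # networks the entity owns and controls


def rule(action, src, dst, port="any", state="new", reason=None):
    """One normalized rule; `reason` is the documented business justification."""
    return {"action": action, "src": ipaddress.ip_network(src),
            "dst": ipaddress.ip_network(dst), "port": port,
            "state": state, "reason": reason}


def untrusted(net):
    """Untrusted per the note above: not inside any network the entity controls."""
    return not any(net.subnet_of(i) for i in INTERNAL)


def flow(r):
    return f"{r['src']} -> {r['dst']}:{r['port']}"


def audit(rules):
    """Return (label, detail) findings; an empty list means every check passed."""
    findings = []
    allows = [r for r in rules if r["action"] == "allow"]

    for r in allows:
        # (a) every permitted flow must be documented as necessary for the CDE
        if not r["reason"]:
            findings.append(("documented", f"undocumented allow {flow(r)}"))
        # wireless -> CDE must at least be restricted to specific services
        if r["src"].subnet_of(WIRELESS) and r["dst"].overlaps(CDE) and r["port"] == "any":
            findings.append(("wireless", f"wireless into CDE unrestricted {flow(r)}"))
        # no direct inbound or outbound connection between the Internet and the CDE
        if (untrusted(r["src"]) and r["dst"].overlaps(CDE)) or \
           (untrusted(r["dst"]) and r["src"].subnet_of(CDE)):
            findings.append(("direct-internet", f"Internet<->CDE allow {flow(r)}"))
        # outbound from the CDE must be explicitly authorized per service, not "any"
        if r["src"].subnet_of(CDE) and r["port"] == "any":
            findings.append(("explicit-outbound", f"CDE egress not explicit {flow(r)}"))

    # (b) all other traffic specifically denied: the ruleset ends in an explicit deny-all
    last = rules[-1] if rules else None
    if not (last and last["action"] == "deny" and last["src"] == ANY and last["dst"] == ANY):
        findings.append(("deny-all", "ruleset does not end with an explicit deny-all"))

    # stateful inspection: return traffic into the CDE only for established sessions
    if not any(r["state"] == "established" and r["dst"].overlaps(CDE) for r in allows):
        findings.append(("stateful", "no established-only return rule into the CDE"))
    return findings


# Constructed sample rulesets (not captured from any real device).
COMPLIANT = [
    rule("allow", "10.10.20.0/24", "10.10.10.5/32", port=8080, reason="VT browser to egress proxy"),
    rule("allow", "10.10.10.5/32", "10.10.20.0/24", state="established", reason="proxy replies"),
    rule("allow", "192.168.50.0/24", "10.10.20.10/32", port=443, reason="handhelds to VT host"),
    rule("deny", "0.0.0.0/0", "0.0.0.0/0"),
]
NONCOMPLIANT = [
    rule("allow", "0.0.0.0/0", "10.10.20.10/32", port=3389, reason="remote support"),
    rule("allow", "10.10.20.0/24", "0.0.0.0/0"),
    rule("allow", "192.168.50.0/24", "10.10.20.0/24", reason="store wifi"),
]

if __name__ == "__main__":
    for name, rs in (("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT)):
        print(name, audit(rs) or "no findings")
```

The compliant ruleset routes CDE egress through a DMZ proxy on one documented port and admits only the proxy's established replies, so it yields no findings; the second ruleset is flagged seven times, including once for each direction of a direct Internet-to-CDE allow. A finding here is evidence for a "No" answer to the corresponding question, not proof of a "Yes": the check sees only what the ruleset says, not whether the documentation behind `reason` is current.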


Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

PCI DSS Question | Response

Are vendor-supplied defaults always changed before installing a system on the network?

Vendor-supplied defaults include, but are not limited to, passwords, Simple Network Management Protocol (SNMP) community strings, and elimination of unnecessary accounts.



For wireless environments connected to the cardholder data environment or transmitting cardholder data, are defaults changed as follows:

(a) Are encryption keys changed from default at installation, and changed anytime anyone with knowledge of the keys leaves the company or changes positions?


(b) Are default SNMP community strings on wireless devices changed?


(c) Are default passwords/passphrases on access points changed?


(d) Is firmware on wireless devices updated to support strong encryption for authentication and transmission over wireless networks?


(e) Are other security-related wireless vendor defaults changed, if applicable?



(a) Are only necessary services, protocols, daemons, etc. enabled as required for the function of the system (services and protocols not directly needed to perform the device’s specified function are disabled)?
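
The Requirement 2 questions above reduce to a handful of checks on a device's recorded configuration: the default password changed before installation, no factory SNMP community strings, unnecessary accounts removed, wireless keys rotated at installation and after a key holder leaves, weak wireless encryption retired, other wireless defaults changed, and only the services the device's function needs left enabled. The script below is an added example written for this page, not part of the SAQ and not any vendor's tool. The record layout, the role-to-service allowlist, the sample devices and the finding labels are assumptions for illustration; the only vendor-default facts it relies on are that `public` and `private` are the well-known factory SNMP community strings and that WEP and open networks do not provide strong encryption.

```python
"""Check a device's recorded configuration against the Requirement 2 questions.

Added example for this page, not SAQ text and not any vendor's product.
Record layout, service allowlist, sample devices and labels are assumptions.
"""
from datetime import date

# Assumed allowlist: services a device of this role needs for its function.
NEEDED_SERVICES = {
    "wireless access point": {"ssh", "https", "snmp"},
    "virtual terminal workstation": {"https-client"},
}
DEFAULT_SNMP = {"public", "private"}   # well-known factory community strings
WEAK_WIRELESS = {"WEP", "open"}        # not strong encryption for auth or transmission


def check(dev):
    """Return (label, detail) findings for one device record; empty means compliant."""
    f = []
    # defaults changed before installing on the network: a password change must be
    # recorded, and recorded no later than the install date
    changed = dev.get("password_changed")
    if changed is None or changed > dev["installed"]:
        f.append(("default-password", f"password not changed before install on {dev['installed']}"))
    for c in dev.get("snmp_communities", []):
        if c.lower() in DEFAULT_SNMP:
            f.append(("default-snmp", f"community string {c!r} is a factory default"))
    for a in dev.get("accounts", []):
        if a not in dev.get("needed_accounts", []):
            f.append(("unnecessary-account", f"account {a!r} is not required"))
    # only services required for the device's function are enabled
    extra = set(dev.get("services", [])) - NEEDED_SERVICES.get(dev["role"], set())
    for s in sorted(extra):
        f.append(("unnecessary-service", f"{s} enabled but not needed by a {dev['role']}"))

    w = dev.get("wireless")
    if w:
        # (a) keys changed from default and rotated after a key holder leaves
        left = w.get("last_key_holder_left")
        if w.get("key_changed") is None:
            f.append(("wireless-key", "encryption key never changed from default"))
        elif left and w["key_changed"] < left:
            f.append(("wireless-key", f"key not rotated after key holder left on {left}"))
        # (d) firmware/config must support strong encryption
        if w["encryption"] in WEAK_WIRELESS:
            f.append(("wireless-encryption", f"{w['encryption']} in use"))
        # (e) any other security-related vendor default still unchanged
        for d in w.get("other_defaults_unchanged", []):
            f.append(("wireless-default", f"vendor default {d!r} unchanged"))
    return f


# Constructed sample records (not real devices).
AP_OK = {
    "role": "wireless access point", "installed": date(2016, 3, 1),
    "password_changed": date(2016, 2, 28),
    "snmp_communities": ["st0re-mon-ro"],
    "accounts": ["admin"], "needed_accounts": ["admin"],
    "services": ["ssh", "https", "snmp"],
    "wireless": {"encryption": "WPA2", "key_changed": date(2016, 4, 2),
                 "last_key_holder_left": date(2016, 4, 1), "other_defaults_unchanged": []},
}
AP_BAD = {
    "role": "wireless access point", "installed": date(2016, 3, 1),
    "password_changed": None,
    "snmp_communities": ["public", "st0re-mon-ro"],
    "accounts": ["admin", "guest"], "needed_accounts": ["admin"],
    "services": ["ssh", "https", "snmp", "telnet", "tftp"],
    "wireless": {"encryption": "WEP", "key_changed": date(2016, 3, 1),
                 "last_key_holder_left": date(2016, 4, 1), "other_defaults_unchanged": ["ssid"]},
}

if __name__ == "__main__":
    for name, dev in (("AP_OK", AP_OK), ("AP_BAD", AP_BAD)):
        print(name, check(dev) or "no findings")
```

The first record passes every check; the second is flagged eight times, twice for services (telnet and tftp) outside the access-point allowlist. The record is an inventory of what the organisation believes it changed, so this complements rather than replaces an active test such as attempting the vendor's documented default credentials against the device, which is the only way to prove a default password is actually gone.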

