Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C-VT and Attestation of Compliance, Web-Based Virtual Terminal, No Electronic Cardholder Data Storage, Version 0




Page 4 of 6 (converted 28.04.2016, size 287.9 KB)

Protect Cardholder Data

Requirement 3: Protect stored cardholder data

PCI DSS Question                                                        Response: Yes / No / Special*

3.2.2  The card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) is not stored under any circumstance?
       Response: [ ] Yes  [ ] No  [ ] Special*

3.3    Is the PAN masked when displayed (the first six and last four digits are the maximum number of digits to be displayed)?
       Notes:
         • This requirement does not apply to employees and other parties with a specific need to see the full PAN;
         • This requirement does not supersede stricter requirements in place for displays of cardholder data—for example, for point-of-sale (POS) receipts.
       Response: [ ] Yes  [ ] No  [ ] Special*
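Questions 3.2.2 and 3.3 are easy to answer "Yes" on paper and hard to evidence in a real virtual-terminal deployment: the PAN that is masked on the receipt screen is often written in full to an application log or a support e-mail. The following Python is an added example, not part of the SAQ or any PCI SSC material. It implements the 3.3 masking rule (at most first six and last four digits shown), a check that a rendered display string respects that rule, and a scanner that flags full PANs in free text (logs, message exports) using a Luhn filter to cut false positives. The log lines are constructed for the example; the card numbers in them are industry test numbers, and all function names are the example's own.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run. Luhn filtering is applied afterwards.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812). Used to drop ticket numbers, timestamps
    and other digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, lead: int = 6, trail: int = 4) -> str:
    """Return the PAN with at most the first six and last four digits visible
    (the PCI DSS 3.3 maximum). Separators in the input are dropped.
    Callers that only need the last four should pass lead=0."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    if lead > 6 or trail > 4 or lead < 0 or trail < 0:
        raise ValueError("3.3 allows at most the first six and last four digits")
    hidden = len(digits) - lead - trail
    # digits[len-trail:] rather than digits[-trail:] so trail=0 hides everything
    return digits[:lead] + "*" * hidden + digits[len(digits) - trail:]


def display_is_compliant(pan: str, shown: str) -> bool:
    """True if the string actually rendered to the user exposes no digit
    outside the first six / last four positions of the PAN."""
    digits = re.sub(r"\D", "", pan)
    visible = re.sub(r"[ -]", "", shown)
    if len(visible) != len(digits):
        return False
    for i, ch in enumerate(visible):
        if ch.isdigit() and not (i < 6 or i >= len(digits) - 4):
            return False
    return True


def find_unmasked_pans(lines):
    """Scan text (application logs, e-mail bodies, chat exports) for PANs
    shown in full. Findings are reported already masked so the report itself
    does not become a new store of cardholder data."""
    hits = []
    for idx, line in enumerate(lines):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"\D", "", m.group(0))
            if luhn_ok(digits):
                hits.append((idx, mask_pan(digits)))
    return hits


# Constructed sample log lines (not from any real system). Line 0 is compliant;
# lines 1 and 2 leak a full PAN, and line 2 additionally logs a CVV (3.2.2);
# line 3 contains a 15-digit ticket number that is not Luhn-valid.
SAMPLE_LINES = [
    "2016-04-28 10:02:11 order=1001 pan=411111******1111 status=approved",
    "2016-04-28 10:05:43 order=1002 pan=4111 1111 1111 1111 status=declined",
    "2016-04-28 10:07:02 order=1003 pan=378282246310005 cvv=123",
    "2016-04-28 10:09:00 ticket #123456789012345 opened",
]

if __name__ == "__main__":
    print(mask_pan("4111 1111 1111 1111"))
    for idx, masked in find_unmasked_pans(SAMPLE_LINES):
        print(f"line {idx}: unmasked PAN found ({masked})")
```

The scanner deliberately does not try to detect CVVs: a three-digit number has no checksum to filter on, so the realistic control for 3.2.2 is the absence of any field that carries it, which is a code-review and schema question rather than a regex.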

Requirement 4: Encrypt transmission of cardholder data across open, public networks

PCI DSS Question                                                        Response: Yes / No / Special*

4.1    (a) Are strong cryptography and security protocols, such as SSL/TLS, SSH or IPSEC, used to safeguard sensitive cardholder data during transmission over open, public networks?
       Examples of open, public networks that are in scope of the PCI DSS include but are not limited to the Internet, wireless technologies, Global System for Mobile communications (GSM), and General Packet Radio Service (GPRS).
       Response: [ ] Yes  [ ] No  [ ] Special*

       (b) Are only trusted keys and/or certificates accepted?
       Response: [ ] Yes  [ ] No  [ ] Special*

       (c) For SSL/TLS implementations:
         • Does HTTPS appear as part of the browser Uniform Resource Locator (URL)?
         • Is cardholder data only required when HTTPS appears in the URL?
       Response: [ ] Yes  [ ] No  [ ] Special*

4.2    (b) Are policies in place that state that unprotected PANs are not to be sent via end-user messaging technologies?
       Response: [ ] Yes  [ ] No  [ ] Special*

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software or programs

PCI DSS Question                                                        Response: Yes / No / Special*

5.1    Is anti-virus software deployed on all systems commonly affected by malicious software?
       Response: [ ] Yes  [ ] No  [ ] Special*

5.1.1  Are all anti-virus programs capable of detecting, removing, and protecting against all known types of malicious software (for example, viruses, Trojans, worms, spyware, adware, and rootkits)?
       Response: [ ] Yes  [ ] No  [ ] Special*

5.2    Is all anti-virus software current, actively running, and generating audit logs, as follows:

       (a) Does the anti-virus policy require updating of anti-virus software and definitions?
       Response: [ ] Yes  [ ] No  [ ] Special*

       (b) Are automatic updates and periodic scans enabled?
       Response: [ ] Yes  [ ] No  [ ] Special*

       (c) Are all anti-virus mechanisms generating audit logs, and are logs retained in accordance with PCI DSS Requirement 10.7?
       Response: [ ] Yes  [ ] No  [ ] Special*

Requirement 6: Develop and maintain secure systems and applications

PCI DSS Question                                                        Response: Yes / No / Special*

6.1    (a) Are all system components and software protected from known vulnerabilities by having the latest vendor-supplied security patches installed?
       Response: [ ] Yes  [ ] No  [ ] Special*

       (b) Are critical security patches installed within one month of release?
       Response: [ ] Yes  [ ] No  [ ] Special*


