Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C-VT and Attestation of Compliance: Web-Based Virtual Terminal, No Electronic Cardholder Data Storage, Version 0




Page 5/6
Converted 28.04.2016
Size 287.9 KB

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need to know

PCI DSS Question                                                        Response: Yes / No / Special*

7.1    Is access to system components and cardholder data limited to only those individuals whose jobs require such access, as follows:

7.1.1  Are access rights for privileged user IDs restricted to the least privileges necessary to perform job responsibilities?        [ ] Yes  [ ] No  [ ] Special*

7.1.2  Are privileges assigned to individuals based on job classification and function (also called “role-based access control” or RBAC)?        [ ] Yes  [ ] No  [ ] Special*

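The least-privilege and role-based checks behind 7.1.1 and 7.1.2, as an added Python example that is not part of the SAQ document or of any PCI SSC material: privileges are attached to roles rather than to people, authorization is deny-by-default through those roles, and an audit function lists any privileges an account holds that its roles do not justify, which is the evidence an assessor asks for under 7.1.1. Role names, privilege strings and user IDs are constructed for illustration.

```python
"""Role-based access control with a least-privilege audit.

Added example, not part of the SAQ C-VT document. All role names,
privileges and user IDs below are constructed for illustration.
"""
from dataclasses import dataclass

# Privileges a web-based virtual terminal typically exposes (constructed names).
SUBMIT_TXN = "txn:submit"
VOID_TXN = "txn:void"
REFUND_TXN = "txn:refund"
VIEW_REPORTS = "report:view"
MANAGE_USERS = "user:manage"
ADMIN_SYSTEM = "system:admin"

# 7.1.2: privileges are assigned to job roles, never directly to individuals.
ROLE_PRIVILEGES: dict[str, frozenset[str]] = {
    "cashier": frozenset({SUBMIT_TXN}),
    "supervisor": frozenset({SUBMIT_TXN, VOID_TXN, REFUND_TXN, VIEW_REPORTS}),
    "sysadmin": frozenset({MANAGE_USERS, ADMIN_SYSTEM}),
}


@dataclass(frozen=True)
class User:
    user_id: str
    roles: frozenset[str]
    # Privileges granted directly on the account ("just for now" grants by an
    # admin). These are exactly what a 7.1.1 access review has to surface.
    direct_grants: frozenset[str] = frozenset()


def role_privileges(roles) -> frozenset[str]:
    """Union of privileges for the given roles; unknown roles contribute nothing."""
    out: set[str] = set()
    for role in roles:
        out |= ROLE_PRIVILEGES.get(role, frozenset())
    return frozenset(out)


def is_permitted(user: User, privilege: str) -> bool:
    """Deny by default: allow only if one of the user's roles carries the privilege.

    Direct grants are deliberately ignored here so the role model stays the
    single authority for what an account may do.
    """
    return privilege in role_privileges(user.roles)


def excess_privileges(user: User) -> frozenset[str]:
    """7.1.1 check: privileges the account holds that its job roles do not justify."""
    return user.direct_grants - role_privileges(user.roles)


def least_privilege_report(users) -> dict[str, frozenset[str]]:
    """Map user_id -> unjustified privileges, for every account that has any."""
    report: dict[str, frozenset[str]] = {}
    for user in users:
        extra = excess_privileges(user)
        if extra:
            report[user.user_id] = extra
    return report


# Constructed sample accounts for the review.
SAMPLE_USERS = [
    User("alice", frozenset({"cashier"})),
    User("bob", frozenset({"supervisor"})),
    # carol is a cashier who was also handed refund rights directly: a 7.1.1 finding.
    User("carol", frozenset({"cashier"}), frozenset({REFUND_TXN})),
    # dave administers the system but also holds a transaction privilege his role lacks.
    User("dave", frozenset({"sysadmin"}), frozenset({SUBMIT_TXN, MANAGE_USERS})),
]

if __name__ == "__main__":
    for uid, extra in least_privilege_report(SAMPLE_USERS).items():
        print(f"{uid}: remove {sorted(extra)}")
```

Running the script prints the accounts whose direct grants exceed their roles (carol and dave in the constructed data). The same report, run against the real user store before each periodic access review, is a straightforward way to keep 7.1.1 evidence current; `is_permitted` shows why direct grants should not be honoured at decision time even if they still exist in the store.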

Requirement 9: Restrict physical access to cardholder data

PCI DSS Question                                                        Response: Yes / No / Special*

9.6    Are all media physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes)?        [ ] Yes  [ ] No  [ ] Special*

       For purposes of Requirement 9, “media” refers to all paper and electronic media containing cardholder data.

9.7    (a) Is strict control maintained over the internal or external distribution of any kind of media?        [ ] Yes  [ ] No  [ ] Special*

       (b) Do controls include the following:

9.7.1  Is media classified so the sensitivity of the data can be determined?        [ ] Yes  [ ] No  [ ] Special*

9.7.2  Is media sent by secured courier or other delivery method that can be accurately tracked?        [ ] Yes  [ ] No  [ ] Special*

9.8    Are logs maintained to track all media that is moved from a secured area, and is management approval obtained prior to moving the media (especially when media is distributed to individuals)?        [ ] Yes  [ ] No  [ ] Special*

9.9    Is strict control maintained over the storage and accessibility of media?        [ ] Yes  [ ] No  [ ] Special*

9.10   (a) Is all media destroyed when it is no longer needed for business or legal reasons?        [ ] Yes  [ ] No  [ ] Special*

       (b) Is destruction performed as follows:

9.10.1 (a) Are hardcopy materials cross-cut shredded, incinerated, or pulped so that cardholder data cannot be reconstructed?        [ ] Yes  [ ] No  [ ] Special*

       (b) Are containers that store information to be destroyed secured to prevent access to the contents? (For example, a “to-be-shredded” container has a lock preventing access to its contents.)        [ ] Yes  [ ] No  [ ] Special*


