Payment Card Industry (PCI)
Data Security Standard
Self-Assessment Questionnaire C
and Attestation of Compliance


Payment Application Connected to Internet,
No Electronic Cardholder Data Storage


Version 1.2
October 2008

Document Changes

Date             Version  Description
October 1, 2008  1.2      To align content with new PCI DSS v1.2 and to implement minor changes noted since original v1.1.

Table of Contents

Document Changes
PCI Data Security Standard: Related Documents
Before you Begin
    Completing the Self-Assessment Questionnaire
    PCI DSS Compliance – Completion Steps
    Guidance for Non-Applicability and Exclusion of Certain, Specific Requirements
Attestation of Compliance, SAQ C
Self-Assessment Questionnaire C
    Build and Maintain a Secure Network
        Requirement 1: Install and maintain a firewall configuration to protect data
        Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
    Protect Cardholder Data
        Requirement 3: Protect stored cardholder data
        Requirement 4: Encrypt transmission of cardholder data across open, public networks
    Maintain a Vulnerability Management Program
        Requirement 5: Use and regularly update anti-virus software or programs
        Requirement 6: Develop and maintain secure systems and applications
    Implement Strong Access Control Measures
        Requirement 7: Restrict access to cardholder data by business need-to-know
        Requirement 8: Assign a unique ID to each person with computer access
        Requirement 9: Restrict physical access to cardholder data
    Regularly Monitor and Test Networks
        Requirement 10: Track and monitor all access to network resources and cardholder data
        Requirement 11: Regularly test security systems and processes
    Maintain an Information Security Policy
        Requirement 12: Maintain a policy that addresses information security for employees and contractors
Appendix A: (not used)
Appendix B: Compensating Controls
Appendix C: Compensating Controls Worksheet
    Compensating Controls Worksheet—Completed Example
Appendix D: Explanation of Non-Applicability

PCI Data Security Standard: Related Documents

The following documents were created to assist merchants and service providers in understanding the PCI Data Security Standard and the PCI DSS SAQ.

Document | Audience
PCI Data Security Standard Requirements and Security Assessment Procedures | All merchants and service providers
Navigating PCI DSS: Understanding the Intent of the Requirements | All merchants and service providers
PCI Data Security Standard: Self-Assessment Guidelines and Instructions | All merchants and service providers
PCI Data Security Standard: Self-Assessment Questionnaire A and Attestation | Merchants¹
PCI Data Security Standard: Self-Assessment Questionnaire B and Attestation | Merchants¹
PCI Data Security Standard: Self-Assessment Questionnaire C and Attestation | Merchants¹
PCI Data Security Standard: Self-Assessment Questionnaire D and Attestation | Merchants¹ and all service providers
PCI Data Security Standard and Payment Application Data Security Standard Glossary of Terms, Abbreviations, and Acronyms | All merchants and service providers

Before you Begin

Completing the Self-Assessment Questionnaire


SAQ C has been developed to address requirements applicable to merchants who process cardholder data via payment applications (for example, POS systems) connected to the Internet (via high-speed connection, DSL, cable modem, etc.), but who do not store cardholder data on any computer system. These payment applications are connected to the Internet either because:

  1. The payment application is on a personal computer connected to the Internet, or

  2. The payment application is connected to the Internet to transmit cardholder data.

These merchants are SAQ Validation Type 4, as defined here and in the PCI DSS Self-Assessment Questionnaire Instructions and Guidelines. Validation Type 4 merchants process cardholder data via POS machines connected to the Internet, do not store cardholder data on any computer system, and may be either brick-and-mortar (card-present) or e-commerce or mail/telephone-order (card-not-present) merchants. Such merchants must validate compliance by completing SAQ C and the associated Attestation of Compliance, confirming that:

  • Your company has a payment application system and an Internet connection on the same device;

  • The payment application/Internet device is not connected to any other systems within your environment;

  • Your company retains only paper reports or paper copies of receipts;

  • Your company does not store cardholder data in electronic format; and

  • Your company’s payment application vendor uses secure techniques to provide remote support to your payment system.

Each section of this questionnaire focuses on a specific area of security, based on the requirements in the PCI Data Security Standard.