
Payment Card Industry (PCI) Data Security Standard

Self-Assessment Questionnaire B
and Attestation of Compliance

Imprint Machines or Standalone Dial-out Terminals Only, No Electronic Cardholder Data Storage
Version 2.0
October 2010

Document Changes

Date              | Version | Description
October 1, 2008   | 1.2     | To align content with new PCI DSS v1.2 and to implement minor changes noted since original v1.1.
October 28, 2010  | 2.0     | To align content with new PCI DSS v2.0 requirements and testing procedures.

PCI DSS SAQ B, v2.0, Document Changes   Copyright 2010 PCI Security Standards Council LLC

October 2010 Page i

Table of Contents

Document Changes ........ i
PCI Data Security Standard: Related Documents ........ iii
Before you Begin ........ iii
  Completing the Self-Assessment Questionnaire ........ iii
  PCI DSS Compliance - Completion Steps ........ iv
  Guidance for Non-Applicability of Certain, Specific Requirements ........ iv
Attestation of Compliance, SAQ B ........ 1
Self-Assessment Questionnaire B ........ 5
  Protect Cardholder Data ........ 5
    Requirement 3: Protect stored cardholder data ........ 5
    Requirement 4: Encrypt transmission of cardholder data across open, public networks ........ 6
  Implement Strong Access Control Measures ........ 7
    Requirement 7: Restrict access to cardholder data by business need to know ........ 7
    Requirement 9: Restrict physical access to cardholder data ........ 7
  Maintain an Information Security Policy ........ 9
    Requirement 12: Maintain a policy that addresses information security for all personnel ........ 9
Appendix A: (not used) ........ 11
Appendix B: Compensating Controls ........ 12
Appendix C: Compensating Controls Worksheet ........ 13
  Compensating Controls Worksheet - Completed Example ........ 14
Appendix D: Explanation of Non-Applicability ........ 15


PCI Data Security Standard: Related Documents

The following documents were created to assist merchants and service providers in understanding the PCI Data Security Standard and the PCI DSS SAQs.

Document | Audience
PCI Data Security Standard: Requirements and Security Assessment Procedures | All merchants and service providers
Navigating PCI DSS: Understanding the Intent of the Requirements | All merchants and service providers
PCI Data Security Standard: Self-Assessment Guidelines and Instructions | All merchants and service providers
PCI Data Security Standard: Self-Assessment Questionnaire A and Attestation | Eligible merchants [1]
PCI Data Security Standard: Self-Assessment Questionnaire B and Attestation | Eligible merchants
PCI Data Security Standard: Self-Assessment Questionnaire C-VT and Attestation | Eligible merchants
PCI Data Security Standard: Self-Assessment Questionnaire C and Attestation | Eligible merchants
PCI Data Security Standard: Self-Assessment Questionnaire D and Attestation | Eligible merchants and service providers
PCI Data Security Standard and Payment Application Data Security Standard: Glossary of Terms, Abbreviations, and Acronyms | All merchants and service providers

Before you Begin

Completing the Self-Assessment Questionnaire

SAQ B has been developed to address requirements applicable to merchants who process cardholder data only via imprint machines or standalone, dial-out terminals.

SAQ B merchants are defined here and in the PCI DSS Self-Assessment Questionnaire Instructions and Guidelines. SAQ B merchants process cardholder data only via imprint machines or via standalone, dial-out terminals, and may be either brick-and-mortar (card-present) or e-commerce or mail/telephone order (card-not-present) merchants. These merchants validate compliance by completing SAQ B and the associated Attestation of Compliance, confirming that:

- Your company uses only imprint machines and/or uses only standalone, dial-out terminals (connected via a phone line to your processor) to take your customers' payment card information;
- The standalone, dial-out terminals are not connected to any other systems within your environment;
- The standalone, dial-out terminals are not connected to the Internet;
- Your company does not transmit cardholder data over a network (either an internal network or the Internet);
- Your company retains only paper reports or paper copies of receipts with cardholder data, and these documents are not received electronically; and
- Your company does not store cardholder data in electronic format.

Each section of the questionnaire focuses on a specific area of security, based on the requirements in the PCI DSS Requirements and Security Assessment Procedures. This shortened version of the SAQ includes questions which apply to a specific type of small merchant environment, as defined in the above eligibility criteria. If there are PCI DSS requirements applicable to your environment which are not covered in this SAQ, it may be an indication that this SAQ is not suitable for your environment. Additionally, you must still comply with all applicable PCI DSS requirements in order to be PCI DSS compliant.

[1] To determine the appropriate Self-Assessment Questionnaire, see PCI Data Security Standard: Self-Assessment Guidelines and Instructions, "Selecting the SAQ and Attestation That Best Apply to Your Organization."

PCI DSS Compliance - Completion Steps

1. Assess your environment for compliance with the PCI DSS.
2. Complete the Self-Assessment Questionnaire (SAQ B) according to the instructions in the Self-Assessment Questionnaire Instructions and Guidelines.
3. Complete the Attestation of Compliance in its entirety.
4. Submit the SAQ and the Attestation of Compliance, along with any other requested documentation, to your acquirer.

Guidance for Non-Applicability of Certain, Specific Requirements

Non-Applicability: Requirements deemed not applicable to your environment must be indicated with "N/A" in the "Special" column of the SAQ. Accordingly, complete the "Explanation of Non-Applicability" worksheet in Appendix D for each "N/A" entry.


Attestation of Compliance, SAQ B

Instructions for Submission

The merchant must complete this Attestation of Compliance as a declaration of the merchant's compliance status with the Payment Card Industry Data Security Standard (PCI DSS) Requirements and Security Assessment Procedures. Complete all applicable sections and refer to the submission instructions at "PCI DSS Compliance - Completion Steps" in this document.

Part 1. Merchant and Qualified Security Assessor Information

Part 1a. Merchant Organization Information
Company Name:             DBA(s):
Contact Name:             Title:
Telephone:                E-mail:
Business Address:         City:
State/Province:           Country:          ZIP:
URL:

Part 1b. Qualified Security Assessor Company Information (if applicable)
Company Name:
Lead QSA Contact Name:    Title:
Telephone:                E-mail:
Business Address:         City:
State/Province:           Country:          ZIP:
URL:

Part 2. Type of merchant business (check all that apply):

Retailer | Telecommunication | Grocery and Supermarkets | Petroleum | E-Commerce | Mail/Telephone-Order | Other (please specify):

List facilities and locations included in PCI DSS review:

Part 2a. Relationships

Does your company have a relationship with one or more third-party agents (for example, gateways, web-hosting companies, airline booking agents, loyalty program agents, etc.)?   Yes / No
Does your company have a relationship with more than one acquirer?   Yes / No


Part 2b. Transaction Processing

How and in what capacity does your business store, process and/or transmit cardholder data?

Please provide the following information regarding the Payment Applications your organization uses:

Payment Application in Use | Version Number | Last Validated according to PABP/PA-DSS

Part 2c. Eligibility to Complete SAQ B

Merchant certifies eligibility to complete this shortened version of the Self-Assessment Questionnaire because:

- Merchant uses only an imprint machine to imprint customers' payment card information and does not transmit cardholder data over either a phone line or the Internet; or
- Merchant uses only standalone, dial-out terminals; and the standalone, dial-out terminals are not connected to the Internet or any other systems within the merchant environment;
- Merchant does not store cardholder data in electronic format; and
- If Merchant does store cardholder data, such data is only paper reports or copies of paper receipts and is not received electronically.

Part 3. PCI DSS Validation

Based on the results noted in the SAQ B dated (completion date), (Merchant Company Name) asserts the following compliance status (check one):

- Compliant: All sections of the PCI SAQ are complete, and all questions answered "yes," resulting in an overall COMPLIANT rating, thereby (Merchant Company Name) has demonstrated full compliance with the PCI DSS.
- Non-Compliant: Not all sections of the PCI SAQ are complete, or some questions are answered "no," resulting in an overall NON-COMPLIANT rating, thereby (Merchant Company Name) has not demonstrated full compliance with the PCI DSS.
  Target Date for Compliance:
  An entity submitting this form with a status of Non-Compliant may be required to complete the Action Plan in Part 4 of this document. Check with your acquirer or the payment brand(s) before completing Part 4, since not all payment brands require this section.

Part 3a. Confirmation of Compliant Status

Merchant confirms:

- PCI DSS Self-Assessment Questionnaire B, Version (version of SAQ), was completed according to the instructions therein.
- All information within the above-referenced SAQ and in this attestation fairly represents the results of my assessment.
- I have confirmed with my payment application vendor that my payment system does not store sensitive authentication data after authorization.
- I have read the PCI DSS and I recognize that I must maintain full PCI DSS compliance at all times.
- No evidence of magnetic stripe (i.e., track) data [2], CAV2, CVC2, CID, or CVV2 data [3], or PIN data [4] storage after transaction authorization was found on ANY systems reviewed during this assessment.

Part 3b. Merchant Acknowledgement

Signature of Merchant Executive Officer          Date
Merchant Executive Officer Name                  Title
Merchant Company Represented

[2] Data encoded in the magnetic stripe or equivalent data on a chip used for authorization during a card-present transaction. Entities may not retain full magnetic-stripe data after transaction authorization. The only elements of track data that may be retained are account number, expiration date, and name.
[3] The three- or four-digit value printed on or to the right of the signature panel or on the face of a payment card used to verify card-not-present transactions.
[4] Personal Identification Number entered by cardholder during a card-present transaction, and/or encrypted PIN block present within the transaction message.

Part 4. Action Plan for Non-Compliant Status

Please select the appropriate "Compliance Status" for each requirement. If you answer "NO" to any of the requirements, you are required to provide the date Company will be compliant with the requirement and a brief description of the actions being taken to meet the requirement. Check with your acquirer or the payment brand(s) before completing Part 4, since not all payment brands require this section.

PCI DSS Requirement | Description of Requirement | Compliance Status (Select One): YES / NO | Remediation Date and Actions (if Compliance Status is "NO")
3  | Protect stored cardholder data | |
4  | Encrypt transmission of cardholder data across open, public networks | |
7  | Restrict access to cardholder data by business need to know | |
9  | Restrict physical access to cardholder data | |
12 | Maintain a policy that addresses information security for all personnel | |

Self-Assessment Questionnaire B

Note: The following questions are numbered according to PCI DSS requirements and testing procedures, as defined in the PCI DSS Requirements and Security Assessment Procedures document.

Date of Completion:

Protect Cardholder Data

Requirement 3: Protect stored cardholder data
PCI DSS Question | Response: Yes / No / Special*

3.2 (b) If sensitive authentication data is received and deleted, are processes in place to securely delete the data to verify that the data is unrecoverable?
    (c) Do all systems adhere to the following requirements regarding non-storage of sensitive authentication data after authorization (even if encrypted)?
3.2.1 The full contents of any track from the magnetic stripe (located on the back of a card, equivalent data contained on a chip, or elsewhere) are not stored under any circumstance? This data is alternatively called full track, track, track 1, track 2, and magnetic-stripe data.
    Note: In the normal course of business, the following data elements from the magnetic stripe may need to be retained: the cardholder's name, primary account number (PAN), expiration date, and service code. To minimize risk, store only these data elements as needed for business.
3.2.2 The card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) is not stored under any circumstance?
3.2.3 The personal identification number (PIN) or the encrypted PIN block are not stored under any circumstance?
3.3 Is the PAN masked when displayed (the first six and last four digits are the maximum number of digits to be displayed)?
    Notes: This requirement does not apply to employees and other parties with a specific need to see the full PAN. This requirement does not supersede stricter requirements in place for displays of cardholder data, for example, for point-of-sale (POS) receipts.

* "Not Applicable" (N/A) or "Compensating Control Used." Organizations using this section must complete the Compensating Control Worksheet or Explanation of Non-Applicability Worksheet, as appropriate, in the Appendix.
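Answering 3.2.1 and 3.3 honestly means actually looking for track data and PANs on the systems in scope (exports, batch files, log directories) rather than assuming a terminal never wrote them to disk. The following Python routine is an added example by the editor, not part of the SAQ or of any PCI SSC material: it finds ISO/IEC 7813 track 1 / track 2 layouts, finds 13- to 19-digit runs that pass the Luhn check, and returns every finding already masked to the first six and last four digits so the report itself is not a new store of cardholder data. The sample text, the regular expressions and the function names are the editor's assumptions; the card numbers are public test numbers.

```python
import re

# Track 1 (ISO/IEC 7813): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})[^?]*\?")
# Track 2 (ISO/IEC 7813): ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})[^?]*\?")
# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit used by payment card numbers; rejects order numbers and the like."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Requirement 3.3 display form: at most the first six and last four digits visible."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_for_cardholder_data(text: str) -> dict:
    """Report track data (3.2.1) and Luhn-valid PANs found in text.

    Findings are returned masked, so the report does not itself become a
    store of cardholder data.  Card verification values (3.2.2) and PINs
    (3.2.3) have no distinctive format and cannot be found by pattern alone;
    a track finding is the signal that such data may also be present.
    """
    findings = {"track1": [], "track2": [], "pan": []}
    for m in TRACK1_RE.finditer(text):
        findings["track1"].append(mask_pan(m.group(1)))
    for m in TRACK2_RE.finditer(text):
        findings["track2"].append(mask_pan(m.group(1)))
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            findings["pan"].append(mask_pan(digits))
    return findings


# Constructed sample: an export file a merchant might not know it has.
# 4111111111111111 and 5555555555554444 are public test numbers, not real cards.
SAMPLE = "\n".join([
    "Receipt 17 PAN 4111 1111 1111 1111 EXP 12/25 AUTH OK",
    "raw: ;4111111111111111=2512101123?",
    "raw: %B5555555555554444^DOE/JANE^2512101123?",
    "Order 1234567890123456 shipped",   # 16 digits but fails Luhn: not a PAN
])

if __name__ == "__main__":
    for kind, items in scan_for_cardholder_data(SAMPLE).items():
        print(f"{kind}: {items}")
```

Run against the sample, the scanner reports one track 1 record, one track 2 record and three masked PANs, and ignores the order number that looks like a PAN but fails the Luhn check. Any track finding on a system in scope is a "no" for 3.2.1 regardless of whether the file was ever meant to be kept.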

Requirement 4: Encrypt transmission of cardholder data across open, public networks
PCI DSS Question | Response: Yes / No / Special*

4.2 (b) Are policies in place that state that unprotected PANs are not to be sent via end-user messaging technologies?

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need to know
PCI DSS Question | Response: Yes / No / Special*

7.1 Is access to system components and cardholder data limited to only those individuals whose job requires such access, as follows:
7.1.1 Are access rights for privileged user IDs restricted to least privileges necessary to perform job responsibilities?
7.1.2 Are privileges assigned to individuals based on job classification and function (also called "role-based access control" or RBAC)?

Requirement 9: Restrict physical access to cardholder data
PCI DSS Question | Response: Yes / No / Special*

9.6 Are all media physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes)?
    For purposes of Requirement 9, "media" refers to all paper and electronic media containing cardholder data.
9.7 (a) Is strict control maintained over the internal or external distribution of any kind of media?
    (b) Do controls include the following:
9.7.1 Is media classified so the sensitivity of the data can be determined?
9.7.2 Is media sent by secured courier or other delivery method that can be accurately tracked?
9.8 Are logs maintained to track all media that is moved from a secured area, and is management approval obtained prior to moving the media (especially when media is distributed to individuals)?
9.9 Is strict control maintained over the storage and accessibility of media?

9.10 Is all media destroyed when it is no longer needed for business or legal reasons? Is destruction performed as follows:
9.10.1 (a) Are hardcopy materials cross-cut shredded, incinerated, or pulped so that cardholder data cannot be reconstructed?
    (b) Are containers that store information to be destroyed secured to prevent access to the contents? (For example, a "to-be-shredded" container has a lock preventing access to its contents.)


Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security for all personnel
PCI DSS Question | Response: Yes / No / Special*

12.1 Is a security policy established, published, maintained, and disseminated to all relevant personnel?
    For the purposes of Requirement 12, "personnel" refers to full-time and part-time employees, temporary employees and personnel, and contractors and consultants who are "resident" on the entity's site or otherwise have access to the company's site cardholder data environment.
12.1.3 Is the information security policy reviewed at least once a year and updated as needed to reflect changes to business objectives or the risk environment?
12.3 Are usage policies for critical technologies (for example, remote-access technologies, wireless technologies, removable electronic media, laptops, tablets, personal data/digital assistants (PDAs), e-mail, and Internet usage) developed to define proper use of these technologies for all personnel, and require the following:
12.3.1 Explicit approval by authorized parties to use the technologies?
12.3.3 A list of all such devices and personnel with access?
12.3.5 Acceptable uses of the technologies?
12.4 Do the security policy and procedures clearly define information security responsibilities for all personnel?
12.5 Are the following information security management responsibilities formally assigned to an individual or team:
12.5.3 Establishing, documenting, and distributing security incident response and escalation procedures to ensure timely and effective handling of all situations?
12.6 (a) Is a formal security awareness program in place to make all personnel aware of the importance of cardholder data security?
12.8 If cardholder data is shared with service providers, are policies and procedures maintained and implemented to manage service providers, as follows?
12.8.1 Is a list of service providers maintained?
12.8.2 Is a written agreement maintained that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess?

12.8.3 Is there an established process for engaging service providers, including proper due diligence prior to engagement?
12.8.4 Is a program maintained to monitor service providers' PCI DSS compliance status?


Appendix A: (not used)

This page intentionally left blank.


Appendix B: Compensating Controls

Compensating controls may be considered for most PCI DSS requirements when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other, or compensating, controls.

Compensating controls must satisfy the following criteria:

1. Meet the intent and rigor of the original PCI DSS requirement.

2. Provide a similar level of defense as the original PCI DSS requirement, such that the compensating control sufficiently offsets the risk that the original PCI DSS requirement was designed to defend against. (See Navigating PCI DSS for the intent of each PCI DSS requirement.)

3. Be "above and beyond" other PCI DSS requirements. (Simply being in compliance with other PCI DSS requirements is not a compensating control.)

When evaluating "above and beyond" for compensating controls, consider the following:

Note: The items at a) through c) below are intended as examples only. All compensating controls must be reviewed and validated for sufficiency by the assessor who conducts the PCI DSS review. The effectiveness of a compensating control is dependent on the specifics of the environment in which the control is implemented, the surrounding security controls, and the configuration of the control. Companies should be aware that a particular compensating control will not be effective in all environments.

a) Existing PCI DSS requirements CANNOT be considered as compensating controls if they are already required for the item under review. For example, passwords for non-console administrative access must be sent encrypted to mitigate the risk of intercepting clear-text administrative passwords. An entity cannot use other PCI DSS password requirements (intruder lockout, complex passwords, etc.) to compensate for lack of encrypted passwords, since those other password requirements do not mitigate the risk of interception of clear-text passwords. Also, the other password controls are already PCI DSS requirements for the item under review (passwords).

b) Existing PCI DSS requirements MAY be considered as compensating controls if they are required for another area, but are not required for the item under review. For example, two-factor authentication is a PCI DSS requirement for remote access. Two-factor authentication from within the internal network can also be considered as a compensating control for non-console administrative access when transmission of encrypted passwords cannot be supported. Two-factor authentication may be an acceptable compensating control if: (1) it meets the intent of the original requirement by addressing the risk of intercepting clear-text administrative passwords; and (2) it is set up properly and in a secure environment.

c) Existing PCI DSS requirements may be combined with new controls to become a compensating control. For example, if a company is unable to render cardholder data unreadable per requirement 3.4 (for example, by encryption), a compensating control could consist of a device or combination of devices, applications, and controls that address all of the following: (1) internal network segmentation; (2) IP address or MAC address filtering; and (3) two-factor authentication from within the internal network.

4. Be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement.

The assessor is required to thoroughly evaluate compensating controls during each annual PCI DSS assessment to validate that each compensating control adequately addresses the risk the original PCI DSS requirement was designed to address, per items 1-4 above. To maintain compliance, processes and controls must be in place to ensure compensating controls remain effective after the assessment is complete.


Appendix C: Compensating Controls Worksheet

Use this worksheet to define compensating controls for any requirement where "YES" was checked and compensating controls were mentioned in the "Special" column.

Note: Only companies that have undertaken a risk analysis and have legitimate technological or documented business constraints can consider the use of compensating controls to achieve compliance.

Requirement Number and Definition:

Information Required | Explanation
1. Constraints: List constraints precluding compliance with the original requirement. |
2. Objective: Define the objective of the original control; identify the objective met by the compensating control. |
3. Identified Risk: Identify any additional risk posed by the lack of the original control. |
4. Definition of Compensating Controls: Define the compensating controls and explain how they address the objectives of the original control and the increased risk, if any. |
5. Validation of Compensating Controls: Define how the compensating controls were validated and tested. |
6. Maintenance: Define process and controls in place to maintain compensating controls. |


Compensating Controls Worksheet - Completed Example

Use this worksheet to define compensating controls for any requirement where "YES" was checked and compensating controls were mentioned in the "Special" column.

Requirement Number: 8.1 - Are all users identified with a unique user name before allowing them to access system components or cardholder data?

Information Required | Explanation
1. Constraints: List constraints precluding compliance with the original requirement. | Company XYZ employs stand-alone Unix Servers without LDAP. As such, they each require a "root" login. It is not possible for Company XYZ to manage the "root" login nor is it feasible to log all "root" activity by each user.
2. Objective: Define the objective of the original control; identify the objective met by the compensating control. | The objective of requiring unique logins is twofold. First, it is not considered acceptable from a security perspective to share login credentials. Secondly, having shared logins makes it impossible to state definitively that a person is responsible for a particular action.
3. Identified Risk: Identify any additional risk posed by the lack of the original control. | Additional risk is introduced to the access control system by not ensuring all users have a unique ID and are able to be tracked.
4. Definition of Compensating Controls: Define the compensating controls and explain how they address the objectives of the original control and the increased risk, if any. | Company XYZ is going to require all users to log into the servers from their desktops using the SU command. SU allows a user to access the "root" account and perform actions under the "root" account but is able to be logged in the SU-log directory. In this way, each user's actions can be tracked through the SU account.
5. Validation of Compensating Controls: Define how the compensating controls were validated and tested. | Company XYZ demonstrates to assessor that the SU command being executed and that those individuals utilizing the command are logged to identify that the individual is performing actions under root privileges.
6. Maintenance: Define process and controls in place to maintain compensating controls. | Company XYZ documents processes and procedures to ensure SU configurations are not changed, altered, or removed to allow individual users to execute root commands without being individually tracked or logged.


Appendix D: Explanation of Non-Applicability

If "N/A" or "Not Applicable" was entered in the "Special" column, use this worksheet to explain why the related requirement is not applicable to your organization.

Requirement | Reason Requirement is Not Applicable
Example: 12.8 | Cardholder data is never shared with service providers.
