# Payment Card Industry Data Security Standard
## PCI DSS v4.0 Report on Compliance Template
Revision 1, December 2022
## Document Changes
| Date | Version | Description |
| --- | --- | --- |
| February 2014 | PCI DSS 3.0, Revision 1.0 | To introduce the template for submitting Reports on Compliance.<br><br>This document is intended for use with version 3.0 of the PCI Data Security Standard. |
| July 2014 | PCI DSS 3.0, Revision 1.1 | Errata - Minor edits made to address typos and general errors, slight addition of content. |
| April 2015 | PCI DSS 3.1, Revision 1.0 | Revision to align with changes from PCI DSS 3.0 to PCI DSS 3.1 (see PCI DSS -- Summary of Changes from PCI DSS Version 3.0 to 3.1 for details of those changes). Also includes minor edits made for clarification and/or format. |
| April 2016 | PCI DSS 3.2, Revision 1.0 | Revision to align with changes from PCI DSS 3.1 to PCI DSS 3.2 (see PCI DSS -- Summary of Changes from PCI DSS Version 3.1 to 3.2 for details of those changes). Also includes minor corrections and edits made for clarification and/or format. |
| June 2018 | PCI DSS 3.2.1, Revision 1.0 | Revision to align with changes from PCI DSS 3.2 to PCI DSS 3.2.1 (see PCI DSS -- Summary of Changes from PCI DSS Version 3.2 to 3.2.1 for details of changes). Also includes minor corrections and edits made for clarification and/or format. |
| March 2022 | PCI DSS 4.0 | Updates to align with the changes from PCI DSS v3.2.1 to PCI DSS v4.0 (see PCI DSS -- Summary of Changes from PCI DSS Version 3.2.1 to 4.0 for details of changes). Also includes corrections and edits made for clarification and/or format. |
| December 2022 | PCI DSS 4.0, Revision 1 | Updates include minor clarifications, corrections to typographical errors, and removal of In Place with Remediation as a reporting option. |
**Table of Contents**

- **[[#ROC Template Instructions]]**
  - [[#ROC Sections]]
  - [[#Assessment Findings]]
  - [[#What Is the Difference between Not Applicable and Not Tested?]]
  - [[#Dependence on Another Service Provider's Compliance]]
  - [[#Assessment Approach Reporting Options]]
  - [[#Understanding the Reporting Instructions]]
  - [[#Dos and Don'ts Reporting Expectations]]
  - [[#PCI DSS v4.0 Report on Compliance Template]]
- **[[#Part I Assessment Overview]]**
  1. [Contact Information and Summary of Results](#contact-information-and-summary-of-results)
     1. [Contact Information](#contact-information)
     2. [Date and Timeframe of Assessment](#date-and-timeframe-of-assessment)
     3. [Remote Assessment Activities](#remote-assessment-activities)
     4. [Additional Services Provided by QSA Company](#additional-services-provided-by-qsa-company)
     5. [Use of Subcontractors](#use-of-subcontractors)
     6. [Additional Information/Reporting](#additional-informationreporting)
     7. [Overall Assessment Result](#overall-assessment-result)
     8. [Summary of Assessment](#summary-of-assessment)
     9. [Attestation Signatures](#attestation-signatures)
  2. [Business Overview](#business-overview)
     1. [Description of the Entity's Payment Card Business](#description-of-the-entitys-payment-card-business)
  3. [Description of Scope of Work and Approach Taken](#description-of-scope-of-work-and-approach-taken)
     1. [Assessor's Validation of Defined Scope Accuracy](#assessors-validation-of-defined-scope-accuracy)
     2. [Segmentation](#segmentation)
     3. [PCI SSC Validated Products and Solutions](#pci-ssc-validated-products-and-solutions)
     4. [Sampling](#sampling)
  4. [Details About Reviewed Environments](#details-about-reviewed-environments)
     1. [Network Diagrams](#network-diagrams)
     2. [Account Dataflow Diagrams](#account-dataflow-diagrams)
     3. [Storage of Account Data](#storage-of-account-data)
     4. [In-scope Third-Party Service Providers (TPSPs)](#in-scope-third-party-service-providers-tpsps)
     5. [In-scope Networks](#in-scope-networks)
     6. [In-scope Locations/Facilities](#in-scope-locationsfacilities)
     7. [In-scope Business Functions](#in-scope-business-functions)
     8. [In-scope System Component Types](#in-scope-system-component-types)
     9. [Sample Sets for Reporting](#sample-sets-for-reporting)
  5. [Quarterly Scan Results](#quarterly-scan-results)
     1. [Quarterly External Scan Results](#quarterly-external-scan-results)
     2. [Attestations of Scan Compliance](#attestations-of-scan-compliance)
     3. [Quarterly Internal Scan Results](#quarterly-internal-scan-results)
  6. [Evidence (Assessment Workpapers)](#evidence-assessment-workpapers)
     1. [Evidence Retention](#evidence-retention)
     2. [Documentation Evidence](#documentation-evidence)
     3. [Interview Evidence](#interview-evidence)
     4. [Observation Evidence](#observation-evidence)
     5. [System Evidence](#system-evidence)
- [Part II Findings and Observations](#part-ii-findings-and-observations)
  - [Build and Maintain a Secure Network and Systems](#build-and-maintain-a-secure-network-and-systems)
    - [Requirement 1: Install and Maintain Network Security Controls](#requirement-1-install-and-maintain-network-security-controls)
    - [Requirement 2: Apply Secure Configurations to All System Components](#requirement-2-apply-secure-configurations-to-all-system-components)
  - [Protect Account Data](#protect-account-data)
    - [Requirement 3: Protect Stored Account Data](#requirement-3-protect-stored-account-data)
    - [Requirement 4: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks](#requirement-4-protect-cardholder-data-with-strong-cryptography-during-transmission-over-open-public-networks)
  - [Maintain a Vulnerability Management Program](#maintain-a-vulnerability-management-program)
    - [Requirement 5: Protect All Systems and Networks from Malicious Software](#requirement-5-protect-all-systems-and-networks-from-malicious-software)
    - [Requirement 6: Develop and Maintain Secure Systems and Software](#requirement-6-develop-and-maintain-secure-systems-and-software)
  - [Implement Strong Access Control Measures](#implement-strong-access-control-measures)
    - [Requirement 7: Restrict Access to System Components and Cardholder Data by Business Need to Know](#requirement-7-restrict-access-to-system-components-and-cardholder-data-by-business-need-to-know)
    - [Requirement 8: Identify Users and Authenticate Access to System Components](#requirement-8-identify-users-and-authenticate-access-to-system-components)
    - [Requirement 9: Restrict Physical Access to Cardholder Data](#requirement-9-restrict-physical-access-to-cardholder-data)
  - [Regularly Monitor and Test Networks](#regularly-monitor-and-test-networks)
    - [Requirement 10: Log and Monitor All Access to System Components and Cardholder Data](#requirement-10-log-and-monitor-all-access-to-system-components-and-cardholder-data)
    - [Requirement 11: Test Security of Systems and Networks Regularly](#requirement-11-test-security-of-systems-and-networks-regularly)
  - [Maintain an Information Security Policy](#maintain-an-information-security-policy)
    - [Requirement 12: Support Information Security with Organizational Policies and Programs](#requirement-12-support-information-security-with-organizational-policies-and-programs)
- [Appendix A Additional PCI DSS Requirements](#appendix-a-additional-pci-dss-requirements)
  - [A1 Additional PCI DSS Requirements for Multi-Tenant Service Providers](#a1-additional-pci-dss-requirements-for-multi-tenant-service-providers)
  - [A2 Additional PCI DSS Requirements for Entities Using SSL/Early TLS for Card-Present POS POI Terminal Connections](#a2-additional-pci-dss-requirements-for-entities-using-sslearly-tls-for-card-present-pos-poi-terminal-connections)
  - [A3 Designated Entities Supplemental Validation (DESV)](#a3-designated-entities-supplemental-validation-desv)
- [Appendix B Compensating Controls](#appendix-b-compensating-controls)
- [Appendix C Compensating Controls Worksheet](#appendix-c-compensating-controls-worksheet)
- [Appendix D Customized Approach](#appendix-d-customized-approach)
- [Appendix E Customized Approach Template](#appendix-e-customized-approach-template)
### ROC Template Instructions
This document, the PCI DSS v4.0 Report on Compliance Template ("ROC Template"), is the mandatory template for Qualified Security Assessors (QSAs) completing a Report on Compliance (ROC) for assessments against the *Payment Card Industry Data Security Standard (PCI DSS) Requirements and Testing Procedures*. The ROC Template provides the reporting instructions and template for QSAs to document PCI DSS assessments with the aim of ensuring a consistent level of reporting among assessors.
Use of this ROC Template is mandatory for all PCI DSS v4.0 submissions.
The tables in this template may be modified to increase/decrease the number of rows or to change the column width. Additional appendices may be added if the assessor feels there is relevant information to be included that is not addressed in the current format. However, the assessor must not remove any details from the tables provided in this document. Personalization, such as the addition of company logos to the title page below, is acceptable.
Do not delete any content from Part I or Part II of this document. The Instruction pages may be deleted; however, the assessor must follow these instructions while documenting the assessment. The addition of text or rows is acceptable, within reason, as noted above. Refer to the *PCI DSS v4.x Report on Compliance Template - Frequently Asked Questions* document on the PCI SSC website for further guidance.
The ROC is completed during PCI DSS assessments as part of an entity's validation process. The ROC provides details about the entity's environment and assessment methodology and documents the entity's assessment results for each PCI DSS requirement. A PCI DSS compliance assessment involves thorough testing and assessment activities, from which the assessor will generate evidence (assessment workpapers). These workpapers contain comprehensive records of the assessment activities, including observations, results of system testing, configuration data, file lists, interview notes, documentation excerpts, references, screenshots, and other evidence collected during the assessment. The ROC is effectively a summary of evidence derived from the assessor's workpapers to document how the assessor performed the validation activities and how the resultant findings were reached. At a high level, the ROC provides a comprehensive summary of testing activities performed and information collected during the assessment against the *Payment Card Industry Data Security Standard (PCI DSS) Requirements and Testing Procedures*. The information contained in a ROC must provide enough information and coverage to support the designated assessment findings.
### ROC Sections
The ROC includes the following sections and appendices:
- Part I: Assessment Overview
  - Section 1: Contact Information and Summary of Results
  - Section 2: Business Overview
  - Section 3: Description of Scope of Work and Approach Taken
  - Section 4: Details about Reviewed Environment
  - Section 5: Quarterly Scan Results
  - Section 6: Evidence (Assessment Workpapers)
- Part II: Findings and Observations
  - Build and Maintain a Secure Network and Systems
  - Protect Account Data
  - Maintain a Vulnerability Management Program
  - Implement Strong Access Control Measures
  - Regularly Monitor and Test Networks
  - Maintain an Information Security Policy
- Appendix A: Additional PCI DSS Requirements
- Appendix B: Compensating Controls
- Appendix C: Compensating Controls Worksheet
- Appendix D: Customized Approach
- Appendix E: Customized Approach Template
Part I must be thoroughly and accurately completed to provide proper context for the assessment findings in Part II. The ROC Template includes tables with reporting instructions built-in to help assessors provide all required information throughout the document. Responses must be specific and focus on concise quality of detail, rather than lengthy, repeated verbiage. Use of template language for descriptions is discouraged and details must be specifically relevant to the assessed entity.
### Assessment Findings
There are four possible assessment findings: In Place, Not Applicable, Not Tested, and Not in Place. At each sub-requirement there is a place to designate the result ("Assessment Findings"), which can be checked as appropriate. See the example format in [*Figure 1*.](#_bookmark3)
Refer to the following table when considering which selection to make. Only one assessment finding may be selected at the sub-requirement level and reporting associated with that assessment finding must be consistent across all required documents, including the AOC.
Refer to the *PCI DSS v4.x Report on Compliance Template - Frequently Asked Questions* document on the PCI SSC website for further guidance.
| Assessment<br>Finding | When to Use This Assessment Finding | Using Figure 1 | Required Reporting |
| --- | --- | --- | --- |
| In Place | The expected testing has been performed, and all<br>elements of the requirement have been met. | In _Figure 1_, the Assessment Finding at 1.1.1 is In<br>Place if all report findings are In Place for 1.1.1.a and<br>1.1.1.b or a combination of In Place and Not<br>Applicable. | Describe how the testing<br>and evidence<br>demonstrates the<br>requirement is In Place. |
| Not Applicable | The requirement does not apply to the organization's environment.<br><br>Not Applicable responses require reporting on testing performed to confirm the Not Applicable status including a detailed description explaining how it was determined that the requirement does not apply.<br><br>Note that reporting instructions that start with "If Yes" or "If No" do not require additional testing to confirm the Not Applicable status. For example, if the Reporting Instruction was "If Yes, complete the following" and the response was "No" then the assessor would simply mark that section as Not Applicable or N/A and no further testing is required. | In _Figure 1_, the Assessment Finding at 1.1.1 is Not Applicable if both 1.1.1.a and 1.1.1.b are concluded to be Not Applicable. A requirement is applicable if any aspects of the requirement apply to the environment being assessed, and a Not Applicable designation in the Assessment Findings should not be used in this scenario.<br><br>***Note:** Requirements and/or individual bullets within a requirement noted as a best practice until its effective date are considered Not Applicable until the future date has passed. While it is true that the requirement is likely not tested (hence the original instructions), it is not required to be tested until the future date has passed, and the requirement is therefore not applicable until that date. As such, a Not Applicable response to future-dated requirements is accurate, whereas a Not Tested response would imply there was not any consideration as to whether it could apply.*<br><br>Once the effective date has passed, responses to those requirements should be consistent with instructions for all requirements. | Describe the testing performed and the results of the testing that demonstrates the requirement is Not Applicable. |
| Not Tested | The requirement (or any single aspect of the requirement) was not included for consideration in the assessment and was not tested in any way.<br><br>(See "What is the difference between Not Applicable and Not Tested?" in the following section for examples of when this option should be used.)<br><br>***Note**: Where Not Tested is used, the assessment is considered a Partial Assessment.* | In _Figure 1_, the Assessment Finding at 1.1.1 is Not Tested if either 1.1.1.a or 1.1.1.b are concluded to be Not Tested. | Describe why this requirement was excluded from the assessment. |
| Not in Place | Some or all elements of the requirement have not been met, are in the process of being implemented, or require further testing before it will be known if they are In Place.<br><br>This response is also used if a requirement cannot be met due to a legal restriction, meaning that meeting the requirement would contravene a local or regional law or regulation. The assessor must confirm that a statutory law or regulation exists that prohibits the requirement from being met.<br><br>***Note:** Contractual obligations or legal advice are not legal restrictions.* | In _Figure 1_, the Assessment Finding at 1.1.1 is Not in Place if either 1.1.1.a or 1.1.1.b are concluded to be Not in Place. | Describe how the testing and evidence demonstrates the requirement is Not in Place.<br><br>If the requirement is Not in Place due to a legal restriction, the assessor must describe the statutory law or regulation that prohibits the requirement from being met. |
[]{#_bookmark3 .anchor}**Figure 1. Example Requirement**

| **Requirement Description** | | |
| --- | --- | --- |
| **1.1** Example Requirement Description | | |
| **PCI DSS Requirement** | | |
| **1.1.1** Example Requirement | | |
| **Assessment Findings (select one)** | | |
| ☐ **In Place** ☐ **Not Applicable** ☐ **Not Tested** ☐ **Not in Place** | | |
| Describe why the assessment finding was selected.<br><br>***Note**: Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.* | | \<Enter Response Here\> |
| **Validation Method -- Customized Approach** | | |
| **Indicate** whether a Customized Approach was used: | | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used.<br><br>***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)* | | \<Enter Response Here\> |
| **Validation Method -- Defined Approach** | | |
| **Indicate** whether a Compensating Control was used: | | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used.<br><br>***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)* | | \<Enter Response Here\> |
| **Testing Procedures** | **Reporting Instructions** | **Reporting Details: Assessor's Response** |
| **1.1.1.a** Example testing procedure | Example reporting instruction | \<Enter Response Here\> |
| **1.1.1.b** Example testing procedure | Example reporting instruction | \<Enter Response Here\> |
### What Is the Difference between Not Applicable and Not Tested?
Requirements that are Not Applicable to an environment must be verified as such. Using the example of wireless and an organization that does not use wireless technology in any capacity, an assessor could select Not Applicable for Requirements 1.3.3, 2.3.1 - 2.3.3, and 4.2.1.2 after the assessor confirms through testing that there are no wireless technologies used in their CDE or that connect to their CDE. Once this has been confirmed, the assessor may select Not Applicable for those specific requirements, and the accompanying reporting must reflect the testing performed to confirm the Not Applicable status.

If a requirement is completely excluded from review without any consideration as to whether it could apply, the Not Tested option must be selected. Examples of situations where this could occur may include:

- An organization may be asked by their acquirer or brand to validate a subset of requirements, for example, using the prioritized approach to validate certain milestones.
- An organization may want to validate a new security control that impacts only a subset of requirements, for example, implementation of a new encryption method that requires assessment of PCI DSS Requirements 2, 3, and 4.
- A service provider organization might offer a service that covers only a limited number of PCI DSS requirements, for example, a physical storage provider may want only to validate the physical security controls per PCI DSS Requirement 9 for their storage facility.

In these scenarios, the organization wants only to validate certain PCI DSS requirements, even though other requirements might also apply to their environment. The resulting AOC(s) must be clear in what was tested and not tested.

Items marked as Not Applicable require that the assessor render an opinion that the item is not applicable; however, with Not Tested, the assessor is simply following the entity's instructions to not test something with no opinion needed from the assessor.
### Dependence on Another Service Provider's Compliance
Generally, when reporting on a requirement where a third-party service provider is responsible for the task(s), the response is minimally captured at each requirement in the "Describe why the assessment finding was selected" section and the corresponding evidence is identified in the evidence section of the requirement. An acceptable response for an In Place finding for 1.1.1.a would be documented at the requirement and may be something like:

*Assessor verified this is the responsibility of Service Provider X, as verified through review of x/y contract (document). Assessor reviewed the AOC for Service Provider X, dated YYYY-MM-DD, and confirmed the service provider was found to be PCI DSS compliant against PCI DSS vX.X for all applicable requirements, and that it covers the scope of the services used by the assessed entity.*

That response could vary, but what's important is that it is noted as In Place, and that there has been a level of testing by the assessor to support the conclusion that this responsibility is verified and that the responsible party has been tested against the requirement and found to be compliant.
### Assessment Approach Reporting Options
There are two main reporting options for the assessment approach for PCI DSS. It is possible for different aspects of a requirement to meet any combination of these approaches. For example, if there are several types of system components that apply to a certain requirement, system component X may be validated by using a compensating control, while system component Y may be validated by using the defined approach, and system component Z may be validated by using the customized approach. Therefore, it is important to document the aspects of the requirement where Compensating Controls and the Customized Approach are used.
| Assessment Approach | When to Use This Approach | Using Figure 2 |
| --- | --- | --- |
| **Customized Approach** | Focuses on the Customized Approach Objective of each PCI DSS Requirement (if applicable), allowing entities to implement controls to meet the requirement's stated Customized Approach Objective in a way that does not strictly follow the defined requirement. The customized approach supports innovation in security practices, allowing entities greater flexibility to show how their current security controls meet PCI DSS requirements.<br><br>Refer to the *Payment Card Industry Data Security Standard (PCI DSS) Requirements and Testing Procedures* for the Customized Approach Objective.<br><br>***Note:** Compensating Controls are not an option for the Customized Approach* | **For "Validation Method -- Customized Approach"**<br>- If the Customized Approach is not used, select "No" for Customized Approach acknowledgement check box, and mark the relevant reporting instruction as Not Applicable.<br>- If the Customized Approach is used, complete the following:<br>  - Select "Yes" for Customized Approach acknowledgement check box.<br>  - Identify the aspects of the requirement where the Customized Approach was used.<br>  - Complete the Customized Approach Template in *[Appendix E](#appendix-e-customized-approach-template)* (not pictured). |
| **Defined Approach** | The traditional method for implementing and validating PCI DSS and uses the Requirements and Testing Procedures defined within the standard. The entity implements security controls to meet the stated requirements, and the assessor follows the defined testing procedures to verify that the requirement has been met.<br><br>**Note on using Compensating Control(s)**: As part of the defined approach, entities that cannot meet a PCI DSS requirement explicitly as stated due to a legitimate and documented technical or business constraint may implement other or compensating controls that sufficiently mitigate the risk associated with the requirement. On an annual basis, any compensating controls must be documented by the entity and reviewed and validated by the assessor and included with the Report on Compliance submission. | **For "Validation Method -- Defined Approach"**<br>- If Compensating Controls are not used, select "No" for Compensating Control acknowledgement check box, and mark the relevant reporting instruction as Not Applicable.<br>- If Compensating Control(s) are used, complete the following:<br>  - Select "Yes" for Compensating Control acknowledgement check box.<br>  - Identify the aspects of the requirement where a compensating control(s) is used.<br>  - Complete the Compensating Controls Worksheet in *[Appendix C](#appendix-c-compensating-controls-worksheet)* (not pictured). |
**Figure 2. Assessment Approach Reporting Options**
| **Validation Method -- Customized Approach** | | |
|---|---|---|
| **Indicate** whether a Customized Approach was used: | | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used. ***Note:** The use of Customized Approach must also be documented in [Appendix E](#appendix-e-customized-approach-template).* | | \<Enter Response Here\> |
| **Validation Method -- Defined Approach** | | |
| **Indicate** whether a Compensating Control was used: | | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used. ***Note:** The use of Compensating Controls must also be documented in [Appendix C](#appendix-c-compensating-controls-worksheet).* | | \<Enter Response Here\> |
| **Testing Procedures** | **Reporting Instructions** | **Reporting Details: Assessor's Response** |
| **1.1.1.a** Example testing procedure | Example reporting instruction | \<Enter Response Here\> |
| **1.1.1.b** Example testing procedure | Example reporting instruction | \<Enter Response Here\> |
### Understanding the Reporting Instructions
> The reporting instructions in the Reporting Template explain the
> intent of the response required. Responses should be specific and
> relevant to the assessed entity. Details provided should focus on
> concise quality of detail, rather than lengthy, repeated verbiage and
> should avoid generic templated language.
>
> Assessor responses generally fall into categories, such as the
> following:
| **Reporting Instruction Term** | **Example Usage** | **Description of Response** |
|---|---|---|
| Indicate | Indicate whether the assessed entity is an issuer or supports issuing services. | The response would be either "Yes" or "No" as shown: ☐ Yes ☐ No. ***Note**: The applicability of some reporting instructions may be dependent on the response of a previous reporting instruction. If applicable, the reporting instruction will direct the assessor to a subsequent instruction based on the yes/no answer.* |
| Identify | Identify the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all documentation examined for this testing procedure. | The response would include the relevant item(s) requested. Example Reporting Instruction: "Identify the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all documentation examined for this testing procedure." Example Response: Doc-01 OR Doc-01 (Company XYZ Information Security Policy). ***Note:** When a reference number is available, it is required; however, the assessor also has the option to list individual items in addition to the reference number.* |
| Describe | Describe why the assessment finding was selected. | The response would include a detailed description of the item or activity in question, for example, details of how the evidence examined or individuals interviewed demonstrate a requirement was met, or how the assessor concluded a control implemented is fit-for-purpose. The response should be of sufficient detail to provide the reader with a comprehensive understanding of the item or activity being described. |
| Attest | Identify the name of the QSA who attests. | The assessor's name is simply provided in the response. This "signature" adds more weight than a simple "yes" or "checkmark" response and is used when no additional reporting is needed. |
### Dos and Don'ts: Reporting Expectations
**DO:**

- Use this Reporting Template when assessing against v4.0 of the PCI DSS.
- Read and understand the intent of each Requirement and Testing Procedure.
- Provide a response for every Testing Procedure.
- Provide sufficient detail and information to thoroughly document the assessment.
- Ensure sufficient detail and information are included in the workpaper evidence.
- Ensure all parts of the Testing Procedure and Reporting Instruction are addressed.
- Ensure the response covers all applicable system components, business functions, or facilities.
- Perform an internal quality assurance review of the ROC for clarity, accuracy, and quality.
- Provide useful, meaningful diagrams as directed.

**DON'T:**

- Don't select the In Place response without verification that the requirement is met (plans to meet a requirement in the future do not warrant an In Place response).
- Don't copy responses from one Testing Procedure to another.
- Don't copy responses from previous assessments.
- Don't include information irrelevant to the assessment.
- Don't leave any spaces blank. If a section does not apply, annotate it as such.
### PCI DSS v4.0 Report on Compliance Template
> Complete the following ROC Template per these instructions. The
> following title page can be populated according to the assessor
> company's corporate document guidelines (for example, company name,
> logo, date, version, etc.). All instructional content (this page and
> pages up to the table of contents) may be deleted by the assessor
> prior to finalizing the report.
>
> **PCI DSS v4.0 Report on Compliance**
>
> **Entity Name:**
>
> **Date of Report:**
>
> **Assessment End Date:**
# Part I Assessment Overview
## Contact Information and Summary of Results
### Contact Information
**Assessed Entity**
Company name:
\<Enter Response Here\>
DBA (doing business as):
\<Enter Response Here\>
Mailing address:
\<Enter Response Here\>
Company main website:
\<Enter Response Here\>
Contact name:
\<Enter Response Here\>
Contact title:
\<Enter Response Here\>
Contact phone number:
\<Enter Response Here\>
Contact e-mail address:
\<Enter Response Here\>
**Assessed Entity Internal Security Assessors**
Identify all Internal Security Assessors (ISAs) involved in the
assessment. If there were none, mark as Not Applicable. (Add rows as
needed)
ISA name:
\<Enter Response Here\>
**Qualified Security Assessor Company**
Company name:
\<Enter Response Here\>
Mailing address:
\<Enter Response Here\>
Company website:
\<Enter Response Here\>
**Lead Qualified Security Assessor**
Lead Assessor name:
\<Enter Response Here\>
Assessor phone number:
\<Enter Response Here\>
Assessor e-mail address:
\<Enter Response Here\>
Assessor PCI credentials and certificate number (QSA, Secure Software Assessor, etc.):
\<Enter Response Here\>
**Additional Assessors**
Identify all Associate QSAs involved in the assessment. If there were none, mark as Not Applicable. (Add rows as needed)

| Associate QSA name: | Associate QSA mentor name: |
|---|---|
| \<Enter Response Here\> | \<Enter Response Here\> |

Identify all other assessors involved in the assessment. If there were none, mark as Not Applicable. (Add rows as needed)

| Assessor name: | Assessor PCI credentials: (QSA, Secure Software Assessor, etc.) |
|---|---|
| \<Enter Response Here\> | \<Enter Response Here\> |

**Assessor Quality Assurance (QA) Primary Reviewer for this specific report (not the general QA contact for the QSA Company)**
QA reviewer name:
\<Enter Response Here\>
QA reviewer phone number:
\<Enter Response Here\>
QA reviewer e-mail address:
\<Enter Response Here\>
QA Reviewer's PCI Credentials (see the current QSA Qualification Requirements for acceptable credentials):
\<Enter Response Here\>
### Date and Timeframe of Assessment
| Date of Report: ***Note:** The "Date of Report" indicates the completion date of the ROC, and therefore must be no earlier than the date on which the QSA Company and assessed entity agree on the final version of the ROC.* | \<Enter Response Here\> |
|---|---|
| Date assessment began: ***Note:** This is the first date that evidence was gathered, or observations were made.* | \<Enter Response Here\> |
| Date assessment ended: ***Note:** This is the last date that evidence was gathered, or observations were made.* | \<Enter Response Here\> |
| Identify the date(s) spent onsite at the assessed entity. | \<Enter Response Here\> |
### Remote Assessment Activities
***Overview of Remote Testing Activity***

| To what extent were remote testing methods used for this assessment? | ☐ All testing was performed onsite ☐ A combination of onsite and remote testing methods was used ☐ All testing was performed remotely |
|---|---|
| If remote testing was used for any part of the assessment, briefly describe why onsite testing was not feasible or practical. | \<Enter Response Here\> |
***Summary of Testing Performed Remotely***

| **Type of Testing Activity** | **Were remote testing methods used to perform this testing activity during the assessment?** | **For all testing activities performed using remote methods:** Describe the methods used to perform the remote testing. | **For all testing activities performed using remote methods:** Describe any alternative and any additional testing activities that were performed to confirm assurance in the test result. |
|---|---|---|---|
| Examine documentation | ☐ Yes ☐ No | \<Enter Response Here\> | \<Enter Response Here\> |
| Interview personnel | ☐ Yes ☐ No | \<Enter Response Here\> | \<Enter Response Here\> |
| Examine/observe live data | ☐ Yes ☐ No | \<Enter Response Here\> | \<Enter Response Here\> |
| Observe process being performed | ☐ Yes ☐ No | \<Enter Response Here\> | \<Enter Response Here\> |
| Observe physical environment | ☐ Yes ☐ No | \<Enter Response Here\> | \<Enter Response Here\> |
| Interactive testing | ☐ Yes ☐ No | \<Enter Response Here\> | \<Enter Response Here\> |
***Assessor Assurance in Assessment Result***

| **If remote testing methods were used for the assessment, identify whether the assessor was able to:** | |
|---|---|
| Complete a thorough assessment using appropriate remote testing activities as described in the QSA Program Guide? | ☐ Yes ☐ No |
| Achieve a high degree of confidence that the assessment resulted in a complete evaluation of the entity's in-scope environment for all applicable requirements? | ☐ Yes ☐ No |
| Achieve a high degree of confidence in the accuracy and integrity of the evidence observed and reviewed? | ☐ Yes ☐ No |
| Achieve a level of confidence in the remote testing results that is commensurate to the level of confidence that would have been achieved via onsite testing? | ☐ Yes ☐ No |
| Achieve a high degree of assurance in the overall assessment result? | ☐ Yes ☐ No |
***Requirements That Could Not be Fully Verified***

| Were any requirements unable to be fully tested, or was the assessor otherwise unable to reach a finding for any requirement due to an inability to perform onsite testing? **If yes**, complete the following table. | ☐ Yes ☐ No |
|---|---|

| **Requirement number** | **Was any testing able to be completed for this requirement?** | **Describe what (if any) aspects of the requirement could be verified** | **Describe what aspects of the requirement could not be verified** |
|---|---|---|---|
| \<Enter Response Here\> | ☐ Yes ☐ No | \<Enter Response Here\> | \<Enter Response Here\> |
| \<Enter Response Here\> | ☐ Yes ☐ No | \<Enter Response Here\> | \<Enter Response Here\> |
| \<Enter Response Here\> | ☐ Yes ☐ No | \<Enter Response Here\> | \<Enter Response Here\> |
### Additional Services Provided by QSA Company
> The *PCI SSC Qualification Requirements for Qualified Security
> Assessors (QSA)* includes content on "Independence," which specifies
> requirements for assessor disclosure of services and/or offerings that
> could reasonably be viewed to affect the independence of assessment.
> Complete the section below after reviewing the relevant portions of
> the Qualification Requirements to ensure responses are consistent with
> documented obligations.
| Indicate whether the QSA Company provided any consultation on the development or implementation of controls used for the Customized Approach. ***Note**: This does not apply to the assessment of the Customized Approach.* | ☐ Yes ☐ No |
|---|---|
| If "**Yes**," describe the nature of the consultation. | \<Enter Response Here\> |
| Disclose all products or services provided to the assessed entity by the QSA Company that are not listed above and that were reviewed during this assessment or could reasonably be viewed to affect independence of assessment. | \<Enter Response Here\> |
| Describe efforts made to ensure no conflict of interest resulted from the above-mentioned products and services provided by the QSA Company. | \<Enter Response Here\> |
### Use of Subcontractors
| Indicate whether any assessment activities were subcontracted to another Assessor Company. ***Note:** The use of subcontractors must conform with the requirements defined in the Qualification Requirements for Qualified Security Assessors (QSA) and Qualified Security Assessor Program Guide.* | ☐ Yes ☐ No |
|---|---|
| **If yes, identify** the Assessor Company(s) utilized during the assessment. | \<Enter Response Here\> |
### Additional Information/Reporting
Identify the number of consecutive years (including the current year) the QSA Company has issued ROCs for this entity.
\<Enter Response Here\>
### Overall Assessment Result
Indicate below whether a full or partial assessment was completed. Select only one.

- ☐ **Full Assessment:** All requirements have been assessed and therefore no requirements were marked as Not Tested.
- ☐ **Partial Assessment:** One or more requirements have not been assessed and were therefore marked as Not Tested. Any requirement not assessed is noted as Not Tested in section 1.8.1 below.

**Overall Assessment Result (Select only one)**

- ☐ **Compliant:** All sections of the PCI DSS ROC are complete, and all assessed requirements are marked as being either In Place or Not Applicable, resulting in an overall COMPLIANT rating; thereby the assessed entity has demonstrated compliance with all PCI DSS requirements except those noted as Not Tested above.
- ☐ **Non-Compliant:** Not all sections of the PCI DSS ROC are complete, or one or more requirements are marked as Not in Place, resulting in an overall NON-COMPLIANT rating; thereby the assessed entity has not demonstrated compliance with PCI DSS requirements.
- ☐ **Compliant but with Legal Exception:** One or more assessed requirements in the ROC are marked as Not in Place due to a legal restriction that prevents the requirement from being met and all other assessed requirements are marked as being either In Place or Not Applicable, resulting in an overall COMPLIANT BUT WITH LEGAL EXCEPTION rating; thereby the assessed entity has demonstrated compliance with all PCI DSS requirements except those noted as Not Tested above or as Not in Place due to a legal restriction.
### Summary of Assessment
***Summary of Assessment Findings and Methods***
>
> Indicate all the findings and assessment methods within each PCI DSS
> principal requirement. Select all that apply. For example, ***In
> Place*** and ***Not Applicable*** must both be selected for
> Requirement 1 if there is at least one sub-requirement marked ***In
> Place*** and one sub-requirement marked ***Not Applicable***. The
> columns for Compensating Controls and Customized Approach must be
> selected if there is at least one sub-requirement within the
> principal requirement that utilizes the respective method. For
> example, Compensating Control and Customized Approach must both be
> checked if at least one sub-requirement utilizes Compensating Controls
> and at least one sub-requirement utilizes a Customized Approach. If
> neither Compensating Controls nor Customized Approach are used, then
> leave both blank.
**Assessment Finding** (select all options that apply): In Place, Not Applicable, Not Tested, Not in Place. **Select If Below Method(s) Was Used**: Compensating Control, Customized Approach.

| **PCI DSS Requirement** | **In Place** | **Not Applicable** | **Not Tested** | **Not in Place** | **Compensating Control** | **Customized Approach** |
|---|---|---|---|---|---|---|
| Requirement 1: | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ |
| Requirement 2: | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ |
| Requirement 3: | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ |
| Requirement 4: | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ |
| Requirement 5: | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ |
| Requirement 6: | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ |
| Requirement 7: | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ |
| Requirement 8: | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ |
| Requirement 9: | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ |
| Requirement 10: | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ |
| Requirement 11: | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ |
| Requirement 12: | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ |
| Appendix A1: | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ |
| Appendix A2: | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ |
| Appendix A3: | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ |

In the sections below identify the sub-requirements with the following results and assessment methods. If there are none, enter "Not Applicable."

***Note:** Natural grouping of requirements is allowed (for example, Req. 3, 1.1, 1.1.1, 1.1.2, or 1.2.1 through 1.2.3, etc.) to reduce the number of individual requirements listed.*

| **Not Applicable** | **Not Tested** | **Not in Place Due to a Legal Restriction** | **Not in Place <u>Not</u> Due to a Legal Restriction** | **Compensating Control** | **Customized Approach** |
|---|---|---|---|---|---|
| \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> |
***Optional: Additional Assessor Comments***
>
> This optional field is provided for the assessor to document any
> additional information that is relevant to the entity being assessed
> and that may or may not have impacted the findings of this assessment.
>
> \<Enter Response Here\>
### Attestation Signatures
> When a QSA company has performed the assessment, the Lead Assessor
> thereby confirms the following:
**Attestation of independence**

- This assessment was conducted strictly in accordance with all applicable requirements set forth in the *Payment Card Industry Data Security Standard Qualification Requirements for Assessors*, including but not limited to the requirements therein regarding independence, independent judgment and objectivity, disclosure, conflicts of interest, misrepresentations, and instruction of employees;
- This assessment was conducted in a manner intended to preserve at all times the professional judgment, integrity, impartiality, and professional skepticism of the Assessor Company;
- This Report on Compliance accurately identifies, describes, represents, and characterizes all factual evidence that the QSA Company and its Assessor Employees gathered, generated, discovered, reviewed, and/or determined in their sole discretion to be relevant to this assessment in the course of performing the assessment; and
- The judgments, conclusions, and findings contained in this Report on Compliance (a) accurately reflect and are based solely upon the factual evidence described immediately above, (b) reflect the independent judgments, findings, and conclusions of the QSA Company and its Assessor Employees only, acting in their sole discretion, and (c) were not in any manner influenced, directed, controlled, modified, provided, or subjected to any prior approval by the assessed entity, any contractor, representative, professional advisor, agent or affiliate thereof, or any other person or entity other than the QSA Company and its Assessor Employees.

**Attestation of scoping accuracy**

To the best of my knowledge, the scope of this PCI DSS assessment is complete and accurate and all information pertaining to the scope of this PCI DSS Assessment is accurately represented in Section 3, "Description of Scope of Work and Approach Taken," and Section 4, "Details about Reviewed Environment."

**Attestation of sampling**

To the best of my knowledge, all sample sets used for this PCI DSS Assessment are accurately represented in [Section 4.9](#sample-sets-for-reporting), "Sample sets for reporting."

**Signatures**

| *Signature of Lead Assessor:* | *Date*: \<Enter Response Here\> |
|---|---|
| *Lead Assessor Name:* \<Enter Response Here\> | *QSA Company Name:* \<Enter Response Here\> |

***Note:** This section must be printed and signed manually or digitally signed using a PCI SSC-accepted electronic/digital signature.*
## Business Overview
### Description of the Entity's Payment Card Business
> Provide an overview of the entity's payment card business, including:
+-----------------------------+----------------------------------------+
| Describe the nature of the | \<Enter Response Here\> |
| entity's business (what | |
| kind of work they do, | |
| etc.). | |
| | |
| ***Note**: This is not | |
| intended to be a | |
| cut-and-paste from the | |
| entity's website but should | |
| be a tailored description | |
| that shows the assessor | |
| understands the business of | |
| the entity being assessed.* | |
+=============================+========================================+
| Describe the entity's | \<Enter Response Here\> |
| business, services, or | |
| functions that store, | |
| process, or transmit | |
| account data or could | |
| impact the security of | |
| account data. | |
+-----------------------------+----------------------------------------+
| Identify any of the entity's| \<Enter Response Here\>                |
| business services or        |                                        |
| functions that have been    |                                        |
| excluded from the scope of  |                                        |
| this assessment.            |                                        |
+-----------------------------+----------------------------------------+
| Identify the card-present | \<Enter Response Here\> |
| payment channels the entity | |
| utilizes. | |
+-----------------------------+----------------------------------------+
| Identify the | \<Enter Response Here\> |
| card-not-present payment | |
| channels the entity | |
| utilizes. (For example, | |
| mail order/telephone order | |
| \[MOTO\], e-commerce) | |
+-----------------------------+----------------------------------------+
| Describe how the entity | \<Enter Response Here\> |
| stores, processes, and/or | |
| transmits account data. | |
+-----------------------------+----------------------------------------+
| Describe how any other | \<Enter Response Here\> |
| in-scope services or | |
| functions that the entity | |
| performs impact the | |
| security of account data. | |
| | |
| (For example, if the entity | |
| provides managed services) | |
+-----------------------------+----------------------------------------+
| Indicate whether any        | ☐ Yes ☐ No                             |
| payment channels or | |
| services that impact the | |
| security of account data | |
| have been excluded from | |
| this assessment. | |
+-----------------------------+----------------------------------------+
| If "**Yes**," identify any | |
| payment channels or | |
| services that impact the | |
| security of account data | |
| that were not included in | |
| this assessment below. (Add | |
| rows as necessary) | |
+-----------------------------+----------------------------------------+
| \<Enter Response Here\> | |
+-----------------------------+----------------------------------------+
| Other details, if | \<Enter Response Here\> |
| applicable: | |
+-----------------------------+----------------------------------------+
## Description of Scope of Work and Approach Taken
### Assessor's Validation of Defined Scope Accuracy
> Describe how the assessor validated the accuracy of the defined PCI
> DSS scope for the assessment:
>
> As noted in *Payment Card Industry Data Security Standard (PCI DSS)
> Requirements and Testing Procedures*: "The minimum steps for an entity
> to confirm the accuracy of their PCI DSS scope are specified in PCI
> DSS Requirement 12.5.2. The entity is expected to retain documentation
> to show how PCI DSS scope was determined. The documentation is
> retained for assessor review and for reference during the entity's
> next PCI DSS scope confirmation activity. For each PCI DSS assessment,
> the assessor validates that the scope of the assessment is accurately
> defined and documented."
+-----------------------------------+----------------------------------+
| Describe how the assessor's | \<Enter Response Here\> |
| evaluation of scope differs from | |
| the assessed entity's evaluation | |
| of scope as documented in | |
| Requirement 12.5. | |
| | |
| If no difference was identified, | |
| mark as "Not Applicable." | |
+===================================+==================================+
| Provide the name of the assessor | \<Enter Response Here\> |
| who attests that: | |
| | |
| - They have performed an | |
| independent evaluation of the | |
| scope of the assessed | |
| entity's PCI DSS environment. | |
| | |
| - If the assessor's evaluation | |
| identified areas of scope not | |
| included in the assessed | |
| entity's documented scope, | |
| the assessed entity has | |
| updated their scoping | |
| documentation. | |
| | |
| - The scope of the assessment | |
| is complete and accurate to | |
| the best of the assessor's | |
| knowledge. | |
+-----------------------------------+----------------------------------+
| Describe any areas of scope that | \<Enter Response Here\> |
| were excluded from the assessment | |
| including the following: | |
| | |
| - What was excluded. | |
| | |
| - Why was it excluded. | |
| | |
| - If it was included in a | |
| separate assessment. If none, | |
| mark as "Not Applicable." | |
+-----------------------------------+----------------------------------+
| Identify any factors that | \<Enter Response Here\> |
| resulted in reducing or limiting | |
| scope (for example, segmentation | |
| of the environment, use of a P2PE | |
| solution, etc.) | |
| | |
| If none, mark as "Not | |
| Applicable." | |
+-----------------------------------+----------------------------------+
| Describe any use of SAQ           | \<Enter Response Here\>          |
| eligibility criteria in           |                                  |
| determining applicability of PCI  |                                  |
| DSS requirements for this         |                                  |
| assessment, including the         |                                  |
| following:                        |                                  |
|                                   |                                  |
| - The type of SAQ applied.        |                                  |
|                                   |                                  |
| - The eligibility criteria for    |                                  |
|   the applicable SAQ.             |                                  |
|                                   |                                  |
| - How the assessor verified       |                                  |
|   that the assessed entity's      |                                  |
|   environment meets the           |                                  |
|   eligibility criteria.           |                                  |
|                                   |                                  |
| If not used, mark as "Not         |                                  |
| Applicable."                      |                                  |
+-----------------------------------+----------------------------------+
| Additional information, if | \<Enter Response Here\> |
| applicable: | |
+-----------------------------------+----------------------------------+
### Segmentation
+-----------------------------------+----------------------------------+
| Indicate whether the assessed     | ☐ Yes ☐ No                       |
| entity has used segmentation to | |
| reduce the scope of the | |
| assessment. | |
| | |
| ***Note:** An environment with no | |
| segmentation is considered a | |
| "flat" network where all systems | |
| are considered to be in scope.* | |
+===================================+==================================+
| - If "No," provide the name of | \<Enter Response Here\> |
| the assessor who attests that | |
| the entire network has been | |
| included in the scope of the | |
| assessment. | |
+-----------------------------------+----------------------------------+
| - If "Yes," complete the | |
| following: | |
+-----------------------------------+----------------------------------+
| -- Describe how the segmentation  | \<Enter Response Here\>          |
| is implemented, including the     |                                  |
| technologies and processes used.  |                                  |
+-----------------------------------+----------------------------------+
| -- Describe the environments that | \<Enter Response Here\>          |
| were confirmed to be out of scope |                                  |
| as a result of the segmentation   |                                  |
| methods.                          |                                  |
+-----------------------------------+----------------------------------+
| -- Provide the name of the        | \<Enter Response Here\>          |
| assessor who attests that the     |                                  |
| segmentation was verified to be   |                                  |
| adequate to reduce the scope of   |                                  |
| the assessment AND that the       |                                  |
| technologies/processes used to    |                                  |
| implement segmentation were       |                                  |
| included in this PCI DSS          |                                  |
| assessment.                       |                                  |
+-----------------------------------+----------------------------------+
### PCI SSC Validated Products and Solutions
> For purposes of this document, "Lists of Validated Products and
> Solutions" means the lists of validated products, solutions, and/or
> components, appearing on the PCI SSC website
> (www.pcisecuritystandards.org) (For example: 3DS Software Development
> Kits, Approved PTS Devices, Validated Payment Software, Payment
> Applications \[PA-DSS\], Point to Point Encryption \[P2PE\] solutions,
> Software-Based PIN Entry on COTS \[SPoC\] solutions, and Contactless
> Payments on COTS \[CPoC\] solutions.)
+-----------------------------------+----------------------------------+
| Indicate whether the assessed     | ☐ Yes ☐ No                       |
| entity uses one or more PCI SSC | |
| validated products or solutions. | |
+===================================+==================================+
| If "**Yes**," provide the | |
| following information regarding | |
| items the organization uses from | |
| PCI SSC\'s Lists of Validated | |
| Products and Solutions: | |
+-----------------------------------+----------------------------------+
+----------------------+--------------+----------------------+--------------+--------------+
| **Name of PCI SSC    | **Version of | **PCI SSC Standard   | **PCI SSC    | **Expiry     |
| validated product or | product or   | to which product or  | listing      | date of      |
| solution**           | solution**   | solution was         | reference    | listing**    |
|                      |              | validated**          | number**     |              |
+======================+==============+======================+==============+==============+
| \<Enter Response     | \<Enter      | \<Enter Response     | \<Enter      | \<Enter      |
| Here\>               | Response     | Here\>               | Response     | Response     |
|                      | Here\>       |                      | Here\>       | Here\>       |
+----------------------+--------------+----------------------+--------------+--------------+
| \<Enter Response     | \<Enter      | \<Enter Response     | \<Enter      | \<Enter      |
| Here\>               | Response     | Here\>               | Response     | Response     |
|                      | Here\>       |                      | Here\>       | Here\>       |
+----------------------+--------------+----------------------+--------------+--------------+
+-----------------------------------+----------------------------------+
| Provide the name of the assessor  | \<Enter Response Here\>          |
| who attests that they have read   |                                  |
| the instruction manual associated |                                  |
| with each of the software/        |                                  |
| solution(s) listed above and      |                                  |
| confirmed that the merchant has   |                                  |
| implemented the solution per the  |                                  |
| instructions and detail in the    |                                  |
| instruction manual.               |                                  |
+-----------------------------------+----------------------------------+
| Any additional comments or        | \<Enter Response Here\>          |
| findings the assessor would like  |                                  |
| to include, if applicable.        |                                  |
+-----------------------------------+----------------------------------+
### Sampling
+-----------------------------------+----------------------------------+
| Indicate whether sampling is      | ☐ Yes ☐ No                       |
| used. | |
+===================================+==================================+
| - If "No," provide the name of | \<Enter Response Here\> |
| the assessor who attests that | |
| every item in each population | |
| has been assessed. | |
+-----------------------------------+----------------------------------+
| - If "Yes," complete the | |
| following: | |
| | |
| ***Note**: If multiple sampling | |
| methodologies are used, clearly | |
| respond for each methodology.* | |
+-----------------------------------+----------------------------------+
| -- Describe the sampling          | \<Enter Response Here\>          |
| rationale(s) used for selecting   |                                  |
| sample sizes (for people, process |                                  |
| evidence, technologies, devices,  |                                  |
| locations/sites, etc.).           |                                  |
+-----------------------------------+----------------------------------+
| -- Describe how the samples are   | \<Enter Response Here\>          |
| appropriate and representative of |                                  |
| the overall populations.          |                                  |
+-----------------------------------+----------------------------------+
| -- Indicate whether standardized  | ☐ Yes ☐ No                       |
| processes and controls are in     |                                  |
| place that provide consistency    |                                  |
| between each item in the          |                                  |
| samples---for example, automated  |                                  |
| system build processes,           |                                  |
| configuration change detection,   |                                  |
| etc.                              |                                  |
+-----------------------------------+----------------------------------+
| - If "**Yes**," describe how the  | \<Enter Response Here\>          |
|   processes and controls were     |                                  |
|   validated by the assessor to be |                                  |
|   in place and effective.         |                                  |
+-----------------------------------+----------------------------------+
## Details About Reviewed Environments
### Network Diagrams
> Provide one or more network diagrams that:
- Show all connections between the CDE and other networks, including
  any wireless networks.
- Are accurate and up to date with any changes to the environment.
- Illustrate all network security controls that are defined for
  connection points between trusted and untrusted networks.
- Illustrate how system components storing cardholder data are not
  directly accessible from the untrusted networks.
- Include the techniques (such as intrusion-detection systems and/or
  intrusion-prevention systems) that are in place to monitor all
  traffic:
- At the perimeter of the cardholder data environment.
- At critical points in the cardholder data environment.
> Insert Diagrams
### Account Dataflow Diagrams
> Provide one or more dataflow diagrams that:
- Show all account data flows across systems and networks.
- Are accurate and up to date.
> Insert Diagrams
>
***Description of Account Data Flows***
+-------------------+--------------------------------------------------+
| Identify in which | |
| of the following | |
| account data | |
| flows the | |
| assessed entity | |
| participates: | |
| | |
| ***Note:** These | |
| data flows must | |
| be described in | |
| detail in the | |
| sections of the | |
| table that | |
| follow.* | |
+===================+==================================================+
|                   | ☐ Authorization ☐ Capture ☐ Settlement           |
|                   | ☐ Chargeback/Dispute ☐ Refunds ☐ Other           |
+-------------------+--------------------------------------------------+
| **Identify and | |
| describe all data | |
| flows**. | |
| Descriptions | |
| should include | |
| how and where | |
| account data | |
| enters the | |
| environment, is | |
| transmitted, is | |
| processed, is | |
| stored, and how | |
| and why any | |
| personnel access | |
| the account data. | |
| Add rows as | |
| necessary. | |
+-------------------+--------------------------------------------------+
| **Account data | **Description** |
| flows** | |
| | **(Include the type of account data)** |
| **(For example, | |
| account data flow | |
| 1, account data | |
| flow 2)** | |
+-------------------+--------------------------------------------------+
| \<Enter Response | \<Enter Response Here\> |
| Here\> | |
+-------------------+--------------------------------------------------+
| \<Enter Response | \<Enter Response Here\> |
| Here\> | |
+-------------------+--------------------------------------------------+
### Storage of Account Data
> Identify all databases, tables, and files storing account data and
> provide the following details:
>
> ***Note:** The list of files and tables that store account data in the
> table below must be supported by an inventory created (or obtained
> from the assessed entity) and retained by the assessor in the
> workpapers.*
+------------+-----------+-------------+-------------+----------------+
| **Data     | **File    | **Account   | **How Data  | **How Access   |
| Store^1^** | name(s),  | Data        | Is          | to Data Stores |
|            | Table     | Elements    | Secured^3^**| Is Logged^4^** |
|            | name(s)   | Stored^2^** |             |                |
|            | and/or    |             |             |                |
|            | Field     |             |             |                |
|            | Names**   |             |             |                |
+============+===========+=============+=============+================+
| \<Enter | \<Enter | \<Enter | \<Enter | \<Enter |
| Response | Response | Response | Response | Response |
| Here\> | Here\> | Here\> | Here\> | Here\> |
+------------+-----------+-------------+-------------+----------------+
| \<Enter | \<Enter | \<Enter | \<Enter | \<Enter |
| Response | Response | Response | Response | Response |
| Here\> | Here\> | Here\> | Here\> | Here\> |
+------------+-----------+-------------+-------------+----------------+
| \<Enter | \<Enter | \<Enter | \<Enter | \<Enter |
| Response | Response | Response | Response | Response |
| Here\> | Here\> | Here\> | Here\> | Here\> |
+------------+-----------+-------------+-------------+----------------+
| \<Enter | \<Enter | \<Enter | \<Enter | \<Enter |
| Response | Response | Response | Response | Response |
| Here\> | Here\> | Here\> | Here\> | Here\> |
+------------+-----------+-------------+-------------+----------------+
1. Database name, file server name, and so on.
2. For example, PAN, expiry, cardholder name, and so on.
3. For example, what type of encryption and strength.
4. Description of the logging mechanism used for logging access to the
   data---for example, the enterprise log management solution,
   application-level logging, operating system logging, etc. in place.
***Storage of SAD***
>
> Identify all databases, tables, and files storing Sensitive Account
> Data (SAD) and provide the following details:
>
> ***Note**: The list of files and tables that store SAD in the table
> below must be supported by an inventory created (or obtained from the
> assessed entity) and retained by the assessor in the workpapers.*
+------------+-----------+----------------------+------------------+--------------------+
| **Data     | **File    | **Is SAD Stored      | **Is SAD Stored  | **How Data Is      |
| Store^1^** | name(s),  | Pre-authorization?** | as Part of       | Secured^2^**       |
|            | Table     |                      | Issuer           |                    |
|            | name(s)   |                      | Functions?**     |                    |
|            | and/or    |                      |                  |                    |
|            | Field     |                      |                  |                    |
|            | Names**   |                      |                  |                    |
+============+===========+======================+==================+====================+
| \<Enter    | \<Enter   | ☐ Yes ☐ No           | ☐ Yes ☐ No       | \<Enter Response   |
| Response   | Response  |                      |                  | Here\>             |
| Here\>     | Here\>    |                      |                  |                    |
+------------+-----------+----------------------+------------------+--------------------+
| \<Enter    | \<Enter   | ☐ Yes ☐ No           | ☐ Yes ☐ No       | \<Enter Response   |
| Response   | Response  |                      |                  | Here\>             |
| Here\>     | Here\>    |                      |                  |                    |
+------------+-----------+----------------------+------------------+--------------------+
| \<Enter    | \<Enter   | ☐ Yes ☐ No           | ☐ Yes ☐ No       | \<Enter Response   |
| Response   | Response  |                      |                  | Here\>             |
| Here\>     | Here\>    |                      |                  |                    |
+------------+-----------+----------------------+------------------+--------------------+
| \<Enter    | \<Enter   | ☐ Yes ☐ No           | ☐ Yes ☐ No       | \<Enter Response   |
| Response   | Response  |                      |                  | Here\>             |
| Here\>     | Here\>    |                      |                  |                    |
+------------+-----------+----------------------+------------------+--------------------+
1. Database name, file server name, and so on.
2. For example, what type of encryption and strength, and so on.
### In-scope Third-Party Service Providers (TPSPs)
> Third-party service providers include, but are not limited to, third
> parties that:
- Store, process, or transmit account data on the entity's behalf (for
example, payment gateways, payment processors, payment service
providers \[PSPs\])
- Manage system components included in the entity's PCI DSS assessment
  (for example, via network security control services, anti-malware
  services, security information and event management \[SIEM\],
  web-hosting companies, IaaS, PaaS, SaaS, FaaS, etc.)
- Could impact the security of the entity's account data (for example,
vendors providing support via remote access, and/or bespoke software
developers).
> These entities are subject to PCI DSS Requirement 12.8.
>
> For each service provider or third party, provide:
+--------------+--------------------------+----------------------+----------------+--------------+--------------+------------------+
| **Company    | **Identify what account  | **Describe the       | **Has the      | **If Yes,    | **If Yes,    | **If No, were    |
| Name**       | data is shared or, if    | purpose for          | third party    | date of the  | PCI DSS      | the services     |
|              | account data is not      | utilizing the        | been assessed  | AOC**        | version of   | provided by the  |
|              | shared, how the          | service              | separately     |              | the AOC**    | third party      |
|              | organization could       | provider^2^**        | against PCI    |              |              | included in this |
|              | impact the security of   |                      | DSS?**         |              |              | assessment?**    |
|              | account data^1^**        |                      |                |              |              |                  |
+==============+==========================+======================+================+==============+==============+==================+
| \<Enter      | \<Enter Response Here\>  | \<Enter Response     | ☐ Yes ☐ No     | \<Enter      | \<Enter      | ☐ Yes ☐ No       |
| Response     |                          | Here\>               |                | Response     | Response     |                  |
| Here\>       |                          |                      |                | Here\>       | Here\>       |                  |
+--------------+--------------------------+----------------------+----------------+--------------+--------------+------------------+
| \<Enter      | \<Enter Response Here\>  | \<Enter Response     | ☐ Yes ☐ No     | \<Enter      | \<Enter      | ☐ Yes ☐ No       |
| Response     |                          | Here\>               |                | Response     | Response     |                  |
| Here\>       |                          |                      |                | Here\>       | Here\>       |                  |
+--------------+--------------------------+----------------------+----------------+--------------+--------------+------------------+
| \<Enter      | \<Enter Response Here\>  | \<Enter Response     | ☐ Yes ☐ No     | \<Enter      | \<Enter      | ☐ Yes ☐ No       |
| Response     |                          | Here\>               |                | Response     | Response     |                  |
| Here\>       |                          |                      |                | Here\>       | Here\>       |                  |
+--------------+--------------------------+----------------------+----------------+--------------+--------------+------------------+
| \<Enter      | \<Enter Response Here\>  | \<Enter Response     | ☐ Yes ☐ No     | \<Enter      | \<Enter      | ☐ Yes ☐ No       |
| Response     |                          | Here\>               |                | Response     | Response     |                  |
| Here\>       |                          |                      |                | Here\>       | Here\>       |                  |
+--------------+--------------------------+----------------------+----------------+--------------+--------------+------------------+
| \<Enter      | \<Enter Response Here\>  | \<Enter Response     | ☐ Yes ☐ No     | \<Enter      | \<Enter      | ☐ Yes ☐ No       |
| Response     |                          | Here\>               |                | Response     | Response     |                  |
| Here\>       |                          |                      |                | Here\>       | Here\>       |                  |
+--------------+--------------------------+----------------------+----------------+--------------+--------------+------------------+
1. For example, PAN, expiry date, providing support via remote access,
and so on.
2. For example, third-party storage, transaction processing, custom
software development, and so on.
### In-scope Networks
> Identify all in-scope networks including the type of network (for
> example, wired, Wi-Fi, cloud, etc.).
>
> ***Note:** This section must align with networks identified on the
> network diagram.*
>
> Describe all networks that store, process, and/or transmit Account
> Data:
+-----------------------+----------------------+-----------------------+
| **Network Name (In    | **Type of            | **Function/Purpose    |
| Scope)**              | Network**            | of Network**          |
+=======================+======================+=======================+
| \<Enter Response | \<Enter Response | \<Enter Response |
| Here\> | Here\> | Here\> |
+-----------------------+----------------------+-----------------------+
| \<Enter Response | \<Enter Response | \<Enter Response |
| Here\> | Here\> | Here\> |
+-----------------------+----------------------+-----------------------+
> Describe all networks that do not store, process, and/or transmit
> Account Data but are still in scope---for example, connected to the
> CDE or provide management functions to the CDE, etc.:
+-----------------------+----------------------+----------------------+
| > **Network Name (In | > **Type of | > **Function/Purpose |
| > Scope)** | > Network** | > of Network** |
+=======================+======================+======================+
| > \<Enter Response | \<Enter Response | \<Enter Response |
| > Here\> | Here\> | Here\> |
+-----------------------+----------------------+----------------------+
| > \<Enter Response | \<Enter Response | \<Enter Response |
| > Here\> | Here\> | Here\> |
+-----------------------+----------------------+----------------------+
| > \<Enter Response | \<Enter Response | \<Enter Response |
| > Here\> | Here\> | Here\> |
+-----------------------+----------------------+----------------------+
| > \<Enter Response | \<Enter Response | \<Enter Response |
| > Here\> | Here\> | Here\> |
+-----------------------+----------------------+----------------------+
| > \<Enter Response | \<Enter Response | \<Enter Response |
| > Here\> | Here\> | Here\> |
+-----------------------+----------------------+----------------------+
### In-scope Locations/Facilities
> Identify and provide details for all types of physical
> locations/facilities (for example, retail locations, corporate
> offices, data centers, call centers and mail rooms) in scope. Add
> rows, as needed.
+-----------------------+----------------------+----------------------+
| > **Facility Type** | **Total Number of | > **Location(s) of |
| | Locations** | > Facility (for |
| **(Datacenters, | | > example, city, |
| corporate office, | **(How many | > country)** |
| call center, mail | locations of this | |
| processing facility, | type are in scope)** | |
| etc.)** | | |
+=======================+======================+======================+
| > *Example 1: Data | *1* | *Los Angeles, |
| > center* | | California, United |
| | | States* |
+-----------------------+----------------------+----------------------+
| > *Example 2: retail | *132* | *92 locations in the |
| > locations* | | United States and 40 |
| | | in Canada* |
+-----------------------+----------------------+----------------------+
| > \<Enter Response | \<Enter Response | \<Enter Response |
| > Here\> | Here\> | Here\> |
+-----------------------+----------------------+----------------------+
| > \<Enter Response | \<Enter Response | \<Enter Response |
| > Here\> | Here\> | Here\> |
+-----------------------+----------------------+----------------------+
| > \<Enter Response | \<Enter Response | \<Enter Response |
| > Here\> | Here\> | Here\> |
+-----------------------+----------------------+----------------------+
### In-scope Business Functions
> Identify and provide details for all business and operational
> functions in scope. Functions could include telephone transaction
> handling, mail transaction handling, change control, development,
> system build and hardening, etc. Add rows as needed.
+----------------+-----------------------------------------------------+
| > **Function | **Function Description** |
| > Name** | |
+================+=====================================================+
| > \<Enter | \<Enter Response Here\> |
| > Response | |
| > Here\> | |
+----------------+-----------------------------------------------------+
| > \<Enter | \<Enter Response Here\> |
| > Response | |
| > Here\> | |
+----------------+-----------------------------------------------------+
| > \<Enter | \<Enter Response Here\> |
| > Response | |
| > Here\> | |
+----------------+-----------------------------------------------------+
### In-scope System Component Types
> Identify all types of system components in scope.
>
> "System components" include network devices, servers, computing
> devices, virtual components, cloud components, and software. Examples
> of system components include, but are not limited to:
- Systems that store, process, or transmit account data (for example,
payment terminals, authorization systems, clearing systems, payment
middleware systems, payment back-office systems, shopping cart and
store front systems, payment gateway/switch systems, fraud
monitoring systems).
- Systems that provide security services (for example, authentication
servers, access control servers, security information and event
management (SIEM) systems, physical security systems (for example,
badge access or CCTV), multi-factor authentication systems,
anti-malware systems).
- Systems that facilitate segmentation (for example, internal network
security controls).
- Systems that could impact the security of account data or the CDE
(for example, name resolution, or e-commerce \[web\] redirection
servers).
- Virtualization components such as virtual machines, virtual
switches/routers, virtual appliances, virtual applications/desktops,
and hypervisors.
- Cloud infrastructure and components, both external and on premises,
and including instantiations of containers or images, virtual
private clouds, cloud-based identity and access management, CDEs
residing on premises or in the cloud, service meshes with
containerized applications, and container orchestration tools.
- Network components, including but not limited to network security
controls, switches, routers, VoIP network devices, wireless access
points, network appliances, and other security appliances.
- Server types, including but not limited to web, application,
database, authentication, mail, proxy, Network Time Protocol (NTP),
and Domain Name System (DNS).
- End-user devices, such as computers, laptops, workstations,
administrative workstations, tablets, and mobile devices.
- Printers, and multi-function devices that scan, print, and fax.
- Storage of account data in any format (for example, paper, data
files, audio files, images, and video recordings).
- Applications, software, and software components, serverless
  applications, including all purchased, subscribed (for example,
  Software-as-a-Service), bespoke and custom software, including
  internal and external (for example, Internet) applications.
- Tools, code repositories, and systems that implement software
configuration management or for deployment of objects to the CDE or
to systems that can impact the CDE.
> For each item, even if it resides with other system components, list
> it below, with each component that has a different role, vendor, or
> make/model/version on a separate row. Add rows as needed.
| **Type of System Component ^1** | **Total Number of System Components ^2** | **Vendor** | **Product Name and Version** | **Role/Function Description** |
| --- | --- | --- | --- | --- |
| \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> |
| \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> |
| \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> |
| \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> |
| \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> |
| \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> |
1. For example, application, firewall, server, IDS, Anti-malware
software, database, and so on.
2. How many system components of this type are in scope.
### 4.9 Sample Sets for Reporting
Identify all sample sets used during testing.
When sampling is used, the assessor must identify the items in the population that were tested as part of the sample (for example, as "Sample Set-1") in the table below and include all of the sub-requirements where that sample set was used. All unique sample sets must be documented in this table.
***Note:*** For items where the total population fluctuates or is difficult to determine, the assessor may work with the assessed entity to provide an estimated total population in the total population column below.
| Tested Sample Set Reference Number | Identify All Sub-Requirements Where the Sample Set is Used | Sample Type Description ^1 | Identify All Items in the Sample Set ^2 | Selection Method ^3 | Total Sampled | Total Population |
| --- | --- | --- | --- | --- | --- | --- |
| \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> |
| \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> |
| \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> |
| \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> |
1. For example, firewalls, datacenters, change records, User IDs, and so on.
2. For example, unique system identifiers, location addresses/identifiers, change record numbers/identifiers, personnel identifier, and so on.
3. Describe the method for selecting individual items in the sample sets.
## 5 Quarterly Scan Results
### 5.1 Quarterly External Scan Results
Identify each quarterly ASV scan performed within the last 12 months in the table below.
Four passing quarterly scans are not required for initial PCI DSS compliance if the assessor verified:
- The most recent scan result was a passing scan,
- The entity has documented policies and procedures requiring quarterly scanning going forward, and
- Any vulnerabilities noted in the initial scan have been corrected as shown in a re-scan.
For subsequent years after the initial PCI DSS assessment, four passing quarterly scans must have occurred.
| **Date of the Scan(s)** | **Name of ASV that Performed the Scan** | **Were any vulnerabilities found that resulted in a failed initial scan?** | **For all scans resulting in a Fail, provide date(s) of re-scans showing that the vulnerabilities have been corrected** |
| --- | --- | --- | --- |
| \<Enter Response Here\> | \<Enter Response Here\> | ☐ Yes ☐ No | \<Enter Response Here\> |
| \<Enter Response Here\> | \<Enter Response Here\> | ☐ Yes ☐ No | \<Enter Response Here\> |
| \<Enter Response Here\> | \<Enter Response Here\> | ☐ Yes ☐ No | \<Enter Response Here\> |
| \<Enter Response Here\> | \<Enter Response Here\> | ☐ Yes ☐ No | \<Enter Response Here\> |
| Indicate whether this is the assessed entity's initial PCI DSS compliance validation. | | | ☐ Yes ☐ No |
| If **yes**, identify the name of the document the assessor verified to include the entity's documented policies and procedures requiring quarterly scanning going forward. | | | \<Enter Response Here\> |
| Assessor comments, if applicable: | | | \<Enter Response Here\> |
### 5.2 Attestations of Scan Compliance
The scans must cover all externally accessible (Internet-facing) IP addresses in existence at the entity, in accordance with the PCI DSS Approved Scanning Vendors (ASV) Program Guide.
| Indicate whether the ASV and the entity completed the Attestations of Scan Compliance confirming that all externally accessible (Internet-facing) IP addresses in existence at the entity were appropriately scoped for the ASV scans? | ☐ Yes ☐ No |
| --- | --- |
### 5.3 Quarterly Internal Scan Results
In the table below identify each quarterly internal vulnerability scan performed within the last 12 months. It is not required that quarterly scans are completed for initial PCI DSS compliance if the assessor verified that:
- The entity has documented policies and procedures requiring
quarterly scanning going forward, and
- Any vulnerabilities noted in the initial scan have been corrected as
shown in a re-scan.
For subsequent years after the initial PCI DSS review, four passing quarterly scans must have occurred.
| **Date of the Scan(s)** | **Was the scan performed via authenticated scanning?** | **Were any high-risk or critical vulnerabilities per the entity's vulnerability risk rankings at Requirement 6.3.1 found?** | **For all scans where high-risk or critical vulnerabilities were found, provide date(s) of re-scans showing that the vulnerabilities have been corrected.** |
| --- | --- | --- | --- |
| \<Enter Response Here\> | ☐ Yes ☐ No | ☐ Yes ☐ No | \<Enter Response Here\> |
| \<Enter Response Here\> | ☐ Yes ☐ No | ☐ Yes ☐ No | \<Enter Response Here\> |
| \<Enter Response Here\> | ☐ Yes ☐ No | ☐ Yes ☐ No | \<Enter Response Here\> |
| \<Enter Response Here\> | ☐ Yes ☐ No | ☐ Yes ☐ No | \<Enter Response Here\> |
| Indicate if this is the assessed entity's initial PCI DSS compliance validation. | | | ☐ Yes ☐ No |
| If **yes**, identify the name of the document the assessor verified to include the entity's documented policies and procedures requiring quarterly scanning going forward. | | | \<Enter Response Here\> |
| Assessor comments, if applicable: | | | \<Enter Response Here\> |
## 6 Evidence (Assessment Workpapers)
### 6.1 Evidence Retention
| Describe the repositories where the evidence collected during this assessment is stored, including the names of the repositories and how the data is secured. | \<Enter Response Here\> |
| --- | --- |
| Identify the entity or entities that control the evidence repositories. | \<Enter Response Here\> |
| Indicate whether the entity or entities in control of the evidence repositories understand that all evidence from this assessment must be maintained for a minimum of 3 years and must be made available to PCI SSC upon request. | ☐ Yes ☐ No |
### 6.2 Documentation Evidence
Identify all evidence for any testing procedure requiring a review of documents such as policies, procedures, standards, records, inventories, vendor documentation, and diagrams. Include the following: (Add rows as needed)
| Reference Number | Document Name (including version, if applicable) | Brief Description of Document Purpose | Document Revision Date (if applicable) |
| --- | --- | --- | --- |
| *EXAMPLE: Doc-1* | Company XPY Information Security<br>Policy | Information security policy | 2021-02-18 |
| \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> |
| \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> |
| \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> |
| \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> |
| \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> |
### 6.3 Interview Evidence
Identify all evidence for testing procedures requiring an interview, such as interview notes. Include the following: (Add rows as needed)
| Reference Number | Title of Workpaper with Interview Notes | Brief Description of the Topics Covered | Role(s) of Interviewee(s) |
| --- | --- | --- | --- |
| *EXAMPLE: Int-01* | Assessor notes from interview with<br>Information Security Manager | Information security processes<br>including security vulnerability risk<br>ranking, anti-malware configurations,<br>and cryptographic key management | Information Security Manager |
| \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> |
| \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> |
| \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> |
| \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> |
### 6.4 Observation Evidence
Identify all evidence for testing procedures requiring an observation, such as observation notes for observed processes. Include the following: (Add rows as needed)
| Reference Number | Title of Workpaper with Observation Notes | Observed Process | Brief Description of the Process |
| --- | --- | --- | --- |
| *EXAMPLE: Proc-1* | Assessor notes from observation of<br>visitor badge process | Visitor Badge Process | Process for allocating and<br>collecting/expiring visitor badges |
| \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> |
| \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> |
| \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> |
| \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> |
| \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> |
| \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> |
### 6.5 System Evidence
Identify all evidence for testing procedures requiring a review of system components, such as configurations, settings, access control lists, user accounts, or audit logs. Include the following: (Add rows as needed)
| Reference Number | System Components Reviewed (uniquely identified system components, or reference a sample set) | Brief Description of the Evidence |
| --- | --- | --- |
| *EXAMPLE: Conf-1* | *System1, system2, Sample Set-1* | *Group Policy settings for Windows servers* |
| \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> |
| \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> |
| \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> |
| \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> |
| \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> |
| \<Enter Response Here\> | \<Enter Response Here\> | \<Enter Response Here\> |
# Part II Findings and Observations {#part-ii-findings-and-observations .unnumbered}
## Build and Maintain a Secure Network and Systems {#build-and-maintain-a-secure-network-and-systems .unnumbered}
### Requirement 1: Install and Maintain Network Security Controls {#requirement-1-install-and-maintain-network-security-controls .unnumbered}
| **Requirement Description** |
| --- |
| **1.1** Processes and mechanisms for installing and maintaining network security controls are defined and understood. |
| **PCI DSS Requirement** |
| **1.1.1** All security policies and operational procedures that are identified in Requirement 1 are:<br>- Documented.<br>- Kept up to date.<br>- In use.<br>- Known to all affected parties. |

| **Assessment Findings (select one)** | | | |
| --- | --- | --- | --- |
| **In Place** | **Not Applicable** | **Not Tested** | **Not in Place** |
| ☐ | ☐ | ☐ | ☐ |
| Describe why the assessment finding was selected.<br>***Note**: Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.* | | \<Enter Response Here\> | |
| **Validation Method -- Customized Approach** | |
| --- | --- |
| **Indicate** whether a Customized Approach was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used.<br>***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)* | \<Enter Response Here\> |
| **Validation Method -- Defined Approach** | |
| **Indicate** whether a Compensating Control was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used.<br>***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)* | \<Enter Response Here\> |

| **Testing Procedures** | **Reporting Instructions** | **Reporting Details: Assessor's Response** |
| --- | --- | --- |
| **1.1.1** Examine documentation and interview personnel to verify that security policies and operational procedures identified in Requirement 1 are managed in accordance with all elements specified in this requirement. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **documentation** examined for this testing procedure. | \<Enter Response Here\> |
| | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **interview(s)** conducted for this testing procedure. | \<Enter Response Here\> |
| **PCI DSS Requirement** |
| --- |
| **1.1.2** Roles and responsibilities for performing activities in Requirement 1 are documented, assigned, and understood. |

| **Assessment Findings (select one)** | | | |
| --- | --- | --- | --- |
| **In Place** | **Not Applicable** | **Not Tested** | **Not in Place** |
| ☐ | ☐ | ☐ | ☐ |
| Describe why the assessment finding was selected.<br>***Note**: Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.* | | \<Enter Response Here\> | |

| **Validation Method -- Customized Approach** | |
| --- | --- |
| **Indicate** whether a Customized Approach was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used.<br>***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)* | \<Enter Response Here\> |
| **Validation Method -- Defined Approach** | |
| **Indicate** whether a Compensating Control was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used.<br>***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)* | \<Enter Response Here\> |
| **Testing Procedures** | **Reporting Instructions** | **Reporting Details: Assessor's Response** |
| --- | --- | --- |
| **1.1.2.a** Examine documentation to verify that descriptions of roles and responsibilities for performing activities in Requirement 1 are documented and assigned. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **documentation** examined for this testing procedure. | \<Enter Response Here\> |
| **1.1.2.b** Interview personnel responsible for performing activities in Requirement 1 to verify that roles and responsibilities are assigned as documented and are understood. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **interview(s)** conducted for this testing procedure. | \<Enter Response Here\> |
| **Requirement Description** |
| --- |
| **1.2** Network security controls (NSCs) are configured and maintained. |
| **PCI DSS Requirement** |
| **1.2.1** Configuration standards for NSC rulesets are:<br>- Defined.<br>- Implemented.<br>- Maintained. |

| **Assessment Findings (select one)** | | | |
| --- | --- | --- | --- |
| **In Place** | **Not Applicable** | **Not Tested** | **Not in Place** |
| ☐ | ☐ | ☐ | ☐ |
| Describe why the assessment finding was selected.<br>***Note**: Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.* | | \<Enter Response Here\> | |

| **Validation Method -- Customized Approach** | |
| --- | --- |
| **Indicate** whether a Customized Approach was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used.<br>***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)* | \<Enter Response Here\> |
| **Validation Method -- Defined Approach** | |
| **Indicate** whether a Compensating Control was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used.<br>***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)* | \<Enter Response Here\> |
+-----------------+----------------+---+--------------+-----------------+
| **Testing | > **Reporting | | > | |
| Procedures** | > | | **Reporting | |
| | Instructions** | | > Details: | |
| | | | > Assessor's | |
| | | | > Response** | |
+=================+================+===+==============+=================+
| **1.2.1.a** | **Identify** | | \<Enter | |
| Examine the | the evidence | | Response | |
| configuration | reference | | Here\> | |
| standards for | number(s) from | | | |
| NSC rulesets to | [Section | | | |
| verify the | 6](#evi | | | |
| standards are | dence-assessme | | | |
| in accordance | nt-workpapers) | | | |
| with all | for all | | | |
| elements | * | | | |
| specified in | *configuration | | | |
| this | standards** | | | |
| requirement. | examined for | | | |
| | this testing | | | |
| | procedure. | | | |
+-----------------+----------------+---+--------------+-----------------+
| **1.2.1.b** | **Identify** | | \<Enter | |
| Examine | the evidence | | Response | |
| configuration | reference | | Here\> | |
| settings for | number(s) from | | | |
| NSC rulesets to | [Section | | | |
| verify that | 6](#evi | | | |
| rulesets are | dence-assessme | | | |
| implemented | nt-workpapers) | | | |
| according to | for all | | | |
| the | * | | | |
| configuration | *configuration | | | |
| standards. | settings** | | | |
| | examined for | | | |
| | this testing | | | |
| | procedure. | | | |
+-----------------+----------------+---+--------------+-----------------+
**PCI DSS Requirement**

**1.2.2** All changes to network connections and to configurations of NSCs are approved and managed in accordance with the change control process defined at Requirement 6.5.1.

**Assessment Findings (select one)**

| **In Place** | **Not Applicable** | **Not Tested** | **Not in Place** |
|---|---|---|---|
| ☐ | ☐ | ☐ | ☐ |

Describe why the assessment finding was selected. ***Note**: Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.*

\<Enter Response Here\>
| **Validation Method -- Customized Approach** | |
|---|---|
| **Indicate** whether a Customized Approach was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used. ***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)* | \<Enter Response Here\> |
| **Validation Method -- Defined Approach** | |
| **Indicate** whether a Compensating Control was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used. ***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)* | \<Enter Response Here\> |

| **Testing Procedures** | **Reporting Instructions** | **Reporting Details: Assessor's Response** |
|---|---|---|
| **1.2.2.a** Examine documented procedures to verify that changes to network connections and configurations of NSCs are included in the formal change control process in accordance with Requirement 6.5.1. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **documented procedures** examined for this testing procedure. | \<Enter Response Here\> |
| **1.2.2.b** Examine network configuration settings to identify changes made to network connections. Interview responsible personnel and examine change control records to verify that identified changes to network connections were approved and managed in accordance with Requirement 6.5.1. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **network configuration settings** examined for this testing procedure. | \<Enter Response Here\> |
| | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **interview(s)** conducted for this testing procedure. | \<Enter Response Here\> |
| | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **change control records** examined for this testing procedure. | \<Enter Response Here\> |
| **1.2.2.c** Examine network configuration settings to identify changes made to configurations of NSCs. Interview responsible personnel and examine change control records to verify that identified changes to configurations of NSCs were approved and managed in accordance with Requirement 6.5.1. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **network configuration settings** examined for this testing procedure. | \<Enter Response Here\> |
| | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **interview(s)** conducted for this testing procedure. | \<Enter Response Here\> |
| | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **change control records** examined for this testing procedure. | \<Enter Response Here\> |
**PCI DSS Requirement**

**1.2.3** An accurate network diagram(s) is maintained that shows all connections between the CDE and other networks, including any wireless networks.

**Assessment Findings (select one)**

| **In Place** | **Not Applicable** | **Not Tested** | **Not in Place** |
|---|---|---|---|
| ☐ | ☐ | ☐ | ☐ |

Describe why the assessment finding was selected. ***Note**: Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.*

\<Enter Response Here\>
| **Validation Method -- Customized Approach** | |
|---|---|
| **Indicate** whether a Customized Approach was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used. ***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)* | \<Enter Response Here\> |
| **Validation Method -- Defined Approach** | |
| **Indicate** whether a Compensating Control was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used. ***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)* | \<Enter Response Here\> |

| **Testing Procedures** | **Reporting Instructions** | **Reporting Details: Assessor's Response** |
|---|---|---|
| **1.2.3.a** Examine diagram(s) and network configurations to verify that an accurate network diagram(s) exists in accordance with all elements specified in this requirement. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **diagrams** examined for this testing procedure. | \<Enter Response Here\> |
| | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **network configurations** examined for this testing procedure. | \<Enter Response Here\> |
| **1.2.3.b** Examine documentation and interview responsible personnel to verify that the network diagram(s) is accurate and updated when there are changes to the environment. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **documentation** examined for this testing procedure. | \<Enter Response Here\> |
| | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **interview(s)** conducted for this testing procedure. | \<Enter Response Here\> |
**PCI DSS Requirement**

**1.2.4** An accurate data-flow diagram(s) is maintained that meets the following:

- Shows all account data flows across systems and networks.

- Updated as needed upon changes to the environment.

**Assessment Findings (select one)**

| **In Place** | **Not Applicable** | **Not Tested** | **Not in Place** |
|---|---|---|---|
| ☐ | ☐ | ☐ | ☐ |

Describe why the assessment finding was selected. ***Note**: Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.*

\<Enter Response Here\>
| **Validation Method -- Customized Approach** | |
|---|---|
| **Indicate** whether a Customized Approach was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used. ***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)* | \<Enter Response Here\> |
| **Validation Method -- Defined Approach** | |
| **Indicate** whether a Compensating Control was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used. ***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)* | \<Enter Response Here\> |

| **Testing Procedures** | **Reporting Instructions** | **Reporting Details: Assessor's Response** |
|---|---|---|
| **1.2.4.a** Examine data-flow diagram(s) and interview personnel to verify the diagram(s) show all account data flows in accordance with all elements specified in this requirement. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **data-flow diagram(s)** examined for this testing procedure. | \<Enter Response Here\> |
| | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **interview(s)** conducted for this testing procedure. | \<Enter Response Here\> |
| **1.2.4.b** Examine documentation and interview responsible personnel to verify that the data-flow diagram(s) is accurate and updated when there are changes to the environment. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **documentation** examined for this testing procedure. | \<Enter Response Here\> |
| | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **interview(s)** conducted for this testing procedure. | \<Enter Response Here\> |
**PCI DSS Requirement**

**1.2.5** All services, protocols, and ports allowed are identified, approved, and have a defined business need.

**Assessment Findings (select one)**

| **In Place** | **Not Applicable** | **Not Tested** | **Not in Place** |
|---|---|---|---|
| ☐ | ☐ | ☐ | ☐ |

Describe why the assessment finding was selected. ***Note**: Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.*

\<Enter Response Here\>
| **Validation Method -- Customized Approach** | |
|---|---|
| **Indicate** whether a Customized Approach was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used. ***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)* | \<Enter Response Here\> |
| **Validation Method -- Defined Approach** | |
| **Indicate** whether a Compensating Control was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used. ***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)* | \<Enter Response Here\> |

| **Testing Procedures** | **Reporting Instructions** | **Reporting Details: Assessor's Response** |
|---|---|---|
| **1.2.5.a** Examine documentation to verify that a list exists of all allowed services, protocols, and ports, including business justification and approval for each. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **documentation** examined for this testing procedure. | \<Enter Response Here\> |
| **1.2.5.b** Examine configuration settings for NSCs to verify that only approved services, protocols, and ports are in use. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **configuration settings** examined for this testing procedure. | \<Enter Response Here\> |
**PCI DSS Requirement**

**1.2.6** Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated.

**Assessment Findings (select one)**

| **In Place** | **Not Applicable** | **Not Tested** | **Not in Place** |
|---|---|---|---|
| ☐ | ☐ | ☐ | ☐ |

Describe why the assessment finding was selected. ***Note**: Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.*

\<Enter Response Here\>

| **Validation Method -- Customized Approach** | |
|---|---|
| **Indicate** whether a Customized Approach was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used. ***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)* | \<Enter Response Here\> |
| **Validation Method -- Defined Approach** | |
| **Indicate** whether a Compensating Control was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used. ***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)* | \<Enter Response Here\> |
| **Testing Procedures** | **Reporting Instructions** | **Reporting Details: Assessor's Response** |
|---|---|---|
| **1.2.6.a** Examine documentation that identifies all insecure services, protocols, and ports in use to verify that for each, security features are defined to mitigate the risk. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **documentation** examined for this testing procedure. | \<Enter Response Here\> |
| **1.2.6.b** Examine configuration settings for NSCs to verify that the defined security features are implemented for each identified insecure service, protocol, and port. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **configuration settings** examined for this testing procedure. | \<Enter Response Here\> |
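Testing procedures 1.2.5.b and 1.2.6.b both come down to reconciling what the NSC ruleset actually allows against what is documented as approved and, for insecure services, mitigated. The following is an added example, not part of the ROC template or any PCI SSC material, that shows one way an assessor or network team can automate that comparison; the ruleset format, service names, approvers, justifications and security features are all constructed for illustration.

```python
"""Added example (not part of the ROC template): reconcile an NSC ruleset
against the approved services/protocols/ports list (testing procedure 1.2.5.b)
and check that each insecure service in use has a defined security feature
(testing procedure 1.2.6.b). Ruleset format, service names and all values
below are constructed for illustration; real NSC exports differ per vendor."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str   # "tcp" or "udp"
    port: int
    action: str  # "allow" or "deny"


@dataclass
class ApprovedService:
    proto: str
    port: int
    justification: str       # defined business need (one per entry, per 1.2.5)
    approver: str            # who approved the entry; empty means not approved
    insecure: bool = False   # identified as insecure, so 1.2.6 applies
    security_features: list = field(default_factory=list)


def parse_ruleset(text: str) -> list:
    """Parse a constructed, vendor-neutral ruleset: one rule per line as
    '<name> <proto> <port> <allow|deny>'; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, proto, port, action = line.split()
        rules.append(Rule(name, proto.lower(), int(port), action.lower()))
    return rules


def reconcile(rules: list, approved: list) -> dict:
    """Classify every allow rule:
       unapproved  - no approved entry, or entry lacks justification/approver (1.2.5)
       unmitigated - approved but insecure with no defined security feature (1.2.6)
       compliant   - approved and, if insecure, mitigated."""
    index = {(s.proto, s.port): s for s in approved}
    result = {"unapproved": [], "unmitigated": [], "compliant": []}
    for rule in rules:
        if rule.action != "allow":
            continue  # deny rules do not place a service in use
        svc = index.get((rule.proto, rule.port))
        if svc is None or not svc.justification.strip() or not svc.approver.strip():
            result["unapproved"].append(rule.name)
        elif svc.insecure and not svc.security_features:
            result["unmitigated"].append(rule.name)
        else:
            result["compliant"].append(rule.name)
    return result


# Constructed sample inputs (not taken from any real environment).
SAMPLE_RULESET = """
# name          proto port action
web-https       tcp   443  allow
admin-ssh       tcp   22   allow
vendor-ftp      tcp   21   allow    # insecure, mitigations defined below
legacy-telnet   tcp   23   allow    # insecure, nothing defined
snmp-mgmt       udp   161  allow    # not on the approved list at all
batch-sftp      tcp   2222 allow    # listed but never approved
rdp-block       tcp   3389 deny
"""

SAMPLE_APPROVED = [
    ApprovedService("tcp", 443, "Customer checkout traffic", "CISO"),
    ApprovedService("tcp", 22, "Administrative access from jump host", "CISO"),
    ApprovedService("tcp", 21, "Legacy settlement file exchange", "CISO",
                    insecure=True,
                    security_features=["Explicit FTPS (AUTH TLS) required",
                                       "Source restricted to partner gateway"]),
    ApprovedService("tcp", 23, "Console access to legacy switch", "CISO",
                    insecure=True),                        # no security feature
    ApprovedService("tcp", 2222, "Batch file transfer", ""),  # approver missing
]


def run_check() -> dict:
    """Run the 1.2.5.b / 1.2.6.b reconciliation over the constructed sample."""
    return reconcile(parse_ruleset(SAMPLE_RULESET), SAMPLE_APPROVED)


if __name__ == "__main__":
    for category, names in run_check().items():
        print(f"{category:12s}: {', '.join(names) or '-'}")
```

Each name under `unapproved` is evidence against 1.2.5 and each under `unmitigated` against 1.2.6; the rule names map back to the configuration settings cited in Section 6.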
**PCI DSS Requirement**

**1.2.7** Configurations of NSCs are reviewed at least once every six months to confirm they are relevant and effective.

**Assessment Findings (select one)**

| **In Place** | **Not Applicable** | **Not Tested** | **Not in Place** |
|---|---|---|---|
| ☐ | ☐ | ☐ | ☐ |

Describe why the assessment finding was selected. ***Note**: Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.*

\<Enter Response Here\>
| **Validation Method -- Customized Approach** | |
|---|---|
| **Indicate** whether a Customized Approach was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used. ***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)* | \<Enter Response Here\> |
| **Validation Method -- Defined Approach** | |
| **Indicate** whether a Compensating Control was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used. ***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)* | \<Enter Response Here\> |

| **Testing Procedures** | **Reporting Instructions** | **Reporting Details: Assessor's Response** |
|---|---|---|
| **1.2.7.a** Examine documentation to verify procedures are defined for reviewing configurations of NSCs at least once every six months. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **documentation** examined for this testing procedure. | \<Enter Response Here\> |
| **1.2.7.b** Examine documentation of reviews of configurations for NSCs and interview responsible personnel to verify that reviews occur at least once every six months. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **documentation** examined for this testing procedure. | \<Enter Response Here\> |
| | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **interview(s)** conducted for this testing procedure. | \<Enter Response Here\> |

+-----------------+-------------------+--------------------------------+
| **1.2.7.c** | **Identify** the | \<Enter Response Here\> |
| Examine | evidence | |
| configurations | reference | |
| for NSCs to | number(s) from | |
| verify that | [Section | |
| configurations | 6 | |
| identified as | ](#evidence-asses | |
| no longer being | sment-workpapers) | |
| supported by a | for all | |
| business | * | |
| justification | *configurations** | |
| are removed or | examined for this | |
| updated. | testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+
+---------------------------------------------------------------------------------------------------+
| **PCI DSS Requirement**                                                                           |
+===================================================================================================+
| **1.2.8** Configuration files for NSCs are:                                                       |
|                                                                                                   |
| - Secured from unauthorized access.                                                               |
| - Kept consistent with active network configurations.                                             |
+---------------------------------------------------------------------------------------------------+
| **Assessment Findings (select one)**                                                              |
+---------------------------------------------------------------------------------------------------+

+------------------------+------------------------+------------------------+------------------------+
| **In Place**           | **Not Applicable**     | **Not Tested**         | **Not in Place**       |
+========================+========================+========================+========================+
| ☐                      | ☐                      | ☐                      | ☐                      |
+------------------------+------------------------+------------------------+------------------------+

+---------------------------------------------------------------------+-----------------------------+
| Describe why the assessment finding was selected.                   | \<Enter Response Here\>     |
|                                                                     |                             |
| ***Note**: Include all details as noted in the "Required Reporting" |                             |
| column of the table in [Assessment Findings](#assessment-findings)  |                             |
| in the ROC Template Instructions.*                                  |                             |
+---------------------------------------------------------------------+-----------------------------+
| **Validation Method -- Customized Approach**                        |                             |
+---------------------------------------------------------------------+-----------------------------+
| **Indicate** whether a Customized Approach was used:                | ☐ Yes ☐ No                  |
+---------------------------------------------------------------------+-----------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the   | \<Enter Response Here\>     |
| Customized Approach was used.                                       |                             |
|                                                                     |                             |
| ***Note:** The use of Customized Approach must also be documented   |                             |
| in [Appendix E.](#appendix-e-customized-approach-template)*         |                             |
+---------------------------------------------------------------------+-----------------------------+
| **Validation Method -- Defined Approach**                           |                             |
+---------------------------------------------------------------------+-----------------------------+
| **Indicate** whether a Compensating Control was used:               | ☐ Yes ☐ No                  |
+---------------------------------------------------------------------+-----------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the   | \<Enter Response Here\>     |
| Compensating Control(s) was used.                                   |                             |
|                                                                     |                             |
| ***Note:** The use of Compensating Controls must also be documented |                             |
| in [Appendix C.](#appendix-c-compensating-controls-worksheet)*      |                             |
+---------------------------------------------------------------------+-----------------------------+

+--------------------------+----------------------------------------------+-------------------------+
| **Testing Procedures**   | **Reporting Instructions**                   | **Reporting Details:    |
|                          |                                              | Assessor's Response**   |
+==========================+==============================================+=========================+
| **1.2.8** Examine        | **Identify** the evidence reference          | \<Enter Response Here\> |
| configuration files for  | number(s) from                               |                         |
| NSCs to verify they are  | [Section 6](#evidence-assessment-workpapers) |                         |
| in accordance with all   | for all **configuration files** examined for |                         |
| elements specified in    | this testing procedure.                      |                         |
| this requirement.        |                                              |                         |
+--------------------------+----------------------------------------------+-------------------------+
+---------------------------------------------------------------------------------------------------+
| **Requirement Description**                                                                       |
+===================================================================================================+
| **1.3** Network access to and from the cardholder data environment is restricted.                 |
+---------------------------------------------------------------------------------------------------+
| **PCI DSS Requirement**                                                                           |
+---------------------------------------------------------------------------------------------------+
| **1.3.1** Inbound traffic to the CDE is restricted as follows:                                    |
|                                                                                                   |
| - To only traffic that is necessary.                                                              |
| - All other traffic is specifically denied.                                                       |
+---------------------------------------------------------------------------------------------------+
| **Assessment Findings (select one)**                                                              |
+---------------------------------------------------------------------------------------------------+

+------------------------+------------------------+------------------------+------------------------+
| **In Place**           | **Not Applicable**     | **Not Tested**         | **Not in Place**       |
+========================+========================+========================+========================+
| ☐                      | ☐                      | ☐                      | ☐                      |
+------------------------+------------------------+------------------------+------------------------+

+---------------------------------------------------------------------+-----------------------------+
| Describe why the assessment finding was selected.                   | \<Enter Response Here\>     |
|                                                                     |                             |
| ***Note**: Include all details as noted in the "Required Reporting" |                             |
| column of the table in [Assessment Findings](#assessment-findings)  |                             |
| in the ROC Template Instructions.*                                  |                             |
+---------------------------------------------------------------------+-----------------------------+
| **Validation Method -- Customized Approach**                        |                             |
+---------------------------------------------------------------------+-----------------------------+
| **Indicate** whether a Customized Approach was used:                | ☐ Yes ☐ No                  |
+---------------------------------------------------------------------+-----------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the   | \<Enter Response Here\>     |
| Customized Approach was used.                                       |                             |
|                                                                     |                             |
| ***Note:** The use of Customized Approach must also be documented   |                             |
| in [Appendix E.](#appendix-e-customized-approach-template)*         |                             |
+---------------------------------------------------------------------+-----------------------------+
| **Validation Method -- Defined Approach**                           |                             |
+---------------------------------------------------------------------+-----------------------------+
| **Indicate** whether a Compensating Control was used:               | ☐ Yes ☐ No                  |
+---------------------------------------------------------------------+-----------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the   | \<Enter Response Here\>     |
| Compensating Control(s) was used.                                   |                             |
|                                                                     |                             |
| ***Note:** The use of Compensating Controls must also be documented |                             |
| in [Appendix C.](#appendix-c-compensating-controls-worksheet)*      |                             |
+---------------------------------------------------------------------+-----------------------------+

+--------------------------+----------------------------------------------+-------------------------+
| **Testing Procedures**   | **Reporting Instructions**                   | **Reporting Details:    |
|                          |                                              | Assessor's Response**   |
+==========================+==============================================+=========================+
| **1.3.1.a** Examine      | **Identify** the evidence reference          | \<Enter Response Here\> |
| configuration standards  | number(s) from                               |                         |
| for NSCs to verify that  | [Section 6](#evidence-assessment-workpapers) |                         |
| they define restricting  | for all **configuration standards** examined |                         |
| inbound traffic to the   | for this testing procedure.                  |                         |
| CDE is in accordance     |                                              |                         |
| with all elements        |                                              |                         |
| specified in this        |                                              |                         |
| requirement.             |                                              |                         |
+--------------------------+----------------------------------------------+-------------------------+
| **1.3.1.b** Examine      | **Identify** the evidence reference          | \<Enter Response Here\> |
| configurations of NSCs   | number(s) from                               |                         |
| to verify that inbound   | [Section 6](#evidence-assessment-workpapers) |                         |
| traffic to the CDE is    | for all **configurations** examined for this |                         |
| restricted in accordance | testing procedure.                           |                         |
| with all elements        |                                              |                         |
| specified in this        |                                              |                         |
| requirement.             |                                              |                         |
+--------------------------+----------------------------------------------+-------------------------+
+---------------------------------------------------------------------------------------------------+
| **PCI DSS Requirement**                                                                           |
+===================================================================================================+
| **1.3.2** Outbound traffic from the CDE is restricted as follows:                                 |
|                                                                                                   |
| - To only traffic that is necessary.                                                              |
| - All other traffic is specifically denied.                                                       |
+---------------------------------------------------------------------------------------------------+
| **Assessment Findings (select one)**                                                              |
+---------------------------------------------------------------------------------------------------+

+------------------------+------------------------+------------------------+------------------------+
| **In Place**           | **Not Applicable**     | **Not Tested**         | **Not in Place**       |
+========================+========================+========================+========================+
| ☐                      | ☐                      | ☐                      | ☐                      |
+------------------------+------------------------+------------------------+------------------------+

+---------------------------------------------------------------------+-----------------------------+
| Describe why the assessment finding was selected.                   | \<Enter Response Here\>     |
|                                                                     |                             |
| ***Note**: Include all details as noted in the "Required Reporting" |                             |
| column of the table in [Assessment Findings](#assessment-findings)  |                             |
| in the ROC Template Instructions.*                                  |                             |
+---------------------------------------------------------------------+-----------------------------+
| **Validation Method -- Customized Approach**                        |                             |
+---------------------------------------------------------------------+-----------------------------+
| **Indicate** whether a Customized Approach was used:                | ☐ Yes ☐ No                  |
+---------------------------------------------------------------------+-----------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the   | \<Enter Response Here\>     |
| Customized Approach was used.                                       |                             |
|                                                                     |                             |
| ***Note:** The use of Customized Approach must also be documented   |                             |
| in [Appendix E.](#appendix-e-customized-approach-template)*         |                             |
+---------------------------------------------------------------------+-----------------------------+
| **Validation Method -- Defined Approach**                           |                             |
+---------------------------------------------------------------------+-----------------------------+
| **Indicate** whether a Compensating Control was used:               | ☐ Yes ☐ No                  |
+---------------------------------------------------------------------+-----------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the   | \<Enter Response Here\>     |
| Compensating Control(s) was used.                                   |                             |
|                                                                     |                             |
| ***Note:** The use of Compensating Controls must also be documented |                             |
| in [Appendix C.](#appendix-c-compensating-controls-worksheet)*      |                             |
+---------------------------------------------------------------------+-----------------------------+

+--------------------------+----------------------------------------------+-------------------------+
| **Testing Procedures**   | **Reporting Instructions**                   | **Reporting Details:    |
|                          |                                              | Assessor's Response**   |
+==========================+==============================================+=========================+
| **1.3.2.a** Examine      | **Identify** the evidence reference          | \<Enter Response Here\> |
| configuration standards  | number(s) from                               |                         |
| for NSCs to verify that  | [Section 6](#evidence-assessment-workpapers) |                         |
| they define restricting  | for all **configuration standards** examined |                         |
| outbound traffic from    | for this testing procedure.                  |                         |
| the CDE in accordance    |                                              |                         |
| with all elements        |                                              |                         |
| specified in this        |                                              |                         |
| requirement.             |                                              |                         |
+--------------------------+----------------------------------------------+-------------------------+
| **1.3.2.b** Examine      | **Identify** the evidence reference          | \<Enter Response Here\> |
| configurations of NSCs   | number(s) from                               |                         |
| to verify that outbound  | [Section 6](#evidence-assessment-workpapers) |                         |
| traffic from the CDE is  | for all **configurations** examined for this |                         |
| restricted in accordance | testing procedure.                           |                         |
| with all elements        |                                              |                         |
| specified in this        |                                              |                         |
| requirement.             |                                              |                         |
+--------------------------+----------------------------------------------+-------------------------+

+---------------------------------------------------------------------------------------------------+
| **PCI DSS Requirement**                                                                           |
+===================================================================================================+
| **1.3.3** NSCs are installed between all wireless networks and the CDE, regardless of whether the |
| wireless network is a CDE, such that:                                                             |
|                                                                                                   |
| - All wireless traffic from wireless networks into the CDE is denied by default.                  |
| - Only wireless traffic with an authorized business purpose is allowed into the CDE.              |
+---------------------------------------------------------------------------------------------------+
| **Assessment Findings (select one)**                                                              |
+---------------------------------------------------------------------------------------------------+

+------------------------+------------------------+------------------------+------------------------+
| **In Place**           | **Not Applicable**     | **Not Tested**         | **Not in Place**       |
+========================+========================+========================+========================+
| ☐                      | ☐                      | ☐                      | ☐                      |
+------------------------+------------------------+------------------------+------------------------+

+---------------------------------------------------------------------+-----------------------------+
| Describe why the assessment finding was selected.                   | \<Enter Response Here\>     |
|                                                                     |                             |
| ***Note**: Include all details as noted in the "Required Reporting" |                             |
| column of the table in [Assessment Findings](#assessment-findings)  |                             |
| in the ROC Template Instructions.*                                  |                             |
+---------------------------------------------------------------------+-----------------------------+
| **Validation Method -- Customized Approach**                        |                             |
+---------------------------------------------------------------------+-----------------------------+
| **Indicate** whether a Customized Approach was used:                | ☐ Yes ☐ No                  |
+---------------------------------------------------------------------+-----------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the   | \<Enter Response Here\>     |
| Customized Approach was used.                                       |                             |
|                                                                     |                             |
| ***Note:** The use of Customized Approach must also be documented   |                             |
| in [Appendix E.](#appendix-e-customized-approach-template)*         |                             |
+---------------------------------------------------------------------+-----------------------------+
| **Validation Method -- Defined Approach**                           |                             |
+---------------------------------------------------------------------+-----------------------------+
| **Indicate** whether a Compensating Control was used:               | ☐ Yes ☐ No                  |
+---------------------------------------------------------------------+-----------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the   | \<Enter Response Here\>     |
| Compensating Control(s) was used.                                   |                             |
|                                                                     |                             |
| ***Note:** The use of Compensating Controls must also be documented |                             |
| in [Appendix C.](#appendix-c-compensating-controls-worksheet)*      |                             |
+---------------------------------------------------------------------+-----------------------------+

+--------------------------+----------------------------------------------+-------------------------+
| **Testing Procedures**   | **Reporting Instructions**                   | **Reporting Details:    |
|                          |                                              | Assessor's Response**   |
+==========================+==============================================+=========================+
| **1.3.3** Examine        | **Identify** the evidence reference          | \<Enter Response Here\> |
| configuration settings   | number(s) from                               |                         |
| and network diagrams to  | [Section 6](#evidence-assessment-workpapers) |                         |
| verify that NSCs are     | for all **configuration settings** examined  |                         |
| implemented between all  | for this testing procedure.                  |                         |
| wireless networks and    |                                              |                         |
| the CDE, in accordance   |                                              |                         |
| with all elements        |                                              |                         |
| specified in this        |                                              |                         |
| requirement.             |                                              |                         |
+--------------------------+----------------------------------------------+-------------------------+
|                          | **Identify** the evidence reference          | \<Enter Response Here\> |
|                          | number(s) from                               |                         |
|                          | [Section 6](#evidence-assessment-workpapers) |                         |
|                          | for all **network diagrams** examined for    |                         |
|                          | this testing procedure.                      |                         |
+--------------------------+----------------------------------------------+-------------------------+
+---------------------------------------------------------------------------------------------------+
| **Requirement Description**                                                                       |
+===================================================================================================+
| **1.4** Network connections between trusted and untrusted networks are controlled.                |
+---------------------------------------------------------------------------------------------------+
| **PCI DSS Requirement**                                                                           |
+---------------------------------------------------------------------------------------------------+
| **1.4.1** NSCs are implemented between trusted and untrusted networks.                            |
+---------------------------------------------------------------------------------------------------+
| **Assessment Findings (select one)**                                                              |
+---------------------------------------------------------------------------------------------------+

+------------------------+------------------------+------------------------+------------------------+
| **In Place**           | **Not Applicable**     | **Not Tested**         | **Not in Place**       |
+========================+========================+========================+========================+
| ☐                      | ☐                      | ☐                      | ☐                      |
+------------------------+------------------------+------------------------+------------------------+

+---------------------------------------------------------------------+-----------------------------+
| Describe why the assessment finding was selected.                   | \<Enter Response Here\>     |
|                                                                     |                             |
| ***Note**: Include all details as noted in the "Required Reporting" |                             |
| column of the table in [Assessment Findings](#assessment-findings)  |                             |
| in the ROC Template Instructions.*                                  |                             |
+---------------------------------------------------------------------+-----------------------------+
| **Validation Method -- Customized Approach**                        |                             |
+---------------------------------------------------------------------+-----------------------------+
| **Indicate** whether a Customized Approach was used:                | ☐ Yes ☐ No                  |
+---------------------------------------------------------------------+-----------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the   | \<Enter Response Here\>     |
| Customized Approach was used.                                       |                             |
|                                                                     |                             |
| ***Note:** The use of Customized Approach must also be documented   |                             |
| in [Appendix E.](#appendix-e-customized-approach-template)*         |                             |
+---------------------------------------------------------------------+-----------------------------+
| **Validation Method -- Defined Approach**                           |                             |
+---------------------------------------------------------------------+-----------------------------+
| **Indicate** whether a Compensating Control was used:               | ☐ Yes ☐ No                  |
+---------------------------------------------------------------------+-----------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the   | \<Enter Response Here\>     |
| Compensating Control(s) was used.                                   |                             |
|                                                                     |                             |
| ***Note:** The use of Compensating Controls must also be documented |                             |
| in [Appendix C.](#appendix-c-compensating-controls-worksheet)*      |                             |
+---------------------------------------------------------------------+-----------------------------+

+--------------------------+----------------------------------------------+-------------------------+
| **Testing Procedures**   | **Reporting Instructions**                   | **Reporting Details:    |
|                          |                                              | Assessor's Response**   |
+==========================+==============================================+=========================+
| **1.4.1.a** Examine      | **Identify** the evidence reference          | \<Enter Response Here\> |
| configuration standards  | number(s) from                               |                         |
| and network diagrams to  | [Section 6](#evidence-assessment-workpapers) |                         |
| verify that NSCs are     | for all **configuration standards** examined |                         |
| defined between trusted  | for this testing procedure.                  |                         |
| and untrusted networks.  |                                              |                         |
+--------------------------+----------------------------------------------+-------------------------+
|                          | **Identify** the evidence reference          | \<Enter Response Here\> |
|                          | number(s) from                               |                         |
|                          | [Section 6](#evidence-assessment-workpapers) |                         |
|                          | for all **network diagrams** examined for    |                         |
|                          | this testing procedure.                      |                         |
+--------------------------+----------------------------------------------+-------------------------+
| **1.4.1.b** Examine      | **Identify** the evidence reference          | \<Enter Response Here\> |
| network configurations   | number(s) from                               |                         |
| to verify that NSCs are  | [Section 6](#evidence-assessment-workpapers) |                         |
| in place between trusted | for all **network configurations** examined  |                         |
| and untrusted networks,  | for this testing procedure.                  |                         |
| in accordance with the   |                                              |                         |
| documented configuration |                                              |                         |
| standards and network    |                                              |                         |
| diagrams.                |                                              |                         |
+--------------------------+----------------------------------------------+-------------------------+

+---------------------------------------------------------------------------------------------------+
| **PCI DSS Requirement**                                                                           |
+===================================================================================================+
| **1.4.2** Inbound traffic from untrusted networks to trusted networks is restricted to:           |
|                                                                                                   |
| - Communications with system components that are authorized to provide publicly                   |
|   accessible services, protocols, and ports.                                                      |
| - Stateful responses to communications initiated by system components in a trusted                |
|   network.                                                                                        |
| - All other traffic is denied.                                                                    |
+---------------------------------------------------------------------------------------------------+
| **Assessment Findings (select one)**                                                              |
+---------------------------------------------------------------------------------------------------+

+------------------------+------------------------+------------------------+------------------------+
| **In Place**           | **Not Applicable**     | **Not Tested**         | **Not in Place**       |
+========================+========================+========================+========================+
| ☐                      | ☐                      | ☐                      | ☐                      |
+------------------------+------------------------+------------------------+------------------------+

+---------------------------------------------------------------------+-----------------------------+
| Describe why the assessment finding was selected.                   | \<Enter Response Here\>     |
|                                                                     |                             |
| ***Note**: Include all details as noted in the "Required Reporting" |                             |
| column of the table in [Assessment Findings](#assessment-findings)  |                             |
| in the ROC Template Instructions.*                                  |                             |
+---------------------------------------------------------------------+-----------------------------+
| **Validation Method -- Customized Approach**                        |                             |
+---------------------------------------------------------------------+-----------------------------+
| **Indicate** whether a Customized Approach was used:                | ☐ Yes ☐ No                  |
+---------------------------------------------------------------------+-----------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the   | \<Enter Response Here\>     |
| Customized Approach was used.                                       |                             |
|                                                                     |                             |
| ***Note:** The use of Customized Approach must also be documented   |                             |
| in [Appendix E.](#appendix-e-customized-approach-template)*         |                             |
+---------------------------------------------------------------------+-----------------------------+
| **Validation Method -- Defined Approach**                           |                             |
+---------------------------------------------------------------------+-----------------------------+
| **Indicate** whether a Compensating Control was used:               | ☐ Yes ☐ No                  |
+---------------------------------------------------------------------+-----------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the   | \<Enter Response Here\>     |
| Compensating Control(s) was used.                                   |                             |
|                                                                     |                             |
| ***Note:** The use of Compensating Controls must also be documented |                             |
| in [Appendix C.](#appendix-c-compensating-controls-worksheet)*      |                             |
+---------------------------------------------------------------------+-----------------------------+

+--------------------------+----------------------------------------------+-------------------------+
| **Testing Procedures**   | **Reporting Instructions**                   | **Reporting Details:    |
|                          |                                              | Assessor's Response**   |
+==========================+==============================================+=========================+
| **1.4.2** Examine vendor | **Identify** the evidence reference          | \<Enter Response Here\> |
| documentation and        | number(s) from                               |                         |
| configurations of NSCs   | [Section 6](#evidence-assessment-workpapers) |                         |
| to verify that inbound   | for all **vendor documentation** examined    |                         |
| traffic from untrusted   | for this testing procedure.                  |                         |
| networks to trusted      |                                              |                         |
| networks is restricted   |                                              |                         |
| in accordance with all   |                                              |                         |
| elements specified in    |                                              |                         |
| this requirement.        |                                              |                         |
+--------------------------+----------------------------------------------+-------------------------+
|                          | **Identify** the evidence reference          | \<Enter Response Here\> |
|                          | number(s) from                               |                         |
|                          | [Section 6](#evidence-assessment-workpapers) |                         |
|                          | for all **configurations** examined for this |                         |
|                          | testing procedure.                           |                         |
+--------------------------+----------------------------------------------+-------------------------+
+----------------------------------------------------------------------------------------------------------------------+
| **PCI DSS Requirement**                                                                                              |
+----------------------------------------------------------------------------------------------------------------------+
| **1.4.3** Anti-spoofing measures are implemented to detect and block forged source IP addresses from entering the    |
| trusted network.                                                                                                     |
+----------------------------------------------------------------------------------------------------------------------+
| **Assessment Findings (select one)**                                                                                 |
+-----------------------------+-----------------------------+-----------------------------+----------------------------+
| **In Place**                | **Not Applicable**          | **Not Tested**              | **Not in Place**           |
+-----------------------------+-----------------------------+-----------------------------+----------------------------+
| ☐                           | ☐                           | ☐                           | ☐                          |
+-----------------------------+-----------------------------+-----------------------------+----------------------------+
| Describe why the assessment finding was selected. \<Enter Response Here\>                                            |
|                                                                                                                      |
| ***Note**: Include all details as noted in the "Required Reporting" column of the table in                           |
| [Assessment Findings](#assessment-findings) in the ROC Template Instructions.*                                       |
+----------------------------------------------------------------------------------------------------------------------+
| **Validation Method -- Customized Approach**                                                                         |
+----------------------------------------------------------------------------------------------------------------------+
| **Indicate** whether a Customized Approach was used: ☐ Yes ☐ No                                                      |
+----------------------------------------------------------------------------------------------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used.                      |
| \<Enter Response Here\>                                                                                              |
|                                                                                                                      |
| ***Note:** The use of Customized Approach must also be documented in                                                 |
| [Appendix E.](#appendix-e-customized-approach-template)*                                                             |
+----------------------------------------------------------------------------------------------------------------------+
| **Validation Method -- Defined Approach**                                                                            |
+----------------------------------------------------------------------------------------------------------------------+
| **Indicate** whether a Compensating Control was used: ☐ Yes ☐ No                                                     |
+----------------------------------------------------------------------------------------------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used.                  |
| \<Enter Response Here\>                                                                                              |
|                                                                                                                      |
| ***Note:** The use of Compensating Controls must also be documented in                                               |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*                                                          |
+----------------------------------------------------------------------------------------------------------------------+
+-----------------------------------------+------------------------------------------------+---------------------------+
| **Testing Procedures**                  | **Reporting Instructions**                     | **Reporting Details:      |
|                                         |                                                | Assessor's Response**     |
+=========================================+================================================+===========================+
| **1.4.3** Examine vendor documentation  | **Identify** the evidence reference            | \<Enter Response Here\>   |
| and configurations for NSCs to verify   | number(s) from                                 |                           |
| that anti-spoofing measures are         | [Section 6](#evidence-assessment-workpapers)   |                           |
| implemented to detect and block forged  | for all **vendor documentation** examined      |                           |
| source IP addresses from entering the   | for this testing procedure.                    |                           |
| trusted network.                        |                                                |                           |
+-----------------------------------------+------------------------------------------------+---------------------------+
|                                         | **Identify** the evidence reference            | \<Enter Response Here\>   |
|                                         | number(s) from                                 |                           |
|                                         | [Section 6](#evidence-assessment-workpapers)   |                           |
|                                         | for all **configurations** examined for this   |                           |
|                                         | testing procedure.                             |                           |
+-----------------------------------------+------------------------------------------------+---------------------------+
+----------------------------------------------------------------------------------------------------------------------+
| **PCI DSS Requirement**                                                                                              |
+----------------------------------------------------------------------------------------------------------------------+
| **1.4.4** System components that store cardholder data are not directly accessible from untrusted networks.          |
+----------------------------------------------------------------------------------------------------------------------+
| **Assessment Findings (select one)**                                                                                 |
+-----------------------------+-----------------------------+-----------------------------+----------------------------+
| **In Place**                | **Not Applicable**          | **Not Tested**              | **Not in Place**           |
+-----------------------------+-----------------------------+-----------------------------+----------------------------+
| ☐                           | ☐                           | ☐                           | ☐                          |
+-----------------------------+-----------------------------+-----------------------------+----------------------------+
| Describe why the assessment finding was selected. \<Enter Response Here\>                                            |
|                                                                                                                      |
| ***Note**: Include all details as noted in the "Required Reporting" column of the table in                           |
| [Assessment Findings](#assessment-findings) in the ROC Template Instructions.*                                       |
+----------------------------------------------------------------------------------------------------------------------+
| **Validation Method -- Customized Approach**                                                                         |
+----------------------------------------------------------------------------------------------------------------------+
| **Indicate** whether a Customized Approach was used: ☐ Yes ☐ No                                                      |
+----------------------------------------------------------------------------------------------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used.                      |
| \<Enter Response Here\>                                                                                              |
|                                                                                                                      |
| ***Note:** The use of Customized Approach must also be documented in                                                 |
| [Appendix E.](#appendix-e-customized-approach-template)*                                                             |
+----------------------------------------------------------------------------------------------------------------------+
| **Validation Method -- Defined Approach**                                                                            |
+----------------------------------------------------------------------------------------------------------------------+
| **Indicate** whether a Compensating Control was used: ☐ Yes ☐ No                                                     |
+----------------------------------------------------------------------------------------------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used.                  |
| \<Enter Response Here\>                                                                                              |
|                                                                                                                      |
| ***Note:** The use of Compensating Controls must also be documented in                                               |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*                                                          |
+----------------------------------------------------------------------------------------------------------------------+
+-----------------------------------------+------------------------------------------------+---------------------------+
| **Testing Procedures**                  | **Reporting Instructions**                     | **Reporting Details:      |
|                                         |                                                | Assessor's Response**     |
+=========================================+================================================+===========================+
| **1.4.4.a** Examine the data-flow       | **Identify** the evidence reference            | \<Enter Response Here\>   |
| diagram and network diagram to verify   | number(s) from                                 |                           |
| that it is documented that system       | [Section 6](#evidence-assessment-workpapers)   |                           |
| components storing cardholder data are  | for all **data-flow diagram** examined for     |                           |
| not directly accessible from the        | this testing procedure.                        |                           |
| untrusted networks.                     |                                                |                           |
+-----------------------------------------+------------------------------------------------+---------------------------+
|                                         | **Identify** the evidence reference            | \<Enter Response Here\>   |
|                                         | number(s) from                                 |                           |
|                                         | [Section 6](#evidence-assessment-workpapers)   |                           |
|                                         | for all **network diagram** examined for this  |                           |
|                                         | testing procedure.                             |                           |
+-----------------------------------------+------------------------------------------------+---------------------------+
| **1.4.4.b** Examine configurations of   | **Identify** the evidence reference            | \<Enter Response Here\>   |
| NSCs to verify that controls are        | number(s) from                                 |                           |
| implemented such that system            | [Section 6](#evidence-assessment-workpapers)   |                           |
| components storing cardholder data are  | for all **configurations** examined for this   |                           |
| not directly accessible from untrusted  | testing procedure.                             |                           |
| networks.                               |                                                |                           |
+-----------------------------------------+------------------------------------------------+---------------------------+
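The following is an added example and is not part of the ROC template or of any PCI SSC material. It models the FORWARD chain of a packet-filtering NSC written in iptables-save syntax and runs the two configuration checks that testing procedures 1.4.3 and 1.4.4.b ask the assessor to make: that forged trusted-range sources arriving on the untrusted interface are dropped, and that no rule lets an Internet source reach a system component storing cardholder data. The interface layout (eth0 untrusted, eth1 DMZ web tier, eth2 CDE database segment), the addresses and the rule set are constructed assumptions; the model is first-match over `-i`, `-o`, `-s`, `-d`, `-p` and `--dport` only, with no connection tracking, no `!` negation and no chains other than FORWARD.

```python
"""Added example (not part of the PCI DSS ROC template): a first-match model of
an NSC FORWARD chain in iptables-save syntax, used for the configuration checks
behind 1.4.3 (anti-spoofing) and 1.4.4.b (CHD store not directly reachable).
Interfaces, addresses and rules are constructed; '!' negation, state tracking
and chains other than FORWARD are not modelled."""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional

# Constructed NSC configuration. Assumed layout: eth0 faces the untrusted
# network, eth1 is the DMZ web tier, eth2 is the CDE database segment.
NSC_CONFIG = """
*filter
:FORWARD DROP [0:0]
# 1.4.3: forged trusted/private sources must never arrive on the untrusted side
-A FORWARD -i eth0 -s 10.0.0.0/8 -j DROP
-A FORWARD -i eth0 -s 172.16.0.0/12 -j DROP
-A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
# 1.4.2: inbound from untrusted is limited to the DMZ web tier on 443
-A FORWARD -i eth0 -o eth1 -d 10.10.0.10/32 -p tcp --dport 443 -j ACCEPT
# 1.4.4: only the web tier may reach the CDE database, and only on 5432
-A FORWARD -i eth1 -o eth2 -s 10.10.0.10/32 -d 10.20.0.5/32 -p tcp --dport 5432 -j ACCEPT
COMMIT
"""

TRUSTED_PREFIXES = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
CHD_STORES = {"10.20.0.5": "eth2"}     # constructed: database holding CHD, behind eth2
WEB_TIER = ("eth1", "10.10.0.10", 443)  # the one destination permitted from eth0
PROBE_PORTS = (22, 443, 1433, 3306, 5432)
INTERNET_SRC = "203.0.113.7"            # documentation address standing in for the Internet


@dataclass(frozen=True)
class Packet:
    in_iface: str
    out_iface: str
    src: str
    dst: str
    proto: str = "tcp"
    dport: Optional[int] = None


@dataclass
class Rule:
    """One '-A FORWARD' rule; an unset field matches anything."""
    in_iface: Optional[str] = None
    out_iface: Optional[str] = None
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    target: str = "DROP"

    def matches(self, p: Packet) -> bool:
        return all([self.in_iface in (None, p.in_iface), self.out_iface in (None, p.out_iface),
                    self.src is None or ipaddress.ip_address(p.src) in self.src,
                    self.dst is None or ipaddress.ip_address(p.dst) in self.dst,
                    self.proto in (None, p.proto), self.dport in (None, p.dport)])


def parse_forward_chain(config: str):
    """Return (rules, policy) for the FORWARD chain of an iptables-save dump."""
    rules, policy = [], "DROP"
    simple = {"-i": "in_iface", "-o": "out_iface", "-p": "proto", "-j": "target"}
    for line in config.splitlines():
        line = line.strip()
        if line.startswith(":FORWARD "):
            policy = line.split()[1]
        elif line.startswith("-A FORWARD "):
            rule, toks = Rule(), shlex.split(line)[2:]
            for opt, val in zip(toks[::2], toks[1::2]):   # options come in pairs
                if opt in simple:
                    setattr(rule, simple[opt], val)
                elif opt in ("-s", "-d"):
                    setattr(rule, "src" if opt == "-s" else "dst",
                            ipaddress.ip_network(val, strict=False))
                elif opt == "--dport":
                    rule.dport = int(val)
            rules.append(rule)
    return rules, policy


def verdict(rules, policy: str, pkt: Packet) -> str:
    """First matching rule decides; otherwise the chain policy applies."""
    return next((r.target for r in rules if r.matches(pkt)), policy)


def reachable_from_untrusted(rules, policy, untrusted_iface="eth0"):
    """1.4.4.b check: (host, port) pairs an Internet source can reach on a CHD store."""
    return [(host, port) for host, iface in CHD_STORES.items() for port in PROBE_PORTS
            if verdict(rules, policy,
                       Packet(untrusted_iface, iface, INTERNET_SRC, host, "tcp", port)) == "ACCEPT"]


def spoofed_sources_accepted(rules, policy, untrusted_iface="eth0"):
    """1.4.3 check: forged trusted sources on the untrusted interface that still
    reach the destination 1.4.2 permits from that side."""
    out_iface, dst, port = WEB_TIER
    forged = [str(ipaddress.ip_network(p)[1]) for p in TRUSTED_PREFIXES]
    return [s for s in forged
            if verdict(rules, policy, Packet(untrusted_iface, out_iface, s, dst, "tcp", port)) == "ACCEPT"]


def with_drops_last(config: str) -> str:
    """The same rule set with the anti-spoofing DROPs after the ACCEPTs: the
    ordering mistake that fails 1.4.3 even though every rule is present."""
    lines = config.splitlines()
    drops = [l for l in lines if l.startswith("-A FORWARD") and l.endswith("-j DROP")]
    rest = [l for l in lines if l not in drops]
    end = rest.index("COMMIT")
    return "\n".join(rest[:end] + drops + rest[end:])
```

Rule order is the detail that decides 1.4.3: `with_drops_last` keeps every rule but moves the anti-spoofing DROPs below the ACCEPT, and a forged 10.0.0.1 arriving on eth0 is then accepted, so an assessor should confirm where the anti-spoofing rules sit, not only that they exist. Feed the parser an exported configuration (`iptables-save` output, or the vendor's equivalent) rather than a retyped summary, and extend `CHD_STORES` and `PROBE_PORTS` to the entity's actual data stores and services.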
+----------------------------------------------------------------------------------------------------------------------+
| **PCI DSS Requirement**                                                                                              |
+----------------------------------------------------------------------------------------------------------------------+
| **1.4.5** The disclosure of internal IP addresses and routing information is limited to only authorized parties.     |
+----------------------------------------------------------------------------------------------------------------------+
| **Assessment Findings (select one)**                                                                                 |
+-----------------------------+-----------------------------+-----------------------------+----------------------------+
| **In Place**                | **Not Applicable**          | **Not Tested**              | **Not in Place**           |
+-----------------------------+-----------------------------+-----------------------------+----------------------------+
| ☐                           | ☐                           | ☐                           | ☐                          |
+-----------------------------+-----------------------------+-----------------------------+----------------------------+
| Describe why the assessment finding was selected. \<Enter Response Here\>                                            |
|                                                                                                                      |
| ***Note**: Include all details as noted in the "Required Reporting" column of the table in                           |
| [Assessment Findings](#assessment-findings) in the ROC Template Instructions.*                                       |
+----------------------------------------------------------------------------------------------------------------------+
| **Validation Method -- Customized Approach**                                                                         |
+----------------------------------------------------------------------------------------------------------------------+
| **Indicate** whether a Customized Approach was used: ☐ Yes ☐ No                                                      |
+----------------------------------------------------------------------------------------------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used.                      |
| \<Enter Response Here\>                                                                                              |
|                                                                                                                      |
| ***Note:** The use of Customized Approach must also be documented in                                                 |
| [Appendix E.](#appendix-e-customized-approach-template)*                                                             |
+----------------------------------------------------------------------------------------------------------------------+
| **Validation Method -- Defined Approach**                                                                            |
+----------------------------------------------------------------------------------------------------------------------+
| **Indicate** whether a Compensating Control was used: ☐ Yes ☐ No                                                     |
+----------------------------------------------------------------------------------------------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used.                  |
| \<Enter Response Here\>                                                                                              |
|                                                                                                                      |
| ***Note:** The use of Compensating Controls must also be documented in                                               |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*                                                          |
+----------------------------------------------------------------------------------------------------------------------+
+-----------------------------------------+------------------------------------------------+---------------------------+
| **Testing Procedures**                  | **Reporting Instructions**                     | **Reporting Details:      |
|                                         |                                                | Assessor's Response**     |
+=========================================+================================================+===========================+
| **1.4.5.a** Examine configurations of   | **Identify** the evidence reference            | \<Enter Response Here\>   |
| NSCs to verify that the disclosure of   | number(s) from                                 |                           |
| internal IP addresses and routing       | [Section 6](#evidence-assessment-workpapers)   |                           |
| information is limited to only          | for all **configurations** examined for this   |                           |
| authorized parties.                     | testing procedure.                             |                           |
+-----------------------------------------+------------------------------------------------+---------------------------+
| **1.4.5.b** Interview personnel and     | **Identify** the evidence reference            | \<Enter Response Here\>   |
| examine documentation to verify that    | number(s) from                                 |                           |
| controls are implemented such that any  | [Section 6](#evidence-assessment-workpapers)   |                           |
| disclosure of internal IP addresses     | for all **interview(s)** conducted for this    |                           |
| and routing information is limited to   | testing procedure.                             |                           |
| only authorized parties.                |                                                |                           |
+-----------------------------------------+------------------------------------------------+---------------------------+
|                                         | **Identify** the evidence reference            | \<Enter Response Here\>   |
|                                         | number(s) from                                 |                           |
|                                         | [Section 6](#evidence-assessment-workpapers)   |                           |
|                                         | for all **documentation** examined for this    |                           |
|                                         | testing procedure.                             |                           |
+-----------------------------------------+------------------------------------------------+---------------------------+
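Added example, not from the ROC template: one concrete check behind testing procedure 1.4.5.a. Internal addresses leak through the services behind an NSC as often as through the NSC itself, typically in redirect `Location` headers, backend-identifying headers and verbose error pages, so the code below scans raw HTTP responses for addresses in the ranges the entity treats as internal. The sample responses and the choice of RFC 1918, loopback and link-local ranges are constructed assumptions; NAT, ICMP handling and DNS exposure are other disclosure paths covered by the requirement that this check does not exercise.

```python
"""Added example (not part of the PCI DSS ROC template): scan HTTP responses for
internal IP addresses that would contradict Requirement 1.4.5. The sample
responses and the ranges treated as internal are constructed assumptions."""
import ipaddress
import re

# Ranges treated as internal for this check (RFC 1918, loopback, link-local).
# ipaddress.is_private is deliberately not used: it also flags documentation
# ranges such as 203.0.113.0/24, which are not internal addresses.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# A dotted quad that is not part of a longer dotted number (e.g. a version string).
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def is_internal(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # e.g. "300.1.2.3" matched the regex but is not an address
        return False
    return any(ip in net for net in INTERNAL_RANGES)


def find_internal_addresses(response: str):
    """Return [(where, address)] for each internal address disclosed by one raw
    HTTP response (status line, headers, blank line, body)."""
    head, _, body = response.replace("\r\n", "\n").partition("\n\n")
    hits = []
    for line in head.splitlines()[1:]:        # skip the status line
        name, _, value = line.partition(":")
        hits += [(f"header {name.strip()}", a) for a in IPV4_RE.findall(value) if is_internal(a)]
    hits += [("body", a) for a in IPV4_RE.findall(body) if is_internal(a)]
    return hits


def audit(responses: dict) -> dict:
    """Map each response name to its disclosures, keeping only responses with findings."""
    findings = {name: find_internal_addresses(r) for name, r in responses.items()}
    return {name: hits for name, hits in findings.items() if hits}


# Constructed sample responses.
LEAKY_REDIRECT = """HTTP/1.1 302 Found
Server: nginx
Location: http://192.168.10.20/login
X-Backend-Server: 10.20.0.5
Content-Length: 0

"""
ERROR_PAGE = """HTTP/1.1 500 Internal Server Error
Server: Apache
Content-Type: text/html

<h1>Database error</h1>
<p>could not connect to server 172.16.5.9:5432 (payments-db)</p>"""
CLEAN_PAGE = """HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html

<p>Build 4.2.1.7, served to client 203.0.113.7</p>"""

SAMPLES = {"redirect": LEAKY_REDIRECT, "error": ERROR_PAGE, "clean": CLEAN_PAGE}
```

Run `audit` over responses captured from every externally reachable service in scope, including error conditions provoked deliberately (unknown paths, malformed parameters), since the error page is where backend addresses most often surface. Every hit is either a finding against 1.4.5 or needs a documented reason why the recipient is an authorized party.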
+----------------------------------------------------------------------------------------------------------------------+
| **Requirement Description**                                                                                          |
+----------------------------------------------------------------------------------------------------------------------+
| **1.5** Risks to the CDE from computing devices that are able to connect to both untrusted networks and              |
| the CDE are mitigated.                                                                                               |
+----------------------------------------------------------------------------------------------------------------------+
| **PCI DSS Requirement**                                                                                              |
+----------------------------------------------------------------------------------------------------------------------+
| **1.5.1** Security controls are implemented on any computing devices, including company- and employee-owned          |
| devices, that connect to both untrusted networks (including the Internet) and the CDE as follows:                    |
|                                                                                                                      |
| - Specific configuration settings are defined to prevent threats being introduced into the entity's network.         |
| - Security controls are actively running.                                                                            |
| - Security controls are not alterable by users of the computing devices unless specifically documented and           |
|   authorized by management on a case-by-case basis for a limited period.                                             |
+----------------------------------------------------------------------------------------------------------------------+
| **Assessment Findings (select one)**                                                                                 |
+-----------------------------+-----------------------------+-----------------------------+----------------------------+
| **In Place**                | **Not Applicable**          | **Not Tested**              | **Not in Place**           |
+-----------------------------+-----------------------------+-----------------------------+----------------------------+
| ☐                           | ☐                           | ☐                           | ☐                          |
+-----------------------------+-----------------------------+-----------------------------+----------------------------+
| Describe why the assessment finding was selected. \<Enter Response Here\>                                            |
|                                                                                                                      |
| ***Note**: Include all details as noted in the "Required Reporting" column of the table in                           |
| [Assessment Findings](#assessment-findings) in the ROC Template Instructions.*                                       |
+----------------------------------------------------------------------------------------------------------------------+
| **Validation Method -- Customized Approach**                                                                         |
+----------------------------------------------------------------------------------------------------------------------+
| **Indicate** whether a Customized Approach was used: ☐ Yes ☐ No                                                      |
+----------------------------------------------------------------------------------------------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used.                      |
| \<Enter Response Here\>                                                                                              |
|                                                                                                                      |
| ***Note:** The use of Customized Approach must also be documented in                                                 |
| [Appendix E.](#appendix-e-customized-approach-template)*                                                             |
+----------------------------------------------------------------------------------------------------------------------+
| **Validation Method -- Defined Approach**                                                                            |
+----------------------------------------------------------------------------------------------------------------------+
| **Indicate** whether a Compensating Control was used: ☐ Yes ☐ No                                                     |
+----------------------------------------------------------------------------------------------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used.                  |
| \<Enter Response Here\>                                                                                              |
|                                                                                                                      |
| ***Note:** The use of Compensating Controls must also be documented in                                               |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*                                                          |
+----------------------------------------------------------------------------------------------------------------------+
+-----------------------------------------+------------------------------------------------+---------------------------+
| **Testing Procedures**                  | **Reporting Instructions**                     | **Reporting Details:      |
|                                         |                                                | Assessor's Response**     |
+=========================================+================================================+===========================+
| **1.5.1.a** Examine policies and        | **Identify** the evidence reference            | \<Enter Response Here\>   |
| configuration standards and interview   | number(s) from                                 |                           |
| personnel to verify security controls   | [Section 6](#evidence-assessment-workpapers)   |                           |
| for computing devices that connect to   | for all **policies** examined for this testing |                           |
| both untrusted networks, and the CDE,   | procedure.                                     |                           |
| are implemented in accordance with all  |                                                |                           |
| elements specified in this requirement. |                                                |                           |
+-----------------------------------------+------------------------------------------------+---------------------------+
|                                         | **Identify** the evidence reference            | \<Enter Response Here\>   |
|                                         | number(s) from                                 |                           |
|                                         | [Section 6](#evidence-assessment-workpapers)   |                           |
|                                         | for all **configuration standards** examined   |                           |
|                                         | for this testing procedure.                    |                           |
+-----------------------------------------+------------------------------------------------+---------------------------+
|                                         | **Identify** the evidence reference            | \<Enter Response Here\>   |
|                                         | number(s) from                                 |                           |
|                                         | [Section 6](#evidence-assessment-workpapers)   |                           |
|                                         | for all **interview(s)** conducted for this    |                           |
|                                         | testing procedure.                             |                           |
+-----------------------------------------+------------------------------------------------+---------------------------+
| **1.5.1.b** Examine configuration       | **Identify** the evidence reference            | \<Enter Response Here\>   |
| settings on computing devices that      | number(s) from                                 |                           |
| connect to both untrusted networks and  | [Section 6](#evidence-assessment-workpapers)   |                           |
| the CDE to verify settings are          | for all **configuration settings** examined    |                           |
| implemented in accordance with all      | for this testing procedure.                    |                           |
| elements specified in this requirement. |                                                |                           |
+-----------------------------------------+------------------------------------------------+---------------------------+
### Requirement 2: Apply Secure Configurations to All System Components {#requirement-2-apply-secure-configurations-to-all-system-components .unnumbered}
+----------------------------------------------------------------------------------------------------------------------+
| **Requirement Description**                                                                                          |
+----------------------------------------------------------------------------------------------------------------------+
| **2.1** Processes and mechanisms for applying secure configurations to all system components are defined and         |
| understood.                                                                                                          |
+----------------------------------------------------------------------------------------------------------------------+
| **PCI DSS Requirement**                                                                                              |
+----------------------------------------------------------------------------------------------------------------------+
| **2.1.1** All security policies and operational procedures that are identified in Requirement 2 are:                 |
|                                                                                                                      |
| - Documented.                                                                                                        |
| - Kept up to date.                                                                                                   |
| - In use.                                                                                                            |
| - Known to all affected parties.                                                                                     |
+----------------------------------------------------------------------------------------------------------------------+
| **Assessment Findings (select one)**                                                                                 |
+-----------------------------+-----------------------------+-----------------------------+----------------------------+
| **In Place**                | **Not Applicable**          | **Not Tested**              | **Not in Place**           |
+-----------------------------+-----------------------------+-----------------------------+----------------------------+
| ☐                           | ☐                           | ☐                           | ☐                          |
+-----------------------------+-----------------------------+-----------------------------+----------------------------+
| Describe why the assessment finding was selected. \<Enter Response Here\>                                            |
|                                                                                                                      |
| ***Note**: Include all details as noted in the "Required Reporting" column of the table in                           |
| [Assessment Findings](#assessment-findings) in the ROC Template Instructions.*                                       |
+----------------------------------------------------------------------------------------------------------------------+
| **Validation Method -- Customized Approach**                                                                         |
+----------------------------------------------------------------------------------------------------------------------+
| **Indicate** whether a Customized Approach was used: ☐ Yes ☐ No                                                      |
+----------------------------------------------------------------------------------------------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used.                      |
| \<Enter Response Here\>                                                                                              |
|                                                                                                                      |
| ***Note:** The use of Customized Approach must also be documented in                                                 |
| [Appendix E.](#appendix-e-customized-approach-template)*                                                             |
+----------------------------------------------------------------------------------------------------------------------+
| **Validation Method -- Defined Approach**                                                                            |
+----------------------------------------------------------------------------------------------------------------------+
| **Indicate** whether a Compensating Control was used: ☐ Yes ☐ No                                                     |
+----------------------------------------------------------------------------------------------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used.                  |
| \<Enter Response Here\>                                                                                              |
|                                                                                                                      |
| ***Note:** The use of Compensating Controls must also be documented in                                               |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*                                                          |
+----------------------------------------------------------------------------------------------------------------------+
+-----------------------------------------+------------------------------------------------+---------------------------+
| **Testing Procedures**                  | **Reporting Instructions**                     | **Reporting Details:      |
|                                         |                                                | Assessor's Response**     |
+=========================================+================================================+===========================+
| **2.1.1** Examine documentation and     | **Identify** the evidence reference            | \<Enter Response Here\>   |
| interview personnel to verify that      | number(s) from                                 |                           |
| security policies and operational       | [Section 6](#evidence-assessment-workpapers)   |                           |
| procedures identified in Requirement 2  | for all **documentation** examined for this    |                           |
| are managed in accordance with all      | testing procedure.                             |                           |
| elements specified in this requirement. |                                                |                           |
+-----------------------------------------+------------------------------------------------+---------------------------+
|                                         | **Identify** the evidence reference            | \<Enter Response Here\>   |
|                                         | number(s) from                                 |                           |
|                                         | [Section 6](#evidence-assessment-workpapers)   |                           |
|                                         | for all **interview(s)** conducted for this    |                           |
|                                         | testing procedure.                             |                           |
+-----------------------------------------+------------------------------------------------+---------------------------+
+----------------------------------------------------------------------------------------------------------------------+
| **PCI DSS Requirement**                                                                                              |
+----------------------------------------------------------------------------------------------------------------------+
| **2.1.2** Roles and responsibilities for performing activities in Requirement 2 are documented, assigned, and        |
| understood.                                                                                                          |
+----------------------------------------------------------------------------------------------------------------------+
| **Assessment Findings (select one)**                                                                                 |
+-----------------------------+-----------------------------+-----------------------------+----------------------------+
| **In Place**                | **Not Applicable**          | **Not Tested**              | **Not in Place**           |
+-----------------------------+-----------------------------+-----------------------------+----------------------------+
| ☐                           | ☐                           | ☐                           | ☐                          |
+-----------------------------+-----------------------------+-----------------------------+----------------------------+
| Describe why the assessment finding was selected. \<Enter Response Here\>                                            |
|                                                                                                                      |
| ***Note**: Include all details as noted in the "Required Reporting" column of the table in                           |
| [Assessment Findings](#assessment-findings) in the ROC Template Instructions.*                                       |
+----------------------------------------------------------------------------------------------------------------------+
| **Validation Method -- Customized Approach**                                                                         |
+----------------------------------------------------------------------------------------------------------------------+
| **Indicate** whether a Customized Approach was used: ☐ Yes ☐ No                                                      |
+----------------------------------------------------------------------------------------------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used.                      |
| \<Enter Response Here\>                                                                                              |
|                                                                                                                      |
| ***Note:** The use of Customized Approach must also be documented in                                                 |
| [Appendix E.](#appendix-e-customized-approach-template)*                                                             |
+----------------------------------------------------------------------------------------------------------------------+
| **Validation Method -- Defined Approach**                                                                            |
+----------------------------------------------------------------------------------------------------------------------+
| **Indicate** whether a Compensating Control was used: ☐ Yes ☐ No                                                     |
+----------------------------------------------------------------------------------------------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used.                  |
| \<Enter Response Here\>                                                                                              |
|                                                                                                                      |
| ***Note:** The use of Compensating Controls must also be documented in                                               |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*                                                          |
+----------------------------------------------------------------------------------------------------------------------+
+-----------------------------------------+------------------------------------------------+---------------------------+
| **Testing Procedures**                  | **Reporting Instructions**                     | **Reporting Details:      |
|                                         |                                                | Assessor's Response**     |
+=========================================+================================================+===========================+
| **2.1.2.a** Examine documentation to    | **Identify** the evidence reference            | \<Enter Response Here\>   |
| verify that descriptions of roles and   | number(s) from                                 |                           |
| responsibilities for performing         | [Section 6](#evidence-assessment-workpapers)   |                           |
| activities in Requirement 2 are         | for all **documentation** examined for this    |                           |
| documented and assigned.                | testing procedure.                             |                           |
+-----------------------------------------+------------------------------------------------+---------------------------+
| **2.1.2.b** Interview personnel with    | **Identify** the evidence reference            | \<Enter Response Here\>   |
| responsibility for performing           | number(s) from                                 |                           |
| activities in Requirement 2 to verify   | [Section 6](#evidence-assessment-workpapers)   |                           |
| that roles and responsibilities are     | for all **interview(s)** conducted for this    |                           |
| assigned as documented and are          | testing procedure.                             |                           |
| understood.                             |                                                |                           |
+-----------------------------------------+------------------------------------------------+---------------------------+

+------------------------------------------------------+--------------------+------------------+--------------------------+
| **Requirement Description**                          |                    |                  |                          |
+======================================================+====================+==================+==========================+
| **2.2** System components are configured and managed |                    |                  |                          |
| securely.                                            |                    |                  |                          |
+------------------------------------------------------+--------------------+------------------+--------------------------+
| > **PCI DSS Requirement**                            |                    |                  |                          |
+------------------------------------------------------+--------------------+------------------+--------------------------+
| **2.2.1** Configuration standards are developed,     |                    |                  |                          |
| implemented, and maintained to:                      |                    |                  |                          |
|                                                      |                    |                  |                          |
| - Cover all system components.                       |                    |                  |                          |
|                                                      |                    |                  |                          |
| - Address all known security vulnerabilities.        |                    |                  |                          |
|                                                      |                    |                  |                          |
| - Be consistent with industry-accepted system        |                    |                  |                          |
|   hardening standards or vendor hardening            |                    |                  |                          |
|   recommendations.                                   |                    |                  |                          |
|                                                      |                    |                  |                          |
| - Be updated as new vulnerability issues are         |                    |                  |                          |
|   identified, as defined in Requirement 6.3.1.       |                    |                  |                          |
|                                                      |                    |                  |                          |
| - Be applied when new systems are configured and     |                    |                  |                          |
|   verified as in place before or immediately after   |                    |                  |                          |
|   a system component is connected to a production    |                    |                  |                          |
|   environment.                                       |                    |                  |                          |
+------------------------------------------------------+--------------------+------------------+--------------------------+
| > **Assessment Findings (select one)**               |                    |                  |                          |
+------------------------------------------------------+--------------------+------------------+--------------------------+
| **In Place**                                         | **Not Applicable** | **Not Tested**   | **Not in Place**         |
+------------------------------------------------------+--------------------+------------------+--------------------------+
| ☐                                                    | ☐                  | ☐                | ☐                        |
+------------------------------------------------------+--------------------+------------------+--------------------------+
| Describe why the assessment finding was selected.    |                    |                  | \<Enter Response Here\>  |
|                                                      |                    |                  |                          |
| ***Note**: Include all details as noted in the       |                    |                  |                          |
| "Required Reporting" column of the table in          |                    |                  |                          |
| [Assessment Findings](#assessment-findings) in the   |                    |                  |                          |
| ROC Template Instructions.*                          |                    |                  |                          |
+------------------------------------------------------+--------------------+------------------+--------------------------+

+------------------------------------------------------+----------------------------------------+----------------------------+
| **Validation Method -- Customized Approach**         |                                        |                            |
+------------------------------------------------------+----------------------------------------+----------------------------+
| **Indicate** whether a Customized Approach was used: |                                        | ☐ Yes ☐ No                 |
+------------------------------------------------------+----------------------------------------+----------------------------+
| **If "Yes", Identify** the aspect(s) of the          |                                        | \<Enter Response Here\>    |
| requirement where the Customized Approach was used.  |                                        |                            |
|                                                      |                                        |                            |
| ***Note:** The use of Customized Approach must also  |                                        |                            |
| be documented in [Appendix                           |                                        |                            |
| E.](#appendix-e-customized-approach-template)*       |                                        |                            |
+------------------------------------------------------+----------------------------------------+----------------------------+


+------------------------------------------------------+----------------------------------------+----------------------------+
| **Validation Method -- Defined Approach**            |                                        |                            |
+------------------------------------------------------+----------------------------------------+----------------------------+
| **Indicate** whether a Compensating Control was      |                                        | ☐ Yes ☐ No                 |
| used:                                                |                                        |                            |
+------------------------------------------------------+----------------------------------------+----------------------------+
| **If "Yes", Identify** the aspect(s) of the          |                                        | \<Enter Response Here\>    |
| requirement where the Compensating Control(s) was    |                                        |                            |
| used.                                                |                                        |                            |
|                                                      |                                        |                            |
| ***Note:** The use of Compensating Controls must     |                                        |                            |
| also be documented in [Appendix                      |                                        |                            |
| C.](#appendix-c-compensating-controls-worksheet)*    |                                        |                            |
+------------------------------------------------------+----------------------------------------+----------------------------+
| > **Testing Procedures**                             | > **Reporting Instructions**           | > **Reporting Details:     |
|                                                      |                                        | > Assessor's Response**    |
+------------------------------------------------------+----------------------------------------+----------------------------+
| **2.2.1.a** Examine system configuration standards   | **Identify** the evidence reference    | \<Enter Response Here\>    |
| to verify they define processes that include all     | number(s) from [Section                |                            |
| elements specified in this requirement.              | 6](#evidence-assessment-workpapers)    |                            |
|                                                      | for all **system configuration         |                            |
|                                                      | standards** examined for this testing  |                            |
|                                                      | procedure.                             |                            |
+------------------------------------------------------+----------------------------------------+----------------------------+
| **2.2.1.b** Examine policies and procedures and      | **Identify** the evidence reference    | \<Enter Response Here\>    |
| interview personnel to verify that system            | number(s) from [Section                |                            |
| configuration standards are updated as new           | 6](#evidence-assessment-workpapers)    |                            |
| vulnerability issues are identified, as defined in   | for all **policies and procedures**    |                            |
| Requirement 6.3.1.                                   | examined for this testing procedure.   |                            |
+------------------------------------------------------+----------------------------------------+----------------------------+
|                                                      | **Identify** the evidence reference    | \<Enter Response Here\>    |
|                                                      | number(s) from [Section                |                            |
|                                                      | 6](#evidence-assessment-workpapers)    |                            |
|                                                      | for all **interview(s)** conducted for |                            |
|                                                      | this testing procedure.                |                            |
+------------------------------------------------------+----------------------------------------+----------------------------+
| **2.2.1.c** Examine configuration settings and       | **Identify** the evidence reference    | \<Enter Response Here\>    |
| interview personnel to verify that system            | number(s) from [Section                |                            |
| configuration standards are applied when new         | 6](#evidence-assessment-workpapers)    |                            |
| systems are configured and verified as being in      | for all **configuration settings**     |                            |
| place before or immediately after a system           | examined for this testing procedure.   |                            |
| component is connected to a production               |                                        |                            |
| environment.                                         |                                        |                            |
+------------------------------------------------------+----------------------------------------+----------------------------+
|                                                      | **Identify** the evidence reference    | \<Enter Response Here\>    |
|                                                      | number(s) from [Section                |                            |
|                                                      | 6](#evidence-assessment-workpapers)    |                            |
|                                                      | for all **interview(s)** conducted for |                            |
|                                                      | this testing procedure.                |                            |
+------------------------------------------------------+----------------------------------------+----------------------------+


+------------------------------------------------------+--------------------+------------------+--------------------------+
| > **PCI DSS Requirement**                            |                    |                  |                          |
+======================================================+====================+==================+==========================+
| **2.2.2** Vendor default accounts are managed as     |                    |                  |                          |
| follows:                                             |                    |                  |                          |
|                                                      |                    |                  |                          |
| - If the vendor default account(s) will be used, the |                    |                  |                          |
|   default password is changed per Requirement 8.3.6. |                    |                  |                          |
|                                                      |                    |                  |                          |
| - If the vendor default account(s) will not be used, |                    |                  |                          |
|   the account is removed or disabled.                |                    |                  |                          |
+------------------------------------------------------+--------------------+------------------+--------------------------+
| > **Assessment Findings (select one)**               |                    |                  |                          |
+------------------------------------------------------+--------------------+------------------+--------------------------+
| **In Place**                                         | **Not Applicable** | **Not Tested**   | **Not in Place**         |
+------------------------------------------------------+--------------------+------------------+--------------------------+
| ☐                                                    | ☐                  | ☐                | ☐                        |
+------------------------------------------------------+--------------------+------------------+--------------------------+
| Describe why the assessment finding was selected.    |                    |                  | \<Enter Response Here\>  |
|                                                      |                    |                  |                          |
| ***Note**: Include all details as noted in the       |                    |                  |                          |
| "Required Reporting" column of the table in          |                    |                  |                          |
| [Assessment Findings](#assessment-findings) in the   |                    |                  |                          |
| ROC Template Instructions.*                          |                    |                  |                          |
+------------------------------------------------------+--------------------+------------------+--------------------------+

+------------------------------------------------------+----------------------------------------+----------------------------+
| **Validation Method -- Customized Approach**         |                                        |                            |
+------------------------------------------------------+----------------------------------------+----------------------------+
| **Indicate** whether a Customized Approach was used: |                                        | ☐ Yes ☐ No                 |
+------------------------------------------------------+----------------------------------------+----------------------------+
| **If "Yes", Identify** the aspect(s) of the          |                                        | \<Enter Response Here\>    |
| requirement where the Customized Approach was used.  |                                        |                            |
|                                                      |                                        |                            |
| ***Note:** The use of Customized Approach must also  |                                        |                            |
| be documented in [Appendix                           |                                        |                            |
| E.](#appendix-e-customized-approach-template)*       |                                        |                            |
+------------------------------------------------------+----------------------------------------+----------------------------+
| **Validation Method -- Defined Approach**            |                                        |                            |
+------------------------------------------------------+----------------------------------------+----------------------------+
| **Indicate** whether a Compensating Control was      |                                        | ☐ Yes ☐ No                 |
| used:                                                |                                        |                            |
+------------------------------------------------------+----------------------------------------+----------------------------+
| **If "Yes", Identify** the aspect(s) of the          |                                        | \<Enter Response Here\>    |
| requirement where the Compensating Control(s) was    |                                        |                            |
| used.                                                |                                        |                            |
|                                                      |                                        |                            |
| ***Note:** The use of Compensating Controls must     |                                        |                            |
| also be documented in [Appendix                      |                                        |                            |
| C.](#appendix-c-compensating-controls-worksheet)*    |                                        |                            |
+------------------------------------------------------+----------------------------------------+----------------------------+


+------------------------------------------------------+----------------------------------------+----------------------------+
| > **Testing Procedures**                             | > **Reporting Instructions**           | > **Reporting Details:     |
|                                                      |                                        | > Assessor's Response**    |
+------------------------------------------------------+----------------------------------------+----------------------------+
| **2.2.2.a** Examine system configuration standards   | **Identify** the evidence reference    | \<Enter Response Here\>    |
| to verify they include managing vendor default       | number(s) from [Section                |                            |
| accounts in accordance with all elements specified   | 6](#evidence-assessment-workpapers)    |                            |
| in this requirement.                                 | for all **system configuration         |                            |
|                                                      | standards** examined for this testing  |                            |
|                                                      | procedure.                             |                            |
+------------------------------------------------------+----------------------------------------+----------------------------+
| **2.2.2.b** Examine vendor documentation and observe | **Identify** the evidence reference    | \<Enter Response Here\>    |
| a system administrator logging on using vendor       | number(s) from [Section                |                            |
| default accounts to verify accounts are implemented  | 6](#evidence-assessment-workpapers)    |                            |
| in accordance with all elements specified in this    | for all **vendor documentation**       |                            |
| requirement.                                         | examined for this testing procedure.   |                            |
+------------------------------------------------------+----------------------------------------+----------------------------+
|                                                      | **Identify** the evidence reference    | \<Enter Response Here\>    |
|                                                      | number(s) from [Section                |                            |
|                                                      | 6](#evidence-assessment-workpapers)    |                            |
|                                                      | for all **observation(s)** conducted   |                            |
|                                                      | for this testing procedure.            |                            |
+------------------------------------------------------+----------------------------------------+----------------------------+
| **2.2.2.c** Examine configuration files and          | **Identify** the evidence reference    | \<Enter Response Here\>    |
| interview personnel to verify that all vendor        | number(s) from [Section                |                            |
| default accounts that will not be used are removed   | 6](#evidence-assessment-workpapers)    |                            |
| or disabled.                                         | for all **configuration files**        |                            |
|                                                      | examined for this testing procedure.   |                            |
+------------------------------------------------------+----------------------------------------+----------------------------+
|                                                      | **Identify** the evidence reference    | \<Enter Response Here\>    |
|                                                      | number(s) from [Section                |                            |
|                                                      | 6](#evidence-assessment-workpapers)    |                            |
|                                                      | for all **interview(s)** conducted for |                            |
|                                                      | this testing procedure.                |                            |
+------------------------------------------------------+----------------------------------------+----------------------------+

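
The following is an added illustration and is not part of the ROC template or of any PCI SSC guidance. It turns the two bullets of Requirement 2.2.2 into a check an assessor or system owner could run over evidence: a constructed `/etc/shadow`-style snapshot plus a constructed inventory stating which vendor default accounts the organization intends to keep using. Two assumptions are built in and labelled in the code: a shadow hash field beginning with `!` or `*` is treated as a locked (disabled) account, and a password whose last-change day is not later than the system's provisioning day is treated as still being the vendor default (a proxy that the 2.2.2.b observation of an administrator logging on would confirm). Password strength itself is Requirement 8.3.6 and is not checked here.

```python
"""Vendor default account check for PCI DSS v4.0 Requirement 2.2.2 (added example)."""
from dataclasses import dataclass

# Constructed sample of /etc/shadow lines: name:hash:lastchg(days since epoch):...
# ASSUMPTION: a hash field starting with "!" or "*" means the account is locked.
SAMPLE_SHADOW = """\
root:$6$abc$fakehash:19500:0:99999:7:::
admin:$6$def$fakehash:19200:0:99999:7:::
support:!$6$ghi$fakehash:19200:0:99999:7:::
guest:*:19200:0:99999:7:::
"""

# Constructed inventory: vendor-shipped default accounts and whether the
# organization intends to use them (True = used, False = not used).
VENDOR_DEFAULTS = {
    "root": True,      # used: default password must have been changed
    "admin": True,     # used
    "support": False,  # not used: must be removed or disabled
    "guest": False,    # not used
    "service": False,  # not used and absent from shadow, i.e. removed
}

# Constructed: day (days since epoch) on which the system was provisioned.
# ASSUMPTION: a password last changed on or before this day is still the
# vendor default; the 2.2.2.b logon observation is the authoritative evidence.
PROVISION_DAY = 19300


@dataclass
class Finding:
    account: str
    in_place: bool
    reason: str


def parse_shadow(text):
    """Return {name: (locked, lastchg)} from shadow-formatted text."""
    records = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        name, pw_hash, lastchg = fields[0], fields[1], fields[2]
        locked = pw_hash.startswith(("!", "*"))
        records[name] = (locked, int(lastchg) if lastchg else 0)
    return records


def assess_vendor_defaults(shadow_text, defaults, provision_day):
    """Apply both bullets of 2.2.2 to every vendor default account."""
    records = parse_shadow(shadow_text)
    findings = []
    for account, will_be_used in defaults.items():
        present = account in records
        if will_be_used:
            # Bullet 1: account in use, so the default password must be changed.
            if not present:
                findings.append(Finding(account, False, "expected in use but not present"))
            elif records[account][0]:
                findings.append(Finding(account, False, "in use but locked"))
            elif records[account][1] > provision_day:
                findings.append(Finding(account, True, "default password changed after provisioning"))
            else:
                findings.append(Finding(account, False, "password unchanged since provisioning"))
        else:
            # Bullet 2: account not used, so it must be removed or disabled.
            if not present:
                findings.append(Finding(account, True, "account removed"))
            elif records[account][0]:
                findings.append(Finding(account, True, "account disabled (locked)"))
            else:
                findings.append(Finding(account, False, "unused vendor default account still enabled"))
    return findings


def not_in_place(findings):
    """Accounts that fail 2.2.2, in inventory order."""
    return [f.account for f in findings if not f.in_place]


if __name__ == "__main__":
    for f in assess_vendor_defaults(SAMPLE_SHADOW, VENDOR_DEFAULTS, PROVISION_DAY):
        status = "In Place" if f.in_place else "Not in Place"
        print(f"{f.account:10} {status:13} {f.reason}")
```

With the constructed inputs, `admin` is the only account reported Not in Place: it is marked as used, yet its password was last changed before the provisioning day. The structure of the decision, two branches keyed on whether the account will be used, mirrors the requirement text exactly, so the reason strings can be pasted into the assessor's response for 2.2.2.b and 2.2.2.c.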

+------------------------------------------------------+--------------------+------------------+--------------------------+
| > **PCI DSS Requirement**                            |                    |                  |                          |
+======================================================+====================+==================+==========================+
| **2.2.3** Primary functions requiring different      |                    |                  |                          |
| security levels are managed as follows:              |                    |                  |                          |
|                                                      |                    |                  |                          |
| - Only one primary function exists on a system       |                    |                  |                          |
|   component, OR                                      |                    |                  |                          |
|                                                      |                    |                  |                          |
| - Primary functions with differing security levels   |                    |                  |                          |
|   that exist on the same system component are        |                    |                  |                          |
|   isolated from each other, OR                       |                    |                  |                          |
|                                                      |                    |                  |                          |
| - Primary functions with differing security levels   |                    |                  |                          |
|   on the same system component are all secured to    |                    |                  |                          |
|   the level required by the function with the        |                    |                  |                          |
|   highest security need.                             |                    |                  |                          |
+------------------------------------------------------+--------------------+------------------+--------------------------+
| > **Assessment Findings (select one)**               |                    |                  |                          |
+------------------------------------------------------+--------------------+------------------+--------------------------+
| **In Place**                                         | **Not Applicable** | **Not Tested**   | **Not in Place**         |
+------------------------------------------------------+--------------------+------------------+--------------------------+
| ☐                                                    | ☐                  | ☐                | ☐                        |
+------------------------------------------------------+--------------------+------------------+--------------------------+
| Describe why the assessment finding was selected.    |                    |                  | \<Enter Response Here\>  |
|                                                      |                    |                  |                          |
| ***Note**: Include all details as noted in the       |                    |                  |                          |
| "Required Reporting" column of the table in          |                    |                  |                          |
| [Assessment Findings](#assessment-findings) in the   |                    |                  |                          |
| ROC Template Instructions.*                          |                    |                  |                          |
+------------------------------------------------------+--------------------+------------------+--------------------------+

+------------------------------------------------------+----------------------------------------+----------------------------+
| **Validation Method -- Customized Approach**         |                                        |                            |
+------------------------------------------------------+----------------------------------------+----------------------------+
| **Indicate** whether a Customized Approach was used: |                                        | ☐ Yes ☐ No                 |
+------------------------------------------------------+----------------------------------------+----------------------------+
| **If "Yes", Identify** the aspect(s) of the          |                                        | \<Enter Response Here\>    |
| requirement where the Customized Approach was used.  |                                        |                            |
|                                                      |                                        |                            |
| ***Note:** The use of Customized Approach must also  |                                        |                            |
| be documented in [Appendix                           |                                        |                            |
| E.](#appendix-e-customized-approach-template)*       |                                        |                            |
+------------------------------------------------------+----------------------------------------+----------------------------+
| **Validation Method -- Defined Approach**            |                                        |                            |
+------------------------------------------------------+----------------------------------------+----------------------------+
| **Indicate** whether a Compensating Control was      |                                        | ☐ Yes ☐ No                 |
| used:                                                |                                        |                            |
+------------------------------------------------------+----------------------------------------+----------------------------+
| **If "Yes", Identify** the aspect(s) of the          |                                        | \<Enter Response Here\>    |
| requirement where the Compensating Control(s) was    |                                        |                            |
| used.                                                |                                        |                            |
|                                                      |                                        |                            |
| ***Note:** The use of Compensating Controls must     |                                        |                            |
| also be documented in [Appendix                      |                                        |                            |
| C.](#appendix-c-compensating-controls-worksheet)*    |                                        |                            |
+------------------------------------------------------+----------------------------------------+----------------------------+


+------------------------------------------------------+----------------------------------------+----------------------------+
| > **Testing Procedures**                             | > **Reporting Instructions**           | > **Reporting Details:     |
|                                                      |                                        | > Assessor's Response**    |
+------------------------------------------------------+----------------------------------------+----------------------------+
| **2.2.3.a** Examine system configuration standards   | **Identify** the evidence reference    | \<Enter Response Here\>    |
| to verify they include managing primary functions    | number(s) from [Section                |                            |
| requiring different security levels as specified     | 6](#evidence-assessment-workpapers)    |                            |
| in this requirement.                                 | for all **system configuration         |                            |
|                                                      | standards** examined for this testing  |                            |
|                                                      | procedure.                             |                            |
+------------------------------------------------------+----------------------------------------+----------------------------+
| **2.2.3.b** Examine system configurations to verify  | **Identify** the evidence reference    | \<Enter Response Here\>    |
| that primary functions requiring different security  | number(s) from [Section                |                            |
| levels are managed per one of the ways specified in  | 6](#evidence-assessment-workpapers)    |                            |
| this requirement.                                    | for all **system configurations**      |                            |
|                                                      | examined for this testing procedure.   |                            |
+------------------------------------------------------+----------------------------------------+----------------------------+
| **2.2.3.c** Where virtualization technologies are    | **Identify** the evidence reference    | \<Enter Response Here\>    |
| used, examine the system configurations to verify    | number(s) from [Section                |                            |
| that system functions requiring different security   | 6](#evidence-assessment-workpapers)    |                            |
| levels are managed in one of the following ways:     | for all **system configurations**      |                            |
|                                                      | examined for this testing procedure.   |                            |
| - Functions with differing security needs do not     |                                        |                            |
|   co-exist on the same system component.             |                                        |                            |
|                                                      |                                        |                            |
| - Functions with differing security needs that       |                                        |                            |
|   exist on the same system component are isolated    |                                        |                            |
|   from each other.                                   |                                        |                            |
|                                                      |                                        |                            |
| - Functions with differing security needs on the     |                                        |                            |
|   same system component are all secured to the       |                                        |                            |
|   level required by the function with the highest    |                                        |                            |
|   security need.                                     |                                        |                            |
+------------------------------------------------------+----------------------------------------+----------------------------+


+------------------------------------------------------+--------------------+------------------+--------------------------+
| > **PCI DSS Requirement**                            |                    |                  |                          |
+======================================================+====================+==================+==========================+
| **2.2.4** Only necessary services, protocols,        |                    |                  |                          |
| daemons, and functions are enabled, and all          |                    |                  |                          |
| unnecessary functionality is removed or disabled.    |                    |                  |                          |
+------------------------------------------------------+--------------------+------------------+--------------------------+
| > **Assessment Findings (select one)**               |                    |                  |                          |
+------------------------------------------------------+--------------------+------------------+--------------------------+
| **In Place**                                         | **Not Applicable** | **Not Tested**   | **Not in Place**         |
+------------------------------------------------------+--------------------+------------------+--------------------------+
| ☐                                                    | ☐                  | ☐                | ☐                        |
+------------------------------------------------------+--------------------+------------------+--------------------------+
| Describe why the assessment finding was selected.    |                    |                  | \<Enter Response Here\>  |
|                                                      |                    |                  |                          |
| ***Note**: Include all details as noted in the       |                    |                  |                          |
| "Required Reporting" column of the table in          |                    |                  |                          |
| [Assessment Findings](#assessment-findings) in the   |                    |                  |                          |
| ROC Template Instructions.*                          |                    |                  |                          |
+------------------------------------------------------+--------------------+------------------+--------------------------+

+------------------------------------------------------+----------------------------------------+----------------------------+
| **Validation Method -- Customized Approach**         |                                        |                            |
+------------------------------------------------------+----------------------------------------+----------------------------+
| **Indicate** whether a Customized Approach was used: |                                        | ☐ Yes ☐ No                 |
+------------------------------------------------------+----------------------------------------+----------------------------+
| **If "Yes", Identify** the aspect(s) of the          |                                        | \<Enter Response Here\>    |
| requirement where the Customized Approach was used.  |                                        |                            |
|                                                      |                                        |                            |
| ***Note:** The use of Customized Approach must also  |                                        |                            |
| be documented in [Appendix                           |                                        |                            |
| E.](#appendix-e-customized-approach-template)*       |                                        |                            |
+------------------------------------------------------+----------------------------------------+----------------------------+
| **Validation Method -- Defined Approach**            |                                        |                            |
+------------------------------------------------------+----------------------------------------+----------------------------+
| **Indicate** whether a Compensating Control was      |                                        | ☐ Yes ☐ No                 |
| used:                                                |                                        |                            |
+------------------------------------------------------+----------------------------------------+----------------------------+
| **If "Yes", Identify** the aspect(s) of the          |                                        | \<Enter Response Here\>    |
| requirement where the Compensating Control(s) was    |                                        |                            |
| used.                                                |                                        |                            |
|                                                      |                                        |                            |
| ***Note:** The use of Compensating Controls must     |                                        |                            |
| also be documented in [Appendix                      |                                        |                            |
| C.](#appendix-c-compensating-controls-worksheet)*    |                                        |                            |
+------------------------------------------------------+----------------------------------------+----------------------------+


+------------------------------------------------------+----------------------------------------+----------------------------+
| > **Testing Procedures**                             | > **Reporting Instructions**           | > **Reporting Details:     |
|                                                      |                                        | > Assessor's Response**    |
+------------------------------------------------------+----------------------------------------+----------------------------+
| **2.2.4.a** Examine system configuration standards   | **Identify** the evidence reference    | \<Enter Response Here\>    |
| to verify necessary system services, protocols, and  | number(s) from [Section                |                            |
| daemons are identified and documented.               | 6](#evidence-assessment-workpapers)    |                            |
|                                                      | for all **system configuration         |                            |
|                                                      | standards** examined for this testing  |                            |
|                                                      | procedure.                             |                            |
+------------------------------------------------------+----------------------------------------+----------------------------+
| **2.2.4.b** Examine system configurations to verify  | **Identify** the evidence reference    | \<Enter Response Here\>    |
| the following:                                       | number(s) from [Section                |                            |
|                                                      | 6](#evidence-assessment-workpapers)    |                            |
| - All unnecessary functionality is removed or        | for all **system configurations**      |                            |
|   disabled.                                          | examined for this testing procedure.   |                            |
|                                                      |                                        |                            |
| - Only required functionality, as documented in the  |                                        |                            |
|   configuration standards, is enabled.               |                                        |                            |
+------------------------------------------------------+----------------------------------------+----------------------------+

+------------------------------------------------------+--------------------+------------------+--------------------------+
| > **PCI DSS Requirement**                            |                    |                  |                          |
+======================================================+====================+==================+==========================+
| **2.2.5** If any insecure services, protocols, or    |                    |                  |                          |
| daemons are present:                                 |                    |                  |                          |
|                                                      |                    |                  |                          |
| - Business justification is documented.              |                    |                  |                          |
|                                                      |                    |                  |                          |
| - Additional security features are documented and    |                    |                  |                          |
|   implemented that reduce the risk of using insecure |                    |                  |                          |
|   services, protocols, or daemons.                   |                    |                  |                          |
+------------------------------------------------------+--------------------+------------------+--------------------------+
| > **Assessment Findings (select one)**               |                    |                  |                          |
+------------------------------------------------------+--------------------+------------------+--------------------------+
| **In Place**                                         | **Not Applicable** | **Not Tested**   | **Not in Place**         |
+------------------------------------------------------+--------------------+------------------+--------------------------+
| ☐                                                    | ☐                  | ☐                | ☐                        |
+------------------------------------------------------+--------------------+------------------+--------------------------+
| Describe why the assessment finding was selected.    |                    |                  | \<Enter Response Here\>  |
|                                                      |                    |                  |                          |
| ***Note**: Include all details as noted in the       |                    |                  |                          |
| "Required Reporting" column of the table in          |                    |                  |                          |
| [Assessment Findings](#assessment-findings) in the   |                    |                  |                          |
| ROC Template Instructions.*                          |                    |                  |                          |
+------------------------------------------------------+--------------------+------------------+--------------------------+


+------------------------------------------------------+----------------------------------------+----------------------------+
| **Validation Method -- Customized Approach**         |                                        |                            |
+------------------------------------------------------+----------------------------------------+----------------------------+
| **Indicate** whether a Customized Approach was used: |                                        | ☐ Yes ☐ No                 |
+------------------------------------------------------+----------------------------------------+----------------------------+
| **If "Yes", Identify** the aspect(s) of the          |                                        | \<Enter Response Here\>    |
| requirement where the Customized Approach was used.  |                                        |                            |
|                                                      |                                        |                            |
| ***Note:** The use of Customized Approach must also  |                                        |                            |
| be documented in [Appendix                           |                                        |                            |
| E.](#appendix-e-customized-approach-template)*       |                                        |                            |
+------------------------------------------------------+----------------------------------------+----------------------------+
| **Validation Method -- Defined Approach**            |                                        |                            |
+------------------------------------------------------+----------------------------------------+----------------------------+
| **Indicate** whether a Compensating Control was      |                                        | ☐ Yes ☐ No                 |
| used:                                                |                                        |                            |
+------------------------------------------------------+----------------------------------------+----------------------------+
| **If "Yes", Identify** the aspect(s) of the          |                                        | \<Enter Response Here\>    |
| requirement where the Compensating Control(s) was    |                                        |                            |
| used.                                                |                                        |                            |
|                                                      |                                        |                            |
| ***Note:** The use of Compensating Controls must     |                                        |                            |
| also be documented in [Appendix                      |                                        |                            |
| C.](#appendix-c-compensating-controls-worksheet)*    |                                        |                            |
+------------------------------------------------------+----------------------------------------+----------------------------+
| > **Testing Procedures**                             | > **Reporting Instructions**           | > **Reporting Details:     |
|                                                      |                                        | > Assessor's Response**    |
+------------------------------------------------------+----------------------------------------+----------------------------+
| **2.2.5.a** If any insecure services, protocols, or  | **Identify** the evidence reference    | \<Enter Response Here\>    |
| daemons are present, examine system configuration    | number(s) from [Section                |                            |
| standards and interview personnel to verify they are | 6](#evidence-assessment-workpapers)    |                            |
| managed and implemented in accordance with all       | for all **system configuration         |                            |
| elements specified in this requirement.              | standards** examined for this testing  |                            |
|                                                      | procedure.                             |                            |
+------------------------------------------------------+----------------------------------------+----------------------------+
|                                                      | **Identify** the evidence reference    | \<Enter Response Here\>    |
|                                                      | number(s) from [Section                |                            |
|                                                      | 6](#evidence-assessment-workpapers)    |                            |
|                                                      | for all **interview(s)** conducted for |                            |
|                                                      | this testing procedure.                |                            |
+------------------------------------------------------+----------------------------------------+----------------------------+
| **2.2.5.b** If any insecure services, protocols, or  | **Identify** the evidence reference    | \<Enter Response Here\>    |
| daemons are present, examine configuration settings  | number(s) from [Section                |                            |
| to verify that additional security features are      | 6](#evidence-assessment-workpapers)    |                            |
| implemented to reduce the risk of using insecure     | for all **configuration settings**     |                            |
| services, daemons, and protocols.                    | examined for this testing procedure.   |                            |
+------------------------------------------------------+----------------------------------------+----------------------------+


+--------------------------------------------------+-------------------------------------+--------------------------+
| **PCI DSS Requirement**                          |                                     |                          |
+==================================================+=====================================+==========================+
| **2.2.6** System security parameters are         |                                     |                          |
| configured to prevent misuse.                    |                                     |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+
| **Assessment Findings (select one)**             |                                     |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+

+--------------------+--------------------+--------------------+--------------------+
| **In Place**       | **Not Applicable** | **Not Tested**     | **Not in Place**   |
+====================+====================+====================+====================+
| ☐                  | ☐                  | ☐                  | ☐                  |
+--------------------+--------------------+--------------------+--------------------+

+--------------------------------------------------+-------------------------------------+--------------------------+
| Describe why the assessment finding was          |                                     | \<Enter Response Here\>  |
| selected.                                        |                                     |                          |
|                                                  |                                     |                          |
| ***Note**: Include all details as noted in the   |                                     |                          |
| "Required Reporting" column of the table in      |                                     |                          |
| [Assessment Findings](#assessment-findings) in   |                                     |                          |
| the ROC Template Instructions.*                  |                                     |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+
| **Validation Method -- Customized Approach**     |                                     |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+
| **Indicate** whether a Customized Approach was   |                                     | ☐ Yes ☐ No               |
| used:                                            |                                     |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the      |                                     | \<Enter Response Here\>  |
| requirement where the Customized Approach was    |                                     |                          |
| used.                                            |                                     |                          |
|                                                  |                                     |                          |
| ***Note:** The use of Customized Approach must   |                                     |                          |
| also be documented in [Appendix                  |                                     |                          |
| E.](#appendix-e-customized-approach-template)*   |                                     |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+
| **Validation Method -- Defined Approach**        |                                     |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+
| **Indicate** whether a Compensating Control was  |                                     | ☐ Yes ☐ No               |
| used:                                            |                                     |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the      |                                     | \<Enter Response Here\>  |
| requirement where the Compensating Control(s)    |                                     |                          |
| was used.                                        |                                     |                          |
|                                                  |                                     |                          |
| ***Note:** The use of Compensating Controls must |                                     |                          |
| also be documented in [Appendix                  |                                     |                          |
| C.](#appendix-c-compensating-controls-worksheet)*|                                     |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+

+--------------------------------------------------+-------------------------------------+--------------------------+
| **Testing Procedures**                           | **Reporting Instructions**          | **Reporting Details:     |
|                                                  |                                     | Assessor's Response**    |
+==================================================+=====================================+==========================+
| **2.2.6.a** Examine system configuration         | **Identify** the evidence reference | \<Enter Response Here\>  |
| standards to verify they include configuring     | number(s) from [Section             |                          |
| system security parameters to prevent misuse.    | 6](#evidence-assessment-workpapers) |                          |
|                                                  | for all **system configuration      |                          |
|                                                  | standards** examined for this       |                          |
|                                                  | testing procedure.                  |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+
| **2.2.6.b** Interview system administrators      | **Identify** the evidence reference | \<Enter Response Here\>  |
| and/or security managers to verify they have     | number(s) from [Section             |                          |
| knowledge of common security parameter settings  | 6](#evidence-assessment-workpapers) |                          |
| for system components.                           | for all **interview(s)** conducted  |                          |
|                                                  | for this testing procedure.         |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+
| **2.2.6.c** Examine system configurations to     | **Identify** the evidence reference | \<Enter Response Here\>  |
| verify that common security parameters are set   | number(s) from [Section             |                          |
| appropriately and in accordance with the system  | 6](#evidence-assessment-workpapers) |                          |
| configuration standards.                         | for all **system configurations**   |                          |
|                                                  | examined for this testing           |                          |
|                                                  | procedure.                          |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+

+--------------------------------------------------+-------------------------------------+--------------------------+
| **PCI DSS Requirement**                          |                                     |                          |
+==================================================+=====================================+==========================+
| **2.2.7** All non-console administrative access  |                                     |                          |
| is encrypted using strong cryptography.          |                                     |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+
| **Assessment Findings (select one)**             |                                     |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+

+--------------------+--------------------+--------------------+--------------------+
| **In Place**       | **Not Applicable** | **Not Tested**     | **Not in Place**   |
+====================+====================+====================+====================+
| ☐                  | ☐                  | ☐                  | ☐                  |
+--------------------+--------------------+--------------------+--------------------+

+--------------------------------------------------+-------------------------------------+--------------------------+
| Describe why the assessment finding was          |                                     | \<Enter Response Here\>  |
| selected.                                        |                                     |                          |
|                                                  |                                     |                          |
| ***Note**: Include all details as noted in the   |                                     |                          |
| "Required Reporting" column of the table in      |                                     |                          |
| [Assessment Findings](#assessment-findings) in   |                                     |                          |
| the ROC Template Instructions.*                  |                                     |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+


+--------------------------------------------------+-------------------------------------+--------------------------+
| **Validation Method -- Customized Approach**     |                                     |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+
| **Indicate** whether a Customized Approach was   |                                     | ☐ Yes ☐ No               |
| used:                                            |                                     |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the      |                                     | \<Enter Response Here\>  |
| requirement where the Customized Approach was    |                                     |                          |
| used.                                            |                                     |                          |
|                                                  |                                     |                          |
| ***Note:** The use of Customized Approach must   |                                     |                          |
| also be documented in [Appendix                  |                                     |                          |
| E.](#appendix-e-customized-approach-template)*   |                                     |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+
| **Validation Method -- Defined Approach**        |                                     |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+
| **Indicate** whether a Compensating Control was  |                                     | ☐ Yes ☐ No               |
| used:                                            |                                     |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the      |                                     | \<Enter Response Here\>  |
| requirement where the Compensating Control(s)    |                                     |                          |
| was used.                                        |                                     |                          |
|                                                  |                                     |                          |
| ***Note:** The use of Compensating Controls must |                                     |                          |
| also be documented in [Appendix                  |                                     |                          |
| C.](#appendix-c-compensating-controls-worksheet)*|                                     |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+

+--------------------------------------------------+-------------------------------------+--------------------------+
| **Testing Procedures**                           | **Reporting Instructions**          | **Reporting Details:     |
|                                                  |                                     | Assessor's Response**    |
+==================================================+=====================================+==========================+
| **2.2.7.a** Examine system configuration         | **Identify** the evidence reference | \<Enter Response Here\>  |
| standards to verify they include encrypting all  | number(s) from [Section             |                          |
| non-console administrative access using strong   | 6](#evidence-assessment-workpapers) |                          |
| cryptography.                                    | for all **system configuration      |                          |
|                                                  | standards** examined for this       |                          |
|                                                  | testing procedure.                  |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+
| **2.2.7.b** Observe an administrator log on to   | **Identify** the evidence reference | \<Enter Response Here\>  |
| system components and examine system             | number(s) from [Section             |                          |
| configurations to verify that non-console        | 6](#evidence-assessment-workpapers) |                          |
| administrative access is managed in accordance   | for all **observation(s) of         |                          |
| with this requirement.                           | administrator log on(s)** for this  |                          |
|                                                  | testing procedure.                  |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+
|                                                  | **Identify** the evidence reference | \<Enter Response Here\>  |
|                                                  | number(s) from [Section             |                          |
|                                                  | 6](#evidence-assessment-workpapers) |                          |
|                                                  | for all **system configurations**   |                          |
|                                                  | examined for this testing           |                          |
|                                                  | procedure.                          |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+
| **2.2.7.c** Examine settings for system          | **Identify** the evidence reference | \<Enter Response Here\>  |
| components and authentication services to verify | number(s) from [Section             |                          |
| that insecure remote login services are not      | 6](#evidence-assessment-workpapers) |                          |
| available for non-console administrative access. | for all **settings for system       |                          |
|                                                  | components and authentication       |                          |
|                                                  | services** examined for this        |                          |
|                                                  | testing procedure.                  |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+
| **2.2.7.d** Examine vendor documentation and     | **Identify** the evidence reference | \<Enter Response Here\>  |
| interview personnel to verify that strong        | number(s) from [Section             |                          |
| cryptography for the technology in use is        | 6](#evidence-assessment-workpapers) |                          |
| implemented according to industry best practices | for all **vendor documentation**    |                          |
| and/or vendor recommendations.                   | examined for this testing           |                          |
|                                                  | procedure.                          |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+
|                                                  | **Identify** the evidence reference | \<Enter Response Here\>  |
|                                                  | number(s) from [Section             |                          |
|                                                  | 6](#evidence-assessment-workpapers) |                          |
|                                                  | for all **interview(s)** conducted  |                          |
|                                                  | for this testing procedure.         |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+

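Testing procedures 2.2.5.a/b and 2.2.7.c both come down to what a system component actually exposes, so an assessor normally wants to compare the configuration-standard text against captured evidence from the host rather than rely on the standard alone. The script below is an added example and is not part of the PCI SSC template: it parses a constructed `ss -tln` listing and a constructed `sshd_config` excerpt (both invented for this illustration), flags cleartext remote-login services on well-known ports, and flags OpenSSH algorithm names that are widely documented as weak. The port table and the weak-algorithm sets are assumptions; the assessor replaces them with the entity's own configuration standard and the vendor's current guidance (testing procedure 2.2.7.d).

```python
"""Added example for PCI DSS 2.2.5/2.2.7 evidence review (not PCI SSC code).

Flags cleartext remote-login services and weak SSH algorithm settings on one
system component, from a socket listing and an sshd configuration dump.
"""
import re

# Cleartext remote-login services that must not be reachable for non-console
# administrative access (TCP port -> service). Assumed list for this example.
CLEARTEXT_ADMIN_SERVICES = {
    21: "ftp", 23: "telnet", 512: "rexec", 513: "rlogin", 514: "rsh",
}

# OpenSSH algorithm names widely documented as weak. Assumed for this example;
# the assessor confirms the list against current vendor guidance (2.2.7.d).
WEAK_SSH_ALGORITHMS = {
    "ciphers": {"3des-cbc", "arcfour", "arcfour128", "arcfour256",
                "blowfish-cbc", "cast128-cbc"},
    "macs": {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"},
    "kexalgorithms": {"diffie-hellman-group1-sha1",
                      "diffie-hellman-group14-sha1"},
}

# One `ss -tln` row: State Recv-Q Send-Q Local-Address:Port ...
_SS_LINE = re.compile(
    r"^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)(?:\s|$)")


def listening_sockets(ss_output: str) -> list[tuple[int, str]]:
    """Return (port, local address) for every LISTEN row of `ss -tln` output."""
    sockets = []
    for line in ss_output.splitlines():
        match = _SS_LINE.match(line.strip())
        if match and match.group("state") == "LISTEN":
            sockets.append((int(match.group("port")), match.group("addr")))
    return sockets


def sshd_settings(config_text: str) -> dict[str, str]:
    """Parse sshd_config (or `sshd -T` output) into {keyword: value}.

    Keywords are lowercased, comments and blank lines are skipped, and the first
    occurrence of a keyword wins, which is how sshd itself resolves duplicates.
    """
    settings: dict[str, str] = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        settings.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")
    return settings


def check_component(ss_output: str, sshd_config: str) -> list[str]:
    """Return the 2.2.7 findings for one system component (empty list = none)."""
    findings = []
    for port, addr in listening_sockets(ss_output):
        if port in CLEARTEXT_ADMIN_SERVICES:
            findings.append(f"cleartext remote login service "
                            f"{CLEARTEXT_ADMIN_SERVICES[port]} listening on {addr}:{port}")
    cfg = sshd_settings(sshd_config)
    protocol = cfg.get("protocol", "2")  # absent means SSH-2 only on current OpenSSH
    if protocol != "2":
        findings.append(f"sshd Protocol {protocol} enabled (SSH-1 is not strong cryptography)")
    for keyword, weak in WEAK_SSH_ALGORITHMS.items():
        value = cfg.get(keyword, "")
        if value.startswith("-"):
            continue  # "-alg,..." only removes algorithms from the default set
        enabled = {alg.strip() for alg in value.lstrip("+^").split(",") if alg.strip()}
        for alg in sorted(enabled & weak):
            findings.append(f"weak SSH {keyword} algorithm enabled: {alg}")
    return findings


# Constructed evidence for a "before" and an "after" state of one host; none of
# it comes from a real assessment.
BEFORE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       5       0.0.0.0:23          0.0.0.0:*
LISTEN  0       128     [::]:22             [::]:*
"""
BEFORE_SSHD = """\
Protocol 2,1
Ciphers aes256-ctr,3des-cbc
MACs hmac-sha2-256,hmac-md5
KexAlgorithms curve25519-sha256,diffie-hellman-group1-sha1
"""
AFTER_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     [::]:22             [::]:*
"""
AFTER_SSHD = """\
Protocol 2
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256,diffie-hellman-group16-sha512
"""

if __name__ == "__main__":
    for label, ss, sshd in (("before", BEFORE_SS, BEFORE_SSHD),
                            ("after", AFTER_SS, AFTER_SSHD)):
        findings = check_component(ss, sshd)
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Feed `sshd -T` output rather than the raw file when the file leaves Ciphers, MACs or KexAlgorithms unset: `sshd -T` prints the effective values, which is what the evidence reference in Section 6 should capture.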

+--------------------------------------------------+-------------------------------------+--------------------------+
| **Requirement Description**                      |                                     |                          |
+==================================================+=====================================+==========================+
| **2.3** Wireless environments are configured and |                                     |                          |
| managed securely.                                |                                     |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+
| **PCI DSS Requirement**                          |                                     |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+
| **2.3.1** For wireless environments connected to |                                     |                          |
| the CDE or transmitting account data, all        |                                     |                          |
| wireless vendor defaults are changed at          |                                     |                          |
| installation or are confirmed to be secure,      |                                     |                          |
| including but not limited to:                    |                                     |                          |
|                                                  |                                     |                          |
| - Default wireless encryption keys.              |                                     |                          |
| - Passwords on wireless access points.           |                                     |                          |
| - SNMP defaults.                                 |                                     |                          |
| - Any other security-related wireless vendor     |                                     |                          |
|   defaults.                                      |                                     |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+
| **Assessment Findings (select one)**             |                                     |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+

+--------------------+--------------------+--------------------+--------------------+
| **In Place**       | **Not Applicable** | **Not Tested**     | **Not in Place**   |
+====================+====================+====================+====================+
| ☐                  | ☐                  | ☐                  | ☐                  |
+--------------------+--------------------+--------------------+--------------------+

+--------------------------------------------------+-------------------------------------+--------------------------+
| Describe why the assessment finding was          |                                     | \<Enter Response Here\>  |
| selected.                                        |                                     |                          |
|                                                  |                                     |                          |
| ***Note**: Include all details as noted in the   |                                     |                          |
| "Required Reporting" column of the table in      |                                     |                          |
| [Assessment Findings](#assessment-findings) in   |                                     |                          |
| the ROC Template Instructions.*                  |                                     |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+
| **Validation Method -- Customized Approach**     |                                     |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+
| **Indicate** whether a Customized Approach was   |                                     | ☐ Yes ☐ No               |
| used:                                            |                                     |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the      |                                     | \<Enter Response Here\>  |
| requirement where the Customized Approach was    |                                     |                          |
| used.                                            |                                     |                          |
|                                                  |                                     |                          |
| ***Note:** The use of Customized Approach must   |                                     |                          |
| also be documented in [Appendix                  |                                     |                          |
| E.](#appendix-e-customized-approach-template)*   |                                     |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+


+--------------------------------------------------+-------------------------------------+--------------------------+
| **Validation Method -- Defined Approach**        |                                     |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+
| **Indicate** whether a Compensating Control was  |                                     | ☐ Yes ☐ No               |
| used:                                            |                                     |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the      |                                     | \<Enter Response Here\>  |
| requirement where the Compensating Control(s)    |                                     |                          |
| was used.                                        |                                     |                          |
|                                                  |                                     |                          |
| ***Note:** The use of Compensating Controls must |                                     |                          |
| also be documented in [Appendix                  |                                     |                          |
| C.](#appendix-c-compensating-controls-worksheet)*|                                     |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+

+--------------------------------------------------+-------------------------------------+--------------------------+
| **Testing Procedures**                           | **Reporting Instructions**          | **Reporting Details:     |
|                                                  |                                     | Assessor's Response**    |
+==================================================+=====================================+==========================+
| **2.3.1.a** Examine policies and procedures and  | **Identify** the evidence reference | \<Enter Response Here\>  |
| interview responsible personnel to verify that   | number(s) from [Section             |                          |
| processes are defined for wireless vendor        | 6](#evidence-assessment-workpapers) |                          |
| defaults to either change them upon installation | for all **policies and procedures** |                          |
| or to confirm them to be secure in accordance    | examined for this testing           |                          |
| with all elements of this requirement.           | procedure.                          |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+
|                                                  | **Identify** the evidence reference | \<Enter Response Here\>  |
|                                                  | number(s) from [Section             |                          |
|                                                  | 6](#evidence-assessment-workpapers) |                          |
|                                                  | for all **interview(s)** conducted  |                          |
|                                                  | for this testing procedure.         |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+
| **2.3.1.b** Examine vendor documentation and     | **Identify** the evidence reference | \<Enter Response Here\>  |
| observe a system administrator logging into      | number(s) from [Section             |                          |
| wireless devices to verify:                      | 6](#evidence-assessment-workpapers) |                          |
|                                                  | for all **vendor documentation**    |                          |
| - SNMP defaults are not used.                    | examined for this testing           |                          |
| - Default passwords/passphrases on wireless      | procedure.                          |                          |
|   access points are not used.                    |                                     |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+
|                                                  | **Identify** the evidence reference | \<Enter Response Here\>  |
|                                                  | number(s) from [Section             |                          |
|                                                  | 6](#evidence-assessment-workpapers) |                          |
|                                                  | for the **observation(s) of         |                          |
|                                                  | administrator log in(s)** for this  |                          |
|                                                  | testing procedure.                  |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+
| **2.3.1.c** Examine vendor documentation and     | **Identify** the evidence reference | \<Enter Response Here\>  |
| wireless configuration settings to verify other  | number(s) from [Section             |                          |
| security-related wireless vendor defaults were   | 6](#evidence-assessment-workpapers) |                          |
| changed, if applicable.                          | for all **vendor documentation**    |                          |
|                                                  | examined for this testing           |                          |
|                                                  | procedure.                          |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+
|                                                  | **Identify** the evidence reference | \<Enter Response Here\>  |
|                                                  | number(s) from [Section             |                          |
|                                                  | 6](#evidence-assessment-workpapers) |                          |
|                                                  | for all **wireless configuration    |                          |
|                                                  | settings** examined for this        |                          |
|                                                  | testing procedure.                  |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+

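Testing procedure 2.3.1.b asks the assessor to confirm that SNMP defaults are not in use. Reading the exported configuration shows what the device claims; the stronger evidence is whether the device still answers a request that carries the vendor's default community string. The script below is an added example and is not part of the PCI SSC template: it builds an SNMPv1 (or v2c) GetRequest for sysDescr.0 by hand with the standard library only, decodes the reply, and reports a community string as accepted when the agent answers with error-status 0. The community strings `public` and `private` are the long-standing read-only and read-write defaults; the OID, the target host and the constructed reply used in the self-check are assumptions for the illustration, and the probe must only be pointed at in-scope devices with the assessed entity's authorization.

```python
"""Added example for PCI DSS 2.3.1.b (not PCI SSC code): probe a wireless
device for default SNMP community strings with a hand-built SNMP GetRequest."""
import os
import socket
import sys

# Default community strings to try (assumed for this example; extend with the
# device-specific defaults found in the vendor documentation examined in 2.3.1.b).
DEFAULT_COMMUNITIES = ("public", "private")
SYS_DESCR_OID = "1.3.6.1.2.1.1.1.0"     # sysDescr.0: harmless, every agent has it
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2  # SNMP PDU tags


def _ber_len(n: int) -> bytes:
    """BER length: short form below 128, else 0x80|count followed by the bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(body)) + body


def _int(value: int) -> bytes:
    """BER INTEGER for a non-negative value (minimal length, sign bit kept clear)."""
    size = max(1, (value.bit_length() + 8) // 8)
    return _tlv(0x02, value.to_bytes(size, "big", signed=True))


def _oid(dotted: str) -> bytes:
    """BER OBJECT IDENTIFIER: first two arcs packed, remaining arcs base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return _tlv(0x06, bytes(body))


def build_message(pdu_tag: int, community: str, request_id: int, oid: str,
                  error_status: int = 0, value: bytes = b"\x05\x00",
                  version: int = 0) -> bytes:
    """SNMP message: SEQUENCE { version, community, PDU { id, err, idx, varbinds } }.
    version 0 is SNMPv1 and 1 is SNMPv2c; the default varbind value is ASN.1 NULL."""
    varbinds = _tlv(0x30, _tlv(0x30, _oid(oid) + value))
    pdu = _int(request_id) + _int(error_status) + _int(0) + varbinds
    return _tlv(0x30, _int(version) + _tlv(0x04, community.encode()) + _tlv(pdu_tag, pdu))


def build_get_request(community: str, oid: str = SYS_DESCR_OID,
                      request_id: int = 1, version: int = 0) -> bytes:
    return build_message(GET_REQUEST, community, request_id, oid, version=version)


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Read one TLV at pos; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def parse_response(data: bytes) -> dict:
    """Decode the outer layers of an SNMP reply; varbind values are not needed."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, pos = _read_tlv(msg, 0)
    _, community, pos = _read_tlv(msg, pos)
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    _, request_id, pos = _read_tlv(pdu, 0)
    _, error_status, _ = _read_tlv(pdu, pos)
    return {"version": int.from_bytes(version, "big", signed=True),
            "community": community.decode(errors="replace"),
            "pdu_type": pdu_tag,
            "request_id": int.from_bytes(request_id, "big", signed=True),
            "error_status": int.from_bytes(error_status, "big", signed=True)}


def community_accepted(reply: bytes, request_id: int) -> bool:
    """True when the agent answered our request with a GetResponse and no error."""
    parsed = parse_response(reply)
    return (parsed["pdu_type"] == GET_RESPONSE
            and parsed["request_id"] == request_id
            and parsed["error_status"] == 0)


def probe(host: str, community: str, port: int = 161, timeout: float = 2.0) -> bool:
    """Send one GetRequest over UDP. Silence before the timeout counts as rejected:
    SNMPv1/v2c agents do not answer a request whose community string is wrong."""
    request_id = int.from_bytes(os.urandom(3), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_get_request(community, request_id=request_id), (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return False
    return community_accepted(reply, request_id)


if __name__ == "__main__":
    target = sys.argv[1]  # management address of the access point under review
    for name in DEFAULT_COMMUNITIES:
        state = "ACCEPTED" if probe(target, name) else "rejected or no answer"
        print(f"{target} community {name!r}: {state}")
```

An accepted `public` or `private` is a direct "Not in Place" observation for the SNMP element of 2.3.1; a silent device is only evidence that those two strings are not in use, not that the community string was changed to something strong or that SNMPv3 is in use.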

+--------------------------------------------------+-------------------------------------+--------------------------+
| **PCI DSS Requirement**                          |                                     |                          |
+==================================================+=====================================+==========================+
| **2.3.2** For wireless environments connected to |                                     |                          |
| the CDE or transmitting account data, wireless   |                                     |                          |
| encryption keys are changed as follows:          |                                     |                          |
|                                                  |                                     |                          |
| - Whenever personnel with knowledge of the key   |                                     |                          |
|   leave the company or the role for which the    |                                     |                          |
|   knowledge was necessary.                       |                                     |                          |
| - Whenever a key is suspected of or known to be  |                                     |                          |
|   compromised.                                   |                                     |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+
| **Assessment Findings (select one)**             |                                     |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+

+--------------------+--------------------+--------------------+--------------------+
| **In Place**       | **Not Applicable** | **Not Tested**     | **Not in Place**   |
+====================+====================+====================+====================+
| ☐                  | ☐                  | ☐                  | ☐                  |
+--------------------+--------------------+--------------------+--------------------+

+--------------------------------------------------+-------------------------------------+--------------------------+
| Describe why the assessment finding was          |                                     | \<Enter Response Here\>  |
| selected.                                        |                                     |                          |
|                                                  |                                     |                          |
| ***Note**: Include all details as noted in the   |                                     |                          |
| "Required Reporting" column of the table in      |                                     |                          |
| [Assessment Findings](#assessment-findings) in   |                                     |                          |
| the ROC Template Instructions.*                  |                                     |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+
| **Validation Method -- Customized Approach**     |                                     |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+
| **Indicate** whether a Customized Approach was   |                                     | ☐ Yes ☐ No               |
| used:                                            |                                     |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the      |                                     | \<Enter Response Here\>  |
| requirement where the Customized Approach was    |                                     |                          |
| used.                                            |                                     |                          |
|                                                  |                                     |                          |
| ***Note:** The use of Customized Approach must   |                                     |                          |
| also be documented in [Appendix                  |                                     |                          |
| E.](#appendix-e-customized-approach-template)*   |                                     |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+
| **Validation Method -- Defined Approach**        |                                     |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+
| **Indicate** whether a Compensating Control was  |                                     | ☐ Yes ☐ No               |
| used:                                            |                                     |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the      |                                     | \<Enter Response Here\>  |
| requirement where the Compensating Control(s)    |                                     |                          |
| was used.                                        |                                     |                          |
|                                                  |                                     |                          |
| ***Note:** The use of Compensating Controls must |                                     |                          |
| also be documented in [Appendix                  |                                     |                          |
| C.](#appendix-c-compensating-controls-worksheet)*|                                     |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+


+--------------------------------------------------+-------------------------------------+--------------------------+
| **Testing Procedures**                           | **Reporting Instructions**          | **Reporting Details:     |
|                                                  |                                     | Assessor's Response**    |
+==================================================+=====================================+==========================+
| **2.3.2** Interview responsible personnel and    | **Identify** the evidence reference | \<Enter Response Here\>  |
| examine key-management documentation to verify   | number(s) from [Section             |                          |
| that wireless encryption keys are changed in     | 6](#evidence-assessment-workpapers) |                          |
| accordance with all elements specified in this   | for all **interview(s)** conducted  |                          |
| requirement.                                     | for this testing procedure.         |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+
|                                                  | **Identify** the evidence reference | \<Enter Response Here\>  |
|                                                  | number(s) from [Section             |                          |
|                                                  | 6](#evidence-assessment-workpapers) |                          |
|                                                  | for all **key-management            |                          |
|                                                  | documentation** examined for this   |                          |
|                                                  | testing procedure.                  |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+

## Protect Account Data {#protect-account-data .unnumbered}
### Requirement 3: Protect Stored Account Data {#requirement-3-protect-stored-account-data .unnumbered}

+--------------------------------------------------+-------------------------------------+--------------------------+
| **Requirement Description**                      |                                     |                          |
+==================================================+=====================================+==========================+
| **3.1** Processes and mechanisms for protecting  |                                     |                          |
| stored account data are defined and understood.  |                                     |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+
| **PCI DSS Requirement**                          |                                     |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+
| **3.1.1** All security policies and operational  |                                     |                          |
| procedures that are identified in Requirement 3  |                                     |                          |
| are:                                             |                                     |                          |
|                                                  |                                     |                          |
| - Documented.                                    |                                     |                          |
| - Kept up to date.                               |                                     |                          |
| - In use.                                        |                                     |                          |
| - Known to all affected parties.                 |                                     |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+
| **Assessment Findings (select one)**             |                                     |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+

+--------------------+--------------------+--------------------+--------------------+
| **In Place**       | **Not Applicable** | **Not Tested**     | **Not in Place**   |
+====================+====================+====================+====================+
| ☐                  | ☐                  | ☐                  | ☐                  |
+--------------------+--------------------+--------------------+--------------------+

+--------------------------------------------------+-------------------------------------+--------------------------+
| Describe why the assessment finding was          |                                     | \<Enter Response Here\>  |
| selected.                                        |                                     |                          |
|                                                  |                                     |                          |
| ***Note**: Include all details as noted in the   |                                     |                          |
| "Required Reporting" column of the table in      |                                     |                          |
| [Assessment Findings](#assessment-findings) in   |                                     |                          |
| the ROC Template Instructions.*                  |                                     |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+
| **Validation Method -- Customized Approach**     |                                     |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+
| **Indicate** whether a Customized Approach was   |                                     | ☐ Yes ☐ No               |
| used:                                            |                                     |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the      |                                     | \<Enter Response Here\>  |
| requirement where the Customized Approach was    |                                     |                          |
| used.                                            |                                     |                          |
|                                                  |                                     |                          |
| ***Note:** The use of Customized Approach must   |                                     |                          |
| also be documented in [Appendix                  |                                     |                          |
| E.](#appendix-e-customized-approach-template)*   |                                     |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+


+--------------------------------------------------+-------------------------------------+--------------------------+
| **Validation Method -- Defined Approach**        |                                     |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+
| **Indicate** whether a Compensating Control was  |                                     | ☐ Yes ☐ No               |
| used:                                            |                                     |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the      |                                     | \<Enter Response Here\>  |
| requirement where the Compensating Control(s)    |                                     |                          |
| was used.                                        |                                     |                          |
|                                                  |                                     |                          |
| ***Note:** The use of Compensating Controls must |                                     |                          |
| also be documented in [Appendix                  |                                     |                          |
| C.](#appendix-c-compensating-controls-worksheet)*|                                     |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+

+--------------------------------------------------+-------------------------------------+--------------------------+
| **Testing Procedures**                           | **Reporting Instructions**          | **Reporting Details:     |
|                                                  |                                     | Assessor's Response**    |
+==================================================+=====================================+==========================+
| **3.1.1** Examine documentation and interview    | **Identify** the evidence reference | \<Enter Response Here\>  |
| personnel to verify that security policies and   | number(s) from [Section             |                          |
| operational procedures identified in Requirement | 6](#evidence-assessment-workpapers) |                          |
| 3 are managed in accordance with all elements    | for all **documentation** examined  |                          |
| specified in this requirement.                   | for this testing procedure.         |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+
|                                                  | **Identify** the evidence reference | \<Enter Response Here\>  |
|                                                  | number(s) from [Section             |                          |
|                                                  | 6](#evidence-assessment-workpapers) |                          |
|                                                  | for all **interview(s)** conducted  |                          |
|                                                  | for this testing procedure.         |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+

+--------------------------------------------------+-------------------------------------+--------------------------+
| **PCI DSS Requirement**                          |                                     |                          |
+==================================================+=====================================+==========================+
| **3.1.2** Roles and responsibilities for         |                                     |                          |
| performing activities in Requirement 3 are       |                                     |                          |
| documented, assigned, and understood.            |                                     |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+
| **Assessment Findings (select one)**             |                                     |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+

+--------------------+--------------------+--------------------+--------------------+
| **In Place**       | **Not Applicable** | **Not Tested**     | **Not in Place**   |
+====================+====================+====================+====================+
| ☐                  | ☐                  | ☐                  | ☐                  |
+--------------------+--------------------+--------------------+--------------------+

+--------------------------------------------------+-------------------------------------+--------------------------+
| Describe why the assessment finding was          |                                     | \<Enter Response Here\>  |
| selected.                                        |                                     |                          |
|                                                  |                                     |                          |
| ***Note**: Include all details as noted in the   |                                     |                          |
| "Required Reporting" column of the table in      |                                     |                          |
| [Assessment Findings](#assessment-findings) in   |                                     |                          |
| the ROC Template Instructions.*                  |                                     |                          |
+--------------------------------------------------+-------------------------------------+--------------------------+

+-----------------+-------------------+--------------------------------+
| **Validation | | |
| Method -- | | |
| Customized | | |
| Approach** | | |
+=================+===================+================================+
| **Indicate** | | - Yes ☐ No |
| whether a | | |
| Customized | | |
| Approach was | | |
| used: | | |
+-----------------+-------------------+--------------------------------+
| **If "Yes", | | \<Enter Response Here\> |
| Identify** the | | |
| aspect(s) of | | |
| the requirement | | |
| where the | | |
| Customized | | |
| Approach was | | |
| used. | | |
| | | |
| ***Note:** The | | |
| use of | | |
| Customized | | |
| Approach must | | |
| also be | | |
| documented in | | |
| [Appendix | | |
| E | | |
| .](#appendix-e- | | |
| customized-appr | | |
| oach-template)* | | |
+-----------------+-------------------+--------------------------------+
| **Validation | | |
| Method -- | | |
| Defined | | |
| Approach** | | |
+-----------------+-------------------+--------------------------------+
| **Indicate** | | - Yes ☐ No |
| whether a | | |
| Compensating | | |
| Control was | | |
| used: | | |
+-----------------+-------------------+--------------------------------+
| **If "Yes", | | \<Enter Response Here\> |
| Identify** the | | |
| aspect(s) of | | |
| the requirement | | |
| where the | | |
| Compensating | | |
| Control(s) was | | |
| used. | | |
| | | |
| ***Note:** The | | |
| use of | | |
| Compensating | | |
| Controls must | | |
| also be | | |
| documented in | | |
| [Appendix | | |
| C.]( | | |
| #appendix-c-com | | |
| pensating-contr | | |
| ols-worksheet)* | | |
+-----------------+-------------------+--------------------------------+
| > **Testing | > **Reporting | > **Reporting Details: |
| > Procedures** | > Instructions** | > Assessor's Response** |
+-----------------+-------------------+--------------------------------+
| **3.1.2.a** | **Identify** the | \<Enter Response Here\> |
| Examine | evidence | |
| documentation | reference | |
| to verify that | number(s) from | |
| descriptions of | [Section | |
| roles and | 6 | |
| r | ](#evidence-asses | |
| esponsibilities | sment-workpapers) | |
| performing | for all | |
| activities in | **documentation** | |
| Requirement 3 | examined for this | |
| are documented | testing | |
| and assigned. | procedure. | |
+-----------------+-------------------+--------------------------------+
| **3.1.2.b** | **Identify** the | \<Enter Response Here\> |
| Interview | evidence | |
| personnel with | reference | |
| responsibility | number(s) from | |
| for performing | [Section | |
| activities in | 6 | |
| Requirement 3 | ](#evidence-asses | |
| to verify that | sment-workpapers) | |
| roles and | for all | |
| r | **interview(s)** | |
| esponsibilities | conducted for | |
| are assigned as | this testing | |
| documented and | procedure. | |
| are understood. | | |
+-----------------+-------------------+--------------------------------+

+-----------------------------------------------------------------------------+
| **Requirement Description**                                                 |
+=============================================================================+
| **3.2** Storage of account data is kept to a minimum.                       |
+-----------------------------------------------------------------------------+
| **PCI DSS Requirement**                                                     |
+-----------------------------------------------------------------------------+
| **3.2.1** Account data storage is kept to a minimum through implementation  |
| of data retention and disposal policies, procedures, and processes that     |
| include at least the following:                                             |
|                                                                             |
| - Coverage for all locations of stored account data.                        |
|                                                                             |
| - Coverage for any sensitive authentication data (SAD) stored prior to      |
|   completion of authorization. *This bullet is a **best practice** until    |
|   **31 March 2025**, after which it will be required as part of             |
|   Requirement 3.2.1 and must be fully considered during a PCI DSS           |
|   assessment.*                                                              |
|                                                                             |
| - Limiting data storage amount and retention time to that which is          |
|   required for legal or regulatory, and/or business requirements.           |
|                                                                             |
| - Specific retention requirements for stored account data that defines      |
|   length of retention period and includes a documented business             |
|   justification.                                                            |
|                                                                             |
| - Processes for secure deletion or rendering account data unrecoverable     |
|   when no longer needed per the retention policy.                           |
|                                                                             |
| - A process for verifying, at least once every three months, that stored    |
|   account data exceeding the defined retention period has been securely     |
|   deleted or rendered unrecoverable.                                        |
+-----------------------------------------------------------------------------+
| **Assessment Findings (select one)**                                        |
+-----------------------------------------------------------------------------+

+----------------------+----------------------+----------------------+----------------------+
| **In Place**         | **Not Applicable**   | **Not Tested**       | **Not in Place**     |
+======================+======================+======================+======================+
| ☐                    | ☐                    | ☐                    | ☐                    |
+----------------------+----------------------+----------------------+----------------------+

+---------------------------------------------------------------+---------------------------------------+
| Describe why the assessment finding was selected.             | \<Enter Response Here\>               |
|                                                               |                                       |
| ***Note**: Include all details as noted in the "Required      |                                       |
| Reporting" column of the table in [Assessment                 |                                       |
| Findings](#assessment-findings) in the ROC Template           |                                       |
| Instructions.*                                                |                                       |
+---------------------------------------------------------------+---------------------------------------+
| **Validation Method -- Customized Approach**                  |                                       |
+---------------------------------------------------------------+---------------------------------------+
| **Indicate** whether a Customized Approach was used:          | ☐ Yes ☐ No                            |
+---------------------------------------------------------------+---------------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where | \<Enter Response Here\>               |
| the Customized Approach was used.                             |                                       |
|                                                               |                                       |
| ***Note:** The use of Customized Approach must also be        |                                       |
| documented in                                                 |                                       |
| [Appendix E.](#appendix-e-customized-approach-template)*      |                                       |
+---------------------------------------------------------------+---------------------------------------+
| **Validation Method -- Defined Approach**                     |                                       |
+---------------------------------------------------------------+---------------------------------------+
| **Indicate** whether a Compensating Control was used:         | ☐ Yes ☐ No                            |
+---------------------------------------------------------------+---------------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where | \<Enter Response Here\>               |
| the Compensating Control(s) was used.                         |                                       |
|                                                               |                                       |
| ***Note:** The use of Compensating Controls must also be      |                                       |
| documented in                                                 |                                       |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*   |                                       |
+---------------------------------------------------------------+---------------------------------------+

+-------------------------------------+-----------------------------------------------+--------------------------+
| **Testing Procedures**              | **Reporting Instructions**                    | **Reporting Details:     |
|                                     |                                               | Assessor's Response**    |
+=====================================+===============================================+==========================+
| **3.2.1.a** Examine the data        | **Identify** the evidence reference           | \<Enter Response Here\>  |
| retention and disposal policies,    | number(s) from                                |                          |
| procedures, and processes and       | [Section 6](#evidence-assessment-workpapers)  |                          |
| interview personnel to verify       | for all **data retention and disposal         |                          |
| processes are defined to include    | policies, procedures, and processes**         |                          |
| all elements specified in this      | examined for this testing procedure.          |                          |
| requirement.                        |                                               |                          |
+-------------------------------------+-----------------------------------------------+--------------------------+
|                                     | **Identify** the evidence reference           | \<Enter Response Here\>  |
|                                     | number(s) from                                |                          |
|                                     | [Section 6](#evidence-assessment-workpapers)  |                          |
|                                     | for all **interview(s)** conducted for        |                          |
|                                     | this testing procedure.                       |                          |
+-------------------------------------+-----------------------------------------------+--------------------------+
| **3.2.1.b** Examine files and       | **Identify** the evidence reference           | \<Enter Response Here\>  |
| system records on system            | number(s) from                                |                          |
| components where account data is    | [Section 6](#evidence-assessment-workpapers)  |                          |
| stored to verify that the data      | for all **files and system records**          |                          |
| storage amount and retention time   | examined for this testing procedure.          |                          |
| does not exceed the requirements    |                                               |                          |
| defined in the data retention       |                                               |                          |
| policy.                             |                                               |                          |
+-------------------------------------+-----------------------------------------------+--------------------------+
| **3.2.1.c** Observe the mechanisms  | **Identify** the evidence reference           | \<Enter Response Here\>  |
| used to render account data         | number(s) from                                |                          |
| unrecoverable to verify data        | [Section 6](#evidence-assessment-workpapers)  |                          |
| cannot be recovered.                | for the **observation(s) of the mechanisms    |                          |
|                                     | used** for this testing procedure.            |                          |
+-------------------------------------+-----------------------------------------------+--------------------------+

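One way to implement the coverage, justification and quarterly verification checks that Requirement 3.2.1 lists, as an added Python example that is not part of the ROC template or of any PCI SSC material; the policy entries, storage locations, records and dates are constructed, and treating "at least once every three months" as a 92-day gap is an assumption:

```python
"""Quarterly retention verification for PCI DSS v4.0 Requirement 3.2.1.

Added example; it is not part of the ROC template or any PCI SSC material.
It models the checks the requirement lists: every location of stored account
data is covered by a documented retention period with a business
justification, and a sweep at least once every three months finds stored
records that have outlived that period so they can be securely deleted.
The policy, locations, records and dates below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class RetentionRule:
    """One policy entry covering a storage location (hypothetical names)."""
    location: str
    retention_days: int   # defined length of the retention period
    justification: str    # documented business justification (may be empty)


@dataclass(frozen=True)
class StoredRecord:
    """An account-data record as listed in a storage inventory."""
    location: str
    record_id: str
    stored_on: date


# Constructed retention policy. "support-tickets" deliberately lacks the
# business justification that 3.2.1 requires, so the check should flag it.
POLICY = {
    "orders-db": RetentionRule("orders-db", 90, "chargeback dispute window"),
    "settlement-archive": RetentionRule("settlement-archive", 400, "annual audit"),
    "support-tickets": RetentionRule("support-tickets", 30, ""),
}

# Constructed inventory. "legacy-export" is a location the policy never
# mentions, and ord-1003 sits exactly at the 90-day boundary.
SAMPLE_RECORDS = [
    StoredRecord("orders-db", "ord-1001", date(2024, 1, 5)),
    StoredRecord("orders-db", "ord-1002", date(2024, 5, 15)),
    StoredRecord("orders-db", "ord-1003", date(2024, 4, 1)),
    StoredRecord("settlement-archive", "set-2001", date(2023, 3, 1)),
    StoredRecord("support-tickets", "tkt-3001", date(2024, 6, 20)),
    StoredRecord("legacy-export", "exp-4001", date(2024, 2, 1)),
]
AS_OF = date(2024, 6, 30)       # date of this verification sweep
LAST_CHECK = date(2024, 2, 15)  # date of the previous sweep
MAX_GAP_DAYS = 92               # assumption: "three months" as a day count


def uncovered_locations(records, policy):
    """Locations holding account data that no retention rule covers."""
    return sorted({r.location for r in records} - set(policy))


def rules_missing_justification(policy):
    """Rules that define a period but no documented business justification."""
    return sorted(name for name, rule in policy.items() if not rule.justification.strip())


def expired_records(records, policy, as_of):
    """Records whose age on as_of exceeds their location's retention period.

    A record stored exactly retention_days ago is still within the period;
    uncovered locations are skipped here and reported by uncovered_locations().
    """
    expired = []
    for rec in records:
        rule = policy.get(rec.location)
        if rule is None:
            continue
        if as_of - rec.stored_on > timedelta(days=rule.retention_days):
            expired.append(rec)
    return expired


def verification_overdue(last_check, as_of, max_gap_days=MAX_GAP_DAYS):
    """True when more than the allowed gap has passed since the last sweep."""
    return as_of - last_check > timedelta(days=max_gap_days)


def run_quarterly_check(records, policy, as_of, last_check):
    """Assemble the evidence an assessor would ask for under 3.2.1.a and 3.2.1.b."""
    expired = [r.record_id for r in expired_records(records, policy, as_of)]
    uncovered = uncovered_locations(records, policy)
    missing = rules_missing_justification(policy)
    overdue = verification_overdue(last_check, as_of)
    return {
        "as_of": as_of.isoformat(),
        "expired": expired,                 # must be securely deleted
        "uncovered_locations": uncovered,   # policy coverage gap
        "missing_justification": missing,   # policy documentation gap
        "verification_overdue": overdue,
        "compliant": not (expired or uncovered or missing or overdue),
    }


if __name__ == "__main__":
    for key, value in run_quarterly_check(SAMPLE_RECORDS, POLICY, AS_OF, LAST_CHECK).items():
        print(f"{key}: {value}")
```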

+-----------------------------------------------------------------------------+
| **Requirement Description**                                                 |
+=============================================================================+
| **3.3** Sensitive authentication data (SAD) is not stored after             |
| authorization.                                                              |
+-----------------------------------------------------------------------------+
| **PCI DSS Requirement**                                                     |
+-----------------------------------------------------------------------------+
| **3.3.1** SAD is not retained after authorization, even if encrypted. All   |
| sensitive authentication data received is rendered unrecoverable upon       |
| completion of the authorization process.                                    |
+-----------------------------------------------------------------------------+
| **Assessment Findings (select one)**                                        |
+-----------------------------------------------------------------------------+

+----------------------+----------------------+----------------------+----------------------+
| **In Place**         | **Not Applicable**   | **Not Tested**       | **Not in Place**     |
+======================+======================+======================+======================+
| ☐                    | ☐                    | ☐                    | ☐                    |
+----------------------+----------------------+----------------------+----------------------+

+---------------------------------------------------------------+---------------------------------------+
| Describe why the assessment finding was selected.             | \<Enter Response Here\>               |
|                                                               |                                       |
| ***Note**: Include all details as noted in the "Required      |                                       |
| Reporting" column of the table in [Assessment                 |                                       |
| Findings](#assessment-findings) in the ROC Template           |                                       |
| Instructions.*                                                |                                       |
+---------------------------------------------------------------+---------------------------------------+
| **Validation Method -- Customized Approach**                  |                                       |
+---------------------------------------------------------------+---------------------------------------+
| This requirement is not eligible for the customized approach. |                                       |
+---------------------------------------------------------------+---------------------------------------+
| **Validation Method -- Defined Approach**                     |                                       |
+---------------------------------------------------------------+---------------------------------------+
| **Indicate** whether a Compensating Control was used:         | ☐ Yes ☐ No                            |
+---------------------------------------------------------------+---------------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where | \<Enter Response Here\>               |
| the Compensating Control(s) was used.                         |                                       |
|                                                               |                                       |
| ***Note:** The use of Compensating Controls must also be      |                                       |
| documented in                                                 |                                       |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*   |                                       |
+---------------------------------------------------------------+---------------------------------------+

+-------------------------------------+-----------------------------------------------+--------------------------+
| **Testing Procedures**              | **Reporting Instructions**                    | **Reporting Details:     |
|                                     |                                               | Assessor's Response**    |
+=====================================+===============================================+==========================+
| **3.3.1.a** If SAD is received,     | **Identify** the evidence reference           | \<Enter Response Here\>  |
| examine documented policies,        | number(s) from                                |                          |
| procedures, and system              | [Section 6](#evidence-assessment-workpapers)  |                          |
| configurations to verify the data   | for all **documented policies and             |                          |
| is not retained after               | procedures** examined for this testing        |                          |
| authorization.                      | procedure.                                    |                          |
+-------------------------------------+-----------------------------------------------+--------------------------+
|                                     | **Identify** the evidence reference           | \<Enter Response Here\>  |
|                                     | number(s) from                                |                          |
|                                     | [Section 6](#evidence-assessment-workpapers)  |                          |
|                                     | for all **system configurations**             |                          |
|                                     | examined for this testing procedure.          |                          |
+-------------------------------------+-----------------------------------------------+--------------------------+
| **3.3.1.b** If SAD is received,     | **Identify** the evidence reference           | \<Enter Response Here\>  |
| examine the documented procedures   | number(s) from                                |                          |
| and observe the secure data         | [Section 6](#evidence-assessment-workpapers)  |                          |
| deletion processes to verify the    | for all **documented procedures**             |                          |
| data is rendered unrecoverable      | examined for this testing procedure.          |                          |
| upon completion of the              |                                               |                          |
| authorization process.              |                                               |                          |
+-------------------------------------+-----------------------------------------------+--------------------------+
|                                     | **Identify** the evidence reference           | \<Enter Response Here\>  |
|                                     | number(s) from                                |                          |
|                                     | [Section 6](#evidence-assessment-workpapers)  |                          |
|                                     | for the **observation(s) of the secure        |                          |
|                                     | data deletion processes** for this            |                          |
|                                     | testing procedure.                            |                          |
+-------------------------------------+-----------------------------------------------+--------------------------+


+-----------------------------------------------------------------------------+
| **PCI DSS Requirement**                                                     |
+=============================================================================+
| **3.3.1.1** The full contents of any track are not retained upon completion |
| of the authorization process.                                               |
+-----------------------------------------------------------------------------+
| **Assessment Findings (select one)**                                        |
+-----------------------------------------------------------------------------+

+----------------------+----------------------+----------------------+----------------------+
| **In Place**         | **Not Applicable**   | **Not Tested**       | **Not in Place**     |
+======================+======================+======================+======================+
| ☐                    | ☐                    | ☐                    | ☐                    |
+----------------------+----------------------+----------------------+----------------------+

+---------------------------------------------------------------+---------------------------------------+
| Describe why the assessment finding was selected.             | \<Enter Response Here\>               |
|                                                               |                                       |
| ***Note**: Include all details as noted in the "Required      |                                       |
| Reporting" column of the table in [Assessment                 |                                       |
| Findings](#assessment-findings) in the ROC Template           |                                       |
| Instructions.*                                                |                                       |
+---------------------------------------------------------------+---------------------------------------+
| **Validation Method -- Customized Approach**                  |                                       |
+---------------------------------------------------------------+---------------------------------------+
| This requirement is not eligible for the customized approach. |                                       |
+---------------------------------------------------------------+---------------------------------------+
| **Validation Method -- Defined Approach**                     |                                       |
+---------------------------------------------------------------+---------------------------------------+
| **Indicate** whether a Compensating Control was used:         | ☐ Yes ☐ No                            |
+---------------------------------------------------------------+---------------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where | \<Enter Response Here\>               |
| the Compensating Control(s) was used.                         |                                       |
|                                                               |                                       |
| ***Note:** The use of Compensating Controls must also be      |                                       |
| documented in                                                 |                                       |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*   |                                       |
+---------------------------------------------------------------+---------------------------------------+

+-------------------------------------+-----------------------------------------------+--------------------------+
| **Testing Procedures**              | **Reporting Instructions**                    | **Reporting Details:     |
|                                     |                                               | Assessor's Response**    |
+=====================================+===============================================+==========================+
| **3.3.1.1** Examine data sources to | **Identify** the evidence reference           | \<Enter Response Here\>  |
| verify that the full contents of    | number(s) from                                |                          |
| any track are not stored upon       | [Section 6](#evidence-assessment-workpapers)  |                          |
| completion of the authorization     | for all **data sources** examined for         |                          |
| process.                            | this testing procedure.                       |                          |
+-------------------------------------+-----------------------------------------------+--------------------------+


+-----------------------------------------------------------------------------+
| **PCI DSS Requirement**                                                     |
+=============================================================================+
| **3.3.1.2** The card verification code is not retained upon completion of   |
| the authorization process.                                                  |
+-----------------------------------------------------------------------------+
| **Assessment Findings (select one)**                                        |
+-----------------------------------------------------------------------------+

+----------------------+----------------------+----------------------+----------------------+
| **In Place**         | **Not Applicable**   | **Not Tested**       | **Not in Place**     |
+======================+======================+======================+======================+
| ☐                    | ☐                    | ☐                    | ☐                    |
+----------------------+----------------------+----------------------+----------------------+

+---------------------------------------------------------------+---------------------------------------+
| Describe why the assessment finding was selected.             | \<Enter Response Here\>               |
|                                                               |                                       |
| ***Note**: Include all details as noted in the "Required      |                                       |
| Reporting" column of the table in [Assessment                 |                                       |
| Findings](#assessment-findings) in the ROC Template           |                                       |
| Instructions.*                                                |                                       |
+---------------------------------------------------------------+---------------------------------------+
| **Validation Method -- Customized Approach**                  |                                       |
+---------------------------------------------------------------+---------------------------------------+
| This requirement is not eligible for the customized approach. |                                       |
+---------------------------------------------------------------+---------------------------------------+
| **Validation Method -- Defined Approach**                     |                                       |
+---------------------------------------------------------------+---------------------------------------+
| **Indicate** whether a Compensating Control was used:         | ☐ Yes ☐ No                            |
+---------------------------------------------------------------+---------------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where | \<Enter Response Here\>               |
| the Compensating Control(s) was used.                         |                                       |
|                                                               |                                       |
| ***Note:** The use of Compensating Controls must also be      |                                       |
| documented in                                                 |                                       |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*   |                                       |
+---------------------------------------------------------------+---------------------------------------+

+-------------------------------------+-----------------------------------------------+--------------------------+
| **Testing Procedures**              | **Reporting Instructions**                    | **Reporting Details:     |
|                                     |                                               | Assessor's Response**    |
+=====================================+===============================================+==========================+
| **3.3.1.2** Examine data sources to | **Identify** the evidence reference           | \<Enter Response Here\>  |
| verify that the card verification   | number(s) from                                |                          |
| code is not stored upon completion  | [Section 6](#evidence-assessment-workpapers)  |                          |
| of the authorization process.       | for all **data sources** examined for         |                          |
|                                     | this testing procedure.                       |                          |
+-------------------------------------+-----------------------------------------------+--------------------------+


+-----------------------------------------------------------------------------+
| **PCI DSS Requirement**                                                     |
+=============================================================================+
| **3.3.1.3** The personal identification number (PIN) and the PIN block are  |
| not retained upon completion of the authorization process.                  |
+-----------------------------------------------------------------------------+
| **Assessment Findings (select one)**                                        |
+-----------------------------------------------------------------------------+

+----------------------+----------------------+----------------------+----------------------+
| **In Place**         | **Not Applicable**   | **Not Tested**       | **Not in Place**     |
+======================+======================+======================+======================+
| ☐                    | ☐                    | ☐                    | ☐                    |
+----------------------+----------------------+----------------------+----------------------+

+---------------------------------------------------------------+---------------------------------------+
| Describe why the assessment finding was selected.             | \<Enter Response Here\>               |
|                                                               |                                       |
| ***Note**: Include all details as noted in the "Required      |                                       |
| Reporting" column of the table in [Assessment                 |                                       |
| Findings](#assessment-findings) in the ROC Template           |                                       |
| Instructions.*                                                |                                       |
+---------------------------------------------------------------+---------------------------------------+
| **Validation Method -- Customized Approach**                  |                                       |
+---------------------------------------------------------------+---------------------------------------+
| This requirement is not eligible for the customized approach. |                                       |
+---------------------------------------------------------------+---------------------------------------+
| **Validation Method -- Defined Approach**                     |                                       |
+---------------------------------------------------------------+---------------------------------------+
| **Indicate** whether a Compensating Control was used:         | ☐ Yes ☐ No                            |
+---------------------------------------------------------------+---------------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where | \<Enter Response Here\>               |
| the Compensating Control(s) was used.                         |                                       |
|                                                               |                                       |
| ***Note:** The use of Compensating Controls must also be      |                                       |
| documented in                                                 |                                       |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*   |                                       |
+---------------------------------------------------------------+---------------------------------------+

+-------------------------------------+-----------------------------------------------+--------------------------+
| **Testing Procedures**              | **Reporting Instructions**                    | **Reporting Details:     |
|                                     |                                               | Assessor's Response**    |
+=====================================+===============================================+==========================+
| **3.3.1.3** Examine data sources to | **Identify** the evidence reference           | \<Enter Response Here\>  |
| verify that PINs and PIN blocks     | number(s) from                                |                          |
| are not stored upon completion of   | [Section 6](#evidence-assessment-workpapers)  |                          |
| the authorization process.          | for all **data sources** examined for         |                          |
|                                     | this testing procedure.                       |                          |
+-------------------------------------+-----------------------------------------------+--------------------------+


+-----------------------------------------------------------------------------+
| **PCI DSS Requirement**                                                     |
+=============================================================================+
| **3.3.2** SAD that is stored electronically prior to completion of          |
| authorization is encrypted using strong cryptography.                       |
+-----------------------------------------------------------------------------+
| **Assessment Findings (select one)**                                        |
+-----------------------------------------------------------------------------+

+----------------------+----------------------+----------------------+----------------------+
| **In Place**         | **Not Applicable**   | **Not Tested**       | **Not in Place**     |
+======================+======================+======================+======================+
| ☐                    | ☐                    | ☐                    | ☐                    |
+----------------------+----------------------+----------------------+----------------------+

+---------------------------------------------------------------+---------------------------------------+
| Describe why the assessment finding was selected.             | \<Enter Response Here\>               |
|                                                               |                                       |
| ***Note**: Include all details as noted in the "Required      |                                       |
| Reporting" column of the table in [Assessment                 |                                       |
| Findings](#assessment-findings) in the ROC Template           |                                       |
| Instructions.*                                                |                                       |
+---------------------------------------------------------------+---------------------------------------+
| **Validation Method -- Customized Approach**                  |                                       |
+---------------------------------------------------------------+---------------------------------------+
| This requirement is not eligible for the customized approach. |                                       |
+---------------------------------------------------------------+---------------------------------------+
| **Validation Method -- Defined Approach**                     |                                       |
+---------------------------------------------------------------+---------------------------------------+
| **Indicate** whether a Compensating Control was used:         | ☐ Yes ☐ No                            |
+---------------------------------------------------------------+---------------------------------------+

+-----------------+----------------+---+--------------+-----------------+
| **If "Yes", | | | \<Enter | |
| Identify** the | | | Response | |
| aspect(s) of | | | Here\> | |
| the requirement | | | | |
| where the | | | | |
| Compensating | | | | |
| Control(s) was | | | | |
| used. | | | | |
| | | | | |
| ***Note:** The | | | | |
| use of | | | | |
| Compensating | | | | |
| Controls must | | | | |
| also be | | | | |
| documented in | | | | |
| [Appendix | | | | |
| C.]( | | | | |
| #appendix-c-com | | | | |
| pensating-contr | | | | |
| ols-worksheet)* | | | | |
+-----------------+----------------+---+--------------+-----------------+
+-----------------+---+----------------+---+--------------+-----------------+
| > **Testing | | > **Reporting | | > | |
| > Procedures** | | > | | **Reporting | |
| | | Instructions** | | > Details: | |
| | | | | > Assessor's | |
| | | | | > Response** | |
+=================+===+================+===+==============+=================+
| **3.3.2** | | **Identify** | | \<Enter | |
| Examine data | | the evidence | | Response | |
| stores, system | | reference | | Here\> | |
| configurations, | | number(s) from | | | |
| and/or vendor | | [Section | | | |
| documentation | | 6](#evi | | | |
| to verify that | | dence-assessme | | | |
| all SAD that is | | nt-workpapers) | | | |
| stored | | for all **data | | | |
| electronically | | stores** | | | |
| prior to | | examined for | | | |
| completion of | | this testing | | | |
| authorization | | procedure. | | | |
| is encrypted | | | | | |
| using strong | | | | | |
| cryptography. | | | | | |
+-----------------+---+----------------+---+--------------+-----------------+
| | | **Identify** | | \<Enter | |
| | | the evidence | | Response | |
| | | reference | | Here\> | |
| | | number(s) from | | | |
| | | [Section | | | |
| | | 6](#evi | | | |
| | | dence-assessme | | | |
| | | nt-workpapers) | | | |
| | | for all | | | |
| | | **system | | | |
| | | co | | | |
| | | nfigurations** | | | |
| | | examined for | | | |
| | | this testing | | | |
| | | procedure. | | | |
+-----------------+---+----------------+---+--------------+-----------------+
| | | **Identify** | | \<Enter | |
| | | the evidence | | Response | |
| | | reference | | Here\> | |
| | | number(s) from | | | |
| | | [Section | | | |
| | | 6](#evi | | | |
| | | dence-assessme | | | |
| | | nt-workpapers) | | | |
| | | for all | | | |
| | | **vendor | | | |
| | | d | | | |
| | | ocumentation** | | | |
| | | examined for | | | |
| | | this testing | | | |
| | | procedure. | | | |
+-----------------+---+----------------+---+--------------+-----------------+
+--------------------------------------------------------------+--------------------+----------------+----------------------------+
| > **PCI DSS Requirement**                                    |                    |                |                            |
+==============================================================+====================+================+============================+
| **3.3.3** *Additional requirement for issuers and companies  |                    |                |                            |
| that support issuing services and store sensitive            |                    |                |                            |
| authentication data:* Any storage of sensitive               |                    |                |                            |
| authentication data is:                                      |                    |                |                            |
|                                                              |                    |                |                            |
| - Limited to that which is needed for a legitimate issuing   |                    |                |                            |
|   business need and is secured.                              |                    |                |                            |
|                                                              |                    |                |                            |
| - Encrypted using strong cryptography. *This bullet is a     |                    |                |                            |
|   **best practice** until **31 March 2025**, after which it  |                    |                |                            |
|   will be required as part of Requirement 3.3.3 and must be  |                    |                |                            |
|   fully considered during a PCI DSS assessment.*             |                    |                |                            |
+--------------------------------------------------------------+--------------------+----------------+----------------------------+
| > **Assessment Findings (select one)**                       |                    |                |                            |
+--------------------------------------------------------------+--------------------+----------------+----------------------------+
| **In Place**                                                 | **Not Applicable** | **Not Tested** | **Not in Place**           |
+--------------------------------------------------------------+--------------------+----------------+----------------------------+
| ☐                                                            | ☐                  | ☐              | ☐                          |
+--------------------------------------------------------------+--------------------+----------------+----------------------------+
| Describe why the assessment finding was selected.            |                    |                | \<Enter Response Here\>    |
|                                                              |                    |                |                            |
| ***Note**: Include all details as noted in the "Required     |                    |                |                            |
| Reporting" column of the table in                            |                    |                |                            |
| [Assessment Findings](#assessment-findings) in the ROC       |                    |                |                            |
| Template Instructions.*                                      |                    |                |                            |
+--------------------------------------------------------------+--------------------+----------------+----------------------------+
| **Validation Method -- Customized Approach**                 |                    |                |                            |
+--------------------------------------------------------------+--------------------+----------------+----------------------------+
| **Indicate** whether a Customized Approach was used:         |                    |                | ☐ Yes ☐ No                 |
+--------------------------------------------------------------+--------------------+----------------+----------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      |                    |                | \<Enter Response Here\>    |
| where the Customized Approach was used.                      |                    |                |                            |
|                                                              |                    |                |                            |
| ***Note:** The use of Customized Approach must also be       |                    |                |                            |
| documented in                                                |                    |                |                            |
| [Appendix E.](#appendix-e-customized-approach-template)*     |                    |                |                            |
+--------------------------------------------------------------+--------------------+----------------+----------------------------+
| **Validation Method -- Defined Approach**                    |                    |                |                            |
+--------------------------------------------------------------+--------------------+----------------+----------------------------+
| **Indicate** whether a Compensating Control was used:        |                    |                | ☐ Yes ☐ No                 |
+--------------------------------------------------------------+--------------------+----------------+----------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      |                    |                | \<Enter Response Here\>    |
| where the Compensating Control(s) was used.                  |                    |                |                            |
|                                                              |                    |                |                            |
| ***Note:** The use of Compensating Controls must also be     |                    |                |                            |
| documented in                                                |                    |                |                            |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*  |                    |                |                            |
+--------------------------------------------------------------+--------------------+----------------+----------------------------+
+--------------------------------------------------------------+----------------------------------------------------+----------------------------+
| > **Testing Procedures**                                     | > **Reporting Instructions**                       | > **Reporting Details:     |
|                                                              |                                                    | > Assessor's Response**    |
+==============================================================+====================================================+============================+
| **3.3.3.a** *Additional testing procedure for issuers and    | **Identify** the evidence reference number(s) from | \<Enter Response Here\>    |
| companies that support issuing services and store sensitive  | [Section 6](#evidence-assessment-workpapers) for   |                            |
| authentication data:* Examine documented policies and        | all **documented policies** examined for this      |                            |
| interview personnel to verify there is a documented business | testing procedure.                                 |                            |
| justification for the storage of sensitive authentication    |                                                    |                            |
| data.                                                        |                                                    |                            |
+--------------------------------------------------------------+----------------------------------------------------+----------------------------+
|                                                              | **Identify** the evidence reference number(s) from | \<Enter Response Here\>    |
|                                                              | [Section 6](#evidence-assessment-workpapers) for   |                            |
|                                                              | all **interview(s)** conducted for this testing    |                            |
|                                                              | procedure.                                         |                            |
+--------------------------------------------------------------+----------------------------------------------------+----------------------------+
| **3.3.3.b** *Additional testing procedure for issuers and    | **Identify** the evidence reference number(s) from | \<Enter Response Here\>    |
| companies that support issuing services and store sensitive  | [Section 6](#evidence-assessment-workpapers) for   |                            |
| authentication data:* Examine data stores and system         | all **data stores** examined for this testing      |                            |
| configurations to verify that the sensitive authentication   | procedure.                                         |                            |
| data is stored securely.                                     |                                                    |                            |
+--------------------------------------------------------------+----------------------------------------------------+----------------------------+
|                                                              | **Identify** the evidence reference number(s) from | \<Enter Response Here\>    |
|                                                              | [Section 6](#evidence-assessment-workpapers) for   |                            |
|                                                              | all **system configurations** examined for this    |                            |
|                                                              | testing procedure.                                 |                            |
+--------------------------------------------------------------+----------------------------------------------------+----------------------------+
+-----------------------------------------------------------------------+
| > **Requirement Description** |
+=======================================================================+
| **3.4** Access to displays of full PAN and ability to copy PAN is |
| restricted. |
+-----------------------------------------------------------------------+
+--------------------------------------------------------------+--------------------+----------------+----------------------------+
| > **PCI DSS Requirement**                                    |                    |                |                            |
+==============================================================+====================+================+============================+
| **3.4.1** PAN is masked when displayed (the BIN and last     |                    |                |                            |
| four digits **are the maximum number** of digits to be       |                    |                |                            |
| displayed), such that only personnel with a legitimate       |                    |                |                            |
| business need can see **more than** the BIN and last four    |                    |                |                            |
| digits of the PAN.                                           |                    |                |                            |
+--------------------------------------------------------------+--------------------+----------------+----------------------------+
| > **Assessment Findings (select one)**                       |                    |                |                            |
+--------------------------------------------------------------+--------------------+----------------+----------------------------+
| **In Place**                                                 | **Not Applicable** | **Not Tested** | **Not in Place**           |
+--------------------------------------------------------------+--------------------+----------------+----------------------------+
| ☐                                                            | ☐                  | ☐              | ☐                          |
+--------------------------------------------------------------+--------------------+----------------+----------------------------+
| Describe why the assessment finding was selected.            |                    |                | \<Enter Response Here\>    |
|                                                              |                    |                |                            |
| ***Note**: Include all details as noted in the "Required     |                    |                |                            |
| Reporting" column of the table in                            |                    |                |                            |
| [Assessment Findings](#assessment-findings) in the ROC       |                    |                |                            |
| Template Instructions.*                                      |                    |                |                            |
+--------------------------------------------------------------+--------------------+----------------+----------------------------+
| **Validation Method -- Customized Approach**                 |                    |                |                            |
+--------------------------------------------------------------+--------------------+----------------+----------------------------+
| **Indicate** whether a Customized Approach was used:         |                    |                | ☐ Yes ☐ No                 |
+--------------------------------------------------------------+--------------------+----------------+----------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      |                    |                | \<Enter Response Here\>    |
| where the Customized Approach was used.                      |                    |                |                            |
|                                                              |                    |                |                            |
| ***Note:** The use of Customized Approach must also be       |                    |                |                            |
| documented in                                                |                    |                |                            |
| [Appendix E.](#appendix-e-customized-approach-template)*     |                    |                |                            |
+--------------------------------------------------------------+--------------------+----------------+----------------------------+
| **Validation Method -- Defined Approach**                    |                    |                |                            |
+--------------------------------------------------------------+--------------------+----------------+----------------------------+
| **Indicate** whether a Compensating Control was used:        |                    |                | ☐ Yes ☐ No                 |
+--------------------------------------------------------------+--------------------+----------------+----------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      |                    |                | \<Enter Response Here\>    |
| where the Compensating Control(s) was used.                  |                    |                |                            |
|                                                              |                    |                |                            |
| ***Note:** The use of Compensating Controls must also be     |                    |                |                            |
| documented in                                                |                    |                |                            |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*  |                    |                |                            |
+--------------------------------------------------------------+--------------------+----------------+----------------------------+
+--------------------------------------------------------------+----------------------------------------------------+----------------------------+
| > **Testing Procedures**                                     | > **Reporting Instructions**                       | > **Reporting Details:     |
|                                                              |                                                    | > Assessor's Response**    |
+==============================================================+====================================================+============================+
| **3.4.1.a** Examine documented policies and procedures for   | **Identify** the evidence reference number(s) from | \<Enter Response Here\>    |
| masking the display of PANs to verify:                       | [Section 6](#evidence-assessment-workpapers) for   |                            |
|                                                              | all **documented policies and procedures**         |                            |
| - A list of roles that need access to more than the BIN and  | examined for this testing procedure.               |                            |
|   last four digits of the PAN (includes full PAN) is         |                                                    |                            |
|   documented, together with a legitimate business need for   |                                                    |                            |
|   each role to have such access.                             |                                                    |                            |
|                                                              |                                                    |                            |
| - PAN is masked when displayed such that only personnel with |                                                    |                            |
|   a legitimate business need can see more than the BIN and   |                                                    |                            |
|   last four digits of the PAN.                               |                                                    |                            |
|                                                              |                                                    |                            |
| - All roles not specifically authorized to see the full PAN  |                                                    |                            |
|   must only see masked PANs.                                 |                                                    |                            |
+--------------------------------------------------------------+----------------------------------------------------+----------------------------+
| **3.4.1.b** Examine system configurations to verify that     | **Identify** the evidence reference number(s) from | \<Enter Response Here\>    |
| full PAN is only displayed for roles with a documented       | [Section 6](#evidence-assessment-workpapers) for   |                            |
| business need, and that PAN is masked for all other          | all **system configurations** examined for this    |                            |
| requests.                                                    | testing procedure.                                 |                            |
+--------------------------------------------------------------+----------------------------------------------------+----------------------------+
| **3.4.1.c** Examine displays of PAN (for example, on screen, | **Identify** the evidence reference number(s) from | \<Enter Response Here\>    |
| on paper receipts) to verify that PANs are masked when       | [Section 6](#evidence-assessment-workpapers) for   |                            |
| displayed, and that only those with a legitimate business    | all **displays of PAN** examined for this testing  |                            |
| need are able to see more than the BIN and/or last four      | procedure.                                         |                            |
| digits of the PAN.                                           |                                                    |                            |
+--------------------------------------------------------------+----------------------------------------------------+----------------------------+
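
The masking rule in 3.4.1 is an upper bound on what a display may show, enforced per role. The following is an added example of how that rule looks in code; it is not part of the ROC template and not PCI SSC code. The role table (`ROLE_DISPLAY_POLICY`), the 8-digit BIN length, the mask character and the sample card number are assumptions made for illustration; a real deployment takes the roles from the documented list that testing procedure 3.4.1.a asks for.

```python
"""Role-aware PAN masking for display.

Added example for PCI DSS v4.0 Requirement 3.4.1; it is not part of the
ROC template or of any PCI SSC code. The requirement only fixes the upper
bound (BIN plus last four digits is the most anyone without a documented
business need may see). The role table, the 8-digit BIN length and the
mask character below are assumptions made for illustration.
"""
import re

BIN_LENGTH = 8        # assumption: 8-digit BIN; use 6 for a 6-digit BIN scheme
LAST_DIGITS = 4
MASK_CHAR = "*"

# Hypothetical role policy (not from the standard). Each role maps to the
# most it may see, mirroring the documented list of roles and business
# needs that testing procedure 3.4.1.a asks for.
ROLE_DISPLAY_POLICY = {
    "cashier": "bin_last4",      # the 3.4.1 maximum: BIN + last four
    "support_agent": "last4",    # tighter than the maximum is allowed
    "fraud_analyst": "full",     # documented need to see the whole PAN
}


def normalize_pan(pan: str) -> str:
    """Strip spaces and hyphens and require a 13- to 19-digit PAN."""
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    return digits


def mask_pan(pan: str, lead: int = BIN_LENGTH, tail: int = LAST_DIGITS) -> str:
    """Keep the first `lead` and last `tail` digits, replace the rest.

    Refuses to run if nothing would be hidden, so a mis-sized policy can
    never silently become a full-PAN display.
    """
    digits = normalize_pan(pan)
    hidden = len(digits) - lead - tail
    if hidden < 1:
        raise ValueError("masking would leave no digit hidden")
    return digits[:lead] + MASK_CHAR * hidden + digits[-tail:]


def display_pan(pan: str, role: str) -> str:
    """Render a PAN for `role`; roles not in the policy get the tightest mask."""
    level = ROLE_DISPLAY_POLICY.get(role, "last4")   # deny by default
    if level == "full":
        return normalize_pan(pan)        # full-PAN access: callers should log it
    if level == "bin_last4":
        return mask_pan(pan)
    return mask_pan(pan, lead=0)


if __name__ == "__main__":
    # Constructed test number (not a real card), 16 digits, Luhn-valid.
    sample = "4111 1111 1111 1111"
    for role in ("cashier", "support_agent", "fraud_analyst", "intern"):
        print(f"{role:14s} {display_pan(sample, role)}")
```

Two design points matter for an assessor reading 3.4.1.b and 3.4.1.c: an unknown role falls through to the tightest mask rather than to the full PAN, and `mask_pan` refuses a lead/tail combination that would hide nothing, so a 13-digit PAN with an 8-digit BIN still has at least one digit masked. Masking is a display control only; PAN at rest is covered by 3.5.1.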
+--------------------------------------------------------------+--------------------+----------------+----------------------------+
| > **PCI DSS Requirement**                                    |                    |                |                            |
+==============================================================+====================+================+============================+
| **3.4.2** When using remote-access technologies, technical   |                    |                |                            |
| controls prevent copy and/or relocation of PAN for all       |                    |                |                            |
| personnel, except for those with documented, explicit        |                    |                |                            |
| authorization and a legitimate, defined business need.       |                    |                |                            |
|                                                              |                    |                |                            |
| ***Note:** This requirement is a **best practice** until     |                    |                |                            |
| **31 March 2025**, after which it will be required and must  |                    |                |                            |
| be fully considered during a PCI DSS assessment.*            |                    |                |                            |
+--------------------------------------------------------------+--------------------+----------------+----------------------------+
| > **Assessment Findings (select one)**                       |                    |                |                            |
+--------------------------------------------------------------+--------------------+----------------+----------------------------+
| **In Place**                                                 | **Not Applicable** | **Not Tested** | **Not in Place**           |
+--------------------------------------------------------------+--------------------+----------------+----------------------------+
| ☐                                                            | ☐                  | ☐              | ☐                          |
+--------------------------------------------------------------+--------------------+----------------+----------------------------+
| Describe why the assessment finding was selected.            |                    |                | \<Enter Response Here\>    |
|                                                              |                    |                |                            |
| ***Note**: Include all details as noted in the "Required     |                    |                |                            |
| Reporting" column of the table in                            |                    |                |                            |
| [Assessment Findings](#assessment-findings) in the ROC       |                    |                |                            |
| Template Instructions.*                                      |                    |                |                            |
+--------------------------------------------------------------+--------------------+----------------+----------------------------+
| **Validation Method -- Customized Approach**                 |                    |                |                            |
+--------------------------------------------------------------+--------------------+----------------+----------------------------+
| **Indicate** whether a Customized Approach was used:         |                    |                | ☐ Yes ☐ No                 |
+--------------------------------------------------------------+--------------------+----------------+----------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      |                    |                | \<Enter Response Here\>    |
| where the Customized Approach was used.                      |                    |                |                            |
|                                                              |                    |                |                            |
| ***Note:** The use of Customized Approach must also be       |                    |                |                            |
| documented in                                                |                    |                |                            |
| [Appendix E.](#appendix-e-customized-approach-template)*     |                    |                |                            |
+--------------------------------------------------------------+--------------------+----------------+----------------------------+
| **Validation Method -- Defined Approach**                    |                    |                |                            |
+--------------------------------------------------------------+--------------------+----------------+----------------------------+
| **Indicate** whether a Compensating Control was used:        |                    |                | ☐ Yes ☐ No                 |
+--------------------------------------------------------------+--------------------+----------------+----------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      |                    |                | \<Enter Response Here\>    |
| where the Compensating Control(s) was used.                  |                    |                |                            |
|                                                              |                    |                |                            |
| ***Note:** The use of Compensating Controls must also be     |                    |                |                            |
| documented in                                                |                    |                |                            |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*  |                    |                |                            |
+--------------------------------------------------------------+--------------------+----------------+----------------------------+
+--------------------------------------------------------------+----------------------------------------------------+----------------------------+
| > **Testing Procedures**                                     | > **Reporting Instructions**                       | > **Reporting Details:     |
|                                                              |                                                    | > Assessor's Response**    |
+==============================================================+====================================================+============================+
| **3.4.2.a** Examine documented policies and procedures and   | **Identify** the evidence reference number(s) from | \<Enter Response Here\>    |
| documented evidence for technical controls that prevent copy | [Section 6](#evidence-assessment-workpapers) for   |                            |
| and/or relocation of PAN when using remote-access            | all **documented policies and procedures**         |                            |
| technologies onto local hard drives or removable electronic  | examined for this testing procedure.               |                            |
| media to verify the following:                               |                                                    |                            |
|                                                              |                                                    |                            |
| - Technical controls prevent all personnel not specifically  |                                                    |                            |
|   authorized from copying and/or relocating PAN.             |                                                    |                            |
|                                                              |                                                    |                            |
| - A list of personnel with permission to copy and/or         |                                                    |                            |
|   relocate PAN is maintained, together with the documented,  |                                                    |                            |
|   explicit authorization and legitimate, defined business    |                                                    |                            |
|   need.                                                      |                                                    |                            |
+--------------------------------------------------------------+----------------------------------------------------+----------------------------+
|                                                              | **Identify** the evidence reference number(s) from | \<Enter Response Here\>    |
|                                                              | [Section 6](#evidence-assessment-workpapers) for   |                            |
|                                                              | all **documented evidence for technical controls** |                            |
|                                                              | examined for this testing procedure.               |                            |
+--------------------------------------------------------------+----------------------------------------------------+----------------------------+
| **3.4.2.b** Examine configurations for remote-access         | **Identify** the evidence reference number(s) from | \<Enter Response Here\>    |
| technologies to verify that technical controls are in place  | [Section 6](#evidence-assessment-workpapers) for   |                            |
| to prevent copy and/or relocation of PAN for all personnel,  | all **configurations** examined for this testing   |                            |
| unless explicitly authorized.                                | procedure.                                         |                            |
+--------------------------------------------------------------+----------------------------------------------------+----------------------------+
| **3.4.2.c** Observe processes and interview personnel to     | **Identify** the evidence reference number(s) from | \<Enter Response Here\>    |
| verify that only personnel with documented, explicit         | [Section 6](#evidence-assessment-workpapers) for   |                            |
| authorization and a legitimate, defined business need have   | all **observation(s)** conducted for this testing  |                            |
| permission to copy and/or relocate PAN when using            | procedure.                                         |                            |
| remote-access technologies.                                  |                                                    |                            |
+--------------------------------------------------------------+----------------------------------------------------+----------------------------+
|                                                              | **Identify** the evidence reference number(s) from | \<Enter Response Here\>    |
|                                                              | [Section 6](#evidence-assessment-workpapers) for   |                            |
|                                                              | all **interview(s)** conducted for this testing    |                            |
|                                                              | procedure.                                         |                            |
+--------------------------------------------------------------+----------------------------------------------------+----------------------------+
+-----------------------------------------------------------------------+
| > **Requirement Description** |
+=======================================================================+
| **3.5** Primary account number (PAN) is secured wherever it is |
| stored. |
+-----------------------------------------------------------------------+
+--------------------------------------------------------------+--------------------+----------------+----------------------------+
| > **PCI DSS Requirement**                                    |                    |                |                            |
+==============================================================+====================+================+============================+
| **3.5.1** PAN is rendered unreadable anywhere it is stored   |                    |                |                            |
| by using any of the following approaches:                    |                    |                |                            |
|                                                              |                    |                |                            |
| - One-way hashes based on strong cryptography of the entire  |                    |                |                            |
|   PAN.                                                       |                    |                |                            |
|                                                              |                    |                |                            |
| - Truncation (hashing cannot be used to replace the          |                    |                |                            |
|   truncated segment of PAN).                                 |                    |                |                            |
|                                                              |                    |                |                            |
|   - If hashed and truncated versions of the same PAN, or     |                    |                |                            |
|     different truncation formats of the same PAN, are        |                    |                |                            |
|     present in an environment, additional controls are in    |                    |                |                            |
|     place such that the different versions cannot be         |                    |                |                            |
|     correlated to reconstruct the original PAN.              |                    |                |                            |
|                                                              |                    |                |                            |
| - Index tokens.                                              |                    |                |                            |
|                                                              |                    |                |                            |
| - Strong cryptography with associated key-management         |                    |                |                            |
|   processes and procedures.                                  |                    |                |                            |
+--------------------------------------------------------------+--------------------+----------------+----------------------------+
| > **Assessment Findings (select one)**                       |                    |                |                            |
+--------------------------------------------------------------+--------------------+----------------+----------------------------+
| **In Place**                                                 | **Not Applicable** | **Not Tested** | **Not in Place**           |
+--------------------------------------------------------------+--------------------+----------------+----------------------------+
| ☐                                                            | ☐                  | ☐              | ☐                          |
+--------------------------------------------------------------+--------------------+----------------+----------------------------+
| Describe why the assessment finding was selected.            |                    |                | \<Enter Response Here\>    |
|                                                              |                    |                |                            |
| ***Note**: Include all details as noted in the "Required     |                    |                |                            |
| Reporting" column of the table in                            |                    |                |                            |
| [Assessment Findings](#assessment-findings) in the ROC       |                    |                |                            |
| Template Instructions.*                                      |                    |                |                            |
+--------------------------------------------------------------+--------------------+----------------+----------------------------+
| **Validation Method -- Customized Approach**                 |                    |                |                            |
+--------------------------------------------------------------+--------------------+----------------+----------------------------+
| **Indicate** whether a Customized Approach was used:         |                    |                | ☐ Yes ☐ No                 |
+--------------------------------------------------------------+--------------------+----------------+----------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      |                    |                | \<Enter Response Here\>    |
| where the Customized Approach was used.                      |                    |                |                            |
|                                                              |                    |                |                            |
| ***Note:** The use of Customized Approach must also be       |                    |                |                            |
| documented in                                                |                    |                |                            |
| [Appendix E.](#appendix-e-customized-approach-template)*     |                    |                |                            |
+--------------------------------------------------------------+--------------------+----------------+----------------------------+
| **Validation Method -- Defined Approach**                    |                    |                |                            |
+--------------------------------------------------------------+--------------------+----------------+----------------------------+
| **Indicate** whether a Compensating Control was used:        |                    |                | ☐ Yes ☐ No                 |
+--------------------------------------------------------------+--------------------+----------------+----------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      |                    |                | \<Enter Response Here\>    |
| where the Compensating Control(s) was used.                  |                    |                |                            |
|                                                              |                    |                |                            |
| ***Note:** The use of Compensating Controls must also be     |                    |                |                            |
| documented in                                                |                    |                |                            |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*  |                    |                |                            |
+--------------------------------------------------------------+--------------------+----------------+----------------------------+
+--------------------------------------------------------------+----------------------------------------------------+----------------------------+
| > **Testing Procedures**                                     | > **Reporting Instructions**                       | > **Reporting Details:     |
|                                                              |                                                    | > Assessor's Response**    |
+==============================================================+====================================================+============================+
| **3.5.1.a** Examine documentation about the system used to   | **Identify** the evidence reference number(s) from | \<Enter Response Here\>    |
| render PAN unreadable, including the vendor, type of         | [Section 6](#evidence-assessment-workpapers) for   |                            |
| system/process, and the encryption algorithms (if            | all **documentation** examined for this testing    |                            |
| applicable) to verify that the PAN is rendered unreadable    | procedure.                                         |                            |
| using any of the methods specified in this requirement.      |                                                    |                            |
+--------------------------------------------------------------+----------------------------------------------------+----------------------------+
| **3.5.1.b** Examine data repositories and audit logs,        | **Identify** the evidence reference number(s) from | \<Enter Response Here\>    |
| including payment application logs, to verify the PAN is     | [Section 6](#evidence-assessment-workpapers) for   |                            |
| rendered unreadable using any of the methods specified in    | all **data repositories** examined for this        |                            |
| this requirement.                                            | testing procedure.                                 |                            |
+--------------------------------------------------------------+----------------------------------------------------+----------------------------+
|                                                              | **Identify** the evidence reference number(s) from | \<Enter Response Here\>    |
|                                                              | [Section 6](#evidence-assessment-workpapers) for   |                            |
|                                                              | all **audit logs** examined for this testing       |                            |
|                                                              | procedure.                                         |                            |
+--------------------------------------------------------------+----------------------------------------------------+----------------------------+
| **3.5.1.c** If hashed and truncated versions of the same PAN | **Identify** the evidence reference number(s) from | \<Enter Response Here\>    |
| are present in the environment, examine implemented controls | [Section 6](#evidence-assessment-workpapers) for   |                            |
| to verify that the hashed and truncated versions cannot be   | all **implemented controls** examined for this     |                            |
| correlated to reconstruct the original PAN.                  | testing procedure.                                 |                            |
+--------------------------------------------------------------+----------------------------------------------------+----------------------------+

+--------------------------------------------------------------------------------+
| **PCI DSS Requirement**                                                        |
+================================================================================+
| **3.5.1.1** Hashes used to render PAN unreadable (per the first bullet of      |
| Requirement 3.5.1) are keyed cryptographic hashes of the entire PAN, with      |
| associated key-management processes and procedures in accordance with         |
| Requirements 3.6 and 3.7.                                                      |
|                                                                                |
| ***Note:** This requirement is considered a **best practice** until **31 March |
| 2025**, after which it will be required and must be fully considered during a  |
| PCI DSS assessment.*                                                           |
+--------------------------------------------------------------------------------+
| **Assessment Findings (select one)**                                           |
+--------------------------------------------------------------------------------+
| ☐ **In Place**   ☐ **Not Applicable**   ☐ **Not Tested**   ☐ **Not in Place**  |
+--------------------------------------------------------------------------------+
| Describe why the assessment finding was selected.                              |
|                                                                                |
| ***Note**: Include all details as noted in the "Required Reporting" column of  |
| the table in [Assessment Findings](#assessment-findings) in the ROC Template   |
| Instructions.*                                                                 |
|                                                                                |
| \<Enter Response Here\>                                                        |
+--------------------------------------------------------------------------------+
| **Validation Method -- Customized Approach**                                   |
+--------------------------------------------------------------------------------+
| **Indicate** whether a Customized Approach was used:   ☐ Yes ☐ No              |
+--------------------------------------------------------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the Customized   |
| Approach was used.                                                             |
|                                                                                |
| ***Note:** The use of Customized Approach must also be documented in           |
| [Appendix E.](#appendix-e-customized-approach-template)*                       |
|                                                                                |
| \<Enter Response Here\>                                                        |
+--------------------------------------------------------------------------------+
| **Validation Method -- Defined Approach**                                      |
+--------------------------------------------------------------------------------+
| **Indicate** whether a Compensating Control was used:   ☐ Yes ☐ No             |
+--------------------------------------------------------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the Compensating |
| Control(s) was used.                                                           |
|                                                                                |
| ***Note:** The use of Compensating Controls must also be documented in         |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*                    |
|                                                                                |
| \<Enter Response Here\>                                                        |
+--------------------------------------------------------------------------------+

+------------------------------------+----------------------------------------------------+---------------------------+
| **Testing Procedures**             | **Reporting Instructions**                         | **Reporting Details:      |
|                                    |                                                    | Assessor's Response**     |
+====================================+====================================================+===========================+
| **3.5.1.1.a** Examine              | **Identify** the evidence reference number(s)      | \<Enter Response Here\>   |
| documentation about the hashing    | from [Section 6](#evidence-assessment-workpapers)  |                           |
| method used to render PAN          | for all **documentation** examined for this        |                           |
| unreadable, including the vendor,  | testing procedure.                                 |                           |
| type of system/process, and the    |                                                    |                           |
| encryption algorithms (as          |                                                    |                           |
| applicable) to verify that the     |                                                    |                           |
| hashing method results in keyed    |                                                    |                           |
| cryptographic hashes of the entire |                                                    |                           |
| PAN, with associated key           |                                                    |                           |
| management processes and           |                                                    |                           |
| procedures.                        |                                                    |                           |
+------------------------------------+----------------------------------------------------+---------------------------+
| **3.5.1.1.b** Examine              | **Identify** the evidence reference number(s)      | \<Enter Response Here\>   |
| documentation about the key        | from [Section 6](#evidence-assessment-workpapers)  |                           |
| management procedures and          | for all **documentation** examined for this        |                           |
| processes associated with the      | testing procedure.                                 |                           |
| keyed cryptographic hashes to      |                                                    |                           |
| verify keys are managed in         |                                                    |                           |
| accordance with Requirements 3.6   |                                                    |                           |
| and 3.7.                           |                                                    |                           |
+------------------------------------+----------------------------------------------------+---------------------------+
| **3.5.1.1.c** Examine data         | **Identify** the evidence reference number(s)      | \<Enter Response Here\>   |
| repositories to verify the PAN is  | from [Section 6](#evidence-assessment-workpapers)  |                           |
| rendered unreadable.               | for all **data repositories** examined for         |                           |
|                                    | this testing procedure.                            |                           |
+------------------------------------+----------------------------------------------------+---------------------------+
| **3.5.1.1.d** Examine audit logs,  | **Identify** the evidence reference number(s)      | \<Enter Response Here\>   |
| including payment application      | from [Section 6](#evidence-assessment-workpapers)  |                           |
| logs, to verify the PAN is         | for all **audit logs** examined for this testing   |                           |
| rendered unreadable.               | procedure.                                         |                           |
+------------------------------------+----------------------------------------------------+---------------------------+

+--------------------------------------------------------------------------------+
| **PCI DSS Requirement**                                                        |
+================================================================================+
| **3.5.1.2** If disk-level or partition-level encryption (rather than file-,    |
| column-, or field-level database encryption) is used to render PAN             |
| unreadable, it is implemented only as follows:                                 |
|                                                                                |
| - On removable electronic media OR                                             |
|                                                                                |
| - If used for non-removable electronic media, PAN is also rendered unreadable  |
|   via another mechanism that meets Requirement 3.5.1.                          |
|                                                                                |
| ***Note:** This requirement is considered a **best practice** until **31 March |
| 2025**, after which it will be required and must be fully considered during a  |
| PCI DSS assessment.*                                                           |
+--------------------------------------------------------------------------------+

+--------------------------------------------------------------------------------+
| **Assessment Findings (select one)**                                           |
+================================================================================+
| ☐ **In Place**   ☐ **Not Applicable**   ☐ **Not Tested**   ☐ **Not in Place**  |
+--------------------------------------------------------------------------------+
| Describe why the assessment finding was selected.                              |
|                                                                                |
| ***Note**: Include all details as noted in the "Required Reporting" column of  |
| the table in [Assessment Findings](#assessment-findings) in the ROC Template   |
| Instructions.*                                                                 |
|                                                                                |
| \<Enter Response Here\>                                                        |
+--------------------------------------------------------------------------------+
| **Validation Method -- Customized Approach**                                   |
+--------------------------------------------------------------------------------+
| This requirement is not eligible for the customized approach.                  |
+--------------------------------------------------------------------------------+
| **Validation Method -- Defined Approach**                                      |
+--------------------------------------------------------------------------------+
| **Indicate** whether a Compensating Control was used:   ☐ Yes ☐ No             |
+--------------------------------------------------------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the Compensating |
| Control(s) was used.                                                           |
|                                                                                |
| ***Note:** The use of Compensating Controls must also be documented in         |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*                    |
|                                                                                |
| \<Enter Response Here\>                                                        |
+--------------------------------------------------------------------------------+

+------------------------------------+----------------------------------------------------+---------------------------+
| **Testing Procedures**             | **Reporting Instructions**                         | **Reporting Details:      |
|                                    |                                                    | Assessor's Response**     |
+====================================+====================================================+===========================+
| **3.5.1.2.a** Examine encryption   | **Identify** the evidence reference number(s)      | \<Enter Response Here\>   |
| processes to verify that, if       | from [Section 6](#evidence-assessment-workpapers)  |                           |
| disk-level or partition-level      | for all **encryption processes** examined for      |                           |
| encryption is used to render PAN   | this testing procedure.                            |                           |
| unreadable, it is implemented      |                                                    |                           |
| only as follows:                   |                                                    |                           |
|                                    |                                                    |                           |
| - On removable electronic media,   |                                                    |                           |
|   OR                               |                                                    |                           |
|                                    |                                                    |                           |
| - If used for non-removable        |                                                    |                           |
|   electronic media, examine        |                                                    |                           |
|   encryption processes used to     |                                                    |                           |
|   verify that PAN is also          |                                                    |                           |
|   rendered unreadable via another  |                                                    |                           |
|   method that meets Requirement    |                                                    |                           |
|   3.5.1.                           |                                                    |                           |
+------------------------------------+----------------------------------------------------+---------------------------+
| **3.5.1.2.b** Examine              | **Identify** the evidence reference number(s)      | \<Enter Response Here\>   |
| configurations and/or vendor       | from [Section 6](#evidence-assessment-workpapers)  |                           |
| documentation and observe          | for all **configurations** examined for this       |                           |
| encryption processes to verify the | testing procedure.                                 |                           |
| system is configured according to  |                                                    |                           |
| vendor documentation and the       |                                                    |                           |
| result is that the disk or the     |                                                    |                           |
| partition is rendered unreadable.  |                                                    |                           |
+------------------------------------+----------------------------------------------------+---------------------------+
|                                    | **Identify** the evidence reference number(s)      | \<Enter Response Here\>   |
|                                    | from [Section 6](#evidence-assessment-workpapers)  |                           |
|                                    | for all **vendor documentation** examined for      |                           |
|                                    | this testing procedure.                            |                           |
+------------------------------------+----------------------------------------------------+---------------------------+
|                                    | **Identify** the evidence reference number(s)      | \<Enter Response Here\>   |
|                                    | from [Section 6](#evidence-assessment-workpapers)  |                           |
|                                    | for the **observation(s) of the encryption         |                           |
|                                    | processes** for this testing procedure.            |                           |
+------------------------------------+----------------------------------------------------+---------------------------+

+--------------------------------------------------------------------------------+
| **PCI DSS Requirement**                                                        |
+================================================================================+
| **3.5.1.3** If disk-level or partition-level encryption is used (rather than   |
| file-, column-, or field-level database encryption) to render PAN unreadable,  |
| it is managed as follows:                                                      |
|                                                                                |
| - Logical access is managed separately and independently of native operating   |
|   system authentication and access control mechanisms.                         |
|                                                                                |
| - Decryption keys are not associated with user accounts.                       |
|                                                                                |
| - Authentication factors (passwords, passphrases, or cryptographic keys) that  |
|   allow access to unencrypted data are stored securely.                        |
+--------------------------------------------------------------------------------+
| **Assessment Findings (select one)**                                           |
+--------------------------------------------------------------------------------+
| ☐ **In Place**   ☐ **Not Applicable**   ☐ **Not Tested**   ☐ **Not in Place**  |
+--------------------------------------------------------------------------------+
| Describe why the assessment finding was selected.                              |
|                                                                                |
| ***Note**: Include all details as noted in the "Required Reporting" column of  |
| the table in [Assessment Findings](#assessment-findings) in the ROC Template   |
| Instructions.*                                                                 |
|                                                                                |
| \<Enter Response Here\>                                                        |
+--------------------------------------------------------------------------------+
| **Validation Method -- Customized Approach**                                   |
+--------------------------------------------------------------------------------+
| **Indicate** whether a Customized Approach was used:   ☐ Yes ☐ No              |
+--------------------------------------------------------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the Customized   |
| Approach was used.                                                             |
|                                                                                |
| ***Note:** The use of Customized Approach must also be documented in           |
| [Appendix E.](#appendix-e-customized-approach-template)*                       |
|                                                                                |
| \<Enter Response Here\>                                                        |
+--------------------------------------------------------------------------------+
| **Validation Method -- Defined Approach**                                      |
+--------------------------------------------------------------------------------+
| **Indicate** whether a Compensating Control was used:   ☐ Yes ☐ No             |
+--------------------------------------------------------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the Compensating |
| Control(s) was used.                                                           |
|                                                                                |
| ***Note:** The use of Compensating Controls must also be documented in         |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*                    |
|                                                                                |
| \<Enter Response Here\>                                                        |
+--------------------------------------------------------------------------------+

+------------------------------------+----------------------------------------------------+---------------------------+
| **Testing Procedures**             | **Reporting Instructions**                         | **Reporting Details:      |
|                                    |                                                    | Assessor's Response**     |
+====================================+====================================================+===========================+
| **3.5.1.3.a** If disk-level or     | **Identify** the evidence reference number(s)      | \<Enter Response Here\>   |
| partition-level encryption is used | from [Section 6](#evidence-assessment-workpapers)  |                           |
| to render PAN unreadable, examine  | for all **system configurations** examined         |                           |
| the system configuration and       | for this testing procedure.                        |                           |
| observe the authentication process |                                                    |                           |
| to verify that logical access is   |                                                    |                           |
| implemented in accordance with all |                                                    |                           |
| elements specified in this         |                                                    |                           |
| requirement.                       |                                                    |                           |
+------------------------------------+----------------------------------------------------+---------------------------+
|                                    | **Identify** the evidence reference number(s)      | \<Enter Response Here\>   |
|                                    | from [Section 6](#evidence-assessment-workpapers)  |                           |
|                                    | for all **observation(s) of the                    |                           |
|                                    | authentication process** for this testing          |                           |
|                                    | procedure.                                         |                           |
+------------------------------------+----------------------------------------------------+---------------------------+
| **3.5.1.3.b** Examine files        | **Identify** the evidence reference number(s)      | \<Enter Response Here\>   |
| containing authentication factors  | from [Section 6](#evidence-assessment-workpapers)  |                           |
| (passwords, passphrases, or        | for all **files containing authentication          |                           |
| cryptographic keys) and interview  | factors** examined for this testing procedure.     |                           |
| personnel to verify that           |                                                    |                           |
| authentication factors that allow  |                                                    |                           |
| access to unencrypted data are     |                                                    |                           |
| stored securely and are            |                                                    |                           |
| independent from the native        |                                                    |                           |
| operating system's authentication  |                                                    |                           |
| and access control methods.        |                                                    |                           |
+------------------------------------+----------------------------------------------------+---------------------------+
|                                    | **Identify** the evidence reference number(s)      | \<Enter Response Here\>   |
|                                    | from [Section 6](#evidence-assessment-workpapers)  |                           |
|                                    | for all **interview(s)** conducted for this        |                           |
|                                    | testing procedure.                                 |                           |
+------------------------------------+----------------------------------------------------+---------------------------+
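
Requirement 3.5.1.1 asks for a keyed cryptographic hash of the entire PAN, and testing procedure 3.5.1.c asks the assessor to confirm that a hashed and a truncated copy of the same PAN cannot be combined to recover it. The risk behind 3.5.1.c is that a truncated PAN leaves only a few unknown digits, so an unkeyed hash of the full PAN could be checked against every remaining candidate; a secret key held only by the hashing system removes that possibility, and hashing anything less than the whole PAN would defeat the control. The Python below is an added illustration written for this page, not code from the PCI SSC or from this template. The helper names, the first-six/last-four truncation format, the 256-bit key length and the test PAN are assumptions; in a real deployment the HMAC key would be generated and stored under the Requirement 3.6 and 3.7 controls (an HSM or KMS), not held in process memory as it is here.

```python
import hashlib
import hmac
import secrets

# Added example (hypothetical helpers, not the PCI SSC's code). The HMAC key is
# generated in memory for illustration only; in production it would live in an
# HSM/KMS under the key-management controls of Requirements 3.6 and 3.7.


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used for PANs."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:        # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalise_pan(pan: str) -> str:
    """Strip separators and refuse anything that is not a complete PAN.

    Hashing a truncated or masked value would not be a hash of the entire
    PAN, so non-digit characters and implausible lengths are rejected.
    """
    digits = pan.replace(" ", "").replace("-", "")
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("input is not a complete PAN")
    if not luhn_valid(digits):
        raise ValueError("PAN fails the Luhn check")
    return digits


def new_pan_hash_key() -> bytes:
    """Generate a 256-bit secret key for the keyed hash (assumed key length)."""
    return secrets.token_bytes(32)


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed cryptographic hash (HMAC-SHA-256) over the entire PAN (3.5.1.1)."""
    if len(key) < 32:
        raise ValueError("HMAC key must be at least 256 bits")
    return hmac.new(key, normalise_pan(pan).encode("ascii"), hashlib.sha256).hexdigest()


def truncate_pan(pan: str) -> str:
    """Truncated form keeping first six and last four digits (assumed format)."""
    digits = normalise_pan(pan)
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]


def pan_matches(candidate: str, stored_hash: str, key: bytes) -> bool:
    """Compare a candidate PAN with a stored hash; only a key holder can do this."""
    return hmac.compare_digest(hash_pan(candidate, key), stored_hash)


def demo() -> dict:
    """Run the helpers on a constructed test PAN and return what they produce."""
    test_pan = "4111 1111 1111 1111"      # constructed, well-known test number
    key = new_pan_hash_key()
    stored = hash_pan(test_pan, key)
    try:
        hash_pan(truncate_pan(test_pan), key)   # must be refused: not the entire PAN
        truncated_accepted = True
    except ValueError:
        truncated_accepted = False
    return {
        "hash_len": len(stored),
        "truncated": truncate_pan(test_pan),
        "matches_with_key": pan_matches(test_pan, stored, key),
        "matches_other_key": pan_matches(test_pan, stored, new_pan_hash_key()),
        "truncated_accepted": truncated_accepted,
    }


if __name__ == "__main__":
    print(demo())
```

An assessor working through 3.5.1.1.a can use the same questions the code makes explicit: is the hash keyed, is the key at least as strong as the hash output, does the input validation guarantee the whole PAN is hashed, and where does the key actually live.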
+-----------------------------------------------------------------------+
| > **Requirement Description** |
+=======================================================================+
| **3.6** Cryptographic keys used to protect stored account data are |
| secured. |
+-----------------------------------------------------------------------+

+--------------------------------------------------------------------------------+
| **PCI DSS Requirement**                                                        |
+================================================================================+
| **3.6.1** Procedures are defined and implemented to protect cryptographic keys |
| used to protect stored account data against disclosure and misuse that        |
| include:                                                                       |
|                                                                                |
| - Access to keys is restricted to the fewest number of custodians necessary.   |
|                                                                                |
| - Key-encrypting keys are at least as strong as the data-encrypting keys they  |
|   protect.                                                                     |
|                                                                                |
| - Key-encrypting keys are stored separately from data-encrypting keys.         |
|                                                                                |
| - Keys are stored securely in the fewest possible locations and forms.         |
+--------------------------------------------------------------------------------+
| **Assessment Findings (select one)**                                           |
+--------------------------------------------------------------------------------+
| ☐ **In Place**   ☐ **Not Applicable**   ☐ **Not Tested**   ☐ **Not in Place**  |
+--------------------------------------------------------------------------------+
| Describe why the assessment finding was selected.                              |
|                                                                                |
| ***Note**: Include all details as noted in the "Required Reporting" column of  |
| the table in [Assessment Findings](#assessment-findings) in the ROC Template   |
| Instructions.*                                                                 |
|                                                                                |
| \<Enter Response Here\>                                                        |
+--------------------------------------------------------------------------------+
| **Validation Method -- Customized Approach**                                   |
+--------------------------------------------------------------------------------+
| **Indicate** whether a Customized Approach was used:   ☐ Yes ☐ No              |
+--------------------------------------------------------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the Customized   |
| Approach was used.                                                             |
|                                                                                |
| ***Note:** The use of Customized Approach must also be documented in           |
| [Appendix E.](#appendix-e-customized-approach-template)*                       |
|                                                                                |
| \<Enter Response Here\>                                                        |
+--------------------------------------------------------------------------------+
| **Validation Method -- Defined Approach**                                      |
+--------------------------------------------------------------------------------+
| **Indicate** whether a Compensating Control was used:   ☐ Yes ☐ No             |
+--------------------------------------------------------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the Compensating |
| Control(s) was used.                                                           |
|                                                                                |
| ***Note:** The use of Compensating Controls must also be documented in         |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*                    |
|                                                                                |
| \<Enter Response Here\>                                                        |
+--------------------------------------------------------------------------------+
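
The four bullets of Requirement 3.6.1 are properties an assessor can check against a key inventory, such as the cryptographic-architecture description that service providers maintain under 3.6.1.1. The one that is easiest to get wrong is "key-encrypting keys are at least as strong as the data-encrypting keys they protect": strength has to be compared in security bits, not key length, so an RSA-2048 key (about 112 bits of security under NIST SP 800-57 Part 1) cannot be the key-encrypting key for an AES-256 data key. The Python below is an added example written for this page, not code from the PCI SSC or from this template. The inventory format, the `Key` fields, the custodian threshold and the sample keys are constructed for illustration; the security-strength table follows NIST SP 800-57 Part 1.

```python
from dataclasses import dataclass
from typing import Dict, List

# Added example (hypothetical inventory check, not the PCI SSC's code).
# Comparable security strengths in bits, from NIST SP 800-57 Part 1.
SECURITY_BITS: Dict[str, int] = {
    "2TDEA": 80, "3TDEA": 112,
    "AES-128": 128, "AES-192": 192, "AES-256": 256,
    "RSA-2048": 112, "RSA-3072": 128, "RSA-7680": 192, "RSA-15360": 256,
    "ECC-P256": 128, "ECC-P384": 192, "ECC-P521": 256,
}


@dataclass
class Key:
    key_id: str
    algorithm: str
    purpose: str              # "DEK" (data-encrypting) or "KEK" (key-encrypting)
    form: str                 # "hsm", "wrapped" or "cleartext"
    locations: List[str]      # every place the key material is stored
    custodians: List[str]
    wrapped_by: str = ""      # key_id of the KEK protecting this key, if any


def strength_bits(key: Key) -> int:
    """Security strength of the key's algorithm; unknown algorithms are an error."""
    try:
        return SECURITY_BITS[key.algorithm]
    except KeyError:
        raise ValueError(f"{key.key_id}: unknown algorithm {key.algorithm!r}") from None


def check_key_hierarchy(keys: List[Key], max_custodians: int = 2) -> List[str]:
    """Return one finding per 3.6.1 bullet violated (custodian threshold is assumed)."""
    by_id = {k.key_id: k for k in keys}
    findings: List[str] = []
    for k in keys:
        # Bullet 1: access restricted to the fewest custodians necessary.
        if len(k.custodians) > max_custodians:
            findings.append(f"{k.key_id}: {len(k.custodians)} custodians exceeds "
                            f"policy maximum of {max_custodians}")
        # Bullet 4: stored securely in the fewest possible locations and forms.
        if k.form == "cleartext":
            findings.append(f"{k.key_id}: key material stored in cleartext")
        if len(k.locations) > 1:
            findings.append(f"{k.key_id}: stored in {len(k.locations)} locations; "
                            "confirm each is necessary")
        if k.purpose != "DEK":
            continue
        if k.form == "wrapped" and not k.wrapped_by:
            findings.append(f"{k.key_id}: wrapped data-encrypting key names no KEK")
            continue
        if not k.wrapped_by:
            continue
        kek = by_id.get(k.wrapped_by)
        if kek is None:
            findings.append(f"{k.key_id}: wrapped_by refers to unknown key {k.wrapped_by}")
            continue
        # Bullet 2: KEK at least as strong as the DEK it protects.
        if strength_bits(kek) < strength_bits(k):
            findings.append(f"{kek.key_id} ({kek.algorithm}, {strength_bits(kek)} bits) "
                            f"is weaker than {k.key_id} ({k.algorithm}, "
                            f"{strength_bits(k)} bits) it protects")
        # Bullet 3: KEK stored separately from the DEK.
        shared = set(kek.locations) & set(k.locations)
        if shared:
            findings.append(f"{kek.key_id} and {k.key_id} share storage location(s): "
                            f"{', '.join(sorted(shared))}")
    return findings


def sample_inventory() -> List[Key]:
    """Constructed inventory: one compliant pair and one pair with several problems."""
    return [
        Key("KEK-HSM-01", "AES-256", "KEK", "hsm", ["hsm-partition-1"], ["alice", "bob"]),
        Key("DEK-DB-01", "AES-256", "DEK", "wrapped", ["db-server:/etc/keys"],
            ["alice", "bob"], wrapped_by="KEK-HSM-01"),
        Key("KEK-LEGACY", "RSA-2048", "KEK", "cleartext", ["app-server:/etc/keys"],
            ["carol", "dave", "erin"]),
        Key("DEK-LEGACY", "AES-256", "DEK", "wrapped", ["app-server:/etc/keys"],
            ["carol"], wrapped_by="KEK-LEGACY"),
    ]


if __name__ == "__main__":
    for line in check_key_hierarchy(sample_inventory()):
        print("FINDING:", line)
```

On the constructed inventory the compliant pair produces nothing, while the legacy pair yields four findings: three custodians on the KEK, KEK material held in cleartext, an RSA-2048 KEK (112 bits) wrapping an AES-256 DEK (256 bits), and both keys sitting in the same directory. Those are the same four points an assessor would document against the bullets of 3.6.1.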

+------------------------------------+----------------------------------------------------+---------------------------+
| **Testing Procedures**             | **Reporting Instructions**                         | **Reporting Details:      |
|                                    |                                                    | Assessor's Response**     |
+====================================+====================================================+===========================+
| **3.6.1** Examine documented       | **Identify** the evidence reference number(s)      | \<Enter Response Here\>   |
| key-management policies and        | from [Section 6](#evidence-assessment-workpapers)  |                           |
| procedures to verify that          | for all **documentation** examined for this        |                           |
| processes to protect cryptographic | testing procedure.                                 |                           |
| keys used to protect stored        |                                                    |                           |
| account data against disclosure    |                                                    |                           |
| and misuse are defined to include  |                                                    |                           |
| all elements specified in this     |                                                    |                           |
| requirement.                       |                                                    |                           |
+------------------------------------+----------------------------------------------------+---------------------------+

+--------------------------------------------------------------------------------+
| **PCI DSS Requirement**                                                        |
+================================================================================+
| **3.6.1.1** ***Additional requirement for service providers only:*** A         |
| documented description of the cryptographic architecture is maintained that    |
| includes:                                                                      |
|                                                                                |
| - Details of all algorithms, protocols, and keys used for the protection of    |
|   stored account data, including key strength and expiry date.                 |
|                                                                                |
| - Preventing the use of the same cryptographic keys in production and test     |
|   environments. *This bullet is a **best practice** until **31 March 2025**,   |
|   after which it will be required as part of Requirement 3.6.1 and must be     |
|   fully considered during a PCI DSS assessment.*                               |
|                                                                                |
| - Description of the key usage for each key.                                   |
|                                                                                |
| - Inventory of any hardware security modules (HSMs), key management systems    |
|   (KMS), and other secure cryptographic devices (SCDs) used for key            |
|   management, including type and location of devices, as outlined in           |
|   Requirement 12.3.4.                                                          |
+--------------------------------------------------------------------------------+
| **Assessment Findings (select one)**                                           |
+--------------------------------------------------------------------------------+
| ☐ **In Place**   ☐ **Not Applicable**   ☐ **Not Tested**   ☐ **Not in Place**  |
+--------------------------------------------------------------------------------+
| Describe why the assessment finding was selected.                              |
|                                                                                |
| ***Note**: Include all details as noted in the "Required Reporting" column of  |
| the table in [Assessment Findings](#assessment-findings) in the ROC Template   |
| Instructions.*                                                                 |
|                                                                                |
| \<Enter Response Here\>                                                        |
+--------------------------------------------------------------------------------+
| **Validation Method -- Customized Approach**                                   |
+--------------------------------------------------------------------------------+
| **Indicate** whether a Customized Approach was used:   ☐ Yes ☐ No              |
+--------------------------------------------------------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the Customized   |
| Approach was used.                                                             |
|                                                                                |
| ***Note:** The use of Customized Approach must also be documented in           |
| [Appendix E.](#appendix-e-customized-approach-template)*                       |
|                                                                                |
| \<Enter Response Here\>                                                        |
+--------------------------------------------------------------------------------+
| **Validation Method -- Defined Approach**                                      |
+--------------------------------------------------------------------------------+
| **Indicate** whether a Compensating Control was used:   ☐ Yes ☐ No             |
+--------------------------------------------------------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the Compensating |
| Control(s) was used.                                                           |
|                                                                                |
| ***Note:** The use of Compensating Controls must also be documented in         |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*                    |
|                                                                                |
| \<Enter Response Here\>                                                        |
+--------------------------------------------------------------------------------+

+-----------------+-------------------+--------------------------------+
| > **Testing | > **Reporting | > **Reporting Details: |
| > Procedures** | > Instructions** | > Assessor's Response** |
+-----------------+-------------------+--------------------------------+
| **3.6.1.1 | **Identify** the | \<Enter Response Here\> |
| *Additional | evidence | |
| testing | reference | |
| procedure for | number(s) from | |
| service | [Section | |
| provider | 6 | |
| assessments | ](#evidence-asses | |
| only*:** | sment-workpapers) | |
| Interview | for all | |
| responsible | **interview(s)** | |
| personnel and | conducted for | |
| examine | this testing | |
| documentation | procedure. | |
| to verify that | | |
| a document | | |
| exists to | | |
| describe the | | |
| cryptographic | | |
| architecture | | |
| that includes | | |
| all elements | | |
| specified in | | |
| this | | |
| requirement. | | |
+-----------------+-------------------+--------------------------------+
| | **Identify** the | \<Enter Response Here\> |
| | evidence | |
| | reference | |
| | number(s) from | |
| | [Section | |
| | 6 | |
| | ](#evidence-asses | |
| | sment-workpapers) | |
| | for all | |
| | **documentation** | |
| | examined for this | |
| | testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+

+--------------------------------------------------------------------------+
| **PCI DSS Requirement**                                                  |
+==========================================================================+
| **3.6.1.2** Secret and private keys used to encrypt/decrypt stored       |
| account data are stored in one (or more) of the following forms at all   |
| times:                                                                   |
|                                                                          |
| - Encrypted with a key-encrypting key that is at least as strong as the  |
|   data-encrypting key, and that is stored separately from the            |
|   data-encrypting key.                                                   |
|                                                                          |
| - Within a secure cryptographic device (SCD), such as a hardware         |
|   security module (HSM) or PTS-approved point-of-interaction device.     |
|                                                                          |
| - As at least two full-length key components or key shares, in           |
|   accordance with an industry-accepted method.                           |
+--------------------------------------------------------------------------+

+------------------+------------------+------------------+------------------+
| **Assessment     |                  |                  |                  |
| Findings         |                  |                  |                  |
| (select one)**   |                  |                  |                  |
+==================+==================+==================+==================+
| **In Place**     | **Not            | **Not Tested**   | **Not in Place** |
|                  | Applicable**     |                  |                  |
+------------------+------------------+------------------+------------------+
| ☐                | ☐                | ☐                | ☐                |
+------------------+------------------+------------------+------------------+

+----------------------------------------------------+--------------------------+
| Describe why the assessment finding was selected.  | \<Enter Response Here\>  |
|                                                    |                          |
| ***Note**: Include all details as noted in the     |                          |
| "Required Reporting" column of the table in        |                          |
| [Assessment Findings](#assessment-findings) in the |                          |
| ROC Template Instructions.*                        |                          |
+----------------------------------------------------+--------------------------+

+----------------------------------------------------+--------------------------+
| **Validation Method -- Customized Approach**       |                          |
+====================================================+==========================+
| **Indicate** whether a Customized Approach was     | ☐ Yes ☐ No               |
| used:                                              |                          |
+----------------------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the        | \<Enter Response Here\>  |
| requirement where the Customized Approach was      |                          |
| used.                                              |                          |
|                                                    |                          |
| ***Note:** The use of Customized Approach must     |                          |
| also be documented in [Appendix                    |                          |
| E.](#appendix-e-customized-approach-template)*     |                          |
+----------------------------------------------------+--------------------------+

+----------------------------------------------------+--------------------------+
| **Validation Method -- Defined Approach**          |                          |
+====================================================+==========================+
| **Indicate** whether a Compensating Control was    | ☐ Yes ☐ No               |
| used:                                              |                          |
+----------------------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the        | \<Enter Response Here\>  |
| requirement where the Compensating Control(s) was  |                          |
| used.                                              |                          |
|                                                    |                          |
| ***Note:** The use of Compensating Controls must   |                          |
| also be documented in [Appendix                    |                          |
| C.](#appendix-c-compensating-controls-worksheet)*  |                          |
+----------------------------------------------------+--------------------------+

+----------------------------+--------------------------------------+--------------------------+
| **Testing Procedures**     | **Reporting Instructions**           | **Reporting Details:     |
|                            |                                      | Assessor's Response**    |
+============================+======================================+==========================+
| **3.6.1.2.a** Examine      | **Identify** the evidence reference  | \<Enter Response Here\>  |
| documented procedures to   | number(s) from [Section              |                          |
| verify it is defined that  | 6](#evidence-assessment-workpapers)  |                          |
| cryptographic keys used to | for all **documented procedures**    |                          |
| encrypt/decrypt stored     | examined for this testing procedure. |                          |
| account data must exist    |                                      |                          |
| only in one (or more) of   |                                      |                          |
| the forms specified in     |                                      |                          |
| this requirement.          |                                      |                          |
+----------------------------+--------------------------------------+--------------------------+
| **3.6.1.2.b** Examine      | **Identify** the evidence reference  | \<Enter Response Here\>  |
| system configurations and  | number(s) from [Section              |                          |
| key storage locations to   | 6](#evidence-assessment-workpapers)  |                          |
| verify that cryptographic  | for all **system configurations**    |                          |
| keys used to               | examined for this testing procedure. |                          |
| encrypt/decrypt stored     |                                      |                          |
| account data exist in one  |                                      |                          |
| (or more) of the forms     |                                      |                          |
| specified in this          |                                      |                          |
| requirement.               |                                      |                          |
+----------------------------+--------------------------------------+--------------------------+
|                            | **Identify** the evidence reference  | \<Enter Response Here\>  |
|                            | number(s) from [Section              |                          |
|                            | 6](#evidence-assessment-workpapers)  |                          |
|                            | for all **key storage** locations    |                          |
|                            | examined for this testing procedure. |                          |
+----------------------------+--------------------------------------+--------------------------+
| **3.6.1.2.c** Wherever     | **Identify** the evidence reference  | \<Enter Response Here\>  |
| key-encrypting keys are    | number(s) from [Section              |                          |
| used, examine system       | 6](#evidence-assessment-workpapers)  |                          |
| configurations and key     | for all **system configurations**    |                          |
| storage locations to       | examined for this testing procedure. |                          |
| verify:                    |                                      |                          |
|                            |                                      |                          |
| - Key-encrypting keys are  |                                      |                          |
|   at least as strong as    |                                      |                          |
|   the data-encrypting keys |                                      |                          |
|   they protect.            |                                      |                          |
|                            |                                      |                          |
| - Key-encrypting keys are  |                                      |                          |
|   stored separately from   |                                      |                          |
|   data-encrypting keys.    |                                      |                          |
+----------------------------+--------------------------------------+--------------------------+
|                            | **Identify** the evidence reference  | \<Enter Response Here\>  |
|                            | number(s) from [Section              |                          |
|                            | 6](#evidence-assessment-workpapers)  |                          |
|                            | for all **key storage locations**    |                          |
|                            | examined for this testing procedure. |                          |
+----------------------------+--------------------------------------+--------------------------+

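The three permitted storage forms in Requirement 3.6.1.2 and the two checks of testing procedure 3.6.1.2.c, as an added example that is not part of the ROC template: a hypothetical key-inventory record is tested against each form (KEK strength and separate location, SCD, full-length components), and a symmetric key is split into XOR components, one widely used component method. The record format, function names and sample inventory are constructed; the strength values follow NIST SP 800-57 Part 1.

```python
"""Added example, not part of the PCI DSS ROC template. Models Requirement
3.6.1.2 / testing procedure 3.6.1.2.c: a data-encrypting key (DEK) may exist
only wrapped under a key-encrypting key (KEK) that is at least as strong and
stored separately, inside a secure cryptographic device (SCD), or as two or
more full-length key components. Inventory format and names are hypothetical;
strengths follow NIST SP 800-57 Part 1."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Security strength in bits (NIST SP 800-57 Part 1). For AES the strength
# equals the key length, which is what "full-length component" refers to.
STRENGTH_BITS = {"AES-128": 128, "AES-192": 192, "AES-256": 256,
                 "RSA-2048": 112, "RSA-3072": 128}
SYMMETRIC = {"AES-128", "AES-192", "AES-256"}


@dataclass
class KeyRecord:
    """One entry of a hypothetical key inventory prepared for the assessment."""
    name: str
    algorithm: str
    location: str                      # file path, KMS id or device serial
    form: str                          # "wrapped" | "scd" | "components"
    kek: Optional["KeyRecord"] = None  # only meaningful for form "wrapped"
    component_bits: List[int] = field(default_factory=list)  # "components"


def check_key_storage(rec: KeyRecord) -> List[str]:
    """Return the 3.6.1.2 findings for one key; an empty list means In Place."""
    findings: List[str] = []
    dek_bits = STRENGTH_BITS.get(rec.algorithm)
    if dek_bits is None:
        return [f"{rec.name}: unknown algorithm {rec.algorithm!r}"]
    if rec.form == "wrapped":
        if rec.kek is None:
            return [f"{rec.name}: marked wrapped but no KEK recorded"]
        kek_bits = STRENGTH_BITS.get(rec.kek.algorithm, 0)
        if kek_bits < dek_bits:  # 3.6.1.2.c, first bullet
            findings.append(f"{rec.name}: KEK {rec.kek.algorithm} ({kek_bits} "
                            f"bits) is weaker than the DEK ({dek_bits} bits)")
        if rec.kek.location == rec.location:  # 3.6.1.2.c, second bullet
            findings.append(f"{rec.name}: KEK and DEK share {rec.location!r}")
    elif rec.form == "scd":
        pass  # key is generated and held inside the HSM / POI device
    elif rec.form == "components":
        if rec.algorithm not in SYMMETRIC:
            findings.append(f"{rec.name}: components need a symmetric key")
        if len(rec.component_bits) < 2:
            findings.append(f"{rec.name}: fewer than two key components")
        if any(b != dek_bits for b in rec.component_bits):
            findings.append(f"{rec.name}: a component is not full-length")
    else:
        findings.append(f"{rec.name}: {rec.form!r} is not a permitted form")
    return findings


def split_into_components(key: bytes, n: int = 2) -> List[bytes]:
    """Split a symmetric key into n full-length XOR components (one widely
    used component method): n-1 random parts plus one chosen so that all
    parts XOR back to the key. Fewer than n parts reveal nothing about it."""
    if n < 2:
        raise ValueError("at least two components are required")
    parts = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    last = key
    for p in parts:
        last = bytes(a ^ b for a, b in zip(last, p))
    return parts + [last]


def combine_components(parts: List[bytes]) -> bytes:
    """Reconstruct the key; every component must be present and full-length."""
    if len(parts) < 2 or any(len(p) != len(parts[0]) for p in parts):
        raise ValueError("need two or more components of equal length")
    key = bytes(len(parts[0]))
    for p in parts:
        key = bytes(a ^ b for a, b in zip(key, p))
    return key


def sample_findings() -> Dict[str, List[str]]:
    """Constructed inventory: one compliant DEK and two non-compliant ones."""
    hsm_kek = KeyRecord("kek-hsm", "AES-256", "hsm-serial-0001", "scd")
    file_kek = KeyRecord("kek-file", "AES-128", "/etc/app/keys", "wrapped")
    records = [
        KeyRecord("dek-db", "AES-256", "/var/lib/app/keys", "wrapped", hsm_kek),
        KeyRecord("dek-backup", "AES-256", "/etc/app/keys", "wrapped", file_kek),
        KeyRecord("dek-legacy", "AES-128", "safe-A", "components",
                  component_bits=[128, 64]),
    ]
    return {r.name: check_key_storage(r) for r in records}


if __name__ == "__main__":
    for name, found in sample_findings().items():
        print(name, "In Place" if not found else "; ".join(found))
```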

+--------------------------------------------------------------------------+
| **PCI DSS Requirement**                                                  |
+==========================================================================+
| **3.6.1.3** Access to cleartext cryptographic key components is          |
| restricted to the fewest number of custodians necessary.                 |
+--------------------------------------------------------------------------+

+------------------+------------------+------------------+------------------+
| **Assessment     |                  |                  |                  |
| Findings         |                  |                  |                  |
| (select one)**   |                  |                  |                  |
+==================+==================+==================+==================+
| **In Place**     | **Not            | **Not Tested**   | **Not in Place** |
|                  | Applicable**     |                  |                  |
+------------------+------------------+------------------+------------------+
| ☐                | ☐                | ☐                | ☐                |
+------------------+------------------+------------------+------------------+

+----------------------------------------------------+--------------------------+
| Describe why the assessment finding was selected.  | \<Enter Response Here\>  |
|                                                    |                          |
| ***Note**: Include all details as noted in the     |                          |
| "Required Reporting" column of the table in        |                          |
| [Assessment Findings](#assessment-findings) in the |                          |
| ROC Template Instructions.*                        |                          |
+----------------------------------------------------+--------------------------+

+----------------------------------------------------+--------------------------+
| **Validation Method -- Customized Approach**       |                          |
+====================================================+==========================+
| **Indicate** whether a Customized Approach was     | ☐ Yes ☐ No               |
| used:                                              |                          |
+----------------------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the        | \<Enter Response Here\>  |
| requirement where the Customized Approach was      |                          |
| used.                                              |                          |
|                                                    |                          |
| ***Note:** The use of Customized Approach must     |                          |
| also be documented in [Appendix                    |                          |
| E.](#appendix-e-customized-approach-template)*     |                          |
+----------------------------------------------------+--------------------------+

+----------------------------------------------------+--------------------------+
| **Validation Method -- Defined Approach**          |                          |
+====================================================+==========================+
| **Indicate** whether a Compensating Control was    | ☐ Yes ☐ No               |
| used:                                              |                          |
+----------------------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the        | \<Enter Response Here\>  |
| requirement where the Compensating Control(s) was  |                          |
| used.                                              |                          |
|                                                    |                          |
| ***Note:** The use of Compensating Controls must   |                          |
| also be documented in [Appendix                    |                          |
| C.](#appendix-c-compensating-controls-worksheet)*  |                          |
+----------------------------------------------------+--------------------------+

+----------------------------+--------------------------------------+--------------------------+
| **Testing Procedures**     | **Reporting Instructions**           | **Reporting Details:     |
|                            |                                      | Assessor's Response**    |
+============================+======================================+==========================+
| **3.6.1.3** Examine user   | **Identify** the evidence reference  | \<Enter Response Here\>  |
| access lists to verify     | number(s) from [Section              |                          |
| that access to cleartext   | 6](#evidence-assessment-workpapers)  |                          |
| cryptographic key          | for all **user access lists**        |                          |
| components is restricted   | examined for this testing procedure. |                          |
| to the fewest number of    |                                      |                          |
| custodians necessary.      |                                      |                          |
+----------------------------+--------------------------------------+--------------------------+


+--------------------------------------------------------------------------+
| **PCI DSS Requirement**                                                  |
+==========================================================================+
| **3.6.1.4** Cryptographic keys are stored in the fewest possible         |
| locations.                                                               |
+--------------------------------------------------------------------------+

+------------------+------------------+------------------+------------------+
| **Assessment     |                  |                  |                  |
| Findings         |                  |                  |                  |
| (select one)**   |                  |                  |                  |
+==================+==================+==================+==================+
| **In Place**     | **Not            | **Not Tested**   | **Not in Place** |
|                  | Applicable**     |                  |                  |
+------------------+------------------+------------------+------------------+
| ☐                | ☐                | ☐                | ☐                |
+------------------+------------------+------------------+------------------+

+----------------------------------------------------+--------------------------+
| Describe why the assessment finding was selected.  | \<Enter Response Here\>  |
|                                                    |                          |
| ***Note**: Include all details as noted in the     |                          |
| "Required Reporting" column of the table in        |                          |
| [Assessment Findings](#assessment-findings) in the |                          |
| ROC Template Instructions.*                        |                          |
+----------------------------------------------------+--------------------------+

+----------------------------------------------------+--------------------------+
| **Validation Method -- Customized Approach**       |                          |
+====================================================+==========================+
| **Indicate** whether a Customized Approach was     | ☐ Yes ☐ No               |
| used:                                              |                          |
+----------------------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the        | \<Enter Response Here\>  |
| requirement where the Customized Approach was      |                          |
| used.                                              |                          |
|                                                    |                          |
| ***Note:** The use of Customized Approach must     |                          |
| also be documented in [Appendix                    |                          |
| E.](#appendix-e-customized-approach-template)*     |                          |
+----------------------------------------------------+--------------------------+

+----------------------------------------------------+--------------------------+
| **Validation Method -- Defined Approach**          |                          |
+====================================================+==========================+
| **Indicate** whether a Compensating Control was    | ☐ Yes ☐ No               |
| used:                                              |                          |
+----------------------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the        | \<Enter Response Here\>  |
| requirement where the Compensating Control(s) was  |                          |
| used.                                              |                          |
|                                                    |                          |
| ***Note:** The use of Compensating Controls must   |                          |
| also be documented in [Appendix                    |                          |
| C.](#appendix-c-compensating-controls-worksheet)*  |                          |
+----------------------------------------------------+--------------------------+

+----------------------------+--------------------------------------+--------------------------+
| **Testing Procedures**     | **Reporting Instructions**           | **Reporting Details:     |
|                            |                                      | Assessor's Response**    |
+============================+======================================+==========================+
| **3.6.1.4** Examine key    | **Identify** the evidence reference  | \<Enter Response Here\>  |
| storage locations and      | number(s) from [Section              |                          |
| observe processes to       | 6](#evidence-assessment-workpapers)  |                          |
| verify that keys are       | for all **key storage locations**    |                          |
| stored in the fewest       | examined for this testing procedure. |                          |
| possible locations.        |                                      |                          |
+----------------------------+--------------------------------------+--------------------------+
|                            | **Identify** the evidence reference  | \<Enter Response Here\>  |
|                            | number(s) from [Section              |                          |
|                            | 6](#evidence-assessment-workpapers)  |                          |
|                            | for all **observation(s) of          |                          |
|                            | processes** for this testing         |                          |
|                            | procedure.                           |                          |
+----------------------------+--------------------------------------+--------------------------+


+--------------------------------------------------------------------------+
| **Requirement Description**                                              |
+==========================================================================+
| **3.7** Where cryptography is used to protect stored account data, key   |
| management processes and procedures covering all aspects of the key      |
| lifecycle are defined and implemented.                                   |
+--------------------------------------------------------------------------+

+--------------------------------------------------------------------------+
| **PCI DSS Requirement**                                                  |
+==========================================================================+
| **3.7.1** Key-management policies and procedures are implemented to      |
| include generation of strong cryptographic keys used to protect stored   |
| account data.                                                            |
+--------------------------------------------------------------------------+

+------------------+------------------+------------------+------------------+
| **Assessment     |                  |                  |                  |
| Findings         |                  |                  |                  |
| (select one)**   |                  |                  |                  |
+==================+==================+==================+==================+
| **In Place**     | **Not            | **Not Tested**   | **Not in Place** |
|                  | Applicable**     |                  |                  |
+------------------+------------------+------------------+------------------+
| ☐                | ☐                | ☐                | ☐                |
+------------------+------------------+------------------+------------------+

+----------------------------------------------------+--------------------------+
| Describe why the assessment finding was selected.  | \<Enter Response Here\>  |
|                                                    |                          |
| ***Note**: Include all details as noted in the     |                          |
| "Required Reporting" column of the table in        |                          |
| [Assessment Findings](#assessment-findings) in the |                          |
| ROC Template Instructions.*                        |                          |
+----------------------------------------------------+--------------------------+

+----------------------------------------------------+--------------------------+
| **Validation Method -- Customized Approach**       |                          |
+====================================================+==========================+
| **Indicate** whether a Customized Approach was     | ☐ Yes ☐ No               |
| used:                                              |                          |
+----------------------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the        | \<Enter Response Here\>  |
| requirement where the Customized Approach was      |                          |
| used.                                              |                          |
|                                                    |                          |
| ***Note:** The use of Customized Approach must     |                          |
| also be documented in [Appendix                    |                          |
| E.](#appendix-e-customized-approach-template)*     |                          |
+----------------------------------------------------+--------------------------+

+----------------------------------------------------+--------------------------+
| **Validation Method -- Defined Approach**          |                          |
+====================================================+==========================+
| **Indicate** whether a Compensating Control was    | ☐ Yes ☐ No               |
| used:                                              |                          |
+----------------------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the        | \<Enter Response Here\>  |
| requirement where the Compensating Control(s) was  |                          |
| used.                                              |                          |
|                                                    |                          |
| ***Note:** The use of Compensating Controls must   |                          |
| also be documented in [Appendix                    |                          |
| C.](#appendix-c-compensating-controls-worksheet)*  |                          |
+----------------------------------------------------+--------------------------+

+----------------------------+--------------------------------------+--------------------------+
| **Testing Procedures**     | **Reporting Instructions**           | **Reporting Details:     |
|                            |                                      | Assessor's Response**    |
+============================+======================================+==========================+
| **3.7.1.a** Examine the    | **Identify** the evidence reference  | \<Enter Response Here\>  |
| documented key-management  | number(s) from [Section              |                          |
| policies and procedures    | 6](#evidence-assessment-workpapers)  |                          |
| for keys used for          | for all **documented key-management  |                          |
| protection of stored       | policies and procedures** examined   |                          |
| account data to verify     | for this testing procedure.          |                          |
| that they define           |                                      |                          |
| generation of strong       |                                      |                          |
| cryptographic keys.        |                                      |                          |
+----------------------------+--------------------------------------+--------------------------+
| **3.7.1.b** Observe the    | **Identify** the evidence reference  | \<Enter Response Here\>  |
| method for generating      | number(s) from [Section              |                          |
| keys to verify that        | 6](#evidence-assessment-workpapers)  |                          |
| strong keys are generated. | for all **observation(s) of the      |                          |
|                            | methods for generating keys** for    |                          |
|                            | this testing procedure.              |                          |
+----------------------------+--------------------------------------+--------------------------+


+--------------------------------------------------------------------------+
| **PCI DSS Requirement**                                                  |
+==========================================================================+
| **3.7.2** Key-management policies and procedures are implemented to      |
| include secure distribution of cryptographic keys used to protect stored |
| account data.                                                            |
+--------------------------------------------------------------------------+

+------------------+------------------+------------------+------------------+
| **Assessment     |                  |                  |                  |
| Findings         |                  |                  |                  |
| (select one)**   |                  |                  |                  |
+==================+==================+==================+==================+
| **In Place**     | **Not            | **Not Tested**   | **Not in Place** |
|                  | Applicable**     |                  |                  |
+------------------+------------------+------------------+------------------+
| ☐                | ☐                | ☐                | ☐                |
+------------------+------------------+------------------+------------------+

+----------------------------------------------------+--------------------------+
| Describe why the assessment finding was selected.  | \<Enter Response Here\>  |
|                                                    |                          |
| ***Note**: Include all details as noted in the     |                          |
| "Required Reporting" column of the table in        |                          |
| [Assessment Findings](#assessment-findings) in the |                          |
| ROC Template Instructions.*                        |                          |
+----------------------------------------------------+--------------------------+

+----------------------------------------------------+--------------------------+
| **Validation Method -- Customized Approach**       |                          |
+====================================================+==========================+
| **Indicate** whether a Customized Approach was     | ☐ Yes ☐ No               |
| used:                                              |                          |
+----------------------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the        | \<Enter Response Here\>  |
| requirement where the Customized Approach was      |                          |
| used.                                              |                          |
|                                                    |                          |
| ***Note:** The use of Customized Approach must     |                          |
| also be documented in [Appendix                    |                          |
| E.](#appendix-e-customized-approach-template)*     |                          |
+----------------------------------------------------+--------------------------+

+----------------------------------------------------+--------------------------+
| **Validation Method -- Defined Approach**          |                          |
+====================================================+==========================+
| **Indicate** whether a Compensating Control was    | ☐ Yes ☐ No               |
| used:                                              |                          |
+----------------------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the        | \<Enter Response Here\>  |
| requirement where the Compensating Control(s) was  |                          |
| used.                                              |                          |
|                                                    |                          |
| ***Note:** The use of Compensating Controls must   |                          |
| also be documented in [Appendix                    |                          |
| C.](#appendix-c-compensating-controls-worksheet)*  |                          |
+----------------------------------------------------+--------------------------+

+----------------------------+--------------------------------------+--------------------------+
| **Testing Procedures**     | **Reporting Instructions**           | **Reporting Details:     |
|                            |                                      | Assessor's Response**    |
+============================+======================================+==========================+
| **3.7.2.a** Examine the    | **Identify** the evidence reference  | \<Enter Response Here\>  |
| documented key-management  | number(s) from [Section              |                          |
| policies and procedures    | 6](#evidence-assessment-workpapers)  |                          |
| for keys used for          | for the **documented key-management  |                          |
| protection of stored       | policies and procedures** examined   |                          |
| account data to verify     | for this testing procedure.          |                          |
| that they define secure    |                                      |                          |
| distribution of            |                                      |                          |
| cryptographic keys.        |                                      |                          |
+----------------------------+--------------------------------------+--------------------------+
| **3.7.2.b** Observe the    | **Identify** the evidence reference  | \<Enter Response Here\>  |
| method for distributing    | number(s) from [Section              |                          |
| keys to verify that keys   | 6](#evidence-assessment-workpapers)  |                          |
| are distributed securely.  | for all **observation(s) of the      |                          |
|                            | method for distributing keys** for   |                          |
|                            | this testing procedure.              |                          |
+----------------------------+--------------------------------------+--------------------------+


+--------------------------------------------------------------------------+
| **PCI DSS Requirement**                                                  |
+==========================================================================+
| **3.7.3** Key-management policies and procedures are implemented to      |
| include secure storage of cryptographic keys used to protect stored      |
| account data.                                                            |
+--------------------------------------------------------------------------+

+------------------+------------------+------------------+------------------+
| **Assessment     |                  |                  |                  |
| Findings         |                  |                  |                  |
| (select one)**   |                  |                  |                  |
+==================+==================+==================+==================+
| **In Place**     | **Not            | **Not Tested**   | **Not in Place** |
|                  | Applicable**     |                  |                  |
+------------------+------------------+------------------+------------------+
| ☐                | ☐                | ☐                | ☐                |
+------------------+------------------+------------------+------------------+

+----------------------------------------------------+--------------------------+
| Describe why the assessment finding was selected.  | \<Enter Response Here\>  |
|                                                    |                          |
| ***Note**: Include all details as noted in the     |                          |
| "Required Reporting" column of the table in        |                          |
| [Assessment Findings](#assessment-findings) in the |                          |
| ROC Template Instructions.*                        |                          |
+----------------------------------------------------+--------------------------+

+----------------------------------------------------+--------------------------+
| **Validation Method -- Customized Approach**       |                          |
+====================================================+==========================+
| **Indicate** whether a Customized Approach was     | ☐ Yes ☐ No               |
| used:                                              |                          |
+----------------------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the        | \<Enter Response Here\>  |
| requirement where the Customized Approach was      |                          |
| used.                                              |                          |
|                                                    |                          |
| ***Note:** The use of Customized Approach must     |                          |
| also be documented in [Appendix                    |                          |
| E.](#appendix-e-customized-approach-template)*     |                          |
+----------------------------------------------------+--------------------------+

+----------------------------------------------------+--------------------------+
| **Validation Method -- Defined Approach**          |                          |
+====================================================+==========================+
| **Indicate** whether a Compensating Control was    | ☐ Yes ☐ No               |
| used:                                              |                          |
+----------------------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the        | \<Enter Response Here\>  |
| requirement where the Compensating Control(s) was  |                          |
| used.                                              |                          |
|                                                    |                          |
| ***Note:** The use of Compensating Controls must   |                          |
| also be documented in [Appendix                    |                          |
| C.](#appendix-c-compensating-controls-worksheet)*  |                          |
+----------------------------------------------------+--------------------------+

+----------------------------+--------------------------------------+--------------------------+
| **Testing Procedures**     | **Reporting Instructions**           | **Reporting Details:     |
|                            |                                      | Assessor's Response**    |
+============================+======================================+==========================+
| **3.7.3.a** Examine the    | **Identify** the evidence reference  | \<Enter Response Here\>  |
| documented key-management  | number(s) from [Section              |                          |
| policies and procedures    | 6](#evidence-assessment-workpapers)  |                          |
| for keys used for          | for the **documented key-management  |                          |
| protection of stored       | policies and procedures** examined   |                          |
| account data to verify     | for this testing procedure.          |                          |
| that they define secure    |                                      |                          |
| storage of cryptographic   |                                      |                          |
| keys.                      |                                      |                          |
+----------------------------+--------------------------------------+--------------------------+
| **3.7.3.b** Observe the    | **Identify** the evidence reference  | \<Enter Response Here\>  |
| method for storing keys    | number(s) from [Section              |                          |
| to verify that keys are    | 6](#evidence-assessment-workpapers)  |                          |
| stored securely.           | for all **observation(s) of the      |                          |
|                            | method for storing keys** for this   |                          |
|                            | testing procedure.                   |                          |
+----------------------------+--------------------------------------+--------------------------+


+------------------------------------------------------------------------------+
| **PCI DSS Requirement**                                                      |
+==============================================================================+
| **3.7.4** Key management policies and procedures are implemented for         |
| cryptographic key changes for keys that have reached the end of their        |
| cryptoperiod, as defined by the associated application vendor or key         |
| owner, and based on industry best practices and guidelines, including the    |
| following:                                                                   |
|                                                                              |
| - A defined cryptoperiod for each key type in use.                           |
|                                                                              |
| - A process for key changes at the end of the defined cryptoperiod.          |
+------------------------------------------------------------------------------+
| **Assessment Findings (select one)**                                         |
+------------------------------------------------------------------------------+

+--------------------+--------------------+--------------------+--------------------+
| **In Place**       | **Not Applicable** | **Not Tested**     | **Not in Place**   |
+====================+====================+====================+====================+
| ☐                  | ☐                  | ☐                  | ☐                  |
+--------------------+--------------------+--------------------+--------------------+

+--------------------------------------------------------------+------------------------------+
| Describe why the assessment finding was selected.            | \<Enter Response Here\>      |
|                                                              |                              |
| ***Note**: Include all details as noted in the "Required     |                              |
| Reporting" column of the table in                            |                              |
| [Assessment Findings](#assessment-findings) in the ROC       |                              |
| Template Instructions.*                                      |                              |
+--------------------------------------------------------------+------------------------------+

+--------------------------------------------------------------+------------------------------+
| **Validation Method -- Customized Approach**                 |                              |
+--------------------------------------------------------------+------------------------------+
| **Indicate** whether a Customized Approach was used:         | ☐ Yes ☐ No                   |
+--------------------------------------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>      |
| where the Customized Approach was used.                      |                              |
|                                                              |                              |
| ***Note:** The use of Customized Approach must also be       |                              |
| documented in                                                |                              |
| [Appendix E.](#appendix-e-customized-approach-template)*     |                              |
+--------------------------------------------------------------+------------------------------+
| **Validation Method -- Defined Approach**                    |                              |
+--------------------------------------------------------------+------------------------------+
| **Indicate** whether a Compensating Control was used:        | ☐ Yes ☐ No                   |
+--------------------------------------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>      |
| where the Compensating Control(s) was used.                  |                              |
|                                                              |                              |
| ***Note:** The use of Compensating Controls must also be     |                              |
| documented in                                                |                              |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*  |                              |
+--------------------------------------------------------------+------------------------------+

+--------------------------------------------+--------------------------------------------------+--------------------------+
| **Testing Procedures**                     | **Reporting Instructions**                       | **Reporting Details:     |
|                                            |                                                  | Assessor's Response**    |
+============================================+==================================================+==========================+
| **3.7.4.a** Examine the documented         | **Identify** the evidence reference number(s)    | \<Enter Response Here\>  |
| key-management policies and procedures     | from                                             |                          |
| for keys used for protection of stored     | [Section 6](#evidence-assessment-workpapers)     |                          |
| account data to verify that they define    | for the **documented key-management policies     |                          |
| changes to cryptographic keys that have    | and procedures** examined for this testing       |                          |
| reached the end of their cryptoperiod and  | procedure.                                       |                          |
| include all elements specified in this     |                                                  |                          |
| requirement.                               |                                                  |                          |
+--------------------------------------------+--------------------------------------------------+--------------------------+
| **3.7.4.b** Interview personnel, examine   | **Identify** the evidence reference number(s)    | \<Enter Response Here\>  |
| documentation, and observe key storage     | from                                             |                          |
| locations to verify that keys are changed  | [Section 6](#evidence-assessment-workpapers)     |                          |
| at the end of the defined cryptoperiod(s). | for all **interview(s)** conducted for this      |                          |
|                                            | testing procedure.                               |                          |
+--------------------------------------------+--------------------------------------------------+--------------------------+
|                                            | **Identify** the evidence reference number(s)    | \<Enter Response Here\>  |
|                                            | from                                             |                          |
|                                            | [Section 6](#evidence-assessment-workpapers)     |                          |
|                                            | for all **documentation** examined for this      |                          |
|                                            | testing procedure.                               |                          |
+--------------------------------------------+--------------------------------------------------+--------------------------+
|                                            | **Identify** the evidence reference number(s)    | \<Enter Response Here\>  |
|                                            | from                                             |                          |
|                                            | [Section 6](#evidence-assessment-workpapers)     |                          |
|                                            | for all **observation(s) of key storage          |                          |
|                                            | locations** for this testing procedure.          |                          |
+--------------------------------------------+--------------------------------------------------+--------------------------+


+------------------------------------------------------------------------------+
| **PCI DSS Requirement**                                                      |
+==============================================================================+
| **3.7.5** Key management policies and procedures are implemented to          |
| include the retirement, replacement, or destruction of keys used to          |
| protect stored account data, as deemed necessary when:                       |
|                                                                              |
| - The key has reached the end of its defined cryptoperiod.                   |
|                                                                              |
| - The integrity of the key has been weakened, including when personnel       |
|   with knowledge of a cleartext key component leaves the company, or the     |
|   role for which the key component was known.                                |
|                                                                              |
| - The key is suspected of or known to be compromised.                        |
|                                                                              |
| - Retired or replaced keys are not used for encryption operations.           |
+------------------------------------------------------------------------------+
| **Assessment Findings (select one)**                                         |
+------------------------------------------------------------------------------+

+--------------------+--------------------+--------------------+--------------------+
| **In Place**       | **Not Applicable** | **Not Tested**     | **Not in Place**   |
+====================+====================+====================+====================+
| ☐                  | ☐                  | ☐                  | ☐                  |
+--------------------+--------------------+--------------------+--------------------+

+--------------------------------------------------------------+------------------------------+
| Describe why the assessment finding was selected.            | \<Enter Response Here\>      |
|                                                              |                              |
| ***Note**: Include all details as noted in the "Required     |                              |
| Reporting" column of the table in                            |                              |
| [Assessment Findings](#assessment-findings) in the ROC       |                              |
| Template Instructions.*                                      |                              |
+--------------------------------------------------------------+------------------------------+

+--------------------------------------------------------------+------------------------------+
| **Validation Method -- Customized Approach**                 |                              |
+--------------------------------------------------------------+------------------------------+
| **Indicate** whether a Customized Approach was used:         | ☐ Yes ☐ No                   |
+--------------------------------------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>      |
| where the Customized Approach was used.                      |                              |
|                                                              |                              |
| ***Note:** The use of Customized Approach must also be       |                              |
| documented in                                                |                              |
| [Appendix E.](#appendix-e-customized-approach-template)*     |                              |
+--------------------------------------------------------------+------------------------------+
| **Validation Method -- Defined Approach**                    |                              |
+--------------------------------------------------------------+------------------------------+
| **Indicate** whether a Compensating Control was used:        | ☐ Yes ☐ No                   |
+--------------------------------------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>      |
| where the Compensating Control(s) was used.                  |                              |
|                                                              |                              |
| ***Note:** The use of Compensating Controls must also be     |                              |
| documented in                                                |                              |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*  |                              |
+--------------------------------------------------------------+------------------------------+

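As an added example (not part of the ROC template or any PCI SSC material), a key-inventory tracker that encodes the 3.7.4 and 3.7.5 controls stated above: a cryptoperiod per key type, a due-for-change check, retirement for the reasons the requirement lists, and a guard that refuses a retired key for encryption. The key types, cryptoperiod values, key ids and dates are constructed, and continuing to decrypt under a retired key until data is re-encrypted is an assumption about the policy rather than something the requirement states.

```python
"""Key-lifecycle tracker illustrating PCI DSS 3.7.4 and 3.7.5 (added example, not part
of the ROC template): a defined cryptoperiod per key type, a check for keys whose
cryptoperiod has ended, retirement for the reasons 3.7.5 lists, and a guard so that
retired or replaced keys are never used for encryption operations."""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from datetime import date, timedelta

# 3.7.4, first bullet: a defined cryptoperiod for each key type in use. The key types
# and periods are constructed for this example; a real policy takes them from the vendor or key owner.
CRYPTOPERIODS: dict[str, timedelta] = {
    "DEK": timedelta(days=365),  # data-encrypting key protecting stored account data
    "KEK": timedelta(days=730),  # key-encrypting key that wraps the DEKs
}

# 3.7.5: circumstances under which a key is retired, replaced, or destroyed.
RETIREMENT_REASONS = {"cryptoperiod_end", "integrity_weakened",
                      "suspected_compromise", "known_compromise"}


@dataclass
class ManagedKey:
    key_id: str
    key_type: str
    activated: date
    material: bytes = field(default_factory=lambda: secrets.token_bytes(32), repr=False)
    status: str = "active"  # "active" or "retired"
    retired_reason: str | None = None

    @property
    def expires(self) -> date:
        return self.activated + CRYPTOPERIODS[self.key_type]


class KeyInventory:
    def __init__(self) -> None:
        self.keys: dict[str, ManagedKey] = {}
        self.log: list[str] = []  # audit trail an assessor can examine

    def generate(self, key_id: str, key_type: str, on: date) -> ManagedKey:
        if key_type not in CRYPTOPERIODS:
            raise ValueError(f"no cryptoperiod defined for key type {key_type!r}")
        if key_id in self.keys:
            raise ValueError(f"key id {key_id!r} already exists")
        key = ManagedKey(key_id, key_type, on)
        self.keys[key_id] = key
        self.log.append(f"{on} generated {key_id} ({key_type}), cryptoperiod ends {key.expires}")
        return key

    def due_for_change(self, as_of: date) -> list[str]:
        """3.7.4, second bullet: active keys that have reached the end of their cryptoperiod."""
        return sorted(k.key_id for k in self.keys.values()
                      if k.status == "active" and as_of >= k.expires)

    def retire(self, key_id: str, reason: str, on: date) -> None:
        if reason not in RETIREMENT_REASONS:
            raise ValueError(f"unknown retirement reason {reason!r}")
        key = self.keys[key_id]
        key.status = "retired"
        key.retired_reason = reason
        self.log.append(f"{on} retired {key_id}: {reason}")

    def rotate(self, key_id: str, successor_id: str, on: date) -> ManagedKey:
        """Key change at cryptoperiod end: generate the successor, then retire the predecessor."""
        old = self.keys[key_id]
        new = self.generate(successor_id, old.key_type, on)
        self.retire(key_id, "cryptoperiod_end", on)
        return new

    def key_for_encryption(self, key_id: str) -> ManagedKey:
        """3.7.5, last bullet: retired or replaced keys are not used for encryption operations."""
        key = self.keys[key_id]
        if key.status != "active":
            raise PermissionError(f"{key_id} is {key.status} ({key.retired_reason}); encryption refused")
        return key

    def key_for_decryption(self, key_id: str) -> ManagedKey:
        """Assumption: a retired key may still decrypt data protected under it until re-encryption."""
        return self.keys[key_id]


def demo() -> KeyInventory:
    """Walk one inventory through a scheduled cryptoperiod check and a custodian departure."""
    inv = KeyInventory()
    inv.generate("dek-2023-01", "DEK", date(2023, 1, 15))
    inv.generate("kek-2022-01", "KEK", date(2022, 6, 1))
    check_day = date(2024, 2, 1)
    assert inv.due_for_change(check_day) == ["dek-2023-01"]  # DEK past 365 days, KEK not yet
    inv.rotate("dek-2023-01", "dek-2024-01", check_day)
    # 3.7.5, second bullet: a person who knew a cleartext component of the KEK leaves the role.
    inv.retire("kek-2022-01", "integrity_weakened", date(2024, 3, 1))
    return inv
```

The log the tracker keeps is the kind of record testing procedure 3.7.4.b asks an assessor to examine alongside interviews and observation of key storage locations.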

+--------------------------------------------+--------------------------------------------------+--------------------------+
| **Testing Procedures**                     | **Reporting Instructions**                       | **Reporting Details:     |
|                                            |                                                  | Assessor's Response**    |
+============================================+==================================================+==========================+
| **3.7.5.a** Examine the documented         | **Identify** the evidence reference number(s)    | \<Enter Response Here\>  |
| key-management policies and procedures     | from                                             |                          |
| for keys used for protection of stored     | [Section 6](#evidence-assessment-workpapers)     |                          |
| account data and verify that they define   | for the **documented key-management policies     |                          |
| retirement, replacement, or destruction of | and procedures** examined for this testing       |                          |
| keys in accordance with all elements       | procedure.                                       |                          |
| specified in this requirement.             |                                                  |                          |
+--------------------------------------------+--------------------------------------------------+--------------------------+
| **3.7.5.b** Interview personnel to verify  | **Identify** the evidence reference number(s)    | \<Enter Response Here\>  |
| that processes are implemented in          | from                                             |                          |
| accordance with all elements specified in  | [Section 6](#evidence-assessment-workpapers)     |                          |
| this requirement.                          | for all **interview(s)** conducted for this      |                          |
|                                            | testing procedure.                               |                          |
+--------------------------------------------+--------------------------------------------------+--------------------------+

+------------------------------------------------------------------------------+
| **PCI DSS Requirement**                                                      |
+==============================================================================+
| **3.7.6** Where manual cleartext cryptographic key-management operations     |
| are performed by personnel, key-management policies and procedures are       |
| implemented to include managing these operations using split knowledge       |
| and dual control.                                                            |
+------------------------------------------------------------------------------+
| **Assessment Findings (select one)**                                         |
+------------------------------------------------------------------------------+

+--------------------+--------------------+--------------------+--------------------+
| **In Place**       | **Not Applicable** | **Not Tested**     | **Not in Place**   |
+====================+====================+====================+====================+
| ☐                  | ☐                  | ☐                  | ☐                  |
+--------------------+--------------------+--------------------+--------------------+

+--------------------------------------------------------------+------------------------------+
| Describe why the assessment finding was selected.            | \<Enter Response Here\>      |
|                                                              |                              |
| ***Note**: Include all details as noted in the "Required     |                              |
| Reporting" column of the table in                            |                              |
| [Assessment Findings](#assessment-findings) in the ROC       |                              |
| Template Instructions.*                                      |                              |
+--------------------------------------------------------------+------------------------------+


+--------------------------------------------------------------+------------------------------+
| **Validation Method -- Customized Approach**                 |                              |
+--------------------------------------------------------------+------------------------------+
| **Indicate** whether a Customized Approach was used:         | ☐ Yes ☐ No                   |
+--------------------------------------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>      |
| where the Customized Approach was used.                      |                              |
|                                                              |                              |
| ***Note:** The use of Customized Approach must also be       |                              |
| documented in                                                |                              |
| [Appendix E.](#appendix-e-customized-approach-template)*     |                              |
+--------------------------------------------------------------+------------------------------+
| **Validation Method -- Defined Approach**                    |                              |
+--------------------------------------------------------------+------------------------------+
| **Indicate** whether a Compensating Control was used:        | ☐ Yes ☐ No                   |
+--------------------------------------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>      |
| where the Compensating Control(s) was used.                  |                              |
|                                                              |                              |
| ***Note:** The use of Compensating Controls must also be     |                              |
| documented in                                                |                              |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*  |                              |
+--------------------------------------------------------------+------------------------------+

+--------------------------------------------+--------------------------------------------------+--------------------------+
| **Testing Procedures**                     | **Reporting Instructions**                       | **Reporting Details:     |
|                                            |                                                  | Assessor's Response**    |
+============================================+==================================================+==========================+
| **3.7.6.a** Examine the documented         | **Identify** the evidence reference number(s)    | \<Enter Response Here\>  |
| key-management policies and procedures     | from                                             |                          |
| for keys used for protection of stored     | [Section 6](#evidence-assessment-workpapers)     |                          |
| account data and verify that they define   | for all **documented key-management policies     |                          |
| using split knowledge and dual control.    | and procedures** examined for this testing       |                          |
|                                            | procedure.                                       |                          |
+--------------------------------------------+--------------------------------------------------+--------------------------+
| **3.7.6.b** Interview personnel and/or     | **Identify** the evidence reference number(s)    | \<Enter Response Here\>  |
| observe processes to verify that manual    | from                                             |                          |
| cleartext keys are managed with split      | [Section 6](#evidence-assessment-workpapers)     |                          |
| knowledge and dual control.                | for all **interview(s)** conducted for this      |                          |
|                                            | testing procedure.                               |                          |
+--------------------------------------------+--------------------------------------------------+--------------------------+
|                                            | **Identify** the evidence reference number(s)    | \<Enter Response Here\>  |
|                                            | from                                             |                          |
|                                            | [Section 6](#evidence-assessment-workpapers)     |                          |
|                                            | for all **observation(s) of processes** for      |                          |
|                                            | this testing procedure.                          |                          |
+--------------------------------------------+--------------------------------------------------+--------------------------+


+------------------------------------------------------------------------------+
| **PCI DSS Requirement**                                                      |
+==============================================================================+
| **3.7.7** Key management policies and procedures are implemented to          |
| include the prevention of unauthorized substitution of cryptographic keys.   |
+------------------------------------------------------------------------------+
| **Assessment Findings (select one)**                                         |
+------------------------------------------------------------------------------+

+--------------------+--------------------+--------------------+--------------------+
| **In Place**       | **Not Applicable** | **Not Tested**     | **Not in Place**   |
+====================+====================+====================+====================+
| ☐                  | ☐                  | ☐                  | ☐                  |
+--------------------+--------------------+--------------------+--------------------+

+--------------------------------------------------------------+------------------------------+
| Describe why the assessment finding was selected.            | \<Enter Response Here\>      |
|                                                              |                              |
| ***Note**: Include all details as noted in the "Required     |                              |
| Reporting" column of the table in                            |                              |
| [Assessment Findings](#assessment-findings) in the ROC       |                              |
| Template Instructions.*                                      |                              |
+--------------------------------------------------------------+------------------------------+

+--------------------------------------------------------------+------------------------------+
| **Validation Method -- Customized Approach**                 |                              |
+--------------------------------------------------------------+------------------------------+
| **Indicate** whether a Customized Approach was used:         | ☐ Yes ☐ No                   |
+--------------------------------------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>      |
| where the Customized Approach was used.                      |                              |
|                                                              |                              |
| ***Note:** The use of Customized Approach must also be       |                              |
| documented in                                                |                              |
| [Appendix E.](#appendix-e-customized-approach-template)*     |                              |
+--------------------------------------------------------------+------------------------------+
| **Validation Method -- Defined Approach**                    |                              |
+--------------------------------------------------------------+------------------------------+
| **Indicate** whether a Compensating Control was used:        | ☐ Yes ☐ No                   |
+--------------------------------------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>      |
| where the Compensating Control(s) was used.                  |                              |
|                                                              |                              |
| ***Note:** The use of Compensating Controls must also be     |                              |
| documented in                                                |                              |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*  |                              |
+--------------------------------------------------------------+------------------------------+

+--------------------------------------------+--------------------------------------------------+--------------------------+
| **Testing Procedures**                     | **Reporting Instructions**                       | **Reporting Details:     |
|                                            |                                                  | Assessor's Response**    |
+============================================+==================================================+==========================+
| **3.7.7.a** Examine the documented         | **Identify** the evidence reference number(s)    | \<Enter Response Here\>  |
| key-management policies and procedures     | from                                             |                          |
| for keys used for protection of stored     | [Section 6](#evidence-assessment-workpapers)     |                          |
| account data and verify that they define   | for the **documented key-management policies     |                          |
| prevention of unauthorized substitution of | and procedures** examined for this testing       |                          |
| cryptographic keys.                        | procedure.                                       |                          |
+--------------------------------------------+--------------------------------------------------+--------------------------+
| **3.7.7.b** Interview personnel and/or     | **Identify** the evidence reference number(s)    | \<Enter Response Here\>  |
| observe processes to verify that           | from                                             |                          |
| unauthorized substitution of keys is       | [Section 6](#evidence-assessment-workpapers)     |                          |
| prevented.                                 | for all **interview(s)** conducted for this      |                          |
|                                            | testing procedure.                               |                          |
+--------------------------------------------+--------------------------------------------------+--------------------------+
|                                            | **Identify** the evidence reference number(s)    | \<Enter Response Here\>  |
|                                            | from                                             |                          |
|                                            | [Section 6](#evidence-assessment-workpapers)     |                          |
|                                            | for all **observation(s) of processes** for      |                          |
|                                            | this testing procedure.                          |                          |
+--------------------------------------------+--------------------------------------------------+--------------------------+

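As an added example (not from the ROC template or PCI SSC), the split-knowledge and dual-control handling that 3.7.6 requires for manual cleartext key operations, together with a check value that lets the key ceremony detect the substituted component 3.7.7 is concerned with. XOR key components are the conventional way cleartext key components are handled; the SHA-256-based check value, the custodian names and the 16-byte key are constructed for this example.

```python
"""Split knowledge and dual control for manual cleartext key operations (PCI DSS 3.7.6)
and detection of a substituted component (3.7.7). Added example, not part of the ROC
template. A key is split into random XOR components, each held by a different
custodian: any subset short of the full set is statistically independent of the key,
so no one person has knowledge of it, and the ceremony forms the key only when every
component has been entered by its own custodian."""
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass


def check_value(data: bytes) -> str:
    """Simplified key check value: first three bytes of SHA-256, as hex (constructed stand-in
    for the conventional KCV, which encrypts a zero block under the key)."""
    return hashlib.sha256(data).hexdigest()[:6]


def xor_all(blobs: list[bytes]) -> bytes:
    out = bytes(len(blobs[0]))
    for b in blobs:
        if len(b) != len(out):
            raise ValueError("component length mismatch")
        out = bytes(x ^ y for x, y in zip(out, b))
    return out


@dataclass(frozen=True)
class Component:
    custodian: str  # the one person permitted to present this component
    index: int
    value: bytes
    kcv: str        # check value of the component itself, so a mistyped or swapped part is caught


def split_key(key: bytes, custodians: list[str]) -> list[Component]:
    """Split `key` into one random component per custodian; the XOR of all of them is the key."""
    if len(custodians) < 2 or len(set(custodians)) != len(custodians):
        raise ValueError("split knowledge needs at least two distinct custodians")
    parts = [secrets.token_bytes(len(key)) for _ in custodians[:-1]]
    parts.append(xor_all(parts + [key]))  # last part makes the XOR of all parts equal the key
    return [Component(c, i, p, check_value(p)) for i, (c, p) in enumerate(zip(custodians, parts))]


class KeyCeremony:
    """Dual-control reconstitution: components are entered one custodian at a time, the key
    is formed only once all are present from distinct people, and every step is logged."""

    def __init__(self, expected_kcv: str, n_components: int) -> None:
        self.expected_kcv = expected_kcv
        self.n = n_components
        self.entered: dict[int, Component] = {}
        self.log: list[str] = []

    def enter(self, custodian: str, component: Component) -> None:
        if component.custodian != custodian:
            raise PermissionError(f"{custodian} presented a component assigned to {component.custodian}")
        if any(c.custodian == custodian for c in self.entered.values()):
            raise PermissionError(f"{custodian} already entered a component; a second person is required")
        if check_value(component.value) != component.kcv:
            raise ValueError(f"component {component.index} failed its check value")
        self.entered[component.index] = component
        self.log.append(f"component {component.index} entered by {custodian}")

    def reconstitute(self) -> bytes:
        if len(self.entered) != self.n:
            raise PermissionError(f"{len(self.entered)} of {self.n} components entered; key not formed")
        key = xor_all([self.entered[i].value for i in sorted(self.entered)])
        # 3.7.7: a wrong or substituted component yields a key whose check value does not match.
        if check_value(key) != self.expected_kcv:
            raise ValueError("reconstituted key failed its check value; possible key substitution")
        self.log.append("key reconstituted under dual control")
        return key
```

The ceremony log is the kind of record an assessor would ask to see under testing procedure 3.7.6.b when observing how cleartext keys are handled.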

+------------------------------------------------------------------------------+
| **PCI DSS Requirement**                                                      |
+==============================================================================+
| **3.7.8** Key management policies and procedures are implemented to          |
| include that cryptographic key custodians formally acknowledge (in writing   |
| or electronically) that they understand and accept their key-custodian       |
| responsibilities.                                                            |
+------------------------------------------------------------------------------+
| **Assessment Findings (select one)**                                         |
+------------------------------------------------------------------------------+

+--------------------+--------------------+--------------------+--------------------+
| **In Place**       | **Not Applicable** | **Not Tested**     | **Not in Place**   |
+====================+====================+====================+====================+
| ☐                  | ☐                  | ☐                  | ☐                  |
+--------------------+--------------------+--------------------+--------------------+

+--------------------------------------------------------------+------------------------------+
| Describe why the assessment finding was selected.            | \<Enter Response Here\>      |
|                                                              |                              |
| ***Note**: Include all details as noted in the "Required     |                              |
| Reporting" column of the table in                            |                              |
| [Assessment Findings](#assessment-findings) in the ROC       |                              |
| Template Instructions.*                                      |                              |
+--------------------------------------------------------------+------------------------------+

+--------------------------------------------------------------+------------------------------+
| **Validation Method -- Customized Approach**                 |                              |
+--------------------------------------------------------------+------------------------------+
| **Indicate** whether a Customized Approach was used:         | ☐ Yes ☐ No                   |
+--------------------------------------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>      |
| where the Customized Approach was used.                      |                              |
|                                                              |                              |
| ***Note:** The use of Customized Approach must also be       |                              |
| documented in                                                |                              |
| [Appendix E.](#appendix-e-customized-approach-template)*     |                              |
+--------------------------------------------------------------+------------------------------+
| **Validation Method -- Defined Approach**                    |                              |
+--------------------------------------------------------------+------------------------------+
| **Indicate** whether a Compensating Control was used:        | ☐ Yes ☐ No                   |
+--------------------------------------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>      |
| where the Compensating Control(s) was used.                  |                              |
|                                                              |                              |
| ***Note:** The use of Compensating Controls must also be     |                              |
| documented in                                                |                              |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*  |                              |
+--------------------------------------------------------------+------------------------------+


+--------------------------------------------+--------------------------------------------------+--------------------------+
| **Testing Procedures**                     | **Reporting Instructions**                       | **Reporting Details:     |
|                                            |                                                  | Assessor's Response**    |
+============================================+==================================================+==========================+
| **3.7.8.a** Examine the documented         | **Identify** the evidence reference number(s)    | \<Enter Response Here\>  |
| key-management policies and procedures     | from                                             |                          |
| for keys used for protection of stored     | [Section 6](#evidence-assessment-workpapers)     |                          |
| account data and verify that they define   | for the **documented key-management policies     |                          |
| acknowledgments for key custodians in      | and procedures** examined for this testing       |                          |
| accordance with all elements specified in  | procedure.                                       |                          |
| this requirement.                          |                                                  |                          |
+--------------------------------------------+--------------------------------------------------+--------------------------+
| **3.7.8.b** Examine documentation or other | **Identify** the evidence reference number(s)    | \<Enter Response Here\>  |
| evidence showing that key custodians have  | from                                             |                          |
| provided acknowledgments in accordance     | [Section 6](#evidence-assessment-workpapers)     |                          |
| with all elements specified in this        | for all **documentation or other evidence**      |                          |
| requirement.                               | examined for this testing procedure.             |                          |
+--------------------------------------------+--------------------------------------------------+--------------------------+

+------------------------------------------------------------------------------+
| **PCI DSS Requirement**                                                      |
+==============================================================================+
| **3.7.9** ***Additional requirement for service providers only:*** Where     |
| a service provider shares cryptographic keys with its customers for          |
| transmission or storage of account data, guidance on secure transmission,    |
| storage and updating of such keys is documented and distributed to the       |
| service provider's customers.                                                |
+------------------------------------------------------------------------------+
| **Assessment Findings (select one)**                                         |
+------------------------------------------------------------------------------+

+--------------------+--------------------+--------------------+--------------------+
| **In Place**       | **Not Applicable** | **Not Tested**     | **Not in Place**   |
+====================+====================+====================+====================+
| ☐                  | ☐                  | ☐                  | ☐                  |
+--------------------+--------------------+--------------------+--------------------+

+--------------------------------------------------------------+------------------------------+
| Describe why the assessment finding was selected.            | \<Enter Response Here\>      |
|                                                              |                              |
| ***Note**: Include all details as noted in the "Required     |                              |
| Reporting" column of the table in                            |                              |
| [Assessment Findings](#assessment-findings) in the ROC       |                              |
| Template Instructions.*                                      |                              |
+--------------------------------------------------------------+------------------------------+

**Validation Method -- Customized Approach**

**Indicate** whether a Customized Approach was used: ☐ Yes ☐ No

**If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used.

***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)*

\<Enter Response Here\>

**Validation Method -- Defined Approach**

**Indicate** whether a Compensating Control was used: ☐ Yes ☐ No

**If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used.

***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)*

\<Enter Response Here\>

| **Testing Procedures** | **Reporting Instructions** | **Reporting Details: Assessor's Response** |
|---|---|---|
| **3.7.9** ***Additional testing procedure for service provider assessments only:*** If the service provider shares cryptographic keys with its customers for transmission or storage of account data, examine the documentation that the service provider provides to its customers to verify it includes guidance on how to securely transmit, store, and update customers' keys in accordance with all elements specified in Requirements 3.7.1 through 3.7.8 above. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **documentation** examined for this testing procedure. | \<Enter Response Here\> |
### Requirement 4: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks {#requirement-4-protect-cardholder-data-with-strong-cryptography-during-transmission-over-open-public-networks .unnumbered}
**Requirement Description**

**4.1** Processes and mechanisms for protecting cardholder data with strong cryptography during transmission over open, public networks are defined and documented.

**PCI DSS Requirement**

**4.1.1** All security policies and operational procedures that are identified in Requirement 4 are:

- Documented.
- Kept up to date.
- In use.
- Known to all affected parties.

**Assessment Findings (select one)**

| **In Place** | **Not Applicable** | **Not Tested** | **Not in Place** |
|---|---|---|---|
| ☐ | ☐ | ☐ | ☐ |

Describe why the assessment finding was selected.

***Note**: Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.*

\<Enter Response Here\>

**Validation Method -- Customized Approach**

**Indicate** whether a Customized Approach was used: ☐ Yes ☐ No

**If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used.

***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)*

\<Enter Response Here\>
**Validation Method -- Defined Approach**

**Indicate** whether a Compensating Control was used: ☐ Yes ☐ No

**If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used.

***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)*

\<Enter Response Here\>

| **Testing Procedures** | **Reporting Instructions** | **Reporting Details: Assessor's Response** |
|---|---|---|
| **4.1.1** Examine documentation and interview personnel to verify that security policies and operational procedures identified in Requirement 4 are managed in accordance with all elements specified in this requirement. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **documentation** examined for this testing procedure. | \<Enter Response Here\> |
| | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **interview(s)** conducted for this testing procedure. | \<Enter Response Here\> |

**PCI DSS Requirement**

**4.1.2** Roles and responsibilities for performing activities in Requirement 4 are documented, assigned, and understood.

**Assessment Findings (select one)**

| **In Place** | **Not Applicable** | **Not Tested** | **Not in Place** |
|---|---|---|---|
| ☐ | ☐ | ☐ | ☐ |

Describe why the assessment finding was selected.

***Note**: Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.*

\<Enter Response Here\>
**Validation Method -- Customized Approach**

**Indicate** whether a Customized Approach was used: ☐ Yes ☐ No

**If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used.

***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)*

\<Enter Response Here\>

**Validation Method -- Defined Approach**

**Indicate** whether a Compensating Control was used: ☐ Yes ☐ No

**If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used.

***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)*

\<Enter Response Here\>

| **Testing Procedures** | **Reporting Instructions** | **Reporting Details: Assessor's Response** |
|---|---|---|
| **4.1.2.a** Examine documentation to verify that descriptions of roles and responsibilities for performing activities in Requirement 4 are documented and assigned. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **documentation** examined for this testing procedure. | \<Enter Response Here\> |
| **4.1.2.b** Interview personnel with responsibility for performing activities in Requirement 4 to verify that roles and responsibilities are assigned as documented and are understood. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **interview(s)** conducted for this testing procedure. | \<Enter Response Here\> |
**Requirement Description**

**4.2** PAN is protected with strong cryptography during transmission.

**PCI DSS Requirement**

**4.2.1** Strong cryptography and security protocols are implemented as follows to safeguard PAN during transmission over open, public networks:

- Only trusted keys and certificates are accepted.
- Certificates used to safeguard PAN during transmission over open, public networks are confirmed as valid and are not expired or revoked. *This bullet is a **best practice** until **31 March 2025**, after which it will be required as part of Requirement 4.2.1 and must be fully considered during a PCI DSS assessment.*
- The protocol in use supports only secure versions or configurations and does not support fallback to, or use of insecure versions, algorithms, key sizes, or implementations.
- The encryption strength is appropriate for the encryption methodology in use.

**Assessment Findings (select one)**

| **In Place** | **Not Applicable** | **Not Tested** | **Not in Place** |
|---|---|---|---|
| ☐ | ☐ | ☐ | ☐ |

Describe why the assessment finding was selected.

***Note**: Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.*

\<Enter Response Here\>

**Validation Method -- Customized Approach**

**Indicate** whether a Customized Approach was used: ☐ Yes ☐ No

**If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used.

***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)*

\<Enter Response Here\>
**Validation Method -- Defined Approach**

**Indicate** whether a Compensating Control was used: ☐ Yes ☐ No

**If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used.

***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)*

\<Enter Response Here\>

| **Testing Procedures** | **Reporting Instructions** | **Reporting Details: Assessor's Response** |
|---|---|---|
| **4.2.1.a** Examine documented policies and procedures and interview personnel to verify processes are defined to include all elements specified in this requirement. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for the **documented policies and procedures** examined for this testing procedure. | \<Enter Response Here\> |
| | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **interview(s)** conducted for this testing procedure. | \<Enter Response Here\> |
| **4.2.1.b** Examine system configurations to verify that strong cryptography and security protocols are implemented in accordance with all elements specified in this requirement. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **system configurations** examined for this testing procedure. | \<Enter Response Here\> |
| **4.2.1.c** Examine cardholder data transmissions to verify that all PAN is encrypted with strong cryptography when it is transmitted over open, public networks. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **cardholder data transmissions** examined for this testing procedure. | \<Enter Response Here\> |
| **4.2.1.d** Examine system configurations to verify that keys and/or certificates that cannot be verified as trusted are rejected. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **system configurations** examined for this testing procedure. | \<Enter Response Here\> |
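The following is an added example, not part of the ROC template or of any PCI SSC material, showing what the 4.2.1 bullets look like when checked in code. Using only Python's standard `ssl` library, it puts a client configuration that would fail testing procedures 4.2.1.b and 4.2.1.d (fallback to old protocol versions, untrusted certificates accepted) beside a hardened one, and audits both; it then applies the second bullet (certificates confirmed valid, not expired or revoked) and the 4.2.1.1 inventory requirement to a constructed inventory of trusted certificates. The inventory schema, subject names, fingerprints and dates are all constructed sample values, not the standard's.

```python
"""Added example for PCI DSS Requirement 4.2.1 / 4.2.1.1 (not part of the ROC
template). All inventory records, fingerprints and dates are constructed."""
import ssl
from dataclasses import dataclass
from datetime import date, timedelta

AS_OF = date(2024, 6, 1)  # constructed assessment date used for the checks below


def weak_context() -> ssl.SSLContext:
    """A client configuration that would fail 4.2.1: any protocol version the
    library supports is allowed, and untrusted certificates are accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # fallback to old TLS/SSL permitted
    ctx.check_hostname = False       # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # chain not validated: untrusted certificates accepted
    return ctx


def hardened_context() -> ssl.SSLContext:
    """A client configuration meeting the 4.2.1 bullets: TLS 1.2 or later only,
    chain validated against the trust store, hostname checked."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True, system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the 4.2.1 findings for a context; an empty list means no finding."""
    findings = []
    # TLSVersion is an IntEnum; MINIMUM_SUPPORTED (-2) sorts below every real version.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("allows protocol versions below TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("does not require a trusted certificate chain")
    if not ctx.check_hostname:
        findings.append("does not check the certificate hostname")
    return findings


@dataclass(frozen=True)
class TrustedCert:
    """One row of a 4.2.1.1 inventory (constructed schema, not the standard's)."""
    subject: str
    fingerprint: str   # SHA-256 of the DER certificate; placeholder values below
    not_after: date
    revoked: bool
    used_for: str      # the PAN transmission path the certificate protects


# Constructed sample inventory; the fingerprints are placeholders, not real hashes.
SAMPLE_INVENTORY = [
    TrustedCert("CN=gateway.example.test", "sha256:PLACEHOLDER-01",
                date(2025, 1, 31), False, "payment gateway API"),
    TrustedCert("CN=old-gateway.example.test", "sha256:PLACEHOLDER-02",
                date(2024, 3, 1), False, "decommissioned gateway"),
    TrustedCert("CN=partner.example.test", "sha256:PLACEHOLDER-03",
                date(2026, 6, 30), True, "acquirer file transfer"),
    TrustedCert("CN=pos-sync.example.test", "sha256:PLACEHOLDER-04",
                date(2024, 6, 20), False, "POS settlement upload"),
]


def check_certificate_inventory(inventory, today: date, warn_days: int = 30) -> dict[str, str]:
    """Map fingerprint -> reason for every entry that must not be trusted
    (revoked or expired) or that needs action before it expires."""
    problems = {}
    for cert in inventory:
        if cert.revoked:
            problems[cert.fingerprint] = "revoked"
        elif cert.not_after < today:
            problems[cert.fingerprint] = "expired"
        elif cert.not_after - today <= timedelta(days=warn_days):
            problems[cert.fingerprint] = f"expires within {warn_days} days"
    return problems


def is_trusted(fingerprint: str, inventory, today: date) -> bool:
    """4.2.1.d in miniature: a presented certificate is accepted only if it is in
    the inventory and is neither revoked nor expired; anything else is rejected."""
    for cert in inventory:
        if cert.fingerprint == fingerprint:
            return not cert.revoked and cert.not_after >= today
    return False  # unknown certificate: cannot be verified as trusted


if __name__ == "__main__":
    print("weak context:", audit_tls_context(weak_context()))
    print("hardened context:", audit_tls_context(hardened_context()))
    for fp, why in check_certificate_inventory(SAMPLE_INVENTORY, AS_OF).items():
        print(f"{fp}: {why}")
```

The audit function is the piece an assessor can reuse against real configurations: a context built by any code path can be passed to it, and a non-empty result maps directly onto the bullets of 4.2.1. The expiry warning window is a convenience for keeping the 4.2.1.1 inventory "up to date"; only revoked and expired entries are hard rejections.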
**PCI DSS Requirement**

**4.2.1.1** An inventory of the entity's trusted keys and certificates used to protect PAN during transmission is maintained.

***Note:** This requirement is a **best practice** until **31 March 2025**, after which it will be required and must be fully considered during a PCI DSS assessment.*

**Assessment Findings (select one)**

| **In Place** | **Not Applicable** | **Not Tested** | **Not in Place** |
|---|---|---|---|
| ☐ | ☐ | ☐ | ☐ |

Describe why the assessment finding was selected.

***Note**: Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.*

\<Enter Response Here\>

**Validation Method -- Customized Approach**

**Indicate** whether a Customized Approach was used: ☐ Yes ☐ No

**If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used.

***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)*

\<Enter Response Here\>

**Validation Method -- Defined Approach**

**Indicate** whether a Compensating Control was used: ☐ Yes ☐ No

**If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used.

***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)*

\<Enter Response Here\>

| **Testing Procedures** | **Reporting Instructions** | **Reporting Details: Assessor's Response** |
|---|---|---|
| **4.2.1.1.a** Examine documented policies and procedures to verify processes are defined for the entity to maintain an inventory of its trusted keys and certificates. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for the **documented policies and procedures** examined for this testing procedure. | \<Enter Response Here\> |
| **4.2.1.1.b** Examine the inventory of trusted keys and certificates to verify it is kept up to date. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **inventories of trusted keys** examined for this testing procedure. | \<Enter Response Here\> |

**PCI DSS Requirement**

**4.2.1.2** Wireless networks transmitting PAN or connected to the CDE use industry best practices to implement strong cryptography for authentication and transmission.

**Assessment Findings (select one)**

| **In Place** | **Not Applicable** | **Not Tested** | **Not in Place** |
|---|---|---|---|
| ☐ | ☐ | ☐ | ☐ |

Describe why the assessment finding was selected.

***Note**: Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.*

\<Enter Response Here\>

**Validation Method -- Customized Approach**

**Indicate** whether a Customized Approach was used: ☐ Yes ☐ No

**If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used.

***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)*

\<Enter Response Here\>

**Validation Method -- Defined Approach**

**Indicate** whether a Compensating Control was used: ☐ Yes ☐ No
**If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used.

***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)*

\<Enter Response Here\>

| **Testing Procedures** | **Reporting Instructions** | **Reporting Details: Assessor's Response** |
|---|---|---|
| **4.2.1.2** Examine system configurations to verify that wireless networks transmitting PAN or connected to the CDE use industry best practices to implement strong cryptography for authentication and transmission. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **system configurations** examined for this testing procedure. | \<Enter Response Here\> |

**PCI DSS Requirement**

**4.2.2** PAN is secured with strong cryptography whenever it is sent via end-user messaging technologies.

**Assessment Findings (select one)**

| **In Place** | **Not Applicable** | **Not Tested** | **Not in Place** |
|---|---|---|---|
| ☐ | ☐ | ☐ | ☐ |

+-----------------+-----------------+---+--------------+----------------+
| Describe why | | \ | | |
| the assessment | | < | | |
| finding was | | E | | |
| selected. | | n | | |
| | | t | | |
| ***Note**: | | e | | |
| Include all | | r | | |
| details as | | R | | |
| noted in the | | e | | |
| "Required | | s | | |
| Reporting" | | p | | |
| column of the | | o | | |
| table in | | n | | |
| [Assessment | | s | | |
| F | | e | | |
| indings](#asses | | H | | |
| sment-findings) | | e | | |
| in the ROC | | r | | |
| Template | | e | | |
| Instructions.* | | \ | | |
| | | > | | |
+-----------------+-----------------+---+--------------+----------------+
| **Validation | | | | |
| Method -- | | | | |
| Customized | | | | |
| Approach** | | | | |
+-----------------+-----------------+---+--------------+----------------+
| **Indicate** | | | - Yes ☐ No | |
| whether a | | | | |
| Customized | | | | |
| Approach was | | | | |
| used: | | | | |
+-----------------+-----------------+---+--------------+----------------+
| **If "Yes", | | | \<Enter | |
| Identify** the | | | Response | |
| aspect(s) of | | | Here\> | |
| the requirement | | | | |
| where the | | | | |
| Customized | | | | |
| Approach was | | | | |
| used. | | | | |
| | | | | |
| ***Note:** The | | | | |
| use of | | | | |
| Customized | | | | |
| Approach must | | | | |
| also be | | | | |
| documented in | | | | |
| [Appendix | | | | |
| E | | | | |
| .](#appendix-e- | | | | |
| customized-appr | | | | |
| oach-template)* | | | | |
+-----------------+-----------------+---+--------------+----------------+
+-----------------+-------------------+--------------------------------+
| **Validation | | |
| Method -- | | |
| Defined | | |
| Approach** | | |
+=================+===================+================================+
| **Indicate** | | - Yes ☐ No |
| whether a | | |
| Compensating | | |
| Control was | | |
| used: | | |
+-----------------+-------------------+--------------------------------+
| **If "Yes", | | \<Enter Response Here\> |
| Identify** the | | |
| aspect(s) of | | |
| the requirement | | |
| where the | | |
| Compensating | | |
| Control(s) was | | |
| used. | | |
| | | |
| ***Note:** The | | |
| use of | | |
| Compensating | | |
| Controls must | | |
| also be | | |
| documented in | | |
| [Appendix | | |
| C.]( | | |
| #appendix-c-com | | |
| pensating-contr | | |
| ols-worksheet)* | | |
+-----------------+-------------------+--------------------------------+
| > **Testing | > **Reporting | > **Reporting Details: |
| > Procedures** | > Instructions** | > Assessor's Response** |
+-----------------+-------------------+--------------------------------+
| **4.2.2.a** | **Identify** the | \<Enter Response Here\> |
| Examine | evidence | |
| documented | reference | |
| policies and | number(s) from | |
| procedures to | [Section | |
| verify that | 6 | |
| processes are | ](#evidence-asses | |
| defined to | sment-workpapers) | |
| secure PAN with | for all | |
| strong | **documented | |
| cryptography | policies and | |
| whenever sent | procedures** | |
| over end-user | examined for this | |
| messaging | testing | |
| technologies. | procedure. | |
+-----------------+-------------------+--------------------------------+
| **4.2.2.b** | **Identify** the | \<Enter Response Here\> |
| Examine system | evidence | |
| configurations | reference | |
| and vendor | number(s) from | |
| documentation | [Section | |
| to verify that | 6 | |
| PAN is secured | ](#evidence-asses | |
| with strong | sment-workpapers) | |
| cryptography | for all **system | |
| whenever it is | configurations** | |
| sent via | examined for this | |
| end-user | testing | |
| messaging | procedure. | |
| technologies. | | |
+-----------------+-------------------+--------------------------------+
| | **Identify** the | \<Enter Response Here\> |
| | evidence | |
| | reference | |
| | number(s) from | |
| | [Section | |
| | 6 | |
| | ](#evidence-asses | |
| | sment-workpapers) | |
| | for all **vendor | |
| | documentation** | |
| | examined for this | |
| | testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+
## Maintain a Vulnerability Management Program {#maintain-a-vulnerability-management-program .unnumbered}
### Requirement 5: Protect All Systems and Networks from Malicious Software {#requirement-5-protect-all-systems-and-networks-from-malicious-software .unnumbered}
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **Requirement Description**                                  |                                                            |                              |                              |
+==============================================================+============================================================+==============================+==============================+
| **5.1** Processes and mechanisms for protecting all systems  |                                                            |                              |                              |
| and networks from malicious software are defined and         |                                                            |                              |                              |
| understood.                                                  |                                                            |                              |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **PCI DSS Requirement**                                      |                                                            |                              |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **5.1.1** All security policies and operational procedures   |                                                            |                              |                              |
| that are identified in Requirement 5 are:                    |                                                            |                              |                              |
|                                                              |                                                            |                              |                              |
| - Documented.                                                |                                                            |                              |                              |
| - Kept up to date.                                           |                                                            |                              |                              |
| - In use.                                                    |                                                            |                              |                              |
| - Known to all affected parties.                             |                                                            |                              |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **Assessment Findings (select one)**                         |                                                            |                              |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **In Place**                                                 | **Not Applicable**                                         | **Not Tested**               | **Not in Place**             |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| ☐                                                            | ☐                                                          | ☐                            | ☐                            |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| Describe why the assessment finding was selected.            |                                                            | \<Enter Response Here\>      |                              |
|                                                              |                                                            |                              |                              |
| ***Note**: Include all details as noted in the "Required     |                                                            |                              |                              |
| Reporting" column of the table in                            |                                                            |                              |                              |
| [Assessment Findings](#assessment-findings) in the ROC       |                                                            |                              |                              |
| Template Instructions.*                                      |                                                            |                              |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **Validation Method -- Customized Approach**                 |                                                            |                              |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **Indicate** whether a Customized Approach was used:         |                                                            | ☐ Yes ☐ No                   |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      |                                                            | \<Enter Response Here\>      |                              |
| where the Customized Approach was used.                      |                                                            |                              |                              |
|                                                              |                                                            |                              |                              |
| ***Note:** The use of Customized Approach must also be       |                                                            |                              |                              |
| documented in                                                |                                                            |                              |                              |
| [Appendix E.](#appendix-e-customized-approach-template)*     |                                                            |                              |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **Validation Method -- Defined Approach**                    |                                                            |                              |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **Indicate** whether a Compensating Control was used:        |                                                            | ☐ Yes ☐ No                   |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      |                                                            | \<Enter Response Here\>      |                              |
| where the Compensating Control(s) was used.                  |                                                            |                              |                              |
|                                                              |                                                            |                              |                              |
| ***Note:** The use of Compensating Controls must also be     |                                                            |                              |                              |
| documented in                                                |                                                            |                              |                              |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*  |                                                            |                              |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **Testing Procedures**                                       | **Reporting Instructions**                                 | **Reporting Details:         |                              |
|                                                              |                                                            | Assessor's Response**        |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **5.1.1** Examine documentation and interview personnel to   | **Identify** the evidence reference number(s) from         | \<Enter Response Here\>      |                              |
| verify that security policies and operational procedures     | [Section 6](#evidence-assessment-workpapers) for all       |                              |                              |
| identified in Requirement 5 are managed in accordance with   | **documentation**                                          |                              |                              |
| all elements specified in this requirement.                  | examined for this testing procedure.                       |                              |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
|                                                              | **Identify** the evidence reference number(s) from         | \<Enter Response Here\>      |                              |
|                                                              | [Section 6](#evidence-assessment-workpapers) for all       |                              |                              |
|                                                              | **interview(s)**                                           |                              |                              |
|                                                              | conducted for this testing procedure.                      |                              |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **PCI DSS Requirement**                                      |                                                            |                              |                              |
+==============================================================+============================================================+==============================+==============================+
| **5.1.2** Roles and responsibilities for performing          |                                                            |                              |                              |
| activities in Requirement 5 are documented, assigned, and    |                                                            |                              |                              |
| understood.                                                  |                                                            |                              |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **Assessment Findings (select one)**                         |                                                            |                              |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **In Place**                                                 | **Not Applicable**                                         | **Not Tested**               | **Not in Place**             |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| ☐                                                            | ☐                                                          | ☐                            | ☐                            |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| Describe why the assessment finding was selected.            |                                                            | \<Enter Response Here\>      |                              |
|                                                              |                                                            |                              |                              |
| ***Note**: Include all details as noted in the "Required     |                                                            |                              |                              |
| Reporting" column of the table in                            |                                                            |                              |                              |
| [Assessment Findings](#assessment-findings) in the ROC       |                                                            |                              |                              |
| Template Instructions.*                                      |                                                            |                              |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **Validation Method -- Customized Approach**                 |                                                            |                              |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **Indicate** whether a Customized Approach was used:         |                                                            | ☐ Yes ☐ No                   |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      |                                                            | \<Enter Response Here\>      |                              |
| where the Customized Approach was used.                      |                                                            |                              |                              |
|                                                              |                                                            |                              |                              |
| ***Note:** The use of Customized Approach must also be       |                                                            |                              |                              |
| documented in                                                |                                                            |                              |                              |
| [Appendix E.](#appendix-e-customized-approach-template)*     |                                                            |                              |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **Validation Method -- Defined Approach**                    |                                                            |                              |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **Indicate** whether a Compensating Control was used:        |                                                            | ☐ Yes ☐ No                   |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      |                                                            | \<Enter Response Here\>      |                              |
| where the Compensating Control(s) was used.                  |                                                            |                              |                              |
|                                                              |                                                            |                              |                              |
| ***Note:** The use of Compensating Controls must also be     |                                                            |                              |                              |
| documented in                                                |                                                            |                              |                              |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*  |                                                            |                              |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **Testing Procedures**                                       | **Reporting Instructions**                                 | **Reporting Details:         |                              |
|                                                              |                                                            | Assessor's Response**        |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **5.1.2.a** Examine documentation to verify that             | **Identify** the evidence reference number(s) from         | \<Enter Response Here\>      |                              |
| descriptions of roles and responsibilities for performing    | [Section 6](#evidence-assessment-workpapers) for all       |                              |                              |
| activities in Requirement 5 are documented and assigned.     | **documentation**                                          |                              |                              |
|                                                              | examined for this testing procedure.                       |                              |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **5.1.2.b** Interview personnel with responsibility for      | **Identify** the evidence reference number(s) from         | \<Enter Response Here\>      |                              |
| performing activities in Requirement 5 to verify that roles  | [Section 6](#evidence-assessment-workpapers) for all       |                              |                              |
| and responsibilities are assigned as documented and are      | **interview(s)**                                           |                              |                              |
| understood.                                                  | conducted for this testing procedure.                      |                              |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **Requirement Description**                                  |                                                            |                              |                              |
+==============================================================+============================================================+==============================+==============================+
| **5.2** Malicious software (malware) is prevented or         |                                                            |                              |                              |
| detected and addressed.                                      |                                                            |                              |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **PCI DSS Requirement**                                      |                                                            |                              |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **5.2.1** An anti-malware solution(s) is deployed on all     |                                                            |                              |                              |
| system components, except for those system components        |                                                            |                              |                              |
| identified in periodic evaluations per Requirement 5.2.3     |                                                            |                              |                              |
| that concludes the system components are not at risk from    |                                                            |                              |                              |
| malware.                                                     |                                                            |                              |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **Assessment Findings (select one)**                         |                                                            |                              |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **In Place**                                                 | **Not Applicable**                                         | **Not Tested**               | **Not in Place**             |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| ☐                                                            | ☐                                                          | ☐                            | ☐                            |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| Describe why the assessment finding was selected.            |                                                            | \<Enter Response Here\>      |                              |
|                                                              |                                                            |                              |                              |
| ***Note**: Include all details as noted in the "Required     |                                                            |                              |                              |
| Reporting" column of the table in                            |                                                            |                              |                              |
| [Assessment Findings](#assessment-findings) in the ROC       |                                                            |                              |                              |
| Template Instructions.*                                      |                                                            |                              |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **Validation Method -- Customized Approach**                 |                                                            |                              |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **Indicate** whether a Customized Approach was used:         |                                                            | ☐ Yes ☐ No                   |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      |                                                            | \<Enter Response Here\>      |                              |
| where the Customized Approach was used.                      |                                                            |                              |                              |
|                                                              |                                                            |                              |                              |
| ***Note:** The use of Customized Approach must also be       |                                                            |                              |                              |
| documented in                                                |                                                            |                              |                              |
| [Appendix E.](#appendix-e-customized-approach-template)*     |                                                            |                              |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **Validation Method -- Defined Approach**                    |                                                            |                              |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **Indicate** whether a Compensating Control was used:        |                                                            | ☐ Yes ☐ No                   |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      |                                                            | \<Enter Response Here\>      |                              |
| where the Compensating Control(s) was used.                  |                                                            |                              |                              |
|                                                              |                                                            |                              |                              |
| ***Note:** The use of Compensating Controls must also be     |                                                            |                              |                              |
| documented in                                                |                                                            |                              |                              |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*  |                                                            |                              |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **Testing Procedures**                                       | **Reporting Instructions**                                 | **Reporting Details:         |                              |
|                                                              |                                                            | Assessor's Response**        |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **5.2.1.a** Examine system components to verify that an      | **Identify** the evidence reference number(s) from         | \<Enter Response Here\>      |                              |
| anti-malware solution(s) is deployed on all system           | [Section 6](#evidence-assessment-workpapers) for all       |                              |                              |
| components, except for those determined to not be at risk    | **system components**                                      |                              |                              |
| from malware based on periodic evaluations per Requirement   | examined for this testing procedure.                       |                              |                              |
| 5.2.3.                                                       |                                                            |                              |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **5.2.1.b** For any system components without an             | **Identify** the evidence reference number(s) from         | \<Enter Response Here\>      |                              |
| anti-malware solution, examine the periodic evaluations to   | [Section 6](#evidence-assessment-workpapers) for all       |                              |                              |
| verify the component was evaluated and the evaluation        | **periodic evaluations**                                   |                              |                              |
| concludes that the component is not at risk from malware.    | examined for this testing procedure.                       |                              |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **PCI DSS Requirement**                                      |                                                            |                              |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **5.2.2** The deployed anti-malware solution(s):             |                                                            |                              |                              |
|                                                              |                                                            |                              |                              |
| - Detects all known types of malware.                        |                                                            |                              |                              |
| - Removes, blocks, or contains all known types of malware.   |                                                            |                              |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **Assessment Findings (select one)**                         |                                                            |                              |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **In Place**                                                 | **Not Applicable**                                         | **Not Tested**               | **Not in Place**             |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| ☐                                                            | ☐                                                          | ☐                            | ☐                            |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| Describe why the assessment finding was selected.            |                                                            | \<Enter Response Here\>      |                              |
|                                                              |                                                            |                              |                              |
| ***Note**: Include all details as noted in the "Required     |                                                            |                              |                              |
| Reporting" column of the table in                            |                                                            |                              |                              |
| [Assessment Findings](#assessment-findings) in the ROC       |                                                            |                              |                              |
| Template Instructions.*                                      |                                                            |                              |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **Validation Method -- Customized Approach**                 |                                                            |                              |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **Indicate** whether a Customized Approach was used:         |                                                            | ☐ Yes ☐ No                   |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      |                                                            | \<Enter Response Here\>      |                              |
| where the Customized Approach was used.                      |                                                            |                              |                              |
|                                                              |                                                            |                              |                              |
| ***Note:** The use of Customized Approach must also be       |                                                            |                              |                              |
| documented in                                                |                                                            |                              |                              |
| [Appendix E.](#appendix-e-customized-approach-template)*     |                                                            |                              |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **Validation Method -- Defined Approach**                    |                                                            |                              |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **Indicate** whether a Compensating Control was used:        |                                                            | ☐ Yes ☐ No                   |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      |                                                            | \<Enter Response Here\>      |                              |
| where the Compensating Control(s) was used.                  |                                                            |                              |                              |
|                                                              |                                                            |                              |                              |
| ***Note:** The use of Compensating Controls must also be     |                                                            |                              |                              |
| documented in                                                |                                                            |                              |                              |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*  |                                                            |                              |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **Testing Procedures**                                       | **Reporting Instructions**                                 | **Reporting Details:         |                              |
|                                                              |                                                            | Assessor's Response**        |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **5.2.2** Examine vendor documentation and configurations of | **Identify** the evidence reference number(s) from         | \<Enter Response Here\>      |                              |
| the anti-malware solution(s) to verify that the solution:    | [Section 6](#evidence-assessment-workpapers) for all       |                              |                              |
|                                                              | **vendor documentation**                                   |                              |                              |
| - Detects all known types of malware.                        | examined for this testing procedure.                       |                              |                              |
| - Removes, blocks, or contains all known types of malware.   |                                                            |                              |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
|                                                              | **Identify** the evidence reference number(s) from         | \<Enter Response Here\>      |                              |
|                                                              | [Section 6](#evidence-assessment-workpapers) for all       |                              |                              |
|                                                              | **configurations**                                         |                              |                              |
|                                                              | examined for this testing procedure.                       |                              |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **PCI DSS Requirement**                                      |                                                            |                              |                              |
+==============================================================+============================================================+==============================+==============================+
| **5.2.3** Any system components that are not at risk for     |                                                            |                              |                              |
| malware are evaluated periodically to include the following: |                                                            |                              |                              |
|                                                              |                                                            |                              |                              |
| - A documented list of all system components not at risk for |                                                            |                              |                              |
|   malware.                                                   |                                                            |                              |                              |
| - Identification and evaluation of evolving malware threats  |                                                            |                              |                              |
|   for those system components.                               |                                                            |                              |                              |
| - Confirmation whether such system components continue to    |                                                            |                              |                              |
|   not require anti-malware protection.                       |                                                            |                              |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **Assessment Findings (select one)**                         |                                                            |                              |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **In Place**                                                 | **Not Applicable**                                         | **Not Tested**               | **Not in Place**             |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| ☐                                                            | ☐                                                          | ☐                            | ☐                            |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| Describe why the assessment finding was selected.            |                                                            | \<Enter Response Here\>      |                              |
|                                                              |                                                            |                              |                              |
| ***Note**: Include all details as noted in the "Required     |                                                            |                              |                              |
| Reporting" column of the table in                            |                                                            |                              |                              |
| [Assessment Findings](#assessment-findings) in the ROC       |                                                            |                              |                              |
| Template Instructions.*                                      |                                                            |                              |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **Validation Method -- Customized Approach**                 |                                                            |                              |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **Indicate** whether a Customized Approach was used:         |                                                            | ☐ Yes ☐ No                   |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      |                                                            | \<Enter Response Here\>      |                              |
| where the Customized Approach was used.                      |                                                            |                              |                              |
|                                                              |                                                            |                              |                              |
| ***Note:** The use of Customized Approach must also be       |                                                            |                              |                              |
| documented in                                                |                                                            |                              |                              |
| [Appendix E.](#appendix-e-customized-approach-template)*     |                                                            |                              |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **Validation Method -- Defined Approach**                    |                                                            |                              |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **Indicate** whether a Compensating Control was used:        |                                                            | ☐ Yes ☐ No                   |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      |                                                            | \<Enter Response Here\>      |                              |
| where the Compensating Control(s) was used.                  |                                                            |                              |                              |
|                                                              |                                                            |                              |                              |
| ***Note:** The use of Compensating Controls must also be     |                                                            |                              |                              |
| documented in                                                |                                                            |                              |                              |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*  |                                                            |                              |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **Testing Procedures**                                       | **Reporting Instructions**                                 | **Reporting Details:         |                              |
|                                                              |                                                            | Assessor's Response**        |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **5.2.3.a** Examine documented policies and procedures to    | **Identify** the evidence reference number(s) from         | \<Enter Response Here\>      |                              |
| verify that a process is defined for periodic evaluations of | [Section 6](#evidence-assessment-workpapers) for all       |                              |                              |
| any system components that are not at risk for malware that  | **documented policies and procedures**                     |                              |                              |
| includes all elements specified in this requirement.         | examined for this testing procedure.                       |                              |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **5.2.3.b** Interview personnel to verify that the           | **Identify** the evidence reference number(s) from         | \<Enter Response Here\>      |                              |
| evaluations include all elements specified in this           | [Section 6](#evidence-assessment-workpapers) for all       |                              |                              |
| requirement.                                                 | **interview(s)**                                           |                              |                              |
|                                                              | conducted for this testing procedure.                      |                              |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+
| **5.2.3.c** Examine the list of system components identified | **Identify** the evidence reference number(s) from         | \<Enter Response Here\>      |                              |
| as not at risk of malware and compare to the system          | [Section 6](#evidence-assessment-workpapers) for all       |                              |                              |
| components without an anti-malware solution deployed per     | **lists of system components**                             |                              |                              |
| Requirement 5.2.1 to verify that the system components match | examined for this testing procedure.                       |                              |                              |
| for both requirements.                                       |                                                            |                              |                              |
+--------------------------------------------------------------+------------------------------------------------------------+------------------------------+------------------------------+

| **PCI DSS Requirement** |
|---|
| **5.2.3.1** The frequency of periodic evaluations of system components identified as not at risk for malware is defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1. ***Note:** This requirement is a **best practice** until **31 March 2025**, after which it will be required and must be fully considered during a PCI DSS assessment.* |

| **Assessment Findings (select one)** | | | |
|---|---|---|---|
| **In Place** | **Not Applicable** | **Not Tested** | **Not in Place** |
| ☐ | ☐ | ☐ | ☐ |

| | |
|---|---|
| Describe why the assessment finding was selected. ***Note:** Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.* | \<Enter Response Here\> |

| **Validation Method -- Customized Approach** | |
|---|---|
| **Indicate** whether a Customized Approach was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used. ***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)* | \<Enter Response Here\> |

| **Validation Method -- Defined Approach** | |
|---|---|
| **Indicate** whether a Compensating Control was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used. ***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)* | \<Enter Response Here\> |

| **Testing Procedures** | **Reporting Instructions** | **Reporting Details: Assessor's Response** |
|---|---|---|
| **5.2.3.1.a** Examine the entity's targeted risk analysis for the frequency of periodic evaluations of system components identified as not at risk for malware to verify the risk analysis was performed in accordance with all elements specified in Requirement 12.3.1. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for the **targeted risk analysis** examined for this testing procedure. | \<Enter Response Here\> |
| **5.2.3.1.b** Examine documented results of periodic evaluations of system components identified as not at risk for malware and interview personnel to verify that evaluations are performed at the frequency defined in the entity's targeted risk analysis performed for this requirement. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **documented results of periodic evaluations of system components** examined for this testing procedure. | \<Enter Response Here\> |
| | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **interview(s)** conducted for this testing procedure. | \<Enter Response Here\> |

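An assessor-side cross-check for testing procedures 5.2.3.c (the not-at-risk list must match the 5.2.1 inventory of components with no anti-malware) and 5.2.3.1.b (evaluations performed at the frequency from the targeted risk analysis). This is an added illustration, not part of the ROC template or of any PCI SSC tooling. It assumes the entity supplies its not-at-risk list with the date of each component's last evaluation, the inventory of components without anti-malware, and a frequency in days taken from its targeted risk analysis; every hostname, date and the 180-day frequency below are constructed.

```python
"""Cross-check of the 5.2.3 not-at-risk list against the 5.2.1 inventory,
plus the 5.2.3.1 evaluation-frequency check. Constructed example: all
hostnames, dates and the frequency below are made up for illustration."""
from datetime import date, timedelta

# Entity-supplied list of components it considers not at risk for malware
# (5.2.3), with the date of each component's last periodic evaluation.
NOT_AT_RISK = {
    "mainframe-01": date(2024, 1, 10),
    "hsm-02": date(2023, 6, 1),
    "print-srv-03": date(2024, 2, 20),
}

# Components with no anti-malware solution deployed, from the 5.2.1 inventory.
NO_ANTIMALWARE = {"mainframe-01", "hsm-02", "switch-core-01"}

# Assumed values: the frequency the entity's targeted risk analysis (12.3.1)
# defines, and the date on which the assessor performs the check.
FREQUENCY_DAYS = 180
AS_OF = date(2024, 3, 1)


def reconcile(not_at_risk, no_antimalware):
    """5.2.3.c: both lists must describe the same set of components.

    Returns the consistent set plus the two kinds of mismatch the assessor
    needs to write up."""
    listed = set(not_at_risk)
    return {
        "consistent": sorted(listed & no_antimalware),
        # Declared not at risk although anti-malware is deployed: the list is stale.
        "not_at_risk_with_antimalware": sorted(listed - no_antimalware),
        # No anti-malware and no documented not-at-risk justification: gap against 5.2.1.
        "unjustified_no_antimalware": sorted(no_antimalware - listed),
    }


def overdue_evaluations(not_at_risk, frequency_days, as_of):
    """5.2.3.1.b: each evaluation must be no older than the defined frequency."""
    cutoff = as_of - timedelta(days=frequency_days)
    return sorted(host for host, last in not_at_risk.items() if last < cutoff)


if __name__ == "__main__":
    print(reconcile(NOT_AT_RISK, NO_ANTIMALWARE))
    print("overdue:", overdue_evaluations(NOT_AT_RISK, FREQUENCY_DAYS, AS_OF))
```

With the constructed data, `print-srv-03` is on the not-at-risk list although it has anti-malware, `switch-core-01` has no anti-malware and no justification, and `hsm-02` has not been evaluated within the 180-day window; each of these is what the assessor would record against the respective testing procedure.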

| **Requirement Description** |
|---|
| **5.3** Anti-malware mechanisms and processes are active, maintained, and monitored. |

| **PCI DSS Requirement** |
|---|
| **5.3.1** The anti-malware solution(s) is kept current via automatic updates. |

| **Assessment Findings (select one)** | | | |
|---|---|---|---|
| **In Place** | **Not Applicable** | **Not Tested** | **Not in Place** |
| ☐ | ☐ | ☐ | ☐ |

| | |
|---|---|
| Describe why the assessment finding was selected. ***Note:** Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.* | \<Enter Response Here\> |

| **Validation Method -- Customized Approach** | |
|---|---|
| **Indicate** whether a Customized Approach was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used. ***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)* | \<Enter Response Here\> |

| **Validation Method -- Defined Approach** | |
|---|---|
| **Indicate** whether a Compensating Control was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used. ***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)* | \<Enter Response Here\> |

| **Testing Procedures** | **Reporting Instructions** | **Reporting Details: Assessor's Response** |
|---|---|---|
| **5.3.1.a** Examine anti-malware solution(s) configurations, including any master installation of the software, to verify the solution is configured to perform automatic updates. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **anti-malware solution(s) configurations** examined for this testing procedure. | \<Enter Response Here\> |
| **5.3.1.b** Examine system components and logs to verify that the anti-malware solution(s) and definitions are current and have been promptly deployed. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **system components** examined for this testing procedure. | \<Enter Response Here\> |
| | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **logs** examined for this testing procedure. | \<Enter Response Here\> |

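A worked check for testing procedures 5.3.1.a and 5.3.1.b, added here as an example; it is not part of the template and does not model any particular vendor's product. It assumes a management-console export giving each endpoint's auto-update setting and its definition date, the vendor's latest definition release date, and an update log in a constructed line format; the three-day tolerance is an assumption, since the requirement says "promptly deployed" without giving a number. All hosts, dates and log lines are constructed.

```python
"""Definition-currency review for PCI DSS 5.3.1 (constructed example).
Console export, vendor release date, log format and tolerance are all
assumptions made for illustration, not any real product's format."""
import re
from datetime import date, datetime

# Assumed: the vendor's most recent definition release on the day of review.
VENDOR_LATEST_DEFS = date(2024, 3, 1)

# Constructed console export: configuration (auto_update) and observed state (defs_date).
ENDPOINTS = [
    {"host": "pos-01", "auto_update": True,  "defs_date": date(2024, 3, 1)},
    {"host": "pos-02", "auto_update": True,  "defs_date": date(2024, 2, 20)},
    {"host": "db-01",  "auto_update": False, "defs_date": date(2024, 3, 1)},
]

# Constructed update-log lines in a hypothetical format: timestamp, host, event, status.
UPDATE_LOG = """\
2024-03-01T02:10:05Z pos-01 defs-update status=ok
2024-02-20T02:11:40Z pos-02 defs-update status=ok
2024-02-28T02:12:03Z pos-02 defs-update status=failed reason=proxy-timeout
2024-03-01T02:10:09Z db-01 defs-update status=skipped reason=auto-update-off
"""

LOG_RE = re.compile(r"^(\S+) (\S+) defs-update status=(\w+)")


def last_successful_update(log_text):
    """Map host -> date of its most recent successful definition update (5.3.1.b, logs)."""
    latest = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group(3) != "ok":
            continue  # failed or skipped updates do not count as deployment
        ts, host = m.group(1), m.group(2)
        day = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date()
        if host not in latest or day > latest[host]:
            latest[host] = day
    return latest


def review_definition_currency(endpoints, vendor_latest, log_text, max_lag_days=3):
    """Return {host: [issues]} for endpoints that fail the 5.3.1 checks.

    max_lag_days is an assumed tolerance: the requirement says definitions must be
    'promptly deployed' without a number, so the assessor documents the value used.
    """
    last_ok = last_successful_update(log_text)
    issues = {}
    for e in endpoints:
        problems = []
        if not e["auto_update"]:
            problems.append("automatic updates disabled in configuration (5.3.1.a)")
        lag = (vendor_latest - e["defs_date"]).days
        if lag > max_lag_days:
            problems.append(f"definitions {lag} days behind vendor release (5.3.1.b)")
        if e["host"] not in last_ok:
            problems.append("no successful update recorded in logs (5.3.1.b)")
        elif (vendor_latest - last_ok[e["host"]]).days > max_lag_days:
            problems.append("last successful logged update is stale (5.3.1.b)")
        if problems:
            issues[e["host"]] = problems
    return issues


def run_review():
    """Convenience entry point using the constructed sample data."""
    return review_definition_currency(ENDPOINTS, VENDOR_LATEST_DEFS, UPDATE_LOG)


if __name__ == "__main__":
    for host, problems in run_review().items():
        print(host, "->", "; ".join(problems))
```

The check deliberately combines the three evidence types the testing procedures name: the configuration setting answers 5.3.1.a, while the observed definition date and the log of successful updates together answer 5.3.1.b, so a host whose console shows current definitions but whose log shows no successful update is still flagged for follow-up.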

| **PCI DSS Requirement** |
|---|
| **5.3.2** The anti-malware solution(s): • Performs periodic scans and active or real-time scans, OR • Performs continuous behavioral analysis of systems or processes. |

| **Assessment Findings (select one)** | | | |
|---|---|---|---|
| **In Place** | **Not Applicable** | **Not Tested** | **Not in Place** |
| ☐ | ☐ | ☐ | ☐ |

| | |
|---|---|
| Describe why the assessment finding was selected. ***Note:** Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.* | \<Enter Response Here\> |

| **Validation Method -- Customized Approach** | |
|---|---|
| **Indicate** whether a Customized Approach was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used. ***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)* | \<Enter Response Here\> |

| **Validation Method -- Defined Approach** | |
|---|---|
| **Indicate** whether a Compensating Control was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used. ***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)* | \<Enter Response Here\> |

| **Testing Procedures** | **Reporting Instructions** | **Reporting Details: Assessor's Response** |
|---|---|---|
| **5.3.2.a** Examine anti-malware solution(s) configurations, including any master installation of the software, to verify the solution(s) is configured to perform at least one of the elements specified in this requirement. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **anti-malware solution(s) configurations** examined for this testing procedure. | \<Enter Response Here\> |
| **5.3.2.b** Examine system components, including all operating system types identified as at risk for malware, to verify the solution(s) is enabled in accordance with at least one of the elements specified in this requirement. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **system components** examined for this testing procedure. | \<Enter Response Here\> |
| **5.3.2.c** Examine logs and scan results to verify that the solution(s) is enabled in accordance with at least one of the elements specified in this requirement. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **logs** examined for this testing procedure. | \<Enter Response Here\> |
| | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **scan results** examined for this testing procedure. | \<Enter Response Here\> |


| **PCI DSS Requirement** |
|---|
| **5.3.2.1** If periodic malware scans are performed to meet Requirement 5.3.2, the frequency of scans is defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1. ***Note:** This requirement is a **best practice** until **31 March 2025**, after which it will be required and must be fully considered during a PCI DSS assessment.* |

| **Assessment Findings (select one)** | | | |
|---|---|---|---|
| **In Place** | **Not Applicable** | **Not Tested** | **Not in Place** |
| ☐ | ☐ | ☐ | ☐ |

| | |
|---|---|
| Describe why the assessment finding was selected. ***Note:** Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.* | \<Enter Response Here\> |

| **Validation Method -- Customized Approach** | |
|---|---|
| **Indicate** whether a Customized Approach was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used. ***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)* | \<Enter Response Here\> |

| **Validation Method -- Defined Approach** | |
|---|---|
| **Indicate** whether a Compensating Control was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used. ***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)* | \<Enter Response Here\> |

| **Testing Procedures** | **Reporting Instructions** | **Reporting Details: Assessor's Response** |
|---|---|---|
| **5.3.2.1.a** Examine the entity's targeted risk analysis for the frequency of periodic malware scans to verify the risk analysis was performed in accordance with all elements specified in Requirement 12.3.1. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for the **targeted risk analysis** examined for this testing procedure. | \<Enter Response Here\> |
| **5.3.2.1.b** Examine documented results of periodic malware scans and interview personnel to verify scans are performed at the frequency defined in the entity's targeted risk analysis performed for this requirement. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **documented results of periodic malware scans** examined for this testing procedure. | \<Enter Response Here\> |
| | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **interview(s)** conducted for this testing procedure. | \<Enter Response Here\> |


| **PCI DSS Requirement** |
|---|
| **5.3.3** For removable electronic media, the anti-malware solution(s): • Performs automatic scans of when the media is inserted, connected, or logically mounted, OR • Performs continuous behavioral analysis of systems or processes when the media is inserted, connected, or logically mounted. ***Note:** This requirement is a **best practice** until **31 March 2025**, after which it will be required and must be fully considered during a PCI DSS assessment.* |

| **Assessment Findings (select one)** | | | |
|---|---|---|---|
| **In Place** | **Not Applicable** | **Not Tested** | **Not in Place** |
| ☐ | ☐ | ☐ | ☐ |

| | |
|---|---|
| Describe why the assessment finding was selected. ***Note:** Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.* | \<Enter Response Here\> |

| **Validation Method -- Customized Approach** | |
|---|---|
| **Indicate** whether a Customized Approach was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used. ***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)* | \<Enter Response Here\> |

| **Validation Method -- Defined Approach** | |
|---|---|
| **Indicate** whether a Compensating Control was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used. ***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)* | \<Enter Response Here\> |

| **Testing Procedures** | **Reporting Instructions** | **Reporting Details: Assessor's Response** |
|---|---|---|
| **5.3.3.a** Examine anti-malware solution(s) configurations to verify that, for removable electronic media, the solution is configured to perform at least one of the elements specified in this requirement. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **anti-malware solution(s) configurations** examined for this testing procedure. | \<Enter Response Here\> |
| **5.3.3.b** Examine system components with removable electronic media connected to verify that the solution(s) is enabled in accordance with at least one of the elements as specified in this requirement. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **system components** examined for this testing procedure. | \<Enter Response Here\> |
| **5.3.3.c** Examine logs and scan results to verify that the solution(s) is enabled in accordance with at least one of the elements specified in this requirement. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **logs** examined for this testing procedure. | \<Enter Response Here\> |
| | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **scan results** examined for this testing procedure. | \<Enter Response Here\> |


| **PCI DSS Requirement** |
|---|
| **5.3.4** Audit logs for the anti-malware solution(s) are enabled and retained in accordance with Requirement 10.5.1. |

| **Assessment Findings (select one)** | | | |
|---|---|---|---|
| **In Place** | **Not Applicable** | **Not Tested** | **Not in Place** |
| ☐ | ☐ | ☐ | ☐ |

| | |
|---|---|
| Describe why the assessment finding was selected. ***Note:** Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.* | \<Enter Response Here\> |

+-----------------+----------------+---+--------------+-----------------+
| **Validation | | | | |
| Method -- | | | | |
| Customized | | | | |
| Approach** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **Indicate** | | | - Yes ☐ No | |
| whether a | | | | |
| Customized | | | | |
| Approach was | | | | |
| used: | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **If "Yes", | | | \<Enter | |
| Identify** the | | | Response | |
| aspect(s) of | | | Here\> | |
| the requirement | | | | |
| where the | | | | |
| Customized | | | | |
| Approach was | | | | |
| used. | | | | |
| | | | | |
| ***Note:** The | | | | |
| use of | | | | |
| Customized | | | | |
| Approach must | | | | |
| also be | | | | |
| documented in | | | | |
| [Appendix | | | | |
| E | | | | |
| .](#appendix-e- | | | | |
| customized-appr | | | | |
| oach-template)* | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **Validation | | | | |
| Method -- | | | | |
| Defined | | | | |
| Approach** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **Indicate** | | | - Yes ☐ No | |
| whether a | | | | |
| Compensating | | | | |
| Control was | | | | |
| used: | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **If "Yes", | | | \<Enter | |
| Identify** the | | | Response | |
| aspect(s) of | | | Here\> | |
| the requirement | | | | |
| where the | | | | |
| Compensating | | | | |
| Control(s) was | | | | |
| used. | | | | |
| | | | | |
| ***Note:** The | | | | |
| use of | | | | |
| Compensating | | | | |
| Controls must | | | | |
| also be | | | | |
| documented in | | | | |
| [Appendix | | | | |
| C.]( | | | | |
| #appendix-c-com | | | | |
| pensating-contr | | | | |
| ols-worksheet)* | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **Testing | > **Reporting | | > | |
| Procedures** | > | | **Reporting | |
| | Instructions** | | > Details: | |
| | | | > Assessor's | |
| | | | > Response** | |
+-----------------+----------------+---+--------------+-----------------+
| **5.3.4** | **Identify** | | \<Enter | |
| Examine | the evidence | | Response | |
| anti-malware | reference | | Here\> | |
| solution(s) | number(s) from | | | |
| configurations | [Section | | | |
| to verify logs | 6](#evi | | | |
| | dence-assessme | | | |
| | nt-workpapers) | | | |
| | for all | | | |
| | ** | | | |
| | anti-malware** | | | |
+-----------------+----------------+---+--------------+-----------------+
+-----------------+----------------+---+--------------+-----------------+
| are enabled and | **solution(s) | | | |
| retained in | co | | | |
| accordance with | nfigurations** | | | |
| Requirement | examined for | | | |
| 10.5.1. | this testing | | | |
| | procedure. | | | |
+=================+================+===+==============+=================+
| > **PCI DSS | | | | |
| > Requirement** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **5.3.5** | | | | |
| Anti-malware | | | | |
| mechanisms | | | | |
| cannot be | | | | |
| disabled or | | | | |
| altered by | | | | |
| users, unless | | | | |
| specifically | | | | |
| documented, and | | | | |
| authorized by | | | | |
| management on a | | | | |
| case-by-case | | | | |
| basis for a | | | | |
| limited time | | | | |
| period. | | | | |
+-----------------+----------------+---+--------------+-----------------+
| > **Assessment | | | | |
| > Findings | | | | |
| > (select | | | | |
| > one)** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **In Place** | **Not | * | | **Not in |
| | Applicable** | * | | Place** |
| | | N | | |
| | | o | | |
| | | t | | |
| | | T | | |
| | | e | | |
| | | s | | |
| | | t | | |
| | | e | | |
| | | d | | |
| | | * | | |
| | | * | | |
+-----------------+----------------+---+--------------+-----------------+
| ☐ | ☐ | ☐ | | ☐ |
+-----------------+----------------+---+--------------+-----------------+
| Describe why | | \ | | |
| the assessment | | < | | |
| finding was | | E | | |
| selected. | | n | | |
| | | t | | |
| ***Note**: | | e | | |
| Include all | | r | | |
| details as | | R | | |
| noted in the | | e | | |
| "Required | | s | | |
| Reporting" | | p | | |
| column of the | | o | | |
| table in | | n | | |
| [Assessment | | s | | |
| F | | e | | |
| indings](#asses | | H | | |
| sment-findings) | | e | | |
| in the ROC | | r | | |
| Template | | e | | |
| Instructions.* | | \ | | |
| | | > | | |
+-----------------+----------------+---+--------------+-----------------+
| **Validation | | | | |
| Method -- | | | | |
| Customized | | | | |
| Approach** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **Indicate** | | | - Yes ☐ No | |
| whether a | | | | |
| Customized | | | | |
| Approach was | | | | |
| used: | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **If "Yes", | | | \<Enter | |
| Identify** the | | | Response | |
| aspect(s) of | | | Here\> | |
| the requirement | | | | |
| where the | | | | |
| Customized | | | | |
| Approach was | | | | |
| used. | | | | |
| | | | | |
| ***Note:** The | | | | |
| use of | | | | |
| Customized | | | | |
| Approach must | | | | |
| also be | | | | |
| documented in | | | | |
| [Appendix | | | | |
| E | | | | |
| .](#appendix-e- | | | | |
| customized-appr | | | | |
| oach-template)* | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **Validation | | | | |
| Method -- | | | | |
| Defined | | | | |
| Approach** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **Indicate** | | | - Yes ☐ No | |
| whether a | | | | |
| Compensating | | | | |
| Control was | | | | |
| used: | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **If "Yes", | | | \<Enter | |
| Identify** the | | | Response | |
| aspect(s) of | | | Here\> | |
| the requirement | | | | |
| where the | | | | |
| Compensating | | | | |
| Control(s) was | | | | |
| used. | | | | |
| | | | | |
| ***Note:** The | | | | |
| use of | | | | |
| Compensating | | | | |
| Controls must | | | | |
| also be | | | | |
| documented in | | | | |
| [Appendix | | | | |
| C.]( | | | | |
| #appendix-c-com | | | | |
| pensating-contr | | | | |
| ols-worksheet)* | | | | |
+-----------------+----------------+---+--------------+-----------------+
+-----------------+-------------------+--------------------------------+
| > **Testing | > **Reporting | > **Reporting Details: |
| > Procedures** | > Instructions** | > Assessor's Response** |
+=================+===================+================================+
| **5.3.5.a** | **Identify** the | \<Enter Response Here\> |
| Examine | evidence | |
| anti-malware | reference | |
| configurations, | number(s) from | |
| to verify that | [Section | |
| the anti- | 6 | |
| malware | ](#evidence-asses | |
| mechanisms | sment-workpapers) | |
| cannot be | for all | |
| disabled or | **anti-malware | |
| altered by | solution | |
| users. | configurations** | |
| | examined for this | |
| | testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+
| **5.3.5.b** | **Identify** the | \<Enter Response Here\> |
| Interview | evidence | |
| responsible | reference | |
| personnel and | number(s) from | |
| observe | [Section | |
| processes to | 6 | |
| verify that any | ](#evidence-asses | |
| requests to | sment-workpapers) | |
| disable or | for all | |
| alter | **interview(s)** | |
| anti-malware | conducted for | |
| mechanisms are | this testing | |
| specifically | procedure. | |
| documented and | | |
| authorized by | | |
| management on a | | |
| case-by-case | | |
| basis for a | | |
| limited time | | |
| period. | | |
+-----------------+-------------------+--------------------------------+
| | **Identify** the | \<Enter Response Here\> |
| | evidence | |
| | reference | |
| | number(s) from | |
| | [Section | |
| | 6 | |
| | ](#evidence-asses | |
| | sment-workpapers) | |
| | for all | |
| | **observation(s) | |
| | of processes** | |
| | for this testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+
+-----------------------------------------------------------------------+
| > **Requirement Description**                                         |
+=======================================================================+
| **5.4** Anti-phishing mechanisms protect users against phishing       |
| attacks.                                                              |
+-----------------------------------------------------------------------+
| > **PCI DSS Requirement**                                             |
+-----------------------------------------------------------------------+
| **5.4.1** Processes and automated mechanisms are in place to detect   |
| and protect personnel against phishing attacks.                       |
|                                                                       |
| ***Note:** This requirement is a **best practice** until **31 March   |
| 2025**, after which it will be required and must be fully considered  |
| during a PCI DSS assessment.*                                         |
+-----------------------------------------------------------------------+
| > **Assessment Findings (select one)**                                |
+-----------------------------------------------------------------------+
+-----------------+-----------------+-----------------+-----------------+
| **In Place**    | **Not           | **Not Tested**  | **Not in        |
|                 | Applicable**    |                 | Place**         |
+-----------------+-----------------+-----------------+-----------------+
| ☐               | ☐               | ☐               | ☐               |
+-----------------+-----------------+-----------------+-----------------+
+-----------------------------------------------------------------------+
| Describe why the assessment finding was selected.                     |
|                                                                       |
| ***Note**: Include all details as noted in the "Required Reporting"   |
| column of the table in [Assessment Findings](#assessment-findings) in |
| the ROC Template Instructions.*                                       |
|                                                                       |
| \<Enter Response Here\>                                               |
+-----------------------------------------------------------------------+
| **Validation Method -- Customized Approach**                          |
+-----------------------------------------------------------------------+
| **Indicate** whether a Customized Approach was used: ☐ Yes ☐ No       |
+-----------------------------------------------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the     |
| Customized Approach was used.                                         |
|                                                                       |
| \<Enter Response Here\>                                               |
|                                                                       |
| ***Note:** The use of Customized Approach must also be documented in  |
| [Appendix E.](#appendix-e-customized-approach-template)*              |
+-----------------------------------------------------------------------+
| **Validation Method -- Defined Approach**                             |
+-----------------------------------------------------------------------+
| **Indicate** whether a Compensating Control was used: ☐ Yes ☐ No      |
+-----------------------------------------------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the     |
| Compensating Control(s) was used.                                     |
|                                                                       |
| \<Enter Response Here\>                                               |
|                                                                       |
| ***Note:** The use of Compensating Controls must also be documented   |
| in [Appendix C.](#appendix-c-compensating-controls-worksheet)*        |
+-----------------------------------------------------------------------+
+------------------------------------------+----------------------------------------------------+---------------------------+
| **Testing Procedures**                   | **Reporting Instructions**                         | **Reporting Details:      |
|                                          |                                                    | Assessor's Response**     |
+==========================================+====================================================+===========================+
| **5.4.1** Observe implemented processes  | **Identify** the evidence reference number(s) from | \<Enter Response Here\>   |
| and examine mechanisms to verify         | [Section 6](#evidence-assessment-workpapers) for   |                           |
| controls are in place to detect and      | all **observation(s) of implemented processes**    |                           |
| protect personnel against phishing       | for this testing procedure.                        |                           |
| attacks.                                 |                                                    |                           |
+------------------------------------------+----------------------------------------------------+---------------------------+
|                                          | **Identify** the evidence reference number(s) from | \<Enter Response Here\>   |
|                                          | [Section 6](#evidence-assessment-workpapers) for   |                           |
|                                          | all **mechanisms** examined for this testing       |                           |
|                                          | procedure.                                         |                           |
+------------------------------------------+----------------------------------------------------+---------------------------+
### Requirement 6: Develop and Maintain Secure Systems and Software {#requirement-6-develop-and-maintain-secure-systems-and-software .unnumbered}
+-----------------------------------------------------------------------+
| > **Requirement Description**                                         |
+=======================================================================+
| **6.1** Processes and mechanisms for developing and maintaining       |
| secure systems and software are defined and understood.               |
+-----------------------------------------------------------------------+
| > **PCI DSS Requirement**                                             |
+-----------------------------------------------------------------------+
| **6.1.1** All security policies and operational procedures that are   |
| identified in Requirement 6 are:                                      |
|                                                                       |
| - Documented.                                                         |
|                                                                       |
| - Kept up to date.                                                    |
|                                                                       |
| - In use.                                                             |
|                                                                       |
| - Known to all affected parties.                                      |
+-----------------------------------------------------------------------+
| > **Assessment Findings (select one)**                                |
+-----------------------------------------------------------------------+
+-----------------+-----------------+-----------------+-----------------+
| **In Place**    | **Not           | **Not Tested**  | **Not in        |
|                 | Applicable**    |                 | Place**         |
+-----------------+-----------------+-----------------+-----------------+
| ☐               | ☐               | ☐               | ☐               |
+-----------------+-----------------+-----------------+-----------------+
+-----------------------------------------------------------------------+
| Describe why the assessment finding was selected.                     |
|                                                                       |
| ***Note**: Include all details as noted in the "Required Reporting"   |
| column of the table in [Assessment Findings](#assessment-findings) in |
| the ROC Template Instructions.*                                       |
|                                                                       |
| \<Enter Response Here\>                                               |
+-----------------------------------------------------------------------+
| **Validation Method -- Customized Approach**                          |
+-----------------------------------------------------------------------+
| **Indicate** whether a Customized Approach was used: ☐ Yes ☐ No       |
+-----------------------------------------------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the     |
| Customized Approach was used.                                         |
|                                                                       |
| \<Enter Response Here\>                                               |
|                                                                       |
| ***Note:** The use of Customized Approach must also be documented in  |
| [Appendix E.](#appendix-e-customized-approach-template)*              |
+-----------------------------------------------------------------------+
| **Validation Method -- Defined Approach**                             |
+-----------------------------------------------------------------------+
| **Indicate** whether a Compensating Control was used: ☐ Yes ☐ No      |
+-----------------------------------------------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the     |
| Compensating Control(s) was used.                                     |
|                                                                       |
| \<Enter Response Here\>                                               |
|                                                                       |
| ***Note:** The use of Compensating Controls must also be documented   |
| in [Appendix C.](#appendix-c-compensating-controls-worksheet)*        |
+-----------------------------------------------------------------------+
+------------------------------------------+----------------------------------------------------+---------------------------+
| **Testing Procedures**                   | **Reporting Instructions**                         | **Reporting Details:      |
|                                          |                                                    | Assessor's Response**     |
+==========================================+====================================================+===========================+
| **6.1.1** Examine documentation and      | **Identify** the evidence reference number(s) from | \<Enter Response Here\>   |
| interview personnel to verify that       | [Section 6](#evidence-assessment-workpapers) for   |                           |
| security policies and operational        | all **documentation** examined for this testing    |                           |
| procedures identified in Requirement 6   | procedure.                                         |                           |
| are managed in accordance with all       |                                                    |                           |
| elements specified in this requirement.  |                                                    |                           |
+------------------------------------------+----------------------------------------------------+---------------------------+
|                                          | **Identify** the evidence reference number(s) from | \<Enter Response Here\>   |
|                                          | [Section 6](#evidence-assessment-workpapers) for   |                           |
|                                          | all **interview(s)** conducted for this testing    |                           |
|                                          | procedure.                                         |                           |
+------------------------------------------+----------------------------------------------------+---------------------------+
+-----------------------------------------------------------------------+
| > **PCI DSS Requirement**                                             |
+=======================================================================+
| **6.1.2** Roles and responsibilities for performing activities in     |
| Requirement 6 are documented, assigned, and understood.               |
+-----------------------------------------------------------------------+
| > **Assessment Findings (select one)**                                |
+-----------------------------------------------------------------------+
+-----------------+-----------------+-----------------+-----------------+
| **In Place**    | **Not           | **Not Tested**  | **Not in        |
|                 | Applicable**    |                 | Place**         |
+-----------------+-----------------+-----------------+-----------------+
| ☐               | ☐               | ☐               | ☐               |
+-----------------+-----------------+-----------------+-----------------+
+-----------------------------------------------------------------------+
| Describe why the assessment finding was selected.                     |
|                                                                       |
| ***Note**: Include all details as noted in the "Required Reporting"   |
| column of the table in [Assessment Findings](#assessment-findings) in |
| the ROC Template Instructions.*                                       |
|                                                                       |
| \<Enter Response Here\>                                               |
+-----------------------------------------------------------------------+
| **Validation Method -- Customized Approach**                          |
+-----------------------------------------------------------------------+
| **Indicate** whether a Customized Approach was used: ☐ Yes ☐ No       |
+-----------------------------------------------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the     |
| Customized Approach was used.                                         |
|                                                                       |
| \<Enter Response Here\>                                               |
|                                                                       |
| ***Note:** The use of Customized Approach must also be documented in  |
| [Appendix E.](#appendix-e-customized-approach-template)*              |
+-----------------------------------------------------------------------+
| **Validation Method -- Defined Approach**                             |
+-----------------------------------------------------------------------+
| **Indicate** whether a Compensating Control was used: ☐ Yes ☐ No      |
+-----------------------------------------------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the     |
| Compensating Control(s) was used.                                     |
|                                                                       |
| \<Enter Response Here\>                                               |
|                                                                       |
| ***Note:** The use of Compensating Controls must also be documented   |
| in [Appendix C.](#appendix-c-compensating-controls-worksheet)*        |
+-----------------------------------------------------------------------+
+------------------------------------------+----------------------------------------------------+---------------------------+
| **Testing Procedures**                   | **Reporting Instructions**                         | **Reporting Details:      |
|                                          |                                                    | Assessor's Response**     |
+==========================================+====================================================+===========================+
| **6.1.2.a** Examine documentation to     | **Identify** the evidence reference number(s) from | \<Enter Response Here\>   |
| verify that descriptions of roles and    | [Section 6](#evidence-assessment-workpapers) for   |                           |
| responsibilities for performing          | all **documentation** examined for this testing    |                           |
| activities in Requirement 6 are          | procedure.                                         |                           |
| documented and assigned.                 |                                                    |                           |
+------------------------------------------+----------------------------------------------------+---------------------------+
| **6.1.2.b** Interview personnel          | **Identify** the evidence reference number(s) from | \<Enter Response Here\>   |
| responsible for performing activities    | [Section 6](#evidence-assessment-workpapers) for   |                           |
| in Requirement 6 to verify that roles    | all **interview(s)** conducted for this testing    |                           |
| and responsibilities are assigned as     | procedure.                                         |                           |
| documented and are understood.           |                                                    |                           |
+------------------------------------------+----------------------------------------------------+---------------------------+
+-----------------------------------------------------------------------+
| > **Requirement Description**                                         |
+=======================================================================+
| **6.2** Bespoke and custom software are developed securely.           |
+-----------------------------------------------------------------------+
| > **PCI DSS Requirement**                                             |
+-----------------------------------------------------------------------+
| **6.2.1** Bespoke and custom software are developed securely, as      |
| follows:                                                              |
|                                                                       |
| - Based on industry standards and/or best practices for secure        |
|   development.                                                        |
|                                                                       |
| - In accordance with PCI DSS (for example, secure                     |
|   authentication and logging).                                        |
|                                                                       |
| - Incorporating consideration of information security issues          |
|   during each stage of the software development lifecycle.            |
+-----------------------------------------------------------------------+
| > **Assessment Findings (select one)**                                |
+-----------------------------------------------------------------------+
+-----------------+-----------------+-----------------+-----------------+
| **In Place**    | **Not           | **Not Tested**  | **Not in        |
|                 | Applicable**    |                 | Place**         |
+-----------------+-----------------+-----------------+-----------------+
| ☐               | ☐               | ☐               | ☐               |
+-----------------+-----------------+-----------------+-----------------+
+-----------------------------------------------------------------------+
| Describe why the assessment finding was selected.                     |
|                                                                       |
| ***Note**: Include all details as noted in the "Required Reporting"   |
| column of the table in [Assessment Findings](#assessment-findings) in |
| the ROC Template Instructions.*                                       |
|                                                                       |
| \<Enter Response Here\>                                               |
+-----------------------------------------------------------------------+
| **Validation Method -- Customized Approach**                          |
+-----------------------------------------------------------------------+
| **Indicate** whether a Customized Approach was used: ☐ Yes ☐ No       |
+-----------------------------------------------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the     |
| Customized Approach was used.                                         |
|                                                                       |
| \<Enter Response Here\>                                               |
|                                                                       |
| ***Note:** The use of Customized Approach must also be documented in  |
| [Appendix E.](#appendix-e-customized-approach-template)*              |
+-----------------------------------------------------------------------+
| **Validation Method -- Defined Approach**                             |
+-----------------------------------------------------------------------+
| **Indicate** whether a Compensating Control was used: ☐ Yes ☐ No      |
+-----------------------------------------------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the     |
| Compensating Control(s) was used.                                     |
|                                                                       |
| \<Enter Response Here\>                                               |
|                                                                       |
| ***Note:** The use of Compensating Controls must also be documented   |
| in [Appendix C.](#appendix-c-compensating-controls-worksheet)*        |
+-----------------------------------------------------------------------+
+------------------------------------------+----------------------------------------------------+---------------------------+
| **Testing Procedures**                   | **Reporting Instructions**                         | **Reporting Details:      |
|                                          |                                                    | Assessor's Response**     |
+==========================================+====================================================+===========================+
| **6.2.1** Examine documented software    | **Identify** the evidence reference number(s) from | \<Enter Response Here\>   |
| development procedures to verify that    | [Section 6](#evidence-assessment-workpapers) for   |                           |
| processes are defined that include all   | the **documented software development procedures** |                           |
| elements specified in this requirement.  | examined for this testing procedure.               |                           |
+------------------------------------------+----------------------------------------------------+---------------------------+
+-----------------------------------------------------------------------+
| > **PCI DSS Requirement**                                             |
+=======================================================================+
| **6.2.2** Software development personnel working on bespoke and       |
| custom software are trained at least once every 12 months as          |
| follows:                                                              |
|                                                                       |
| - On software security relevant to their job function and             |
|   development languages.                                              |
|                                                                       |
| - Including secure software design and secure coding techniques.      |
|                                                                       |
| - Including, if security testing tools are used, how to use the       |
|   tools for detecting vulnerabilities in software.                    |
+-----------------------------------------------------------------------+
| > **Assessment Findings (select one)**                                |
+-----------------------------------------------------------------------+
+-----------------+-----------------+-----------------+-----------------+
| **In Place**    | **Not           | **Not Tested**  | **Not in        |
|                 | Applicable**    |                 | Place**         |
+-----------------+-----------------+-----------------+-----------------+
| ☐               | ☐               | ☐               | ☐               |
+-----------------+-----------------+-----------------+-----------------+
+-----------------------------------------------------------------------+
| Describe why the assessment finding was selected.                     |
|                                                                       |
| ***Note**: Include all details as noted in the "Required Reporting"   |
| column of the table in [Assessment Findings](#assessment-findings) in |
| the ROC Template Instructions.*                                       |
|                                                                       |
| \<Enter Response Here\>                                               |
+-----------------------------------------------------------------------+
| **Validation Method -- Customized Approach**                          |
+-----------------------------------------------------------------------+
| **Indicate** whether a Customized Approach was used: ☐ Yes ☐ No       |
+-----------------------------------------------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the     |
| Customized Approach was used.                                         |
|                                                                       |
| \<Enter Response Here\>                                               |
|                                                                       |
| ***Note:** The use of Customized Approach must also be documented in  |
| [Appendix E.](#appendix-e-customized-approach-template)*              |
+-----------------------------------------------------------------------+
| **Validation Method -- Defined Approach**                             |
+-----------------------------------------------------------------------+
| **Indicate** whether a Compensating Control was used: ☐ Yes ☐ No      |
+-----------------------------------------------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the     |
| Compensating Control(s) was used.                                     |
|                                                                       |
| \<Enter Response Here\>                                               |
|                                                                       |
| ***Note:** The use of Compensating Controls must also be documented   |
| in [Appendix C.](#appendix-c-compensating-controls-worksheet)*        |
+-----------------------------------------------------------------------+
+------------------------------------+----------------------------------------------+-------------------------+
| **Testing Procedures**             | **Reporting Instructions**                   | **Reporting Details:    |
|                                    |                                              | Assessor's Response**   |
+====================================+==============================================+=========================+
| **6.2.2.a** Examine software       | **Identify** the evidence reference          | \<Enter Response Here\> |
| development procedures to verify   | number(s) from                               |                         |
| that processes are defined for     | [Section 6](#evidence-assessment-workpapers) |                         |
| training of software development   | for all **software development procedures**  |                         |
| personnel developing bespoke and   | examined for this testing procedure.         |                         |
| custom software that includes all  |                                              |                         |
| elements specified in this         |                                              |                         |
| requirement.                       |                                              |                         |
+------------------------------------+----------------------------------------------+-------------------------+
| **6.2.2.b** Examine training       | **Identify** the evidence reference          | \<Enter Response Here\> |
| records and interview personnel    | number(s) from                               |                         |
| to verify that software            | [Section 6](#evidence-assessment-workpapers) |                         |
| development personnel working on   | for all **training records** examined        |                         |
| bespoke and custom software        | for this testing procedure.                  |                         |
| received software security         |                                              |                         |
| training that is relevant to their |                                              |                         |
| job function and development       |                                              |                         |
| languages in accordance with all   |                                              |                         |
| elements specified in this         |                                              |                         |
| requirement.                       |                                              |                         |
+------------------------------------+----------------------------------------------+-------------------------+
|                                    | **Identify** the evidence reference          | \<Enter Response Here\> |
|                                    | number(s) from                               |                         |
|                                    | [Section 6](#evidence-assessment-workpapers) |                         |
|                                    | for all **interview(s)** conducted for       |                         |
|                                    | this testing procedure.                      |                         |
+------------------------------------+----------------------------------------------+-------------------------+
+-----------------------------------------------------------------------+
| **PCI DSS Requirement**                                               |
+=======================================================================+
| **6.2.3** Bespoke and custom software is reviewed prior to being      |
| released into production or to customers, to identify and correct     |
| potential coding vulnerabilities, as follows:                         |
|                                                                       |
| - Code reviews ensure code is developed according to secure coding    |
|   guidelines.                                                         |
|                                                                       |
| - Code reviews look for both existing and emerging software           |
|   vulnerabilities.                                                    |
|                                                                       |
| - Appropriate corrections are implemented prior to release.           |
+-----------------------------------------------------------------------+
| **Assessment Findings (select one)**                                  |
+-----------------------------------------------------------------------+
+--------------------+--------------------+--------------------+--------------------+
| **In Place**       | **Not Applicable** | **Not Tested**     | **Not in Place**   |
+====================+====================+====================+====================+
| ☐                  | ☐                  | ☐                  | ☐                  |
+--------------------+--------------------+--------------------+--------------------+
+--------------------------------------------------------------+--------------------------------+
| Describe why the assessment finding was selected.            | \<Enter Response Here\>        |
|                                                              |                                |
| ***Note**: Include all details as noted in the "Required     |                                |
| Reporting" column of the table in                            |                                |
| [Assessment Findings](#assessment-findings) in the ROC       |                                |
| Template Instructions.*                                      |                                |
+--------------------------------------------------------------+--------------------------------+
| **Validation Method -- Customized Approach**                 |                                |
+--------------------------------------------------------------+--------------------------------+
| **Indicate** whether a Customized Approach was used:         | ☐ Yes ☐ No                     |
+--------------------------------------------------------------+--------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>        |
| where the Customized Approach was used.                      |                                |
|                                                              |                                |
| ***Note:** The use of Customized Approach must also be       |                                |
| documented in                                                |                                |
| [Appendix E.](#appendix-e-customized-approach-template)*     |                                |
+--------------------------------------------------------------+--------------------------------+
| **Validation Method -- Defined Approach**                    |                                |
+--------------------------------------------------------------+--------------------------------+
| **Indicate** whether a Compensating Control was used:        | ☐ Yes ☐ No                     |
+--------------------------------------------------------------+--------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>        |
| where the Compensating Control(s) was used.                  |                                |
|                                                              |                                |
| ***Note:** The use of Compensating Controls must also be     |                                |
| documented in                                                |                                |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*  |                                |
+--------------------------------------------------------------+--------------------------------+
+------------------------------------+----------------------------------------------+-------------------------+
| **Testing Procedures**             | **Reporting Instructions**                   | **Reporting Details:    |
|                                    |                                              | Assessor's Response**   |
+====================================+==============================================+=========================+
| **6.2.3.a** Examine documented     | **Identify** the evidence reference          | \<Enter Response Here\> |
| software development procedures    | number(s) from                               |                         |
| and interview responsible          | [Section 6](#evidence-assessment-workpapers) |                         |
| personnel to verify that processes | for the **documented software development    |                         |
| are defined that require all       | procedures** examined for this testing       |                         |
| bespoke and custom software to be  | procedure.                                   |                         |
| reviewed in accordance with all    |                                              |                         |
| elements specified in this         |                                              |                         |
| requirement.                       |                                              |                         |
+------------------------------------+----------------------------------------------+-------------------------+
|                                    | **Identify** the evidence reference          | \<Enter Response Here\> |
|                                    | number(s) from                               |                         |
|                                    | [Section 6](#evidence-assessment-workpapers) |                         |
|                                    | for all **interview(s)** conducted for       |                         |
|                                    | this testing procedure.                      |                         |
+------------------------------------+----------------------------------------------+-------------------------+
| **6.2.3.b** Examine evidence of    | **Identify** the evidence reference          | \<Enter Response Here\> |
| changes to bespoke and custom      | number(s) from                               |                         |
| software to verify that the code   | [Section 6](#evidence-assessment-workpapers) |                         |
| changes were reviewed in           | for all **evidence of changes** examined     |                         |
| accordance with all elements       | for this testing procedure.                  |                         |
| specified in this requirement.     |                                              |                         |
+------------------------------------+----------------------------------------------+-------------------------+
+-----------------------------------------------------------------------+
| **PCI DSS Requirement**                                               |
+=======================================================================+
| **6.2.3.1** If manual code reviews are performed for bespoke and      |
| custom software prior to release to production, code changes are:     |
|                                                                       |
| - Reviewed by individuals other than the originating code author,     |
|   and who are knowledgeable about code-review techniques and secure   |
|   coding practices.                                                   |
|                                                                       |
| - Reviewed and approved by management prior to release.               |
+-----------------------------------------------------------------------+
| **Assessment Findings (select one)**                                  |
+-----------------------------------------------------------------------+
+--------------------+--------------------+--------------------+--------------------+
| **In Place**       | **Not Applicable** | **Not Tested**     | **Not in Place**   |
+====================+====================+====================+====================+
| ☐                  | ☐                  | ☐                  | ☐                  |
+--------------------+--------------------+--------------------+--------------------+
+--------------------------------------------------------------+--------------------------------+
| Describe why the assessment finding was selected.            | \<Enter Response Here\>        |
|                                                              |                                |
| ***Note**: Include all details as noted in the "Required     |                                |
| Reporting" column of the table in                            |                                |
| [Assessment Findings](#assessment-findings) in the ROC       |                                |
| Template Instructions.*                                      |                                |
+--------------------------------------------------------------+--------------------------------+
| **Validation Method -- Customized Approach**                 |                                |
+--------------------------------------------------------------+--------------------------------+
| **Indicate** whether a Customized Approach was used:         | ☐ Yes ☐ No                     |
+--------------------------------------------------------------+--------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>        |
| where the Customized Approach was used.                      |                                |
|                                                              |                                |
| ***Note:** The use of Customized Approach must also be       |                                |
| documented in                                                |                                |
| [Appendix E.](#appendix-e-customized-approach-template)*     |                                |
+--------------------------------------------------------------+--------------------------------+
| **Validation Method -- Defined Approach**                    |                                |
+--------------------------------------------------------------+--------------------------------+
| **Indicate** whether a Compensating Control was used:        | ☐ Yes ☐ No                     |
+--------------------------------------------------------------+--------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>        |
| where the Compensating Control(s) was used.                  |                                |
|                                                              |                                |
| ***Note:** The use of Compensating Controls must also be     |                                |
| documented in                                                |                                |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*  |                                |
+--------------------------------------------------------------+--------------------------------+
+------------------------------------+----------------------------------------------+-------------------------+
| **Testing Procedures**             | **Reporting Instructions**                   | **Reporting Details:    |
|                                    |                                              | Assessor's Response**   |
+====================================+==============================================+=========================+
| **6.2.3.1.a** If manual code       | **Identify** the evidence reference          | \<Enter Response Here\> |
| reviews are performed for bespoke  | number(s) from                               |                         |
| and custom software prior to       | [Section 6](#evidence-assessment-workpapers) |                         |
| release to production, examine     | for the **documented software development    |                         |
| documented software development    | procedures** examined for this testing       |                         |
| procedures and interview           | procedure.                                   |                         |
| responsible personnel to verify    |                                              |                         |
| that processes are defined for     |                                              |                         |
| manual code reviews to be          |                                              |                         |
| conducted in accordance with all   |                                              |                         |
| elements specified in this         |                                              |                         |
| requirement.                       |                                              |                         |
+------------------------------------+----------------------------------------------+-------------------------+
|                                    | **Identify** the evidence reference          | \<Enter Response Here\> |
|                                    | number(s) from                               |                         |
|                                    | [Section 6](#evidence-assessment-workpapers) |                         |
|                                    | for all **interview(s)** conducted for       |                         |
|                                    | this testing procedure.                      |                         |
+------------------------------------+----------------------------------------------+-------------------------+
| **6.2.3.1.b** Examine evidence of  | **Identify** the evidence reference          | \<Enter Response Here\> |
| changes to bespoke and custom      | number(s) from                               |                         |
| software and interview personnel   | [Section 6](#evidence-assessment-workpapers) |                         |
| to verify that manual code reviews | for all **evidence of changes** examined     |                         |
| were conducted in accordance with  | for this testing procedure.                  |                         |
| all elements specified in this     |                                              |                         |
| requirement.                       |                                              |                         |
+------------------------------------+----------------------------------------------+-------------------------+
|                                    | **Identify** the evidence reference          | \<Enter Response Here\> |
|                                    | number(s) from                               |                         |
|                                    | [Section 6](#evidence-assessment-workpapers) |                         |
|                                    | for all **interview(s)** conducted for       |                         |
|                                    | this testing procedure.                      |                         |
+------------------------------------+----------------------------------------------+-------------------------+
+-----------------------------------------------------------------------+
| **PCI DSS Requirement**                                               |
+=======================================================================+
| **6.2.4** Software engineering techniques or other methods are        |
| defined and in use by software development personnel to prevent or    |
| mitigate common software attacks and related vulnerabilities in       |
| bespoke and custom software, including but not limited to the         |
| following:                                                            |
|                                                                       |
| - Injection attacks, including SQL, LDAP, XPath, or other command,    |
|   parameter, object, fault, or injection-type flaws.                  |
|                                                                       |
| - Attacks on data and data structures, including attempts to          |
|   manipulate buffers, pointers, input data, or shared data.           |
|                                                                       |
| - Attacks on cryptography usage, including attempts to exploit weak,  |
|   insecure, or inappropriate cryptographic implementations,           |
|   algorithms, cipher suites, or modes of operation.                   |
|                                                                       |
| - Attacks on business logic, including attempts to abuse or bypass    |
|   application features and functionalities through the manipulation  |
|   of APIs, communication protocols and channels, client-side          |
|   functionality, or other system/application functions and resources. |
|   This includes cross-site scripting (XSS) and cross-site request     |
|   forgery (CSRF).                                                     |
|                                                                       |
| - Attacks on access control mechanisms, including attempts to bypass  |
|   or abuse identification, authentication, or authorization           |
|   mechanisms, or attempts to exploit weaknesses in the implementation |
|   of such mechanisms.                                                 |
|                                                                       |
| - Attacks via any "high-risk" vulnerabilities identified in the       |
|   vulnerability identification process, as defined in Requirement     |
|   6.3.1.                                                              |
+-----------------------------------------------------------------------+
| **Assessment Findings (select one)**                                  |
+-----------------------------------------------------------------------+
+--------------------+--------------------+--------------------+--------------------+
| **In Place**       | **Not Applicable** | **Not Tested**     | **Not in Place**   |
+====================+====================+====================+====================+
| ☐                  | ☐                  | ☐                  | ☐                  |
+--------------------+--------------------+--------------------+--------------------+
+--------------------------------------------------------------+--------------------------------+
| Describe why the assessment finding was selected.            | \<Enter Response Here\>        |
|                                                              |                                |
| ***Note**: Include all details as noted in the "Required     |                                |
| Reporting" column of the table in                            |                                |
| [Assessment Findings](#assessment-findings) in the ROC       |                                |
| Template Instructions.*                                      |                                |
+--------------------------------------------------------------+--------------------------------+
| **Validation Method -- Customized Approach**                 |                                |
+--------------------------------------------------------------+--------------------------------+
| **Indicate** whether a Customized Approach was used:         | ☐ Yes ☐ No                     |
+--------------------------------------------------------------+--------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>        |
| where the Customized Approach was used.                      |                                |
|                                                              |                                |
| ***Note:** The use of Customized Approach must also be       |                                |
| documented in                                                |                                |
| [Appendix E.](#appendix-e-customized-approach-template)*     |                                |
+--------------------------------------------------------------+--------------------------------+
| **Validation Method -- Defined Approach**                    |                                |
+--------------------------------------------------------------+--------------------------------+
| **Indicate** whether a Compensating Control was used:        | ☐ Yes ☐ No                     |
+--------------------------------------------------------------+--------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>        |
| where the Compensating Control(s) was used.                  |                                |
|                                                              |                                |
| ***Note:** The use of Compensating Controls must also be     |                                |
| documented in                                                |                                |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*  |                                |
+--------------------------------------------------------------+--------------------------------+
+------------------------------------+----------------------------------------------+-------------------------+
| **Testing Procedures**             | **Reporting Instructions**                   | **Reporting Details:    |
|                                    |                                              | Assessor's Response**   |
+====================================+==============================================+=========================+
| **6.2.4** Examine documented       | **Identify** the evidence reference          | \<Enter Response Here\> |
| procedures and interview           | number(s) from                               |                         |
| responsible software development   | [Section 6](#evidence-assessment-workpapers) |                         |
| personnel to verify that software  | for all **documented procedures** examined   |                         |
| engineering techniques or other    | for this testing procedure.                  |                         |
| methods are defined and in use by  |                                              |                         |
| developers of bespoke and custom   |                                              |                         |
| software to prevent or mitigate    |                                              |                         |
| all common software attacks as     |                                              |                         |
| specified in this requirement.     |                                              |                         |
+------------------------------------+----------------------------------------------+-------------------------+
|                                    | **Identify** the evidence reference          | \<Enter Response Here\> |
|                                    | number(s) from                               |                         |
|                                    | [Section 6](#evidence-assessment-workpapers) |                         |
|                                    | for all **interview(s)** conducted for       |                         |
|                                    | this testing procedure.                      |                         |
+------------------------------------+----------------------------------------------+-------------------------+
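
Requirement 6.2.4 lists injection first among the attack classes that secure-coding techniques are expected to prevent, and 6.2.3 expects code reviews to catch it before release. The Python below is an added example, not part of the ROC template or of any PCI SSC material: it places a bespoke customer lookup written with string formatting beside the same lookup written with a bound parameter, then runs a legitimate value and two constructed payloads (a tautology and a `UNION` against SQLite's schema catalogue) through both. The table, rows, token values and payload strings are constructed for the demonstration; SQLite is used only because it ships with Python and runs in memory.

```python
import sqlite3

# Constructed sample data for the demonstration: a tiny customer table in
# which pan_token stands in for a tokenized card number.
CUSTOMERS = [
    ("alice@example.test", "tok_1111"),
    ("bob@example.test", "tok_2222"),
    ("carol@example.test", "tok_3333"),
]

# Constructed attack strings. The first turns the WHERE clause into a
# tautology; the second appends a UNION that reads SQLite's schema
# catalogue and comments out the query's closing quote.
TAUTOLOGY_PAYLOAD = "x' OR '1'='1"
UNION_PAYLOAD = "x' UNION SELECT name, sql FROM sqlite_master --"


def make_db() -> sqlite3.Connection:
    """Build the in-memory database both lookups run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customer (id INTEGER PRIMARY KEY, email TEXT, pan_token TEXT)"
    )
    conn.executemany(
        "INSERT INTO customer (email, pan_token) VALUES (?, ?)", CUSTOMERS
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list[tuple]:
    """Injection-prone: the caller's text is spliced into the statement, so
    any quote or keyword it contains is parsed as SQL."""
    sql = f"SELECT email, pan_token FROM customer WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> list[tuple]:
    """Hardened: the statement text is fixed and the value is bound as data,
    so the driver never interprets it as SQL."""
    sql = "SELECT email, pan_token FROM customer WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def run_demo() -> dict[str, list[tuple]]:
    """Run one legitimate lookup and both payloads through each version and
    return the rows each call produced, keyed by version and input."""
    conn = make_db()
    results = {}
    for label, lookup in (
        ("vulnerable", lookup_vulnerable),
        ("parameterized", lookup_parameterized),
    ):
        results[f"{label}/legit"] = lookup(conn, "bob@example.test")
        results[f"{label}/tautology"] = lookup(conn, TAUTOLOGY_PAYLOAD)
        results[f"{label}/union"] = lookup(conn, UNION_PAYLOAD)
    conn.close()
    return results


if __name__ == "__main__":
    for key, rows in run_demo().items():
        print(f"{key:24} -> {len(rows)} row(s): {rows}")
```

Running the file prints six result lines. Against the string-built query the tautology returns every customer row and the `UNION` payload returns the `CREATE TABLE` statement out of `sqlite_master`, data the query was never meant to reach; against the parameterized query both payloads return nothing, because the bound value is compared as a literal e-mail address. The `f"... '{email}'"` pattern is exactly what a reviewer working under 6.2.3 should flag, and the parameterized form is the fix to insist on before release.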
+-----------------------------------------------------------------------+
| > **Requirement Description** |
+=======================================================================+
| **6.3** Security vulnerabilities are identified and addressed. |
+-----------------------------------------------------------------------+
| > **PCI DSS Requirement** |
+-----------------------------------------------------------------------+
| 1. Security vulnerabilities are identified and managed as follows: |
| |
| - New security vulnerabilities are identified using |
| industry-recognized sources for security vulnerability |
| information, including alerts from international and national |
| computer emergency response teams (CERTs). |
| |
| - Vulnerabilities are assigned a risk ranking based on industry |
| best practices and consideration of potential impact. |
| |
| - Risk rankings identify, at a minimum, all vulnerabilities |
| considered to be a high-risk or critical to the environment. |
| |
| - Vulnerabilities for bespoke and custom, and third-party |
| software (for example operating systems and databases) are |
| covered. |
+-----------------------------------------------------------------------+
+-----------------+----------------+---+--------------+-----------------+
| > **Assessment | | | | |
| > Findings | | | | |
| > (select | | | | |
| > one)** | | | | |
+=================+================+===+==============+=================+
| **In Place** | **Not | * | | **Not in |
| | Applicable** | * | | Place** |
| | | N | | |
| | | o | | |
| | | t | | |
| | | T | | |
| | | e | | |
| | | s | | |
| | | t | | |
| | | e | | |
| | | d | | |
| | | * | | |
| | | * | | |
+-----------------+----------------+---+--------------+-----------------+
| ☐ | ☐ | ☐ | | ☐ |
+-----------------+----------------+---+--------------+-----------------+
| Describe why | | \ | | |
| the assessment | | < | | |
| finding was | | E | | |
| selected. | | n | | |
| | | t | | |
| ***Note**: | | e | | |
| Include all | | r | | |
| details as | | R | | |
| noted in the | | e | | |
| "Required | | s | | |
| Reporting" | | p | | |
| column of the | | o | | |
| table in | | n | | |
| [Assessment | | s | | |
| F | | e | | |
| indings](#asses | | H | | |
| sment-findings) | | e | | |
| in the ROC | | r | | |
| Template | | e | | |
| Instructions.* | | \ | | |
| | | > | | |
+-----------------+----------------+---+--------------+-----------------+
| **Validation | | | | |
| Method -- | | | | |
| Customized | | | | |
| Approach** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **Indicate** | | | - Yes ☐ No | |
| whether a | | | | |
| Customized | | | | |
| Approach was | | | | |
| used: | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **If "Yes", | | | \<Enter | |
| Identify** the | | | Response | |
| aspect(s) of | | | Here\> | |
| the requirement | | | | |
| where the | | | | |
| Customized | | | | |
| Approach was | | | | |
| used. | | | | |
| | | | | |
| ***Note:** The | | | | |
| use of | | | | |
| Customized | | | | |
| Approach must | | | | |
| also be | | | | |
| documented in | | | | |
| [Appendix | | | | |
| E | | | | |
| .](#appendix-e- | | | | |
| customized-appr | | | | |
| oach-template)* | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **Validation | | | | |
| Method -- | | | | |
| Defined | | | | |
| Approach** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **Indicate** | | | - Yes ☐ No | |
| whether a | | | | |
| Compensating | | | | |
| Control was | | | | |
| used: | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **If "Yes", | | | \<Enter | |
| Identify** the | | | Response | |
| aspect(s) of | | | Here\> | |
| the requirement | | | | |
| where the | | | | |
| Compensating | | | | |
| Control(s) was | | | | |
| used. | | | | |
| | | | | |
| ***Note:** The | | | | |
| use of | | | | |
| Compensating | | | | |
| Controls must | | | | |
| also be | | | | |
| documented in | | | | |
| [Appendix | | | | |
| C.]( | | | | |
| #appendix-c-com | | | | |
| pensating-contr | | | | |
| ols-worksheet)* | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **Testing | > **Reporting | | > | |
| Procedures** | > | | **Reporting | |
| | Instructions** | | > Details: | |
| | | | > Assessor's | |
| | | | > Response** | |
+-----------------+----------------+---+--------------+-----------------+
| **6.3.1.a** | > **Identify** | | \<Enter | |
| Examine | > the evidence | | Response | |
| policies and | > reference | | Here\> | |
| procedures for | > number(s) | | | |
| identifying and | > from | | | |
| managing | > [Section | | | |
| security | > 6](#evi | | | |
| vulnerabilities | dence-assessme | | | |
| to verify that | nt-workpapers) | | | |
| processes are | > for all | | | |
| defined in | > **policies | | | |
| accordance with | > and | | | |
| all elements | > procedures** | | | |
| specified in | > examined for | | | |
| this | > this testing | | | |
| requirement. | > procedure. | | | |
+-----------------+----------------+---+--------------+-----------------+
| **6.3.1.b** | > **Identify** | | \<Enter | |
| Interview | > the evidence | | Response | |
| responsible | > reference | | Here\> | |
| personnel, | > number(s) | | | |
| examine | > from | | | |
| documentation, | > [Section | | | |
| and observe | > 6](#evi | | | |
| processes to | dence-assessme | | | |
| verify that | nt-workpapers) | | | |
| | > for all | | | |
| | > ** | | | |
| | interview(s)** | | | |
| | > conducted | | | |
| | > for this | | | |
| | > testing | | | |
| | > procedure. | | | |
+-----------------+----------------+---+--------------+-----------------+
security vulnerabilities are identified and managed in accordance with all elements specified in this requirement.

| **Reporting Instructions** | **Reporting Details: Assessor's Response** |
|---|---|
| **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **documentation** examined for this testing procedure. | \<Enter Response Here\> |
| **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **observation(s) of processes** for this testing procedure. | \<Enter Response Here\> |

> **PCI DSS Requirement**

**6.3.2** An inventory of bespoke and custom software, and third-party software components incorporated into bespoke and custom software is maintained to facilitate vulnerability and patch management.

***Note:** This requirement is a **best practice** until **31 March 2025**, after which it will be required and must be fully considered during a PCI DSS assessment.*

> **Assessment Findings (select one)**

| **In Place** | **Not Applicable** | **Not Tested** | **Not in Place** |
|---|---|---|---|
| ☐ | ☐ | ☐ | ☐ |

Describe why the assessment finding was selected. \<Enter Response Here\>

***Note**: Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.*

**Validation Method -- Customized Approach**

**Indicate** whether a Customized Approach was used: ☐ Yes ☐ No

**If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used. \<Enter Response Here\>

***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)*

**Validation Method -- Defined Approach**

**Indicate** whether a Compensating Control was used: ☐ Yes ☐ No

**If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used. \<Enter Response Here\>

***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)*

| **Testing Procedures** | **Reporting Instructions** | **Reporting Details: Assessor's Response** |
|---|---|---|
| **6.3.2.a** Examine documentation and interview personnel to verify that an inventory of bespoke and custom software and third-party software components incorporated into bespoke and custom software is maintained, and that the inventory is used to identify and address vulnerabilities. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **documentation** examined for this testing procedure. | \<Enter Response Here\> |
| | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **interview(s)** conducted for this testing procedure. | \<Enter Response Here\> |
| **6.3.2.b** Examine software documentation, including for bespoke and custom software that integrates third-party software components, and compare it to the inventory to verify that the inventory includes the bespoke and custom software and third-party software components. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **software documentation** examined for this testing procedure. | \<Enter Response Here\> |
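The following is an added worked example in JavaScript (Node.js) and is not part of the PCI SSC template. It shows the two uses of a Requirement 6.3.2 inventory that the testing procedures look for: cross-referencing recorded component versions against advisories (6.3.2.a, "the inventory is used to identify and address vulnerabilities") and comparing an application's build manifest with the inventory to find unlisted components (6.3.2.b). The application names, component names, versions, team names and advisory identifiers are constructed sample data, not real software or real vulnerability records.

```javascript
// Added example: cross-checks a constructed software inventory against a
// constructed advisory list (6.3.2.a, "the inventory is used to identify and
// address vulnerabilities") and against an application's build manifest
// (6.3.2.b, "the inventory includes ... third-party software components").
// All names, versions and advisory ids below are made up for illustration.

// One record per bespoke/custom application, listing the third-party
// components it incorporates.
const SOFTWARE_INVENTORY = [
  {
    application: "checkout-service", owner: "payments-team",
    components: [
      { name: "libfoo", version: "1.4.2" },
      { name: "json-parse", version: "3.0.1" },
    ],
  },
  {
    application: "admin-portal", owner: "platform-team",
    components: [
      { name: "libfoo", version: "2.0.0" },
      { name: "tmpl-engine", version: "0.9.5" },
    ],
  },
];

// Placeholder advisory records (not real CVEs): versions below
// `affectedBelow` are vulnerable, `fixedIn` is the first fixed release.
const ADVISORIES = [
  { id: "ADV-EXAMPLE-1", component: "libfoo", affectedBelow: "1.5.0", fixedIn: "1.5.0" },
  { id: "ADV-EXAMPLE-2", component: "tmpl-engine", affectedBelow: "1.0.0", fixedIn: "1.0.0" },
  { id: "ADV-EXAMPLE-3", component: "json-parse", affectedBelow: "2.9.0", fixedIn: "2.9.0" },
];

// Compare dotted numeric versions ("1.4.2" vs "1.10.0"); shorter versions are
// padded with zeros, so "1.5" equals "1.5.0". Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// 6.3.2.a: which applications incorporate a component version that an
// advisory covers, and who owns the remediation.
function findAffected(inventory, advisories) {
  const hits = [];
  for (const app of inventory) {
    for (const c of app.components) {
      for (const adv of advisories) {
        if (adv.component === c.name && compareVersions(c.version, adv.affectedBelow) < 0) {
          hits.push({
            application: app.application, owner: app.owner,
            component: c.name, installed: c.version,
            advisory: adv.id, fixedIn: adv.fixedIn,
          });
        }
      }
    }
  }
  return hits;
}

// 6.3.2.b: components declared in an application's build manifest that the
// inventory does not list, i.e. the inventory is incomplete.
function missingFromInventory(application, manifest, inventory) {
  const record = inventory.find((r) => r.application === application);
  const listed = new Set((record ? record.components : []).map((c) => `${c.name}@${c.version}`));
  return manifest.filter((d) => !listed.has(`${d.name}@${d.version}`));
}

// Constructed build manifest for checkout-service (stands in for a lock file).
const CHECKOUT_MANIFEST = [
  { name: "libfoo", version: "1.4.2" },
  { name: "json-parse", version: "3.0.1" },
  { name: "crypto-helper", version: "0.3.0" },
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(findAffected(SOFTWARE_INVENTORY, ADVISORIES));
  console.log(missingFromInventory("checkout-service", CHECKOUT_MANIFEST, SOFTWARE_INVENTORY));
}
```

Run with `node` to print the two result sets. The version comparison is deliberately numeric-only; inventories that record pre-release or vendor-suffixed version strings need a comparison matching the component's own versioning scheme, and the same applies to any real advisory feed used in place of the placeholder records.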
> **PCI DSS Requirement**

**6.3.3** All system components are protected from known vulnerabilities by installing applicable security patches/updates as follows:

- Critical or high-security patches/updates (identified according to the risk ranking process at Requirement 6.3.1) are installed within one month of release.
- All other applicable security patches/updates are installed within an appropriate time frame as determined by the entity (for example, within three months of release).

> **Assessment Findings (select one)**

| **In Place** | **Not Applicable** | **Not Tested** | **Not in Place** |
|---|---|---|---|
| ☐ | ☐ | ☐ | ☐ |

Describe why the assessment finding was selected. \<Enter Response Here\>

***Note**: Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.*

**Validation Method -- Customized Approach**

**Indicate** whether a Customized Approach was used: ☐ Yes ☐ No

**If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used. \<Enter Response Here\>

***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)*

**Validation Method -- Defined Approach**

**Indicate** whether a Compensating Control was used: ☐ Yes ☐ No

**If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used. \<Enter Response Here\>

***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)*

| **Testing Procedures** | **Reporting Instructions** | **Reporting Details: Assessor's Response** |
|---|---|---|
| **6.3.3.a** Examine policies and procedures to verify processes are defined for addressing vulnerabilities by installing applicable security patches/updates in accordance with all elements specified in this requirement. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **policies and procedures** examined for this testing procedure. | \<Enter Response Here\> |
| **6.3.3.b** Examine system components and related software and compare the list of installed security patches/updates to the most recent security patch/update information to verify vulnerabilities are addressed in accordance with all elements specified in this requirement. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **system components and related software** examined for this testing procedure. | \<Enter Response Here\> |
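The following is an added worked example in JavaScript (Node.js) and is not part of the PCI SSC template. It applies the two Requirement 6.3.3 time frames to a constructed patch inventory of the kind an assessor compares under 6.3.3.b, classifying each patch as installed on time, installed late, overdue, or still within its window. It assumes the risk ranking of each patch comes from the entity's Requirement 6.3.1 process and uses three months, the example value the requirement itself gives, as the entity-defined window for all other patches; the patch identifiers, component names and dates are constructed sample data.

```javascript
// Added example (not from the PCI DSS template): evaluates a constructed
// patch inventory against the Requirement 6.3.3 time frames.
// Assumptions: risk rankings come from the entity's 6.3.1 process, and the
// "appropriate time frame" for non-critical patches is three months, the
// example value the requirement itself gives.

const POLICY = {
  // rankings treated as "critical or high-security" under 6.3.3
  priorityRankings: new Set(["critical", "high"]),
  priorityMonths: 1, // install within one month of release
  otherMonths: 3,    // entity-defined; 6.3.3 cites three months as an example
};

// Parse "YYYY-MM-DD" as a UTC date so results do not depend on local time zone.
function parseDate(s) {
  const [y, m, d] = s.split("-").map(Number);
  return new Date(Date.UTC(y, m - 1, d));
}

// Add calendar months, clamping to the last day of the target month so
// 31 January + 1 month is 28/29 February rather than overflowing into March.
function addMonths(date, months) {
  const y = date.getUTCFullYear();
  const m = date.getUTCMonth() + months;
  const d = date.getUTCDate();
  const lastDay = new Date(Date.UTC(y, m + 1, 0)).getUTCDate();
  return new Date(Date.UTC(y, m, Math.min(d, lastDay)));
}

// Deadline for a patch: release date plus the window its ranking requires.
function deadlineFor(patch, policy = POLICY) {
  const months = policy.priorityRankings.has(patch.ranking.toLowerCase())
    ? policy.priorityMonths
    : policy.otherMonths;
  return addMonths(parseDate(patch.released), months);
}

// Classify each patch relative to its deadline as of `asOf` ("YYYY-MM-DD"):
//   compliant - installed on or before the deadline
//   late      - installed, but after the deadline
//   overdue   - not installed and the deadline has passed
//   pending   - not installed, deadline still in the future
function evaluatePatches(patches, asOf, policy = POLICY) {
  const now = parseDate(asOf);
  return patches.map((p) => {
    const deadline = deadlineFor(p, policy);
    let status;
    if (p.installed) {
      status = parseDate(p.installed) <= deadline ? "compliant" : "late";
    } else {
      status = now > deadline ? "overdue" : "pending";
    }
    return {
      id: p.id, component: p.component, ranking: p.ranking,
      deadline: deadline.toISOString().slice(0, 10), status,
    };
  });
}

// Count patches per status for the summary line of a report.
function summarize(results) {
  const counts = {};
  for (const r of results) counts[r.status] = (counts[r.status] || 0) + 1;
  return counts;
}

// Constructed sample inventory (illustrative data, not real patch identifiers).
const SAMPLE_PATCHES = [
  { id: "P-001", component: "web-app-server", ranking: "critical",
    released: "2024-01-31", installed: "2024-02-20" },
  { id: "P-002", component: "web-app-server", ranking: "high",
    released: "2024-01-10", installed: "2024-03-01" },
  { id: "P-003", component: "db-server", ranking: "medium",
    released: "2024-01-15", installed: null },
  { id: "P-004", component: "db-server", ranking: "low",
    released: "2024-03-01", installed: null },
];

if (typeof require !== "undefined" && require.main === module) {
  const results = evaluatePatches(SAMPLE_PATCHES, "2024-04-30");
  for (const r of results) {
    console.log(`${r.id} ${r.component} ${r.ranking} deadline=${r.deadline} ${r.status}`);
  }
  console.log(summarize(results));
}
```

Run with `node` to print one line per patch and a status summary. "Late" entries matter as much as "overdue" ones for an assessment: the requirement is met only if the installation date falls inside the window, so an installed patch is not automatically evidence of compliance.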
> **Requirement Description**

**6.4** Public-facing web applications are protected against attacks.

> **PCI DSS Requirement**

**6.4.1** For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis and these applications are protected against known attacks as follows:

- Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods as follows:
  - At least once every 12 months and after significant changes.
  - By an entity that specializes in application security.
  - Including, at a minimum, all common software attacks in Requirement 6.2.4.
  - All vulnerabilities are ranked in accordance with requirement 6.3.1.
  - All vulnerabilities are corrected.
  - The application is re-evaluated after the corrections.

  OR

- Installing an automated technical solution(s) that continually detects and prevents web-based attacks as follows:
  - Installed in front of public-facing web applications to detect and prevent web-based attacks.
  - Actively running and up to date as applicable.
  - Generating audit logs.
  - Configured to either block web-based attacks or generate an alert that is immediately investigated.

***Note:** This requirement will be **superseded** by Requirement 6.4.2 after **31 March 2025** when Requirement 6.4.2 becomes effective.*

> **Assessment Findings (select one)**

| **In Place** | **Not Applicable** | **Not Tested** | **Not in Place** |
|---|---|---|---|
| ☐ | ☐ | ☐ | ☐ |

Describe why the assessment finding was selected. \<Enter Response Here\>

***Note**: Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.*

**Validation Method -- Customized Approach**

**Indicate** whether a Customized Approach was used: ☐ Yes ☐ No

**If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used. \<Enter Response Here\>

***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)*

**Validation Method -- Defined Approach**

**Indicate** whether a Compensating Control was used: ☐ Yes ☐ No

**If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used. \<Enter Response Here\>

***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)*

> **Testing Procedures**

**6.4.1** For public-facing web applications, ensure that either one of the required methods is in place as follows:

- If manual or automated vulnerability security assessment tools or methods are in use, examine documented processes, interview personnel, and examine records of application security assessments to verify that public-facing web applications are reviewed in accordance with all elements of this requirement specific to the tool/method.

  OR

- If an automated technical solution(s) is installed that continually detects and prevents web-based attacks, examine the system configuration settings and audit logs, and interview responsible personnel to verify that the automated technical solution(s) is installed in accordance with all elements of this requirement specific to the solution(s).

| **Reporting Instructions** | **Reporting Details: Assessor's Response** |
|---|---|
| **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **documented processes** examined for this testing procedure. | \<Enter Response Here\> |
| **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **interview(s)** conducted for this testing procedure. | \<Enter Response Here\> |
| **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **records of application security assessments** examined for this testing procedure. | \<Enter Response Here\> |
| **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **system configuration settings** examined for this testing procedure. | \<Enter Response Here\> |
| **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **audit logs** examined for this testing procedure. | \<Enter Response Here\> |
> **PCI DSS Requirement**

**6.4.2** For public-facing web applications, an automated technical solution is deployed that continually detects and prevents web-based attacks, with at least the following:

- Is installed in front of public-facing web applications and is configured to detect and prevent web-based attacks.
- Actively running and up to date as applicable.
- Generating audit logs.
- Configured to either block web-based attacks or generate an alert that is immediately investigated.

***Note:** This requirement is a **best practice** until **31 March 2025**, after which it will be required and must be fully considered during a PCI DSS assessment. This new requirement will replace Requirement 6.4.1 once its effective date is reached.*

> **Assessment Findings (select one)**

| **In Place** | **Not Applicable** | **Not Tested** | **Not in Place** |
|---|---|---|---|
| ☐ | ☐ | ☐ | ☐ |

Describe why the assessment finding was selected. \<Enter Response Here\>

***Note**: Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.*

**Validation Method -- Customized Approach**

**Indicate** whether a Customized Approach was used: ☐ Yes ☐ No

**If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used. \<Enter Response Here\>

***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)*

**Validation Method -- Defined Approach**

**Indicate** whether a Compensating Control was used: ☐ Yes ☐ No

**If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used. \<Enter Response Here\>

***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)*

| **Testing Procedures** | **Reporting Instructions** | **Reporting Details: Assessor's Response** |
|---|---|---|
| **6.4.2** For public-facing web applications, examine the system configuration settings and audit logs, and interview responsible personnel to verify that an automated technical solution that detects and prevents web-based attacks is in place in accordance with all elements specified in this requirement. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **system configuration settings** examined for this testing procedure. | \<Enter Response Here\> |
| | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **audit logs** examined for this testing procedure. | \<Enter Response Here\> |
| | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **interview(s)** conducted for this testing procedure. | \<Enter Response Here\> |
+-----------------+----------------+---+--------------+-----------------+
| > **PCI DSS | | | | |
| > Requirement** | | | | |
+=================+================+===+==============+=================+
| **6.4.3** All | | | | |
| payment page | | | | |
| scripts that | | | | |
| are loaded and | | | | |
| executed in the | | | | |
| consumer\'s | | | | |
| browser are | | | | |
| managed as | | | | |
| follows: | | | | |
| | | | | |
| - A method is | | | | |
| implemented | | | | |
| to confirm | | | | |
| that each | | | | |
| script is | | | | |
| authorized. | | | | |
| | | | | |
| - A method is | | | | |
| implemented | | | | |
| to assure | | | | |
| the | | | | |
| integrity | | | | |
| of each | | | | |
| script. | | | | |
| | | | | |
| - An | | | | |
| inventory | | | | |
| of all | | | | |
| scripts is | | | | |
| maintained | | | | |
| with | | | | |
| written | | | | |
| | | | | |
| justification | | | | |
| as to why | | | | |
| each is | | | | |
| necessary. | | | | |
| | | | | |
| ***Note:** This | | | | |
| requirement is | | | | |
| a **best | | | | |
| practice** | | | | |
| until **31 | | | | |
| March 2025**, | | | | |
| after which it | | | | |
| will be | | | | |
| required and | | | | |
| must be fully | | | | |
| considered | | | | |
| during a PCI | | | | |
| DSS | | | | |
| assessment.* | | | | |
+-----------------+----------------+---+--------------+-----------------+
| > **Assessment | | | | |
| > Findings | | | | |
| > (select | | | | |
| > one)** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **In Place** | **Not | * | | **Not in |
| | Applicable** | * | | Place** |
| | | N | | |
| | | o | | |
| | | t | | |
| | | T | | |
| | | e | | |
| | | s | | |
| | | t | | |
| | | e | | |
| | | d | | |
| | | * | | |
| | | * | | |
+-----------------+----------------+---+--------------+-----------------+
| ☐ | ☐ | ☐ | | ☐ |
+-----------------+----------------+---+--------------+-----------------+
| Describe why | | \ | | |
| the assessment | | < | | |
| finding was | | E | | |
| selected. | | n | | |
| | | t | | |
| ***Note**: | | e | | |
| Include all | | r | | |
| details as | | R | | |
| noted in the | | e | | |
| "Required | | s | | |
| Reporting" | | p | | |
| column of the | | o | | |
| table in | | n | | |
| [Assessment | | s | | |
| F | | e | | |
| indings](#asses | | H | | |
| sment-findings) | | e | | |
| in the ROC | | r | | |
| Template | | e | | |
| Instructions.* | | \ | | |
| | | > | | |
+-----------------+----------------+---+--------------+-----------------+
| **Validation | | | | |
| Method -- | | | | |
| Customized | | | | |
| Approach** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **Indicate** | | | - Yes ☐ No | |
| whether a | | | | |
| Customized | | | | |
| Approach was | | | | |
| used: | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **If "Yes", | | | \<Enter | |
| Identify** the | | | Response | |
| aspect(s) of | | | Here\> | |
| the requirement | | | | |
| where the | | | | |
| Customized | | | | |
| Approach was | | | | |
| used. | | | | |
| | | | | |
| ***Note:** The | | | | |
| use of | | | | |
| Customized | | | | |
| Approach must | | | | |
| also be | | | | |
| documented in | | | | |
| [Appendix | | | | |
| E | | | | |
| .](#appendix-e- | | | | |
| customized-appr | | | | |
| oach-template)* | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **Validation | | | | |
| Method -- | | | | |
| Defined | | | | |
| Approach** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **Indicate** | | | - Yes ☐ No | |
| whether a | | | | |
| Compensating | | | | |
| Control was | | | | |
| used: | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **If "Yes", | | | \<Enter | |
| Identify** the | | | Response | |
| aspect(s) of | | | Here\> | |
| the requirement | | | | |
| where the | | | | |
| Compensating | | | | |
| Control(s) was | | | | |
| used. | | | | |
| | | | | |
| ***Note:** The | | | | |
| use of | | | | |
| Compensating | | | | |
| Controls must | | | | |
| also be | | | | |
| documented in | | | | |
| [Appendix | | | | |
| C.]( | | | | |
| #appendix-c-com | | | | |
| pensating-contr | | | | |
| ols-worksheet)* | | | | |
+-----------------+----------------+---+--------------+-----------------+

| **Testing Procedures** | **Reporting Instructions** | **Reporting Details: Assessor's Response** |
|---|---|---|
| **6.4.3.a** Examine policies and procedures to verify that processes are defined for managing all payment page scripts that are loaded and executed in the consumer's browser, in accordance with all elements specified in this requirement. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **policies and procedures** examined for this testing procedure. | \<Enter Response Here\> |
| **6.4.3.b** Interview responsible personnel and examine inventory records and system configurations to verify that all payment page scripts that are loaded and executed in the consumer's browser are managed in accordance with all elements specified in this requirement. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **interview(s)** conducted for this testing procedure. | \<Enter Response Here\> |
| | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **inventory records** examined for this testing procedure. | \<Enter Response Here\> |
| | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **system configurations** examined for this testing procedure. | \<Enter Response Here\> |

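
Testing procedure 6.4.3.b above has the assessor compare the scripts the payment page actually loads against the entity's inventory records. The block below is an added example, not part of the ROC template or of any PCI SSC material: it parses a constructed checkout page, resolves every script element to an identity, and checks each one against a constructed inventory. The page markup, the inventory layout (absolute script URL, or `inline#<id>` for an inline script, mapped to its written justification), and the use of Subresource Integrity `integrity` attributes as the entity's chosen script-integrity mechanism are all assumptions made for illustration, not anything the template prescribes.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed checkout page standing in for the entity's payment page (assumption).
# The integrity value is a placeholder; a real one is the base64 digest of the file.
PAYMENT_PAGE_URL = "https://pay.example.test/checkout"
PAYMENT_PAGE_HTML = """\
<html><head>
<script src="/static/checkout.js" integrity="sha384-constructed-placeholder" crossorigin="anonymous"></script>
<script src="https://cdn.example.test/analytics.js"></script>
<script id="cfg">window.cfg = {env: "test"};</script>
</head><body><form id="card"></form></body></html>
"""

# Constructed inventory records (assumed layout): each authorized script, as an
# absolute URL or "inline#<id>", mapped to its written justification.
SCRIPT_INVENTORY = {
    "https://pay.example.test/static/checkout.js": "Card entry form and tokenization call",
    "inline#cfg": "Runtime configuration for the checkout form",
    "https://pay.example.test/static/fraud-signals.js": "Device signals for fraud screening",
}


class _ScriptCollector(HTMLParser):
    """Collects every <script> element, external or inline, in document order."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._open = {"attrs": dict(attrs), "text": ""}
            self.scripts.append(self._open)

    def handle_data(self, data):
        if self._open is not None:
            self._open["text"] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._open = None


def loaded_scripts(html, page_url):
    """Return (identity, attributes) for every script the page would execute."""
    collector = _ScriptCollector()
    collector.feed(html)
    identities = []
    for script in collector.scripts:
        attrs = script["attrs"]
        if attrs.get("src"):
            identities.append((urljoin(page_url, attrs["src"]), attrs))
        else:
            # Inline scripts are tracked by their id attribute (assumed convention);
            # an unnamed inline script can never match an inventory entry.
            identities.append(("inline#" + (attrs.get("id") or "<unnamed>"), attrs))
    return identities


def check_script_inventory(html, page_url, inventory):
    """Compare the scripts on the page with the inventory records.

    Returns three lists:
      unauthorized      - scripts the page loads that are absent from the inventory
      missing_integrity - external scripts without an SRI integrity attribute
      stale             - inventory entries no longer present on the page
    """
    seen = set()
    result = {"unauthorized": [], "missing_integrity": [], "stale": []}
    for identity, attrs in loaded_scripts(html, page_url):
        seen.add(identity)
        if identity not in inventory:
            result["unauthorized"].append(identity)
        if attrs.get("src") and not attrs.get("integrity"):
            result["missing_integrity"].append(identity)
    result["stale"] = sorted(set(inventory) - seen)
    return result


if __name__ == "__main__":
    report = check_script_inventory(PAYMENT_PAGE_HTML, PAYMENT_PAGE_URL, SCRIPT_INVENTORY)
    for category, items in report.items():
        for item in items:
            print(f"{category}: {item}")
```

Run against the constructed page, the third-party analytics script is reported twice (it is neither in the inventory nor protected by an integrity attribute), and the fraud-signals entry is reported as stale, which is the kind of inventory drift the assessor is looking for when tracing inventory records to system configurations.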

**Requirement Description**

**6.5** Changes to all system components are managed securely.

**PCI DSS Requirement**

**6.5.1** Changes to all system components in the production environment are made according to established procedures that include:

- Reason for, and description of, the change.
- Documentation of security impact.
- Documented change approval by authorized parties.
- Testing to verify that the change does not adversely impact system security.
- For bespoke and custom software changes, all updates are tested for compliance with Requirement 6.2.4 before being deployed into production.
- Procedures to address failures and return to a secure state.

**Assessment Findings (select one)**

| **In Place** | **Not Applicable** | **Not Tested** | **Not in Place** |
|---|---|---|---|
| ☐ | ☐ | ☐ | ☐ |

Describe why the assessment finding was selected. \<Enter Response Here\>

***Note**: Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.*

**Validation Method -- Customized Approach**

**Indicate** whether a Customized Approach was used: ☐ Yes ☐ No

**If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used. \<Enter Response Here\>

***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)*


**Validation Method -- Defined Approach**

**Indicate** whether a Compensating Control was used: ☐ Yes ☐ No

**If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used. \<Enter Response Here\>

***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)*

| **Testing Procedures** | **Reporting Instructions** | **Reporting Details: Assessor's Response** |
|---|---|---|
| **6.5.1.a** Examine documented change control procedures to verify procedures are defined for changes to all system components in the production environment to include all elements specified in this requirement. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **documented change control procedures** examined for this testing procedure. | \<Enter Response Here\> |
| **6.5.1.b** Examine recent changes to system components and trace those changes back to related change control documentation. For each change examined, verify the change is implemented in accordance with all elements specified in this requirement. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **recent changes to system components** examined for this testing procedure. | \<Enter Response Here\> |
| | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **change control documentation** examined for this testing procedure. | \<Enter Response Here\> |


**PCI DSS Requirement**

**6.5.2** Upon completion of a significant change, all applicable PCI DSS requirements are confirmed to be in place on all new or changed systems and networks, and documentation is updated as applicable.

**Assessment Findings (select one)**

| **In Place** | **Not Applicable** | **Not Tested** | **Not in Place** |
|---|---|---|---|
| ☐ | ☐ | ☐ | ☐ |

Describe why the assessment finding was selected. \<Enter Response Here\>

***Note**: Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.*

**Validation Method -- Customized Approach**

**Indicate** whether a Customized Approach was used: ☐ Yes ☐ No

**If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used. \<Enter Response Here\>

***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)*

**Validation Method -- Defined Approach**

**Indicate** whether a Compensating Control was used: ☐ Yes ☐ No

**If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used. \<Enter Response Here\>

***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)*


| **Testing Procedures** | **Reporting Instructions** | **Reporting Details: Assessor's Response** |
|---|---|---|
| **6.5.2** Examine documentation for significant changes, interview personnel, and observe the affected systems/networks to verify that the entity confirmed applicable PCI DSS requirements were in place on all new or changed systems and networks and that documentation was updated as applicable. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **documentation** examined for this testing procedure. | \<Enter Response Here\> |
| | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **interview(s)** conducted for this testing procedure. | \<Enter Response Here\> |
| | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **observation(s) of the affected systems/networks** for this testing procedure. | \<Enter Response Here\> |


**PCI DSS Requirement**

**6.5.3** Pre-production environments are separated from production environments and the separation is enforced with access controls.

**Assessment Findings (select one)**

| **In Place** | **Not Applicable** | **Not Tested** | **Not in Place** |
|---|---|---|---|
| ☐ | ☐ | ☐ | ☐ |

Describe why the assessment finding was selected. \<Enter Response Here\>

***Note**: Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.*

**Validation Method -- Customized Approach**

**Indicate** whether a Customized Approach was used: ☐ Yes ☐ No

**If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used. \<Enter Response Here\>

***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)*

**Validation Method -- Defined Approach**

**Indicate** whether a Compensating Control was used: ☐ Yes ☐ No

**If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used. \<Enter Response Here\>

***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)*


| **Testing Procedures** | **Reporting Instructions** | **Reporting Details: Assessor's Response** |
|---|---|---|
| **6.5.3.a** Examine policies and procedures to verify that processes are defined for separating the pre-production environment from the production environment via access controls that enforce the separation. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **policies and procedures** examined for this testing procedure. | \<Enter Response Here\> |
| **6.5.3.b** Examine network documentation and configurations of network security controls to verify that the pre-production environment is separate from the production environment(s). | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **network documentation** examined for this testing procedure. | \<Enter Response Here\> |
| | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **configurations** examined for this testing procedure. | \<Enter Response Here\> |
| **6.5.3.c** Examine access control settings to verify that access controls are in place to enforce separation between the pre-production and production environment(s). | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **access control settings** examined for this testing procedure. | \<Enter Response Here\> |


**PCI DSS Requirement**

**6.5.4** Roles and functions are separated between production and pre-production environments to provide accountability such that only reviewed and approved changes are deployed.

**Assessment Findings (select one)**

| **In Place** | **Not Applicable** | **Not Tested** | **Not in Place** |
|---|---|---|---|
| ☐ | ☐ | ☐ | ☐ |

Describe why the assessment finding was selected. \<Enter Response Here\>

***Note**: Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.*

**Validation Method -- Customized Approach**

**Indicate** whether a Customized Approach was used: ☐ Yes ☐ No

**If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used. \<Enter Response Here\>

***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)*

**Validation Method -- Defined Approach**

**Indicate** whether a Compensating Control was used: ☐ Yes ☐ No

**If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used. \<Enter Response Here\>

***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)*


| **Testing Procedures** | **Reporting Instructions** | **Reporting Details: Assessor's Response** |
|---|---|---|
| **6.5.4.a** Examine policies and procedures to verify that processes are defined for separating roles and functions to provide accountability such that only reviewed and approved changes are deployed. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **policies and procedures** examined for this testing procedure. | \<Enter Response Here\> |
| **6.5.4.b** Observe processes and interview personnel to verify implemented controls separate roles and functions and provide accountability such that only reviewed and approved changes are deployed. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **observation(s) of processes** for this testing procedure. | \<Enter Response Here\> |
| | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **interview(s)** conducted for this testing procedure. | \<Enter Response Here\> |

**PCI DSS Requirement**

**6.5.5** Live PANs are not used in pre-production environments, except where those environments are included in the CDE and protected in accordance with all applicable PCI DSS requirements.

**Assessment Findings (select one)**

| **In Place** | **Not Applicable** | **Not Tested** | **Not in Place** |
|---|---|---|---|
| ☐ | ☐ | ☐ | ☐ |

Describe why the assessment finding was selected. \<Enter Response Here\>

***Note**: Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.*


**Validation Method -- Customized Approach**

**Indicate** whether a Customized Approach was used: ☐ Yes ☐ No

**If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used. \<Enter Response Here\>

***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)*

**Validation Method -- Defined Approach**

**Indicate** whether a Compensating Control was used: ☐ Yes ☐ No

**If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used. \<Enter Response Here\>

***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)*

| **Testing Procedures** | **Reporting Instructions** | **Reporting Details: Assessor's Response** |
|---|---|---|
| **6.5.5.a** Examine policies and procedures to verify that processes are defined for not using live PANs in pre-production environments, except where those environments are in a CDE and protected in accordance with all applicable PCI DSS requirements. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **policies and procedures** examined for this testing procedure. | \<Enter Response Here\> |
| **6.5.5.b** Observe testing processes and interview personnel to verify procedures are in place to ensure live PANs are not used in pre-production environments, except where those environments are in a CDE and protected in accordance with all applicable PCI DSS requirements. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **observation(s) of the testing processes** for this testing procedure. | \<Enter Response Here\> |
| | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **interview(s)** conducted for this testing procedure. | \<Enter Response Here\> |

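
Testing procedure 6.5.5.b above, and 6.5.5.c that follows, have the assessor confirm that live PANs are absent from pre-production test data. The block below is an added example, not part of the ROC template or of any PCI SSC material: it scans a constructed test fixture for 13- to 19-digit sequences, keeps only those that pass the Luhn check (so order and tracking numbers are not flagged), and then excludes numbers on the entity's documented test-card list. The fixture lines, the existence and contents of the allowlist (two widely published test PANs), and the masking applied to findings (first six and last four digits, the most PCI DSS Requirement 3.4.1 allows to be displayed) are all assumptions made for illustration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed stand-in for the entity's documented list of test card numbers
# permitted in pre-production (assumption: such a list is maintained).
# Both values are widely published Luhn-valid test PANs, not live card numbers.
DOCUMENTED_TEST_PANS = {"4111111111111111", "5555555555554444"}

# Constructed pre-production fixture. Line 2 holds a Luhn-valid number that is
# not on the test list; line 3 is the same number with its check digit changed.
SAMPLE_FIXTURE = """\
order_id=8675309000001 customer=test1 pan=4111111111111111
order_id=8675309000002 customer=test2 pan=4556 7375 8689 9855
order_id=8675309000003 customer=test3 pan=4556737586899856
shipment tracking=1234567890123 carrier=acme
"""

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer run of digits.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the first six and last four digits for the report."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass(frozen=True)
class Finding:
    line_no: int
    masked_pan: str


def scan_for_live_pans(text: str, allowed_test_pans=DOCUMENTED_TEST_PANS) -> list[Finding]:
    """Report every Luhn-valid, card-number-shaped value not on the test-card list."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in _CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if not luhn_valid(digits):
                continue  # shaped like a PAN but not one (order numbers, tracking IDs)
            if digits in allowed_test_pans:
                continue  # documented test card, permitted in pre-production
            findings.append(Finding(line_no, mask(digits)))
    return findings


if __name__ == "__main__":
    for finding in scan_for_live_pans(SAMPLE_FIXTURE):
        print(f"line {finding.line_no}: possible live PAN {finding.masked_pan}")
```

On the constructed fixture only line 2 is reported. Lines 1 and 4 show the two ways a scan stays useful rather than noisy: a documented test PAN is accepted without a finding, and a 13-digit tracking number is rejected by the Luhn check rather than by its shape. A number that fails Luhn, as on line 3, is not a PAN and is not reported; the scanner never writes a full candidate into its output.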

| **Testing Procedures** | **Reporting Instructions** | **Reporting Details: Assessor's Response** |
|---|---|---|
| **6.5.5.c** Examine pre-production test data to verify live PANs are not used in pre-production environments, except where those environments are in a CDE and protected in accordance with all applicable PCI DSS requirements. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **pre-production test data** examined for this testing procedure. | \<Enter Response Here\> |

**PCI DSS Requirement**

**6.5.6** Test data and test accounts are removed from system components before the system goes into production.

**Assessment Findings (select one)**

| **In Place** | **Not Applicable** | **Not Tested** | **Not in Place** |
|---|---|---|---|
| ☐ | ☐ | ☐ | ☐ |

Describe why the assessment finding was selected. \<Enter Response Here\>

***Note**: Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.*

+-----------------+----------------+---+--------------+-----------------+
| **Validation | | | | |
| Method -- | | | | |
| Customized | | | | |
| Approach** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **Indicate** | | | - Yes ☐ No | |
| whether a | | | | |
| Customized | | | | |
| Approach was | | | | |
| used: | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **If "Yes", | | | \<Enter | |
| Identify** the | | | Response | |
| aspect(s) of | | | Here\> | |
| the requirement | | | | |
| where the | | | | |
| Customized | | | | |
| Approach was | | | | |
| used. | | | | |
| | | | | |
| ***Note:** The | | | | |
| use of | | | | |
| Customized | | | | |
| Approach must | | | | |
| also be | | | | |
| documented in | | | | |
| [Appendix | | | | |
| E | | | | |
| .](#appendix-e- | | | | |
| customized-appr | | | | |
| oach-template)* | | | | |
+-----------------+----------------+---+--------------+-----------------+
+-----------------+-------------------+--------------------------------+
| **Validation | | |
| Method -- | | |
| Defined | | |
| Approach** | | |
+=================+===================+================================+
| **Indicate** | | - Yes ☐ No |
| whether a | | |
| Compensating | | |
| Control was | | |
| used: | | |
+-----------------+-------------------+--------------------------------+
| **If "Yes", | | \<Enter Response Here\> |
| Identify** the | | |
| aspect(s) of | | |
| the requirement | | |
| where the | | |
| Compensating | | |
| Control(s) was | | |
| used. | | |
| | | |
| ***Note:** The | | |
| use of | | |
| Compensating | | |
| Controls must | | |
| also be | | |
| documented in | | |
| [Appendix | | |
| C.]( | | |
| #appendix-c-com | | |
| pensating-contr | | |
| ols-worksheet)* | | |
+-----------------+-------------------+--------------------------------+
| > **Testing | > **Reporting | > **Reporting Details: |
| > Procedures** | > Instructions** | > Assessor's Response** |
+-----------------+-------------------+--------------------------------+
| **6.5.6.a** | **Identify** the | \<Enter Response Here\> |
| Examine | evidence | |
| policies and | reference | |
| procedures to | number(s) from | |
| verify that | [Section | |
| processes are | 6 | |
| defined for | ](#evidence-asses | |
| removal of test | sment-workpapers) | |
| data and test | for all | |
| accounts from | **policies and | |
| system | procedures** | |
| components | examined for this | |
| before the | testing | |
| system goes | procedure. | |
| into | | |
| production. | | |
+-----------------+-------------------+--------------------------------+
| **6.5.6.b** | **Identify** the | \<Enter Response Here\> |
| Observe testing | evidence | |
| processes for | reference | |
| both | number(s) from | |
| off-the-shelf | [Section | |
| software and | 6 | |
| in- house | ](#evidence-asses | |
| applications, | sment-workpapers) | |
| and interview | for all | |
| personnel to | **observation(s) | |
| verify test | of the testing | |
| data and test | processes** for | |
| accounts are | this testing | |
| removed before | procedure. | |
| a system goes | | |
| into | | |
| production. | | |
+-----------------+-------------------+--------------------------------+
| | **Identify** the | \<Enter Response Here\> |
| | evidence | |
| | reference | |
| | number(s) from | |
| | [Section | |
| | 6 | |
| | ](#evidence-asses | |
| | sment-workpapers) | |
| | for all | |
| | **interview(s)** | |
| | conducted for | |
| | this testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+
| **6.5.6.c** | **Identify** the | \<Enter Response Here\> |
| Examine data | evidence | |
| and accounts | reference | |
| for recently | number(s) from | |
| installed or | [Section | |
| updated off- | 6 | |
| the-shelf | ](#evidence-asses | |
| software and | sment-workpapers) | |
| in-house | for all **data** | |
| applications to | examined for this | |
| verify there is | testing | |
| no test data or | procedure. | |
| test accounts | | |
| on systems in | | |
| production. | | |
+-----------------+-------------------+--------------------------------+
| | **Identify** the | \<Enter Response Here\> |
| | evidence | |
| | reference | |
| | number(s) from | |
| | [Section | |
| | 6 | |
| | ](#evidence-asses | |
| | sment-workpapers) | |
| | for all | |
| | **accounts** | |
| | examined for this | |
| | testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+
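Testing procedures 6.5.5.c and 6.5.6.c both come down to looking for card numbers where they should not be: possible live PANs in pre-production test data, and leftover test numbers in production. The script below is an added example, not part of the ROC template or of any PCI SSC material. It extracts 13-19 digit candidates, keeps those that pass the Luhn check, and then reports either Luhn-valid numbers that are not on the approved test list (pre-production, 6.5.5.c) or approved test numbers that survived into production (6.5.6.c). The approved-test-number list is an assumption (an entity would use the numbers its processor publishes for testing), the CSV fixture is constructed, and 4920376512098347 was built for the example to pass Luhn; it is not known to belong to any issuer. Findings carry only a masked PAN (first six, last four) so the evidence workpaper does not itself become cardholder data.

```python
import re
from typing import Dict, List

# Candidate: 13-19 digits, optionally separated by single spaces or dashes,
# not adjacent to other digits (so a 20-digit order ID is never a candidate).
# Deliberately broad; the Luhn check and allowlist below do the filtering.
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")

# Published test card numbers are Luhn-valid but are not live PANs. An entity
# would maintain its own list of approved test numbers; these two are assumed
# examples for this script.
APPROVED_TEST_PANS = {"4111111111111111", "5555555555554444"}


def luhn_valid(digits: str) -> bool:
    """Luhn check: every second digit from the right is doubled (minus 9 if
    the result exceeds 9); the total must be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits, so the finding itself
    is not a full PAN that would need protecting."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str, environment: str, source: str = "<memory>") -> List[Dict[str, object]]:
    """Scan text line by line.

    environment="preprod": report Luhn-valid numbers that are NOT approved test
        PANs; each is a possible live PAN in test data (6.5.5.c).
    environment="prod": report approved test PANs; they should have been removed
        before the system went live (6.5.6.c).
    """
    if environment not in ("preprod", "prod"):
        raise ValueError("environment must be 'preprod' or 'prod'")
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if not luhn_valid(digits):
                continue  # roughly nine in ten random digit strings fail Luhn
            is_test = digits in APPROVED_TEST_PANS
            if environment == "preprod" and not is_test:
                reason = "possible live PAN in pre-production data"
            elif environment == "prod" and is_test:
                reason = "test PAN still present in production"
            else:
                continue
            findings.append({"source": source, "line": lineno,
                             "pan": mask_pan(digits), "reason": reason})
    return findings


# Constructed sample of a pre-production fixture file; none of these rows come
# from a real system. The 1004 card number was built to pass Luhn and is not
# on the approved test list, which is exactly what 6.5.5.c is looking for.
SAMPLE_FIXTURE = """\
customer_id,card_number,note
1001,4111 1111 1111 1111,approved test card
1002,5555-5555-5555-4444,approved test card
1003,4111111111111112,fails Luhn (typo)
1004,4920376512098347,Luhn-valid and not an approved test number
1005,20240101123456789012,20-digit order id is never a candidate
"""

if __name__ == "__main__":
    for env in ("preprod", "prod"):
        for finding in scan_text(SAMPLE_FIXTURE, env, source="fixture.csv"):
            print(env, finding)
```

A Luhn hit is a candidate, not proof: about one random digit string in ten passes the check, so each pre-production finding still has to be confirmed with the data owner and weighed against the 6.5.5 exception (a pre-production environment that sits inside the CDE and is protected like one). Run the same scan over database exports, log files and configuration, not just fixture files.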
## Implement Strong Access Control Measures {#implement-strong-access-control-measures .unnumbered}
### Requirement 7: Restrict Access to System Components and Cardholder Data by Business Need to Know {#requirement-7-restrict-access-to-system-components-and-cardholder-data-by-business-need-to-know .unnumbered}
**Requirement Description**

**7.1** Processes and mechanisms for restricting access to system components and cardholder data by business need to know are defined and understood.

**PCI DSS Requirement**

**7.1.1** All security policies and operational procedures that are identified in Requirement 7 are:

- Documented.
- Kept up to date.
- In use.
- Known to all affected parties.

**Assessment Findings (select one)**

| In Place | Not Applicable | Not Tested | Not in Place |
|:---:|:---:|:---:|:---:|
| ☐ | ☐ | ☐ | ☐ |

Describe why the assessment finding was selected. \<Enter Response Here\>

***Note:** Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.*

**Validation Method -- Customized Approach**

**Indicate** whether a Customized Approach was used: ☐ Yes ☐ No

**If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used. \<Enter Response Here\>

***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)*

**Validation Method -- Defined Approach**

**Indicate** whether a Compensating Control was used: ☐ Yes ☐ No

**If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used. \<Enter Response Here\>

***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)*

| Testing Procedures | Reporting Instructions | Reporting Details: Assessor's Response |
|---|---|---|
| **7.1.1** Examine documentation and interview personnel to verify that security policies and operational procedures identified in Requirement 7 are managed in accordance with all elements specified in this requirement. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **documentation** examined for this testing procedure. | \<Enter Response Here\> |
| | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **interview(s)** conducted for this testing procedure. | \<Enter Response Here\> |
**PCI DSS Requirement**

**7.1.2** Roles and responsibilities for performing activities in Requirement 7 are documented, assigned, and understood.

**Assessment Findings (select one)**

| In Place | Not Applicable | Not Tested | Not in Place |
|:---:|:---:|:---:|:---:|
| ☐ | ☐ | ☐ | ☐ |

Describe why the assessment finding was selected. \<Enter Response Here\>

***Note:** Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.*

**Validation Method -- Customized Approach**

**Indicate** whether a Customized Approach was used: ☐ Yes ☐ No

**If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used. \<Enter Response Here\>

***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)*

**Validation Method -- Defined Approach**

**Indicate** whether a Compensating Control was used: ☐ Yes ☐ No

**If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used. \<Enter Response Here\>

***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)*

| Testing Procedures | Reporting Instructions | Reporting Details: Assessor's Response |
|---|---|---|
| **7.1.2.a** Examine documentation to verify that descriptions of roles and responsibilities for performing activities in Requirement 7 are documented and assigned. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **documentation** examined for this testing procedure. | \<Enter Response Here\> |
| **7.1.2.b** Interview personnel with responsibility for performing activities in Requirement 7 to verify that roles and responsibilities are assigned as documented and are understood. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **interview(s)** conducted for this testing procedure. | \<Enter Response Here\> |
**Requirement Description**

**7.2** Access to system components and data is appropriately defined and assigned.

**PCI DSS Requirement**

**7.2.1** An access control model is defined and includes granting access as follows:

- Appropriate access depending on the entity's business and access needs.
- Access to system components and data resources that is based on users' job classification and functions.
- The least privileges required (for example, user, administrator) to perform a job function.

**Assessment Findings (select one)**

| In Place | Not Applicable | Not Tested | Not in Place |
|:---:|:---:|:---:|:---:|
| ☐ | ☐ | ☐ | ☐ |

Describe why the assessment finding was selected. \<Enter Response Here\>

***Note:** Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.*

**Validation Method -- Customized Approach**

**Indicate** whether a Customized Approach was used: ☐ Yes ☐ No

**If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used. \<Enter Response Here\>

***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)*

**Validation Method -- Defined Approach**

**Indicate** whether a Compensating Control was used: ☐ Yes ☐ No

**If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used. \<Enter Response Here\>

***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)*

| Testing Procedures | Reporting Instructions | Reporting Details: Assessor's Response |
|---|---|---|
| **7.2.1.a** Examine documented policies and procedures and interview personnel to verify the access control model is defined in accordance with all elements specified in this requirement. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **documented policies and procedures** examined for this testing procedure. | \<Enter Response Here\> |
| | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **interview(s)** conducted for this testing procedure. | \<Enter Response Here\> |
| **7.2.1.b** Examine access control model settings and verify that access needs are appropriately defined in accordance with all elements specified in this requirement. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **access control model settings** examined for this testing procedure. | \<Enter Response Here\> |

**PCI DSS Requirement**

**7.2.2** Access is assigned to users, including privileged users, based on:

- Job classification and function.
- Least privileges necessary to perform job responsibilities.

**Assessment Findings (select one)**

| In Place | Not Applicable | Not Tested | Not in Place |
|:---:|:---:|:---:|:---:|
| ☐ | ☐ | ☐ | ☐ |

Describe why the assessment finding was selected. \<Enter Response Here\>

***Note:** Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.*

**Validation Method -- Customized Approach**

**Indicate** whether a Customized Approach was used: ☐ Yes ☐ No

**If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used. \<Enter Response Here\>

***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)*

**Validation Method -- Defined Approach**

**Indicate** whether a Compensating Control was used: ☐ Yes ☐ No

**If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used. \<Enter Response Here\>

***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)*

| Testing Procedures | Reporting Instructions | Reporting Details: Assessor's Response |
|---|---|---|
| **7.2.2.a** Examine policies and procedures to verify they cover assigning access to users in accordance with all elements specified in this requirement. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **policies and procedures** examined for this testing procedure. | \<Enter Response Here\> |
| **7.2.2.b** Examine user access settings, including for privileged users, and interview responsible management personnel to verify that privileges assigned are in accordance with all elements specified in this requirement. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **user access settings** examined for this testing procedure. | \<Enter Response Here\> |
| | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **interview(s)** conducted for this testing procedure. | \<Enter Response Here\> |
| **7.2.2.c** Interview personnel responsible for assigning access to verify that privileged user access is assigned in accordance with all elements specified in this requirement. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **interview(s)** conducted for this testing procedure. | \<Enter Response Here\> |
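Testing procedures 7.2.1.b and 7.2.2.b compare the documented access control model with what the systems actually grant. The script below is an added example, not code from the ROC template or from any PCI SSC tool: given a role model (job function to the privileges that function needs) and an export of granted privileges, it reports users whose grants exceed their job function, separates grants the entity classifies as privileged, and flags accounts with no job classification at all, since access for those cannot be "based on job classification." The role model, privilege names, privileged-set and user records are all invented for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed role model (the 7.2.1 access control model): each job function
# maps to the least set of privileges needed to perform it. Names are invented.
ROLE_MODEL: Dict[str, Set[str]] = {
    "cashier":       {"pos.sale", "pos.refund"},
    "store_manager": {"pos.sale", "pos.refund", "pos.void", "reports.daily"},
    "dba":           {"db.read", "db.write", "db.schema"},
}

# Privileges the entity treats as privileged access (assumed for the example);
# 7.2.2 applies to these grants as much as to ordinary ones.
PRIVILEGED: Set[str] = {"pos.void", "db.schema", "os.root"}


@dataclass
class UserAccess:
    user_id: str
    job_function: Optional[str]   # None: no job classification recorded
    privileges: Set[str]          # what the system actually grants


def review_access(users: List[UserAccess],
                  role_model: Dict[str, Set[str]] = ROLE_MODEL,
                  privileged: Set[str] = PRIVILEGED) -> List[Tuple[str, str, List[str]]]:
    """Compare granted privileges with the role model. Returns
    (user_id, finding, privileges) tuples for anything needing follow-up;
    a user granted less than the role allows is not a finding."""
    findings: List[Tuple[str, str, List[str]]] = []
    for u in users:
        needed = role_model.get(u.job_function or "")
        if needed is None:
            # No job function (or one absent from the model): every grant is
            # unexplained, so report all of them.
            findings.append((u.user_id, "no job function in role model", sorted(u.privileges)))
            continue
        excess = sorted(u.privileges - needed)
        if not excess:
            continue
        if any(p in privileged for p in excess):
            kind = "excess privileged access"
        else:
            kind = "excess privilege"
        findings.append((u.user_id, kind, excess))
    return findings


# Constructed export of granted access; not from any real system.
SAMPLE_USERS = [
    UserAccess("u1001", "cashier", {"pos.sale", "pos.refund"}),                      # matches role
    UserAccess("u1002", "cashier", {"pos.sale", "pos.refund", "reports.daily"}),     # extra report access
    UserAccess("u2001", "store_manager", {"pos.sale", "pos.void", "reports.daily"}),  # less than role: fine
    UserAccess("u3001", "dba", {"db.read", "db.write", "db.schema", "os.root"}),      # root not in model
    UserAccess("svc-etl", None, {"db.read"}),                                         # no job function
]

if __name__ == "__main__":
    for user_id, kind, privs in review_access(SAMPLE_USERS):
        print(f"{user_id}: {kind}: {', '.join(privs)}")
```

Each finding maps to a specific line of the requirement: "excess privilege" and "excess privileged access" are failures of the least-privilege element, and "no job function in role model" is a failure of the job-classification element. The output is the starting point for the interviews in 7.2.2.b and 7.2.2.c, not a substitute for them; the assessor still has to confirm with management that the role model itself reflects business need.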
**PCI DSS Requirement**

**7.2.3** Required privileges are approved by authorized personnel.

**Assessment Findings (select one)**

| In Place | Not Applicable | Not Tested | Not in Place |
|:---:|:---:|:---:|:---:|
| ☐ | ☐ | ☐ | ☐ |

Describe why the assessment finding was selected. \<Enter Response Here\>

***Note:** Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.*

**Validation Method -- Customized Approach**

**Indicate** whether a Customized Approach was used: ☐ Yes ☐ No

**If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used. \<Enter Response Here\>

***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)*

**Validation Method -- Defined Approach**

**Indicate** whether a Compensating Control was used: ☐ Yes ☐ No

**If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used. \<Enter Response Here\>

***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)*

+----------------------------------------------+----------------------------------------------------+--------------------------+
| **Testing Procedures**                       | **Reporting Instructions**                         | **Reporting Details:     |
|                                              |                                                    | Assessor's Response**    |
+==============================================+====================================================+==========================+
| **7.2.3.a** Examine policies and procedures  | **Identify** the evidence reference number(s)      | \<Enter Response Here\>  |
| to verify they define processes for approval | from [Section 6](#evidence-assessment-workpapers)  |                          |
| of all privileges by authorized personnel.   | for all **policies and procedures** examined for   |                          |
|                                              | this testing procedure.                            |                          |
+----------------------------------------------+----------------------------------------------------+--------------------------+
| **7.2.3.b** Examine user IDs and assigned    | **Identify** the evidence reference number(s)      | \<Enter Response Here\>  |
| privileges, and compare with documented      | from [Section 6](#evidence-assessment-workpapers)  |                          |
| approvals to verify that:                    | for all **user IDs and assigned privileges**       |                          |
|                                              | examined for this testing procedure.               |                          |
| - Documented approval exists for the         |                                                    |                          |
|   assigned privileges.                       |                                                    |                          |
|                                              |                                                    |                          |
| - The approval was by authorized personnel.  |                                                    |                          |
|                                              |                                                    |                          |
| - Specified privileges match the roles       |                                                    |                          |
|   assigned to the individual.                |                                                    |                          |
+----------------------------------------------+----------------------------------------------------+--------------------------+
|                                              | **Identify** the evidence reference number(s)      | \<Enter Response Here\>  |
|                                              | from [Section 6](#evidence-assessment-workpapers)  |                          |
|                                              | for all **documented approvals** examined for      |                          |
|                                              | this testing procedure.                            |                          |
+----------------------------------------------+----------------------------------------------------+--------------------------+


+-----------------------------------------------------------------------------------------+
| **PCI DSS Requirement**                                                                 |
+=========================================================================================+
| **7.2.4** All user accounts and related access privileges, including                    |
| third-party/vendor accounts, are reviewed as follows:                                   |
|                                                                                         |
| - At least once every six months.                                                       |
|                                                                                         |
| - To ensure user accounts and access remain appropriate based on job function.          |
|                                                                                         |
| - Any inappropriate access is addressed.                                                |
|                                                                                         |
| - Management acknowledges that access remains appropriate.                              |
|                                                                                         |
| ***Note:** This requirement is a **best practice** until **31 March 2025**,             |
| after which it will be required and must be fully considered during                     |
| a PCI DSS assessment.*                                                                  |
+-----------------------------------------------------------------------------------------+

+-----------------------+-----------------------+-----------------------+-----------------------+
| **Assessment Findings |                       |                       |                       |
| (select one)**        |                       |                       |                       |
+=======================+=======================+=======================+=======================+
| **In Place**          | **Not Applicable**    | **Not Tested**        | **Not in Place**      |
+-----------------------+-----------------------+-----------------------+-----------------------+
| ☐                     | ☐                     | ☐                     | ☐                     |
+-----------------------+-----------------------+-----------------------+-----------------------+

+--------------------------------------------------------------+--------------------------+
| Describe why the assessment finding was selected.            | \<Enter Response Here\>  |
|                                                              |                          |
| ***Note**: Include all details as noted in the "Required     |                          |
| Reporting" column of the table in                            |                          |
| [Assessment Findings](#assessment-findings) in the ROC       |                          |
| Template Instructions.*                                      |                          |
+--------------------------------------------------------------+--------------------------+
| **Validation Method -- Customized Approach**                 |                          |
+--------------------------------------------------------------+--------------------------+
| **Indicate** whether a Customized Approach was used:         | ☐ Yes ☐ No               |
+--------------------------------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>  |
| where the Customized Approach was used.                      |                          |
|                                                              |                          |
| ***Note:** The use of Customized Approach must also be       |                          |
| documented in                                                |                          |
| [Appendix E.](#appendix-e-customized-approach-template)*     |                          |
+--------------------------------------------------------------+--------------------------+
| **Validation Method -- Defined Approach**                    |                          |
+--------------------------------------------------------------+--------------------------+
| **Indicate** whether a Compensating Control was used:        | ☐ Yes ☐ No               |
+--------------------------------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>  |
| where the Compensating Control(s) was used.                  |                          |
|                                                              |                          |
| ***Note:** The use of Compensating Controls must also be     |                          |
| documented in                                                |                          |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*  |                          |
+--------------------------------------------------------------+--------------------------+

+----------------------------------------------+----------------------------------------------------+--------------------------+
| **Testing Procedures**                       | **Reporting Instructions**                         | **Reporting Details:     |
|                                              |                                                    | Assessor's Response**    |
+==============================================+====================================================+==========================+
| **7.2.4.a** Examine policies and procedures  | **Identify** the evidence reference number(s)      | \<Enter Response Here\>  |
| to verify they define processes to review    | from [Section 6](#evidence-assessment-workpapers)  |                          |
| all user accounts and related access         | for all **policies and procedures** examined for   |                          |
| privileges, including third-party/vendor     | this testing procedure.                            |                          |
| accounts, in accordance with all elements    |                                                    |                          |
| specified in this requirement.               |                                                    |                          |
+----------------------------------------------+----------------------------------------------------+--------------------------+
| **7.2.4.b** Interview responsible personnel  | **Identify** the evidence reference number(s)      | \<Enter Response Here\>  |
| and examine documented results of periodic   | from [Section 6](#evidence-assessment-workpapers)  |                          |
| reviews of user accounts to verify that all  | for all **interview(s)** conducted for this        |                          |
| the results are in accordance with all       | testing procedure.                                 |                          |
| elements specified in this requirement.      |                                                    |                          |
+----------------------------------------------+----------------------------------------------------+--------------------------+
|                                              | **Identify** the evidence reference number(s)      | \<Enter Response Here\>  |
|                                              | from [Section 6](#evidence-assessment-workpapers)  |                          |
|                                              | for the **documented results of periodic           |                          |
|                                              | reviews of user accounts** examined for this       |                          |
|                                              | testing procedure.                                 |                          |
+----------------------------------------------+----------------------------------------------------+--------------------------+


+-----------------------------------------------------------------------------------------+
| **PCI DSS Requirement**                                                                 |
+=========================================================================================+
| **7.2.5** All application and system accounts and related access privileges are        |
| assigned and managed as follows:                                                        |
|                                                                                         |
| - Based on the least privileges necessary for the operability of the system or         |
|   application.                                                                          |
|                                                                                         |
| - Access is limited to the systems, applications, or processes that specifically       |
|   require their use.                                                                    |
|                                                                                         |
| ***Note:** This requirement is a **best practice** until **31 March 2025**,             |
| after which it will be required and must be fully considered during                     |
| a PCI DSS assessment.*                                                                  |
+-----------------------------------------------------------------------------------------+

+-----------------------+-----------------------+-----------------------+-----------------------+
| **Assessment Findings |                       |                       |                       |
| (select one)**        |                       |                       |                       |
+=======================+=======================+=======================+=======================+
| **In Place**          | **Not Applicable**    | **Not Tested**        | **Not in Place**      |
+-----------------------+-----------------------+-----------------------+-----------------------+
| ☐                     | ☐                     | ☐                     | ☐                     |
+-----------------------+-----------------------+-----------------------+-----------------------+

+--------------------------------------------------------------+--------------------------+
| Describe why the assessment finding was selected.            | \<Enter Response Here\>  |
|                                                              |                          |
| ***Note**: Include all details as noted in the "Required     |                          |
| Reporting" column of the table in                            |                          |
| [Assessment Findings](#assessment-findings) in the ROC       |                          |
| Template Instructions.*                                      |                          |
+--------------------------------------------------------------+--------------------------+
| **Validation Method -- Customized Approach**                 |                          |
+--------------------------------------------------------------+--------------------------+
| **Indicate** whether a Customized Approach was used:         | ☐ Yes ☐ No               |
+--------------------------------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>  |
| where the Customized Approach was used.                      |                          |
|                                                              |                          |
| ***Note:** The use of Customized Approach must also be       |                          |
| documented in                                                |                          |
| [Appendix E.](#appendix-e-customized-approach-template)*     |                          |
+--------------------------------------------------------------+--------------------------+
| **Validation Method -- Defined Approach**                    |                          |
+--------------------------------------------------------------+--------------------------+
| **Indicate** whether a Compensating Control was used:        | ☐ Yes ☐ No               |
+--------------------------------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>  |
| where the Compensating Control(s) was used.                  |                          |
|                                                              |                          |
| ***Note:** The use of Compensating Controls must also be     |                          |
| documented in                                                |                          |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*  |                          |
+--------------------------------------------------------------+--------------------------+

+----------------------------------------------+----------------------------------------------------+--------------------------+
| **Testing Procedures**                       | **Reporting Instructions**                         | **Reporting Details:     |
|                                              |                                                    | Assessor's Response**    |
+==============================================+====================================================+==========================+
| **7.2.5.a** Examine policies and procedures  | **Identify** the evidence reference number(s)      | \<Enter Response Here\>  |
| to verify they define processes to manage    | from [Section 6](#evidence-assessment-workpapers)  |                          |
| and assign application and system accounts   | for all **policies and procedures** examined for   |                          |
| and related access privileges in accordance  | this testing procedure.                            |                          |
| with all elements specified in this          |                                                    |                          |
| requirement.                                 |                                                    |                          |
+----------------------------------------------+----------------------------------------------------+--------------------------+
| **7.2.5.b** Examine privileges associated    | **Identify** the evidence reference number(s)      | \<Enter Response Here\>  |
| with system and application accounts and     | from [Section 6](#evidence-assessment-workpapers)  |                          |
| interview responsible personnel to verify    | for all **privileges associated with system        |                          |
| that application and system accounts and     | and application accounts** examined for this       |                          |
| related access privileges are assigned and   | testing procedure.                                 |                          |
| managed in accordance with all elements      |                                                    |                          |
| specified in this requirement.               |                                                    |                          |
+----------------------------------------------+----------------------------------------------------+--------------------------+
|                                              | **Identify** the evidence reference number(s)      | \<Enter Response Here\>  |
|                                              | from [Section 6](#evidence-assessment-workpapers)  |                          |
|                                              | for all **interview(s)** conducted for this        |                          |
|                                              | testing procedure.                                 |                          |
+----------------------------------------------+----------------------------------------------------+--------------------------+


+-----------------------------------------------------------------------------------------+
| **PCI DSS Requirement**                                                                 |
+=========================================================================================+
| **7.2.5.1** All access by application and system accounts and related access           |
| privileges are reviewed as follows:                                                     |
|                                                                                         |
| - Periodically (at the frequency defined in the entity's targeted risk analysis,       |
|   which is performed according to all elements specified in Requirement 12.3.1).       |
|                                                                                         |
| - The application/system access remains appropriate for the function being performed.  |
|                                                                                         |
| - Any inappropriate access is addressed.                                                |
|                                                                                         |
| - Management acknowledges that access remains appropriate.                              |
|                                                                                         |
| ***Note:** This requirement is a **best practice** until **31 March 2025**,             |
| after which it will be required and must be fully considered during                     |
| a PCI DSS assessment.*                                                                  |
+-----------------------------------------------------------------------------------------+

+-----------------------+-----------------------+-----------------------+-----------------------+
| **Assessment Findings |                       |                       |                       |
| (select one)**        |                       |                       |                       |
+=======================+=======================+=======================+=======================+
| **In Place**          | **Not Applicable**    | **Not Tested**        | **Not in Place**      |
+-----------------------+-----------------------+-----------------------+-----------------------+
| ☐                     | ☐                     | ☐                     | ☐                     |
+-----------------------+-----------------------+-----------------------+-----------------------+

+--------------------------------------------------------------+--------------------------+
| Describe why the assessment finding was selected.            | \<Enter Response Here\>  |
|                                                              |                          |
| ***Note**: Include all details as noted in the "Required     |                          |
| Reporting" column of the table in                            |                          |
| [Assessment Findings](#assessment-findings) in the ROC       |                          |
| Template Instructions.*                                      |                          |
+--------------------------------------------------------------+--------------------------+
| **Validation Method -- Customized Approach**                 |                          |
+--------------------------------------------------------------+--------------------------+
| **Indicate** whether a Customized Approach was used:         | ☐ Yes ☐ No               |
+--------------------------------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>  |
| where the Customized Approach was used.                      |                          |
|                                                              |                          |
| ***Note:** The use of Customized Approach must also be       |                          |
| documented in                                                |                          |
| [Appendix E.](#appendix-e-customized-approach-template)*     |                          |
+--------------------------------------------------------------+--------------------------+
| **Validation Method -- Defined Approach**                    |                          |
+--------------------------------------------------------------+--------------------------+
| **Indicate** whether a Compensating Control was used:        | ☐ Yes ☐ No               |
+--------------------------------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>  |
| where the Compensating Control(s) was used.                  |                          |
|                                                              |                          |
| ***Note:** The use of Compensating Controls must also be     |                          |
| documented in                                                |                          |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*  |                          |
+--------------------------------------------------------------+--------------------------+

+----------------------------------------------+----------------------------------------------------+--------------------------+
| **Testing Procedures**                       | **Reporting Instructions**                         | **Reporting Details:     |
|                                              |                                                    | Assessor's Response**    |
+==============================================+====================================================+==========================+
| **7.2.5.1.a** Examine policies and           | **Identify** the evidence reference number(s)      | \<Enter Response Here\>  |
| procedures to verify they define processes   | from [Section 6](#evidence-assessment-workpapers)  |                          |
| to review all application and system         | for all **policies and procedures** examined for   |                          |
| accounts and related access privileges in    | this testing procedure.                            |                          |
| accordance with all elements specified in    |                                                    |                          |
| this requirement.                            |                                                    |                          |
+----------------------------------------------+----------------------------------------------------+--------------------------+
| **7.2.5.1.b** Examine the entity's targeted  | **Identify** the evidence reference number(s)      | \<Enter Response Here\>  |
| risk analysis for the frequency of periodic  | from [Section 6](#evidence-assessment-workpapers)  |                          |
| reviews of application and system accounts   | for the **entity's targeted risk analysis**        |                          |
| and related access privileges to verify the  | examined for this testing procedure.               |                          |
| risk analysis was performed in accordance    |                                                    |                          |
| with all elements specified in Requirement   |                                                    |                          |
| 12.3.1.                                      |                                                    |                          |
+----------------------------------------------+----------------------------------------------------+--------------------------+
| **7.2.5.1.c** Interview responsible          | **Identify** the evidence reference number(s)      | \<Enter Response Here\>  |
| personnel and examine documented results of  | from [Section 6](#evidence-assessment-workpapers)  |                          |
| periodic reviews of system and application   | for all **interview(s)** conducted for this        |                          |
| accounts and related privileges to verify    | testing procedure.                                 |                          |
| that the reviews occur in accordance with    |                                                    |                          |
| all elements specified in this               |                                                    |                          |
| requirement.                                 |                                                    |                          |
+----------------------------------------------+----------------------------------------------------+--------------------------+
|                                              | **Identify** the evidence reference number(s)      | \<Enter Response Here\>  |
|                                              | from [Section 6](#evidence-assessment-workpapers)  |                          |
|                                              | for all **documented results of periodic           |                          |
|                                              | reviews** examined for this testing                |                          |
|                                              | procedure.                                         |                          |
+----------------------------------------------+----------------------------------------------------+--------------------------+


+-----------------------------------------------------------------------------------------+
| **PCI DSS Requirement**                                                                 |
+=========================================================================================+
| **7.2.6** All user access to query repositories of stored cardholder data is           |
| restricted as follows:                                                                  |
|                                                                                         |
| - Via applications or other programmatic methods, with access and allowed actions      |
|   based on user roles and least privileges.                                             |
|                                                                                         |
| - Only the responsible administrator(s) can directly access or query repositories of   |
|   stored CHD.                                                                           |
+-----------------------------------------------------------------------------------------+

+-----------------------+-----------------------+-----------------------+-----------------------+
| **Assessment Findings |                       |                       |                       |
| (select one)**        |                       |                       |                       |
+=======================+=======================+=======================+=======================+
| **In Place**          | **Not Applicable**    | **Not Tested**        | **Not in Place**      |
+-----------------------+-----------------------+-----------------------+-----------------------+
| ☐                     | ☐                     | ☐                     | ☐                     |
+-----------------------+-----------------------+-----------------------+-----------------------+

+--------------------------------------------------------------+--------------------------+
| Describe why the assessment finding was selected.            | \<Enter Response Here\>  |
|                                                              |                          |
| ***Note**: Include all details as noted in the "Required     |                          |
| Reporting" column of the table in                            |                          |
| [Assessment Findings](#assessment-findings) in the ROC       |                          |
| Template Instructions.*                                      |                          |
+--------------------------------------------------------------+--------------------------+
| **Validation Method -- Customized Approach**                 |                          |
+--------------------------------------------------------------+--------------------------+
| **Indicate** whether a Customized Approach was used:         | ☐ Yes ☐ No               |
+--------------------------------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>  |
| where the Customized Approach was used.                      |                          |
|                                                              |                          |
| ***Note:** The use of Customized Approach must also be       |                          |
| documented in                                                |                          |
| [Appendix E.](#appendix-e-customized-approach-template)*     |                          |
+--------------------------------------------------------------+--------------------------+
| **Validation Method -- Defined Approach**                    |                          |
+--------------------------------------------------------------+--------------------------+
| **Indicate** whether a Compensating Control was used:        | ☐ Yes ☐ No               |
+--------------------------------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>  |
| where the Compensating Control(s) was used.                  |                          |
|                                                              |                          |
| ***Note:** The use of Compensating Controls must also be     |                          |
| documented in                                                |                          |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*  |                          |
+--------------------------------------------------------------+--------------------------+

+----------------------------------------------+----------------------------------------------------+--------------------------+
| **Testing Procedures**                       | **Reporting Instructions**                         | **Reporting Details:     |
|                                              |                                                    | Assessor's Response**    |
+==============================================+====================================================+==========================+
| **7.2.6.a** Examine policies and procedures  | **Identify** the evidence reference number(s)      | \<Enter Response Here\>  |
| and interview personnel to verify processes  | from [Section 6](#evidence-assessment-workpapers)  |                          |
| are defined for granting user access to      | for all **policies and procedures** examined for   |                          |
| query repositories of stored cardholder      | this testing procedure.                            |                          |
| data, in accordance with all elements        |                                                    |                          |
| specified in this requirement.               |                                                    |                          |
+----------------------------------------------+----------------------------------------------------+--------------------------+
|                                              | **Identify** the evidence reference number(s)      | \<Enter Response Here\>  |
|                                              | from [Section 6](#evidence-assessment-workpapers)  |                          |
|                                              | for all **interview(s)** conducted for this        |                          |
|                                              | testing procedure.                                 |                          |
+----------------------------------------------+----------------------------------------------------+--------------------------+
| **7.2.6.b** Examine configuration settings   | **Identify** the evidence reference number(s)      | \<Enter Response Here\>  |
| for querying repositories of stored          | from [Section 6](#evidence-assessment-workpapers)  |                          |
| cardholder data to verify they are in        | for all **configuration settings** examined        |                          |
| accordance with all elements specified in    | for this testing procedure.                        |                          |
| this requirement.                            |                                                    |                          |
+----------------------------------------------+----------------------------------------------------+--------------------------+


+-----------------------------------------------------------------------------------------+
| **Requirement Description**                                                             |
+=========================================================================================+
| **7.3** Access to system components and data is managed via an access control          |
| system(s).                                                                              |
+-----------------------------------------------------------------------------------------+
| **PCI DSS Requirement**                                                                 |
+-----------------------------------------------------------------------------------------+
| **7.3.1** An access control system(s) is in place that restricts access based          |
| on a user's need to know and covers all system components.                              |
+-----------------------------------------------------------------------------------------+

+-----------------------+-----------------------+-----------------------+-----------------------+
| **Assessment Findings |                       |                       |                       |
| (select one)**        |                       |                       |                       |
+=======================+=======================+=======================+=======================+
| **In Place**          | **Not Applicable**    | **Not Tested**        | **Not in Place**      |
+-----------------------+-----------------------+-----------------------+-----------------------+
| ☐                     | ☐                     | ☐                     | ☐                     |
+-----------------------+-----------------------+-----------------------+-----------------------+

+--------------------------------------------------------------+--------------------------+
| Describe why the assessment finding was selected.            | \<Enter Response Here\>  |
|                                                              |                          |
| ***Note**: Include all details as noted in the "Required     |                          |
| Reporting" column of the table in                            |                          |
| [Assessment Findings](#assessment-findings) in the ROC       |                          |
| Template Instructions.*                                      |                          |
+--------------------------------------------------------------+--------------------------+
| **Validation Method -- Customized Approach**                 |                          |
+--------------------------------------------------------------+--------------------------+
| **Indicate** whether a Customized Approach was used:         | ☐ Yes ☐ No               |
+--------------------------------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>  |
| where the Customized Approach was used.                      |                          |
|                                                              |                          |
| ***Note:** The use of Customized Approach must also be       |                          |
| documented in                                                |                          |
| [Appendix E.](#appendix-e-customized-approach-template)*     |                          |
+--------------------------------------------------------------+--------------------------+
| **Validation Method -- Defined Approach**                    |                          |
+--------------------------------------------------------------+--------------------------+
| **Indicate** whether a Compensating Control was used:        | ☐ Yes ☐ No               |
+--------------------------------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>  |
| where the Compensating Control(s) was used.                  |                          |
|                                                              |                          |
| ***Note:** The use of Compensating Controls must also be     |                          |
| documented in                                                |                          |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*  |                          |
+--------------------------------------------------------------+--------------------------+

+-----------------+----------------+---+--------------+-----------------+
| **Testing | > **Reporting | | > | |
| Procedures** | > | | **Reporting | |
| | Instructions** | | > Details: | |
| | | | > Assessor's | |
| | | | > Response** | |
+=================+================+===+==============+=================+
| **7.3.1** | > **Identify** | | \<Enter | |
| Examine vendor | > the evidence | | Response | |
| documentation | > reference | | Here\> | |
| and system | > number(s) | | | |
| settings to | > from | | | |
| verify that | > [Section | | | |
| access is | > 6](#evi | | | |
| managed for | dence-assessme | | | |
| each system | nt-workpapers) | | | |
| component via | > for all | | | |
| an access | > **vendor | | | |
| control | > d | | | |
| system(s) that | ocumentation** | | | |
| restricts | > examined for | | | |
| access based on | > this testing | | | |
| a user's need | > procedure. | | | |
| to know and | | | | |
| covers all | | | | |
| system | | | | |
| components. | | | | |
+-----------------+----------------+---+--------------+-----------------+
| | > **Identify** | | \<Enter | |
| | > the evidence | | Response | |
| | > reference | | Here\> | |
| | > number(s) | | | |
| | > from | | | |
| | > [Section | | | |
| | > 6](#evi | | | |
| | dence-assessme | | | |
| | nt-workpapers) | | | |
| | > for all | | | |
| | > **system | | | |
| | > settings** | | | |
| | > examined for | | | |
| | > this testing | | | |
| | > procedure. | | | |
+-----------------+----------------+---+--------------+-----------------+
| > **PCI DSS | | | | |
| > Requirement** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **7.3.2** The | | | | |
| access control | | | | |
| system(s) is | | | | |
| configured to | | | | |
| enforce | | | | |
| permissions | | | | |
| assigned to | | | | |
| individuals, | | | | |
| applications, | | | | |
| and systems | | | | |
| based on job | | | | |
| classification | | | | |
| and function. | | | | |
+-----------------+----------------+---+--------------+-----------------+
| > **Assessment | | | | |
| > Findings | | | | |
| > (select | | | | |
| > one)** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **In Place** | **Not | * | | **Not in |
| | Applicable** | * | | Place** |
| | | N | | |
| | | o | | |
| | | t | | |
| | | T | | |
| | | e | | |
| | | s | | |
| | | t | | |
| | | e | | |
| | | d | | |
| | | * | | |
| | | * | | |
+-----------------+----------------+---+--------------+-----------------+
| ☐ | ☐ | ☐ | | ☐ |
+-----------------+----------------+---+--------------+-----------------+
| Describe why | | \ | | |
| the assessment | | < | | |
| finding was | | E | | |
| selected. | | n | | |
| | | t | | |
| ***Note**: | | e | | |
| Include all | | r | | |
| details as | | R | | |
| noted in the | | e | | |
| "Required | | s | | |
| Reporting" | | p | | |
| column of the | | o | | |
| table in | | n | | |
| [Assessment | | s | | |
| F | | e | | |
| indings](#asses | | H | | |
| sment-findings) | | e | | |
| in the ROC | | r | | |
| Template | | e | | |
| Instructions.* | | \ | | |
| | | > | | |
+-----------------+----------------+---+--------------+-----------------+
+-----------------+-------------------+--------------------------------+
| **Validation | | |
| Method -- | | |
| Customized | | |
| Approach** | | |
+=================+===================+================================+
| **Indicate** | | ☐ Yes ☐ No |
| whether a | | |
| Customized | | |
| Approach was | | |
| used: | | |
+-----------------+-------------------+--------------------------------+
| **If "Yes", | | \<Enter Response Here\> |
| Identify** the | | |
| aspect(s) of | | |
| the requirement | | |
| where the | | |
| Customized | | |
| Approach was | | |
| used. | | |
| | | |
| ***Note:** The | | |
| use of | | |
| Customized | | |
| Approach must | | |
| also be | | |
| documented in | | |
| [Appendix | | |
| E | | |
| .](#appendix-e- | | |
| customized-appr | | |
| oach-template)* | | |
+-----------------+-------------------+--------------------------------+
| **Validation | | |
| Method -- | | |
| Defined | | |
| Approach** | | |
+-----------------+-------------------+--------------------------------+
| **Indicate** | | ☐ Yes ☐ No |
| whether a | | |
| Compensating | | |
| Control was | | |
| used: | | |
+-----------------+-------------------+--------------------------------+
| **If "Yes", | | \<Enter Response Here\> |
| Identify** the | | |
| aspect(s) of | | |
| the requirement | | |
| where the | | |
| Compensating | | |
| Control(s) was | | |
| used. | | |
| | | |
| ***Note:** The | | |
| use of | | |
| Compensating | | |
| Controls must | | |
| also be | | |
| documented in | | |
| [Appendix | | |
| C.]( | | |
| #appendix-c-com | | |
| pensating-contr | | |
| ols-worksheet)* | | |
+-----------------+-------------------+--------------------------------+
| > **Testing | > **Reporting | > **Reporting Details: |
| > Procedures** | > Instructions** | > Assessor's Response** |
+-----------------+-------------------+--------------------------------+
| **7.3.2** | **Identify** the | \<Enter Response Here\> |
| Examine vendor | evidence | |
| documentation | reference | |
| and system | number(s) from | |
| settings to | [Section | |
| verify that the | 6 | |
| access control | ](#evidence-asses | |
| system(s) is | sment-workpapers) | |
| configured to | for all **vendor | |
| enforce | documentation** | |
| permissions | examined for this | |
| assigned to | testing | |
| individuals, | procedure. | |
| applications, | | |
| and systems | | |
| based on job | | |
| classification | | |
| and function. | | |
+-----------------+-------------------+--------------------------------+
| | **Identify** the | \<Enter Response Here\> |
| | evidence | |
| | reference | |
| | number(s) from | |
| | [Section | |
| | 6 | |
| | ](#evidence-asses | |
| | sment-workpapers) | |
| | for all **system | |
| | settings** | |
| | examined for this | |
| | testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+

+----------------------------------------------------------------------+
| **PCI DSS Requirement**                                              |
+======================================================================+
| **7.3.3** The access control system(s) is set to "deny all" by       |
| default.                                                             |
+----------------------------------------------------------------------+

+--------------------+--------------------+--------------------+--------------------+
| **Assessment       |                    |                    |                    |
| Findings (select   |                    |                    |                    |
| one)**             |                    |                    |                    |
+====================+====================+====================+====================+
| **In Place**       | **Not Applicable** | **Not Tested**     | **Not in Place**   |
+--------------------+--------------------+--------------------+--------------------+
| ☐                  | ☐                  | ☐                  | ☐                  |
+--------------------+--------------------+--------------------+--------------------+

+------------------------------------------------------------+--------------------------+
| Describe why the assessment finding was selected.          | \<Enter Response Here\>  |
|                                                            |                          |
| ***Note**: Include all details as noted in the "Required   |                          |
| Reporting" column of the table in [Assessment              |                          |
| Findings](#assessment-findings) in the ROC Template        |                          |
| Instructions.*                                             |                          |
+------------------------------------------------------------+--------------------------+
| **Validation Method -- Customized Approach**               |                          |
+------------------------------------------------------------+--------------------------+
| **Indicate** whether a Customized Approach was used:       | ☐ Yes ☐ No               |
+------------------------------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement    | \<Enter Response Here\>  |
| where the Customized Approach was used.                    |                          |
|                                                            |                          |
| ***Note:** The use of Customized Approach must also be     |                          |
| documented in [Appendix                                    |                          |
| E.](#appendix-e-customized-approach-template)*             |                          |
+------------------------------------------------------------+--------------------------+
| **Validation Method -- Defined Approach**                  |                          |
+------------------------------------------------------------+--------------------------+
| **Indicate** whether a Compensating Control was used:      | ☐ Yes ☐ No               |
+------------------------------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement    | \<Enter Response Here\>  |
| where the Compensating Control(s) was used.                |                          |
|                                                            |                          |
| ***Note:** The use of Compensating Controls must also be   |                          |
| documented in [Appendix                                    |                          |
| C.](#appendix-c-compensating-controls-worksheet)*          |                          |
+------------------------------------------------------------+--------------------------+

+-----------------+-------------------+--------------------------------+
| > **Testing | > **Reporting | > **Reporting Details: |
| > Procedures** | > Instructions** | > Assessor's Response** |
+=================+===================+================================+
| **7.3.3** | **Identify** the | \<Enter Response Here\> |
| Examine vendor | evidence | |
| documentation | reference | |
| and system | number(s) from | |
| settings to | [Section | |
| verify that the | 6 | |
| access control | ](#evidence-asses | |
| system(s) is | sment-workpapers) | |
| set to "deny | for all **vendor | |
| all" by | documentation** | |
| default. | examined for this | |
| | testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+
| | **Identify** the | \<Enter Response Here\> |
| | evidence | |
| | reference | |
| | number(s) from | |
| | [Section | |
| | 6 | |
| | ](#evidence-asses | |
| | sment-workpapers) | |
| | for all **system | |
| | settings** | |
| | examined for this | |
| | testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+

### Requirement 8: Identify Users and Authenticate Access to System Components {#requirement-8-identify-users-and-authenticate-access-to-system-components .unnumbered}

+----------------------------------------------------------------------+
| **Requirement Description**                                          |
+======================================================================+
| **8.1** Processes and mechanisms for identifying users and           |
| authenticating access to system components are defined and           |
| understood.                                                          |
+----------------------------------------------------------------------+
| **PCI DSS Requirement**                                              |
+----------------------------------------------------------------------+
| **8.1.1** All security policies and operational procedures that are  |
| identified in Requirement 8 are:                                     |
|                                                                      |
| - Documented.                                                        |
| - Kept up to date.                                                   |
| - In use.                                                            |
| - Known to all affected parties.                                     |
+----------------------------------------------------------------------+

+--------------------+--------------------+--------------------+--------------------+
| **Assessment       |                    |                    |                    |
| Findings (select   |                    |                    |                    |
| one)**             |                    |                    |                    |
+====================+====================+====================+====================+
| **In Place**       | **Not Applicable** | **Not Tested**     | **Not in Place**   |
+--------------------+--------------------+--------------------+--------------------+
| ☐                  | ☐                  | ☐                  | ☐                  |
+--------------------+--------------------+--------------------+--------------------+

+------------------------------------------------------------+--------------------------+
| Describe why the assessment finding was selected.          | \<Enter Response Here\>  |
|                                                            |                          |
| ***Note**: Include all details as noted in the "Required   |                          |
| Reporting" column of the table in [Assessment              |                          |
| Findings](#assessment-findings) in the ROC Template        |                          |
| Instructions.*                                             |                          |
+------------------------------------------------------------+--------------------------+
| **Validation Method -- Customized Approach**               |                          |
+------------------------------------------------------------+--------------------------+
| **Indicate** whether a Customized Approach was used:       | ☐ Yes ☐ No               |
+------------------------------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement    | \<Enter Response Here\>  |
| where the Customized Approach was used.                    |                          |
|                                                            |                          |
| ***Note:** The use of Customized Approach must also be     |                          |
| documented in [Appendix                                    |                          |
| E.](#appendix-e-customized-approach-template)*             |                          |
+------------------------------------------------------------+--------------------------+
| **Validation Method -- Defined Approach**                  |                          |
+------------------------------------------------------------+--------------------------+
| **Indicate** whether a Compensating Control was used:      | ☐ Yes ☐ No               |
+------------------------------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement    | \<Enter Response Here\>  |
| where the Compensating Control(s) was used.                |                          |
|                                                            |                          |
| ***Note:** The use of Compensating Controls must also be   |                          |
| documented in [Appendix                                    |                          |
| C.](#appendix-c-compensating-controls-worksheet)*          |                          |
+------------------------------------------------------------+--------------------------+

+--------------------------------+----------------------------------------+--------------------------+
| **Testing Procedures**         | **Reporting Instructions**             | **Reporting Details:     |
|                                |                                        | Assessor's Response**    |
+================================+========================================+==========================+
| **8.1.1** Examine              | **Identify** the evidence reference    | \<Enter Response Here\>  |
| documentation and interview    | number(s) from [Section                |                          |
| personnel to verify that       | 6](#evidence-assessment-workpapers)    |                          |
| security policies and          | for all **documentation** examined     |                          |
| operational procedures that    | for this testing procedure.            |                          |
| are identified in Requirement  |                                        |                          |
| 8 are managed in accordance    |                                        |                          |
| with all elements specified in |                                        |                          |
| this requirement.              |                                        |                          |
+--------------------------------+----------------------------------------+--------------------------+
|                                | **Identify** the evidence reference    | \<Enter Response Here\>  |
|                                | number(s) from [Section                |                          |
|                                | 6](#evidence-assessment-workpapers)    |                          |
|                                | for all **interview(s)** conducted     |                          |
|                                | for this testing procedure.            |                          |
+--------------------------------+----------------------------------------+--------------------------+

+----------------------------------------------------------------------+
| **PCI DSS Requirement**                                              |
+======================================================================+
| **8.1.2** Roles and responsibilities for performing activities in    |
| Requirement 8 are documented, assigned, and understood.              |
+----------------------------------------------------------------------+


+--------------------+--------------------+--------------------+--------------------+
| **Assessment       |                    |                    |                    |
| Findings (select   |                    |                    |                    |
| one)**             |                    |                    |                    |
+====================+====================+====================+====================+
| **In Place**       | **Not Applicable** | **Not Tested**     | **Not in Place**   |
+--------------------+--------------------+--------------------+--------------------+
| ☐                  | ☐                  | ☐                  | ☐                  |
+--------------------+--------------------+--------------------+--------------------+

+------------------------------------------------------------+--------------------------+
| Describe why the assessment finding was selected.          | \<Enter Response Here\>  |
|                                                            |                          |
| ***Note**: Include all details as noted in the "Required   |                          |
| Reporting" column of the table in [Assessment              |                          |
| Findings](#assessment-findings) in the ROC Template        |                          |
| Instructions.*                                             |                          |
+------------------------------------------------------------+--------------------------+
| **Validation Method -- Customized Approach**               |                          |
+------------------------------------------------------------+--------------------------+
| **Indicate** whether a Customized Approach was used:       | ☐ Yes ☐ No               |
+------------------------------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement    | \<Enter Response Here\>  |
| where the Customized Approach was used.                    |                          |
|                                                            |                          |
| ***Note:** The use of Customized Approach must also be     |                          |
| documented in [Appendix                                    |                          |
| E.](#appendix-e-customized-approach-template)*             |                          |
+------------------------------------------------------------+--------------------------+
| **Validation Method -- Defined Approach**                  |                          |
+------------------------------------------------------------+--------------------------+
| **Indicate** whether a Compensating Control was used:      | ☐ Yes ☐ No               |
+------------------------------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement    | \<Enter Response Here\>  |
| where the Compensating Control(s) was used.                |                          |
|                                                            |                          |
| ***Note:** The use of Compensating Controls must also be   |                          |
| documented in [Appendix                                    |                          |
| C.](#appendix-c-compensating-controls-worksheet)*          |                          |
+------------------------------------------------------------+--------------------------+

+--------------------------------+----------------------------------------+--------------------------+
| **Testing Procedures**         | **Reporting Instructions**             | **Reporting Details:     |
|                                |                                        | Assessor's Response**    |
+================================+========================================+==========================+
| **8.1.2.a** Examine            | **Identify** the evidence reference    | \<Enter Response Here\>  |
| documentation to verify that   | number(s) from [Section                |                          |
| descriptions of roles and      | 6](#evidence-assessment-workpapers)    |                          |
| responsibilities for           | for all **documentation** examined     |                          |
| performing activities in       | for this testing procedure.            |                          |
| Requirement 8 are documented   |                                        |                          |
| and assigned.                  |                                        |                          |
+--------------------------------+----------------------------------------+--------------------------+
| **8.1.2.b** Interview          | **Identify** the evidence reference    | \<Enter Response Here\>  |
| personnel with responsibility  | number(s) from [Section                |                          |
| for performing activities in   | 6](#evidence-assessment-workpapers)    |                          |
| Requirement 8 to verify that   | for all **interview(s)** conducted     |                          |
| roles and responsibilities are | for this testing procedure.            |                          |
| assigned as documented and are |                                        |                          |
| understood.                    |                                        |                          |
+--------------------------------+----------------------------------------+--------------------------+


+----------------------------------------------------------------------+
| **Requirement Description**                                          |
+======================================================================+
| **8.2** User identification and related accounts for users and       |
| administrators are strictly managed throughout an account's          |
| lifecycle.                                                           |
+----------------------------------------------------------------------+
| **PCI DSS Requirement**                                              |
+----------------------------------------------------------------------+
| **8.2.1** All users are assigned a unique ID before access to system |
| components or cardholder data is allowed.                            |
+----------------------------------------------------------------------+

+--------------------+--------------------+--------------------+--------------------+
| **Assessment       |                    |                    |                    |
| Findings (select   |                    |                    |                    |
| one)**             |                    |                    |                    |
+====================+====================+====================+====================+
| **In Place**       | **Not Applicable** | **Not Tested**     | **Not in Place**   |
+--------------------+--------------------+--------------------+--------------------+
| ☐                  | ☐                  | ☐                  | ☐                  |
+--------------------+--------------------+--------------------+--------------------+

+------------------------------------------------------------+--------------------------+
| Describe why the assessment finding was selected.          | \<Enter Response Here\>  |
|                                                            |                          |
| ***Note**: Include all details as noted in the "Required   |                          |
| Reporting" column of the table in [Assessment              |                          |
| Findings](#assessment-findings) in the ROC Template        |                          |
| Instructions.*                                             |                          |
+------------------------------------------------------------+--------------------------+
| **Validation Method -- Customized Approach**               |                          |
+------------------------------------------------------------+--------------------------+
| **Indicate** whether a Customized Approach was used:       | ☐ Yes ☐ No               |
+------------------------------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement    | \<Enter Response Here\>  |
| where the Customized Approach was used.                    |                          |
|                                                            |                          |
| ***Note:** The use of Customized Approach must also be     |                          |
| documented in [Appendix                                    |                          |
| E.](#appendix-e-customized-approach-template)*             |                          |
+------------------------------------------------------------+--------------------------+
| **Validation Method -- Defined Approach**                  |                          |
+------------------------------------------------------------+--------------------------+
| **Indicate** whether a Compensating Control was used:      | ☐ Yes ☐ No               |
+------------------------------------------------------------+--------------------------+

+-----------------+-------------------+--------------------------------+
| **If "Yes", | | \<Enter Response Here\> |
| Identify** the | | |
| aspect(s) of | | |
| the requirement | | |
| where the | | |
| Compensating | | |
| Control(s) was | | |
| used. | | |
| | | |
| ***Note:** The | | |
| use of | | |
| Compensating | | |
| Controls must | | |
| also be | | |
| documented in | | |
| [Appendix | | |
| C.]( | | |
| #appendix-c-com | | |
| pensating-contr | | |
| ols-worksheet)* | | |
+=================+===================+================================+
| > **Testing | > **Reporting | > **Reporting Details: |
| > Procedures** | > Instructions** | > Assessor's Response** |
+-----------------+-------------------+--------------------------------+
| **8.2.1.a** | **Identify** the | \<Enter Response Here\> |
| Interview | evidence | |
| responsible | reference | |
| personnel to | number(s) from | |
| verify that all | [Section | |
| users are | 6 | |
| assigned a | ](#evidence-asses | |
| unique ID for | sment-workpapers) | |
| access to | for all | |
| system | **interview(s)** | |
| components and | conducted for | |
| cardholder | this testing | |
| data. | procedure. | |
+-----------------+-------------------+--------------------------------+
| **8.2.1.b** | **Identify** the | \<Enter Response Here\> |
| Examine audit | evidence | |
| logs and other | reference | |
| evidence to | number(s) from | |
| verify that | [Section | |
| access to | 6 | |
| system | ](#evidence-asses | |
| components and | sment-workpapers) | |
| cardholder data | for all **audit | |
| can be uniquely | logs** examined | |
| identified and | for this testing | |
| associated with | procedure. | |
| individuals. | | |
+-----------------+-------------------+--------------------------------+
| | **Identify** the | \<Enter Response Here\> |
| | evidence | |
| | reference | |
| | number(s) from | |
| | [Section | |
| | 6 | |
| | ](#evidence-asses | |
| | sment-workpapers) | |
| | for **any other | |
| | evidence** | |
| | examined for this | |
| | testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+
| **PCI DSS | | |
| Requirement** | | |
+-----------------+-------------------+--------------------------------+
| **8.2.2** | | |
| Group, shared, | | |
| or generic | | |
| accounts, or | | |
| other shared | | |
| authentication | | |
| credentials are | | |
| only used when | | |
| necessary on an | | |
| exception | | |
| basis, and are | | |
| managed as | | |
| follows: | | |
| | | |
| - Account use | | |
| is | | |
| prevented | | |
| unless | | |
| needed for | | |
| an | | |
| exceptional | | |
| | | |
| circumstance. | | |
| | | |
| - Use is | | |
| limited to | | |
| the time | | |
| needed for | | |
| the | | |
| exceptional | | |
| | | |
| circumstance. | | |
| | | |
| - Business | | |
| | | |
| justification | | |
| for use is | | |
| documented. | | |
| | | |
| - Use is | | |
| explicitly | | |
| approved by | | |
| management. | | |
| | | |
| - Individual | | |
| user | | |
| identity is | | |
| confirmed | | |
| before | | |
| access to | | |
| an account | | |
| is granted. | | |
| | | |
| - Every | | |
| action | | |
| taken is | | |
| | | |
| attributable | | |
| to an | | |
| individual | | |
| user. | | |
+-----------------+-------------------+--------------------------------+

+--------------------+--------------------+--------------------+--------------------+
| **Assessment       |                    |                    |                    |
| Findings (select   |                    |                    |                    |
| one)**             |                    |                    |                    |
+====================+====================+====================+====================+
| **In Place**       | **Not Applicable** | **Not Tested**     | **Not in Place**   |
+--------------------+--------------------+--------------------+--------------------+
| ☐                  | ☐                  | ☐                  | ☐                  |
+--------------------+--------------------+--------------------+--------------------+

+------------------------------------------------------------+--------------------------+
| Describe why the assessment finding was selected.          | \<Enter Response Here\>  |
|                                                            |                          |
| ***Note**: Include all details as noted in the "Required   |                          |
| Reporting" column of the table in [Assessment              |                          |
| Findings](#assessment-findings) in the ROC Template        |                          |
| Instructions.*                                             |                          |
+------------------------------------------------------------+--------------------------+
| **Validation Method -- Customized Approach**               |                          |
+------------------------------------------------------------+--------------------------+
| **Indicate** whether a Customized Approach was used:       | ☐ Yes ☐ No               |
+------------------------------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement    | \<Enter Response Here\>  |
| where the Customized Approach was used.                    |                          |
|                                                            |                          |
| ***Note:** The use of Customized Approach must also be     |                          |
| documented in [Appendix                                    |                          |
| E.](#appendix-e-customized-approach-template)*             |                          |
+------------------------------------------------------------+--------------------------+

+-----------------+-------------------+--------------------------------+
| **Validation | | |
| Method -- | | |
| Defined | | |
| Approach** | | |
+=================+===================+================================+
| **Indicate** | | ☐ Yes ☐ No |
| whether a | | |
| Compensating | | |
| Control was | | |
| used: | | |
+-----------------+-------------------+--------------------------------+
| **If "Yes", | | \<Enter Response Here\> |
| Identify** the | | |
| aspect(s) of | | |
| the requirement | | |
| where the | | |
| Compensating | | |
| Control(s) was | | |
| used. | | |
| | | |
| ***Note:** The | | |
| use of | | |
| Compensating | | |
| Controls must | | |
| also be | | |
| documented in | | |
| [Appendix | | |
| C.]( | | |
| #appendix-c-com | | |
| pensating-contr | | |
| ols-worksheet)* | | |
+-----------------+-------------------+--------------------------------+
| > **Testing | > **Reporting | > **Reporting Details: |
| > Procedures** | > Instructions** | > Assessor's Response** |
+-----------------+-------------------+--------------------------------+
| **8.2.2.a** | **Identify** the | \<Enter Response Here\> |
| Examine user | evidence | |
| account lists | reference | |
| on system | number(s) from | |
| components and | [Section | |
| applicable | 6 | |
| documentation | ](#evidence-asses | |
| to verify that | sment-workpapers) | |
| shared | for all **user | |
| authentication | account lists** | |
| credentials are | examined for this | |
| only used when | testing | |
| necessary, on | procedure. | |
| an exception | | |
| basis, and are | | |
| managed in | | |
| accordance with | | |
| all elements | | |
| specified in | | |
| this | | |
| requirement. | | |
+-----------------+-------------------+--------------------------------+
| | **Identify** the | \<Enter Response Here\> |
| | evidence | |
| | reference | |
| | number(s) from | |
| | [Section | |
| | 6 | |
| | ](#evidence-asses | |
| | sment-workpapers) | |
| | for all | |
| | **documentation** | |
| | examined for this | |
| | testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+
| **8.2.2.b** | **Identify** the | \<Enter Response Here\> |
| Examine | evidence | |
| authentication | reference | |
| policies and | number(s) from | |
| procedures to | [Section | |
| verify | 6 | |
| processes are | ](#evidence-asses | |
| defined for | sment-workpapers) | |
| shared | for all | |
| authentication | **authentication | |
| credentials | policies and | |
| such that they | procedures** | |
| are only used | examined for this | |
| when necessary, | testing | |
| on an exception | procedure. | |
| basis, and are | | |
| managed in | | |
| accordance with | | |
| all elements | | |
| specified in | | |
| this | | |
| requirement. | | |
+-----------------+-------------------+--------------------------------+
| **8.2.2.c** | **Identify** the | \<Enter Response Here\> |
| Interview | evidence | |
| system | reference | |
| administrators | number(s) from | |
| to verify that | [Section | |
| shared | 6 | |
| authentication | ](#evidence-asses | |
| credentials are | sment-workpapers) | |
| only used when | for all | |
| necessary, on | **interview(s)** | |
| an exception | conducted for | |
| basis, and are | this testing | |
| managed in | procedure. | |
| accordance with | | |
| all elements | | |
| specified in | | |
| this | | |
| requirement. | | |
+-----------------+-------------------+--------------------------------+
+-----------------+----------------+---+--------------+-----------------+
| > **PCI DSS | | | | |
| > Requirement** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **8.2.3 | | | | |
| *Additional | | | | |
| requirement for | | | | |
| service | | | | |
| providers only: | | | | |
| ***Service | | | | |
| providers with | | | | |
| remote access | | | | |
| to customer | | | | |
| premises use | | | | |
| unique | | | | |
| authentication | | | | |
| factors for | | | | |
| each customer | | | | |
| premises. | | | | |
+-----------------+----------------+---+--------------+-----------------+
| > **Assessment | | | | |
| > Findings | | | | |
| > (select | | | | |
| > one)** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **In Place** | **Not | * | | **Not in |
| | Applicable** | * | | Place** |
| | | N | | |
| | | o | | |
| | | t | | |
| | | T | | |
| | | e | | |
| | | s | | |
| | | t | | |
| | | e | | |
| | | d | | |
| | | * | | |
| | | * | | |
+-----------------+----------------+---+--------------+-----------------+
| ☐ | ☐ | ☐ | | ☐ |
+-----------------+----------------+---+--------------+-----------------+
| Describe why | | \ | | |
| the assessment | | < | | |
| finding was | | E | | |
| selected. | | n | | |
| | | t | | |
| ***Note**: | | e | | |
| Include all | | r | | |
| details as | | R | | |
| noted in the | | e | | |
| "Required | | s | | |
| Reporting" | | p | | |
| column of the | | o | | |
| table in | | n | | |
| [Assessment | | s | | |
| F | | e | | |
| indings](#asses | | H | | |
| sment-findings) | | e | | |
| in the ROC | | r | | |
| Template | | e | | |
| Instructions.* | | \ | | |
| | | > | | |
+-----------------+----------------+---+--------------+-----------------+
| **Validation | | | | |
| Method -- | | | | |
| Customized | | | | |
| Approach** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **Indicate** | | | - Yes ☐ No | |
| whether a | | | | |
| Customized | | | | |
| Approach was | | | | |
| used: | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **If "Yes", | | | \<Enter | |
| Identify** the | | | Response | |
| aspect(s) of | | | Here\> | |
| the requirement | | | | |
| where the | | | | |
| Customized | | | | |
| Approach was | | | | |
| used. | | | | |
| | | | | |
| ***Note:** The | | | | |
| use of | | | | |
| Customized | | | | |
| Approach must | | | | |
| also be | | | | |
| documented in | | | | |
| [Appendix | | | | |
| E | | | | |
| .](#appendix-e- | | | | |
| customized-appr | | | | |
| oach-template)* | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **Validation | | | | |
| Method -- | | | | |
| Defined | | | | |
| Approach** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **Indicate** | | | - Yes ☐ No | |
| whether a | | | | |
| Compensating | | | | |
| Control was | | | | |
| used: | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **If "Yes", | | | \<Enter | |
| Identify** the | | | Response | |
| aspect(s) of | | | Here\> | |
| the requirement | | | | |
| where the | | | | |
| Compensating | | | | |
| Control(s) was | | | | |
| used. | | | | |
| | | | | |
| ***Note:** The | | | | |
| use of | | | | |
| Compensating | | | | |
| Controls must | | | | |
| also be | | | | |
| documented in | | | | |
| [Appendix | | | | |
| C.]( | | | | |
| #appendix-c-com | | | | |
| pensating-contr | | | | |
| ols-worksheet)* | | | | |
+-----------------+----------------+---+--------------+-----------------+
+-----------------+----------------+---+--------------+-----------------+
| **Testing | > **Reporting | | > | |
| Procedures** | > | | **Reporting | |
| | Instructions** | | > Details: | |
| | | | > Assessor's | |
| | | | > Response** | |
+=================+================+===+==============+=================+
| **8.2.3 | **Identify** | | \<Enter | |
| *Additional | the evidence | | Response | |
| testing | reference | | Here\> | |
| procedure for | number(s) from | | | |
| service | [Section | | | |
| provider | 6](#evi | | | |
| assessments | dence-assessme | | | |
| only: | nt-workpapers) | | | |
| ***Examine | for all | | | |
| authentication | ** | | | |
| policies and | authentication | | | |
| procedures and | policies and | | | |
| interview | procedures** | | | |
| personnel to | examined for | | | |
| verify that | this testing | | | |
| service | procedure. | | | |
| providers with | | | | |
| remote access | | | | |
| to customer | | | | |
| premises use | | | | |
| unique | | | | |
| authentication | | | | |
| factors for | | | | |
| remote access | | | | |
| to each | | | | |
| customer | | | | |
| premises. | | | | |
+-----------------+----------------+---+--------------+-----------------+
| | **Identify** | | \<Enter | |
| | the evidence | | Response | |
| | reference | | Here\> | |
| | number(s) from | | | |
| | [Section | | | |
| | 6](#evi | | | |
| | dence-assessme | | | |
| | nt-workpapers) | | | |
| | for all | | | |
| | ** | | | |
| | interview(s)** | | | |
| | conducted for | | | |
| | this testing | | | |
| | procedure. | | | |
+-----------------+----------------+---+--------------+-----------------+
| > **PCI DSS | | | | |
| > Requirement** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **8.2.4** | | | | |
| Addition, | | | | |
| deletion, and | | | | |
| modification of | | | | |
| user IDs, | | | | |
| authentication | | | | |
| factors, and | | | | |
| other | | | | |
| identifier | | | | |
| objects are | | | | |
| managed as | | | | |
| follows: | | | | |
| | | | | |
| - Authorized | | | | |
| with the | | | | |
| appropriate | | | | |
| approval. | | | | |
| | | | | |
| - Implemented | | | | |
| with only | | | | |
| the | | | | |
| privileges | | | | |
| specified | | | | |
| on the | | | | |
| documented | | | | |
| approval. | | | | |
+-----------------+----------------+---+--------------+-----------------+
| > **Assessment | | | | |
| > Findings | | | | |
| > (select | | | | |
| > one)** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **In Place** | **Not | * | | **Not in |
| | Applicable** | * | | Place** |
| | | N | | |
| | | o | | |
| | | t | | |
| | | T | | |
| | | e | | |
| | | s | | |
| | | t | | |
| | | e | | |
| | | d | | |
| | | * | | |
| | | * | | |
+-----------------+----------------+---+--------------+-----------------+
| ☐ | ☐ | ☐ | | ☐ |
+-----------------+----------------+---+--------------+-----------------+
| Describe why | | \ | | |
| the assessment | | < | | |
| finding was | | E | | |
| selected. | | n | | |
| | | t | | |
| ***Note**: | | e | | |
| Include all | | r | | |
| details as | | R | | |
| noted in the | | e | | |
| "Required | | s | | |
| Reporting" | | p | | |
| column of the | | o | | |
| table in | | n | | |
| [Assessment | | s | | |
| F | | e | | |
| indings](#asses | | H | | |
| sment-findings) | | e | | |
| in the ROC | | r | | |
| Template | | e | | |
| Instructions.* | | \ | | |
| | | > | | |
+-----------------+----------------+---+--------------+-----------------+
+-----------------+-------------------+--------------------------------+
| **Validation | | |
| Method -- | | |
| Customized | | |
| Approach** | | |
+=================+===================+================================+
| **Indicate** | | - Yes ☐ No |
| whether a | | |
| Customized | | |
| Approach was | | |
| used: | | |
+-----------------+-------------------+--------------------------------+
| **If "Yes", | | \<Enter Response Here\> |
| Identify** the | | |
| aspect(s) of | | |
| the requirement | | |
| where the | | |
| Customized | | |
| Approach was | | |
| used. | | |
| | | |
| ***Note:** The | | |
| use of | | |
| Customized | | |
| Approach must | | |
| also be | | |
| documented in | | |
| [Appendix | | |
| E | | |
| .](#appendix-e- | | |
| customized-appr | | |
| oach-template)* | | |
+-----------------+-------------------+--------------------------------+
| **Validation | | |
| Method -- | | |
| Defined | | |
| Approach** | | |
+-----------------+-------------------+--------------------------------+
| **Indicate** | | - Yes ☐ No |
| whether a | | |
| Compensating | | |
| Control was | | |
| used: | | |
+-----------------+-------------------+--------------------------------+
| **If "Yes", | | \<Enter Response Here\> |
| Identify** the | | |
| aspect(s) of | | |
| the requirement | | |
| where the | | |
| Compensating | | |
| Control(s) was | | |
| used. | | |
| | | |
| ***Note:** The | | |
| use of | | |
| Compensating | | |
| Controls must | | |
| also be | | |
| documented in | | |
| [Appendix | | |
| C.]( | | |
| #appendix-c-com | | |
| pensating-contr | | |
| ols-worksheet)* | | |
+-----------------+-------------------+--------------------------------+
| > **Testing | > **Reporting | > **Reporting Details: |
| > Procedures** | > Instructions** | > Assessor's Response** |
+-----------------+-------------------+--------------------------------+
| **8.2.4** | **Identify** the | \<Enter Response Here\> |
| Examine | evidence | |
| documented | reference | |
| authorizations | number(s) from | |
| across various | [Section | |
| phases of the | 6 | |
| account | ](#evidence-asses | |
| lifecycle | sment-workpapers) | |
| (additions, | for all | |
| modifications, | **documented | |
| and deletions) | authorizations** | |
| and examine | examined for this | |
| system settings | testing | |
| to verify the | procedure. | |
| activity has | | |
| been managed in | | |
| accordance with | | |
| all elements | | |
| specified in | | |
| this | | |
| requirement. | | |
+-----------------+-------------------+--------------------------------+
| | **Identify** the | \<Enter Response Here\> |
| | evidence | |
| | reference | |
| | number(s) from | |
| | [Section | |
| | 6 | |
| | ](#evidence-asses | |
| | sment-workpapers) | |
| | for all **system | |
| | settings** | |
| | examined for this | |
| | testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+
+-----------------+----------------+---+--------------+-----------------+
| > **PCI DSS | | | | |
| > Requirement** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **8.2.5** | | | | |
| Access for | | | | |
| terminated | | | | |
| users is | | | | |
| immediately | | | | |
| revoked. | | | | |
+-----------------+----------------+---+--------------+-----------------+
| > **Assessment | | | | |
| > Findings | | | | |
| > (select | | | | |
| > one)** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **In Place** | **Not | * | | **Not in |
| | Applicable** | * | | Place** |
| | | N | | |
| | | o | | |
| | | t | | |
| | | T | | |
| | | e | | |
| | | s | | |
| | | t | | |
| | | e | | |
| | | d | | |
| | | * | | |
| | | * | | |
+-----------------+----------------+---+--------------+-----------------+
| ☐ | ☐ | ☐ | | ☐ |
+-----------------+----------------+---+--------------+-----------------+
| Describe why | | \ | | |
| the assessment | | < | | |
| finding was | | E | | |
| selected. | | n | | |
| | | t | | |
| ***Note**: | | e | | |
| Include all | | r | | |
| details as | | R | | |
| noted in the | | e | | |
| "Required | | s | | |
| Reporting" | | p | | |
| column of the | | o | | |
| table in* | | n | | |
| [Assessment | | s | | |
| F | | e | | |
| indings](#asses | | H | | |
| sment-findings) | | e | | |
| *in the ROC | | r | | |
| Template | | e | | |
| Instructions.* | | \ | | |
| | | > | | |
+-----------------+----------------+---+--------------+-----------------+
| **Validation | | | | |
| Method -- | | | | |
| Customized | | | | |
| Approach** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **Indicate** | | | - Yes ☐ No | |
| whether a | | | | |
| Customized | | | | |
| Approach was | | | | |
| used: | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **If "Yes", | | | \<Enter | |
| Identify** the | | | Response | |
| aspect(s) of | | | Here\> | |
| the requirement | | | | |
| where the | | | | |
| Customized | | | | |
| Approach was | | | | |
| used. | | | | |
| | | | | |
| ***Note:** The | | | | |
| use of | | | | |
| Customized | | | | |
| Approach must | | | | |
| also be | | | | |
| documented in | | | | |
| [Appendix | | | | |
| E | | | | |
| .](#appendix-e- | | | | |
| customized-appr | | | | |
| oach-template)* | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **Validation | | | | |
| Method -- | | | | |
| Defined | | | | |
| Approach** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **Indicate** | | | - Yes ☐ No | |
| whether a | | | | |
| Compensating | | | | |
| Control was | | | | |
| used: | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **If "Yes", | | | \<Enter | |
| Identify** the | | | Response | |
| aspect(s) of | | | Here\> | |
| the requirement | | | | |
| where the | | | | |
| Compensating | | | | |
| Control(s) was | | | | |
| used. | | | | |
| | | | | |
| ***Note:** The | | | | |
| use of | | | | |
| Compensating | | | | |
| Controls must | | | | |
| also be | | | | |
| documented in | | | | |
| [Appendix | | | | |
| C.]( | | | | |
| #appendix-c-com | | | | |
| pensating-contr | | | | |
| ols-worksheet)* | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **Testing | > **Reporting | | > | |
| Procedures** | > | | **Reporting | |
| | Instructions** | | > Details: | |
| | | | > Assessor's | |
| | | | > Response** | |
+-----------------+----------------+---+--------------+-----------------+
| **8.2.5.a** | **Identify** | | \<Enter | |
| Examine | the evidence | | Response | |
| information | reference | | Here\> | |
| sources for | number(s) from | | | |
| terminated | [Section | | | |
| users and | 6](#evi | | | |
| review | dence-assessme | | | |
| | nt-workpapers) | | | |
| | for all | | | |
| | * | | | |
| | *information** | | | |
+-----------------+----------------+---+--------------+-----------------+
+-----------------+----------------+---+--------------+-----------------+
| current user | **sources** | | | |
| access | examined for | | | |
| lists---for | this testing | | | |
| both local and | procedure. | | | |
| remote | | | | |
| access---to | | | | |
| verify that | | | | |
| terminated user | | | | |
| IDs have been | | | | |
| deactivated or | | | | |
| removed from | | | | |
| the access | | | | |
| lists. | | | | |
+=================+================+===+==============+=================+
| | **Identify** | | \<Enter | |
| | the evidence | | Response | |
| | reference | | Here\> | |
| | number(s) from | | | |
| | [Section | | | |
| | 6](#evi | | | |
| | dence-assessme | | | |
| | nt-workpapers) | | | |
| | for all | | | |
| | **current user | | | |
| | access lists** | | | |
| | examined for | | | |
| | this testing | | | |
| | procedure. | | | |
+-----------------+----------------+---+--------------+-----------------+
| **8.2.5.b** | **Identify** | | \<Enter | |
| Interview | the evidence | | Response | |
| responsible | reference | | Here\> | |
| personnel to | number(s) from | | | |
| verify that all | [Section | | | |
| physical | 6](#evi | | | |
| authentication | dence-assessme | | | |
| factors---such | nt-workpapers) | | | |
| as, smart | for all | | | |
| cards, tokens, | ** | | | |
| etc.---have | interview(s)** | | | |
| been returned | conducted for | | | |
| or deactivated | this testing | | | |
| for terminated | procedure. | | | |
| users. | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **PCI DSS | | | | |
| Requirement** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **8.2.6** | | | | |
| Inactive user | | | | |
| accounts are | | | | |
| removed or | | | | |
| disabled within | | | | |
| 90 days of | | | | |
| inactivity. | | | | |
+-----------------+----------------+---+--------------+-----------------+
| > **Assessment | | | | |
| > Findings | | | | |
| > (select | | | | |
| > one)** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **In Place** | **Not | * | | **Not in |
| | Applicable** | * | | Place** |
| | | N | | |
| | | o | | |
| | | t | | |
| | | T | | |
| | | e | | |
| | | s | | |
| | | t | | |
| | | e | | |
| | | d | | |
| | | * | | |
| | | * | | |
+-----------------+----------------+---+--------------+-----------------+
| ☐ | ☐ | ☐ | | ☐ |
+-----------------+----------------+---+--------------+-----------------+
| Describe why | | \ | | |
| the assessment | | < | | |
| finding was | | E | | |
| selected. | | n | | |
| | | t | | |
| ***Note**: | | e | | |
| Include all | | r | | |
| details as | | R | | |
| noted in the | | e | | |
| "Required | | s | | |
| Reporting" | | p | | |
| column of the | | o | | |
| table in | | n | | |
| [Assessment | | s | | |
| F | | e | | |
| indings](#asses | | H | | |
| sment-findings) | | e | | |
| in the ROC | | r | | |
| Template | | e | | |
| Instructions.* | | \ | | |
| | | > | | |
+-----------------+----------------+---+--------------+-----------------+
| **Validation | | | | |
| Method -- | | | | |
| Customized | | | | |
| Approach** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **Indicate** | | | - Yes ☐ No | |
| whether a | | | | |
| Customized | | | | |
| Approach was | | | | |
| used: | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **If "Yes", | | | \<Enter | |
| Identify** the | | | Response | |
| aspect(s) of | | | Here\> | |
| the requirement | | | | |
| where the | | | | |
| Customized | | | | |
| Approach was | | | | |
| used. | | | | |
| | | | | |
| ***Note:** The | | | | |
| use of | | | | |
| Customized | | | | |
| Approach must | | | | |
| also be | | | | |
| documented in | | | | |
| [Appendix | | | | |
| E | | | | |
| .](#appendix-e- | | | | |
| customized-appr | | | | |
| oach-template)* | | | | |
+-----------------+----------------+---+--------------+-----------------+
+-----------------+-------------------+--------------------------------+
| **Validation | | |
| Method -- | | |
| Defined | | |
| Approach** | | |
+=================+===================+================================+
| **Indicate** | | - Yes ☐ No |
| whether a | | |
| Compensating | | |
| Control was | | |
| used: | | |
+-----------------+-------------------+--------------------------------+
| **If "Yes", | | \<Enter Response Here\> |
| Identify** the | | |
| aspect(s) of | | |
| the requirement | | |
| where the | | |
| Compensating | | |
| Control(s) was | | |
| used. | | |
| | | |
| ***Note:** The | | |
| use of | | |
| Compensating | | |
| Controls must | | |
| also be | | |
| documented in | | |
| [Appendix | | |
| C.]( | | |
| #appendix-c-com | | |
| pensating-contr | | |
| ols-worksheet)* | | |
+-----------------+-------------------+--------------------------------+
| > **Testing | > **Reporting | > **Reporting Details: |
| > Procedures** | > Instructions** | > Assessor's Response** |
+-----------------+-------------------+--------------------------------+
| **8.2.6** | **Identify** the | \<Enter Response Here\> |
| Examine user | evidence | |
| accounts and | reference | |
| last logon | number(s) from | |
| information, | [Section | |
| and interview | 6 | |
| personnel to | ](#evidence-asses | |
| verify that any | sment-workpapers) | |
| inactive user | for all **user | |
| accounts are | accounts and last | |
| removed or | login | |
| disabled within | information** | |
| 90 days of | examined for this | |
| inactivity. | testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+
| | **Identify** the | \<Enter Response Here\> |
| | evidence | |
| | reference | |
| | number(s) from | |
| | [Section | |
| | 6 | |
| | ](#evidence-asses | |
| | sment-workpapers) | |
| | for all | |
| | **interview(s)** | |
| | conducted for | |
| | this testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+
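As an added example (not part of the ROC template or any PCI SSC material), the following Python script applies the checks behind testing procedures 8.2.5.a and 8.2.6 to constructed sample data: it cross-references an HR termination list against local and remote access lists and flags enabled user IDs whose last logon (or creation date, for IDs that never logged on) is more than 90 days before the audit date. The export row format, user IDs, dates and the `SAMPLE_*` constants are all assumptions made for the example.

```python
"""Account-lifecycle checks behind PCI DSS 8.2.5 and 8.2.6 (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional

# PCI DSS 8.2.6: inactive accounts are removed or disabled within 90 days.
INACTIVITY_LIMIT = timedelta(days=90)


@dataclass(frozen=True)
class AccountRecord:
    """One entry from a local or remote access list (assumed export format)."""
    user_id: str
    enabled: bool
    created: datetime
    last_logon: Optional[datetime]  # None means the ID never logged on
    scope: str                      # "local" or "remote"; 8.2.5.a covers both


def parse_ts(value: Optional[str]) -> Optional[datetime]:
    """Parse an ISO 8601 UTC timestamp such as 2024-05-30T09:12:00Z."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def load_records(rows: Iterable[dict]) -> List[AccountRecord]:
    """Convert raw export rows (dicts, assumed format) into AccountRecords."""
    return [
        AccountRecord(
            user_id=row["user"],
            enabled=bool(row["enabled"]),
            created=parse_ts(row["created"]),
            last_logon=parse_ts(row.get("last_logon")),
            scope=row["scope"],
        )
        for row in rows
    ]


def days_inactive(rec: AccountRecord, as_of: datetime) -> int:
    """Whole days since the last logon, or since creation if there was none."""
    return (as_of - (rec.last_logon or rec.created)).days


def audit_accounts(records: Iterable[AccountRecord], terminated: Dict[str, str],
                   as_of: datetime) -> Dict[str, List[str]]:
    """Return the user IDs (with access scope) that fail 8.2.5 and 8.2.6.

    8.2.5: a terminated user whose ID is still enabled in any access list.
    8.2.6: any other enabled ID inactive for more than INACTIVITY_LIMIT
           (exactly 90 days is still within the limit).
    Disabled IDs satisfy both requirements and are skipped.
    """
    findings: Dict[str, List[str]] = {"8.2.5": [], "8.2.6": []}
    for rec in records:
        if not rec.enabled:
            continue
        label = f"{rec.user_id} ({rec.scope})"
        if rec.user_id in terminated:
            findings["8.2.5"].append(label)
        elif as_of - (rec.last_logon or rec.created) > INACTIVITY_LIMIT:
            findings["8.2.6"].append(label)
    return findings


# Constructed sample access-list export (not from any real system).
SAMPLE_ROWS = [
    {"user": "jdoe", "enabled": True, "created": "2023-01-10T00:00:00Z",
     "last_logon": "2024-05-30T09:12:00Z", "scope": "local"},
    {"user": "asmith", "enabled": True, "created": "2022-06-01T00:00:00Z",
     "last_logon": "2024-01-02T17:45:00Z", "scope": "remote"},
    {"user": "svc_etl", "enabled": True, "created": "2024-01-10T00:00:00Z",
     "last_logon": None, "scope": "local"},            # never logged on
    {"user": "bwong", "enabled": False, "created": "2021-03-15T00:00:00Z",
     "last_logon": "2023-11-20T08:00:00Z", "scope": "remote"},
    {"user": "clee", "enabled": True, "created": "2023-07-01T00:00:00Z",
     "last_logon": "2024-05-28T12:00:00Z", "scope": "remote"},
    {"user": "mruiz", "enabled": True, "created": "2023-02-01T00:00:00Z",
     "last_logon": "2024-02-20T10:00:00Z", "scope": "local"},
    {"user": "ngreen", "enabled": True, "created": "2023-02-01T00:00:00Z",
     "last_logon": "2024-03-03T00:00:00Z", "scope": "local"},  # exactly 90 days
]
# Constructed HR termination feed: user ID -> termination date.
SAMPLE_TERMINATIONS = {"asmith": "2024-04-15", "bwong": "2023-12-01",
                       "clee": "2024-05-20"}
AS_OF = datetime(2024, 6, 1, tzinfo=timezone.utc)  # assumed assessment date

if __name__ == "__main__":
    recs = load_records(SAMPLE_ROWS)
    for req, ids in audit_accounts(recs, SAMPLE_TERMINATIONS, AS_OF).items():
        print(f"{req}: {', '.join(ids) if ids else 'no findings'}")
```

Run against a real export, the two lists map directly onto the evidence an assessor asks for under 8.2.5.a and 8.2.6: each ID listed is a candidate "Not in Place" finding, while a terminated ID that is disabled or absent is compliant.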
**PCI DSS Requirement**

**8.2.7** Accounts used by third parties to access, support, or maintain system components via remote access are managed as follows:

- Enabled only during the time period needed and disabled when not in use.
- Use is monitored for unexpected activity.

**Assessment Findings (select one)**

| **In Place** | **Not Applicable** | **Not Tested** | **Not in Place** |
|---|---|---|---|
| ☐ | ☐ | ☐ | ☐ |

Describe why the assessment finding was selected. \<Enter Response Here\>

***Note**: Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.*

**Validation Method -- Customized Approach**

**Indicate** whether a Customized Approach was used: ☐ Yes ☐ No

**If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used. \<Enter Response Here\>

***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)*

**Validation Method -- Defined Approach**

**Indicate** whether a Compensating Control was used: ☐ Yes ☐ No

**If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used. \<Enter Response Here\>

***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)*

| **Testing Procedures** | **Reporting Instructions** | **Reporting Details: Assessor's Response** |
|---|---|---|
| **8.2.7** Interview personnel, examine documentation for managing accounts, and examine evidence to verify that accounts used by third parties for remote access are managed according to all elements specified in this requirement. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **interview(s)** conducted for this testing procedure. | \<Enter Response Here\> |
| | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **documentation** examined for this testing procedure. | \<Enter Response Here\> |
| | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for any **other evidence** examined for this testing procedure. | \<Enter Response Here\> |

**PCI DSS Requirement**

**8.2.8** If a user session has been idle for more than 15 minutes, the user is required to re-authenticate to re-activate the terminal or session.

**Assessment Findings (select one)**

| **In Place** | **Not Applicable** | **Not Tested** | **Not in Place** |
|---|---|---|---|
| ☐ | ☐ | ☐ | ☐ |

Describe why the assessment finding was selected. \<Enter Response Here\>

***Note**: Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.*

**Validation Method -- Customized Approach**

**Indicate** whether a Customized Approach was used: ☐ Yes ☐ No

**If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used. \<Enter Response Here\>

***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)*

**Validation Method -- Defined Approach**

**Indicate** whether a Compensating Control was used: ☐ Yes ☐ No

**If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used. \<Enter Response Here\>

***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)*

| **Testing Procedures** | **Reporting Instructions** | **Reporting Details: Assessor's Response** |
|---|---|---|
| **8.2.8** Examine system configuration settings to verify that system/session idle timeout features for user sessions have been set to 15 minutes or less. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **system configuration settings** examined for this testing procedure. | \<Enter Response Here\> |

+------------------------------------------------------------------------------+
| **Requirement Description**                                                  |
+==============================================================================+
| **8.3** Strong authentication for users and administrators is established    |
| and managed.                                                                 |
+------------------------------------------------------------------------------+

+------------------------------------------------------------------------------+
| **PCI DSS Requirement**                                                      |
+==============================================================================+
| **8.3.1** All user access to system components for users and administrators  |
| is authenticated via at least one of the following authentication factors:   |
|                                                                              |
| - Something you know, such as a password or passphrase.                      |
| - Something you have, such as a token device or smart card.                  |
| - Something you are, such as a biometric element.                            |
+------------------------------------------------------------------------------+

**Assessment Findings (select one)**

+--------------------+--------------------+--------------------+--------------------+
| **In Place**       | **Not Applicable** | **Not Tested**     | **Not in Place**   |
+====================+====================+====================+====================+
| ☐                  | ☐                  | ☐                  | ☐                  |
+--------------------+--------------------+--------------------+--------------------+

+----------------------------------------------------------------+---------------------------+
| Describe why the assessment finding was selected.              | \<Enter Response Here\>   |
|                                                                |                           |
| ***Note**: Include all details as noted in the "Required       |                           |
| Reporting" column of the table in                              |                           |
| [Assessment Findings](#assessment-findings) in the ROC         |                           |
| Template Instructions.*                                        |                           |
+----------------------------------------------------------------+---------------------------+

+----------------------------------------------------------------+---------------------------+
| **Validation Method -- Customized Approach**                   |                           |
+================================================================+===========================+
| **Indicate** whether a Customized Approach was used:           | ☐ Yes ☐ No                |
+----------------------------------------------------------------+---------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where  | \<Enter Response Here\>   |
| the Customized Approach was used.                              |                           |
|                                                                |                           |
| ***Note:** The use of Customized Approach must also be         |                           |
| documented in                                                  |                           |
| [Appendix E.](#appendix-e-customized-approach-template)*       |                           |
+----------------------------------------------------------------+---------------------------+


+----------------------------------------------------------------+---------------------------+
| **Validation Method -- Defined Approach**                      |                           |
+================================================================+===========================+
| **Indicate** whether a Compensating Control was used:          | ☐ Yes ☐ No                |
+----------------------------------------------------------------+---------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where  | \<Enter Response Here\>   |
| the Compensating Control(s) was used.                          |                           |
|                                                                |                           |
| ***Note:** The use of Compensating Controls must also be       |                           |
| documented in                                                  |                           |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*    |                           |
+----------------------------------------------------------------+---------------------------+

+--------------------------------------+------------------------------------------------------+-------------------------+
| **Testing Procedures**               | **Reporting Instructions**                           | **Reporting Details:    |
|                                      |                                                      | Assessor's Response**   |
+======================================+======================================================+=========================+
| **8.3.1.a** Examine documentation    | **Identify** the evidence reference number(s) from   | \<Enter Response Here\> |
| describing the authentication        | [Section 6](#evidence-assessment-workpapers) for all |                         |
| factor(s) used to verify that user   | **documentation** examined for this                  |                         |
| access to system components is       | testing procedure.                                   |                         |
| authenticated via at least one       |                                                      |                         |
| authentication factor specified in   |                                                      |                         |
| this requirement.                    |                                                      |                         |
+--------------------------------------+------------------------------------------------------+-------------------------+
| **8.3.1.b** For each type of         | **Identify** the evidence reference number(s) from   | \<Enter Response Here\> |
| authentication factor used with      | [Section 6](#evidence-assessment-workpapers) for all |                         |
| each type of system component,       | **observation(s) of each type of authentication      |                         |
| observe an authentication to         | factor used** for this testing procedure.            |                         |
| verify that authentication is        |                                                      |                         |
| functioning consistently with        |                                                      |                         |
| documented authentication            |                                                      |                         |
| factor(s).                           |                                                      |                         |
+--------------------------------------+------------------------------------------------------+-------------------------+


+------------------------------------------------------------------------------+
| **PCI DSS Requirement**                                                      |
+==============================================================================+
| **8.3.2** Strong cryptography is used to render all authentication factors   |
| unreadable during transmission and storage on all system components.         |
+------------------------------------------------------------------------------+

**Assessment Findings (select one)**

+--------------------+--------------------+--------------------+--------------------+
| **In Place**       | **Not Applicable** | **Not Tested**     | **Not in Place**   |
+====================+====================+====================+====================+
| ☐                  | ☐                  | ☐                  | ☐                  |
+--------------------+--------------------+--------------------+--------------------+

+----------------------------------------------------------------+---------------------------+
| Describe why the assessment finding was selected.              | \<Enter Response Here\>   |
|                                                                |                           |
| ***Note**: Include all details as noted in the "Required       |                           |
| Reporting" column of the table in                              |                           |
| [Assessment Findings](#assessment-findings) in the ROC         |                           |
| Template Instructions.*                                        |                           |
+----------------------------------------------------------------+---------------------------+

+----------------------------------------------------------------+---------------------------+
| **Validation Method -- Customized Approach**                   |                           |
+================================================================+===========================+
| **Indicate** whether a Customized Approach was used:           | ☐ Yes ☐ No                |
+----------------------------------------------------------------+---------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where  | \<Enter Response Here\>   |
| the Customized Approach was used.                              |                           |
|                                                                |                           |
| ***Note:** The use of Customized Approach must also be         |                           |
| documented in                                                  |                           |
| [Appendix E.](#appendix-e-customized-approach-template)*       |                           |
+----------------------------------------------------------------+---------------------------+

+----------------------------------------------------------------+---------------------------+
| **Validation Method -- Defined Approach**                      |                           |
+================================================================+===========================+
| **Indicate** whether a Compensating Control was used:          | ☐ Yes ☐ No                |
+----------------------------------------------------------------+---------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where  | \<Enter Response Here\>   |
| the Compensating Control(s) was used.                          |                           |
|                                                                |                           |
| ***Note:** The use of Compensating Controls must also be       |                           |
| documented in                                                  |                           |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*    |                           |
+----------------------------------------------------------------+---------------------------+


+--------------------------------------+------------------------------------------------------+-------------------------+
| **Testing Procedures**               | **Reporting Instructions**                           | **Reporting Details:    |
|                                      |                                                      | Assessor's Response**   |
+======================================+======================================================+=========================+
| **8.3.2.a** Examine vendor           | **Identify** the evidence reference number(s) from   | \<Enter Response Here\> |
| documentation and system             | [Section 6](#evidence-assessment-workpapers) for all |                         |
| configuration settings to verify     | **vendor documentation** examined for this           |                         |
| that authentication factors are      | testing procedure.                                   |                         |
| rendered unreadable with strong      |                                                      |                         |
| cryptography during transmission     |                                                      |                         |
| and storage.                         |                                                      |                         |
+--------------------------------------+------------------------------------------------------+-------------------------+
|                                      | **Identify** the evidence reference number(s) from   | \<Enter Response Here\> |
|                                      | [Section 6](#evidence-assessment-workpapers) for all |                         |
|                                      | **system configuration settings** examined for this  |                         |
|                                      | testing procedure.                                   |                         |
+--------------------------------------+------------------------------------------------------+-------------------------+
| **8.3.2.b** Examine repositories of  | **Identify** the evidence reference number(s) from   | \<Enter Response Here\> |
| authentication factors to verify     | [Section 6](#evidence-assessment-workpapers) for all |                         |
| that they are unreadable during      | **repositories of authentication factors** examined  |                         |
| storage.                             | for this testing procedure.                          |                         |
+--------------------------------------+------------------------------------------------------+-------------------------+
| **8.3.2.c** Examine data             | **Identify** the evidence reference number(s) from   | \<Enter Response Here\> |
| transmissions to verify that         | [Section 6](#evidence-assessment-workpapers) for all |                         |
| authentication factors are           | **data transmissions** examined for this             |                         |
| unreadable during transmission.      | testing procedure.                                   |                         |
+--------------------------------------+------------------------------------------------------+-------------------------+

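
The 8.3.2 testing procedures above say what the assessor examines (vendor documentation, configuration, repositories, transmissions) but not what an acceptable repository looks like. The following is an added illustration of the storage side; it is not part of the ROC template or of any PCI SSC material. It shows one way to protect a stored authentication factor with a salted, iterated key-derivation function (PBKDF2-HMAC-SHA256 from the Python standard library, verified in constant time) and a triage routine that sorts the entries of a credential-repository export into salted-KDF, fast-or-unsalted-hash and plaintext buckets. The record layout, the iteration count, the prefix table and the sample export are assumptions made for this example. Which schemes satisfy "strong cryptography" remains the assessor's determination against the PCI DSS glossary definition, and a prefix can only show how a value is formatted, not prove that it was actually hashed.

```python
"""Added example for Requirement 8.3.2: protect a stored authentication factor
with a salted, iterated KDF, and triage a credential-repository export by how
each secret is stored.

Assumptions, none from the ROC template: the record layout, iteration count,
prefix table and sample export. Whether a scheme is "strong cryptography" is the
assessor's call against the PCI DSS glossary; this only sorts records into
buckets for that judgement, and a prefix cannot prove a value was really hashed."""

import hashlib
import hmac
import os
import re
from typing import List, Tuple

PBKDF2_ITERATIONS = 600_000   # assumed policy value; each verify costs one full KDF run


def store_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: $pbkdf2-sha256$<iters>$<salt hex>$<hash hex>.
    A fresh random salt per password defeats precomputed tables and makes equal
    passwords produce different records."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"$pbkdf2-sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = record.lstrip("$").split("$")
    if scheme != "pbkdf2-sha256":
        raise ValueError(f"unsupported scheme: {scheme}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Triage table: (regex on the stored value, bucket, note); first match wins.
# kdf = salted and iterated or memory-hard; fast-hash = unsalted and/or a single
# fast hash, recoverable by precomputation or brute force.
SCHEMES: List[Tuple[str, str, str]] = [
    (r"^\$argon2(id|i|d)\$", "kdf", "Argon2 (salted, memory-hard)"),
    (r"^\$2[aby]\$", "kdf", "bcrypt (salted, adaptive cost)"),
    (r"^\$pbkdf2-sha(256|512)\$", "kdf", "PBKDF2-HMAC (salted, iterated)"),
    (r"^\$6\$", "kdf", "sha512crypt (salted, iterated)"),
    (r"^\$1\$", "fast-hash", "md5crypt: MD5-based, deprecated"),
    (r"^\{SHA\}", "fast-hash", "LDAP {SHA}: unsalted SHA-1"),
    (r"^[0-9a-fA-F]{32}$", "fast-hash", "32 hex chars: looks like unsalted MD5"),
    (r"^[0-9a-fA-F]{40}$", "fast-hash", "40 hex chars: looks like unsalted SHA-1"),
    (r"^[0-9a-fA-F]{64}$", "fast-hash", "64 hex chars: looks like unsalted SHA-256"),
]


def classify_secret(stored: str) -> Tuple[str, str]:
    """Bucket one stored value; anything unrecognised is readable as stored."""
    for pattern, bucket, note in SCHEMES:
        if re.match(pattern, stored):
            return bucket, note
    return "plaintext", "no recognised hash format; value is readable as stored"


# Constructed sample users-table export (username,stored_secret). The Argon2 and
# bcrypt values are dummies shaped like real records, not hashes of anything.
SAMPLE_EXPORT = """\
# username,stored_secret
alice,$argon2id$v=19$m=65536,t=3,p=4$c29tZXNhbHQ$RdescudvJCsgt3ub+b+dWRWJTmaaJObG
bob,$2b$12$LJ3m4ZR3sV2fP4sgB6m0Y.xWQdX1iGfqmS7uXXN0mZrqaG8k5YrRK
carol,5f4dcc3b5aa765d61d8327deb882cf99
dave,{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
erin,Summer2024!
"""


def scan_export(export: str) -> List[Tuple[str, str, str]]:
    """Return (username, bucket, note) for every non-comment record."""
    results = []
    for line in export.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, secret = line.split(",", 1)   # split once: Argon2 params contain commas
        results.append((user, *classify_secret(secret)))
    return results


def findings_8_3_2_b(export: str) -> List[Tuple[str, str, str]]:
    """Records an assessor would cite under 8.3.2.b: secret not protected by a KDF."""
    return [entry for entry in scan_export(export) if entry[1] != "kdf"]


if __name__ == "__main__":
    record = store_password("correct horse battery staple")
    print(record, verify_password("correct horse battery staple", record))
    for user, bucket, note in findings_8_3_2_b(SAMPLE_EXPORT):
        print(f"{user}: {bucket} - {note}")
```

The triage output maps directly onto 8.3.2.b: every record outside the KDF bucket is a candidate for a Not in Place finding and should be cited, with the repository examined, by its evidence reference number from Section 6.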

+------------------------------------------------------------------------------+
| **PCI DSS Requirement**                                                      |
+==============================================================================+
| **8.3.3** User identity is verified before modifying any authentication      |
| factor.                                                                      |
+------------------------------------------------------------------------------+

**Assessment Findings (select one)**

+--------------------+--------------------+--------------------+--------------------+
| **In Place**       | **Not Applicable** | **Not Tested**     | **Not in Place**   |
+====================+====================+====================+====================+
| ☐                  | ☐                  | ☐                  | ☐                  |
+--------------------+--------------------+--------------------+--------------------+

+----------------------------------------------------------------+---------------------------+
| Describe why the assessment finding was selected.              | \<Enter Response Here\>   |
|                                                                |                           |
| ***Note**: Include all details as noted in the "Required       |                           |
| Reporting" column of the table in                              |                           |
| [Assessment Findings](#assessment-findings) in the ROC         |                           |
| Template Instructions.*                                        |                           |
+----------------------------------------------------------------+---------------------------+

+----------------------------------------------------------------+---------------------------+
| **Validation Method -- Customized Approach**                   |                           |
+================================================================+===========================+
| **Indicate** whether a Customized Approach was used:           | ☐ Yes ☐ No                |
+----------------------------------------------------------------+---------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where  | \<Enter Response Here\>   |
| the Customized Approach was used.                              |                           |
|                                                                |                           |
| ***Note:** The use of Customized Approach must also be         |                           |
| documented in                                                  |                           |
| [Appendix E.](#appendix-e-customized-approach-template)*       |                           |
+----------------------------------------------------------------+---------------------------+

+----------------------------------------------------------------+---------------------------+
| **Validation Method -- Defined Approach**                      |                           |
+================================================================+===========================+
| **Indicate** whether a Compensating Control was used:          | ☐ Yes ☐ No                |
+----------------------------------------------------------------+---------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where  | \<Enter Response Here\>   |
| the Compensating Control(s) was used.                          |                           |
|                                                                |                           |
| ***Note:** The use of Compensating Controls must also be       |                           |
| documented in                                                  |                           |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*    |                           |
+----------------------------------------------------------------+---------------------------+


+--------------------------------------+------------------------------------------------------+-------------------------+
| **Testing Procedures**               | **Reporting Instructions**                           | **Reporting Details:    |
|                                      |                                                      | Assessor's Response**   |
+======================================+======================================================+=========================+
| **8.3.3** Examine procedures for     | **Identify** the evidence reference number(s) from   | \<Enter Response Here\> |
| modifying authentication factors     | [Section 6](#evidence-assessment-workpapers) for all |                         |
| and observe security personnel to    | **procedures** examined for this                     |                         |
| verify that when a user requests a   | testing procedure.                                   |                         |
| modification of an authentication    |                                                      |                         |
| factor, the user's identity is       |                                                      |                         |
| verified before the authentication   |                                                      |                         |
| factor is modified.                  |                                                      |                         |
+--------------------------------------+------------------------------------------------------+-------------------------+
|                                      | **Identify** the evidence reference number(s) from   | \<Enter Response Here\> |
|                                      | [Section 6](#evidence-assessment-workpapers) for all |                         |
|                                      | **observation(s) of security personnel** for this    |                         |
|                                      | testing procedure.                                   |                         |
+--------------------------------------+------------------------------------------------------+-------------------------+

+------------------------------------------------------------------------------+
| **PCI DSS Requirement**                                                      |
+==============================================================================+
| **8.3.4** Invalid authentication attempts are limited by:                    |
|                                                                              |
| - Locking out the user ID after not more than 10 attempts.                   |
| - Setting the lockout duration to a minimum of 30 minutes or until the       |
|   user's identity is confirmed.                                              |
+------------------------------------------------------------------------------+

**Assessment Findings (select one)**

+--------------------+--------------------+--------------------+--------------------+
| **In Place**       | **Not Applicable** | **Not Tested**     | **Not in Place**   |
+====================+====================+====================+====================+
| ☐                  | ☐                  | ☐                  | ☐                  |
+--------------------+--------------------+--------------------+--------------------+

+----------------------------------------------------------------+---------------------------+
| Describe why the assessment finding was selected.              | \<Enter Response Here\>   |
|                                                                |                           |
| ***Note**: Include all details as noted in the "Required       |                           |
| Reporting" column of the table in                              |                           |
| [Assessment Findings](#assessment-findings) in the ROC         |                           |
| Template Instructions.*                                        |                           |
+----------------------------------------------------------------+---------------------------+


+----------------------------------------------------------------+---------------------------+
| **Validation Method -- Customized Approach**                   |                           |
+================================================================+===========================+
| **Indicate** whether a Customized Approach was used:           | ☐ Yes ☐ No                |
+----------------------------------------------------------------+---------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where  | \<Enter Response Here\>   |
| the Customized Approach was used.                              |                           |
|                                                                |                           |
| ***Note:** The use of Customized Approach must also be         |                           |
| documented in                                                  |                           |
| [Appendix E.](#appendix-e-customized-approach-template)*       |                           |
+----------------------------------------------------------------+---------------------------+

+----------------------------------------------------------------+---------------------------+
| **Validation Method -- Defined Approach**                      |                           |
+================================================================+===========================+
| **Indicate** whether a Compensating Control was used:          | ☐ Yes ☐ No                |
+----------------------------------------------------------------+---------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where  | \<Enter Response Here\>   |
| the Compensating Control(s) was used.                          |                           |
|                                                                |                           |
| ***Note:** The use of Compensating Controls must also be       |                           |
| documented in                                                  |                           |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*    |                           |
+----------------------------------------------------------------+---------------------------+

+--------------------------------------+------------------------------------------------------+-------------------------+
| **Testing Procedures**               | **Reporting Instructions**                           | **Reporting Details:    |
|                                      |                                                      | Assessor's Response**   |
+======================================+======================================================+=========================+
| **8.3.4.a** Examine system           | **Identify** the evidence reference number(s) from   | \<Enter Response Here\> |
| configuration settings to verify     | [Section 6](#evidence-assessment-workpapers) for all |                         |
| that authentication parameters are   | **system configuration settings** examined for this  |                         |
| set to require that user accounts    | testing procedure.                                   |                         |
| be locked out after not more than    |                                                      |                         |
| 10 invalid logon attempts.           |                                                      |                         |
+--------------------------------------+------------------------------------------------------+-------------------------+
| **8.3.4.b** Examine system           | **Identify** the evidence reference number(s) from   | \<Enter Response Here\> |
| configuration settings to verify     | [Section 6](#evidence-assessment-workpapers) for all |                         |
| that password parameters are set     | **system configuration settings** examined for this  |                         |
| to require that once a user          | testing procedure.                                   |                         |
| account is locked out, it remains    |                                                      |                         |
| locked for a minimum of 30 minutes   |                                                      |                         |
| or until the user's identity is      |                                                      |                         |
| confirmed.                           |                                                      |                         |
+--------------------------------------+------------------------------------------------------+-------------------------+

+------------------------------------------------------------------------------+
| **PCI DSS Requirement**                                                      |
+==============================================================================+
| **8.3.5** If passwords/passphrases are used as authentication factors to     |
| meet Requirement 8.3.1, they are set and reset for each user as follows:     |
|                                                                              |
| - Set to a unique value for first-time use and upon reset.                   |
| - Forced to be changed immediately after the first use.                      |
+------------------------------------------------------------------------------+


**Assessment Findings (select one)**

+--------------------+--------------------+--------------------+--------------------+
| **In Place**       | **Not Applicable** | **Not Tested**     | **Not in Place**   |
+====================+====================+====================+====================+
| ☐                  | ☐                  | ☐                  | ☐                  |
+--------------------+--------------------+--------------------+--------------------+

+----------------------------------------------------------------+---------------------------+
| Describe why the assessment finding was selected.              | \<Enter Response Here\>   |
|                                                                |                           |
| ***Note**: Include all details as noted in the "Required       |                           |
| Reporting" column of the table in                              |                           |
| [Assessment Findings](#assessment-findings) in the ROC         |                           |
| Template Instructions.*                                        |                           |
+----------------------------------------------------------------+---------------------------+

+----------------------------------------------------------------+---------------------------+
| **Validation Method -- Customized Approach**                   |                           |
+================================================================+===========================+
| **Indicate** whether a Customized Approach was used:           | ☐ Yes ☐ No                |
+----------------------------------------------------------------+---------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where  | \<Enter Response Here\>   |
| the Customized Approach was used.                              |                           |
|                                                                |                           |
| ***Note:** The use of Customized Approach must also be         |                           |
| documented in                                                  |                           |
| [Appendix E.](#appendix-e-customized-approach-template)*       |                           |
+----------------------------------------------------------------+---------------------------+

+----------------------------------------------------------------+---------------------------+
| **Validation Method -- Defined Approach**                      |                           |
+================================================================+===========================+
| **Indicate** whether a Compensating Control was used:          | ☐ Yes ☐ No                |
+----------------------------------------------------------------+---------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where  | \<Enter Response Here\>   |
| the Compensating Control(s) was used.                          |                           |
|                                                                |                           |
| ***Note:** The use of Compensating Controls must also be       |                           |
| documented in                                                  |                           |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*    |                           |
+----------------------------------------------------------------+---------------------------+

+--------------------------------------+------------------------------------------------------+-------------------------+
| **Testing Procedures**               | **Reporting Instructions**                           | **Reporting Details:    |
|                                      |                                                      | Assessor's Response**   |
+======================================+======================================================+=========================+
| **8.3.5** Examine procedures for     | **Identify** the evidence reference number(s) from   | \<Enter Response Here\> |
| setting and resetting                | [Section 6](#evidence-assessment-workpapers) for all |                         |
| passwords/passphrases (if used as    | **procedures** examined for this                     |                         |
| authentication factors to meet       | testing procedure.                                   |                         |
| Requirement 8.3.1) and observe       |                                                      |                         |
| security personnel to verify that    |                                                      |                         |
| passwords/passphrases are set and    |                                                      |                         |
| reset in accordance with all         |                                                      |                         |
| elements specified in this           |                                                      |                         |
| requirement.                         |                                                      |                         |
+--------------------------------------+------------------------------------------------------+-------------------------+
|                                      | **Identify** the evidence reference number(s) from   | \<Enter Response Here\> |
|                                      | [Section 6](#evidence-assessment-workpapers) for all |                         |
|                                      | **observation(s) of security personnel** for this    |                         |
|                                      | testing procedure.                                   |                         |
+--------------------------------------+------------------------------------------------------+-------------------------+


+------------------------------------------------------------------------------+
| **PCI DSS Requirement**                                                      |
+==============================================================================+
| **8.3.6** If passwords/passphrases are used as authentication factors to     |
| meet Requirement 8.3.1, they meet the following minimum level of complexity: |
|                                                                              |
| - A minimum length of 12 characters (or IF the system does not support 12    |
|   characters, a minimum length of eight characters).                         |
| - Contain both numeric and alphabetic characters.                            |
|                                                                              |
| ***Note:** This requirement is a **best practice** until **31 March 2025**,  |
| after which it will be required and must be fully considered during a PCI    |
| DSS assessment. Until 31 March 2025, passwords must be a minimum length of   |
| seven characters in accordance with PCI DSS v3.2.1 Requirement 8.2.3.*       |
+------------------------------------------------------------------------------+

**Assessment Findings (select one)**

+--------------------+--------------------+--------------------+--------------------+
| **In Place**       | **Not Applicable** | **Not Tested**     | **Not in Place**   |
+====================+====================+====================+====================+
| ☐                  | ☐                  | ☐                  | ☐                  |
+--------------------+--------------------+--------------------+--------------------+

+----------------------------------------------------------------+---------------------------+
| Describe why the assessment finding was selected.              | \<Enter Response Here\>   |
|                                                                |                           |
| ***Note**: Include all details as noted in the "Required       |                           |
| Reporting" column of the table in                              |                           |
| [Assessment Findings](#assessment-findings) in the ROC         |                           |
| Template Instructions.*                                        |                           |
+----------------------------------------------------------------+---------------------------+


+----------------------------------------------------------------+---------------------------+
| **Validation Method -- Customized Approach**                   |                           |
+================================================================+===========================+
| **Indicate** whether a Customized Approach was used:           | ☐ Yes ☐ No                |
+----------------------------------------------------------------+---------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where  | \<Enter Response Here\>   |
| the Customized Approach was used.                              |                           |
|                                                                |                           |
| ***Note:** The use of Customized Approach must also be         |                           |
| documented in                                                  |                           |
| [Appendix E.](#appendix-e-customized-approach-template)*       |                           |
+----------------------------------------------------------------+---------------------------+

+----------------------------------------------------------------+---------------------------+
| **Validation Method -- Defined Approach**                      |                           |
+================================================================+===========================+
| **Indicate** whether a Compensating Control was used:          | ☐ Yes ☐ No                |
+----------------------------------------------------------------+---------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where  | \<Enter Response Here\>   |
| the Compensating Control(s) was used.                          |                           |
|                                                                |                           |
| ***Note:** The use of Compensating Controls must also be       |                           |
| documented in                                                  |                           |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*    |                           |
+----------------------------------------------------------------+---------------------------+

+--------------------------------------+------------------------------------------------------+-------------------------+
| **Testing Procedures**               | **Reporting Instructions**                           | **Reporting Details:    |
|                                      |                                                      | Assessor's Response**   |
+======================================+======================================================+=========================+
| **8.3.6** Examine system             | **Identify** the evidence reference number(s) from   | \<Enter Response Here\> |
| configuration settings to verify     | [Section 6](#evidence-assessment-workpapers) for all |                         |
| that user password/passphrase        | **system configuration settings** examined for this  |                         |
| complexity parameters are set in     | testing procedure.                                   |                         |
| accordance with all elements         |                                                      |                         |
| specified in this requirement.       |                                                      |                         |
+--------------------------------------+------------------------------------------------------+-------------------------+

**PCI DSS Requirement**

**8.3.7** Individuals are not allowed to submit a new password/passphrase that is the same as any of the last four passwords/passphrases used.

| **Assessment Findings (select one)** | |
|--------|---|
| ☐ **In Place**   ☐ **Not Applicable**   ☐ **Not Tested**   ☐ **Not in Place** | |
| Describe why the assessment finding was selected. ***Note**: Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.* | \<Enter Response Here\> |

| **Validation Method -- Customized Approach** | |
|--------|---|
| **Indicate** whether a Customized Approach was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used. ***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)* | \<Enter Response Here\> |
| **Validation Method -- Defined Approach** | |
| **Indicate** whether a Compensating Control was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used. ***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)* | \<Enter Response Here\> |
| **Testing Procedures** | **Reporting Instructions** | **Reporting Details: Assessor's Response** |
|-----|-----|---|
| **8.3.7** Examine system configuration settings to verify that password parameters are set to require that new passwords/passphrases cannot be the same as the four previously used passwords/passphrases. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **system configuration settings** examined for this testing procedure. | \<Enter Response Here\> |

**PCI DSS Requirement**

**8.3.8** Authentication policies and procedures are documented and communicated to all users including:

- Guidance on selecting strong authentication factors.

- Guidance for how users should protect their authentication factors.

- Instructions not to reuse previously used passwords/passphrases.

- Instructions to change passwords/passphrases if there is any suspicion or knowledge that the password/passphrases have been compromised and how to report the incident.

| **Assessment Findings (select one)** | |
|--------|---|
| ☐ **In Place**   ☐ **Not Applicable**   ☐ **Not Tested**   ☐ **Not in Place** | |
| Describe why the assessment finding was selected. ***Note**: Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.* | \<Enter Response Here\> |
| **Validation Method -- Customized Approach** | |
|--------|---|
| **Indicate** whether a Customized Approach was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used. ***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)* | \<Enter Response Here\> |
| **Validation Method -- Defined Approach** | |
| **Indicate** whether a Compensating Control was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used. ***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)* | \<Enter Response Here\> |

| **Testing Procedures** | **Reporting Instructions** | **Reporting Details: Assessor's Response** |
|-----|-----|---|
| **8.3.8.a** Examine procedures and interview personnel to verify that authentication policies and procedures are distributed to all users. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **procedures** examined for this testing procedure. | \<Enter Response Here\> |
| | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **interview(s)** conducted for this testing procedure. | \<Enter Response Here\> |
| **8.3.8.b** Review authentication policies and procedures that are distributed to users and verify they include the elements specified in this requirement. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **authentication policies and procedures** examined for this testing procedure. | \<Enter Response Here\> |
| **8.3.8.c** Interview users to verify that they are familiar with authentication policies and procedures. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **interview(s)** conducted for this testing procedure. | \<Enter Response Here\> |
**PCI DSS Requirement**

**8.3.9** If passwords/passphrases are used as the only authentication factor for user access (i.e., in any single-factor authentication implementation) then either:

- Passwords/passphrases are changed at least once every 90 days, OR

- The security posture of accounts is dynamically analyzed, and real-time access to resources is automatically determined accordingly.

| **Assessment Findings (select one)** | |
|--------|---|
| ☐ **In Place**   ☐ **Not Applicable**   ☐ **Not Tested**   ☐ **Not in Place** | |
| Describe why the assessment finding was selected. ***Note**: Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.* | \<Enter Response Here\> |

| **Validation Method -- Customized Approach** | |
|--------|---|
| **Indicate** whether a Customized Approach was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used. ***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)* | \<Enter Response Here\> |
| **Validation Method -- Defined Approach** | |
| **Indicate** whether a Compensating Control was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used. ***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)* | \<Enter Response Here\> |
| **Testing Procedures** | **Reporting Instructions** | **Reporting Details: Assessor's Response** |
|-----|-----|---|
| **8.3.9** If passwords/passphrases are used as the only authentication factor for user access, inspect system configuration settings to verify that passwords/passphrases are managed in accordance with ONE of the elements specified in this requirement. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **system configuration settings** examined for this testing procedure. | \<Enter Response Here\> |

**PCI DSS Requirement**

**8.3.10** ***Additional requirement for service providers only:*** If passwords/passphrases are used as the only authentication factor for customer user access to cardholder data (i.e., in any single-factor authentication implementation), then guidance is provided to customer users including:

- Guidance for customers to change their user passwords/passphrases periodically.

- Guidance as to when, and under what circumstances, passwords/passphrases are to be changed.

***Note**: This requirement for service providers will be **superseded** by Requirement 8.3.10.1 as of **31 March 2025**.*

| **Assessment Findings (select one)** | |
|--------|---|
| ☐ **In Place**   ☐ **Not Applicable**   ☐ **Not Tested**   ☐ **Not in Place** | |
| Describe why the assessment finding was selected. ***Note**: Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.* | \<Enter Response Here\> |
| **Validation Method -- Customized Approach** | |
|--------|---|
| **Indicate** whether a Customized Approach was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used. ***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)* | \<Enter Response Here\> |
| **Validation Method -- Defined Approach** | |
| **Indicate** whether a Compensating Control was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used. ***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)* | \<Enter Response Here\> |

| **Testing Procedures** | **Reporting Instructions** | **Reporting Details: Assessor's Response** |
|-----|-----|---|
| **8.3.10** ***Additional testing procedure for service provider assessments only:*** If passwords/passphrases are used as the only authentication factor for customer user access to cardholder data, examine guidance provided to customer users to verify that the guidance includes all elements specified in this requirement. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **guidance provided to customer users** examined for this testing procedure. | \<Enter Response Here\> |
**PCI DSS Requirement**

**8.3.10.1** ***Additional requirement for service providers only:*** If passwords/passphrases are used as the only authentication factor for customer user access (i.e., in any single-factor authentication implementation) then either:

- Passwords/passphrases are changed at least once every 90 days, OR

- The security posture of accounts is dynamically analyzed, and real-time access to resources is automatically determined accordingly.

***Note:** This requirement is a **best practice** until **31 March 2025**, after which it will be required and must be fully considered during a PCI DSS assessment. Until this requirement is effective on 31 March 2025, service providers may meet either Requirement 8.3.10 or 8.3.10.1.*

| **Assessment Findings (select one)** | |
|--------|---|
| ☐ **In Place**   ☐ **Not Applicable**   ☐ **Not Tested**   ☐ **Not in Place** | |
| Describe why the assessment finding was selected. ***Note**: Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.* | \<Enter Response Here\> |

| **Validation Method -- Customized Approach** | |
|--------|---|
| **Indicate** whether a Customized Approach was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used. ***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)* | \<Enter Response Here\> |
| **Validation Method -- Defined Approach** | |
|--------|---|
| **Indicate** whether a Compensating Control was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used. ***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)* | \<Enter Response Here\> |

| **Testing Procedures** | **Reporting Instructions** | **Reporting Details: Assessor's Response** |
|-----|-----|---|
| **8.3.10.1** ***Additional testing procedure for service provider assessments only:*** If passwords/passphrases are used as the only authentication factor for customer user access, inspect system configuration settings to verify that passwords/passphrases are managed in accordance with ONE of the elements specified in this requirement. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **system configuration settings** examined for this testing procedure. | \<Enter Response Here\> |
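The testing procedures for 8.3.6, 8.3.7 and 8.3.9 above, and for 8.3.10.1 on a service provider's customer-facing systems, all come down to inspecting system configuration settings. The following is an added example, not part of the ROC template or of any PCI SSC material, showing what that inspection looks like on a Linux host that uses shadow passwords, libpwquality and PAM: it parses the relevant files and returns an In Place / Not in Place result per requirement. The file names, the check logic and the sample file contents are constructed for illustration. The four-password history and the 90-day maximum are the values stated in 8.3.7 and 8.3.9 above; the 12-character minimum containing numeric and alphabetic characters is the element set by Requirement 8.3.6 in PCI DSS v4.0, whose requirement text precedes this excerpt.

```python
"""Added example (not part of the ROC template): offline check of the Linux
password-policy settings examined under Requirements 8.3.6, 8.3.7 and 8.3.9
(and 8.3.10.1 on a service provider's customer-facing systems).  Assumed
sources: /etc/login.defs, /etc/security/pwquality.conf, the 'password' stack of
a /etc/pam.d/ file, and /etc/shadow.  All sample contents are constructed."""
from dataclasses import dataclass

@dataclass
class Finding:
    requirement: str
    in_place: bool
    detail: str

def parse_login_defs(text):
    """KEY VALUE lines; '#' starts a comment."""
    pairs = (l.split("#", 1)[0].split(None, 1) for l in text.splitlines())
    return {k: v.strip() for k, v in (p for p in pairs if len(p) == 2)}

def parse_pwquality(text):
    """key = value lines; every pwquality.conf value is an integer."""
    out = {}
    for line in text.splitlines():
        key, sep, val = line.split("#", 1)[0].partition("=")
        if sep:
            out[key.strip()] = int(val)
    return out

def parse_pam_password_stack(text):
    """[(module, {option: value})] for 'password' lines.  Simple control words
    only; the bracketed '[success=1 ...]' control syntax is not handled."""
    stack = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "password":
            stack.append((parts[2], dict(t.partition("=")[::2] for t in parts[3:])))
    return stack

def parse_shadow(text):
    """{user: max_days} for accounts with a real hash; locked ('!'/'*') entries
    have no password to age.  An empty max field means no maximum (shadow(5))."""
    ages = {}
    for f in (line.split(":") for line in text.splitlines()):
        if len(f) >= 5 and f[1] and f[1][0] not in "!*":
            ages[f[0]] = int(f[4]) if f[4] else 99999
    return ages

def check_8_3_6(pwq):
    """8.3.6: 12+ characters with numeric and alphabetic characters.  pwquality
    enforces minlen literally only when no class earns bonus credit; a positive
    *credit lets a shorter password 'score' 12 (defaults: minlen 8, credits 0)."""
    problems = []
    if pwq.get("minlen", 8) < 12:
        problems.append(f"minlen={pwq.get('minlen', 8)} (<12)")
    bonus = [c for c in ("dcredit", "ucredit", "lcredit", "ocredit") if pwq.get(c, 0) > 0]
    if bonus:
        problems.append("bonus credit enabled for " + ",".join(bonus))
    if pwq.get("dcredit", 0) > -1:
        problems.append("no digit required (dcredit must be <= -1)")
    if pwq.get("lcredit", 0) > -1 and pwq.get("ucredit", 0) > -1:
        problems.append("no letter required (lcredit or ucredit must be <= -1)")
    return Finding("8.3.6", not problems, "; ".join(problems) or "minlen>=12, digit and letter required")

def check_8_3_7(stack):
    """8.3.7: pam_pwhistory or pam_unix 'remember=N' keeps the last N hashes in
    /etc/security/opasswd and rejects a new password that matches any of them."""
    for module, opts in stack:
        n = opts.get("remember", "0")
        if module in ("pam_pwhistory.so", "pam_unix.so") and n.isdigit() and int(n) >= 4:
            return Finding("8.3.7", True, f"{module} remember={n}")
    return Finding("8.3.7", False, "no pam_pwhistory/pam_unix remember>=4 in the password stack")

def check_8_3_9(defs, ages):
    """8.3.9, first bullet: 90-day maximum age.  PASS_MAX_DAYS only seeds new
    accounts; existing accounts carry their own maximum in /etc/shadow."""
    problems = []
    if int(defs.get("PASS_MAX_DAYS", 99999)) > 90:
        problems.append(f"login.defs PASS_MAX_DAYS={defs.get('PASS_MAX_DAYS', 'unset')}")
    stale = sorted(u for u, m in ages.items() if m > 90)
    if stale:
        problems.append("accounts with max age >90: " + ",".join(stale))
    return Finding("8.3.9", not problems, "; ".join(problems) or "90-day maximum set for every password account")

def assess(login_defs, pwquality, pam_password, shadow):
    return [check_8_3_6(parse_pwquality(pwquality)),
            check_8_3_7(parse_pam_password_stack(pam_password)),
            check_8_3_9(parse_login_defs(login_defs), parse_shadow(shadow))]

# Constructed samples: a distribution-default style configuration and a hardened one.
WEAK = dict(
    login_defs="PASS_MAX_DAYS\t99999\n",
    pwquality="# minlen = 8\nminlen = 12\ndcredit = 1\n",
    pam_password="password requisite pam_pwquality.so retry=3\n"
                 "password sufficient pam_unix.so sha512 shadow use_authtok\n",
    shadow="root:$6$abc:19700:0:99999:7:::\nalice:$6$def:19700:0:99999:7:::\nsvc:!:19700:0:99999:7:::\n")
HARDENED = dict(
    login_defs="PASS_MAX_DAYS 90\n",
    pwquality="minlen = 12\ndcredit = -1\nlcredit = -1\nucredit = 0\nocredit = 0\n",
    pam_password="password requisite pam_pwquality.so retry=3\n"
                 "password required pam_pwhistory.so remember=4 use_authtok\n"
                 "password sufficient pam_unix.so sha512 shadow use_authtok\n",
    shadow="root:$6$abc:19700:1:90:7:::\nalice:$6$def:19700:1:90:7:::\nsvc:!:19700:0:99999:7:::\n")

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        for f in assess(**cfg):
            print(f"{label:9}{f.requirement}: {'In Place' if f.in_place else 'Not in Place'} - {f.detail}")
```

Two caveats for use in an assessment. The second bullet of 8.3.9 and 8.3.10.1 (dynamic analysis of account security posture) cannot be read from these files, and neither can the fact that an account is protected by a second factor, so a "Not in Place" result from the 90-day check has to be reconciled with the account inventory before a finding is recorded. The libpwquality credit point is the one most often missed: `minlen = 12` together with a positive `dcredit`, `ucredit`, `lcredit` or `ocredit` still accepts passwords shorter than 12 characters, because each character class present adds to the length score, so the assessor should record the credit values alongside `minlen` as evidence for 8.3.6.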
**PCI DSS Requirement**

**8.3.11** Where authentication factors such as physical or logical security tokens, smart cards, or certificates are used:

- Factors are assigned to an individual user and not shared among multiple users.

- Physical and/or logical controls ensure only the intended user can use that factor to gain access.

| **Assessment Findings (select one)** | |
|--------|---|
| ☐ **In Place**   ☐ **Not Applicable**   ☐ **Not Tested**   ☐ **Not in Place** | |
| Describe why the assessment finding was selected. ***Note**: Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.* | \<Enter Response Here\> |

| **Validation Method -- Customized Approach** | |
|--------|---|
| **Indicate** whether a Customized Approach was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used. ***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)* | \<Enter Response Here\> |
| **Validation Method -- Defined Approach** | |
| **Indicate** whether a Compensating Control was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used. ***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)* | \<Enter Response Here\> |
+-----------------+-------------------+--------------------------------+
| > **Testing | > **Reporting | > **Reporting Details: |
| > Procedures** | > Instructions** | > Assessor's Response** |
+=================+===================+================================+
| **8.3.11.a** | **Identify** the | \<Enter Response Here\> |
| Examine | evidence | |
| authentication | reference | |
| policies and | number(s) from | |
| procedures to | [Section | |
| verify that | 6 | |
| procedures for | ](#evidence-asses | |
| using | sment-workpapers) | |
| authentication | for all | |
| factors such as | **authentication | |
| physical | policies and | |
| security | procedures** | |
| tokens, smart | examined for this | |
| cards, and | testing | |
| certificates | procedure. | |
| are defined and | | |
| include all | | |
| elements | | |
| specified in | | |
| this | | |
| requirement. | | |
+-----------------+-------------------+--------------------------------+
| **8.3.11.b** | **Identify** the | \<Enter Response Here\> |
| Interview | evidence | |
| security | reference | |
| personnel to | number(s) from | |
| verify | [Section | |
| authentication | 6 | |
| factors are | ](#evidence-asses | |
| assigned to an | sment-workpapers) | |
| individual user | for all | |
| and not shared | **interview(s)** | |
| among multiple | conducted for | |
| users. | this testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+
| **8.3.11.c** | **Identify** the | \<Enter Response Here\> |
| Examine system | evidence | |
| configuration | reference | |
| settings and/or | number(s) from | |
| observe | [Section | |
| physical | 6 | |
| controls, as | ](#evidence-asses | |
| applicable, to | sment-workpapers) | |
| verify that | for all **system | |
| controls are | configuration | |
| implemented to | settings** | |
| ensure only the | examined for this | |
| intended user | testing | |
| can use that | procedure. | |
| factor to gain | | |
| access. | | |
+-----------------+-------------------+--------------------------------+
| | **Identify** the | \<Enter Response Here\> |
| | evidence | |
| | reference | |
| | number(s) from | |
| | [Section | |
| | 6 | |
| | ](#evidence-asses | |
| | sment-workpapers) | |
| | for all | |
| | **observations of | |
| | physical | |
| | controls** | |
| | conducted for | |
| | this testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+
+-----------------------------------------------------------------------+
| > **Requirement Description**                                         |
+=======================================================================+
| **8.4** Multi-factor authentication (MFA) is implemented to secure    |
| access into the CDE.                                                  |
+-----------------------------------------------------------------------+
| > **PCI DSS Requirement**                                             |
+-----------------------------------------------------------------------+
| **8.4.1** MFA is implemented for all non-console access into the CDE  |
| for personnel with administrative access.                             |
+-----------------------------------------------------------------------+
| > **Assessment Findings (select one)**                                |
+-----------------------------------------------------------------------+

+------------------+--------------------+----------------+------------------+
| **In Place**     | **Not Applicable** | **Not Tested** | **Not in Place** |
+==================+====================+================+==================+
| ☐                | ☐                  | ☐              | ☐                |
+------------------+--------------------+----------------+------------------+

+--------------------------------------------------------------+------------------------------+
| Describe why the assessment finding was selected.            | \<Enter Response Here\>      |
|                                                              |                              |
| ***Note**: Include all details as noted in the "Required     |                              |
| Reporting" column of the table in                            |                              |
| [Assessment Findings](#assessment-findings) in the ROC       |                              |
| Template Instructions.*                                      |                              |
+--------------------------------------------------------------+------------------------------+
| **Validation Method -- Customized Approach**                 |                              |
+--------------------------------------------------------------+------------------------------+
| **Indicate** whether a Customized Approach was used:         | ☐ Yes ☐ No                   |
+--------------------------------------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>      |
| where the Customized Approach was used.                      |                              |
|                                                              |                              |
| ***Note:** The use of Customized Approach must also be       |                              |
| documented in                                                |                              |
| [Appendix E.](#appendix-e-customized-approach-template)*     |                              |
+--------------------------------------------------------------+------------------------------+
| **Validation Method -- Defined Approach**                    |                              |
+--------------------------------------------------------------+------------------------------+
| **Indicate** whether a Compensating Control was used:        | ☐ Yes ☐ No                   |
+--------------------------------------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>      |
| where the Compensating Control(s) was used.                  |                              |
|                                                              |                              |
| ***Note:** The use of Compensating Controls must also be     |                              |
| documented in                                                |                              |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*  |                              |
+--------------------------------------------------------------+------------------------------+
+----------------------------------------+--------------------------------------------------------+----------------------------+
| > **Testing Procedures**               | > **Reporting Instructions**                           | > **Reporting Details:     |
|                                        |                                                        | > Assessor's Response**    |
+========================================+========================================================+============================+
| **8.4.1.a** Examine network and/or     | **Identify** the evidence reference number(s) from     | \<Enter Response Here\>    |
| system configurations to verify MFA is | [Section 6](#evidence-assessment-workpapers) for all   |                            |
| required for all non-console into the  | **network and/or system configurations** examined      |                            |
| CDE for personnel with administrative  | for this testing procedure.                            |                            |
| access.                                |                                                        |                            |
+----------------------------------------+--------------------------------------------------------+----------------------------+
| **8.4.1.b** Observe administrator      | **Identify** the evidence reference number(s) from     | \<Enter Response Here\>    |
| personnel logging into the CDE and     | [Section 6](#evidence-assessment-workpapers) for all   |                            |
| verify that MFA is required.           | **observation(s) of administrator personnel logging    |                            |
|                                        | into the CDE** for this testing procedure.             |                            |
+----------------------------------------+--------------------------------------------------------+----------------------------+
+-----------------------------------------------------------------------+
| > **PCI DSS Requirement**                                             |
+=======================================================================+
| **8.4.2** MFA is implemented for all access into the CDE.             |
|                                                                       |
| ***Note:** This requirement is a **best practice** until **31 March   |
| 2025**, after which it will be required and must be fully considered  |
| during a PCI DSS assessment.*                                         |
+-----------------------------------------------------------------------+
| > **Assessment Findings (select one)**                                |
+-----------------------------------------------------------------------+

+------------------+--------------------+----------------+------------------+
| **In Place**     | **Not Applicable** | **Not Tested** | **Not in Place** |
+==================+====================+================+==================+
| ☐                | ☐                  | ☐              | ☐                |
+------------------+--------------------+----------------+------------------+

+--------------------------------------------------------------+------------------------------+
| Describe why the assessment finding was selected.            | \<Enter Response Here\>      |
|                                                              |                              |
| ***Note**: Include all details as noted in the "Required     |                              |
| Reporting" column of the table in                            |                              |
| [Assessment Findings](#assessment-findings) in the ROC       |                              |
| Template Instructions.*                                      |                              |
+--------------------------------------------------------------+------------------------------+
+--------------------------------------------------------------+------------------------------+
| **Validation Method -- Customized Approach**                 |                              |
+--------------------------------------------------------------+------------------------------+
| **Indicate** whether a Customized Approach was used:         | ☐ Yes ☐ No                   |
+--------------------------------------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>      |
| where the Customized Approach was used.                      |                              |
|                                                              |                              |
| ***Note:** The use of Customized Approach must also be       |                              |
| documented in                                                |                              |
| [Appendix E.](#appendix-e-customized-approach-template)*     |                              |
+--------------------------------------------------------------+------------------------------+
| **Validation Method -- Defined Approach**                    |                              |
+--------------------------------------------------------------+------------------------------+
| **Indicate** whether a Compensating Control was used:        | ☐ Yes ☐ No                   |
+--------------------------------------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>      |
| where the Compensating Control(s) was used.                  |                              |
|                                                              |                              |
| ***Note:** The use of Compensating Controls must also be     |                              |
| documented in                                                |                              |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*  |                              |
+--------------------------------------------------------------+------------------------------+

+----------------------------------------+--------------------------------------------------------+----------------------------+
| > **Testing Procedures**               | > **Reporting Instructions**                           | > **Reporting Details:     |
|                                        |                                                        | > Assessor's Response**    |
+========================================+========================================================+============================+
| **8.4.2.a** Examine network and/or     | **Identify** the evidence reference number(s) from     | \<Enter Response Here\>    |
| system configurations to verify MFA is | [Section 6](#evidence-assessment-workpapers) for all   |                            |
| implemented for all access into the    | **network and/or system configurations** examined      |                            |
| CDE.                                   | for this testing procedure.                            |                            |
+----------------------------------------+--------------------------------------------------------+----------------------------+
| **8.4.2.b** Observe personnel logging  | **Identify** the evidence reference number(s) from     | \<Enter Response Here\>    |
| in to the CDE and examine evidence to  | [Section 6](#evidence-assessment-workpapers) for all   |                            |
| verify that MFA is required.           | **observation(s) of personnel logging into the CDE**   |                            |
|                                        | for this testing procedure.                            |                            |
+----------------------------------------+--------------------------------------------------------+----------------------------+
|                                        | **Identify** the evidence reference number(s) from     | \<Enter Response Here\>    |
|                                        | [Section 6](#evidence-assessment-workpapers) for any   |                            |
|                                        | **additional evidence** examined for this testing      |                            |
|                                        | procedure.                                             |                            |
+----------------------------------------+--------------------------------------------------------+----------------------------+
+-----------------------------------------------------------------------+
| > **PCI DSS Requirement**                                             |
+=======================================================================+
| **8.4.3** MFA is implemented for all remote network access            |
| originating from outside the entity's network that could access or    |
| impact the CDE as follows:                                            |
|                                                                       |
| - All remote access by all personnel, both users and administrators,  |
|   originating from outside the entity's network.                      |
|                                                                       |
| - All remote access by third parties and vendors.                     |
+-----------------------------------------------------------------------+
| > **Assessment Findings (select one)**                                |
+-----------------------------------------------------------------------+

+------------------+--------------------+----------------+------------------+
| **In Place**     | **Not Applicable** | **Not Tested** | **Not in Place** |
+==================+====================+================+==================+
| ☐                | ☐                  | ☐              | ☐                |
+------------------+--------------------+----------------+------------------+

+--------------------------------------------------------------+------------------------------+
| Describe why the assessment finding was selected.            | \<Enter Response Here\>      |
|                                                              |                              |
| ***Note**: Include all details as noted in the "Required     |                              |
| Reporting" column of the table in                            |                              |
| [Assessment Findings](#assessment-findings) in the ROC       |                              |
| Template Instructions.*                                      |                              |
+--------------------------------------------------------------+------------------------------+
| **Validation Method -- Customized Approach**                 |                              |
+--------------------------------------------------------------+------------------------------+
| **Indicate** whether a Customized Approach was used:         | ☐ Yes ☐ No                   |
+--------------------------------------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>      |
| where the Customized Approach was used.                      |                              |
|                                                              |                              |
| ***Note:** The use of Customized Approach must also be       |                              |
| documented in                                                |                              |
| [Appendix E.](#appendix-e-customized-approach-template)*     |                              |
+--------------------------------------------------------------+------------------------------+
| **Validation Method -- Defined Approach**                    |                              |
+--------------------------------------------------------------+------------------------------+
| **Indicate** whether a Compensating Control was used:        | ☐ Yes ☐ No                   |
+--------------------------------------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>      |
| where the Compensating Control(s) was used.                  |                              |
|                                                              |                              |
| ***Note:** The use of Compensating Controls must also be     |                              |
| documented in                                                |                              |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*  |                              |
+--------------------------------------------------------------+------------------------------+
+-----------------+-------------------+--------------------------------+
| > **Testing | > **Reporting | > **Reporting Details: |
| > Procedures** | > Instructions** | > Assessor's Response** |
+=================+===================+================================+
| **8.4.3.a** | **Identify** the | \<Enter Response Here\> |
| Examine network | evidence | |
| and/or system | reference | |
| configurations | number(s) from | |
| for remote | [Section | |
| access servers | 6 | |
| and systems to | ](#evidence-asses | |
| verify MFA is | sment-workpapers) | |
| required in | for all **network | |
| accordance with | and/or system | |
| all elements | configurations** | |
| specified in | examined for this | |
| this | testing | |
| requirement. | procedure. | |
+-----------------+-------------------+--------------------------------+
| **8.4.3.b** | **Identify** the | \<Enter Response Here\> |
| Observe | evidence | |
| personnel (for | reference | |
| example, users | number(s) from | |
| and | [Section | |
| administrators) | 6 | |
| connecting | ](#evidence-asses | |
| remotely to the | sment-workpapers) | |
| network and | for all | |
| verify that | **observation(s) | |
| multi-factor | of personnel | |
| authentication | connecting | |
| is required. | remotely to the | |
| | network** for | |
| | this testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+
+-----------------------------------------------------------------------+
| > **Requirement Description** |
+=======================================================================+
| **8.5** Multi-factor authentication (MFA) systems are configured to |
| prevent misuse. |
+-----------------------------------------------------------------------+
| > **PCI DSS Requirement** |
+-----------------------------------------------------------------------+
| **8.5.1** MFA systems are implemented as follows:                     |
| |
| - The MFA system is not susceptible to replay attacks. |
| |
| - MFA systems cannot be bypassed by any users, including |
| administrative users unless specifically documented, and |
| authorized by management on an exception basis, for a limited |
| time period. |
| |
| - At least two different types of authentication factors are |
| used. |
| |
| - Success of all authentication factors is required before |
| access is granted. |
| |
| ***Note:** This requirement is a **best practice** until **31 March |
| 2025**, after which it will be required and must be fully considered |
| during a PCI DSS assessment.* |
+-----------------------------------------------------------------------+
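To make the four properties of 8.5.1 concrete for an assessor reviewing an MFA configuration, here is an added example (not part of the ROC template and not taken from any vendor MFA product) of an authentication decision function that enforces all four: replay rejection of one-time codes, no bypass outside a live management-authorized exception, two distinct factor types, and success of every factor before access is granted. The user record, factor classes, bypass-exception record, TOTP secret and all sample values are constructed assumptions for the demo.

```python
# Added example, not part of the PCI DSS ROC template: an MFA decision
# function that enforces the four 8.5.1 bullets. User records, factor
# classes, the bypass-exception record and all sample values are constructed
# for this demo and do not come from any real MFA product.
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Bullet 3: factors must come from at least two different *types*.
FACTOR_TYPES = {"password": "knowledge", "totp": "possession",
                "fingerprint": "inherence"}
TOTP_STEP = 30          # seconds per time step (RFC 6238 default)
PBKDF2_ROUNDS = 100_000


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    totp_secret: bytes
    fingerprint_id: Optional[str] = None
    last_totp_counter: int = -1   # highest time step already consumed


@dataclass
class BypassException:
    """Bullet 2: a bypass exists only as a documented, management-authorized,
    time-limited record; the system refuses it once expires_at has passed."""
    user: str
    authorized_by: str
    reason: str
    expires_at: float             # epoch seconds


def make_user(name: str, password: str, totp_secret: bytes,
              fingerprint_id: Optional[str] = None) -> User:
    # Demo-only deterministic salt so the run is reproducible; use os.urandom in practice.
    salt = hashlib.sha256(name.encode()).digest()[:16]
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return User(name, salt, pw_hash, totp_secret, fingerprint_id)


def totp(secret: bytes, counter: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1 over the time-step counter, 6 digits)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


def check_factor(user: User, kind: str, value: str, now: float) -> bool:
    """Verify one factor. A TOTP code is accepted for the current step or the
    previous one (clock skew), but never at or below the step already consumed
    for this user, so a captured code cannot be replayed (bullet 1)."""
    if kind == "password":
        cand = hashlib.pbkdf2_hmac("sha256", value.encode(), user.salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(cand, user.pw_hash)
    if kind == "totp":
        current = int(now) // TOTP_STEP
        for counter in (current, current - 1):
            if counter > user.last_totp_counter and \
                    hmac.compare_digest(totp(user.totp_secret, counter), value):
                user.last_totp_counter = counter   # burn the step even if login later fails
                return True
        return False
    if kind == "fingerprint":
        return user.fingerprint_id is not None and \
            hmac.compare_digest(user.fingerprint_id, value)
    return False   # unknown factor kinds never count as success


def authenticate(user: User, factors: List[Tuple[str, str]],
                 now: Optional[float] = None,
                 bypass: Optional[BypassException] = None) -> bool:
    """Return True only when every presented factor verifies (bullet 4) and the
    factors span two different types (bullet 3); a single-type login is allowed
    solely under a live, authorized exception (bullet 2)."""
    now = time.time() if now is None else now
    # Evaluate every factor before deciding: no early exit that reveals which one failed.
    results = [check_factor(user, kind, value, now) for kind, value in factors]
    if not factors or not all(results):
        return False
    if len({FACTOR_TYPES.get(kind) for kind, _ in factors}) >= 2:
        return True
    return (bypass is not None and bypass.user == user.name
            and bool(bypass.authorized_by) and now < bypass.expires_at)
```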
+-----------------------------------------------------------------------+
| > **Assessment Findings (select one)**                                |
+-----------------------------------------------------------------------+

+------------------+--------------------+----------------+------------------+
| **In Place**     | **Not Applicable** | **Not Tested** | **Not in Place** |
+==================+====================+================+==================+
| ☐                | ☐                  | ☐              | ☐                |
+------------------+--------------------+----------------+------------------+

+--------------------------------------------------------------+------------------------------+
| Describe why the assessment finding was selected.            | \<Enter Response Here\>      |
|                                                              |                              |
| ***Note**: Include all details as noted in the "Required     |                              |
| Reporting" column of the table in                            |                              |
| [Assessment Findings](#assessment-findings) in the ROC       |                              |
| Template Instructions.*                                      |                              |
+--------------------------------------------------------------+------------------------------+
| **Validation Method -- Customized Approach**                 |                              |
+--------------------------------------------------------------+------------------------------+
| **Indicate** whether a Customized Approach was used:         | ☐ Yes ☐ No                   |
+--------------------------------------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>      |
| where the Customized Approach was used.                      |                              |
|                                                              |                              |
| ***Note:** The use of Customized Approach must also be       |                              |
| documented in                                                |                              |
| [Appendix E.](#appendix-e-customized-approach-template)*     |                              |
+--------------------------------------------------------------+------------------------------+
| **Validation Method -- Defined Approach**                    |                              |
+--------------------------------------------------------------+------------------------------+
| **Indicate** whether a Compensating Control was used:        | ☐ Yes ☐ No                   |
+--------------------------------------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>      |
| where the Compensating Control(s) was used.                  |                              |
|                                                              |                              |
| ***Note:** The use of Compensating Controls must also be     |                              |
| documented in                                                |                              |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*  |                              |
+--------------------------------------------------------------+------------------------------+
+-----------------+-------------------+--------------------------------+
| > **Testing | > **Reporting | > **Reporting Details: |
| > Procedures** | > Instructions** | > Assessor's Response** |
+=================+===================+================================+
| **8.5.1.a** | **Identify** the | \<Enter Response Here\> |
| Examine vendor | evidence | |
| system | reference | |
| documentation | number(s) from | |
| to verify that | [Section | |
| the MFA system | 6 | |
| is not | ](#evidence-asses | |
| susceptible to | sment-workpapers) | |
| replay attacks. | for all **vendor | |
| | system | |
| | documentation** | |
| | examined for this | |
| | testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+
| **8.5.1.b** | **Identify** the | \<Enter Response Here\> |
| Examine system | evidence | |
| configurations | reference | |
| for the MFA | number(s) from | |
| implementation | [Section | |
| to verify it is | 6 | |
| configured in | ](#evidence-asses | |
| accordance with | sment-workpapers) | |
| all elements | for all **system | |
| specified in | configurations** | |
| this | examined for this | |
| requirement. | testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+
| **8.5.1.c** | **Identify** the | \<Enter Response Here\> |
| Interview | evidence | |
| responsible | reference | |
| personnel and | number(s) from | |
| observe | [Section | |
| processes to | 6 | |
| verify that any | ](#evidence-asses | |
| requests to | sment-workpapers) | |
| bypass MFA are | for all | |
| specifically | **interview(s)** | |
| documented and | conducted for | |
| authorized by | this testing | |
| management on | procedure. | |
| an exception | | |
| basis, for a | | |
| limited time | | |
| period. | | |
+-----------------+-------------------+--------------------------------+
| | **Identify** the | \<Enter Response Here\> |
| | evidence | |
| | reference | |
| | number(s) from | |
| | [Section | |
| | 6 | |
| | ](#evidence-asses | |
| | sment-workpapers) | |
| | for all | |
| | **observation(s) | |
| | of processes** | |
| | for this testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+
| **8.5.1.d** | **Identify** the | \<Enter Response Here\> |
| Observe | evidence | |
| personnel | reference | |
| logging into | number(s) from | |
| system | [Section | |
| components in | 6 | |
| the CDE to | ](#evidence-asses | |
| verify that | sment-workpapers) | |
| access is | for all | |
| granted only | **observation(s) | |
| after all | of personnel | |
| authentication | logging into | |
| factors are | system components | |
| successful. | in the CDE** for | |
| | this testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+
| **8.5.1.e** | **Identify** the | \<Enter Response Here\> |
| Observe | evidence | |
| personnel | reference | |
| connecting | number(s) from | |
| remotely from | [Section | |
| outside the | 6 | |
| entity's | ](#evidence-asses | |
| network to | sment-workpapers) | |
| verify that | for all | |
| access is | **observation(s) | |
| granted only | of personnel | |
| after all | connecting | |
| authentication | remotely from | |
| factors are | outside the | |
| successful. | entity's | |
| | network** for | |
| | this testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+
+-----------------------------------------------------------------------+
| > **Requirement Description**                                         |
+=======================================================================+
| **8.6** Use of application and system accounts and associated         |
| authentication factors is strictly managed.                           |
+-----------------------------------------------------------------------+
| > **PCI DSS Requirement**                                             |
+-----------------------------------------------------------------------+
| **8.6.1** If accounts used by systems or applications can be used for |
| interactive login, they are managed as follows:                       |
|                                                                       |
| - Interactive use is prevented unless needed for an exceptional       |
|   circumstance.                                                       |
|                                                                       |
| - Interactive use is limited to the time needed for the exceptional   |
|   circumstance.                                                       |
|                                                                       |
| - Business justification for interactive use is documented.           |
|                                                                       |
| - Interactive use is explicitly approved by management.               |
|                                                                       |
| - Individual user identity is confirmed before access to account is   |
|   granted.                                                            |
|                                                                       |
| - Every action taken is attributable to an individual user.           |
|                                                                       |
| ***Note:** This requirement is a **best practice** until **31 March   |
| 2025**, after which it will be required and must be fully considered  |
| during a PCI DSS assessment.*                                         |
+-----------------------------------------------------------------------+
| > **Assessment Findings (select one)**                                |
+-----------------------------------------------------------------------+

+------------------+--------------------+----------------+------------------+
| **In Place**     | **Not Applicable** | **Not Tested** | **Not in Place** |
+==================+====================+================+==================+
| ☐                | ☐                  | ☐              | ☐                |
+------------------+--------------------+----------------+------------------+

+--------------------------------------------------------------+------------------------------+
| Describe why the assessment finding was selected.            | \<Enter Response Here\>      |
|                                                              |                              |
| ***Note**: Include all details as noted in the "Required     |                              |
| Reporting" column of the table in                            |                              |
| [Assessment Findings](#assessment-findings) in the ROC       |                              |
| Template Instructions.*                                      |                              |
+--------------------------------------------------------------+------------------------------+
| **Validation Method -- Customized Approach**                 |                              |
+--------------------------------------------------------------+------------------------------+
| **Indicate** whether a Customized Approach was used:         | ☐ Yes ☐ No                   |
+--------------------------------------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>      |
| where the Customized Approach was used.                      |                              |
|                                                              |                              |
| ***Note:** The use of Customized Approach must also be       |                              |
| documented in                                                |                              |
| [Appendix E.](#appendix-e-customized-approach-template)*     |                              |
+--------------------------------------------------------------+------------------------------+
+--------------------------------------------------------------+------------------------------+
| **Validation Method -- Defined Approach**                    |                              |
+--------------------------------------------------------------+------------------------------+
| **Indicate** whether a Compensating Control was used:        | ☐ Yes ☐ No                   |
+--------------------------------------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>      |
| where the Compensating Control(s) was used.                  |                              |
|                                                              |                              |
| ***Note:** The use of Compensating Controls must also be     |                              |
| documented in                                                |                              |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*  |                              |
+--------------------------------------------------------------+------------------------------+

+----------------------------------------+--------------------------------------------------------+----------------------------+
| > **Testing Procedures**               | > **Reporting Instructions**                           | > **Reporting Details:     |
|                                        |                                                        | > Assessor's Response**    |
+========================================+========================================================+============================+
| **8.6.1** Examine application and      | **Identify** the evidence reference number(s) from     | \<Enter Response Here\>    |
| system accounts that can be used       | [Section 6](#evidence-assessment-workpapers) for all   |                            |
| interactively and interview            | **application and system accounts** examined for this  |                            |
| administrative personnel to verify that| testing procedure.                                     |                            |
| application and system accounts are    |                                                        |                            |
| managed in accordance with all elements|                                                        |                            |
| specified in this requirement.         |                                                        |                            |
+----------------------------------------+--------------------------------------------------------+----------------------------+
|                                        | **Identify** the evidence reference number(s) from     | \<Enter Response Here\>    |
|                                        | [Section 6](#evidence-assessment-workpapers) for all   |                            |
|                                        | **interview(s)** conducted for this testing procedure. |                            |
+----------------------------------------+--------------------------------------------------------+----------------------------+

| **PCI DSS Requirement** |
|---|
| **8.6.2** Passwords/passphrases for any application and system accounts that can be used for interactive login are not hard coded in scripts, configuration/property files, or bespoke and custom source code. ***Note:** This requirement is a **best practice** until **31 March 2025**, after which it will be required and must be fully considered during a PCI DSS assessment.* |

| **Assessment Findings (select one)** | | | |
|---|---|---|---|
| **In Place** | **Not Applicable** | **Not Tested** | **Not in Place** |
| ☐ | ☐ | ☐ | ☐ |
| Describe why the assessment finding was selected. ***Note**: Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.* | \<Enter Response Here\> | | |

| **Validation Method -- Customized Approach** | |
|---|---|
| **Indicate** whether a Customized Approach was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used. ***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)* | \<Enter Response Here\> |

| **Validation Method -- Defined Approach** | |
|---|---|
| **Indicate** whether a Compensating Control was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used. ***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)* | \<Enter Response Here\> |

| **Testing Procedures** | **Reporting Instructions** | **Reporting Details: Assessor's Response** |
|---|---|---|
| **8.6.2.a** Interview personnel and examine system development procedures to verify that processes are defined for application and system accounts that can be used for interactive login, specifying that passwords/passphrases are not hard coded in scripts, configuration/property files, or bespoke and custom source code. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **interview(s)** conducted for this testing procedure. | \<Enter Response Here\> |
| | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **system development procedures** examined for this testing procedure. | \<Enter Response Here\> |
| **8.6.2.b** Examine scripts, configuration/property files, and bespoke and custom source code for application and system accounts that can be used for interactive login, to verify passwords/passphrases for those accounts are not present. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **scripts, configuration/property files, and bespoke and custom source code** examined for this testing procedure. | \<Enter Response Here\> |

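
One way to gather evidence for testing procedure 8.6.2.b is to scan scripts, configuration/property files, and source code for credential-named keys that are assigned a literal value, while accepting references to environment variables, secret managers, or protected files. The scanner below is an added example written for this page, not part of the ROC template or of any PCI SSC material; the key-name patterns, the reference heuristics, and the sample files are the example's own assumptions.

```python
"""Scan scripts and configuration/property files for hard-coded credentials.

Added example for testing procedure 8.6.2.b; it is not part of the ROC
template. The sample files below are constructed for the demonstration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# "key = value", "key: value" or "export KEY=value" where the key name suggests
# a credential. The key-name list is this example's assumption, not a PCI DSS
# definition; extend it to match the entity's own naming conventions.
ASSIGNMENT = re.compile(
    r"^\s*(?:export\s+|set\s+)?"
    r"(?P<key>[\w.\-]*(?:passw(?:or)?d|passphrase|pwd|secret)[\w.\-]*)"
    r"\s*[=:]\s*(?P<value>.*?)\s*;?\s*$",
    re.IGNORECASE,
)
# Characters that indicate interpolation, a call, or a placeholder rather than
# a literal: $VAR, ${VAR}, %VAR%, $(cmd), func(), dict[...], <placeholder>.
REFERENCE_CHARS = re.compile(r"[$%(){}\[\]<>]")
COMMENT_PREFIXES = ("#", "//", ";", "--", "/*", "*", "<!--")
# Keys such as db.password.file name a protected file, not the secret itself.
POINTS_AT_FILE = re.compile(r"(?:file|path)$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    """Location of a literal credential. The value itself is deliberately
    not recorded, so the workpaper does not become a credential store."""
    path: str
    line: int
    key: str


def is_literal(value: str) -> bool:
    """True when the assigned value is a literal string rather than a reference."""
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        inner = value[1:-1]  # quoted: spaces allowed, interpolation not
        return bool(inner) and not REFERENCE_CHARS.search(inner)
    # bare token: no whitespace and no reference syntax
    return bool(value) and not re.search(r"\s", value) and not REFERENCE_CHARS.search(value)


def scan_text(path: str, text: str) -> List[Finding]:
    """Return one Finding per line that assigns a literal to a credential key."""
    findings: List[Finding] = []
    for number, line in enumerate(text.splitlines(), start=1):
        stripped = line.lstrip()
        if not stripped or stripped.startswith(COMMENT_PREFIXES):
            continue  # blank or commented-out line
        match = ASSIGNMENT.match(line)
        if match is None:
            continue
        key, value = match.group("key"), match.group("value")
        if POINTS_AT_FILE.search(key) or not is_literal(value):
            continue  # file reference, env var, secret-manager lookup, or placeholder
        findings.append(Finding(path, number, key))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan an in-memory {path: contents} map; a real run would read from disk."""
    findings: List[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample files (not real configuration).
SAMPLE_FILES: Dict[str, str] = {
    "app.properties": (
        "# constructed sample: JDBC settings\n"
        "db.user=svc_payments\n"
        "db.password=Wint3r-2024!\n"             # literal: finding
        "db.password.file=/run/secrets/db_pw\n"  # file reference: acceptable
    ),
    "deploy.sh": (
        "#!/bin/sh\n"
        "export API_SECRET=\"$(vault kv get -field=secret kv/app)\"\n"  # lookup
        "export SFTP_PASSWD='batch#99'\n"        # literal: finding
    ),
    "settings.py": (
        "import os\n"
        "DB_PASSWORD = os.environ['DB_PASSWORD']\n"  # environment reference
        "# PASSWORD = 'old-value'\n"                 # commented out: skipped
        "SMTP_PASSPHRASE = \"m@il-2023\"\n"          # literal: finding
    ),
    "config.yaml": (
        "service:\n"
        "  username: svc_batch\n"
        "  password: ${SERVICE_PASSWORD}\n"      # interpolation: acceptable
        "  secret: <set-at-deploy-time>\n"       # placeholder: acceptable
    ),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: literal value assigned to '{f.key}'")
```

The three reported locations (app.properties line 3, deploy.sh line 3, settings.py line 4) are the evidence an assessor would reference in Section 6; the references and placeholders in the other lines are the pattern the requirement calls for.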

| **PCI DSS Requirement** |
|---|
| **8.6.3** Passwords/passphrases for any application and system accounts are protected against misuse as follows: (1) passwords/passphrases are changed periodically (at the frequency defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1) and upon suspicion or confirmation of compromise; (2) passwords/passphrases are constructed with sufficient complexity appropriate for how frequently the entity changes the passwords/passphrases. ***Note:** This requirement is a **best practice** until **31 March 2025**, after which it will be required and must be fully considered during a PCI DSS assessment.* |

| **Assessment Findings (select one)** | | | |
|---|---|---|---|
| **In Place** | **Not Applicable** | **Not Tested** | **Not in Place** |
| ☐ | ☐ | ☐ | ☐ |
| Describe why the assessment finding was selected. ***Note**: Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.* | \<Enter Response Here\> | | |

| **Validation Method -- Customized Approach** | |
|---|---|
| **Indicate** whether a Customized Approach was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used. ***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)* | \<Enter Response Here\> |

| **Validation Method -- Defined Approach** | |
|---|---|
| **Indicate** whether a Compensating Control was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used. ***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)* | \<Enter Response Here\> |

| **Testing Procedures** | **Reporting Instructions** | **Reporting Details: Assessor's Response** |
|---|---|---|
| **8.6.3.a** Examine policies and procedures to verify that procedures are defined to protect passwords/passphrases for application or system accounts against misuse in accordance with all elements specified in this requirement. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **policies and procedures** examined for this testing procedure. | \<Enter Response Here\> |
| **8.6.3.b** Examine the entity's targeted risk analysis for the change frequency and complexity for passwords/passphrases used for interactive login to application and system accounts to verify the risk analysis was performed in accordance with all elements specified in Requirement 12.3.1 and addresses: (1) the frequency defined for periodic changes to application and system passwords/passphrases; (2) the complexity defined for passwords/passphrases and appropriateness of the complexity relative to the frequency of changes. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for the **entity's targeted risk analysis** examined for this testing procedure. | \<Enter Response Here\> |
| **8.6.3.c** Interview responsible personnel and examine system configuration settings to verify that passwords/passphrases for any application and system accounts that can be used for interactive login are protected against misuse in accordance with all elements specified in this requirement. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **interview(s)** conducted for this testing procedure. | \<Enter Response Here\> |
| | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **system configuration settings** examined for this testing procedure. | \<Enter Response Here\> |

### Requirement 9: Restrict Physical Access to Cardholder Data {#requirement-9-restrict-physical-access-to-cardholder-data .unnumbered}

| **Requirement Description** |
|---|
| **9.1** Processes and mechanisms for restricting physical access to cardholder data are defined and understood. |

| **PCI DSS Requirement** |
|---|
| **9.1.1** All security policies and operational procedures that are identified in Requirement 9 are: documented; kept up to date; in use; and known to all affected parties. |

| **Assessment Findings (select one)** | | | |
|---|---|---|---|
| **In Place** | **Not Applicable** | **Not Tested** | **Not in Place** |
| ☐ | ☐ | ☐ | ☐ |
| Describe why the assessment finding was selected. ***Note**: Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.* | \<Enter Response Here\> | | |

| **Validation Method -- Customized Approach** | |
|---|---|
| **Indicate** whether a Customized Approach was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used. ***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)* | \<Enter Response Here\> |

| **Validation Method -- Defined Approach** | |
|---|---|
| **Indicate** whether a Compensating Control was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used. ***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)* | \<Enter Response Here\> |

| **Testing Procedures** | **Reporting Instructions** | **Reporting Details: Assessor's Response** |
|---|---|---|
| **9.1.1** Examine documentation and interview personnel to verify that security policies and operational procedures identified in Requirement 9 are managed in accordance with all elements specified in this requirement. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **documentation** examined for this testing procedure. | \<Enter Response Here\> |
| | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **interview(s)** conducted for this testing procedure. | \<Enter Response Here\> |

| **PCI DSS Requirement** |
|---|
| **9.1.2** Roles and responsibilities for performing activities in Requirement 9 are documented, assigned, and understood. |

| **Assessment Findings (select one)** | | | |
|---|---|---|---|
| **In Place** | **Not Applicable** | **Not Tested** | **Not in Place** |
| ☐ | ☐ | ☐ | ☐ |
| Describe why the assessment finding was selected. ***Note**: Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.* | \<Enter Response Here\> | | |

| **Validation Method -- Customized Approach** | |
|---|---|
| **Indicate** whether a Customized Approach was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used. ***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)* | \<Enter Response Here\> |

| **Validation Method -- Defined Approach** | |
|---|---|
| **Indicate** whether a Compensating Control was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used. ***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)* | \<Enter Response Here\> |

| **Testing Procedures** | **Reporting Instructions** | **Reporting Details: Assessor's Response** |
|---|---|---|
| **9.1.2.a** Examine documentation to verify that descriptions of roles and responsibilities for performing activities in Requirement 9 are documented and assigned. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **documentation** examined for this testing procedure. | \<Enter Response Here\> |
| **9.1.2.b** Interview personnel with responsibility for performing activities in Requirement 9 to verify that roles and responsibilities are assigned as documented and are understood. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **interview(s)** conducted for this testing procedure. | \<Enter Response Here\> |


| **Requirement Description** |
|---|
| **9.2** Physical access controls manage entry into facilities and systems containing cardholder data. |

| **PCI DSS Requirement** |
|---|
| **9.2.1** Appropriate facility entry controls are in place to restrict physical access to systems in the CDE. |

| **Assessment Findings (select one)** | | | |
|---|---|---|---|
| **In Place** | **Not Applicable** | **Not Tested** | **Not in Place** |
| ☐ | ☐ | ☐ | ☐ |
| Describe why the assessment finding was selected. ***Note**: Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.* | \<Enter Response Here\> | | |

| **Validation Method -- Customized Approach** | |
|---|---|
| **Indicate** whether a Customized Approach was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used. ***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)* | \<Enter Response Here\> |

| **Validation Method -- Defined Approach** | |
|---|---|
| **Indicate** whether a Compensating Control was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used. ***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)* | \<Enter Response Here\> |

| **Testing Procedures** | **Reporting Instructions** | **Reporting Details: Assessor's Response** |
|---|---|---|
| **9.2.1** Observe entry controls and interview responsible personnel to verify that physical security controls are in place to restrict access to systems in the CDE. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **observation(s) of the entry controls** for this testing procedure. | \<Enter Response Here\> |
| | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **interview(s)** conducted for this testing procedure. | \<Enter Response Here\> |

| **PCI DSS Requirement** |
|---|
| **9.2.1.1** Individual physical access to sensitive areas within the CDE is monitored with either video cameras or physical access control mechanisms (or both) as follows: (1) entry and exit points to/from sensitive areas within the CDE are monitored; (2) monitoring devices or mechanisms are protected from tampering or disabling; (3) collected data is reviewed and correlated with other entries; (4) collected data is stored for at least three months, unless otherwise restricted by law. |

| **Assessment Findings (select one)** | | | |
|---|---|---|---|
| **In Place** | **Not Applicable** | **Not Tested** | **Not in Place** |
| ☐ | ☐ | ☐ | ☐ |
| Describe why the assessment finding was selected. ***Note**: Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.* | \<Enter Response Here\> | | |

+-----------------+----------------+---+--------------+-----------------+
+-----------------+-------------------+--------------------------------+
| **Validation | | |
| Method -- | | |
| Customized | | |
| Approach** | | |
+=================+===================+================================+
| **Indicate**    |                   | ☐ Yes ☐ No                     |
| whether a | | |
| Customized | | |
| Approach was | | |
| used: | | |
+-----------------+-------------------+--------------------------------+
| **If "Yes", | | \<Enter Response Here\> |
| Identify** the | | |
| aspect(s) of | | |
| the requirement | | |
| where the | | |
| Customized | | |
| Approach was | | |
| used. | | |
| | | |
| ***Note:** The | | |
| use of | | |
| Customized | | |
| Approach must | | |
| also be | | |
| documented in | | |
| [Appendix | | |
| E | | |
| .](#appendix-e- | | |
| customized-appr | | |
| oach-template)* | | |
+-----------------+-------------------+--------------------------------+
| **Validation | | |
| Method -- | | |
| Defined | | |
| Approach** | | |
+-----------------+-------------------+--------------------------------+
| **Indicate**    |                   | ☐ Yes ☐ No                     |
| whether a | | |
| Compensating | | |
| Control was | | |
| used: | | |
+-----------------+-------------------+--------------------------------+
| **If "Yes", | | \<Enter Response Here\> |
| Identify** the | | |
| aspect(s) of | | |
| the requirement | | |
| where the | | |
| Compensating | | |
| Control(s) was | | |
| used. | | |
| | | |
| ***Note:** The | | |
| use of | | |
| Compensating | | |
| Controls must | | |
| also be | | |
| documented in | | |
| [Appendix | | |
| C.]( | | |
| #appendix-c-com | | |
| pensating-contr | | |
| ols-worksheet)* | | |
+-----------------+-------------------+--------------------------------+
| > **Testing | > **Reporting | > **Reporting Details: |
| > Procedures** | > Instructions** | > Assessor's Response** |
+-----------------+-------------------+--------------------------------+
| **9.2.1.1.a** | **Identify** the | \<Enter Response Here\> |
| Observe | evidence | |
| locations where | reference | |
| individual | number(s) from | |
| physical access | [Section | |
| to sensitive | 6 | |
| areas within | ](#evidence-asses | |
| the CDE occurs | sment-workpapers) | |
| to verify that | for all | |
| either video | **observation(s) | |
| cameras or | of locations | |
| physical access | where individual | |
| control | physical access | |
| mechanisms (or | to sensitive | |
| both) are in | areas within the | |
| place to | CDE occurs** for | |
| monitor the | this testing | |
| entry and exit | procedure. | |
| points. | | |
+-----------------+-------------------+--------------------------------+
| **9.2.1.1.b** | **Identify** the | \<Enter Response Here\> |
| Observe | evidence | |
| locations where | reference | |
| individual | number(s) from | |
| physical access | [Section | |
| to sensitive | 6 | |
| areas within | ](#evidence-asses | |
| the CDE occurs | sment-workpapers) | |
| to verify that | for all | |
| either video    | **observation(s)  |                                |
| cameras or | of locations | |
| physical access | where individual | |
| control | physical access | |
| mechanisms (or | to the CDE | |
| both) are | occurs** for this | |
| protected from | testing | |
| tampering or | procedure. | |
| disabling. | | |
+-----------------+-------------------+--------------------------------+
+-----------------+----------------+---+--------------+-----------------+
| **9.2.1.1.c** | > **Identify** | | \<Enter | |
| Observe the | > the evidence | | Response | |
| physical access | > reference | | Here\> | |
| control | > number(s) | | | |
| mechanisms | > from | | | |
| and/or examine | > [Section | | | |
| video cameras | > 6](#evi | | | |
| and interview | dence-assessme | | | |
| responsible | nt-workpapers) | | | |
| personnel to | > for all | | | |
| verify that: | > ** | | | |
| | observation(s) | | | |
| - Collected | > of the | | | |
| data from | > physical | | | |
| video | > access | | | |
| cameras | > control | | | |
| and/or | > mechanisms** | | | |
| physical | > for this | | | |
| access | > testing | | | |
| control | > procedure. | | | |
| mechanisms | | | | |
| is reviewed | | | | |
| and | | | | |
| correlated | | | | |
| with other | | | | |
| entries. | | | | |
| | | | | |
| - Collected | | | | |
| data is | | | | |
| stored for | | | | |
| at least | | | | |
| three | | | | |
| months. | | | | |
+=================+================+===+==============+=================+
| | > **Identify** | | \<Enter | |
| | > the evidence | | Response | |
| | > reference | | Here\> | |
| | > number(s) | | | |
| | > from | | | |
| | > [Section | | | |
| | > 6](#evi | | | |
| | dence-assessme | | | |
| | nt-workpapers) | | | |
| | > for all | | | |
| | > **video | | | |
| | > cameras** | | | |
| | > examined for | | | |
| | > this testing | | | |
| | > procedure. | | | |
+-----------------+----------------+---+--------------+-----------------+
| | > **Identify** | | \<Enter | |
| | > the evidence | | Response | |
| | > reference | | Here\> | |
| | > number(s) | | | |
| | > from | | | |
| | > [Section | | | |
| | > 6](#evi | | | |
| | dence-assessme | | | |
| | nt-workpapers) | | | |
| | > for all | | | |
| | > ** | | | |
| | interview(s)** | | | |
| | > conducted | | | |
| | > for this | | | |
| | > testing | | | |
| | > procedure. | | | |
+-----------------+----------------+---+--------------+-----------------+
| > **PCI DSS | | | | |
| > Requirement** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **9.2.2** | | | | |
| Physical and/or | | | | |
| logical | | | | |
| controls are | | | | |
| implemented to | | | | |
| restrict use of | | | | |
| publicly | | | | |
| accessible | | | | |
| network jacks | | | | |
| within the | | | | |
| facility. | | | | |
+-----------------+----------------+---+--------------+-----------------+
| > **Assessment | | | | |
| > Findings | | | | |
| > (select | | | | |
| > one)** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **In Place** | **Not | * | | **Not in |
| | Applicable** | * | | Place** |
| | | N | | |
| | | o | | |
| | | t | | |
| | | T | | |
| | | e | | |
| | | s | | |
| | | t | | |
| | | e | | |
| | | d | | |
| | | * | | |
| | | * | | |
+-----------------+----------------+---+--------------+-----------------+
| ☐ | ☐ | ☐ | | ☐ |
+-----------------+----------------+---+--------------+-----------------+
| Describe why | | \ | | |
| the assessment | | < | | |
| finding was | | E | | |
| selected. | | n | | |
| | | t | | |
| ***Note**: | | e | | |
| Include all | | r | | |
| details as | | R | | |
| noted in the | | e | | |
| "Required | | s | | |
| Reporting" | | p | | |
| column of the | | o | | |
| table in | | n | | |
| [Assessment | | s | | |
| F | | e | | |
| indings](#asses | | H | | |
| sment-findings) | | e | | |
| in the ROC | | r | | |
| Template | | e | | |
| Instructions.* | | \ | | |
| | | > | | |
+-----------------+----------------+---+--------------+-----------------+
+-----------------+-------------------+--------------------------------+
| **Validation | | |
| Method -- | | |
| Customized | | |
| Approach** | | |
+=================+===================+================================+
| **Indicate**    |                   | ☐ Yes ☐ No                     |
| whether a | | |
| Customized | | |
| Approach was | | |
| used: | | |
+-----------------+-------------------+--------------------------------+
| **If "Yes", | | \<Enter Response Here\> |
| Identify** the | | |
| aspect(s) of | | |
| the requirement | | |
| where the | | |
| Customized | | |
| Approach was | | |
| used. | | |
| | | |
| ***Note:** The | | |
| use of | | |
| Customized | | |
| Approach must | | |
| also be | | |
| documented in | | |
| [Appendix | | |
| E | | |
| .](#appendix-e- | | |
| customized-appr | | |
| oach-template)* | | |
+-----------------+-------------------+--------------------------------+
| **Validation | | |
| Method -- | | |
| Defined | | |
| Approach** | | |
+-----------------+-------------------+--------------------------------+
| **Indicate**    |                   | ☐ Yes ☐ No                     |
| whether a | | |
| Compensating | | |
| Control was | | |
| used: | | |
+-----------------+-------------------+--------------------------------+
| **If "Yes", | | \<Enter Response Here\> |
| Identify** the | | |
| aspect(s) of | | |
| the requirement | | |
| where the | | |
| Compensating | | |
| Control(s) was | | |
| used. | | |
| | | |
| ***Note:** The | | |
| use of | | |
| Compensating | | |
| Controls must | | |
| also be | | |
| documented in | | |
| [Appendix | | |
| C.]( | | |
| #appendix-c-com | | |
| pensating-contr | | |
| ols-worksheet)* | | |
+-----------------+-------------------+--------------------------------+
| > **Testing | > **Reporting | > **Reporting Details: |
| > Procedures** | > Instructions** | > Assessor's Response** |
+-----------------+-------------------+--------------------------------+
| **9.2.2** | **Identify** the | \<Enter Response Here\> |
| Interview | evidence | |
| responsible | reference | |
| personnel and | number(s) from | |
| observe | [Section | |
| locations of | 6 | |
| publicly | ](#evidence-asses | |
| accessible | sment-workpapers) | |
| network jacks | for all | |
| to verify that | **interview(s)** | |
| physical and/or | conducted for | |
| logical | this testing | |
| controls are in | procedure. | |
| place to | | |
| restrict access | | |
| to publicly | | |
| accessible | | |
| network jacks | | |
| within the | | |
| facility. | | |
+-----------------+-------------------+--------------------------------+
| | **Identify** the | \<Enter Response Here\> |
| | evidence | |
| | reference | |
| | number(s) from | |
| | [Section | |
| | 6 | |
| | ](#evidence-asses | |
| | sment-workpapers) | |
| | for all | |
| | **observation(s) | |
| | of the locations | |
| | of publicly | |
| | accessible | |
| | network jacks** | |
| | for this testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+
+-----------------+----------------+---+--------------+-----------------+
| > **PCI DSS | | | | |
| > Requirement** | | | | |
+=================+================+===+==============+=================+
| **9.2.3** | | | | |
| Physical access | | | | |
| to wireless | | | | |
| access points, | | | | |
| gateways, | | | | |
| networking | | | | |
| /communications | | | | |
| hardware, and | | | | |
| te | | | | |
| lecommunication | | | | |
| lines within | | | | |
| the facility is | | | | |
| restricted. | | | | |
+-----------------+----------------+---+--------------+-----------------+
| > **Assessment | | | | |
| > Findings | | | | |
| > (select | | | | |
| > one)** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **In Place** | **Not | * | | **Not in |
| | Applicable** | * | | Place** |
| | | N | | |
| | | o | | |
| | | t | | |
| | | T | | |
| | | e | | |
| | | s | | |
| | | t | | |
| | | e | | |
| | | d | | |
| | | * | | |
| | | * | | |
+-----------------+----------------+---+--------------+-----------------+
| ☐ | ☐ | ☐ | | ☐ |
+-----------------+----------------+---+--------------+-----------------+
| Describe why | | \ | | |
| the assessment | | < | | |
| finding was | | E | | |
| selected. | | n | | |
| | | t | | |
| ***Note**: | | e | | |
| Include all | | r | | |
| details as | | R | | |
| noted in the | | e | | |
| "Required | | s | | |
| Reporting" | | p | | |
| column of the | | o | | |
| table in | | n | | |
| [Assessment | | s | | |
| F | | e | | |
| indings](#asses | | H | | |
| sment-findings) | | e | | |
| in the ROC | | r | | |
| Template | | e | | |
| Instructions.* | | \ | | |
| | | > | | |
+-----------------+----------------+---+--------------+-----------------+
| **Validation | | | | |
| Method -- | | | | |
| Customized | | | | |
| Approach** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **Indicate**    |                |   | ☐ Yes ☐ No   |                 |
| whether a | | | | |
| Customized | | | | |
| Approach was | | | | |
| used: | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **If "Yes", | | | \<Enter | |
| Identify** the | | | Response | |
| aspect(s) of | | | Here\> | |
| the requirement | | | | |
| where the | | | | |
| Customized | | | | |
| Approach was | | | | |
| used. | | | | |
| | | | | |
| ***Note:** The | | | | |
| use of | | | | |
| Customized | | | | |
| Approach must | | | | |
| also be | | | | |
| documented in | | | | |
| [Appendix | | | | |
| E | | | | |
| .](#appendix-e- | | | | |
| customized-appr | | | | |
| oach-template)* | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **Validation | | | | |
| Method -- | | | | |
| Defined | | | | |
| Approach** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **Indicate**    |                |   | ☐ Yes ☐ No   |                 |
| whether a | | | | |
| Compensating | | | | |
| Control was | | | | |
| used: | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **If "Yes", | | | \<Enter | |
| Identify** the | | | Response | |
| aspect(s) of | | | Here\> | |
| the requirement | | | | |
| where the | | | | |
| Compensating | | | | |
| Control(s) was | | | | |
| used. | | | | |
| | | | | |
| ***Note:** The | | | | |
| use of | | | | |
| Compensating | | | | |
| Controls must | | | | |
| also be | | | | |
| documented in | | | | |
| [Appendix | | | | |
| C.]( | | | | |
| #appendix-c-com | | | | |
| pensating-contr | | | | |
| ols-worksheet)* | | | | |
+-----------------+----------------+---+--------------+-----------------+
+-----------------+----------------+---+--------------+-----------------+
| **Testing | > **Reporting | | > | |
| Procedures** | > | | **Reporting | |
| | Instructions** | | > Details: | |
| | | | > Assessor's | |
| | | | > Response** | |
+=================+================+===+==============+=================+
| **9.2.3** | > **Identify** | | \<Enter | |
| Interview | > the evidence | | Response | |
| responsible | > reference | | Here\> | |
| personnel and | > number(s) | | | |
| observe | > from | | | |
| locations of | > [Section | | | |
| hardware and | > 6](#evi | | | |
| lines to verify | dence-assessme | | | |
| that physical | nt-workpapers) | | | |
| access to | > for all | | | |
| wireless access | > ** | | | |
| points, | interview(s)** | | | |
| gateways, | > conducted | | | |
| networking | > for this | | | |
| /communications | > testing | | | |
| hardware, and | > procedure. | | | |
| te | | | | |
| lecommunication | | | | |
| lines within | | | | |
| the facility is | | | | |
| restricted. | | | | |
+-----------------+----------------+---+--------------+-----------------+
| | > **Identify** | | \<Enter | |
| | > the evidence | | Response | |
| | > reference | | Here\> | |
| | > number(s) | | | |
| | > from | | | |
| | > [Section | | | |
| | > 6](#evi | | | |
| | dence-assessme | | | |
| | nt-workpapers) | | | |
| | > for all | | | |
| | > ** | | | |
| | observation(s) | | | |
| | > of the | | | |
| | > locations of | | | |
| | > hardware and | | | |
| | > lines** for | | | |
| | > this testing | | | |
| | > procedure. | | | |
+-----------------+----------------+---+--------------+-----------------+
| > **PCI DSS | | | | |
| > Requirement** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **9.2.4** | | | | |
| Access to | | | | |
| consoles in | | | | |
| sensitive areas | | | | |
| is restricted | | | | |
| via locking | | | | |
| when not in | | | | |
| use. | | | | |
+-----------------+----------------+---+--------------+-----------------+
| > **Assessment | | | | |
| > Findings | | | | |
| > (select | | | | |
| > one)** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **In Place** | **Not | * | | **Not in |
| | Applicable** | * | | Place** |
| | | N | | |
| | | o | | |
| | | t | | |
| | | T | | |
| | | e | | |
| | | s | | |
| | | t | | |
| | | e | | |
| | | d | | |
| | | * | | |
| | | * | | |
+-----------------+----------------+---+--------------+-----------------+
| ☐ | ☐ | ☐ | | ☐ |
+-----------------+----------------+---+--------------+-----------------+
| Describe why | | \ | | |
| the assessment | | < | | |
| finding was | | E | | |
| selected. | | n | | |
| | | t | | |
| ***Note**: | | e | | |
| Include all | | r | | |
| details as | | R | | |
| noted in the | | e | | |
| "Required | | s | | |
| Reporting" | | p | | |
| column of the | | o | | |
| table in | | n | | |
| [Assessment | | s | | |
| F | | e | | |
| indings](#asses | | H | | |
| sment-findings) | | e | | |
| in the ROC | | r | | |
| Template | | e | | |
| Instructions.* | | \ | | |
| | | > | | |
+-----------------+----------------+---+--------------+-----------------+
| **Validation | | | | |
| Method -- | | | | |
| Customized | | | | |
| Approach** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **Indicate**    |                |   | ☐ Yes ☐ No   |                 |
| whether a | | | | |
| Customized | | | | |
| Approach was | | | | |
| used: | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **If "Yes", | | | \<Enter | |
| Identify** the | | | Response | |
| aspect(s) of | | | Here\> | |
| the requirement | | | | |
| where the | | | | |
| Customized | | | | |
| Approach was | | | | |
| used. | | | | |
| | | | | |
| ***Note:** The | | | | |
| use of | | | | |
| Customized | | | | |
| Approach must | | | | |
| also be | | | | |
| documented in | | | | |
| [Appendix | | | | |
| E | | | | |
| .](#appendix-e- | | | | |
| customized-appr | | | | |
| oach-template)* | | | | |
+-----------------+----------------+---+--------------+-----------------+
+-----------------+-------------------+--------------------------------+
| > **Validation | | |
| > Method -- | | |
| > Defined | | |
| > Approach** | | |
+=================+===================+================================+
| **Indicate**    |                   | ☐ Yes ☐ No                     |
| whether a | | |
| Compensating | | |
| Control was | | |
| used: | | |
+-----------------+-------------------+--------------------------------+
| **If "Yes", | | \<Enter Response Here\> |
| Identify** the | | |
| aspect(s) of | | |
| the requirement | | |
| where the | | |
| Compensating | | |
| Control(s) was | | |
| used. | | |
| | | |
| ***Note:** The | | |
| use of | | |
| Compensating | | |
| Controls must | | |
| also be | | |
| documented in | | |
| [Appendix | | |
| C.]( | | |
| #appendix-c-com | | |
| pensating-contr | | |
| ols-worksheet)* | | |
+-----------------+-------------------+--------------------------------+
| > **Testing | > **Reporting | > **Reporting Details: |
| > Procedures** | > Instructions** | > Assessor's Response** |
+-----------------+-------------------+--------------------------------+
| **9.2.4** | **Identify** the | \<Enter Response Here\> |
| Observe a | evidence | |
| system | reference | |
| administrator's | number(s) from | |
| attempt to log | [Section | |
| into consoles | 6 | |
| in sensitive | ](#evidence-asses | |
| areas and | sment-workpapers) | |
| verify that | for **all | |
| they are | observation(s) of | |
| "locked" to | a system | |
| prevent | administrator's | |
| unauthorized | attempt to log | |
| use. | into consoles in | |
| | sensitive areas** | |
| | for this testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+
+-----------------------------------------------------------------------+
| > **Requirement Description** |
+=======================================================================+
| **9.3** Physical access for personnel and visitors is authorized and |
| managed. |
+-----------------------------------------------------------------------+
| > **PCI DSS Requirement** |
+-----------------------------------------------------------------------+
| **9.3.1** Procedures are implemented for authorizing and managing     |
| physical access of personnel to the CDE, including:                   |
|                                                                       |
| - Identifying personnel.                                              |
|                                                                       |
| - Managing changes to an individual\'s physical access requirements.  |
|                                                                       |
| - Revoking or terminating personnel identification.                   |
|                                                                       |
| - Limiting access to the identification process or system to         |
|   authorized personnel.                                               |
+-----------------------------------------------------------------------+
+-----------------+----------------+---+--------------+-----------------+
| > **Assessment | | | | |
| > Findings | | | | |
| > (select | | | | |
| > one)** | | | | |
+=================+================+===+==============+=================+
| **In Place** | **Not | * | | **Not in |
| | Applicable** | * | | Place** |
| | | N | | |
| | | o | | |
| | | t | | |
| | | T | | |
| | | e | | |
| | | s | | |
| | | t | | |
| | | e | | |
| | | d | | |
| | | * | | |
| | | * | | |
+-----------------+----------------+---+--------------+-----------------+
| ☐ | ☐ | ☐ | | ☐ |
+-----------------+----------------+---+--------------+-----------------+
| Describe why | | \ | | |
| the assessment | | < | | |
| finding was | | E | | |
| selected. | | n | | |
| | | t | | |
| ***Note**: | | e | | |
| Include all | | r | | |
| details as | | R | | |
| noted in the | | e | | |
| "Required | | s | | |
| Reporting" | | p | | |
| column of the | | o | | |
| table in | | n | | |
| [Assessment | | s | | |
| F | | e | | |
| indings](#asses | | H | | |
| sment-findings) | | e | | |
| in the ROC | | r | | |
| Template | | e | | |
| Instructions.* | | \ | | |
| | | > | | |
+-----------------+----------------+---+--------------+-----------------+
| **Validation | | | | |
| Method -- | | | | |
| Customized | | | | |
| Approach** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **Indicate**    |                |   | ☐ Yes ☐ No   |                 |
| whether a | | | | |
| Customized | | | | |
| Approach was | | | | |
| used: | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **If "Yes", | | | \<Enter | |
| Identify** the | | | Response | |
| aspect(s) of | | | Here\> | |
| the requirement | | | | |
| where the | | | | |
| Customized | | | | |
| Approach was | | | | |
| used. | | | | |
| | | | | |
| ***Note:** The | | | | |
| use of | | | | |
| Customized | | | | |
| Approach must | | | | |
| also be | | | | |
| documented in | | | | |
| [Appendix | | | | |
| E | | | | |
| .](#appendix-e- | | | | |
| customized-appr | | | | |
| oach-template)* | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **Validation | | | | |
| Method -- | | | | |
| Defined | | | | |
| Approach** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **Indicate**    |                |   | ☐ Yes ☐ No   |                 |
| whether a | | | | |
| Compensating | | | | |
| Control was | | | | |
| used: | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **If "Yes", | | | \<Enter | |
| Identify** the | | | Response | |
| aspect(s) of | | | Here\> | |
| the requirement | | | | |
| where the | | | | |
| Compensating | | | | |
| Control(s) was | | | | |
| used. | | | | |
| | | | | |
| ***Note:** The | | | | |
| use of | | | | |
| Compensating | | | | |
| Controls must | | | | |
| also be | | | | |
| documented in | | | | |
| [Appendix | | | | |
| C.]( | | | | |
| #appendix-c-com | | | | |
| pensating-contr | | | | |
| ols-worksheet)* | | | | |
+-----------------+----------------+---+--------------+-----------------+
+-----------------+-------------------+--------------------------------+
| > **Testing | > **Reporting | > **Reporting Details: |
| > Procedures** | > Instructions** | > Assessor's Response** |
+=================+===================+================================+
| **9.3.1.a** | **Identify** the | \<Enter Response Here\> |
| Examine | evidence | |
| documented | reference | |
| procedures to | number(s) from | |
| verify that | [Section | |
| procedures to | 6 | |
| authorize and | ](#evidence-asses | |
| manage physical | sment-workpapers) | |
| access of | for all | |
| personnel to | **documentation** | |
| the CDE are | examined for this | |
| defined in | testing | |
| accordance with | procedure. | |
| all elements | | |
| specified in | | |
| this | | |
| requirement. | | |
+-----------------+-------------------+--------------------------------+
| **9.3.1.b** | **Identify** the | \<Enter Response Here\> |
| Observe | evidence | |
| identification | reference | |
| methods, such | number(s) from | |
| as ID badges, | [Section | |
| and processes | 6 | |
| to verify that | ](#evidence-asses | |
| personnel in | sment-workpapers) | |
| the CDE are | for all | |
| clearly | **observation(s) | |
| identified. | of all | |
| | identification | |
| | methods and | |
| | processes** for | |
| | this testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+
| **9.3.1.c** | **Identify** the | \<Enter Response Here\> |
| Observe | evidence | |
| processes to | reference | |
| verify that | number(s) from | |
| access to the | [Section | |
| identification | 6 | |
| process, such | ](#evidence-asses | |
| as a badge | sment-workpapers) | |
| system, is | for all | |
| limited to | **observation(s) | |
| authorized | of processes** | |
| personnel. | for this testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+
+-----------------+----------------+---+--------------+-----------------+
| > **PCI DSS | | | | |
| > Requirement** | | | | |
+=================+================+===+==============+=================+
| **9.3.1.1**     |                |   |              |                 |
| Physical access |                |   |              |                 |
| to sensitive    |                |   |              |                 |
| areas within    |                |   |              |                 |
| the CDE for     |                |   |              |                 |
| personnel is    |                |   |              |                 |
| controlled as   |                |   |              |                 |
| follows:        |                |   |              |                 |
|                 |                |   |              |                 |
| - Access is     |                |   |              |                 |
|   authorized    |                |   |              |                 |
|   and based on  |                |   |              |                 |
|   individual    |                |   |              |                 |
|   job function. |                |   |              |                 |
|                 |                |   |              |                 |
| - Access is     |                |   |              |                 |
|   revoked       |                |   |              |                 |
|   immediately   |                |   |              |                 |
|   upon          |                |   |              |                 |
|   termination.  |                |   |              |                 |
|                 |                |   |              |                 |
| - All physical  |                |   |              |                 |
|   access        |                |   |              |                 |
|   mechanisms,   |                |   |              |                 |
|   such as keys, |                |   |              |                 |
|   access cards, |                |   |              |                 |
|   etc., are     |                |   |              |                 |
|   returned or   |                |   |              |                 |
|   disabled upon |                |   |              |                 |
|   termination.  |                |   |              |                 |
+-----------------+----------------+---+--------------+-----------------+
| > **Assessment | | | | |
| > Findings | | | | |
| > (select | | | | |
| > one)** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **In Place** | **Not | * | | **Not in |
| | Applicable** | * | | Place** |
| | | N | | |
| | | o | | |
| | | t | | |
| | | T | | |
| | | e | | |
| | | s | | |
| | | t | | |
| | | e | | |
| | | d | | |
| | | * | | |
| | | * | | |
+-----------------+----------------+---+--------------+-----------------+
| ☐ | ☐ | ☐ | | ☐ |
+-----------------+----------------+---+--------------+-----------------+
| Describe why | | \ | | |
| the assessment | | < | | |
| finding was | | E | | |
| selected. | | n | | |
| | | t | | |
| ***Note**: | | e | | |
| Include all | | r | | |
| details as | | R | | |
| noted in the | | e | | |
| "Required | | s | | |
| Reporting" | | p | | |
| column of the | | o | | |
| table in | | n | | |
| [Assessment | | s | | |
| F | | e | | |
| indings](#asses | | H | | |
| sment-findings) | | e | | |
| in the ROC | | r | | |
| Template | | e | | |
| Instructions.* | | \ | | |
| | | > | | |
+-----------------+----------------+---+--------------+-----------------+
| **Validation | | | | |
| Method -- | | | | |
| Customized | | | | |
| Approach** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **Indicate**    |                |   | ☐ Yes ☐ No   |                 |
| whether a | | | | |
| Customized | | | | |
| Approach was | | | | |
| used: | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **If "Yes", | | | \<Enter | |
| Identify** the | | | Response | |
| aspect(s) of | | | Here\> | |
| the requirement | | | | |
| where the | | | | |
| Customized | | | | |
| Approach was | | | | |
| used. | | | | |
| | | | | |
| ***Note:** The | | | | |
| use of | | | | |
| Customized | | | | |
| Approach must | | | | |
| also be | | | | |
| documented in | | | | |
| [Appendix | | | | |
| E | | | | |
| .](#appendix-e- | | | | |
| customized-appr | | | | |
| oach-template)* | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **Validation | | | | |
| Method -- | | | | |
| Defined | | | | |
| Approach** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **Indicate**    |                |   | ☐ Yes ☐ No   |                 |
| whether a | | | | |
| Compensating | | | | |
| Control was | | | | |
| used: | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **If "Yes", | | | \<Enter | |
| Identify** the | | | Response | |
| aspect(s) of | | | Here\> | |
| the requirement | | | | |
| where the | | | | |
| Compensating | | | | |
| Control(s) was | | | | |
| used. | | | | |
| | | | | |
| ***Note:** The | | | | |
| use of | | | | |
| Compensating | | | | |
| Controls must | | | | |
| also be | | | | |
| documented in | | | | |
| [Appendix | | | | |
| C.]( | | | | |
| #appendix-c-com | | | | |
| pensating-contr | | | | |
| ols-worksheet)* | | | | |
+-----------------+----------------+---+--------------+-----------------+
+-----------------+-------------------+--------------------------------+
| > **Testing | > **Reporting | > **Reporting Details: |
| > Procedures** | > Instructions** | > Assessor's Response** |
+=================+===================+================================+
| **9.3.1.1.a** | **Identify** the | \<Enter Response Here\> |
| Observe | evidence | |
| personnel in | reference | |
| sensitive areas | number(s) from | |
| within the CDE, | [Section | |
| interview | 6 | |
| responsible | ](#evidence-asses | |
| personnel, and | sment-workpapers) | |
| examine | for all | |
| physical access | **observation(s) | |
| control lists | of personnel in | |
| to verify that: | sensitive areas** | |
| | for this testing | |
| - Access to     |                   |                                |
|   the sensitive |                   |                                |
|   area is       |                   |                                |
|   authorized.   |                   |                                |
|                 |                   |                                |
| - Access is     |                   |                                |
|   required for  |                   |                                |
|   the           |                   |                                |
|   individual's  |                   |                                |
|   job function. |                   |                                |
+-----------------+-------------------+--------------------------------+
| | **Identify** the | \<Enter Response Here\> |
| | evidence | |
| | reference | |
| | number(s) from | |
| | [Section | |
| | 6 | |
| | ](#evidence-asses | |
| | sment-workpapers) | |
| | for all | |
| | **interview(s)** | |
| | conducted for | |
| | this testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+
| | **Identify** the | \<Enter Response Here\> |
| | evidence | |
| | reference | |
| | number(s) from | |
| | [Section | |
| | 6 | |
| | ](#evidence-asses | |
| | sment-workpapers) | |
| | for all | |
| | **physical access | |
| | control lists** | |
| | examined for this | |
| | testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+
| **9.3.1.1.b** | **Identify** the | \<Enter Response Here\> |
| Observe | evidence | |
| processes and | reference | |
| interview | number(s) from | |
| personnel to | [Section | |
| verify that | 6 | |
| access of all | ](#evidence-asses | |
| personnel is | sment-workpapers) | |
| revoked | for all | |
| immediately | **observation(s) | |
| upon | of processes** | |
| termination. | for this testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+
| | **Identify** the | \<Enter Response Here\> |
| | evidence | |
| | reference | |
| | number(s) from | |
| | [Section | |
| | 6 | |
| | ](#evidence-asses | |
| | sment-workpapers) | |
| | for all | |
| | **interview(s)** | |
| | conducted for | |
| | this testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+
| **9.3.1.1.c** | **Identify** the | \<Enter Response Here\> |
| For terminated | evidence | |
| personnel, | reference | |
| examine | number(s) from | |
| physical access | [Section | |
| control lists   | 6                 |                                |
| and interview | ](#evidence-asses | |
| responsible | sment-workpapers) | |
| personnel to | for all | |
| verify that all | **physical access | |
| physical access | control lists** | |
| mechanisms | examined for this | |
| (such as keys, | testing | |
| access cards, | procedure. | |
| etc.) were | | |
| returned or | | |
| disabled. | | |
+-----------------+-------------------+--------------------------------+
| | **Identify** the | \<Enter Response Here\> |
| | evidence | |
| | reference | |
| | number(s) from | |
| | [Section | |
| | 6 | |
| | ](#evidence-asses | |
| | sment-workpapers) | |
| | for all | |
| | **interview(s)** | |
| | conducted for | |
| | this testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+
+-----------------+----------------+---+--------------+-----------------+
| > **PCI DSS | | | | |
| > Requirement** | | | | |
+=================+================+===+==============+=================+
| **9.3.2** | | | | |
| Procedures are | | | | |
| implemented for | | | | |
| authorizing and | | | | |
| managing | | | | |
| visitor access | | | | |
| to the CDE, | | | | |
| including: | | | | |
| | | | | |
| - Visitors are  |                |   |              |                 |
|   authorized    |                |   |              |                 |
|   before        |                |   |              |                 |
|   entering.     |                |   |              |                 |
|                 |                |   |              |                 |
| - Visitors are  |                |   |              |                 |
|   escorted at   |                |   |              |                 |
|   all times.    |                |   |              |                 |
|                 |                |   |              |                 |
| - Visitors are  |                |   |              |                 |
|   clearly       |                |   |              |                 |
|   identified    |                |   |              |                 |
|   and given a   |                |   |              |                 |
|   badge or      |                |   |              |                 |
|   other         |                |   |              |                 |
|   identification|                |   |              |                 |
|   that expires. |                |   |              |                 |
|                 |                |   |              |                 |
| - Visitor       |                |   |              |                 |
|   badges or     |                |   |              |                 |
|   other         |                |   |              |                 |
|   identification|                |   |              |                 |
|   visibly       |                |   |              |                 |
|   distinguishes |                |   |              |                 |
|   visitors from |                |   |              |                 |
|   personnel.    |                |   |              |                 |
+-----------------+----------------+---+--------------+-----------------+
| > **Assessment | | | | |
| > Findings | | | | |
| > (select | | | | |
| > one)** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **In Place**    | **Not          |   | **Not        | **Not in        |
|                 | Applicable**   |   | Tested**     | Place**         |
+-----------------+----------------+---+--------------+-----------------+
| ☐               | ☐              |   | ☐            | ☐               |
+-----------------+----------------+---+--------------+-----------------+
| Describe why    |                |   | \<Enter      |                 |
| the assessment  |                |   | Response     |                 |
| finding was     |                |   | Here\>       |                 |
| selected.       |                |   |              |                 |
|                 |                |   |              |                 |
| ***Note**:      |                |   |              |                 |
| Include all     |                |   |              |                 |
| details as      |                |   |              |                 |
| noted in the    |                |   |              |                 |
| "Required       |                |   |              |                 |
| Reporting"      |                |   |              |                 |
| column of the   |                |   |              |                 |
| table in        |                |   |              |                 |
| [Assessment     |                |   |              |                 |
| F               |                |   |              |                 |
| indings](#asses |                |   |              |                 |
| sment-findings) |                |   |              |                 |
| in the ROC      |                |   |              |                 |
| Template        |                |   |              |                 |
| Instructions.*  |                |   |              |                 |
+-----------------+----------------+---+--------------+-----------------+
| **Validation | | | | |
| Method -- | | | | |
| Customized | | | | |
| Approach** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **Indicate**    |                |   | ☐ Yes ☐ No   |                 |
| whether a | | | | |
| Customized | | | | |
| Approach was | | | | |
| used: | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **If "Yes", | | | \<Enter | |
| Identify** the | | | Response | |
| aspect(s) of | | | Here\> | |
| the requirement | | | | |
| where the | | | | |
| Customized | | | | |
| Approach was | | | | |
| used. | | | | |
| | | | | |
| ***Note:** The | | | | |
| use of | | | | |
| Customized | | | | |
| Approach must | | | | |
| also be | | | | |
| documented in | | | | |
| [Appendix | | | | |
| E | | | | |
| .](#appendix-e- | | | | |
| customized-appr | | | | |
| oach-template)* | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **Validation | | | | |
| Method -- | | | | |
| Defined | | | | |
| Approach** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **Indicate**    |                |   | ☐ Yes ☐ No   |                 |
| whether a | | | | |
| Compensating | | | | |
| Control was | | | | |
| used: | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **If "Yes", | | | \<Enter | |
| Identify** the | | | Response | |
| aspect(s) of | | | Here\> | |
| the requirement | | | | |
| where the | | | | |
| Compensating | | | | |
| Control(s) was | | | | |
| used. | | | | |
| | | | | |
| ***Note:** The | | | | |
| use of | | | | |
| Compensating | | | | |
| Controls must | | | | |
| also be | | | | |
| documented in | | | | |
| [Appendix | | | | |
| C.]( | | | | |
| #appendix-c-com | | | | |
| pensating-contr | | | | |
| ols-worksheet)* | | | | |
+-----------------+----------------+---+--------------+-----------------+
+-----------------+-------------------+--------------------------------+
| > **Testing | > **Reporting | > **Reporting Details: |
| > Procedures** | > Instructions** | > Assessor's Response** |
+=================+===================+================================+
| **9.3.2.a** | **Identify** the | \<Enter Response Here\> |
| Examine | evidence | |
| documented | reference | |
| procedures and | number(s) from | |
| interview | [Section | |
| personnel to | 6 | |
| verify | ](#evidence-asses | |
| procedures are | sment-workpapers) | |
| defined for | for all | |
| authorizing and | **documented | |
| managing | procedures** | |
| visitor access | examined for this | |
| to the CDE in | testing | |
| accordance with | procedure. | |
| all elements | | |
| specified in | | |
| this | | |
| requirement. | | |
+-----------------+-------------------+--------------------------------+
| | **Identify** the | \<Enter Response Here\> |
| | evidence | |
| | reference | |
| | number(s) from | |
| | [Section | |
| | 6 | |
| | ](#evidence-asses | |
| | sment-workpapers) | |
| | for all | |
| | **interview(s)** | |
| | conducted for | |
| | this testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+
| **9.3.2.b** | **Identify** the | \<Enter Response Here\> |
| Observe | evidence | |
| processes when | reference | |
| visitors are | number(s) from | |
| present in the | [Section | |
| CDE and | 6 | |
| interview | ](#evidence-asses | |
| personnel to | sment-workpapers) | |
| verify that | for all | |
| visitors are: | **observation(s) | |
| | of processes when | |
| - Authorized | visitors are | |
| before | present in the | |
| entering | CDE** for this | |
| the CDE. | testing | |
| | procedure. | |
| - Escorted at | | |
| all times | | |
| within the | | |
| CDE. | | |
+-----------------+-------------------+--------------------------------+
| | **Identify** the | \<Enter Response Here\> |
| | evidence | |
| | reference | |
| | number(s) from | |
| | [Section | |
| | 6 | |
| | ](#evidence-asses | |
| | sment-workpapers) | |
| | for all | |
| | **interview(s)** | |
| | conducted for | |
| | this testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+
| **9.3.2.c** | **Identify** the | \<Enter Response Here\> |
| Observe the use | evidence | |
| of visitor | reference | |
| badges or other | number(s) from | |
| identification | [Section | |
| to verify that | 6 | |
| the badge or | ](#evidence-asses | |
| other | sment-workpapers) | |
| identification | for all | |
| does not permit | **observation(s) | |
| unescorted | of the use of | |
| access to the | visitor badges or | |
| CDE. | other | |
| | identification** | |
| | for this testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+
| **9.3.2.d**     | **Identify** the  | \<Enter Response Here\>        |
| Observe         | evidence          |                                |
| visitors in the | reference         |                                |
| CDE to verify   | number(s) from    |                                |
| that:           | [Section          |                                |
|                 | 6                 |                                |
| - Visitor       | ](#evidence-asses |                                |
|   badges or     | sment-workpapers) |                                |
|   other         | for all           |                                |
|   identification| **observation(s)**|                                |
|   are being     | conducted for     |                                |
|   used for all  | this testing      |                                |
|   visitors.     | procedure.        |                                |
|                 |                   |                                |
| - Visitor       |                   |                                |
|   badges or     |                   |                                |
|   identification|                   |                                |
|   easily        |                   |                                |
|   distinguish   |                   |                                |
|   visitors from |                   |                                |
|   personnel.    |                   |                                |
+-----------------+-------------------+--------------------------------+
| **9.3.2.e**     | **Identify** the  | \<Enter Response Here\>        |
| Examine visitor | evidence          |                                |
| badges or other | reference         |                                |
| identification  | number(s) from    |                                |
| and observe     | [Section          |                                |
| evidence in the | 6                 |                                |
| badging system  | ](#evidence-asses |                                |
| to verify       | sment-workpapers) |                                |
| visitor badges  | for all **visitor |                                |
| or other        | badges or other   |                                |
| identification  | identification**  |                                |
| expires.        | examined for this |                                |
|                 | testing           |                                |
|                 | procedure.        |                                |
+-----------------+-------------------+--------------------------------+
|                 | **Identify** the  | \<Enter Response Here\>        |
|                 | evidence          |                                |
|                 | reference         |                                |
|                 | number(s) from    |                                |
|                 | [Section          |                                |
|                 | 6                 |                                |
|                 | ](#evidence-asses |                                |
|                 | sment-workpapers) |                                |
|                 | for all           |                                |
|                 | **observation(s)  |                                |
|                 | of evidence in    |                                |
|                 | the badging       |                                |
|                 | system** for this |                                |
|                 | testing           |                                |
|                 | procedure.        |                                |
+-----------------+-------------------+--------------------------------+
+-----------------+----------------+---+--------------+-----------------+
| > **PCI DSS | | | | |
| > Requirement** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **9.3.3** | | | | |
| Visitor badges | | | | |
| or | | | | |
| identification | | | | |
| are surrendered | | | | |
| or deactivated | | | | |
| before visitors | | | | |
| leave the | | | | |
| facility or at | | | | |
| the date of | | | | |
| expiration. | | | | |
+-----------------+----------------+---+--------------+-----------------+
| > **Assessment | | | | |
| > Findings | | | | |
| > (select | | | | |
| > one)** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **In Place**    | **Not          |   | **Not        | **Not in        |
|                 | Applicable**   |   | Tested**     | Place**         |
+-----------------+----------------+---+--------------+-----------------+
| ☐               | ☐              |   | ☐            | ☐               |
+-----------------+----------------+---+--------------+-----------------+
| Describe why    |                |   | \<Enter      |                 |
| the assessment  |                |   | Response     |                 |
| finding was     |                |   | Here\>       |                 |
| selected.       |                |   |              |                 |
|                 |                |   |              |                 |
| ***Note**:      |                |   |              |                 |
| Include all     |                |   |              |                 |
| details as      |                |   |              |                 |
| noted in the    |                |   |              |                 |
| "Required       |                |   |              |                 |
| Reporting"      |                |   |              |                 |
| column of the   |                |   |              |                 |
| table in        |                |   |              |                 |
| [Assessment     |                |   |              |                 |
| F               |                |   |              |                 |
| indings](#asses |                |   |              |                 |
| sment-findings) |                |   |              |                 |
| in the ROC      |                |   |              |                 |
| Template        |                |   |              |                 |
| Instructions.*  |                |   |              |                 |
+-----------------+----------------+---+--------------+-----------------+
| **Validation | | | | |
| Method -- | | | | |
| Customized | | | | |
| Approach** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **Indicate**    |                |   | ☐ Yes ☐ No   |                 |
| whether a | | | | |
| Customized | | | | |
| Approach was | | | | |
| used: | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **If "Yes", | | | \<Enter | |
| Identify** the | | | Response | |
| aspect(s) of | | | Here\> | |
| the requirement | | | | |
| where the | | | | |
| Customized | | | | |
| Approach was | | | | |
| used. | | | | |
| | | | | |
| ***Note:** The | | | | |
| use of | | | | |
| Customized | | | | |
| Approach must | | | | |
| also be | | | | |
| documented in | | | | |
| [Appendix | | | | |
| E | | | | |
| .](#appendix-e- | | | | |
| customized-appr | | | | |
| oach-template)* | | | | |
+-----------------+----------------+---+--------------+-----------------+
+-----------------+-------------------+--------------------------------+
| **Validation | | |
| Method -- | | |
| Defined | | |
| Approach** | | |
+=================+===================+================================+
| **Indicate**    |                   | ☐ Yes ☐ No                     |
| whether a | | |
| Compensating | | |
| Control was | | |
| used: | | |
+-----------------+-------------------+--------------------------------+
| **If "Yes", | | \<Enter Response Here\> |
| Identify** the | | |
| aspect(s) of | | |
| the requirement | | |
| where the | | |
| Compensating | | |
| Control(s) was | | |
| used. | | |
| | | |
| ***Note:** The | | |
| use of | | |
| Compensating | | |
| Controls must | | |
| also be | | |
| documented in | | |
| [Appendix | | |
| C.]( | | |
| #appendix-c-com | | |
| pensating-contr | | |
| ols-worksheet)* | | |
+-----------------+-------------------+--------------------------------+
| > **Testing | > **Reporting | > **Reporting Details: |
| > Procedures** | > Instructions** | > Assessor's Response** |
+-----------------+-------------------+--------------------------------+
| **9.3.3** | **Identify** the | \<Enter Response Here\> |
| Observe | evidence | |
| visitors | reference | |
| leaving the | number(s) from | |
| facility and | [Section | |
| interview | 6 | |
| personnel to | ](#evidence-asses | |
| verify visitor | sment-workpapers) | |
| badges or other | for all | |
| identification | **observation(s) | |
| are surrendered | of visitors | |
| or deactivated | leaving the | |
| before visitors | facility** for | |
| leave the | this testing | |
| facility or at | procedure. | |
| the date of | | |
| expiration. | | |
+-----------------+-------------------+--------------------------------+
| | **Identify** the | \<Enter Response Here\> |
| | evidence | |
| | reference | |
| | number(s) from | |
| | [Section | |
| | 6 | |
| | ](#evidence-asses | |
| | sment-workpapers) | |
| | for all | |
| | **interview(s)** | |
| | conducted for | |
| | this testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+
+-----------------+----------------+---+--------------+-----------------+
| > **PCI DSS | | | | |
| > Requirement** | | | | |
+=================+================+===+==============+=================+
| **9.3.4** A | | | | |
| visitor log is | | | | |
| used to | | | | |
| maintain a | | | | |
| physical record | | | | |
| of visitor | | | | |
| activity within | | | | |
| the facility | | | | |
| and within | | | | |
| sensitive | | | | |
| areas, | | | | |
| including: | | | | |
| | | | | |
| - The           |                |   |              |                 |
|   visitor's     |                |   |              |                 |
|   name and the  |                |   |              |                 |
|   organization  |                |   |              |                 |
|   represented.  |                |   |              |                 |
|                 |                |   |              |                 |
| - The date and  |                |   |              |                 |
|   time of the   |                |   |              |                 |
|   visit.        |                |   |              |                 |
|                 |                |   |              |                 |
| - The name of   |                |   |              |                 |
|   the personnel |                |   |              |                 |
|   authorizing   |                |   |              |                 |
|   physical      |                |   |              |                 |
|   access.       |                |   |              |                 |
|                 |                |   |              |                 |
| - Retaining the |                |   |              |                 |
|   log for at    |                |   |              |                 |
|   least three   |                |   |              |                 |
|   months,       |                |   |              |                 |
|   unless        |                |   |              |                 |
|   otherwise     |                |   |              |                 |
|   restricted by |                |   |              |                 |
|   law.          |                |   |              |                 |
+-----------------+----------------+---+--------------+-----------------+
| > **Assessment | | | | |
| > Findings | | | | |
| > (select | | | | |
| > one)** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **In Place**    | **Not          |   | **Not        | **Not in        |
|                 | Applicable**   |   | Tested**     | Place**         |
+-----------------+----------------+---+--------------+-----------------+
| ☐               | ☐              |   | ☐            | ☐               |
+-----------------+----------------+---+--------------+-----------------+
| Describe why    |                |   | \<Enter      |                 |
| the assessment  |                |   | Response     |                 |
| finding was     |                |   | Here\>       |                 |
| selected.       |                |   |              |                 |
|                 |                |   |              |                 |
| ***Note**:      |                |   |              |                 |
| Include all     |                |   |              |                 |
| details as      |                |   |              |                 |
| noted in the    |                |   |              |                 |
| "Required       |                |   |              |                 |
| Reporting"      |                |   |              |                 |
| column of the   |                |   |              |                 |
| table in        |                |   |              |                 |
| [Assessment     |                |   |              |                 |
| F               |                |   |              |                 |
| indings](#asses |                |   |              |                 |
| sment-findings) |                |   |              |                 |
| in the ROC      |                |   |              |                 |
| Template        |                |   |              |                 |
| Instructions.*  |                |   |              |                 |
+-----------------+----------------+---+--------------+-----------------+
| **Validation | | | | |
| Method -- | | | | |
| Customized | | | | |
| Approach** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **Indicate**    |                |   | ☐ Yes ☐ No   |                 |
| whether a | | | | |
| Customized | | | | |
| Approach was | | | | |
| used: | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **If "Yes", | | | \<Enter | |
| Identify** the | | | Response | |
| aspect(s) of | | | Here\> | |
| the requirement | | | | |
| where the | | | | |
| Customized | | | | |
| Approach was | | | | |
| used. | | | | |
| | | | | |
| ***Note:** The | | | | |
| use of | | | | |
| Customized | | | | |
| Approach must | | | | |
| also be | | | | |
| documented in | | | | |
| [Appendix | | | | |
| E | | | | |
| .](#appendix-e- | | | | |
| customized-appr | | | | |
| oach-template)* | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **Validation | | | | |
| Method -- | | | | |
| Defined | | | | |
| Approach** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **Indicate**    |                |   | ☐ Yes ☐ No   |                 |
| whether a | | | | |
| Compensating | | | | |
| Control was | | | | |
| used: | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **If "Yes", | | | \<Enter | |
| Identify** the | | | Response | |
| aspect(s) of | | | Here\> | |
| the requirement | | | | |
| where the | | | | |
| Compensating | | | | |
| Control(s) was | | | | |
| used. | | | | |
| | | | | |
| ***Note:** The | | | | |
| use of | | | | |
| Compensating | | | | |
| Controls must | | | | |
| also be | | | | |
| documented in | | | | |
| [Appendix | | | | |
| C.]( | | | | |
| #appendix-c-com | | | | |
| pensating-contr | | | | |
| ols-worksheet)* | | | | |
+-----------------+----------------+---+--------------+-----------------+
+-----------------+-------------------+--------------------------------+
| > **Testing | > **Reporting | > **Reporting Details: |
| > Procedures** | > Instructions** | > Assessor's Response** |
+=================+===================+================================+
| **9.3.4.a** | **Identify** the | \<Enter Response Here\> |
| Examine the | evidence | |
| visitor log and | reference | |
| interview | number(s) from | |
| responsible | [Section | |
| personnel to | 6 | |
| verify that a | ](#evidence-asses | |
| visitor log is | sment-workpapers) | |
| used to record | for all **visitor | |
| physical access | logs** examined | |
| to the facility | for this testing | |
| and sensitive | procedure. | |
| areas. | | |
+-----------------+-------------------+--------------------------------+
| | **Identify** the | \<Enter Response Here\> |
| | evidence | |
| | reference | |
| | number(s) from | |
| | [Section | |
| | 6 | |
| | ](#evidence-asses | |
| | sment-workpapers) | |
| | for all | |
| | **interview(s)** | |
| | conducted for | |
| | this testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+
| **9.3.4.b**     | **Identify** the  | \<Enter Response Here\>        |
| Examine the     | evidence          |                                |
| visitor log and | reference         |                                |
| verify that the | number(s) from    |                                |
| log contains:   | [Section          |                                |
|                 | 6                 |                                |
| - The           | ](#evidence-asses |                                |
|   visitor's     | sment-workpapers) |                                |
|   name and the  | for all **visitor |                                |
|   organization  | logs** examined   |                                |
|   represented.  | for this testing  |                                |
|                 | procedure.        |                                |
| - The personnel |                   |                                |
|   authorizing   |                   |                                |
|   physical      |                   |                                |
|   access.       |                   |                                |
|                 |                   |                                |
| - Date and time |                   |                                |
|   of visit.     |                   |                                |
+-----------------+-------------------+--------------------------------+
| **9.3.4.c** | **Identify** the | \<Enter Response Here\> |
| Examine visitor | evidence | |
| log storage | reference | |
| locations and | number(s) from | |
| interview | [Section | |
| responsible | 6 | |
| personnel to | ](#evidence-asses | |
| verify that the | sment-workpapers) | |
| log is retained | for all **visitor | |
| for at least | log storage | |
| three months, | locations** | |
| unless | examined for this | |
| otherwise | testing | |
| restricted by | procedure. | |
| law. | | |
+-----------------+-------------------+--------------------------------+
| | **Identify** the | \<Enter Response Here\> |
| | evidence | |
| | reference | |
| | number(s) from | |
| | [Section | |
| | 6 | |
| | ](#evidence-asses | |
| | sment-workpapers) | |
| | for all | |
| | **interview(s)** | |
| | conducted for | |
| | this testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+
+-----------------+----------------+---+--------------+-----------------+
| **Requirement | | | | |
| Description** | | | | |
+=================+================+===+==============+=================+
| **9.4** Media | | | | |
| with cardholder | | | | |
| data is | | | | |
| securely | | | | |
| stored, | | | | |
| accessed, | | | | |
| distributed, | | | | |
| and destroyed. | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **PCI DSS | | | | |
| Requirement** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **9.4.1** All | | | | |
| media with | | | | |
| cardholder data | | | | |
| is physically | | | | |
| secured. | | | | |
+-----------------+----------------+---+--------------+-----------------+
| > **Assessment | | | | |
| > Findings | | | | |
| > (select | | | | |
| > one)** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **In Place**    | **Not          |   | **Not        | **Not in        |
|                 | Applicable**   |   | Tested**     | Place**         |
+-----------------+----------------+---+--------------+-----------------+
| ☐               | ☐              |   | ☐            | ☐               |
+-----------------+----------------+---+--------------+-----------------+
| Describe why    |                |   | \<Enter      |                 |
| the assessment  |                |   | Response     |                 |
| finding was     |                |   | Here\>       |                 |
| selected.       |                |   |              |                 |
|                 |                |   |              |                 |
| ***Note**:      |                |   |              |                 |
| Include all     |                |   |              |                 |
| details as      |                |   |              |                 |
| noted in the    |                |   |              |                 |
| "Required       |                |   |              |                 |
| Reporting"      |                |   |              |                 |
| column of the   |                |   |              |                 |
| table in        |                |   |              |                 |
| [Assessment     |                |   |              |                 |
| F               |                |   |              |                 |
| indings](#asses |                |   |              |                 |
| sment-findings) |                |   |              |                 |
| in the ROC      |                |   |              |                 |
| Template        |                |   |              |                 |
| Instructions.*  |                |   |              |                 |
+-----------------+----------------+---+--------------+-----------------+
| **Validation | | | | |
| Method -- | | | | |
| Customized | | | | |
| Approach** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **Indicate**    |                |   | ☐ Yes ☐ No   |                 |
| whether a | | | | |
| Customized | | | | |
| Approach was | | | | |
| used: | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **If "Yes", | | | \<Enter | |
| Identify** the | | | Response | |
| aspect(s) of | | | Here\> | |
| the requirement | | | | |
| where the | | | | |
| Customized | | | | |
| Approach was | | | | |
| used. | | | | |
| | | | | |
| ***Note:** The | | | | |
| use of | | | | |
| Customized | | | | |
| Approach must | | | | |
| also be | | | | |
| documented in | | | | |
| [Appendix | | | | |
| E | | | | |
| .](#appendix-e- | | | | |
| customized-appr | | | | |
| oach-template)* | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **Validation | | | | |
| Method -- | | | | |
| Defined | | | | |
| Approach** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **Indicate**    |                |   | ☐ Yes ☐ No   |                 |
| whether a | | | | |
| Compensating | | | | |
| Control was | | | | |
| used: | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **If "Yes", | | | \<Enter | |
| Identify** the | | | Response | |
| aspect(s) of | | | Here\> | |
| the requirement | | | | |
| where the | | | | |
| Compensating | | | | |
| Control(s) was | | | | |
| used. | | | | |
| | | | | |
| ***Note:** The | | | | |
| use of | | | | |
| Compensating | | | | |
| Controls must | | | | |
| also be | | | | |
| documented in | | | | |
| [Appendix | | | | |
| C.]( | | | | |
| #appendix-c-com | | | | |
| pensating-contr | | | | |
| ols-worksheet)* | | | | |
+-----------------+----------------+---+--------------+-----------------+
+-----------------+-------------------+--------------------------------+
| > **Testing     | > **Reporting     | > **Reporting Details:         |
| > Procedures**  | > Instructions**  | > Assessor's Response**        |
+=================+===================+================================+
| **9.4.1**       | **Identify** the  | \<Enter Response Here\>        |
| Examine         | evidence          |                                |
| documentation   | reference         |                                |
| to verify that  | number(s) from    |                                |
| procedures      | [Section          |                                |
| defined for     | 6                 |                                |
| protecting      | ](#evidence-asses |                                |
| cardholder data | sment-workpapers) |                                |
| include         | for all           |                                |
| controls for    | **documentation** |                                |
| physically      | examined for this |                                |
| securing all    | testing           |                                |
| media.          | procedure.        |                                |
+-----------------+-------------------+--------------------------------+
+-----------------+----------------+---+--------------+-----------------+
| > **PCI DSS | | | | |
| > Requirement** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **9.4.1.1** | | | | |
| Offline media | | | | |
| backups with | | | | |
| cardholder data | | | | |
| are stored in a | | | | |
| secure | | | | |
| location. | | | | |
+-----------------+----------------+---+--------------+-----------------+
| > **Assessment | | | | |
| > Findings | | | | |
| > (select | | | | |
| > one)** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **In Place**    | **Not          |   | **Not        | **Not in        |
|                 | Applicable**   |   | Tested**     | Place**         |
+-----------------+----------------+---+--------------+-----------------+
| ☐               | ☐              |   | ☐            | ☐               |
+-----------------+----------------+---+--------------+-----------------+
| Describe why    |                |   | \<Enter      |                 |
| the assessment  |                |   | Response     |                 |
| finding was     |                |   | Here\>       |                 |
| selected.       |                |   |              |                 |
|                 |                |   |              |                 |
| ***Note**:      |                |   |              |                 |
| Include all     |                |   |              |                 |
| details as      |                |   |              |                 |
| noted in the    |                |   |              |                 |
| "Required       |                |   |              |                 |
| Reporting"      |                |   |              |                 |
| column of the   |                |   |              |                 |
| table in        |                |   |              |                 |
| [Assessment     |                |   |              |                 |
| F               |                |   |              |                 |
| indings](#asses |                |   |              |                 |
| sment-findings) |                |   |              |                 |
| in the ROC      |                |   |              |                 |
| Template        |                |   |              |                 |
| Instructions.*  |                |   |              |                 |
+-----------------+----------------+---+--------------+-----------------+
| **Validation | | | | |
| Method -- | | | | |
| Customized | | | | |
| Approach** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **Indicate**    |                |   | ☐ Yes ☐ No   |                 |
| whether a | | | | |
| Customized | | | | |
| Approach was | | | | |
| used: | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **If "Yes", | | | \<Enter | |
| Identify** the | | | Response | |
| aspect(s) of | | | Here\> | |
| the requirement | | | | |
| where the | | | | |
| Customized | | | | |
| Approach was | | | | |
| used. | | | | |
| | | | | |
| ***Note:** The | | | | |
| use of | | | | |
| Customized | | | | |
| Approach must | | | | |
| also be | | | | |
| documented in | | | | |
| [Appendix | | | | |
| E | | | | |
| .](#appendix-e- | | | | |
| customized-appr | | | | |
| oach-template)* | | | | |
+-----------------+----------------+---+--------------+-----------------+
+-----------------+-------------------+--------------------------------+
| **Validation | | |
| Method -- | | |
| Defined | | |
| Approach** | | |
+=================+===================+================================+
| **Indicate**    |                   | ☐ Yes ☐ No                     |
| whether a | | |
| Compensating | | |
| Control was | | |
| used: | | |
+-----------------+-------------------+--------------------------------+
| **If "Yes", | | \<Enter Response Here\> |
| Identify** the | | |
| aspect(s) of | | |
| the requirement | | |
| where the | | |
| Compensating | | |
| Control(s) was | | |
| used. | | |
| | | |
| ***Note:** The | | |
| use of | | |
| Compensating | | |
| Controls must | | |
| also be | | |
| documented in | | |
| [Appendix | | |
| C.]( | | |
| #appendix-c-com | | |
| pensating-contr | | |
| ols-worksheet)* | | |
+-----------------+-------------------+--------------------------------+
| > **Testing | > **Reporting | > **Reporting Details: |
| > Procedures** | > Instructions** | > Assessor's Response** |
+-----------------+-------------------+--------------------------------+
| **9.4.1.1.a** | **Identify** the | \<Enter Response Here\> |
| Examine | evidence | |
| documentation | reference | |
| to verify that | number(s) from | |
| procedures are | [Section | |
| defined for | 6 | |
| physically | ](#evidence-asses | |
| securing | sment-workpapers) | |
| offline media | for all | |
| backups with | **documentation** | |
| cardholder data | examined for this | |
| in a secure | testing | |
| location. | procedure. | |
+-----------------+-------------------+--------------------------------+
| **9.4.1.1.b** | **Identify** the | \<Enter Response Here\> |
| Examine logs or | evidence | |
| other | reference | |
| documentation | number(s) from | |
| and interview | [Section | |
| responsible | 6 | |
| personnel at | ](#evidence-asses | |
| the storage | sment-workpapers) | |
| location to | for all **logs or | |
| verify that | other | |
| offline media | documentation** | |
| backups are | examined for this | |
| stored in a | testing | |
| secure | procedure. | |
| location. | | |
+-----------------+-------------------+--------------------------------+
| | **Identify** the | \<Enter Response Here\> |
| | evidence | |
| | reference | |
| | number(s) from | |
| | [Section | |
| | 6 | |
| | ](#evidence-asses | |
| | sment-workpapers) | |
| | for all | |
| | **interview(s)** | |
| | conducted for | |
| | this testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| **PCI DSS Requirement**                                      |                                                |                              |
+==============================================================+================================================+==============================+
| **9.4.1.2** The security of the offline media backup         |                                                |                              |
| location(s) with cardholder data is reviewed at least once   |                                                |                              |
| every 12 months.                                             |                                                |                              |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| **Assessment Findings (select one)**                         |                                                |                              |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| ☐ **In Place**   ☐ **Not Applicable**                        |                                                |                              |
| ☐ **Not Tested**   ☐ **Not in Place**                        |                                                |                              |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| Describe why the assessment finding was selected.            |                                                | \<Enter Response Here\>      |
|                                                              |                                                |                              |
| ***Note**: Include all details as noted in the "Required     |                                                |                              |
| Reporting" column of the table in [Assessment                |                                                |                              |
| Findings](#assessment-findings) in the ROC Template          |                                                |                              |
| Instructions.*                                               |                                                |                              |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| **Validation Method -- Customized Approach**                 |                                                |                              |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| **Indicate** whether a Customized Approach was used:         |                                                | ☐ Yes ☐ No                   |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      |                                                | \<Enter Response Here\>      |
| where the Customized Approach was used.                      |                                                |                              |
|                                                              |                                                |                              |
| ***Note:** The use of Customized Approach must also be       |                                                |                              |
| documented in                                                |                                                |                              |
| [Appendix E.](#appendix-e-customized-approach-template)*     |                                                |                              |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| **Validation Method -- Defined Approach**                    |                                                |                              |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| **Indicate** whether a Compensating Control was used:        |                                                | ☐ Yes ☐ No                   |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      |                                                | \<Enter Response Here\>      |
| where the Compensating Control(s) was used.                  |                                                |                              |
|                                                              |                                                |                              |
| ***Note:** The use of Compensating Controls must also be     |                                                |                              |
| documented in                                                |                                                |                              |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*  |                                                |                              |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| **Testing Procedures**                                       | **Reporting Instructions**                     | **Reporting Details:         |
|                                                              |                                                | Assessor's Response**        |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| **9.4.1.2.a** Examine documentation to verify that           | **Identify** the evidence reference            | \<Enter Response Here\>      |
| procedures are defined for reviewing the security of the     | number(s) from                                 |                              |
| offline media backup location(s) with cardholder data at     | [Section 6](#evidence-assessment-workpapers)   |                              |
| least once every 12 months.                                  | for all **documentation** examined for this    |                              |
|                                                              | testing procedure.                             |                              |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| **9.4.1.2.b** Examine documented procedures, logs, or other  | **Identify** the evidence reference            | \<Enter Response Here\>      |
| documentation, and interview responsible personnel at the    | number(s) from                                 |                              |
| storage location(s) to verify that the storage location's    | [Section 6](#evidence-assessment-workpapers)   |                              |
| security is reviewed at least once every 12 months.          | for all **documented procedures, logs, or      |                              |
|                                                              | other documentation** examined for this        |                              |
|                                                              | testing procedure.                             |                              |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
|                                                              | **Identify** the evidence reference            | \<Enter Response Here\>      |
|                                                              | number(s) from                                 |                              |
|                                                              | [Section 6](#evidence-assessment-workpapers)   |                              |
|                                                              | for all **interview(s)** conducted for         |                              |
|                                                              | this testing procedure.                        |                              |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| **PCI DSS Requirement**                                      |                                                |                              |
+==============================================================+================================================+==============================+
| **9.4.2** All media with cardholder data is classified in    |                                                |                              |
| accordance with the sensitivity of the data.                 |                                                |                              |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| **Assessment Findings (select one)**                         |                                                |                              |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| ☐ **In Place**   ☐ **Not Applicable**                        |                                                |                              |
| ☐ **Not Tested**   ☐ **Not in Place**                        |                                                |                              |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| Describe why the assessment finding was selected.            |                                                | \<Enter Response Here\>      |
|                                                              |                                                |                              |
| ***Note**: Include all details as noted in the "Required     |                                                |                              |
| Reporting" column of the table in [Assessment                |                                                |                              |
| Findings](#assessment-findings) in the ROC Template          |                                                |                              |
| Instructions.*                                               |                                                |                              |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| **Validation Method -- Customized Approach**                 |                                                |                              |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| **Indicate** whether a Customized Approach was used:         |                                                | ☐ Yes ☐ No                   |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      |                                                | \<Enter Response Here\>      |
| where the Customized Approach was used.                      |                                                |                              |
|                                                              |                                                |                              |
| ***Note:** The use of Customized Approach must also be       |                                                |                              |
| documented in                                                |                                                |                              |
| [Appendix E.](#appendix-e-customized-approach-template)*     |                                                |                              |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| **Validation Method -- Defined Approach**                    |                                                |                              |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| **Indicate** whether a Compensating Control was used:        |                                                | ☐ Yes ☐ No                   |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      |                                                | \<Enter Response Here\>      |
| where the Compensating Control(s) was used.                  |                                                |                              |
|                                                              |                                                |                              |
| ***Note:** The use of Compensating Controls must also be     |                                                |                              |
| documented in                                                |                                                |                              |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*  |                                                |                              |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| **Testing Procedures**                                       | **Reporting Instructions**                     | **Reporting Details:         |
|                                                              |                                                | Assessor's Response**        |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| **9.4.2.a** Examine documentation to verify that procedures  | **Identify** the evidence reference            | \<Enter Response Here\>      |
| are defined for classifying media with cardholder data in    | number(s) from                                 |                              |
| accordance with the sensitivity of the data.                 | [Section 6](#evidence-assessment-workpapers)   |                              |
|                                                              | for all **documentation** examined for this    |                              |
|                                                              | testing procedure.                             |                              |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| **9.4.2.b** Examine media logs or other documentation to     | **Identify** the evidence reference            | \<Enter Response Here\>      |
| verify that all media is classified in accordance with the   | number(s) from                                 |                              |
| sensitivity of the data.                                     | [Section 6](#evidence-assessment-workpapers)   |                              |
|                                                              | for all **media logs or other documentation**  |                              |
|                                                              | examined for this testing procedure.           |                              |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| **PCI DSS Requirement**                                      |                                                |                              |
+==============================================================+================================================+==============================+
| **9.4.3** Media with cardholder data sent outside the        |                                                |                              |
| facility is secured as follows:                              |                                                |                              |
|                                                              |                                                |                              |
| - Media sent outside the facility is logged.                 |                                                |                              |
|                                                              |                                                |                              |
| - Media is sent by secured courier or other delivery method  |                                                |                              |
|   that can be accurately tracked.                            |                                                |                              |
|                                                              |                                                |                              |
| - Offsite tracking logs include details about media          |                                                |                              |
|   location.                                                  |                                                |                              |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| **Assessment Findings (select one)**                         |                                                |                              |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| ☐ **In Place**   ☐ **Not Applicable**                        |                                                |                              |
| ☐ **Not Tested**   ☐ **Not in Place**                        |                                                |                              |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| Describe why the assessment finding was selected.            |                                                | \<Enter Response Here\>      |
|                                                              |                                                |                              |
| ***Note**: Include all details as noted in the "Required     |                                                |                              |
| Reporting" column of the table in [Assessment                |                                                |                              |
| Findings](#assessment-findings) in the ROC Template          |                                                |                              |
| Instructions.*                                               |                                                |                              |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| **Validation Method -- Customized Approach**                 |                                                |                              |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| **Indicate** whether a Customized Approach was used:         |                                                | ☐ Yes ☐ No                   |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      |                                                | \<Enter Response Here\>      |
| where the Customized Approach was used.                      |                                                |                              |
|                                                              |                                                |                              |
| ***Note:** The use of Customized Approach must also be       |                                                |                              |
| documented in                                                |                                                |                              |
| [Appendix E.](#appendix-e-customized-approach-template)*     |                                                |                              |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| **Validation Method -- Defined Approach**                    |                                                |                              |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| **Indicate** whether a Compensating Control was used:        |                                                | ☐ Yes ☐ No                   |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      |                                                | \<Enter Response Here\>      |
| where the Compensating Control(s) was used.                  |                                                |                              |
|                                                              |                                                |                              |
| ***Note:** The use of Compensating Controls must also be     |                                                |                              |
| documented in                                                |                                                |                              |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*  |                                                |                              |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| **Testing Procedures**                                       | **Reporting Instructions**                     | **Reporting Details:         |
|                                                              |                                                | Assessor's Response**        |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| **9.4.3.a** Examine documentation to verify that procedures  | **Identify** the evidence reference            | \<Enter Response Here\>      |
| are defined for securing media sent outside the facility in  | number(s) from                                 |                              |
| accordance with all elements specified in this requirement.  | [Section 6](#evidence-assessment-workpapers)   |                              |
|                                                              | for all **documentation** examined for this    |                              |
|                                                              | testing procedure.                             |                              |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| **9.4.3.b** Interview personnel and examine records to       | **Identify** the evidence reference            | \<Enter Response Here\>      |
| verify that all media sent outside the facility is logged    | number(s) from                                 |                              |
| and sent via secured courier or other delivery method that   | [Section 6](#evidence-assessment-workpapers)   |                              |
| can be tracked.                                              | for all **interview(s)** conducted for         |                              |
|                                                              | this testing procedure.                        |                              |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
|                                                              | **Identify** the evidence reference            | \<Enter Response Here\>      |
|                                                              | number(s) from                                 |                              |
|                                                              | [Section 6](#evidence-assessment-workpapers)   |                              |
|                                                              | for all **records examined** for this          |                              |
|                                                              | testing procedure.                             |                              |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| **9.4.3.c** Examine offsite tracking logs for all media to   | **Identify** the evidence reference            | \<Enter Response Here\>      |
| verify tracking details are documented.                      | number(s) from                                 |                              |
|                                                              | [Section 6](#evidence-assessment-workpapers)   |                              |
|                                                              | for all **offsite tracking logs**              |                              |
|                                                              | examined for this testing procedure.           |                              |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| **PCI DSS Requirement**                                      |                                                |                              |
+==============================================================+================================================+==============================+
| **9.4.4** Management approves all media with cardholder data |                                                |                              |
| that is moved outside the facility (including when media is  |                                                |                              |
| distributed to individuals).                                 |                                                |                              |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| **Assessment Findings (select one)**                         |                                                |                              |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| ☐ **In Place**   ☐ **Not Applicable**                        |                                                |                              |
| ☐ **Not Tested**   ☐ **Not in Place**                        |                                                |                              |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| Describe why the assessment finding was selected.            |                                                | \<Enter Response Here\>      |
|                                                              |                                                |                              |
| ***Note**: Include all details as noted in the "Required     |                                                |                              |
| Reporting" column of the table in [Assessment                |                                                |                              |
| Findings](#assessment-findings) in the ROC Template          |                                                |                              |
| Instructions.*                                               |                                                |                              |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| **Validation Method -- Customized Approach**                 |                                                |                              |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| **Indicate** whether a Customized Approach was used:         |                                                | ☐ Yes ☐ No                   |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      |                                                | \<Enter Response Here\>      |
| where the Customized Approach was used.                      |                                                |                              |
|                                                              |                                                |                              |
| ***Note:** The use of Customized Approach must also be       |                                                |                              |
| documented in                                                |                                                |                              |
| [Appendix E.](#appendix-e-customized-approach-template)*     |                                                |                              |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| **Validation Method -- Defined Approach**                    |                                                |                              |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| **Indicate** whether a Compensating Control was used:        |                                                | ☐ Yes ☐ No                   |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      |                                                | \<Enter Response Here\>      |
| where the Compensating Control(s) was used.                  |                                                |                              |
|                                                              |                                                |                              |
| ***Note:** The use of Compensating Controls must also be     |                                                |                              |
| documented in                                                |                                                |                              |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*  |                                                |                              |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| **Testing Procedures**                                       | **Reporting Instructions**                     | **Reporting Details:         |
|                                                              |                                                | Assessor's Response**        |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| **9.4.4.a** Examine documentation to verify that procedures  | **Identify** the evidence reference            | \<Enter Response Here\>      |
| are defined to ensure that media moved outside the facility  | number(s) from                                 |                              |
| is approved by management.                                   | [Section 6](#evidence-assessment-workpapers)   |                              |
|                                                              | for all **documentation** examined for this    |                              |
|                                                              | testing procedure.                             |                              |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| **9.4.4.b** Examine offsite media tracking logs and          | **Identify** the evidence reference            | \<Enter Response Here\>      |
| interview responsible personnel to verify that proper        | number(s) from                                 |                              |
| management authorization is obtained for all media moved     | [Section 6](#evidence-assessment-workpapers)   |                              |
| outside the facility (including media distributed to         | for all **offsite media tracking logs**        |                              |
| individuals).                                                | examined for this testing procedure.           |                              |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
|                                                              | **Identify** the evidence reference            | \<Enter Response Here\>      |
|                                                              | number(s) from                                 |                              |
|                                                              | [Section 6](#evidence-assessment-workpapers)   |                              |
|                                                              | for all **interview(s)** conducted for         |                              |
|                                                              | this testing procedure.                        |                              |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| **PCI DSS Requirement**                                      |                                                |                              |
+==============================================================+================================================+==============================+
| **9.4.5** Inventory logs of all electronic media with        |                                                |                              |
| cardholder data are maintained.                              |                                                |                              |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| **Assessment Findings (select one)**                         |                                                |                              |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| ☐ **In Place**   ☐ **Not Applicable**                        |                                                |                              |
| ☐ **Not Tested**   ☐ **Not in Place**                        |                                                |                              |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| Describe why the assessment finding was selected.            |                                                | \<Enter Response Here\>      |
|                                                              |                                                |                              |
| ***Note**: Include all details as noted in the "Required     |                                                |                              |
| Reporting" column of the table in [Assessment                |                                                |                              |
| Findings](#assessment-findings) in the ROC Template          |                                                |                              |
| Instructions.*                                               |                                                |                              |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| **Validation Method -- Customized Approach**                 |                                                |                              |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| **Indicate** whether a Customized Approach was used:         |                                                | ☐ Yes ☐ No                   |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      |                                                | \<Enter Response Here\>      |
| where the Customized Approach was used.                      |                                                |                              |
|                                                              |                                                |                              |
| ***Note:** The use of Customized Approach must also be       |                                                |                              |
| documented in                                                |                                                |                              |
| [Appendix E.](#appendix-e-customized-approach-template)*     |                                                |                              |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| **Validation Method -- Defined Approach**                    |                                                |                              |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| **Indicate** whether a Compensating Control was used:        |                                                | ☐ Yes ☐ No                   |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      |                                                | \<Enter Response Here\>      |
| where the Compensating Control(s) was used.                  |                                                |                              |
|                                                              |                                                |                              |
| ***Note:** The use of Compensating Controls must also be     |                                                |                              |
| documented in                                                |                                                |                              |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*  |                                                |                              |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| **Testing Procedures**                                       | **Reporting Instructions**                     | **Reporting Details:         |
|                                                              |                                                | Assessor's Response**        |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| **9.4.5.a** Examine documentation to verify that procedures  | **Identify** the evidence reference            | \<Enter Response Here\>      |
| are defined to maintain electronic media inventory logs.     | number(s) from                                 |                              |
|                                                              | [Section 6](#evidence-assessment-workpapers)   |                              |
|                                                              | for all **documentation** examined for this    |                              |
|                                                              | testing procedure.                             |                              |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| **9.4.5.b** Examine electronic media inventory logs and      | **Identify** the evidence reference            | \<Enter Response Here\>      |
| interview responsible personnel to verify that logs are      | number(s) from                                 |                              |
| maintained.                                                  | [Section 6](#evidence-assessment-workpapers)   |                              |
|                                                              | for all **electronic media inventory logs**    |                              |
|                                                              | examined for this testing procedure.           |                              |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
|                                                              | **Identify** the evidence reference            | \<Enter Response Here\>      |
|                                                              | number(s) from                                 |                              |
|                                                              | [Section 6](#evidence-assessment-workpapers)   |                              |
|                                                              | for all **interview(s)** conducted for         |                              |
|                                                              | this testing procedure.                        |                              |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| **PCI DSS Requirement**                                      |                                                |                              |
+==============================================================+================================================+==============================+
| **9.4.5.1** Inventories of electronic media with cardholder  |                                                |                              |
| data are conducted at least once every 12 months.            |                                                |                              |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| **Assessment Findings (select one)**                         |                                                |                              |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| ☐ **In Place**   ☐ **Not Applicable**                        |                                                |                              |
| ☐ **Not Tested**   ☐ **Not in Place**                        |                                                |                              |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| Describe why the assessment finding was selected.            |                                                | \<Enter Response Here\>      |
|                                                              |                                                |                              |
| ***Note**: Include all details as noted in the "Required     |                                                |                              |
| Reporting" column of the table in [Assessment                |                                                |                              |
| Findings](#assessment-findings) in the ROC Template          |                                                |                              |
| Instructions.*                                               |                                                |                              |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| **Validation Method -- Customized Approach**                 |                                                |                              |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| **Indicate** whether a Customized Approach was used:         |                                                | ☐ Yes ☐ No                   |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      |                                                | \<Enter Response Here\>      |
| where the Customized Approach was used.                      |                                                |                              |
|                                                              |                                                |                              |
| ***Note:** The use of Customized Approach must also be       |                                                |                              |
| documented in                                                |                                                |                              |
| [Appendix E.](#appendix-e-customized-approach-template)*     |                                                |                              |
+--------------------------------------------------------------+------------------------------------------------+------------------------------+
+-----------------+-------------------+--------------------------------+
| **Validation | | |
| Method -- | | |
| Defined | | |
| Approach** | | |
+=================+===================+================================+
| **Indicate**    |                   | ☐ Yes ☐ No                     |
| whether a | | |
| Compensating | | |
| Control was | | |
| used: | | |
+-----------------+-------------------+--------------------------------+
| **If "Yes", | | \<Enter Response Here\> |
| Identify** the | | |
| aspect(s) of | | |
| the requirement | | |
| where the | | |
| Compensating | | |
| Control(s) was | | |
| used. | | |
| | | |
| ***Note:** The | | |
| use of | | |
| Compensating | | |
| Controls must | | |
| also be | | |
| documented in | | |
| [Appendix | | |
| C.]( | | |
| #appendix-c-com | | |
| pensating-contr | | |
| ols-worksheet)* | | |
+-----------------+-------------------+--------------------------------+
| > **Testing | > **Reporting | > **Reporting Details: |
| > Procedures** | > Instructions** | > Assessor's Response** |
+-----------------+-------------------+--------------------------------+
| **9.4.5.1.a** | **Identify** the | \<Enter Response Here\> |
| Examine | evidence | |
| documentation | reference | |
| to verify that | number(s) from | |
| procedures are | [Section | |
| defined to | 6 | |
| conduct | ](#evidence-asses | |
| inventories of | sment-workpapers) | |
| electronic | for all | |
| media with | **documentation** | |
| cardholder data | examined for this | |
| at least once | testing | |
| every 12 | procedure. | |
| months. | | |
+-----------------+-------------------+--------------------------------+
| **9.4.5.1.b** | **Identify** the | \<Enter Response Here\> |
| Examine | evidence | |
| electronic | reference | |
| media inventory | number(s) from | |
| logs and | [Section | |
| interview | 6 | |
| personnel to | ](#evidence-asses | |
| verify that | sment-workpapers) | |
| electronic | for all | |
| media | **electronic | |
| inventories are | media inventory | |
| performed at | logs** examined | |
| least once | for this testing | |
| every 12 | procedure. | |
| months. | | |
+-----------------+-------------------+--------------------------------+
| | **Identify** the | \<Enter Response Here\> |
| | evidence | |
| | reference | |
| | number(s) from | |
| | [Section | |
| | 6 | |
| | ](#evidence-asses | |
| | sment-workpapers) | |
| | for all | |
| | **interview(s)** | |
| | conducted for | |
| | this testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+
+-----------------------------------------------------------------------+
| **PCI DSS Requirement**                                               |
+=======================================================================+
| **9.4.6** Hard-copy materials with cardholder data are destroyed when |
| no longer needed for business or legal reasons, as follows:           |
|                                                                       |
| - Materials are cross-cut shredded, incinerated, or pulped so that    |
|   cardholder data cannot be reconstructed.                            |
|                                                                       |
| - Materials are stored in secure storage containers prior to          |
|   destruction.                                                        |
+-----------------------------------------------------------------------+

+--------------------+--------------------+--------------------+--------------------+
| **Assessment       |                    |                    |                    |
| Findings (select   |                    |                    |                    |
| one)**             |                    |                    |                    |
+--------------------+--------------------+--------------------+--------------------+
| **In Place**       | **Not Applicable** | **Not Tested**     | **Not in Place**   |
+--------------------+--------------------+--------------------+--------------------+
| ☐                  | ☐                  | ☐                  | ☐                  |
+--------------------+--------------------+--------------------+--------------------+

+--------------------------------------------------------------+------------------------------+
| Describe why the assessment finding was selected.            | \<Enter Response Here\>      |
|                                                              |                              |
| ***Note**: Include all details as noted in the "Required     |                              |
| Reporting" column of the table in [Assessment                |                              |
| Findings](#assessment-findings) in the ROC Template          |                              |
| Instructions.*                                               |                              |
+--------------------------------------------------------------+------------------------------+
| **Validation Method -- Customized Approach**                 |                              |
+--------------------------------------------------------------+------------------------------+
| **Indicate** whether a Customized Approach was used:         | ☐ Yes ☐ No                   |
+--------------------------------------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>      |
| where the Customized Approach was used.                      |                              |
|                                                              |                              |
| ***Note:** The use of Customized Approach must also be       |                              |
| documented in                                                |                              |
| [Appendix E.](#appendix-e-customized-approach-template)*     |                              |
+--------------------------------------------------------------+------------------------------+
| **Validation Method -- Defined Approach**                    |                              |
+--------------------------------------------------------------+------------------------------+
| **Indicate** whether a Compensating Control was used:        | ☐ Yes ☐ No                   |
+--------------------------------------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>      |
| where the Compensating Control(s) was used.                  |                              |
|                                                              |                              |
| ***Note:** The use of Compensating Controls must also be     |                              |
| documented in                                                |                              |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*  |                              |
+--------------------------------------------------------------+------------------------------+

+--------------------------------------------+----------------------------------------------------+--------------------------+
| **Testing Procedures**                     | **Reporting Instructions**                         | **Reporting Details:     |
|                                            |                                                    | Assessor's Response**    |
+============================================+====================================================+==========================+
| **9.4.6.a** Examine the periodic media     | **Identify** the evidence reference number(s) from | \<Enter Response Here\>  |
| destruction policy to verify that          | [Section 6](#evidence-assessment-workpapers) for   |                          |
| procedures are defined to destroy          | the **periodic media destruction policy examined** |                          |
| hard-copy media with cardholder data when  | for this testing procedure.                        |                          |
| no longer needed for business or legal     |                                                    |                          |
| reasons in accordance with all elements    |                                                    |                          |
| specified in this requirement.             |                                                    |                          |
+--------------------------------------------+----------------------------------------------------+--------------------------+
| **9.4.6.b** Observe processes and          | **Identify** the evidence reference number(s) from | \<Enter Response Here\>  |
| interview personnel to verify that         | [Section 6](#evidence-assessment-workpapers) for   |                          |
| hard-copy materials are cross-cut          | all **observation(s) of processes** for this       |                          |
| shredded, incinerated, or pulped such that | testing procedure.                                 |                          |
| cardholder data cannot be reconstructed.   |                                                    |                          |
+--------------------------------------------+----------------------------------------------------+--------------------------+
|                                            | **Identify** the evidence reference number(s) from | \<Enter Response Here\>  |
|                                            | [Section 6](#evidence-assessment-workpapers) for   |                          |
|                                            | all **interview(s)** conducted for this testing    |                          |
|                                            | procedure.                                         |                          |
+--------------------------------------------+----------------------------------------------------+--------------------------+
| **9.4.6.c** Observe storage containers     | **Identify** the evidence reference number(s) from | \<Enter Response Here\>  |
| used for materials that contain            | [Section 6](#evidence-assessment-workpapers) for   |                          |
| information to be destroyed to verify that | all **observation(s) of the storage containers     |                          |
| the containers are secure.                 | used for materials that contain information to be  |                          |
|                                            | destroyed** for this testing procedure.            |                          |
+--------------------------------------------+----------------------------------------------------+--------------------------+

+-----------------------------------------------------------------------+
| **PCI DSS Requirement**                                               |
+=======================================================================+
| **9.4.7** Electronic media with cardholder data is destroyed when no  |
| longer needed for business or legal reasons via one of the following: |
|                                                                       |
| - The electronic media is destroyed.                                  |
|                                                                       |
| - The cardholder data is rendered unrecoverable so that it cannot be  |
|   reconstructed.                                                      |
+-----------------------------------------------------------------------+

+--------------------+--------------------+--------------------+--------------------+
| **Assessment       |                    |                    |                    |
| Findings (select   |                    |                    |                    |
| one)**             |                    |                    |                    |
+--------------------+--------------------+--------------------+--------------------+
| **In Place**       | **Not Applicable** | **Not Tested**     | **Not in Place**   |
+--------------------+--------------------+--------------------+--------------------+
| ☐                  | ☐                  | ☐                  | ☐                  |
+--------------------+--------------------+--------------------+--------------------+

+--------------------------------------------------------------+------------------------------+
| Describe why the assessment finding was selected.            | \<Enter Response Here\>      |
|                                                              |                              |
| ***Note**: Include all details as noted in the "Required     |                              |
| Reporting" column of the table in [Assessment                |                              |
| Findings](#assessment-findings) in the ROC Template          |                              |
| Instructions.*                                               |                              |
+--------------------------------------------------------------+------------------------------+
| **Validation Method -- Customized Approach**                 |                              |
+--------------------------------------------------------------+------------------------------+
| **Indicate** whether a Customized Approach was used:         | ☐ Yes ☐ No                   |
+--------------------------------------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>      |
| where the Customized Approach was used.                      |                              |
|                                                              |                              |
| ***Note:** The use of Customized Approach must also be       |                              |
| documented in                                                |                              |
| [Appendix E.](#appendix-e-customized-approach-template)*     |                              |
+--------------------------------------------------------------+------------------------------+
| **Validation Method -- Defined Approach**                    |                              |
+--------------------------------------------------------------+------------------------------+
| **Indicate** whether a Compensating Control was used:        | ☐ Yes ☐ No                   |
+--------------------------------------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>      |
| where the Compensating Control(s) was used.                  |                              |
|                                                              |                              |
| ***Note:** The use of Compensating Controls must also be     |                              |
| documented in                                                |                              |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*  |                              |
+--------------------------------------------------------------+------------------------------+

+--------------------------------------------+----------------------------------------------------+--------------------------+
| **Testing Procedures**                     | **Reporting Instructions**                         | **Reporting Details:     |
|                                            |                                                    | Assessor's Response**    |
+============================================+====================================================+==========================+
| **9.4.7.a** Examine the periodic media     | **Identify** the evidence reference number(s) from | \<Enter Response Here\>  |
| destruction policy to verify that          | [Section 6](#evidence-assessment-workpapers) for   |                          |
| procedures are defined to destroy          | the **periodic media destruction policy examined** |                          |
| electronic media when no longer needed for | for this testing procedure.                        |                          |
| business or legal reasons in accordance    |                                                    |                          |
| with all elements specified in this        |                                                    |                          |
| requirement.                               |                                                    |                          |
+--------------------------------------------+----------------------------------------------------+--------------------------+
| **9.4.7.b** Observe the media destruction  | **Identify** the evidence reference number(s) from | \<Enter Response Here\>  |
| process and interview responsible          | [Section 6](#evidence-assessment-workpapers) for   |                          |
| personnel to verify that electronic media  | all **observation(s) of the media destruction      |                          |
| with cardholder data is destroyed via one  | process** for this testing procedure.              |                          |
| of the methods specified in this           |                                                    |                          |
| requirement.                               |                                                    |                          |
+--------------------------------------------+----------------------------------------------------+--------------------------+
|                                            | **Identify** the evidence reference number(s) from | \<Enter Response Here\>  |
|                                            | [Section 6](#evidence-assessment-workpapers) for   |                          |
|                                            | all **interview(s)** conducted for this testing    |                          |
|                                            | procedure.                                         |                          |
+--------------------------------------------+----------------------------------------------------+--------------------------+

+-----------------------------------------------------------------------+
| **Requirement Description**                                           |
+=======================================================================+
| **9.5** Point-of-interaction (POI) devices are protected from         |
| tampering and unauthorized substitution.                              |
+-----------------------------------------------------------------------+
| **PCI DSS Requirement**                                               |
+-----------------------------------------------------------------------+
| **9.5.1** POI devices that capture payment card data via direct       |
| physical interaction with the payment card form factor are protected  |
| from tampering and unauthorized substitution, including the           |
| following:                                                            |
|                                                                       |
| - Maintaining a list of POI devices.                                  |
|                                                                       |
| - Periodically inspecting POI devices to look for tampering or        |
|   unauthorized substitution.                                          |
|                                                                       |
| - Training personnel to be aware of suspicious behavior and to        |
|   report tampering or unauthorized substitution of devices.           |
+-----------------------------------------------------------------------+

+--------------------+--------------------+--------------------+--------------------+
| **Assessment       |                    |                    |                    |
| Findings (select   |                    |                    |                    |
| one)**             |                    |                    |                    |
+--------------------+--------------------+--------------------+--------------------+
| **In Place**       | **Not Applicable** | **Not Tested**     | **Not in Place**   |
+--------------------+--------------------+--------------------+--------------------+
| ☐                  | ☐                  | ☐                  | ☐                  |
+--------------------+--------------------+--------------------+--------------------+

+--------------------------------------------------------------+------------------------------+
| Describe why the assessment finding was selected.            | \<Enter Response Here\>      |
|                                                              |                              |
| ***Note**: Include all details as noted in the "Required     |                              |
| Reporting" column of the table in [Assessment                |                              |
| Findings](#assessment-findings) in the ROC Template          |                              |
| Instructions.*                                               |                              |
+--------------------------------------------------------------+------------------------------+
| **Validation Method -- Customized Approach**                 |                              |
+--------------------------------------------------------------+------------------------------+
| **Indicate** whether a Customized Approach was used:         | ☐ Yes ☐ No                   |
+--------------------------------------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>      |
| where the Customized Approach was used.                      |                              |
|                                                              |                              |
| ***Note:** The use of Customized Approach must also be       |                              |
| documented in                                                |                              |
| [Appendix E.](#appendix-e-customized-approach-template)*     |                              |
+--------------------------------------------------------------+------------------------------+
| **Validation Method -- Defined Approach**                    |                              |
+--------------------------------------------------------------+------------------------------+
| **Indicate** whether a Compensating Control was used:        | ☐ Yes ☐ No                   |
+--------------------------------------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>      |
| where the Compensating Control(s) was used.                  |                              |
|                                                              |                              |
| ***Note:** The use of Compensating Controls must also be     |                              |
| documented in                                                |                              |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*  |                              |
+--------------------------------------------------------------+------------------------------+

+--------------------------------------------+----------------------------------------------------+--------------------------+
| **Testing Procedures**                     | **Reporting Instructions**                         | **Reporting Details:     |
|                                            |                                                    | Assessor's Response**    |
+============================================+====================================================+==========================+
| **9.5.1** Examine documented policies and  | **Identify** the evidence reference number(s) from | \<Enter Response Here\>  |
| procedures to verify that processes are    | [Section 6](#evidence-assessment-workpapers) for   |                          |
| defined that include all elements          | **policies and procedures** examined for this      |                          |
| specified in this requirement.             | testing procedure.                                 |                          |
+--------------------------------------------+----------------------------------------------------+--------------------------+

+-----------------------------------------------------------------------+
| **PCI DSS Requirement**                                               |
+=======================================================================+
| **9.5.1.1** An up-to-date list of POI devices is maintained,          |
| including:                                                            |
|                                                                       |
| - Make and model of the device.                                       |
|                                                                       |
| - Location of device.                                                 |
|                                                                       |
| - Device serial number or other methods of unique identification.     |
+-----------------------------------------------------------------------+

+--------------------+--------------------+--------------------+--------------------+
| **Assessment       |                    |                    |                    |
| Findings (select   |                    |                    |                    |
| one)**             |                    |                    |                    |
+--------------------+--------------------+--------------------+--------------------+
| **In Place**       | **Not Applicable** | **Not Tested**     | **Not in Place**   |
+--------------------+--------------------+--------------------+--------------------+
| ☐                  | ☐                  | ☐                  | ☐                  |
+--------------------+--------------------+--------------------+--------------------+

+--------------------------------------------------------------+------------------------------+
| Describe why the assessment finding was selected.            | \<Enter Response Here\>      |
|                                                              |                              |
| ***Note**: Include all details as noted in the "Required     |                              |
| Reporting" column of the table in [Assessment                |                              |
| Findings](#assessment-findings) in the ROC Template          |                              |
| Instructions.*                                               |                              |
+--------------------------------------------------------------+------------------------------+
| **Validation Method -- Customized Approach**                 |                              |
+--------------------------------------------------------------+------------------------------+
| **Indicate** whether a Customized Approach was used:         | ☐ Yes ☐ No                   |
+--------------------------------------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>      |
| where the Customized Approach was used.                      |                              |
|                                                              |                              |
| ***Note:** The use of Customized Approach must also be       |                              |
| documented in                                                |                              |
| [Appendix E.](#appendix-e-customized-approach-template)*     |                              |
+--------------------------------------------------------------+------------------------------+
| **Validation Method -- Defined Approach**                    |                              |
+--------------------------------------------------------------+------------------------------+
| **Indicate** whether a Compensating Control was used:        | ☐ Yes ☐ No                   |
+--------------------------------------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>      |
| where the Compensating Control(s) was used.                  |                              |
|                                                              |                              |
| ***Note:** The use of Compensating Controls must also be     |                              |
| documented in                                                |                              |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*  |                              |
+--------------------------------------------------------------+------------------------------+

+--------------------------------------------+----------------------------------------------------+--------------------------+
| **Testing Procedures**                     | **Reporting Instructions**                         | **Reporting Details:     |
|                                            |                                                    | Assessor's Response**    |
+============================================+====================================================+==========================+
| **9.5.1.1.a** Examine the list of POI      | **Identify** the evidence reference number(s) from | \<Enter Response Here\>  |
| devices to verify it includes all elements | [Section 6](#evidence-assessment-workpapers) for   |                          |
| specified in this requirement.             | all **lists of POI devices examined** for this     |                          |
|                                            | testing procedure.                                 |                          |
+--------------------------------------------+----------------------------------------------------+--------------------------+
| **9.5.1.1.b** Observe POI devices and      | **Identify** the evidence reference number(s) from | \<Enter Response Here\>  |
| device locations and compare to devices in | [Section 6](#evidence-assessment-workpapers) for   |                          |
| the list to verify that the list is        | all **observation(s) of the POI devices and device |                          |
| accurate and up to date.                   | locations** for this testing procedure.            |                          |
+--------------------------------------------+----------------------------------------------------+--------------------------+
| **9.5.1.1.c** Interview personnel to       | **Identify** the evidence reference number(s) from | \<Enter Response Here\>  |
| verify the list of POI devices is updated  | [Section 6](#evidence-assessment-workpapers) for   |                          |
| when devices are added, relocated,         | all **interview(s)** conducted for this testing    |                          |
| decommissioned, etc.                       | procedure.                                         |                          |
+--------------------------------------------+----------------------------------------------------+--------------------------+


+-----------------------------------------------------------------------+
| **PCI DSS Requirement**                                               |
+=======================================================================+
| **9.5.1.2** POI device surfaces are periodically inspected to detect  |
| tampering and unauthorized substitution.                              |
+-----------------------------------------------------------------------+

+--------------------+--------------------+--------------------+--------------------+
| **Assessment       |                    |                    |                    |
| Findings (select   |                    |                    |                    |
| one)**             |                    |                    |                    |
+--------------------+--------------------+--------------------+--------------------+
| **In Place**       | **Not Applicable** | **Not Tested**     | **Not in Place**   |
+--------------------+--------------------+--------------------+--------------------+
| ☐                  | ☐                  | ☐                  | ☐                  |
+--------------------+--------------------+--------------------+--------------------+

+--------------------------------------------------------------+------------------------------+
| Describe why the assessment finding was selected.            | \<Enter Response Here\>      |
|                                                              |                              |
| ***Note**: Include all details as noted in the "Required     |                              |
| Reporting" column of the table in [Assessment                |                              |
| Findings](#assessment-findings) in the ROC Template          |                              |
| Instructions.*                                               |                              |
+--------------------------------------------------------------+------------------------------+
| **Validation Method -- Customized Approach**                 |                              |
+--------------------------------------------------------------+------------------------------+
| **Indicate** whether a Customized Approach was used:         | ☐ Yes ☐ No                   |
+--------------------------------------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>      |
| where the Customized Approach was used.                      |                              |
|                                                              |                              |
| ***Note:** The use of Customized Approach must also be       |                              |
| documented in                                                |                              |
| [Appendix E.](#appendix-e-customized-approach-template)*     |                              |
+--------------------------------------------------------------+------------------------------+
| **Validation Method -- Defined Approach**                    |                              |
+--------------------------------------------------------------+------------------------------+
| **Indicate** whether a Compensating Control was used:        | ☐ Yes ☐ No                   |
+--------------------------------------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>      |
| where the Compensating Control(s) was used.                  |                              |
|                                                              |                              |
| ***Note:** The use of Compensating Controls must also be     |                              |
| documented in                                                |                              |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*  |                              |
+--------------------------------------------------------------+------------------------------+

+--------------------------------------------+----------------------------------------------------+--------------------------+
| **Testing Procedures**                     | **Reporting Instructions**                         | **Reporting Details:     |
|                                            |                                                    | Assessor's Response**    |
+============================================+====================================================+==========================+
| **9.5.1.2.a** Examine documented           | **Identify** the evidence reference number(s) from | \<Enter Response Here\>  |
| procedures to verify processes are defined | [Section 6](#evidence-assessment-workpapers) for   |                          |
| for periodic inspections of POI device     | all **documented procedures** examined for this    |                          |
| surfaces to detect tampering and           | testing procedure.                                 |                          |
| unauthorized substitution.                 |                                                    |                          |
+--------------------------------------------+----------------------------------------------------+--------------------------+
| **9.5.1.2.b** Interview responsible        | **Identify** the evidence reference number(s) from | \<Enter Response Here\>  |
| personnel and observe inspection processes | [Section 6](#evidence-assessment-workpapers) for   |                          |
| to verify:                                 | all **interview(s)** conducted for this testing    |                          |
|                                            | procedure.                                         |                          |
| - Personnel are aware of procedures for    |                                                    |                          |
|   inspecting devices.                      |                                                    |                          |
|                                            |                                                    |                          |
| - All devices are periodically inspected   |                                                    |                          |
|   for evidence of tampering and            |                                                    |                          |
|   unauthorized substitution.               |                                                    |                          |
+--------------------------------------------+----------------------------------------------------+--------------------------+
|                                            | **Identify** the evidence reference number(s) from | \<Enter Response Here\>  |
|                                            | [Section 6](#evidence-assessment-workpapers) for   |                          |
|                                            | all **observation(s) of the inspection processes** |                          |
|                                            | for this testing procedure.                        |                          |
+--------------------------------------------+----------------------------------------------------+--------------------------+

+----------------------------------------------------------------------------------------------------------+
| > **PCI DSS Requirement**                                                                                 |
+==========================================================================================================+
| **9.5.1.2.1** The frequency of periodic POI device inspections and the type of inspections performed     |
| is defined in the entity's targeted risk analysis, which is performed according to all elements          |
| specified in Requirement 12.3.1.                                                                          |
|                                                                                                          |
| ***Note:** This requirement is a **best practice** until **31 March 2025**, after which it will be       |
| required and must be fully considered during a PCI DSS assessment.*                                      |
+----------------------------------------------------------------------------------------------------------+
| > **Assessment Findings (select one)**                                                                    |
+----------------------------------------------------------------------------------------------------------+
+-------------------------+--------------------------+-------------------------+-------------------------+
| **In Place**            | **Not Applicable**       | **Not Tested**          | **Not in Place**        |
+=========================+==========================+=========================+=========================+
| ☐                       | ☐                        | ☐                       | ☐                       |
+-------------------------+--------------------------+-------------------------+-------------------------+
+-----------------------------------------------------------------------------+--------------------------+
| Describe why the assessment finding was selected.                           | \<Enter Response Here\>  |
|                                                                             |                          |
| ***Note**: Include all details as noted in the "Required Reporting" column  |                          |
| of the table in [Assessment Findings](#assessment-findings) in the ROC      |                          |
| Template Instructions.*                                                     |                          |
+-----------------------------------------------------------------------------+--------------------------+
| **Validation Method -- Customized Approach**                                |                          |
+-----------------------------------------------------------------------------+--------------------------+
| **Indicate** whether a Customized Approach was used:                        | ☐ Yes ☐ No               |
+-----------------------------------------------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the           | \<Enter Response Here\>  |
| Customized Approach was used.                                               |                          |
|                                                                             |                          |
| ***Note:** The use of Customized Approach must also be documented in        |                          |
| [Appendix E.](#appendix-e-customized-approach-template)*                    |                          |
+-----------------------------------------------------------------------------+--------------------------+
| **Validation Method -- Defined Approach**                                   |                          |
+-----------------------------------------------------------------------------+--------------------------+
| **Indicate** whether a Compensating Control was used:                       | ☐ Yes ☐ No               |
+-----------------------------------------------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the           | \<Enter Response Here\>  |
| Compensating Control(s) was used.                                           |                          |
|                                                                             |                          |
| ***Note:** The use of Compensating Controls must also be documented in      |                          |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*                 |                          |
+-----------------------------------------------------------------------------+--------------------------+
+-------------------------------+----------------------------------------------+-------------------------+
| > **Testing Procedures**      | > **Reporting Instructions**                 | > **Reporting Details:  |
|                               |                                              | > Assessor's Response** |
+===============================+==============================================+=========================+
| **9.5.1.2.1.a** Examine the   | **Identify** the evidence reference          | \<Enter Response Here\> |
| entity's targeted risk        | number(s) from                               |                         |
| analysis for the frequency of | [Section 6](#evidence-assessment-workpapers) |                         |
| periodic POI device           | for the **entity's targeted risk analysis**  |                         |
| inspections and type of       | examined for this testing procedure.         |                         |
| inspections performed to      |                                              |                         |
| verify the risk analysis was  |                                              |                         |
| performed in accordance with  |                                              |                         |
| all elements specified in     |                                              |                         |
| Requirement 12.3.1.           |                                              |                         |
+-------------------------------+----------------------------------------------+-------------------------+
| **9.5.1.2.1.b** Examine       | **Identify** the evidence reference          | \<Enter Response Here\> |
| documented results of         | number(s) from                               |                         |
| periodic device inspections   | [Section 6](#evidence-assessment-workpapers) |                         |
| and interview personnel to    | for the **documented results of periodic     |                         |
| verify that the frequency and | device inspections** examined for this       |                         |
| type of POI device            | testing procedure.                           |                         |
| inspections performed match   |                                              |                         |
| what is defined in the        |                                              |                         |
| entity's targeted risk        |                                              |                         |
| analysis conducted for this   |                                              |                         |
| requirement.                  |                                              |                         |
+-------------------------------+----------------------------------------------+-------------------------+
|                               | **Identify** the evidence reference          | \<Enter Response Here\> |
|                               | number(s) from                               |                         |
|                               | [Section 6](#evidence-assessment-workpapers) |                         |
|                               | for all **interview(s)** conducted for this  |                         |
|                               | testing procedure.                           |                         |
+-------------------------------+----------------------------------------------+-------------------------+
+----------------------------------------------------------------------------------------------------------+
| > **PCI DSS Requirement**                                                                                 |
+==========================================================================================================+
| **9.5.1.3** Training is provided for personnel in POI environments to be aware of attempted tampering    |
| or replacement of POI devices, and includes:                                                             |
|                                                                                                          |
| - Verifying the identity of any third-party persons claiming to be repair or maintenance personnel,      |
|   before granting them access to modify or troubleshoot devices.                                         |
|                                                                                                          |
| - Procedures to ensure devices are not installed, replaced, or returned without verification.            |
|                                                                                                          |
| - Being aware of suspicious behavior around devices.                                                     |
|                                                                                                          |
| - Reporting suspicious behavior and indications of device tampering or substitution to appropriate       |
|   personnel.                                                                                             |
+----------------------------------------------------------------------------------------------------------+
| > **Assessment Findings (select one)**                                                                    |
+----------------------------------------------------------------------------------------------------------+
+-------------------------+--------------------------+-------------------------+-------------------------+
| **In Place**            | **Not Applicable**       | **Not Tested**          | **Not in Place**        |
+=========================+==========================+=========================+=========================+
| ☐                       | ☐                        | ☐                       | ☐                       |
+-------------------------+--------------------------+-------------------------+-------------------------+
+-----------------------------------------------------------------------------+--------------------------+
| Describe why the assessment finding was selected.                           | \<Enter Response Here\>  |
|                                                                             |                          |
| ***Note**: Include all details as noted in the "Required Reporting" column  |                          |
| of the table in [Assessment Findings](#assessment-findings) in the ROC      |                          |
| Template Instructions.*                                                     |                          |
+-----------------------------------------------------------------------------+--------------------------+
| **Validation Method -- Customized Approach**                                |                          |
+-----------------------------------------------------------------------------+--------------------------+
| **Indicate** whether a Customized Approach was used:                        | ☐ Yes ☐ No               |
+-----------------------------------------------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the           | \<Enter Response Here\>  |
| Customized Approach was used.                                               |                          |
|                                                                             |                          |
| ***Note:** The use of Customized Approach must also be documented in        |                          |
| [Appendix E.](#appendix-e-customized-approach-template)*                    |                          |
+-----------------------------------------------------------------------------+--------------------------+
| **Validation Method -- Defined Approach**                                   |                          |
+-----------------------------------------------------------------------------+--------------------------+
| **Indicate** whether a Compensating Control was used:                       | ☐ Yes ☐ No               |
+-----------------------------------------------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the           | \<Enter Response Here\>  |
| Compensating Control(s) was used.                                           |                          |
|                                                                             |                          |
| ***Note:** The use of Compensating Controls must also be documented in      |                          |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*                 |                          |
+-----------------------------------------------------------------------------+--------------------------+
+-------------------------------+----------------------------------------------+-------------------------+
| > **Testing Procedures**      | > **Reporting Instructions**                 | > **Reporting Details:  |
|                               |                                              | > Assessor's Response** |
+===============================+==============================================+=========================+
| **9.5.1.3.a** Review training | **Identify** the evidence reference          | \<Enter Response Here\> |
| materials for personnel in    | number(s) from                               |                         |
| POI environments to verify    | [Section 6](#evidence-assessment-workpapers) |                         |
| they include all elements     | for all **training materials** examined for  |                         |
| specified in this             | this testing procedure.                      |                         |
| requirement.                  |                                              |                         |
+-------------------------------+----------------------------------------------+-------------------------+
| **9.5.1.3.b** Interview       | **Identify** the evidence reference          | \<Enter Response Here\> |
| personnel in POI environments | number(s) from                               |                         |
| to verify they have received  | [Section 6](#evidence-assessment-workpapers) |                         |
| training and know the         | for all **interview(s)** conducted for this  |                         |
| procedures for all elements   | testing procedure.                           |                         |
| specified in this             |                                              |                         |
| requirement.                  |                                              |                         |
+-------------------------------+----------------------------------------------+-------------------------+
## Regularly Monitor and Test Networks {#regularly-monitor-and-test-networks .unnumbered}
### Requirement 10: Log and Monitor All Access to System Components and Cardholder Data {#requirement-10-log-and-monitor-all-access-to-system-components-and-cardholder-data .unnumbered}
+----------------------------------------------------------------------------------------------------------+
| > **Requirement Description**                                                                             |
+==========================================================================================================+
| **10.1** Processes and mechanisms for logging and monitoring all access to system components             |
| and cardholder data are defined and documented.                                                          |
+----------------------------------------------------------------------------------------------------------+
| > **PCI DSS Requirement**                                                                                 |
+----------------------------------------------------------------------------------------------------------+
| **10.1.1** All security policies and operational procedures that are identified in Requirement 10 are:   |
|                                                                                                          |
| - Documented.                                                                                            |
|                                                                                                          |
| - Kept up to date.                                                                                       |
|                                                                                                          |
| - In use.                                                                                                |
|                                                                                                          |
| - Known to all affected parties.                                                                         |
+----------------------------------------------------------------------------------------------------------+
| > **Assessment Findings (select one)**                                                                    |
+----------------------------------------------------------------------------------------------------------+
+-------------------------+--------------------------+-------------------------+-------------------------+
| **In Place**            | **Not Applicable**       | **Not Tested**          | **Not in Place**        |
+=========================+==========================+=========================+=========================+
| ☐                       | ☐                        | ☐                       | ☐                       |
+-------------------------+--------------------------+-------------------------+-------------------------+
+-----------------------------------------------------------------------------+--------------------------+
| Describe why the assessment finding was selected.                           | \<Enter Response Here\>  |
|                                                                             |                          |
| ***Note**: Include all details as noted in the "Required Reporting" column  |                          |
| of the table in [Assessment Findings](#assessment-findings) in the ROC      |                          |
| Template Instructions.*                                                     |                          |
+-----------------------------------------------------------------------------+--------------------------+
| **Validation Method -- Customized Approach**                                |                          |
+-----------------------------------------------------------------------------+--------------------------+
| **Indicate** whether a Customized Approach was used:                        | ☐ Yes ☐ No               |
+-----------------------------------------------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the           | \<Enter Response Here\>  |
| Customized Approach was used.                                               |                          |
|                                                                             |                          |
| ***Note:** The use of Customized Approach must also be documented in        |                          |
| [Appendix E.](#appendix-e-customized-approach-template)*                    |                          |
+-----------------------------------------------------------------------------+--------------------------+
| **Validation Method -- Defined Approach**                                   |                          |
+-----------------------------------------------------------------------------+--------------------------+
| **Indicate** whether a Compensating Control was used:                       | ☐ Yes ☐ No               |
+-----------------------------------------------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the           | \<Enter Response Here\>  |
| Compensating Control(s) was used.                                           |                          |
|                                                                             |                          |
| ***Note:** The use of Compensating Controls must also be documented in      |                          |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*                 |                          |
+-----------------------------------------------------------------------------+--------------------------+
+-------------------------------+----------------------------------------------+-------------------------+
| > **Testing Procedures**      | > **Reporting Instructions**                 | > **Reporting Details:  |
|                               |                                              | > Assessor's Response** |
+===============================+==============================================+=========================+
| **10.1.1** Examine            | **Identify** the evidence reference          | \<Enter Response Here\> |
| documentation and interview   | number(s) from                               |                         |
| personnel to verify that      | [Section 6](#evidence-assessment-workpapers) |                         |
| security policies and         | for all **documentation** examined for this  |                         |
| operational procedures        | testing procedure.                           |                         |
| identified in Requirement 10  |                                              |                         |
| are managed in accordance     |                                              |                         |
| with all elements specified   |                                              |                         |
| in this requirement.          |                                              |                         |
+-------------------------------+----------------------------------------------+-------------------------+
|                               | **Identify** the evidence reference          | \<Enter Response Here\> |
|                               | number(s) from                               |                         |
|                               | [Section 6](#evidence-assessment-workpapers) |                         |
|                               | for all **interview(s)** conducted for this  |                         |
|                               | testing procedure.                           |                         |
+-------------------------------+----------------------------------------------+-------------------------+
+----------------------------------------------------------------------------------------------------------+
| > **PCI DSS Requirement**                                                                                 |
+==========================================================================================================+
| **10.1.2** Roles and responsibilities for performing activities in Requirement 10                        |
| are documented, assigned, and understood.                                                                |
+----------------------------------------------------------------------------------------------------------+
| > **Assessment Findings (select one)**                                                                    |
+----------------------------------------------------------------------------------------------------------+
+-------------------------+--------------------------+-------------------------+-------------------------+
| **In Place**            | **Not Applicable**       | **Not Tested**          | **Not in Place**        |
+=========================+==========================+=========================+=========================+
| ☐                       | ☐                        | ☐                       | ☐                       |
+-------------------------+--------------------------+-------------------------+-------------------------+
+-----------------------------------------------------------------------------+--------------------------+
| Describe why the assessment finding was selected.                           | \<Enter Response Here\>  |
|                                                                             |                          |
| ***Note**: Include all details as noted in the "Required Reporting" column  |                          |
| of the table in [Assessment Findings](#assessment-findings) in the ROC      |                          |
| Template Instructions.*                                                     |                          |
+-----------------------------------------------------------------------------+--------------------------+
| **Validation Method -- Customized Approach**                                |                          |
+-----------------------------------------------------------------------------+--------------------------+
| **Indicate** whether a Customized Approach was used:                        | ☐ Yes ☐ No               |
+-----------------------------------------------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the           | \<Enter Response Here\>  |
| Customized Approach was used.                                               |                          |
|                                                                             |                          |
| ***Note:** The use of Customized Approach must also be documented in        |                          |
| [Appendix E.](#appendix-e-customized-approach-template)*                    |                          |
+-----------------------------------------------------------------------------+--------------------------+
| **Validation Method -- Defined Approach**                                   |                          |
+-----------------------------------------------------------------------------+--------------------------+
| **Indicate** whether a Compensating Control was used:                       | ☐ Yes ☐ No               |
+-----------------------------------------------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the           | \<Enter Response Here\>  |
| Compensating Control(s) was used.                                           |                          |
|                                                                             |                          |
| ***Note:** The use of Compensating Controls must also be documented in      |                          |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*                 |                          |
+-----------------------------------------------------------------------------+--------------------------+
+-------------------------------+----------------------------------------------+-------------------------+
| > **Testing Procedures**      | > **Reporting Instructions**                 | > **Reporting Details:  |
|                               |                                              | > Assessor's Response** |
+===============================+==============================================+=========================+
| **10.1.2.a** Examine          | **Identify** the evidence reference          | \<Enter Response Here\> |
| documentation to verify that  | number(s) from                               |                         |
| descriptions of roles and     | [Section 6](#evidence-assessment-workpapers) |                         |
| responsibilities for          | for all **documentation** examined for this  |                         |
| performing activities in      | testing procedure.                           |                         |
| Requirement 10 are documented |                                              |                         |
| and assigned.                 |                                              |                         |
+-------------------------------+----------------------------------------------+-------------------------+
| **10.1.2.b** Interview        | **Identify** the evidence reference          | \<Enter Response Here\> |
| personnel with responsibility | number(s) from                               |                         |
| for performing activities in  | [Section 6](#evidence-assessment-workpapers) |                         |
| Requirement 10 to verify that | for all **interview(s)** conducted for this  |                         |
| roles and responsibilities    | testing procedure.                           |                         |
| are assigned as defined and   |                                              |                         |
| are understood.               |                                              |                         |
+-------------------------------+----------------------------------------------+-------------------------+
+----------------------------------------------------------------------------------------------------------+
| > **Requirement Description**                                                                             |
+==========================================================================================================+
| **10.2** Audit logs are implemented to support the detection of anomalies and suspicious activity,       |
| and the forensic analysis of events.                                                                     |
+----------------------------------------------------------------------------------------------------------+
| > **PCI DSS Requirement**                                                                                 |
+----------------------------------------------------------------------------------------------------------+
| **10.2.1** Interview the system administrator and examine system configurations to verify that           |
| audit logs are enabled and active for all system components.                                             |
+----------------------------------------------------------------------------------------------------------+
| > **Assessment Findings (select one)**                                                                    |
+----------------------------------------------------------------------------------------------------------+
+-------------------------+--------------------------+-------------------------+-------------------------+
| **In Place**            | **Not Applicable**       | **Not Tested**          | **Not in Place**        |
+=========================+==========================+=========================+=========================+
| ☐                       | ☐                        | ☐                       | ☐                       |
+-------------------------+--------------------------+-------------------------+-------------------------+
+-----------------------------------------------------------------------------+--------------------------+
| Describe why the assessment finding was selected.                           | \<Enter Response Here\>  |
|                                                                             |                          |
| ***Note**: Include all details as noted in the "Required Reporting" column  |                          |
| of the table in [Assessment Findings](#assessment-findings) in the ROC      |                          |
| Template Instructions.*                                                     |                          |
+-----------------------------------------------------------------------------+--------------------------+
| **Validation Method -- Customized Approach**                                |                          |
+-----------------------------------------------------------------------------+--------------------------+
| **Indicate** whether a Customized Approach was used:                        | ☐ Yes ☐ No               |
+-----------------------------------------------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the           | \<Enter Response Here\>  |
| Customized Approach was used.                                               |                          |
|                                                                             |                          |
| ***Note:** The use of Customized Approach must also be documented in        |                          |
| [Appendix E.](#appendix-e-customized-approach-template)*                    |                          |
+-----------------------------------------------------------------------------+--------------------------+
| **Validation Method -- Defined Approach**                                   |                          |
+-----------------------------------------------------------------------------+--------------------------+
| **Indicate** whether a Compensating Control was used:                       | ☐ Yes ☐ No               |
+-----------------------------------------------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the           | \<Enter Response Here\>  |
| Compensating Control(s) was used.                                           |                          |
|                                                                             |                          |
| ***Note:** The use of Compensating Controls must also be documented in      |                          |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*                 |                          |
+-----------------------------------------------------------------------------+--------------------------+
+-------------------------------+----------------------------------------------+-------------------------+
| > **Testing Procedures**      | > **Reporting Instructions**                 | > **Reporting Details:  |
|                               |                                              | > Assessor's Response** |
+===============================+==============================================+=========================+
| **10.2.1** Interview the      | **Identify** the evidence reference          | \<Enter Response Here\> |
| system administrator and      | number(s) from                               |                         |
| examine system configurations | [Section 6](#evidence-assessment-workpapers) |                         |
| to verify that audit logs are | for all **interview(s)** conducted for this  |                         |
| enabled and active for all    | testing procedure.                           |                         |
| system components.            |                                              |                         |
+-------------------------------+----------------------------------------------+-------------------------+
|                               | **Identify** the evidence reference          | \<Enter Response Here\> |
|                               | number(s) from                               |                         |
|                               | [Section 6](#evidence-assessment-workpapers) |                         |
|                               | for all **system configurations** examined   |                         |
|                               | for this testing procedure.                  |                         |
+-------------------------------+----------------------------------------------+-------------------------+
+----------------------------------------------------------------------------------------------------------+
| > **PCI DSS Requirement**                                                                                 |
+==========================================================================================================+
| **10.2.1.1** Audit logs capture all individual user access to cardholder data.                           |
+----------------------------------------------------------------------------------------------------------+
| > **Assessment Findings (select one)**                                                                    |
+----------------------------------------------------------------------------------------------------------+
+-------------------------+--------------------------+-------------------------+-------------------------+
| **In Place**            | **Not Applicable**       | **Not Tested**          | **Not in Place**        |
+=========================+==========================+=========================+=========================+
| ☐                       | ☐                        | ☐                       | ☐                       |
+-------------------------+--------------------------+-------------------------+-------------------------+
+-----------------------------------------------------------------------------+--------------------------+
| Describe why the assessment finding was selected.                           | \<Enter Response Here\>  |
|                                                                             |                          |
| ***Note**: Include all details as noted in the "Required Reporting" column  |                          |
| of the table in [Assessment Findings](#assessment-findings) in the ROC      |                          |
| Template Instructions.*                                                     |                          |
+-----------------------------------------------------------------------------+--------------------------+
| **Validation Method -- Customized Approach**                                |                          |
+-----------------------------------------------------------------------------+--------------------------+
| **Indicate** whether a Customized Approach was used:                        | ☐ Yes ☐ No               |
+-----------------------------------------------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the           | \<Enter Response Here\>  |
| Customized Approach was used.                                               |                          |
|                                                                             |                          |
| ***Note:** The use of Customized Approach must also be documented in        |                          |
| [Appendix E.](#appendix-e-customized-approach-template)*                    |                          |
+-----------------------------------------------------------------------------+--------------------------+
| **Validation Method -- Defined Approach**                                   |                          |
+-----------------------------------------------------------------------------+--------------------------+
| **Indicate** whether a Compensating Control was used:                       | ☐ Yes ☐ No               |
+-----------------------------------------------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the           | \<Enter Response Here\>  |
| Compensating Control(s) was used.                                           |                          |
|                                                                             |                          |
| ***Note:** The use of Compensating Controls must also be documented in      |                          |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*                 |                          |
+-----------------------------------------------------------------------------+--------------------------+
+-------------------------------+----------------------------------------------+-------------------------+
| > **Testing Procedures**      | > **Reporting Instructions**                 | > **Reporting Details:  |
|                               |                                              | > Assessor's Response** |
+===============================+==============================================+=========================+
| **10.2.1.1** Examine audit    | **Identify** the evidence reference          | \<Enter Response Here\> |
| log configurations and log    | number(s) from                               |                         |
| data to verify that all       | [Section 6](#evidence-assessment-workpapers) |                         |
| individual user access to     | for all **audit log configurations**         |                         |
| cardholder data is logged.    | examined for this testing procedure.         |                         |
+-------------------------------+----------------------------------------------+-------------------------+
|                               | **Identify** the evidence reference          | \<Enter Response Here\> |
|                               | number(s) from                               |                         |
|                               | [Section 6](#evidence-assessment-workpapers) |                         |
|                               | for all **log data** examined for this       |                         |
|                               | testing procedure.                           |                         |
+-------------------------------+----------------------------------------------+-------------------------+
+----------------------------------------------------+------------------------------------------+--------------------------+
| **PCI DSS Requirement**                            |                                          |                          |
+====================================================+==========================================+==========================+
| **10.2.1.2** Audit logs capture all actions taken  |                                          |                          |
| by any individual with administrative access,      |                                          |                          |
| including any interactive use of application or    |                                          |                          |
| system accounts.                                   |                                          |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+
| **Assessment Findings (select one)**               |                                          |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+
| ☐ In Place  ☐ Not Applicable                       | ☐ Not Tested  ☐ Not in Place             |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+
| Describe why the assessment finding was selected.  |                                          | \<Enter Response Here\>  |
|                                                    |                                          |                          |
| ***Note**: Include all details as noted in the     |                                          |                          |
| "Required Reporting" column of the table in        |                                          |                          |
| [Assessment Findings](#assessment-findings) in the |                                          |                          |
| ROC Template Instructions.*                        |                                          |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+
| **Validation Method -- Customized Approach**       |                                          |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+
| **Indicate** whether a Customized Approach was     |                                          | ☐ Yes ☐ No               |
| used:                                              |                                          |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the        |                                          | \<Enter Response Here\>  |
| requirement where the Customized Approach was      |                                          |                          |
| used.                                              |                                          |                          |
|                                                    |                                          |                          |
| ***Note:** The use of Customized Approach must     |                                          |                          |
| also be documented in [Appendix                    |                                          |                          |
| E.](#appendix-e-customized-approach-template)*     |                                          |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+
| **Validation Method -- Defined Approach**          |                                          |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+
| **Indicate** whether a Compensating Control was    |                                          | ☐ Yes ☐ No               |
| used:                                              |                                          |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the        |                                          | \<Enter Response Here\>  |
| requirement where the Compensating Control(s) was  |                                          |                          |
| used.                                              |                                          |                          |
|                                                    |                                          |                          |
| ***Note:** The use of Compensating Controls must   |                                          |                          |
| also be documented in [Appendix                    |                                          |                          |
| C.](#appendix-c-compensating-controls-worksheet)*  |                                          |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+
| **Testing Procedures**                             | **Reporting Instructions**               | **Reporting Details:     |
|                                                    |                                          | Assessor's Response**    |
+----------------------------------------------------+------------------------------------------+--------------------------+
| **10.2.1.2** Examine audit log configurations and  | **Identify** the evidence reference      | \<Enter Response Here\>  |
| log data to verify that all actions taken by any   | number(s) from [Section                  |                          |
| individual with administrative access, including   | 6](#evidence-assessment-workpapers) for  |                          |
| any interactive use of application or system       | all **audit log configurations**         |                          |
| accounts, are logged.                              | examined for this testing procedure.     |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+
|                                                    | **Identify** the evidence reference      | \<Enter Response Here\>  |
|                                                    | number(s) from [Section                  |                          |
|                                                    | 6](#evidence-assessment-workpapers) for  |                          |
|                                                    | all **log data** examined for this       |                          |
|                                                    | testing procedure.                       |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+

+----------------------------------------------------+------------------------------------------+--------------------------+
| **PCI DSS Requirement**                            |                                          |                          |
+====================================================+==========================================+==========================+
| **10.2.1.3** Audit logs capture all access to      |                                          |                          |
| audit logs.                                        |                                          |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+
| **Assessment Findings (select one)**               |                                          |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+
| ☐ In Place  ☐ Not Applicable                       | ☐ Not Tested  ☐ Not in Place             |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+
| Describe why the assessment finding was selected.  |                                          | \<Enter Response Here\>  |
|                                                    |                                          |                          |
| ***Note**: Include all details as noted in the     |                                          |                          |
| "Required Reporting" column of the table in        |                                          |                          |
| [Assessment Findings](#assessment-findings) in the |                                          |                          |
| ROC Template Instructions.*                        |                                          |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+
| **Validation Method -- Customized Approach**       |                                          |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+
| **Indicate** whether a Customized Approach was     |                                          | ☐ Yes ☐ No               |
| used:                                              |                                          |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the        |                                          | \<Enter Response Here\>  |
| requirement where the Customized Approach was      |                                          |                          |
| used.                                              |                                          |                          |
|                                                    |                                          |                          |
| ***Note:** The use of Customized Approach must     |                                          |                          |
| also be documented in [Appendix                    |                                          |                          |
| E.](#appendix-e-customized-approach-template)*     |                                          |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+
| **Validation Method -- Defined Approach**          |                                          |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+
| **Indicate** whether a Compensating Control was    |                                          | ☐ Yes ☐ No               |
| used:                                              |                                          |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the        |                                          | \<Enter Response Here\>  |
| requirement where the Compensating Control(s) was  |                                          |                          |
| used.                                              |                                          |                          |
|                                                    |                                          |                          |
| ***Note:** The use of Compensating Controls must   |                                          |                          |
| also be documented in [Appendix                    |                                          |                          |
| C.](#appendix-c-compensating-controls-worksheet)*  |                                          |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+

+----------------------------------------------------+------------------------------------------+--------------------------+
| **Testing Procedures**                             | **Reporting Instructions**               | **Reporting Details:     |
|                                                    |                                          | Assessor's Response**    |
+====================================================+==========================================+==========================+
| **10.2.1.3** Examine audit log configurations and  | **Identify** the evidence reference      | \<Enter Response Here\>  |
| log data to verify that access to all audit logs   | number(s) from [Section                  |                          |
| is captured.                                       | 6](#evidence-assessment-workpapers) for  |                          |
|                                                    | all **audit log configurations**         |                          |
|                                                    | examined for this testing procedure.     |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+
|                                                    | **Identify** the evidence reference      | \<Enter Response Here\>  |
|                                                    | number(s) from [Section                  |                          |
|                                                    | 6](#evidence-assessment-workpapers) for  |                          |
|                                                    | all **log data** examined for this       |                          |
|                                                    | testing procedure.                       |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+

+----------------------------------------------------+------------------------------------------+--------------------------+
| **PCI DSS Requirement**                            |                                          |                          |
+====================================================+==========================================+==========================+
| **10.2.1.4** Audit logs capture all invalid        |                                          |                          |
| logical access attempts.                           |                                          |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+
| **Assessment Findings (select one)**               |                                          |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+
| ☐ In Place  ☐ Not Applicable                       | ☐ Not Tested  ☐ Not in Place             |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+
| Describe why the assessment finding was selected.  |                                          | \<Enter Response Here\>  |
|                                                    |                                          |                          |
| ***Note**: Include all details as noted in the     |                                          |                          |
| "Required Reporting" column of the table in        |                                          |                          |
| [Assessment Findings](#assessment-findings) in the |                                          |                          |
| ROC Template Instructions.*                        |                                          |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+
| **Validation Method -- Customized Approach**       |                                          |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+
| **Indicate** whether a Customized Approach was     |                                          | ☐ Yes ☐ No               |
| used:                                              |                                          |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the        |                                          | \<Enter Response Here\>  |
| requirement where the Customized Approach was      |                                          |                          |
| used.                                              |                                          |                          |
|                                                    |                                          |                          |
| ***Note:** The use of Customized Approach must     |                                          |                          |
| also be documented in [Appendix                    |                                          |                          |
| E.](#appendix-e-customized-approach-template)*     |                                          |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+

+-----------------+-------------------+--------------------------------+
| **Validation | | |
| Method -- | | |
| Defined | | |
| Approach** | | |
+=================+===================+================================+
| **Indicate**    |                   | ☐ Yes ☐ No                     |
| whether a | | |
| Compensating | | |
| Control was | | |
| used: | | |
+-----------------+-------------------+--------------------------------+
| **If "Yes", | | \<Enter Response Here\> |
| Identify** the | | |
| aspect(s) of | | |
| the requirement | | |
| where the | | |
| Compensating | | |
| Control(s) was | | |
| used. | | |
| | | |
| ***Note:** The | | |
| use of | | |
| Compensating | | |
| Controls must | | |
| also be | | |
| documented in | | |
| [Appendix | | |
| C.]( | | |
| #appendix-c-com | | |
| pensating-contr | | |
| ols-worksheet)* | | |
+-----------------+-------------------+--------------------------------+
| > **Testing | > **Reporting | > **Reporting Details: |
| > Procedures** | > Instructions** | > Assessor's Response** |
+-----------------+-------------------+--------------------------------+
| **10.2.1.4** | **Identify** the | \<Enter Response Here\> |
| Examine audit | evidence | |
| log | reference | |
| configurations | number(s) from | |
| and log data to | [Section | |
| verify that | 6 | |
| invalid logical | ](#evidence-asses | |
| access attempts | sment-workpapers) | |
| are captured. | for all **audit | |
| | log | |
| | configurations** | |
| | examined for this | |
| | testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+
| | **Identify** the | \<Enter Response Here\> |
| | evidence | |
| | reference | |
| | number(s) from | |
| | [Section | |
| | 6 | |
| | ](#evidence-asses | |
| | sment-workpapers) | |
| | for all **log | |
| | data** examined | |
| | for this testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+
+----------------------------------------------------+------------------------------------------+--------------------------+
| **PCI DSS Requirement**                            |                                          |                          |
+====================================================+==========================================+==========================+
| **10.2.1.5** Audit logs capture all changes to     |                                          |                          |
| identification and authentication credentials      |                                          |                          |
| including, but not limited to:                     |                                          |                          |
|                                                    |                                          |                          |
| - Creation of new accounts.                        |                                          |                          |
| - Elevation of privileges.                         |                                          |                          |
| - All changes, additions, or deletions to accounts |                                          |                          |
|   with administrative access.                      |                                          |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+
| **Assessment Findings (select one)**               |                                          |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+
| ☐ In Place  ☐ Not Applicable                       | ☐ Not Tested  ☐ Not in Place             |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+
| Describe why the assessment finding was selected.  |                                          | \<Enter Response Here\>  |
|                                                    |                                          |                          |
| ***Note**: Include all details as noted in the     |                                          |                          |
| "Required Reporting" column of the table in        |                                          |                          |
| [Assessment Findings](#assessment-findings) in the |                                          |                          |
| ROC Template Instructions.*                        |                                          |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+
| **Validation Method -- Customized Approach**       |                                          |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+
| **Indicate** whether a Customized Approach was     |                                          | ☐ Yes ☐ No               |
| used:                                              |                                          |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the        |                                          | \<Enter Response Here\>  |
| requirement where the Customized Approach was      |                                          |                          |
| used.                                              |                                          |                          |
|                                                    |                                          |                          |
| ***Note:** The use of Customized Approach must     |                                          |                          |
| also be documented in [Appendix                    |                                          |                          |
| E.](#appendix-e-customized-approach-template)*     |                                          |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+
| **Validation Method -- Defined Approach**          |                                          |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+
| **Indicate** whether a Compensating Control was    |                                          | ☐ Yes ☐ No               |
| used:                                              |                                          |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the        |                                          | \<Enter Response Here\>  |
| requirement where the Compensating Control(s) was  |                                          |                          |
| used.                                              |                                          |                          |
|                                                    |                                          |                          |
| ***Note:** The use of Compensating Controls must   |                                          |                          |
| also be documented in [Appendix                    |                                          |                          |
| C.](#appendix-c-compensating-controls-worksheet)*  |                                          |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+
| **Testing Procedures**                             | **Reporting Instructions**               | **Reporting Details:     |
|                                                    |                                          | Assessor's Response**    |
+----------------------------------------------------+------------------------------------------+--------------------------+
| **10.2.1.5** Examine audit log configurations and  | **Identify** the evidence reference      | \<Enter Response Here\>  |
| log data to verify that changes to identification  | number(s) from [Section                  |                          |
| and authentication credentials are captured in     | 6](#evidence-assessment-workpapers) for  |                          |
| accordance with all elements specified in this     | all **audit log configurations**         |                          |
| requirement.                                       | examined for this testing procedure.     |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+
|                                                    | **Identify** the evidence reference      | \<Enter Response Here\>  |
|                                                    | number(s) from [Section                  |                          |
|                                                    | 6](#evidence-assessment-workpapers) for  |                          |
|                                                    | all **log data** examined for this       |                          |
|                                                    | testing procedure.                       |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+

+----------------------------------------------------+------------------------------------------+--------------------------+
| **PCI DSS Requirement**                            |                                          |                          |
+====================================================+==========================================+==========================+
| **10.2.1.6** Audit logs capture the following:     |                                          |                          |
|                                                    |                                          |                          |
| - All initialization of new audit logs, and        |                                          |                          |
| - All starting, stopping, or pausing of the        |                                          |                          |
|   existing audit logs.                             |                                          |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+
| **Assessment Findings (select one)**               |                                          |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+
| ☐ In Place  ☐ Not Applicable                       | ☐ Not Tested  ☐ Not in Place             |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+
| Describe why the assessment finding was selected.  |                                          | \<Enter Response Here\>  |
|                                                    |                                          |                          |
| ***Note**: Include all details as noted in the     |                                          |                          |
| "Required Reporting" column of the table in        |                                          |                          |
| [Assessment Findings](#assessment-findings) in the |                                          |                          |
| ROC Template Instructions.*                        |                                          |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+
| **Validation Method -- Customized Approach**       |                                          |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+
| **Indicate** whether a Customized Approach was     |                                          | ☐ Yes ☐ No               |
| used:                                              |                                          |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the        |                                          | \<Enter Response Here\>  |
| requirement where the Customized Approach was      |                                          |                          |
| used.                                              |                                          |                          |
|                                                    |                                          |                          |
| ***Note:** The use of Customized Approach must     |                                          |                          |
| also be documented in [Appendix                    |                                          |                          |
| E.](#appendix-e-customized-approach-template)*     |                                          |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+

+----------------------------------------------------+------------------------------------------+--------------------------+
| **Validation Method -- Defined Approach**          |                                          |                          |
+====================================================+==========================================+==========================+
| **Indicate** whether a Compensating Control was    |                                          | ☐ Yes ☐ No               |
| used:                                              |                                          |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the        |                                          | \<Enter Response Here\>  |
| requirement where the Compensating Control(s) was  |                                          |                          |
| used.                                              |                                          |                          |
|                                                    |                                          |                          |
| ***Note:** The use of Compensating Controls must   |                                          |                          |
| also be documented in [Appendix                    |                                          |                          |
| C.](#appendix-c-compensating-controls-worksheet)*  |                                          |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+
| **Testing Procedures**                             | **Reporting Instructions**               | **Reporting Details:     |
|                                                    |                                          | Assessor's Response**    |
+----------------------------------------------------+------------------------------------------+--------------------------+
| **10.2.1.6** Examine audit log configurations and  | **Identify** the evidence reference      | \<Enter Response Here\>  |
| log data to verify that all elements specified in  | number(s) from [Section                  |                          |
| this requirement are captured.                     | 6](#evidence-assessment-workpapers) for  |                          |
|                                                    | all **audit log configurations**         |                          |
|                                                    | examined for this testing procedure.     |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+
|                                                    | **Identify** the evidence reference      | \<Enter Response Here\>  |
|                                                    | number(s) from [Section                  |                          |
|                                                    | 6](#evidence-assessment-workpapers) for  |                          |
|                                                    | all **log data** examined for this       |                          |
|                                                    | testing procedure.                       |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+

+----------------------------------------------------+------------------------------------------+--------------------------+
| **PCI DSS Requirement**                            |                                          |                          |
+====================================================+==========================================+==========================+
| **10.2.1.7** Audit logs capture all creation and   |                                          |                          |
| deletion of system-level objects.                  |                                          |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+
| **Assessment Findings (select one)**               |                                          |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+
| ☐ In Place  ☐ Not Applicable                       | ☐ Not Tested  ☐ Not in Place             |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+
| Describe why the assessment finding was selected.  |                                          | \<Enter Response Here\>  |
|                                                    |                                          |                          |
| ***Note**: Include all details as noted in the     |                                          |                          |
| "Required Reporting" column of the table in        |                                          |                          |
| [Assessment Findings](#assessment-findings) in the |                                          |                          |
| ROC Template Instructions.*                        |                                          |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+

+-----------------+-------------------+--------------------------------+
| **Validation | | |
| Method -- | | |
| Customized | | |
| Approach** | | |
+=================+===================+================================+
| **Indicate**    |                   | ☐ Yes ☐ No                     |
| whether a | | |
| Customized | | |
| Approach was | | |
| used: | | |
+-----------------+-------------------+--------------------------------+
| **If "Yes", | | \<Enter Response Here\> |
| Identify** the | | |
| aspect(s) of | | |
| the requirement | | |
| where the | | |
| Customized | | |
| Approach was | | |
| used. | | |
| | | |
| ***Note:** The | | |
| use of | | |
| Customized | | |
| Approach must | | |
| also be | | |
| documented in | | |
| [Appendix | | |
| E | | |
| .](#appendix-e- | | |
| customized-appr | | |
| oach-template)* | | |
+-----------------+-------------------+--------------------------------+
| **Validation | | |
| Method -- | | |
| Defined | | |
| Approach** | | |
+-----------------+-------------------+--------------------------------+
| **Indicate** | | - Yes ☐ No |
| whether a | | |
| Compensating | | |
| Control was | | |
| used: | | |
+-----------------+-------------------+--------------------------------+
| **If "Yes", | | \<Enter Response Here\> |
| Identify** the | | |
| aspect(s) of | | |
| the requirement | | |
| where the | | |
| Compensating | | |
| Control(s) was | | |
| used. | | |
| | | |
| ***Note:** The | | |
| use of | | |
| Compensating | | |
| Controls must | | |
| also be | | |
| documented in | | |
| [Appendix | | |
| C.]( | | |
| #appendix-c-com | | |
| pensating-contr | | |
| ols-worksheet)* | | |
+-----------------+-------------------+--------------------------------+
| > **Testing | > **Reporting | > **Reporting Details: |
| > Procedures** | > Instructions** | > Assessor's Response** |
+-----------------+-------------------+--------------------------------+
| **10.2.1.7** | **Identify** the | \<Enter Response Here\> |
| Examine audit | evidence | |
| log | reference | |
| configurations | number(s) from | |
| and log data to | [Section | |
| verify that | 6 | |
| creation and | ](#evidence-asses | |
| deletion of | sment-workpapers) | |
| system level | for all **audit | |
| objects is | log | |
| captured. | configurations** | |
| | examined for this | |
| | testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+
| | **Identify** the | \<Enter Response Here\> |
| | evidence | |
| | reference | |
| | number(s) from | |
| | [Section | |
| | 6 | |
| | ](#evidence-asses | |
| | sment-workpapers) | |
| | for all **log | |
| | data** examined | |
| | for this testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+
+----------------------------------------------------+------------------------------------------+--------------------------+
| **PCI DSS Requirement**                            |                                          |                          |
+====================================================+==========================================+==========================+
| **10.2.2** Audit logs record the following details |                                          |                          |
| for each auditable event:                          |                                          |                          |
|                                                    |                                          |                          |
| - User identification.                             |                                          |                          |
| - Type of event.                                   |                                          |                          |
| - Date and time.                                   |                                          |                          |
| - Success and failure indication.                  |                                          |                          |
| - Origination of event.                            |                                          |                          |
| - Identity or name of affected data, system        |                                          |                          |
|   component, resource, or service (for example,    |                                          |                          |
|   name and protocol).                              |                                          |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+
| **Assessment Findings (select one)**               |                                          |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+
| ☐ In Place  ☐ Not Applicable                       | ☐ Not Tested  ☐ Not in Place             |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+
| Describe why the assessment finding was selected.  |                                          | \<Enter Response Here\>  |
|                                                    |                                          |                          |
| ***Note**: Include all details as noted in the     |                                          |                          |
| "Required Reporting" column of the table in        |                                          |                          |
| [Assessment Findings](#assessment-findings) in the |                                          |                          |
| ROC Template Instructions.*                        |                                          |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+
| **Validation Method -- Customized Approach**       |                                          |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+
| **Indicate** whether a Customized Approach was     |                                          | ☐ Yes ☐ No               |
| used:                                              |                                          |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the        |                                          | \<Enter Response Here\>  |
| requirement where the Customized Approach was      |                                          |                          |
| used.                                              |                                          |                          |
|                                                    |                                          |                          |
| ***Note:** The use of Customized Approach must     |                                          |                          |
| also be documented in [Appendix                    |                                          |                          |
| E.](#appendix-e-customized-approach-template)*     |                                          |                          |
+----------------------------------------------------+------------------------------------------+--------------------------+

+-----------------+-------------------+--------------------------------+
| **Validation | | |
| Method -- | | |
| Defined | | |
| Approach** | | |
+=================+===================+================================+
| **Indicate**    |                   | ☐ Yes ☐ No                     |
| whether a | | |
| Compensating | | |
| Control was | | |
| used: | | |
+-----------------+-------------------+--------------------------------+
| **If "Yes", | | \<Enter Response Here\> |
| Identify** the | | |
| aspect(s) of | | |
| the requirement | | |
| where the | | |
| Compensating | | |
| Control(s) was | | |
| used. | | |
| | | |
| ***Note:** The | | |
| use of | | |
| Compensating | | |
| Controls must | | |
| also be | | |
| documented in | | |
| [Appendix | | |
| C.]( | | |
| #appendix-c-com | | |
| pensating-contr | | |
| ols-worksheet)* | | |
+-----------------+-------------------+--------------------------------+
| > **Testing | > **Reporting | > **Reporting Details: |
| > Procedures** | > Instructions** | > Assessor's Response** |
+-----------------+-------------------+--------------------------------+
| **10.2.2** | **Identify** the | \<Enter Response Here\> |
| Interview | evidence | |
| personnel and | reference | |
| examine audit | number(s) from | |
| log | [Section | |
| configurations | 6 | |
| and log data to | ](#evidence-asses | |
| verify that all | sment-workpapers) | |
| elements | for all | |
| specified in | **interview(s)** | |
| this | conducted for | |
| requirement are | this testing | |
| included in log | procedure. | |
| entries for | | |
| each auditable | | |
| event (from | | |
| 10.2.1.1 | | |
| through | | |
| 10.2.1.7). | | |
+-----------------+-------------------+--------------------------------+
| | **Identify** the | \<Enter Response Here\> |
| | evidence | |
| | reference | |
| | number(s) from | |
| | [Section | |
| | 6 | |
| | ](#evidence-asses | |
| | sment-workpapers) | |
| | for all **audit | |
| | log | |
| | configurations** | |
| | examined for this | |
| | testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+
| | **Identify** the | \<Enter Response Here\> |
| | evidence | |
| | reference | |
| | number(s) from | |
| | [Section | |
| | 6 | |
| | ](#evidence-asses | |
| | sment-workpapers) | |
| | for all **log | |
| | data** examined | |
| | for this testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+

**Requirement Description**

**10.3** Audit logs are protected from destruction and unauthorized modifications.

**PCI DSS Requirement**

**10.3.1** Read access to audit log files is limited to those with a job-related need.

| **Assessment Findings (select one)** | | | |
|---|---|---|---|
| **In Place** | **Not Applicable** | **Not Tested** | **Not in Place** |
| ☐ | ☐ | ☐ | ☐ |
| Describe why the assessment finding was selected. ***Note**: Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.* | \<Enter Response Here\> | | |

| **Validation Method -- Customized Approach** | |
|---|---|
| **Indicate** whether a Customized Approach was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used. ***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)* | \<Enter Response Here\> |

| **Validation Method -- Defined Approach** | |
|---|---|
| **Indicate** whether a Compensating Control was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used. ***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)* | \<Enter Response Here\> |


| **Testing Procedures** | **Reporting Instructions** | **Reporting Details: Assessor's Response** |
|---|---|---|
| **10.3.1** Interview system administrators and examine system configurations and privileges to verify that only individuals with a job-related need have read access to audit log files. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **interview(s)** conducted for this testing procedure. | \<Enter Response Here\> |
| | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **system configurations and privileges** examined for this testing procedure. | \<Enter Response Here\> |

**PCI DSS Requirement**

**10.3.2** Audit log files are protected to prevent modifications by individuals.

| **Assessment Findings (select one)** | | | |
|---|---|---|---|
| **In Place** | **Not Applicable** | **Not Tested** | **Not in Place** |
| ☐ | ☐ | ☐ | ☐ |
| Describe why the assessment finding was selected. ***Note**: Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.* | \<Enter Response Here\> | | |


| **Validation Method -- Customized Approach** | |
|---|---|
| **Indicate** whether a Customized Approach was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used. ***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)* | \<Enter Response Here\> |

| **Validation Method -- Defined Approach** | |
|---|---|
| **Indicate** whether a Compensating Control was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used. ***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)* | \<Enter Response Here\> |

| **Testing Procedures** | **Reporting Instructions** | **Reporting Details: Assessor's Response** |
|---|---|---|
| **10.3.2** Examine system configurations and privileges and interview system administrators to verify that current audit log files are protected from modifications by individuals via access control mechanisms, physical segregation, and/or network segregation. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **system configurations and privileges** examined for this testing procedure. | \<Enter Response Here\> |
| | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **interview(s)** conducted for this testing procedure. | \<Enter Response Here\> |


**PCI DSS Requirement**

**10.3.3** Audit log files, including those for external-facing technologies, are promptly backed up to a secure, central, internal log server(s) or other media that is difficult to modify.

| **Assessment Findings (select one)** | | | |
|---|---|---|---|
| **In Place** | **Not Applicable** | **Not Tested** | **Not in Place** |
| ☐ | ☐ | ☐ | ☐ |
| Describe why the assessment finding was selected. ***Note**: Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.* | \<Enter Response Here\> | | |

| **Validation Method -- Customized Approach** | |
|---|---|
| **Indicate** whether a Customized Approach was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used. ***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)* | \<Enter Response Here\> |

| **Validation Method -- Defined Approach** | |
|---|---|
| **Indicate** whether a Compensating Control was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used. ***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)* | \<Enter Response Here\> |


| **Testing Procedures** | **Reporting Instructions** | **Reporting Details: Assessor's Response** |
|---|---|---|
| **10.3.3** Examine backup configurations or log files to verify that current audit log files, including those for external-facing technologies, are promptly backed up to a secure, central, internal log server(s) or other media that is difficult to modify. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **backup configurations or log files** examined for this testing procedure. | \<Enter Response Here\> |

**PCI DSS Requirement**

**10.3.4** File integrity monitoring or change-detection mechanisms are used on audit logs to ensure that existing log data cannot be changed without generating alerts.

| **Assessment Findings (select one)** | | | |
|---|---|---|---|
| **In Place** | **Not Applicable** | **Not Tested** | **Not in Place** |
| ☐ | ☐ | ☐ | ☐ |
| Describe why the assessment finding was selected. ***Note**: Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.* | \<Enter Response Here\> | | |

| **Validation Method -- Customized Approach** | |
|---|---|
| **Indicate** whether a Customized Approach was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used. ***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)* | \<Enter Response Here\> |


| **Validation Method -- Defined Approach** | |
|---|---|
| **Indicate** whether a Compensating Control was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used. ***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)* | \<Enter Response Here\> |

| **Testing Procedures** | **Reporting Instructions** | **Reporting Details: Assessor's Response** |
|---|---|---|
| **10.3.4** Examine system settings, monitored files, and results from monitoring activities to verify the use of file integrity monitoring or change-detection software on audit logs. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **system settings** examined for this testing procedure. | \<Enter Response Here\> |
| | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **monitored files** examined for this testing procedure. | \<Enter Response Here\> |
| | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **results from monitoring activities** examined for this testing procedure. | \<Enter Response Here\> |

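
Requirement 10.3.4 above asks for file integrity monitoring or change detection so that existing audit log data cannot be changed without an alert. The following Python is an added example, not code from the ROC template or from any FIM product, of the distinction such a mechanism has to make: a log file is expected to grow by appending, so a baseline hash over the bytes already recorded stays valid after an append but fails when an existing entry is edited in place or the file is truncated. The file name, the log lines and the scenario in `demo()` are constructed for the example.

```python
"""Change detection on an audit log file (added example for Requirement 10.3.4).

Illustrative code, not part of the ROC template or of any FIM product. It keeps
a baseline (byte length plus SHA-256 of those bytes) for a log file and, on each
check, distinguishes a normal append, which leaves the baseline prefix intact,
from an edit or truncation of existing entries, which is the condition 10.3.4
says must raise an alert. File names and log lines are constructed.
"""
import hashlib
import os
import tempfile


def hash_prefix(path, length):
    """SHA-256 of the first `length` bytes of the file at `path`."""
    digest = hashlib.sha256()
    remaining = length
    with open(path, "rb") as fh:
        while remaining > 0:
            chunk = fh.read(min(65536, remaining))
            if not chunk:
                break
            digest.update(chunk)
            remaining -= len(chunk)
    return digest.hexdigest()


def take_baseline(path):
    """Record the current length and hash of the log file."""
    size = os.path.getsize(path)
    return {"size": size, "sha256": hash_prefix(path, size)}


def check(path, baseline):
    """Compare the file with its baseline.

    Returns (status, baseline): status is "unchanged", "appended" (the old
    bytes are intact and new entries follow them; the baseline is advanced),
    or an "ALERT: ..." string when existing data was modified or removed (the
    baseline is kept so the alert repeats until an operator re-baselines).
    """
    size = os.path.getsize(path)
    if size < baseline["size"]:
        return "ALERT: truncated", baseline
    if hash_prefix(path, baseline["size"]) != baseline["sha256"]:
        return "ALERT: existing data modified", baseline
    if size == baseline["size"]:
        return "unchanged", baseline
    return "appended", {"size": size, "sha256": hash_prefix(path, size)}


def demo():
    """Constructed scenario: one legitimate append, then two tampering cases."""
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        log = os.path.join(tmp, "audit.log")
        with open(log, "w") as fh:
            fh.write("2024-01-01T09:00:00Z uid=alice event=login result=success\n")
            fh.write("2024-01-01T09:05:00Z uid=bob event=login result=failure\n")
        baseline = take_baseline(log)

        # Normal operation: the logging daemon appends an entry.
        with open(log, "a") as fh:
            fh.write("2024-01-01T09:07:00Z uid=alice event=logout result=success\n")
        status, baseline = check(log, baseline)
        results.append(status)

        # Tampering: an existing entry is rewritten in place. The file length
        # does not change, so only the hash comparison catches it.
        with open(log, "r+") as fh:
            data = fh.read().replace("uid=bob event=login result=failure",
                                     "uid=bob event=login result=success")
            fh.seek(0)
            fh.write(data)
            fh.truncate()
        status, baseline = check(log, baseline)
        results.append(status)

        # Tampering: entries are removed by truncating the file.
        with open(log, "w") as fh:
            fh.write("2024-01-01T09:00:00Z uid=alice event=login result=success\n")
        status, baseline = check(log, baseline)
        results.append(status)
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The baseline must itself live somewhere the log writer cannot change (the central log server of 10.3.3 is the natural place), and the check should run from a separate account from the one that has write access to the log; otherwise the same compromise that edits the log can also re-baseline it.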

**Requirement Description**

**10.4** Audit logs are reviewed to identify anomalies or suspicious activity.

**PCI DSS Requirement**

**10.4.1** The following audit logs are reviewed at least once daily:

- All security events.
- Logs of all system components that store, process, or transmit CHD and/or SAD.
- Logs of all critical system components.
- Logs of all servers and system components that perform security functions (for example, network security controls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers).

| **Assessment Findings (select one)** | | | |
|---|---|---|---|
| **In Place** | **Not Applicable** | **Not Tested** | **Not in Place** |
| ☐ | ☐ | ☐ | ☐ |
| Describe why the assessment finding was selected. ***Note**: Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.* | \<Enter Response Here\> | | |

| **Validation Method -- Customized Approach** | |
|---|---|
| **Indicate** whether a Customized Approach was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used. ***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)* | \<Enter Response Here\> |

| **Validation Method -- Defined Approach** | |
|---|---|
| **Indicate** whether a Compensating Control was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used. ***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)* | \<Enter Response Here\> |

| **Testing Procedures** | **Reporting Instructions** | **Reporting Details: Assessor's Response** |
|---|---|---|
| **10.4.1.a** Examine security policies and procedures to verify that processes are defined for reviewing all elements specified in this requirement at least once daily. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **security policies and procedures** examined for this testing procedure. | \<Enter Response Here\> |
| **10.4.1.b** Observe processes and interview personnel to verify that all elements specified in this requirement are reviewed at least once daily. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **observation(s) of processes** for this testing procedure. | \<Enter Response Here\> |
| | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **interview(s)** conducted for this testing procedure. | \<Enter Response Here\> |


**PCI DSS Requirement**

**10.4.1.1** Automated mechanisms are used to perform audit log reviews.

***Note:** This requirement is a **best practice** until **31 March 2025**, after which it will be required and must be fully considered during a PCI DSS assessment.*

| **Assessment Findings (select one)** | | | |
|---|---|---|---|
| **In Place** | **Not Applicable** | **Not Tested** | **Not in Place** |
| ☐ | ☐ | ☐ | ☐ |
| Describe why the assessment finding was selected. ***Note**: Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.* | \<Enter Response Here\> | | |

| **Validation Method -- Customized Approach** | |
|---|---|
| **Indicate** whether a Customized Approach was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used. ***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)* | \<Enter Response Here\> |

| **Validation Method -- Defined Approach** | |
|---|---|
| **Indicate** whether a Compensating Control was used: | ☐ Yes ☐ No |
| **If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used. ***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)* | \<Enter Response Here\> |

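
Requirement 10.4.1.1 above calls for automated mechanisms to perform the daily log reviews that 10.4.1 requires. The following Python is an added example, not part of the ROC template and not any vendor's log review tooling, of what such a mechanism does at its simplest: it parses one day of constructed authentication-server entries and produces findings a reviewer can act on, here an account that accumulates repeated failed logins and a later successful login for that account. The entry format, the `FAILED_LOGIN_THRESHOLD` value and the sample data are assumptions made for the example.

```python
"""Automated daily audit log review (added example for Requirements 10.4.1
and 10.4.1.1).

Illustrative code, not part of the ROC template and not any vendor's tooling.
It reads one day of authentication audit entries in a constructed
"timestamp key=value ..." format and reports two conditions for a reviewer
to investigate: an account accumulating repeated failed logins, and a
successful login for such an account afterwards. The threshold and the
sample entries are assumptions made for the example.
"""
from collections import defaultdict
from datetime import datetime

FAILED_LOGIN_THRESHOLD = 5  # assumption: this many failures in a day is anomalous

# Constructed sample: one day of entries from an authentication server.
SAMPLE_LOG = """\
2024-01-01T09:00:01Z uid=alice event=login result=success src=10.0.0.5
2024-01-01T09:02:10Z uid=bob event=login result=failure src=10.0.0.7
2024-01-01T09:02:30Z uid=bob event=login result=success src=10.0.0.7
2024-01-01T23:10:01Z uid=mallory event=login result=failure src=198.51.100.9
2024-01-01T23:10:03Z uid=mallory event=login result=failure src=198.51.100.9
2024-01-01T23:10:05Z uid=mallory event=login result=failure src=198.51.100.9
2024-01-01T23:10:07Z uid=mallory event=login result=failure src=198.51.100.9
2024-01-01T23:10:09Z uid=mallory event=login result=failure src=198.51.100.9
2024-01-01T23:10:12Z uid=mallory event=login result=success src=198.51.100.9
2024-01-01T23:11:00Z uid=mallory event=file_read result=success src=198.51.100.9
"""


def parse_entry(line):
    """Split one entry into a dict; the first token is an ISO-8601 UTC timestamp."""
    timestamp, *fields = line.split()
    entry = {"ts": datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        entry[key] = value
    return entry


def review(log_text):
    """Return the findings for the entries in log_text.

    Each finding is a (user, description) tuple so it can be written to a
    ticket or to the daily review record; an empty list means nothing to
    escalate for that day.
    """
    failures = defaultdict(int)
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_entry(line)
        if entry.get("event") != "login":
            continue
        user = entry["uid"]
        if entry["result"] == "failure":
            failures[user] += 1
            # Report once, when the threshold is reached, not on every later failure.
            if failures[user] == FAILED_LOGIN_THRESHOLD:
                findings.append((user, f"{failures[user]} failed logins, last at "
                                       f"{entry['ts'].isoformat()} from {entry['src']}"))
        elif entry["result"] == "success" and failures[user] >= FAILED_LOGIN_THRESHOLD:
            findings.append((user, f"successful login after {failures[user]} failures "
                                   f"at {entry['ts'].isoformat()} from {entry['src']}"))
    return findings


if __name__ == "__main__":
    for user, description in review(SAMPLE_LOG):
        print(f"{user}: {description}")
```

The record an assessor would expect to see for 10.4.1 is the list that `review()` returns for each day together with what was done about it, not the raw log; a day whose list is empty is still evidence that the review ran.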
+-----------------+----------------+---+--------------+-----------------+
| **Testing | > **Reporting | | > | |
| Procedures** | > | | **Reporting | |
| | Instructions** | | > Details: | |
| | | | > Assessor's | |
| | | | > Response** | |
+=================+================+===+==============+=================+
| **10.4.1.1** | > **Identify** | | \<Enter | |
| Examine log | > the evidence | | Response | |
| review | > reference | | Here\> | |
| mechanisms and | > number(s) | | | |
| interview | > from | | | |
| personnel to | > [Section | | | |
| verify that | > 6](#evi | | | |
| automated | dence-assessme | | | |
| mechanisms are | nt-workpapers) | | | |
| used to perform | > for all | | | |
| log reviews. | > **log review | | | |
| | > mechanisms** | | | |
| | > examined for | | | |
| | > this testing | | | |
| | > procedure. | | | |
+-----------------+----------------+---+--------------+-----------------+
| | > **Identify** | | \<Enter | |
| | > the evidence | | Response | |
| | > reference | | Here\> | |
| | > number(s) | | | |
| | > from | | | |
| | > [Section | | | |
| | > 6](#evi | | | |
| | dence-assessme | | | |
| | nt-workpapers) | | | |
| | > for all | | | |
|                 |**interview(s)**|   |              |                 |
| | > conducted | | | |
| | > for this | | | |
| | > testing | | | |
| | > procedure. | | | |
+-----------------+----------------+---+--------------+-----------------+
| **PCI DSS | | | | |
| Requirement** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **10.4.2** Logs | | | | |
| of all other | | | | |
| system | | | | |
| components | | | | |
| (those not | | | | |
| specified in | | | | |
| Requirement | | | | |
| 10.4.1) are | | | | |
| reviewed | | | | |
| periodically. | | | | |
+-----------------+----------------+---+--------------+-----------------+
| > **Assessment | | | | |
| > Findings | | | | |
| > (select | | | | |
| > one)** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **In Place** | **Not | * | | **Not in |
| | Applicable** | * | | Place** |
| | | N | | |
| | | o | | |
| | | t | | |
| | | T | | |
| | | e | | |
| | | s | | |
| | | t | | |
| | | e | | |
| | | d | | |
| | | * | | |
| | | * | | |
+-----------------+----------------+---+--------------+-----------------+
| ☐ | ☐ | ☐ | | ☐ |
+-----------------+----------------+---+--------------+-----------------+
| Describe why | | \ | | |
| the assessment | | < | | |
| finding was | | E | | |
| selected. | | n | | |
| | | t | | |
| ***Note**: | | e | | |
| Include all | | r | | |
| details as | | R | | |
| noted in the | | e | | |
| "Required | | s | | |
| Reporting" | | p | | |
| column of the | | o | | |
| table in* | | n | | |
| [Assessment | | s | | |
| F | | e | | |
| indings](#asses | | H | | |
| sment-findings) | | e | | |
| *in the ROC | | r | | |
| Template | | e | | |
| Instructions.* | | \ | | |
| | | > | | |
+-----------------+----------------+---+--------------+-----------------+
| **Validation | | | | |
| Method -- | | | | |
| Customized | | | | |
| Approach** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **Indicate**    |                |   | ☐ Yes ☐ No   |                 |
| whether a | | | | |
| Customized | | | | |
| Approach was | | | | |
| used: | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **If "Yes", | | | \<Enter | |
| Identify** the | | | Response | |
| aspect(s) of | | | Here\> | |
| the requirement | | | | |
| where the | | | | |
| Customized | | | | |
| Approach was | | | | |
| used. | | | | |
| | | | | |
| ***Note:** The | | | | |
| use of | | | | |
| Customized | | | | |
| Approach must | | | | |
| also be | | | | |
| documented in | | | | |
| [Appendix | | | | |
| E | | | | |
| .](#appendix-e- | | | | |
| customized-appr | | | | |
| oach-template)* | | | | |
+-----------------+----------------+---+--------------+-----------------+
+-----------------+-------------------+--------------------------------+
| **Validation | | |
| Method -- | | |
| Defined | | |
| Approach** | | |
+=================+===================+================================+
| **Indicate**    |                   | ☐ Yes ☐ No                     |
| whether a | | |
| Compensating | | |
| Control was | | |
| used: | | |
+-----------------+-------------------+--------------------------------+
| **If "Yes", | | \<Enter Response Here\> |
| Identify** the | | |
| aspect(s) of | | |
| the requirement | | |
| where the | | |
| Compensating | | |
| Control(s) was | | |
| used. | | |
| | | |
| ***Note:** The | | |
| use of | | |
| Compensating | | |
| Controls must | | |
| also be | | |
| documented in | | |
| [Appendix | | |
| C.]( | | |
| #appendix-c-com | | |
| pensating-contr | | |
| ols-worksheet)* | | |
+-----------------+-------------------+--------------------------------+
| > **Testing | > **Reporting | > **Reporting Details: |
| > Procedures** | > Instructions** | > Assessor's Response** |
+-----------------+-------------------+--------------------------------+
| **10.4.2.a** | **Identify** the | \<Enter Response Here\> |
| Examine | evidence | |
| security | reference | |
| policies and | number(s) from | |
| procedures to | [Section | |
| verify that | 6 | |
| processes are | ](#evidence-asses | |
| defined for | sment-workpapers) | |
| reviewing logs | for all | |
| of all other | **security | |
| system | policies and | |
| components | procedures** | |
| periodically. | examined for this | |
| | testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+
| **10.4.2.b** | **Identify** the | \<Enter Response Here\> |
| Examine | evidence | |
| documented | reference | |
| results of log | number(s) from | |
| reviews and | [Section | |
| interview | 6 | |
| personnel to | ](#evidence-asses | |
| verify that log | sment-workpapers) | |
| reviews are | for all | |
| performed | **documented | |
| periodically. | results of log | |
| | reviews** | |
| | examined for this | |
| | testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+
| | **Identify** the | \<Enter Response Here\> |
| | evidence | |
| | reference | |
| | number(s) from | |
| | [Section | |
| | 6 | |
| | ](#evidence-asses | |
| | sment-workpapers) | |
| | for all | |
| | **interview(s)** | |
| | conducted for | |
| | this testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+
+-----------------+----------------+---+--------------+-----------------+
| **PCI DSS | | | | |
| Requirement** | | | | |
+=================+================+===+==============+=================+
| **10.4.2.1** | | | | |
| The frequency | | | | |
| of periodic log | | | | |
| reviews for all | | | | |
| other system | | | | |
| components (not | | | | |
| defined in | | | | |
| Requirement | | | | |
| 10.4.1) is | | | | |
| defined in the | | | | |
| entity's | | | | |
| targeted risk | | | | |
| analysis, which | | | | |
| is performed | | | | |
| according to | | | | |
| all elements | | | | |
| specified in | | | | |
| Requirement | | | | |
| 12.3.1.         |                |   |              |                 |
| | | | | |
| ***Note:** This | | | | |
| requirement is | | | | |
| a **best | | | | |
| practice** | | | | |
| until **31 | | | | |
| March 2025**, | | | | |
| after which it | | | | |
| will be | | | | |
| required and | | | | |
| must be fully | | | | |
| considered | | | | |
| during a PCI | | | | |
| DSS | | | | |
| assessment.* | | | | |
+-----------------+----------------+---+--------------+-----------------+
| > **Assessment | | | | |
| > Findings | | | | |
| > (select | | | | |
| > one)** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **In Place** | **Not | * | | **Not in |
| | Applicable** | * | | Place** |
| | | N | | |
| | | o | | |
| | | t | | |
| | | T | | |
| | | e | | |
| | | s | | |
| | | t | | |
| | | e | | |
| | | d | | |
| | | * | | |
| | | * | | |
+-----------------+----------------+---+--------------+-----------------+
| ☐ | ☐ | ☐ | | ☐ |
+-----------------+----------------+---+--------------+-----------------+
| Describe why | | \ | | |
| the assessment | | < | | |
| finding was | | E | | |
| selected. | | n | | |
| | | t | | |
| ***Note**: | | e | | |
| Include all | | r | | |
| details as | | R | | |
| noted in the | | e | | |
| "Required | | s | | |
| Reporting" | | p | | |
| column of the | | o | | |
| table in | | n | | |
| [Assessment | | s | | |
| F | | e | | |
| indings](#asses | | H | | |
| sment-findings) | | e | | |
| in the ROC | | r | | |
| Template | | e | | |
| Instructions.* | | \ | | |
| | | > | | |
+-----------------+----------------+---+--------------+-----------------+
| **Validation | | | | |
| Method -- | | | | |
| Customized | | | | |
| Approach** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **Indicate**    |                |   | ☐ Yes ☐ No   |                 |
| whether a | | | | |
| Customized | | | | |
| Approach was | | | | |
| used: | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **If "Yes", | | | \<Enter | |
| Identify** the | | | Response | |
| aspect(s) of | | | Here\> | |
| the requirement | | | | |
| where the | | | | |
| Customized | | | | |
| Approach was | | | | |
| used. | | | | |
| | | | | |
| ***Note:** The | | | | |
| use of | | | | |
| Customized | | | | |
| Approach must | | | | |
| also be | | | | |
| documented in | | | | |
| [Appendix | | | | |
| E | | | | |
| .](#appendix-e- | | | | |
| customized-appr | | | | |
| oach-template)* | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **Validation | | | | |
| Method -- | | | | |
| Defined | | | | |
| Approach** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **Indicate**    |                |   | ☐ Yes ☐ No   |                 |
| whether a | | | | |
| Compensating | | | | |
| Control was | | | | |
| used: | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **If "Yes", | | | \<Enter | |
| Identify** the | | | Response | |
| aspect(s) of | | | Here\> | |
| the requirement | | | | |
| where the | | | | |
| Compensating | | | | |
| Control(s) was | | | | |
| used. | | | | |
| | | | | |
| ***Note:** The | | | | |
| use of | | | | |
| Compensating | | | | |
| Controls must | | | | |
| also be | | | | |
| documented in | | | | |
| [Appendix | | | | |
| C.]( | | | | |
| #appendix-c-com | | | | |
| pensating-contr | | | | |
| ols-worksheet)* | | | | |
+-----------------+----------------+---+--------------+-----------------+
+-----------------+----------------+---+--------------+-----------------+
| **Testing | > **Reporting | | > | |
| Procedures** | > | | **Reporting | |
| | Instructions** | | > Details: | |
| | | | > Assessor's | |
| | | | > Response** | |
+=================+================+===+==============+=================+
| **10.4.2.1.a** | > **Identify** | | \<Enter | |
| Examine the | > the evidence | | Response | |
| entity's | > reference | | Here\> | |
| targeted risk | > number(s) | | | |
| analysis for | > from | | | |
| the frequency | > [Section | | | |
| of periodic log | > 6](#evi | | | |
| reviews for all | dence-assessme | | | |
| other system | nt-workpapers) | | | |
| components (not | > for the | | | |
| defined in | > **entity's | | | |
| Requirement | > targeted | | | |
| 10.4.1) to | > risk | | | |
| verify the risk | > analysis** | | | |
| analysis was | > examined for | | | |
| performed in | > this testing | | | |
| accordance with | > procedure. | | | |
| all elements | | | | |
| specified at | | | | |
| Requirement | | | | |
| 12.3.1. | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **10.4.2.1.b** | > **Identify** | | \<Enter | |
| Examine | > the evidence | | Response | |
| documented | > reference | | Here\> | |
| results of | > number(s) | | | |
| periodic log | > from | | | |
| reviews of all | > [Section | | | |
| other system | > 6](#evi | | | |
| components (not | dence-assessme | | | |
| defined in | nt-workpapers) | | | |
| Requirement | > for the | | | |
| 10.4.1) and | > **documented | | | |
| interview | > results of | | | |
| personnel to | > all other | | | |
| verify log | > system | | | |
| reviews are | > components | | | |
| performed at | > (not defined | | | |
| the frequency | > in | | | |
| specified in | > Requirement | | | |
| the entity's | > 10.4.1)** | | | |
| targeted risk | > examined for | | | |
| analysis | > this testing | | | |
| performed for | > procedure. | | | |
| this | | | | |
| requirement. | | | | |
+-----------------+----------------+---+--------------+-----------------+
| | > **Identify** | | \<Enter | |
| | > the evidence | | Response | |
| | > reference | | Here\> | |
| | > number(s) | | | |
| | > from | | | |
| | > [Section | | | |
| | > 6](#evi | | | |
| | dence-assessme | | | |
| | nt-workpapers) | | | |
| | > for all | | | |
|                 |**interview(s)**|   |              |                 |
| | > conducted | | | |
| | > for this | | | |
| | > testing | | | |
| | > procedure. | | | |
+-----------------+----------------+---+--------------+-----------------+
| > **PCI DSS | | | | |
| > Requirement** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **10.4.3** | | | | |
| Exceptions and | | | | |
| anomalies | | | | |
| identified | | | | |
| during the | | | | |
| review process | | | | |
| are addressed. | | | | |
+-----------------+----------------+---+--------------+-----------------+
| > **Assessment | | | | |
| > Findings | | | | |
| > (select | | | | |
| > one)** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **In Place** | **Not | * | | **Not in |
| | Applicable** | * | | Place** |
| | | N | | |
| | | o | | |
| | | t | | |
| | | T | | |
| | | e | | |
| | | s | | |
| | | t | | |
| | | e | | |
| | | d | | |
| | | * | | |
| | | * | | |
+-----------------+----------------+---+--------------+-----------------+
| ☐ | ☐ | ☐ | | ☐ |
+-----------------+----------------+---+--------------+-----------------+
| Describe why | | \ | | |
| the assessment | | < | | |
| finding was | | E | | |
| selected. | | n | | |
| | | t | | |
| ***Note**: | | e | | |
| Include all | | r | | |
| details as | | R | | |
| noted in the | | e | | |
| "Required | | s | | |
| Reporting" | | p | | |
| column of the | | o | | |
| table in | | n | | |
| [Assessment | | s | | |
| F | | e | | |
| indings](#asses | | H | | |
| sment-findings) | | e | | |
| in the ROC | | r | | |
| Template | | e | | |
| Instructions.* | | \ | | |
| | | > | | |
+-----------------+----------------+---+--------------+-----------------+
+-----------------+-------------------+--------------------------------+
| **Validation | | |
| Method -- | | |
| Customized | | |
| Approach** | | |
+=================+===================+================================+
| **Indicate**    |                   | ☐ Yes ☐ No                     |
| whether a | | |
| Customized | | |
| Approach was | | |
| used: | | |
+-----------------+-------------------+--------------------------------+
| **If "Yes", | | \<Enter Response Here\> |
| Identify** the | | |
| aspect(s) of | | |
| the requirement | | |
| where the | | |
| Customized | | |
| Approach was | | |
| used. | | |
| | | |
| ***Note:** The | | |
| use of | | |
| Customized | | |
| Approach must | | |
| also be | | |
| documented in | | |
| [Appendix | | |
| E | | |
| .](#appendix-e- | | |
| customized-appr | | |
| oach-template)* | | |
+-----------------+-------------------+--------------------------------+
| **Validation | | |
| Method -- | | |
| Defined | | |
| Approach** | | |
+-----------------+-------------------+--------------------------------+
| **Indicate**    |                   | ☐ Yes ☐ No                     |
| whether a | | |
| Compensating | | |
| Control was | | |
| used: | | |
+-----------------+-------------------+--------------------------------+
| **If "Yes", | | \<Enter Response Here\> |
| Identify** the | | |
| aspect(s) of | | |
| the requirement | | |
| where the | | |
| Compensating | | |
| Control(s) was | | |
| used. | | |
| | | |
| ***Note:** The | | |
| use of | | |
| Compensating | | |
| Controls must | | |
| also be | | |
| documented in | | |
| [Appendix | | |
| C.]( | | |
| #appendix-c-com | | |
| pensating-contr | | |
| ols-worksheet)* | | |
+-----------------+-------------------+--------------------------------+
| > **Testing | > **Reporting | > **Reporting Details: |
| > Procedures** | > Instructions** | > Assessor's Response** |
+-----------------+-------------------+--------------------------------+
| **10.4.3.a** | **Identify** the | \<Enter Response Here\> |
| Examine | evidence | |
| security | reference | |
| policies and | number(s) from | |
| procedures to | [Section | |
| verify that | 6 | |
| processes are | ](#evidence-asses | |
| defined for | sment-workpapers) | |
| addressing | for all | |
| exceptions and | **security | |
| anomalies | policies and | |
| identified | procedures** | |
| during the | examined for this | |
| review process. | testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+
| **10.4.3.b** | **Identify** the | \<Enter Response Here\> |
| Observe | evidence | |
| processes and | reference | |
| interview | number(s) from | |
| personnel to | [Section | |
| verify that, | 6 | |
| when exceptions | ](#evidence-asses | |
| and anomalies | sment-workpapers) | |
| are identified, | for all | |
| they are | **observation(s) | |
| addressed. | of processes** | |
| | for this testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+
| | **Identify** the | \<Enter Response Here\> |
| | evidence | |
| | reference | |
| | number(s) from | |
| | [Section | |
| | 6 | |
| | ](#evidence-asses | |
| | sment-workpapers) | |
| | for all | |
| | **interview(s)** | |
| | conducted for | |
| | this testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+
+-----------------+----------------+---+--------------+-----------------+
| > **Requirement | | | | |
| > Description** | | | | |
+=================+================+===+==============+=================+
| **10.5** Audit | | | | |
| log history is | | | | |
| retained and | | | | |
| available for | | | | |
| analysis. | | | | |
+-----------------+----------------+---+--------------+-----------------+
| > **PCI DSS | | | | |
| > Requirement** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **10.5.1** | | | | |
| Retain audit | | | | |
| log history for | | | | |
| at least 12 | | | | |
| months, with at | | | | |
| least the most | | | | |
| recent three | | | | |
| months | | | | |
| immediately | | | | |
| available for | | | | |
| analysis. | | | | |
+-----------------+----------------+---+--------------+-----------------+
| > **Assessment | | | | |
| > Findings | | | | |
| > (select | | | | |
| > one)** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **In Place** | **Not | * | | **Not in |
| | Applicable** | * | | Place** |
| | | N | | |
| | | o | | |
| | | t | | |
| | | T | | |
| | | e | | |
| | | s | | |
| | | t | | |
| | | e | | |
| | | d | | |
| | | * | | |
| | | * | | |
+-----------------+----------------+---+--------------+-----------------+
| ☐ | ☐ | ☐ | | ☐ |
+-----------------+----------------+---+--------------+-----------------+
| Describe why | | \ | | |
| the assessment | | < | | |
| finding was | | E | | |
| selected. | | n | | |
| | | t | | |
| ***Note**: | | e | | |
| Include all | | r | | |
| details as | | R | | |
| noted in the | | e | | |
| "Required | | s | | |
| Reporting" | | p | | |
| column of the | | o | | |
| table in | | n | | |
| [Assessment | | s | | |
| F | | e | | |
| indings](#asses | | H | | |
| sment-findings) | | e | | |
| in the ROC | | r | | |
| Template | | e | | |
| Instructions.* | | \ | | |
| | | > | | |
+-----------------+----------------+---+--------------+-----------------+
| **Validation | | | | |
| Method -- | | | | |
| Customized | | | | |
| Approach** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **Indicate**    |                |   | ☐ Yes ☐ No   |                 |
| whether a | | | | |
| Customized | | | | |
| Approach was | | | | |
| used: | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **If "Yes", | | | \<Enter | |
| Identify** the | | | Response | |
| aspect(s) of | | | Here\> | |
| the requirement | | | | |
| where the | | | | |
| Customized | | | | |
| Approach was | | | | |
| used. | | | | |
| | | | | |
| ***Note:** The | | | | |
| use of | | | | |
| Customized | | | | |
| Approach must | | | | |
| also be | | | | |
| documented in | | | | |
| [Appendix | | | | |
| E | | | | |
| .](#appendix-e- | | | | |
| customized-appr | | | | |
| oach-template)* | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **Validation | | | | |
| Method -- | | | | |
| Defined | | | | |
| Approach** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **Indicate**    |                |   | ☐ Yes ☐ No   |                 |
| whether a | | | | |
| Compensating | | | | |
| Control was | | | | |
| used: | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **If "Yes", | | | \<Enter | |
| Identify** the | | | Response | |
| aspect(s) of | | | Here\> | |
| the requirement | | | | |
| where the | | | | |
| Compensating | | | | |
| Control(s) was | | | | |
| used. | | | | |
| | | | | |
| ***Note:** The | | | | |
| use of | | | | |
| Compensating | | | | |
| Controls must | | | | |
| also be | | | | |
| documented in | | | | |
| [Appendix | | | | |
| C.]( | | | | |
| #appendix-c-com | | | | |
| pensating-contr | | | | |
| ols-worksheet)* | | | | |
+-----------------+----------------+---+--------------+-----------------+
+-----------------+-------------------+--------------------------------+
| > **Testing | > **Reporting | > **Reporting Details: |
| > Procedures** | > Instructions** | > Assessor's Response** |
+=================+===================+================================+
| **10.5.1.a** | **Identify** the | \<Enter Response Here\> |
| Examine | evidence | |
| documentation | reference | |
| to verify that | number(s) from | |
| the following | [Section | |
| is defined: | 6 | |
| | ](#evidence-asses | |
| - Audit log | sment-workpapers) | |
| retention | for all | |
| policies. | **documentation** | |
| | examined for this | |
| - Procedures | testing | |
| for | procedure. | |
| retaining | | |
| audit log | | |
| history for | | |
| at least 12 | | |
| months, | | |
| with at | | |
| least the | | |
| most recent | | |
| three | | |
| months | | |
| immediately | | |
| available | | |
| online. | | |
+-----------------+-------------------+--------------------------------+
| **10.5.1.b** | **Identify** the | \<Enter Response Here\> |
| Examine | evidence | |
| configurations | reference | |
| of audit log | number(s) from | |
| history, | [Section | |
| interview | 6 | |
| personnel and | ](#evidence-asses | |
| examine audit | sment-workpapers) | |
| logs to verify | for all | |
| that audit logs |**configurations** |                                |
| history is      | examined for this |                                |
| retained for at | testing           |                                |
| least 12        | procedure.        |                                |
| months.         |                   |                                |
+-----------------+-------------------+--------------------------------+
| | **Identify** the | \<Enter Response Here\> |
| | evidence | |
| | reference | |
| | number(s) from | |
| | [Section | |
| | 6 | |
| | ](#evidence-asses | |
| | sment-workpapers) | |
| | for all | |
| | **interview(s)** | |
| | conducted for | |
| | this testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+
| | **Identify** the | \<Enter Response Here\> |
| | evidence | |
| | reference | |
| | number(s) from | |
| | [Section | |
| | 6 | |
| | ](#evidence-asses | |
| | sment-workpapers) | |
| | for all **audit | |
| | logs** examined | |
| | for this testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+
| **10.5.1.c** | **Identify** the | \<Enter Response Here\> |
| Interview | evidence | |
| personnel and | reference | |
| observe | number(s) from | |
| processes to | [Section | |
| verify that at | 6 | |
| least the most | ](#evidence-asses | |
| recent three | sment-workpapers) | |
| months' audit | for all | |
| log history is | **interview(s)** | |
| immediately | conducted for | |
| available for | this testing | |
| analysis. | procedure. | |
+-----------------+-------------------+--------------------------------+
| | **Identify** the | \<Enter Response Here\> |
| | evidence | |
| | reference | |
| | number(s) from | |
| | [Section | |
| | 6 | |
| | ](#evidence-asses | |
| | sment-workpapers) | |
| | for the | |
| | **observation(s) | |
| | of processes** | |
| | for this testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+
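The two numbers in Requirement 10.5.1 (at least 12 months of audit log history, with the most recent three months immediately available for analysis) are easy to state and easy to get subtly wrong once archives are split across storage tiers. The Python below is an added example, not part of the ROC template and not PCI SSC tooling: it walks an inventory of log-archive segments and reports the exact date ranges missing from either window, which is what the "Describe why the assessment finding was selected" cell for 10.5.1 needs to say. The inventory layout, the tier names `online` and `cold`, and the 365-day and 90-day readings of "12 months" and "three months" are assumptions made for this example; both sample inventories are constructed.

```python
from datetime import date, timedelta
from typing import NamedTuple

# Added example: checks an archive inventory against the two numbers in
# Requirement 10.5.1. Inventory layout, tier names and the 365/90-day
# readings of "12 months" / "three months" are assumptions for this example.
RETAIN_DAYS = 365   # history that must exist somewhere
ONLINE_DAYS = 90    # most recent history that must be immediately available

class Segment(NamedTuple):
    start: str   # first day covered, ISO date
    end: str     # last day covered, ISO date, inclusive
    tier: str    # "online" = searchable now; "cold" = must be restored first

def coverage_gaps(segments, window_start, window_end):
    """Return the date ranges inside [window_start, window_end] that no
    segment covers, as (gap_start, gap_end) pairs, inclusive. Segments are
    walked in start order, so overlaps and adjacency are merged naturally."""
    spans = sorted((date.fromisoformat(s.start), date.fromisoformat(s.end))
                   for s in segments)
    gaps = []
    cursor = window_start        # earliest day not yet shown to be covered
    for start, end in spans:
        if cursor > window_end:
            break
        if end < cursor:
            continue             # segment ends before the region still in question
        if start > cursor:
            gaps.append((cursor, min(start - timedelta(days=1), window_end)))
        cursor = max(cursor, end + timedelta(days=1))
    if cursor <= window_end:
        gaps.append((cursor, window_end))
    return gaps

def _iso(gaps):
    return [(a.isoformat(), b.isoformat()) for a, b in gaps]

def check_retention(segments, as_of):
    """Evaluate both halves of 10.5.1 as of an ISO date:
    history: every day of the last RETAIN_DAYS is covered by some segment;
    online:  every day of the last ONLINE_DAYS is covered by an "online" one.
    Gaps are reported as ISO date pairs so the reviewer sees what is missing."""
    today = date.fromisoformat(as_of)
    history_gaps = coverage_gaps(segments, today - timedelta(days=RETAIN_DAYS - 1), today)
    online_gaps = coverage_gaps([s for s in segments if s.tier == "online"],
                                today - timedelta(days=ONLINE_DAYS - 1), today)
    return {
        "history_ok": not history_gaps, "history_gaps": _iso(history_gaps),
        "online_ok": not online_gaps, "online_gaps": _iso(online_gaps),
    }

# Constructed sample inventories (not real data), evaluated as of 2023-06-30.
GOOD_INVENTORY = [
    Segment("2022-01-01", "2022-09-30", "cold"),
    Segment("2022-10-01", "2023-03-31", "cold"),
    Segment("2023-04-01", "2023-06-30", "online"),
]
# November 2022 was never archived and the online tier only holds logs from
# mid-May, so both halves of 10.5.1 fail and the output names the gaps.
BAD_INVENTORY = [
    Segment("2022-01-01", "2022-10-31", "cold"),
    Segment("2022-12-01", "2023-05-14", "cold"),
    Segment("2023-05-15", "2023-06-30", "online"),
]

if __name__ == "__main__":
    for name, inventory in (("good", GOOD_INVENTORY), ("bad", BAD_INVENTORY)):
        print(name, check_retention(inventory, "2023-06-30"))
```

The gap list is the useful output: "history not retained" is a finding, but "2022-11-01 to 2022-11-30 is missing from every tier" is evidence an assessor can cite under 10.5.1.b, and "the online tier starts on 2023-05-15" is the observation 10.5.1.c asks for. The check still has to be backed by the retention configuration and by looking at the logs themselves, as the testing procedures require.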
+-----------------+----------------+---+--------------+-----------------+
| > **Requirement | | | | |
| > Description** | | | | |
+=================+================+===+==============+=================+
| **10.6** | | | | |
| Time- | | | | |
| synchronization | | | | |
| mechanisms | | | | |
| support | | | | |
| consistent time | | | | |
| settings across | | | | |
| all systems. | | | | |
+-----------------+----------------+---+--------------+-----------------+
| > **PCI DSS | | | | |
| > Requirement** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **10.6.1** | | | | |
| System clocks | | | | |
| and time are | | | | |
| synchronized | | | | |
| using | | | | |
| time- | | | | |
| synchronization | | | | |
| technology. | | | | |
+-----------------+----------------+---+--------------+-----------------+
| > **Assessment | | | | |
| > Findings | | | | |
| > (select | | | | |
| > one)** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **In Place** | **Not | * | | **Not in |
| | Applicable** | * | | Place** |
| | | N | | |
| | | o | | |
| | | t | | |
| | | T | | |
| | | e | | |
| | | s | | |
| | | t | | |
| | | e | | |
| | | d | | |
| | | * | | |
| | | * | | |
+-----------------+----------------+---+--------------+-----------------+
| ☐ | ☐ | ☐ | | ☐ |
+-----------------+----------------+---+--------------+-----------------+
| Describe why | | \ | | |
| the assessment | | < | | |
| finding was | | E | | |
| selected. | | n | | |
| | | t | | |
| ***Note**: | | e | | |
| Include all | | r | | |
| details as | | R | | |
| noted in the | | e | | |
| "Required | | s | | |
| Reporting" | | p | | |
| column of the | | o | | |
| table in | | n | | |
| [Assessment | | s | | |
| F | | e | | |
| indings](#asses | | H | | |
| sment-findings) | | e | | |
| in the ROC | | r | | |
| Template | | e | | |
| Instructions.* | | \ | | |
| | | > | | |
+-----------------+----------------+---+--------------+-----------------+
| **Validation | | | | |
| Method -- | | | | |
| Customized | | | | |
| Approach** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **Indicate**    |                |   | ☐ Yes ☐ No   |                 |
| whether a | | | | |
| Customized | | | | |
| Approach was | | | | |
| used: | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **If "Yes", | | | \<Enter | |
| Identify** the | | | Response | |
| aspect(s) of | | | Here\> | |
| the requirement | | | | |
| where the | | | | |
| Customized | | | | |
| Approach was | | | | |
| used. | | | | |
| | | | | |
| ***Note:** The | | | | |
| use of | | | | |
| Customized | | | | |
| Approach must | | | | |
| also be | | | | |
| documented in | | | | |
| [Appendix | | | | |
| E | | | | |
| .](#appendix-e- | | | | |
| customized-appr | | | | |
| oach-template)* | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **Validation | | | | |
| Method -- | | | | |
| Defined | | | | |
| Approach** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **Indicate**    |                |   | ☐ Yes ☐ No   |                 |
| whether a | | | | |
| Compensating | | | | |
| Control was | | | | |
| used: | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **If "Yes", | | | \<Enter | |
| Identify** the | | | Response | |
| aspect(s) of | | | Here\> | |
| the requirement | | | | |
| where the | | | | |
| Compensating | | | | |
| Control(s) was | | | | |
| used. | | | | |
| | | | | |
| ***Note:** The | | | | |
| use of | | | | |
| Compensating | | | | |
| Controls must | | | | |
| also be | | | | |
| documented in | | | | |
| [Appendix | | | | |
| C.]( | | | | |
| #appendix-c-com | | | | |
| pensating-contr | | | | |
| ols-worksheet)* | | | | |
+-----------------+----------------+---+--------------+-----------------+
+-----------------+----------------+---+--------------+-----------------+
| **Testing | > **Reporting | | > | |
| Procedures** | > | | **Reporting | |
| | Instructions** | | > Details: | |
| | | | > Assessor's | |
| | | | > Response** | |
+=================+================+===+==============+=================+
| **10.6.1** | > **Identify** | | \<Enter | |
| Examine system | > the evidence | | Response | |
| configuration | > reference | | Here\> | |
| settings to | > number(s) | | | |
| verify that | > from | | | |
| time- | > [Section | | | |
| synchronization | > 6](#evi | | | |
| technology is | dence-assessme | | | |
| implemented and | nt-workpapers) | | | |
| kept current. | > for all | | | |
| | > **system | | | |
| | > | | | |
| | configuration | | | |
| | > settings** | | | |
| | > examined for | | | |
| | > this testing | | | |
| | > procedure. | | | |
+-----------------+----------------+---+--------------+-----------------+
| > **PCI DSS | | | | |
| > Requirement** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **10.6.2** | | | | |
| Systems are | | | | |
| configured to | | | | |
| the correct and | | | | |
| consistent time | | | | |
| as follows: | | | | |
| | | | | |
| - One or more | | | | |
| designated | | | | |
| time | | | | |
| servers are | | | | |
| in use. | | | | |
| | | | | |
| - Only the | | | | |
| designated | | | | |
| central | | | | |
| time | | | | |
| server(s) | | | | |
| receives | | | | |
| time from | | | | |
| external | | | | |
| sources. | | | | |
| | | | | |
| - Time | | | | |
| received | | | | |
| from | | | | |
| external | | | | |
| sources is | | | | |
| based on | | | | |
| | | | | |
| International | | | | |
| Atomic Time | | | | |
| or | | | | |
| Coordinated | | | | |
| Universal | | | | |
| Time (UTC). | | | | |
| | | | | |
| - The | | | | |
| designated | | | | |
| time | | | | |
| server(s) | | | | |
| accept time | | | | |
| updates | | | | |
| only from | | | | |
| specific | | | | |
|industry-accepted|                |   |              |                 |
| external | | | | |
| sources. | | | | |
| | | | | |
| - Where there | | | | |
| is more | | | | |
| than one | | | | |
| designated | | | | |
| time | | | | |
| server, the | | | | |
| time | | | | |
| servers | | | | |
| peer with | | | | |
| one another | | | | |
| to keep | | | | |
| accurate | | | | |
| time. | | | | |
| | | | | |
| - Internal | | | | |
| systems | | | | |
| receive | | | | |
| time | | | | |
| information | | | | |
| only from | | | | |
| designated | | | | |
| central | | | | |
| time | | | | |
| server(s). | | | | |
+-----------------+----------------+---+--------------+-----------------+
| > **Assessment | | | | |
| > Findings | | | | |
| > (select | | | | |
| > one)** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **In Place** | **Not | * | | **Not in |
| | Applicable** | * | | Place** |
| | | N | | |
| | | o | | |
| | | t | | |
| | | T | | |
| | | e | | |
| | | s | | |
| | | t | | |
| | | e | | |
| | | d | | |
| | | * | | |
| | | * | | |
+-----------------+----------------+---+--------------+-----------------+
| ☐ | ☐ | ☐ | | ☐ |
+-----------------+----------------+---+--------------+-----------------+
| Describe why | | \ | | |
| the assessment | | < | | |
| finding was | | E | | |
| selected. | | n | | |
| | | t | | |
| ***Note**: | | e | | |
| Include all | | r | | |
| details as | | R | | |
| noted in the | | e | | |
| "Required | | s | | |
| Reporting" | | p | | |
| column of the | | o | | |
| table in* | | n | | |
| [Assessment | | s | | |
| F | | e | | |
| indings](#asses | | H | | |
| sment-findings) | | e | | |
| *in the ROC | | r | | |
| Template | | e | | |
| Instructions.* | | \ | | |
| | | > | | |
+-----------------+----------------+---+--------------+-----------------+
| **Validation | | | | |
| Method -- | | | | |
| Customized | | | | |
| Approach** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **Indicate** | | | - Yes ☐ No | |
| whether a | | | | |
| Customized | | | | |
| Approach was | | | | |
| used: | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **If "Yes", | | | \<Enter | |
| Identify** the | | | Response | |
| aspect(s) of | | | Here\> | |
| the requirement | | | | |
| where the | | | | |
| Customized | | | | |
| Approach was | | | | |
| used. | | | | |
+-----------------+----------------+---+--------------+-----------------+
+-----------------+-------------------+--------------------------------+
| ***Note:** The | | |
| use of | | |
| Customized | | |
| Approach must | | |
| also be | | |
| documented in | | |
| [Appendix | | |
| E | | |
| .](#appendix-e- | | |
| customized-appr | | |
| oach-template)* | | |
+=================+===================+================================+
| **Validation | | |
| Method -- | | |
| Defined | | |
| Approach** | | |
+-----------------+-------------------+--------------------------------+
| **Indicate** | | - Yes ☐ No |
| whether a | | |
| Compensating | | |
| Control was | | |
| used: | | |
+-----------------+-------------------+--------------------------------+
| **If "Yes", | | \<Enter Response Here\> |
| Identify** the | | |
| aspect(s) of | | |
| the requirement | | |
| where the | | |
| Compensating | | |
| Control(s) was | | |
| used. | | |
| | | |
| ***Note:** The | | |
| use of | | |
| Compensating | | |
| Controls must | | |
| also be | | |
| documented in | | |
| [Appendix | | |
| C.]( | | |
| #appendix-c-com | | |
| pensating-contr | | |
| ols-worksheet)* | | |
+-----------------+-------------------+--------------------------------+
| > **Testing | > **Reporting | > **Reporting Details: |
| > Procedures** | > Instructions** | > Assessor's Response** |
+-----------------+-------------------+--------------------------------+
| **10.6.2** | **Identify** the | \<Enter Response Here\> |
| Examine system | evidence | |
| configuration | reference | |
| settings for | number(s) from | |
| acquiring, | [Section | |
| distributing, | 6 | |
| and storing the | ](#evidence-asses | |
| correct time to | sment-workpapers) | |
| verify the | for all **system | |
| settings are | configuration | |
| configured in | settings** | |
| accordance with | examined for this | |
| all elements | testing | |
| specified in | procedure. | |
| this | | |
| requirement. | | |
+-----------------+-------------------+--------------------------------+
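
The 10.6.2 elements above (designated servers take time only from approved external sources, designated servers peer with one another, internal systems take time only from the designated servers) can be checked mechanically against the time-sync configuration an assessor collects. The following is an added example, not code from the ROC template or PCI SSC: it parses the `server`/`pool`/`peer` directives of a chrony-style configuration and reports deviations. The host names, the approved-source list and the two sample configurations are constructed for illustration.

```python
"""Constructed example: check chrony-style time configuration against the
10.6.2 elements (designated servers accept time only from approved external
sources, designated servers peer with each other, internal systems take time
only from designated servers).  Not PCI SSC code; host names, the directive
subset and the approved-source list are assumptions for illustration."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Only directives that name a time source are parsed; chrony's other
# directives (allow, driftfile, ...) do not affect these checks.
DIRECTIVE = re.compile(r"^\s*(server|pool|peer)\s+(\S+)", re.IGNORECASE)


@dataclass
class TimeConfig:
    sources: List[str] = field(default_factory=list)  # server/pool directives
    peers: List[str] = field(default_factory=list)    # peer directives


def parse_chrony(text: str) -> TimeConfig:
    """Collect the time sources and peers declared in a chrony.conf body."""
    cfg = TimeConfig()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # drop trailing comments
        m = DIRECTIVE.match(line)
        if not m:
            continue
        kind, host = m.group(1).lower(), m.group(2)
        (cfg.peers if kind == "peer" else cfg.sources).append(host)
    return cfg


def check_designated_server(cfg: TimeConfig, approved_external: Set[str],
                            other_designated: Set[str]) -> List[str]:
    """Findings for a designated central time server."""
    findings = []
    for host in cfg.sources:
        if host not in approved_external:
            findings.append(f"accepts time from non-approved source {host}")
    if not cfg.sources:
        findings.append("no external time source configured")
    missing = other_designated - set(cfg.peers)
    if missing:
        findings.append("does not peer with designated server(s): "
                        + ", ".join(sorted(missing)))
    return findings


def check_internal_system(cfg: TimeConfig, designated: Set[str]) -> List[str]:
    """Findings for an internal system that must use designated servers only."""
    findings = [f"receives time from non-designated source {host}"
                for host in cfg.sources if host not in designated]
    if cfg.peers:
        findings.append("internal system peers with other hosts: "
                        + ", ".join(cfg.peers))
    return findings


# Constructed sample values (assumed names, not from the template).
APPROVED_EXTERNAL = {"stratum1-a.example.net", "stratum1-b.example.net"}
DESIGNATED = {"ntp1.corp.example", "ntp2.corp.example"}

NTP1_CONF = """
server stratum1-a.example.net iburst
server stratum1-b.example.net iburst
peer ntp2.corp.example          # peering keeps the two designated servers consistent
allow 10.0.0.0/8
"""

WORKSTATION_CONF = """
server ntp1.corp.example iburst
pool public.pool.example iburst   # deviates from 10.6.2: not a designated server
"""


def audit_all() -> Dict[str, List[str]]:
    """Run both checks over the constructed configs; returns findings per host."""
    return {
        "ntp1": check_designated_server(parse_chrony(NTP1_CONF),
                                        APPROVED_EXTERNAL, {"ntp2.corp.example"}),
        "workstation": check_internal_system(parse_chrony(WORKSTATION_CONF),
                                             DESIGNATED),
    }


if __name__ == "__main__":
    for host, findings in audit_all().items():
        print(host, "OK" if not findings else findings)
```

Each finding maps to one element of the requirement, so the output can be quoted directly in the assessor's response for 10.6.2 alongside the evidence reference of the configuration file it was produced from.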
**PCI DSS Requirement**

**10.6.3** Time synchronization settings and data are protected as follows:

- Access to time data is restricted to only personnel with a business need.

- Any changes to time settings on critical systems are logged, monitored, and reviewed.

**Assessment Findings (select one)**

| In Place | Not Applicable | Not Tested | Not in Place |
|----------|----------------|------------|--------------|
| ☐        | ☐              | ☐          | ☐            |

Describe why the assessment finding was selected. \<Enter Response Here\>

***Note**: Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.*

**Validation Method -- Customized Approach**

**Indicate** whether a Customized Approach was used: ☐ Yes ☐ No

**If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used. \<Enter Response Here\>

***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)*

**Validation Method -- Defined Approach**

**Indicate** whether a Compensating Control was used: ☐ Yes ☐ No

**If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used. \<Enter Response Here\>

***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)*

| Testing Procedures | Reporting Instructions | Reporting Details: Assessor's Response |
|---|---|---|
| **10.6.3.a** Examine system configurations and time-synchronization settings to verify that access to time data is restricted to only personnel with a business need. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **system configurations and time-synchronization settings** examined for this testing procedure. | \<Enter Response Here\> |
| **10.6.3.b** Examine system configurations and time synchronization settings and logs and observe processes to verify that any changes to time settings on critical systems are logged, monitored, and reviewed. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **system configurations and time synchronization settings** examined for this testing procedure. | \<Enter Response Here\> |
|  | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **logs** examined for this testing procedure. | \<Enter Response Here\> |
|  | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for the **observation(s) of processes** for this testing procedure. | \<Enter Response Here\> |
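
Testing procedure 10.6.3.b asks the assessor to confirm that changes to time settings on critical systems are logged, monitored and reviewed. On Linux the usual evidence is an audit rule set that tags clock-setting system calls with a key such as `time-change`; the review step then has to separate the expected adjustments made by the designated sync daemon from everything else. The block below is an added example, not code from the ROC template or PCI SSC: it extracts time-change records from audit log lines and lists the ones a reviewer must look at. The log lines are constructed and abbreviated, the key name and the daemon allow-list are assumptions.

```python
"""Constructed example for 10.6.3 (changes to time settings on critical
systems are logged, monitored, and reviewed): pick time-change records out
of Linux audit log lines and flag the ones that need human review.
Assumes audit rules tagged with key="time-change" covering adjtimex,
settimeofday and clock_settime; the log lines below are constructed and
abbreviated, not taken from the template or a real host."""
import re
from datetime import datetime, timezone
from typing import Dict, Iterable, List

RECORD = re.compile(r"^type=SYSCALL msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# x86_64 syscall numbers for the calls that set or slew the system clock.
CLOCK_SYSCALLS = {159: "adjtimex", 164: "settimeofday", 227: "clock_settime"}


def parse_time_change_events(lines: Iterable[str], key: str = "time-change") -> List[Dict]:
    """Return one dict per SYSCALL record carrying the time-change key."""
    events = []
    for line in lines:
        m = RECORD.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(m.group("body"))}
        if fields.get("key") != key:
            continue
        nr = int(fields.get("syscall", -1))
        events.append({
            "serial": int(m.group("serial")),
            "when": datetime.fromtimestamp(float(m.group("ts")), tz=timezone.utc).isoformat(),
            "syscall": CLOCK_SYSCALLS.get(nr, f"syscall {nr}"),
            "success": fields.get("success") == "yes",
            "auid": fields.get("auid"),   # login uid: the accountable person
            "comm": fields.get("comm"),
            "exe": fields.get("exe"),
        })
    return events


def needs_review(events: List[Dict], expected_daemons=("chronyd", "ntpd")) -> List[Dict]:
    """Adjustments by the designated sync daemon are expected; anything else
    (an interactive clock set, a script, a failed attempt) is flagged."""
    return [e for e in events if e["comm"] not in expected_daemons]


# Constructed, abbreviated audit records (fields of a real SYSCALL line that
# this check does not use are omitted).
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=159 success=yes exit=0 uid=0 auid=4294967295 comm="chronyd" exe="/usr/sbin/chronyd" key="time-change"',
    'type=SYSCALL msg=audit(1700000300.250:202): arch=c000003e syscall=164 success=yes exit=0 uid=0 auid=1001 comm="date" exe="/usr/bin/date" key="time-change"',
    'type=SYSCALL msg=audit(1700000301.000:203): arch=c000003e syscall=227 success=no exit=-1 uid=1002 auid=1002 comm="date" exe="/usr/bin/date" key="time-change"',
    'type=SYSCALL msg=audit(1700000400.000:204): arch=c000003e syscall=59 success=yes exit=0 uid=0 auid=1001 comm="bash" exe="/usr/bin/bash" key="exec"',
]


def review_sample() -> List[Dict]:
    """Events from the constructed log that a reviewer has to sign off on."""
    return needs_review(parse_time_change_events(SAMPLE_LOG))


if __name__ == "__main__":
    for e in review_sample():
        print(f"{e['when']} serial={e['serial']} {e['syscall']} by auid={e['auid']} "
              f"({e['exe']}) success={e['success']}")
```

Failed attempts are kept in the review list on purpose: a denied clock change on a critical system is as relevant to the "monitored and reviewed" element as a successful one, and the `auid` field is what ties the event to a person rather than to the root account it ran under.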
**Requirement Description**

**10.7** Failures of critical security control systems are detected, reported, and responded to promptly.

**PCI DSS Requirement**

**10.7.1** ***Additional requirement for service providers only:*** Failures of critical security control systems are detected, alerted, and addressed promptly, including but not limited to failure of the following critical security control systems:

- Network security controls.

- IDS/IPS.

- FIM.

- Anti-malware solutions.

- Physical access controls.

- Logical access controls.

- Audit logging mechanisms.

- Segmentation controls (if used).

***Note:** This requirement will be **superseded** by Requirement 10.7.2 as of **31 March 2025**.*

**Assessment Findings (select one)**

| In Place | Not Applicable | Not Tested | Not in Place |
|----------|----------------|------------|--------------|
| ☐        | ☐              | ☐          | ☐            |

Describe why the assessment finding was selected. \<Enter Response Here\>

***Note**: Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.*

**Validation Method -- Customized Approach**

**Indicate** whether a Customized Approach was used: ☐ Yes ☐ No

**If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used. \<Enter Response Here\>

***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)*

**Validation Method -- Defined Approach**

**Indicate** whether a Compensating Control was used: ☐ Yes ☐ No

**If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used. \<Enter Response Here\>

***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)*

| Testing Procedures | Reporting Instructions | Reporting Details: Assessor's Response |
|---|---|---|
| **10.7.1.a** ***Additional testing procedure for service provider assessments only:*** Examine documentation to verify that processes are defined for the prompt detection and addressing of failures of critical security control systems, including but not limited to failure of all elements specified in this requirement. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **documentation** examined for this testing procedure. | \<Enter Response Here\> |
| **10.7.1.b** ***Additional testing procedure for service provider assessments only:*** Observe detection and alerting processes and interview personnel to verify that failures of critical security control systems are detected and reported, and that failure of a critical security control results in the generation of an alert. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **observation(s) of detection and alerting processes** conducted for this testing procedure. | \<Enter Response Here\> |
|  | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **interview(s)** conducted for this testing procedure. | \<Enter Response Here\> |
**PCI DSS Requirement**

**10.7.2** Failures of critical security control systems are detected, alerted, and addressed promptly, including but not limited to failure of the following critical security control systems:

- Network security controls.

- IDS/IPS.

- Change-detection mechanisms.

- Anti-malware solutions.

- Physical access controls.

- Logical access controls.

- Audit logging mechanisms.

- Segmentation controls (if used).

- Audit log review mechanisms.

- Automated security testing tools (if used).

***Note:** This requirement is a **best practice** until **31 March 2025**, after which it will be required and must be fully considered during a PCI DSS assessment and will supersede Requirement 10.7.1.*

**Assessment Findings (select one)**

| In Place | Not Applicable | Not Tested | Not in Place |
|----------|----------------|------------|--------------|
| ☐        | ☐              | ☐          | ☐            |

Describe why the assessment finding was selected. \<Enter Response Here\>

***Note**: Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.*

**Validation Method -- Customized Approach**

**Indicate** whether a Customized Approach was used: ☐ Yes ☐ No

**If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used. \<Enter Response Here\>

***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)*

**Validation Method -- Defined Approach**

**Indicate** whether a Compensating Control was used: ☐ Yes ☐ No

**If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used. \<Enter Response Here\>

***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)*

| Testing Procedures | Reporting Instructions | Reporting Details: Assessor's Response |
|---|---|---|
| **10.7.2.a** Examine documentation to verify that processes are defined for the prompt detection and addressing of failures of critical security control systems, including but not limited to failure of all elements specified in this requirement. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **documentation** examined for this testing procedure. | \<Enter Response Here\> |
| **10.7.2.b** Observe detection and alerting processes and interview personnel to verify that failures of critical security control systems are detected and reported, and that failure of a critical security control results in the generation of an alert. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **observation(s) of detection and alerting processes** conducted for this testing procedure. | \<Enter Response Here\> |
|  | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **interview(s)** conducted for this testing procedure. | \<Enter Response Here\> |
**PCI DSS Requirement**

**10.7.3** Failures of any critical security control systems are responded to promptly, including but not limited to:

- Restoring security functions.

- Identifying and documenting the duration (date and time from start to end) of the security failure.

- Identifying and documenting the cause(s) of failure and documenting required remediation.

- Identifying and addressing any security issues that arose during the failure.

- Determining whether further actions are required as a result of the security failure.

- Implementing controls to prevent the cause of failure from reoccurring.

- Resuming monitoring of security controls.

***Note:** This is a current v3.2.1 requirement that applies to service providers only. However, this requirement is a **best practice** for all other entities until **31 March 2025**, after which it will be required and must be fully considered during a PCI DSS assessment.*

**Assessment Findings (select one)**

| In Place | Not Applicable | Not Tested | Not in Place |
|----------|----------------|------------|--------------|
| ☐        | ☐              | ☐          | ☐            |

Describe why the assessment finding was selected. \<Enter Response Here\>

***Note**: Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.*

**Validation Method -- Customized Approach**

**Indicate** whether a Customized Approach was used: ☐ Yes ☐ No

**If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used. \<Enter Response Here\>

***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)*

**Validation Method -- Defined Approach**

**Indicate** whether a Compensating Control was used: ☐ Yes ☐ No

**If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used. \<Enter Response Here\>

***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)*

| Testing Procedures | Reporting Instructions | Reporting Details: Assessor's Response |
|---|---|---|
| **10.7.3.a** Examine documentation and interview personnel to verify that processes are defined and implemented to respond to a failure of any critical security control system and include at least all elements specified in this requirement. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **documentation** examined for this testing procedure. | \<Enter Response Here\> |
|  | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **interview(s)** conducted for this testing procedure. | \<Enter Response Here\> |
| **10.7.3.b** Examine records to verify that failures of critical security control systems are documented to include: Identification of cause(s) of the failure; Duration (date and time start and end) of the security failure; Details of the remediation required to address the root cause. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **records** examined for this testing procedure. | \<Enter Response Here\> |
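
Requirements 10.7.1, 10.7.2 and 10.7.3 together describe one loop: detect that a critical security control system has failed, raise an alert, restore it, and keep a record that shows cause, start and end time, and remediation. The block below is an added example, not code from the ROC template or PCI SSC, of what the smallest implementation of that loop looks like, so that an assessor knows which artefacts to ask for in 10.7.2.b and 10.7.3.b. The control names follow the requirement's list; the health snapshots and the timeline are constructed, and the rule that a control absent from a snapshot counts as failed is a design assumption.

```python
"""Constructed example for 10.7.1/10.7.2/10.7.3: a small monitor that raises
an alert when a critical security control system stops reporting healthy,
closes the failure record when it recovers, and checks that each record holds
the cause, start/end time and remediation that 10.7.3.b asks to see.  The
control names mirror the requirement's list; the status snapshots are
constructed, not from the template or any real product."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

CRITICAL_CONTROLS = (
    "network security controls", "IDS/IPS", "change-detection (FIM)",
    "anti-malware", "audit logging", "audit log review", "segmentation",
)


@dataclass
class FailureRecord:
    control: str
    started: datetime
    ended: Optional[datetime] = None
    cause: Optional[str] = None
    remediation: Optional[str] = None

    def duration(self) -> Optional[timedelta]:
        return None if self.ended is None else self.ended - self.started

    def is_complete(self) -> bool:
        """10.7.3.b: cause, start and end, and remediation are all documented."""
        return None not in (self.ended, self.cause, self.remediation)


class ControlMonitor:
    def __init__(self, controls=CRITICAL_CONTROLS):
        self.controls = tuple(controls)
        self.open: Dict[str, FailureRecord] = {}
        self.closed: List[FailureRecord] = []
        self.alerts: List[Tuple[datetime, str, str]] = []

    def observe(self, when: datetime, status: Dict[str, str]) -> None:
        """Ingest one health snapshot {control: 'ok' | 'failed'}.  A control
        absent from the snapshot is treated as failed (assumption): silence
        from a control is a monitoring failure, not an implicit pass."""
        for control in self.controls:
            state = status.get(control, "not reporting")
            if state != "ok" and control not in self.open:
                self.open[control] = FailureRecord(control, when)
                self.alerts.append((when, control, state))   # alert once per failure
            elif state == "ok" and control in self.open:
                rec = self.open.pop(control)
                rec.ended = when                               # restoration time
                self.closed.append(rec)

    def document(self, control: str, cause: str, remediation: str) -> None:
        """Record root cause and remediation on the most recent closed failure."""
        for rec in reversed(self.closed):
            if rec.control == control:
                rec.cause, rec.remediation = cause, remediation
                return
        raise KeyError(f"no closed failure for {control}")

    def incomplete_records(self) -> List[str]:
        """Closed failures whose 10.7.3.b documentation is still missing."""
        return [r.control for r in self.closed if not r.is_complete()]


def run_scenario() -> ControlMonitor:
    """Constructed timeline: FIM fails for ten minutes; IDS/IPS stops reporting."""
    t0 = datetime(2024, 3, 1, 8, 0)
    healthy = {c: "ok" for c in CRITICAL_CONTROLS}
    mon = ControlMonitor()
    mon.observe(t0, healthy)
    broken = dict(healthy, **{"change-detection (FIM)": "failed"})
    del broken["IDS/IPS"]                                     # sensor went silent
    mon.observe(t0 + timedelta(minutes=5), broken)
    mon.observe(t0 + timedelta(minutes=10), broken)           # still down: no new alert
    mon.observe(t0 + timedelta(minutes=15), healthy)          # both restored
    mon.document("change-detection (FIM)", cause="agent service crashed after update",
                 remediation="rolled back agent, added service watchdog")
    return mon


if __name__ == "__main__":
    mon = run_scenario()
    for when, control, state in mon.alerts:
        print(f"ALERT {when.isoformat()} {control}: {state}")
    for rec in mon.closed:
        print(f"{rec.control}: down {rec.duration()}, complete={rec.is_complete()}")
```

In the scenario the IDS/IPS failure is restored but never documented, so `incomplete_records()` still names it; that is exactly the gap an assessor would raise under 10.7.3.b, and the alert list is the evidence for 10.7.2.b that a failure produced an alert rather than only a log line.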
### Requirement 11: Test Security of Systems and Networks Regularly {#requirement-11-test-security-of-systems-and-networks-regularly .unnumbered}
+-----------------+----------------+---+--------------+-----------------+
| > **Requirement | | | | |
| > Description** | | | | |
+=================+================+===+==============+=================+
| 1. Processes | | | | |
| and | | | | |
| mechanisms | | | | |
| for | | | | |
| regularly | | | | |
| testing | | | | |
| security of | | | | |
| systems and | | | | |
| networks | | | | |
| are defined | | | | |
| and | | | | |
| understood. | | | | |
+-----------------+----------------+---+--------------+-----------------+
| > **PCI DSS | | | | |
| > Requirement** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| 1. All | | | | |
| security | | | | |
| policies | | | | |
| and | | | | |
| operational | | | | |
| procedures | | | | |
| that are | | | | |
| identified | | | | |
| in | | | | |
| Requirement | | | | |
| 11 are: | | | | |
| | | | | |
| | | | | |
| - Documented. | | | | |
| | | | | |
| - Kept up | | | | |
| to | | | | |
| date. | | | | |
| | | | | |
| - In use. | | | | |
| | | | | |
| - Known | | | | |
| to all | | | | |
| | | | | |
| affected | | | | |
| | | | | |
| parties. | | | | |
+-----------------+----------------+---+--------------+-----------------+

+------------------------------------------------------------+------------------------------+
| > **Assessment Findings (select one)**                     |                              |
+============================================================+==============================+
| ☐ In Place  ☐ Not Applicable  ☐ Not Tested  ☐ Not in Place |                              |
+------------------------------------------------------------+------------------------------+
| Describe why the assessment finding was selected.          | \<Enter Response Here\>      |
|                                                            |                              |
| ***Note**: Include all details as noted in the "Required   |                              |
| Reporting" column of the table in [Assessment              |                              |
| Findings](#assessment-findings) in the ROC Template        |                              |
| Instructions.*                                             |                              |
+------------------------------------------------------------+------------------------------+
| **Validation Method -- Customized Approach**               |                              |
+------------------------------------------------------------+------------------------------+
| **Indicate** whether a Customized Approach was used:       | ☐ Yes ☐ No                   |
+------------------------------------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement    | \<Enter Response Here\>      |
| where the Customized Approach was used.                    |                              |
|                                                            |                              |
| ***Note:** The use of Customized Approach must also be     |                              |
| documented in [Appendix                                    |                              |
| E.](#appendix-e-customized-approach-template)*             |                              |
+------------------------------------------------------------+------------------------------+
| **Validation Method -- Defined Approach**                  |                              |
+------------------------------------------------------------+------------------------------+
| **Indicate** whether a Compensating Control was used:      | ☐ Yes ☐ No                   |
+------------------------------------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement    | \<Enter Response Here\>      |
| where the Compensating Control(s) was used.                |                              |
|                                                            |                              |
| ***Note:** The use of Compensating Controls must also be   |                              |
| documented in [Appendix                                    |                              |
| C.](#appendix-c-compensating-controls-worksheet)*          |                              |
+------------------------------------------------------------+------------------------------+


+----------------------------------------+--------------------------------------------------+------------------------------+
| > **Testing Procedures**               | > **Reporting Instructions**                     | > **Reporting Details:       |
|                                        |                                                  | > Assessor's Response**      |
+========================================+==================================================+==============================+
| **11.1.1** Examine documentation and   | **Identify** the evidence reference              | \<Enter Response Here\>      |
| interview personnel to verify that     | number(s) from                                   |                              |
| security policies and operational      | [Section 6](#evidence-assessment-workpapers)     |                              |
| procedures are managed in accordance   | for all **documentation** examined for this      |                              |
| with all elements specified in this    | testing procedure.                               |                              |
| requirement.                           |                                                  |                              |
+----------------------------------------+--------------------------------------------------+------------------------------+
|                                        | **Identify** the evidence reference              | \<Enter Response Here\>      |
|                                        | number(s) from                                   |                              |
|                                        | [Section 6](#evidence-assessment-workpapers)     |                              |
|                                        | for all **interview(s)** conducted for this      |                              |
|                                        | testing procedure.                               |                              |
+----------------------------------------+--------------------------------------------------+------------------------------+

+----------------------------------------------------------------------+
| > **PCI DSS Requirement**                                            |
+======================================================================+
| **11.1.2** Roles and responsibilities for performing activities in   |
| Requirement 11 are documented, assigned, and understood.             |
+----------------------------------------------------------------------+

+------------------------------------------------------------+------------------------------+
| > **Assessment Findings (select one)**                     |                              |
+============================================================+==============================+
| ☐ In Place  ☐ Not Applicable  ☐ Not Tested  ☐ Not in Place |                              |
+------------------------------------------------------------+------------------------------+
| Describe why the assessment finding was selected.          | \<Enter Response Here\>      |
|                                                            |                              |
| ***Note**: Include all details as noted in the "Required   |                              |
| Reporting" column of the table in [Assessment              |                              |
| Findings](#assessment-findings) in the ROC Template        |                              |
| Instructions.*                                             |                              |
+------------------------------------------------------------+------------------------------+
| **Validation Method -- Customized Approach**               |                              |
+------------------------------------------------------------+------------------------------+
| **Indicate** whether a Customized Approach was used:       | ☐ Yes ☐ No                   |
+------------------------------------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement    | \<Enter Response Here\>      |
| where the Customized Approach was used.                    |                              |
|                                                            |                              |
| ***Note:** The use of Customized Approach must also be     |                              |
| documented in [Appendix                                    |                              |
| E.](#appendix-e-customized-approach-template)*             |                              |
+------------------------------------------------------------+------------------------------+
| **Validation Method -- Defined Approach**                  |                              |
+------------------------------------------------------------+------------------------------+
| **Indicate** whether a Compensating Control was used:      | ☐ Yes ☐ No                   |
+------------------------------------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement    | \<Enter Response Here\>      |
| where the Compensating Control(s) was used.                |                              |
|                                                            |                              |
| ***Note:** The use of Compensating Controls must also be   |                              |
| documented in [Appendix                                    |                              |
| C.](#appendix-c-compensating-controls-worksheet)*          |                              |
+------------------------------------------------------------+------------------------------+

+----------------------------------------+--------------------------------------------------+------------------------------+
| > **Testing Procedures**               | > **Reporting Instructions**                     | > **Reporting Details:       |
|                                        |                                                  | > Assessor's Response**      |
+========================================+==================================================+==============================+
| **11.1.2.a** Examine documentation to  | **Identify** the evidence reference              | \<Enter Response Here\>      |
| verify that descriptions of roles and  | number(s) from                                   |                              |
| responsibilities for performing        | [Section 6](#evidence-assessment-workpapers)     |                              |
| activities in Requirement 11 are       | for all **documentation** examined for this      |                              |
| documented and assigned.               | testing procedure.                               |                              |
+----------------------------------------+--------------------------------------------------+------------------------------+
| **11.1.2.b** Interview personnel with  | **Identify** the evidence reference              | \<Enter Response Here\>      |
| responsibility for performing          | number(s) from                                   |                              |
| activities in Requirement 11 to verify | [Section 6](#evidence-assessment-workpapers)     |                              |
| that roles and responsibilities are    | for all **interview(s)** conducted for this      |                              |
| assigned as documented and are         | testing procedure.                               |                              |
| understood.                            |                                                  |                              |
+----------------------------------------+--------------------------------------------------+------------------------------+


+----------------------------------------------------------------------+
| > **Requirement Description**                                        |
+======================================================================+
| **11.2** Wireless access points are identified and monitored, and    |
| unauthorized wireless access points are addressed.                   |
+----------------------------------------------------------------------+
| > **PCI DSS Requirement**                                            |
+----------------------------------------------------------------------+
| **11.2.1** Authorized and unauthorized wireless access points are    |
| managed as follows:                                                  |
|                                                                      |
| - The presence of wireless (Wi-Fi) access points is tested for,      |
|                                                                      |
| - All authorized and unauthorized wireless access points are         |
|   detected and identified,                                           |
|                                                                      |
| - Testing, detection, and identification occurs at least once every  |
|   three months.                                                      |
|                                                                      |
| - If automated monitoring is used, personnel are notified via        |
|   generated alerts.                                                  |
+----------------------------------------------------------------------+

+------------------------------------------------------------+------------------------------+
| > **Assessment Findings (select one)**                     |                              |
+============================================================+==============================+
| ☐ In Place  ☐ Not Applicable  ☐ Not Tested  ☐ Not in Place |                              |
+------------------------------------------------------------+------------------------------+
| Describe why the assessment finding was selected.          | \<Enter Response Here\>      |
|                                                            |                              |
| ***Note**: Include all details as noted in the "Required   |                              |
| Reporting" column of the table in [Assessment              |                              |
| Findings](#assessment-findings) in the ROC Template        |                              |
| Instructions.*                                             |                              |
+------------------------------------------------------------+------------------------------+
| **Validation Method -- Customized Approach**               |                              |
+------------------------------------------------------------+------------------------------+
| **Indicate** whether a Customized Approach was used:       | ☐ Yes ☐ No                   |
+------------------------------------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement    | \<Enter Response Here\>      |
| where the Customized Approach was used.                    |                              |
|                                                            |                              |
| ***Note:** The use of Customized Approach must also be     |                              |
| documented in [Appendix                                    |                              |
| E.](#appendix-e-customized-approach-template)*             |                              |
+------------------------------------------------------------+------------------------------+
| **Validation Method -- Defined Approach**                  |                              |
+------------------------------------------------------------+------------------------------+
| **Indicate** whether a Compensating Control was used:      | ☐ Yes ☐ No                   |
+------------------------------------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement    | \<Enter Response Here\>      |
| where the Compensating Control(s) was used.                |                              |
|                                                            |                              |
| ***Note:** The use of Compensating Controls must also be   |                              |
| documented in [Appendix                                    |                              |
| C.](#appendix-c-compensating-controls-worksheet)*          |                              |
+------------------------------------------------------------+------------------------------+

+----------------------------------------+--------------------------------------------------+------------------------------+
| > **Testing Procedures**               | > **Reporting Instructions**                     | > **Reporting Details:       |
|                                        |                                                  | > Assessor's Response**      |
+========================================+==================================================+==============================+
| **11.2.1.a** Examine policies and      | **Identify** the evidence reference              | \<Enter Response Here\>      |
| procedures to verify processes are     | number(s) from                                   |                              |
| defined for managing both authorized   | [Section 6](#evidence-assessment-workpapers)     |                              |
| and unauthorized wireless access       | for all **policies and procedures** examined     |                              |
| points with all elements specified in  | for this testing procedure.                      |                              |
| this requirement.                      |                                                  |                              |
+----------------------------------------+--------------------------------------------------+------------------------------+
| **11.2.1.b** Examine the               | **Identify** the evidence reference              | \<Enter Response Here\>      |
| methodology(ies) in use and the        | number(s) from                                   |                              |
| resulting documentation, and interview | [Section 6](#evidence-assessment-workpapers)     |                              |
| personnel to verify processes are      | for the **methodology(ies) in use and            |                              |
| defined to detect and identify both    | resulting documentation** examined for this      |                              |
| authorized and unauthorized wireless   | testing procedure.                               |                              |
| access points in accordance with all   |                                                  |                              |
| elements specified in this             |                                                  |                              |
| requirement.                           |                                                  |                              |
+----------------------------------------+--------------------------------------------------+------------------------------+
|                                        | **Identify** the evidence reference              | \<Enter Response Here\>      |
|                                        | number(s) from                                   |                              |
|                                        | [Section 6](#evidence-assessment-workpapers)     |                              |
|                                        | for all **interview(s)** conducted for this      |                              |
|                                        | testing procedure.                               |                              |
+----------------------------------------+--------------------------------------------------+------------------------------+
| **11.2.1.c** Examine wireless          | **Identify** the evidence reference              | \<Enter Response Here\>      |
| assessment results and interview       | number(s) from                                   |                              |
| personnel to verify that wireless      | [Section 6](#evidence-assessment-workpapers)     |                              |
| assessments were conducted in          | for all **wireless assessment results**          |                              |
| accordance with all elements specified | examined for this testing procedure.             |                              |
| in this requirement.                   |                                                  |                              |
+----------------------------------------+--------------------------------------------------+------------------------------+
|                                        | **Identify** the evidence reference              | \<Enter Response Here\>      |
|                                        | number(s) from                                   |                              |
|                                        | [Section 6](#evidence-assessment-workpapers)     |                              |
|                                        | for all **interview(s)** conducted for this      |                              |
|                                        | testing procedure.                               |                              |
+----------------------------------------+--------------------------------------------------+------------------------------+
| **11.2.1.d** If automated monitoring   | **Identify** the evidence reference              | \<Enter Response Here\>      |
| is used, examine configuration         | number(s) from                                   |                              |
| settings to verify the configuration   | [Section 6](#evidence-assessment-workpapers)     |                              |
| will generate alerts to notify         | for all **configuration settings** examined      |                              |
| personnel.                             | for this testing procedure.                      |                              |
+----------------------------------------+--------------------------------------------------+------------------------------+


+----------------------------------------------------------------------+
| > **PCI DSS Requirement**                                            |
+======================================================================+
| **11.2.2** An inventory of authorized wireless access points is      |
| maintained, including a documented business justification.           |
+----------------------------------------------------------------------+

+------------------------------------------------------------+------------------------------+
| > **Assessment Findings (select one)**                     |                              |
+============================================================+==============================+
| ☐ In Place  ☐ Not Applicable  ☐ Not Tested  ☐ Not in Place |                              |
+------------------------------------------------------------+------------------------------+
| Describe why the assessment finding was selected.          | \<Enter Response Here\>      |
|                                                            |                              |
| ***Note**: Include all details as noted in the "Required   |                              |
| Reporting" column of the table in [Assessment              |                              |
| Findings](#assessment-findings) in the ROC Template        |                              |
| Instructions.*                                             |                              |
+------------------------------------------------------------+------------------------------+
| **Validation Method -- Customized Approach**               |                              |
+------------------------------------------------------------+------------------------------+
| **Indicate** whether a Customized Approach was used:       | ☐ Yes ☐ No                   |
+------------------------------------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement    | \<Enter Response Here\>      |
| where the Customized Approach was used.                    |                              |
|                                                            |                              |
| ***Note:** The use of Customized Approach must also be     |                              |
| documented in [Appendix                                    |                              |
| E.](#appendix-e-customized-approach-template)*             |                              |
+------------------------------------------------------------+------------------------------+
| **Validation Method -- Defined Approach**                  |                              |
+------------------------------------------------------------+------------------------------+
| **Indicate** whether a Compensating Control was used:      | ☐ Yes ☐ No                   |
+------------------------------------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement    | \<Enter Response Here\>      |
| where the Compensating Control(s) was used.                |                              |
|                                                            |                              |
| ***Note:** The use of Compensating Controls must also be   |                              |
| documented in [Appendix                                    |                              |
| C.](#appendix-c-compensating-controls-worksheet)*          |                              |
+------------------------------------------------------------+------------------------------+

+----------------------------------------+--------------------------------------------------+------------------------------+
| > **Testing Procedures**               | > **Reporting Instructions**                     | > **Reporting Details:       |
|                                        |                                                  | > Assessor's Response**      |
+========================================+==================================================+==============================+
| **11.2.2** Examine documentation to    | **Identify** the evidence reference              | \<Enter Response Here\>      |
| verify that an inventory of authorized | number(s) from                                   |                              |
| wireless access points is maintained,  | [Section 6](#evidence-assessment-workpapers)     |                              |
| and a business justification is        | for all **documentation** examined for this      |                              |
| documented for all authorized wireless | testing procedure.                               |                              |
| access points.                         |                                                  |                              |
+----------------------------------------+--------------------------------------------------+------------------------------+

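The reconciliation behind 11.2.1 and 11.2.2 (every detected access point matched against the authorized inventory, and every inventory entry checked for a documented business justification), as an added example that is not part of the ROC template; the inventory, the survey results and all BSSIDs, SSIDs and locations are constructed.

```python
"""Reconcile a quarterly wireless survey against the authorized AP inventory.

Added example, not part of the PCI DSS ROC template. The inventory, the survey
results and every BSSID/SSID/location below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthorizedAP:
    bssid: str
    ssid: str
    location: str
    business_justification: str  # 11.2.2: must be documented for every entry


@dataclass(frozen=True)
class DetectedAP:
    bssid: str
    ssid: str
    detected_by: str  # constructed labels: "walk-through" or "WIDS"


def norm(bssid: str) -> str:
    """Canonical BSSID so 00-11-22-AA-BB-CC and 00:11:22:aa:bb:cc compare equal."""
    return bssid.replace("-", ":").lower()


# Constructed inventory (11.2.2); the second entry has no justification recorded.
INVENTORY = [
    AuthorizedAP("00:11:22:33:44:01", "CORP-POS", "Store 12, back office", "POS terminals"),
    AuthorizedAP("00:11:22:33:44:02", "CORP-GUEST", "Store 12, sales floor", ""),
    AuthorizedAP("00:11:22:33:44:03", "CORP-POS", "Store 12, stockroom", "Handheld scanners"),
]

# Constructed results of one quarterly survey (11.2.1).
SURVEY = [
    DetectedAP("00-11-22-33-44-01", "CORP-POS", "walk-through"),
    DetectedAP("00:11:22:33:44:02", "CORP-GUEST", "WIDS"),
    DetectedAP("de:ad:be:ef:00:01", "CORP-POS", "WIDS"),         # corporate SSID, unknown radio
    DetectedAP("de:ad:be:ef:00:02", "Linksys", "walk-through"),  # unknown consumer AP
]


def reconcile(inventory, survey):
    """Exception lists an assessor asks about after a survey (BSSIDs normalised)."""
    authorized = {norm(ap.bssid): ap for ap in inventory}
    authorized_ssids = {ap.ssid for ap in inventory}
    seen = {norm(ap.bssid): ap for ap in survey}
    unauthorized = sorted(b for b in seen if b not in authorized)
    return {
        # 11.2.1: detected but not in the inventory, so it must be addressed
        "unauthorized": unauthorized,
        # subset that broadcasts an authorized SSID: first in line for response
        "unauthorized_with_corporate_ssid": [
            b for b in unauthorized if seen[b].ssid in authorized_ssids
        ],
        # authorized but not detected: the inventory is stale or the AP is down
        "not_seen": sorted(b for b in authorized if b not in seen),
        # 11.2.2: inventory entries with no documented business justification
        "no_justification": sorted(
            b for b, ap in authorized.items() if not ap.business_justification.strip()
        ),
    }


if __name__ == "__main__":
    for label, bssids in reconcile(INVENTORY, SURVEY).items():
        print(f"{label}: {bssids}")
```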

+----------------------------------------------------------------------+
| > **Requirement Description**                                        |
+======================================================================+
| **11.3** External and internal vulnerabilities are regularly         |
| identified, prioritized, and addressed.                              |
+----------------------------------------------------------------------+
| > **PCI DSS Requirement**                                            |
+----------------------------------------------------------------------+
| **11.3.1** Internal vulnerability scans are performed as follows:    |
|                                                                      |
| - At least once every three months.                                  |
|                                                                      |
| - High-risk and critical vulnerabilities (per the entity's           |
|   vulnerability risk rankings defined at Requirement 6.3.1) are      |
|   resolved.                                                          |
|                                                                      |
| - Rescans are performed that confirm all high-risk and critical      |
|   vulnerabilities (as noted above) have been resolved.               |
|                                                                      |
| - Scan tool is kept up to date with latest vulnerability             |
|   information.                                                       |
|                                                                      |
| - Scans are performed by qualified personnel and organizational      |
|   independence of the tester exists.                                 |
+----------------------------------------------------------------------+

+------------------------------------------------------------+------------------------------+
| > **Assessment Findings (select one)**                     |                              |
+============================================================+==============================+
| ☐ In Place  ☐ Not Applicable  ☐ Not Tested  ☐ Not in Place |                              |
+------------------------------------------------------------+------------------------------+
| Describe why the assessment finding was selected.          | \<Enter Response Here\>      |
|                                                            |                              |
| ***Note**: Include all details as noted in the "Required   |                              |
| Reporting" column of the table in [Assessment              |                              |
| Findings](#assessment-findings) in the ROC Template        |                              |
| Instructions.*                                             |                              |
+------------------------------------------------------------+------------------------------+
| **Validation Method -- Customized Approach**               |                              |
+------------------------------------------------------------+------------------------------+
| **Indicate** whether a Customized Approach was used:       | ☐ Yes ☐ No                   |
+------------------------------------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement    | \<Enter Response Here\>      |
| where the Customized Approach was used.                    |                              |
|                                                            |                              |
| ***Note:** The use of Customized Approach must also be     |                              |
| documented in [Appendix                                    |                              |
| E.](#appendix-e-customized-approach-template)*             |                              |
+------------------------------------------------------------+------------------------------+
| **Validation Method -- Defined Approach**                  |                              |
+------------------------------------------------------------+------------------------------+
| **Indicate** whether a Compensating Control was used:      | ☐ Yes ☐ No                   |
+------------------------------------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement    | \<Enter Response Here\>      |
| where the Compensating Control(s) was used.                |                              |
|                                                            |                              |
| ***Note:** The use of Compensating Controls must also be   |                              |
| documented in [Appendix                                    |                              |
| C.](#appendix-c-compensating-controls-worksheet)*          |                              |
+------------------------------------------------------------+------------------------------+

+----------------------------------------+--------------------------------------------------+------------------------------+
| > **Testing Procedures**               | > **Reporting Instructions**                     | > **Reporting Details:       |
|                                        |                                                  | > Assessor's Response**      |
+========================================+==================================================+==============================+
| **11.3.1.a** Examine internal scan     | **Identify** the evidence reference              | \<Enter Response Here\>      |
| report results from the last 12 months | number(s) from                                   |                              |
| to verify that internal scans occurred | [Section 6](#evidence-assessment-workpapers)     |                              |
| at least once every three months in    | for all **internal scan report results**         |                              |
| the most recent 12-month period.       | examined for this testing procedure.             |                              |
+----------------------------------------+--------------------------------------------------+------------------------------+
| **11.3.1.b** Examine internal scan     | **Identify** the evidence reference              | \<Enter Response Here\>      |
| report results from each scan and      | number(s) from                                   |                              |
| rescan run in the last 12 months to    | [Section 6](#evidence-assessment-workpapers)     |                              |
| verify that all high-risk and critical | for all **internal scan report results**         |                              |
| vulnerabilities (identified in PCI DSS | examined for this testing procedure.             |                              |
| Requirement 6.3.1) are resolved.       |                                                  |                              |
+----------------------------------------+--------------------------------------------------+------------------------------+
| **11.3.1.c** Examine scan tool         | **Identify** the evidence reference              | \<Enter Response Here\>      |
| configurations and interview personnel | number(s) from                                   |                              |
| to verify that the scan tool is kept   | [Section 6](#evidence-assessment-workpapers)     |                              |
| up to date with the latest             | for all **scan tool configurations** examined    |                              |
| vulnerability information.             | for this testing procedure.                      |                              |
+----------------------------------------+--------------------------------------------------+------------------------------+
|                                        | **Identify** the evidence reference              | \<Enter Response Here\>      |
|                                        | number(s) from                                   |                              |
|                                        | [Section 6](#evidence-assessment-workpapers)     |                              |
|                                        | for all **interview(s)** conducted for this      |                              |
|                                        | testing procedure.                               |                              |
+----------------------------------------+--------------------------------------------------+------------------------------+
| **11.3.1.d** Interview responsible     | **Identify** the evidence reference              | \<Enter Response Here\>      |
| personnel to verify that the scan was  | number(s) from                                   |                              |
| performed by a qualified internal      | [Section 6](#evidence-assessment-workpapers)     |                              |
| resource(s) or qualified external      | for all **interview(s)** conducted for this      |                              |
| third party and that organizational    | testing procedure.                               |                              |
| independence of the tester exists.     |                                                  |                              |
+----------------------------------------+--------------------------------------------------+------------------------------+

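An assessor-side check of the elements of 11.3.1 that can be verified from the scan records themselves (a scan in every three-month window of the last 12 months, rescans confirming that high-risk and critical findings were resolved, and a scan tool whose vulnerability feed was current), as an added example that is not part of the ROC template; the scan reports, hosts, check identifiers and the 14-day feed-age threshold are constructed assumptions.

```python
"""Assessor-side checks over internal vulnerability scan records (PCI DSS 11.3.1).

Added example, not part of the ROC template and not the output of any real
scanner: the scan reports below are constructed so the checks have input.
Severity labels stand for the entity's own risk rankings (Requirement 6.3.1).
"""
from dataclasses import dataclass
from datetime import date, timedelta

MAX_GAP = timedelta(days=92)         # "at least once every three months"
REVIEW_PERIOD = timedelta(days=365)  # the 12 months the assessor examines
MAX_FEED_AGE = timedelta(days=14)    # assumed policy value for "kept up to date"
HIGH_RISK = {"critical", "high"}     # rankings that must be resolved and rescanned


@dataclass(frozen=True)
class Finding:
    host: str
    check_id: str   # scanner check identifier (constructed placeholder)
    severity: str   # entity's ranking: critical / high / medium / low


@dataclass(frozen=True)
class ScanReport:
    run_on: date
    feed_updated_on: date   # date of the vulnerability feed the tool used
    findings: frozenset     # the Findings listed in the report


def report(run_on, feed_updated_on, findings):
    return ScanReport(date.fromisoformat(run_on), date.fromisoformat(feed_updated_on),
                      frozenset(findings))


F1 = Finding("10.0.1.5", "check-001", "critical")
F2 = Finding("10.0.1.9", "check-002", "medium")
F3 = Finding("10.0.1.5", "check-003", "high")
F4 = Finding("10.0.2.7", "check-004", "high")

# Constructed 12-month history ending 31 Dec 2023.
AS_OF = date(2023, 12, 31)
SCANS = [
    report("2023-01-15", "2023-01-14", {F1, F2}),
    report("2023-04-10", "2023-04-09", {F1, F3}),   # F1 still open a quarter later
    report("2023-08-20", "2023-07-01", {F2, F3}),   # F1 absent: rescan confirms it resolved
    report("2023-11-05", "2023-11-04", {F2, F4}),   # F3 absent; F4 newly found
]


def cadence_gaps(scans, as_of):
    """Intervals inside the review period longer than MAX_GAP with no scan.

    The period start and as_of are treated as boundaries, so a late first scan
    or a stale most recent scan is reported as a gap as well.
    """
    start = as_of - REVIEW_PERIOD
    dates = sorted(s.run_on for s in scans if start <= s.run_on <= as_of)
    bounds = [start, *dates, as_of]
    return [(a, b) for a, b in zip(bounds, bounds[1:]) if b - a > MAX_GAP]


def unconfirmed_high_risk(scans):
    """High/critical findings with no later scan or rescan showing them gone.

    Reports are walked in date order: a tracked finding absent from a later
    report counts as confirmed resolved; one still listed in the most recent
    report has no rescan evidence and must be reported.
    """
    open_findings = set()
    for rep in sorted(scans, key=lambda s: s.run_on):
        open_findings &= rep.findings
        open_findings |= {f for f in rep.findings if f.severity in HIGH_RISK}
    return sorted(open_findings, key=lambda f: (f.host, f.check_id))


def stale_feed_scans(scans):
    """Reports run with a vulnerability feed older than MAX_FEED_AGE."""
    return [s.run_on for s in scans if s.run_on - s.feed_updated_on > MAX_FEED_AGE]


if __name__ == "__main__":
    for a, b in cadence_gaps(SCANS, AS_OF):
        print(f"no internal scan between {a} and {b}: {(b - a).days} days")
    for f in unconfirmed_high_risk(SCANS):
        print(f"{f.severity} finding {f.check_id} on {f.host} has no confirming rescan")
    for d in stale_feed_scans(SCANS):
        print(f"scan on {d} used a feed older than {MAX_FEED_AGE.days} days")
```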

+----------------------------------------------------------------------+
| > **PCI DSS Requirement**                                            |
+======================================================================+
| **11.3.1.1** All other applicable vulnerabilities (those not ranked  |
| as high-risk or critical per the entity's vulnerability risk         |
| rankings defined at Requirement 6.3.1) are managed as follows:       |
|                                                                      |
| - Addressed based on the risk defined in the entity's targeted risk  |
|   analysis, which is performed according to all elements specified   |
|   in Requirement 12.3.1.                                             |
|                                                                      |
| - Rescans are conducted as needed.                                   |
|                                                                      |
| ***Note:** This requirement is a **best practice** until **31 March  |
| 2025**, after which it will be required and must be fully considered |
| during a PCI DSS assessment.*                                        |
+----------------------------------------------------------------------+

+------------------------------------------------------------+------------------------------+
| > **Assessment Findings (select one)**                     |                              |
+============================================================+==============================+
| ☐ In Place  ☐ Not Applicable  ☐ Not Tested  ☐ Not in Place |                              |
+------------------------------------------------------------+------------------------------+
| Describe why the assessment finding was selected.          | \<Enter Response Here\>      |
|                                                            |                              |
| ***Note**: Include all details as noted in the "Required   |                              |
| Reporting" column of the table in [Assessment              |                              |
| Findings](#assessment-findings) in the ROC Template        |                              |
| Instructions.*                                             |                              |
+------------------------------------------------------------+------------------------------+
| **Validation Method -- Customized Approach**               |                              |
+------------------------------------------------------------+------------------------------+
| **Indicate** whether a Customized Approach was used:       | ☐ Yes ☐ No                   |
+------------------------------------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement    | \<Enter Response Here\>      |
| where the Customized Approach was used.                    |                              |
|                                                            |                              |
| ***Note:** The use of Customized Approach must also be     |                              |
| documented in [Appendix                                    |                              |
| E.](#appendix-e-customized-approach-template)*             |                              |
+------------------------------------------------------------+------------------------------+
| **Validation Method -- Defined Approach**                  |                              |
+------------------------------------------------------------+------------------------------+
| **Indicate** whether a Compensating Control was used:      | ☐ Yes ☐ No                   |
+------------------------------------------------------------+------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement    | \<Enter Response Here\>      |
| where the Compensating Control(s) was used.                |                              |
|                                                            |                              |
| ***Note:** The use of Compensating Controls must also be   |                              |
| documented in [Appendix                                    |                              |
| C.](#appendix-c-compensating-controls-worksheet)*          |                              |
+------------------------------------------------------------+------------------------------+

+-----------------+---------------------+------------------------------+
| > **Testing | > **Reporting | > **Reporting Details: |
| > Procedures** | > Instructions** | > Assessor's Response** |
+=================+=====================+==============================+
| **11.3.1.1.a** | **Identify** the | \<Enter Response Here\> |
| Examine the | evidence reference | |
| entity's | number(s) from | |
| targeted risk | [Section | |
| analysis that | 6](#evidence-ass | |
| defines the | essment-workpapers) | |
| risk for | for the **entity's | |
| addressing all | targeted risk | |
| other | analysis** examined | |
| applicable | for this testing | |
| vulnerabilities | procedure. | |
| (those not | | |
| ranked as | | |
| high-risk or | | |
| critical per | | |
| the entity's | | |
| vulnerability | | |
| risk rankings | | |
| at Requirement | | |
| 6.3.1) to | | |
| verify the risk | | |
| analysis was | | |
| performed in | | |
| accordance with | | |
| all elements | | |
| specified at | | |
| Requirement | | |
| 12.3.1. | | |
+-----------------+---------------------+------------------------------+
| **11.3.1.1.b** | **Identify** the | \<Enter Response Here\> |
| Interview | evidence reference | |
| responsible | number(s) from | |
| personnel and | [Section | |
| examine | 6](#evidence-ass | |
| internal scan | essment-workpapers) | |
| report results | for all | |
| or other | **interview(s)** | |
| documentation | conducted for this | |
| to verify that | testing procedure. | |
| all other | | |
| applicable | | |
| vulnerabilities | | |
| (those not | | |
| ranked as | | |
| high-risk or | | |
| critical per | | |
| the entity's | | |
| vulnerability | | |
| risk rankings | | |
| at Requirement | | |
| 6.3.1) are | | |
| addressed based | | |
| on the risk | | |
| defined in the | | |
| entity's | | |
| targeted risk | | |
| analysis, and | | |
| that the scan | | |
| process | | |
| includes | | |
| rescans as | | |
| needed to | | |
| confirm the | | |
| vulnerabilities | | |
| have been | | |
| addressed. | | |
+-----------------+---------------------+------------------------------+
| | **Identify** the | \<Enter Response Here\> |
| | evidence reference | |
| | number(s) from | |
| | [Section | |
| | 6](#evidence-ass | |
| | essment-workpapers) | |
| | for all **internal | |
| | scan report results | |
| | or other | |
| | documentation** | |
| | examined for this | |
| | testing procedure. | |
+-----------------+---------------------+------------------------------+
+----------------------------------------------------+----------------+----------------+-----------------+
| > **PCI DSS Requirement**                          |                |                |                 |
+====================================================+================+================+=================+
| **11.3.1.2** Internal vulnerability scans are      |                |                |                 |
| performed via authenticated scanning as follows:   |                |                |                 |
|                                                    |                |                |                 |
| - Systems that are unable to accept credentials for|                |                |                 |
|   authenticated scanning are documented.           |                |                |                 |
|                                                    |                |                |                 |
| - Sufficient privileges are used for those systems |                |                |                 |
|   that accept credentials for scanning.            |                |                |                 |
|                                                    |                |                |                 |
| - If accounts used for authenticated scanning can  |                |                |                 |
|   be used for interactive login, they are managed  |                |                |                 |
|   in accordance with Requirement 8.2.2.            |                |                |                 |
|                                                    |                |                |                 |
| ***Note:** This requirement is a **best practice** |                |                |                 |
| until **31 March 2025**, after which it will be    |                |                |                 |
| required and must be fully considered during a PCI |                |                |                 |
| DSS assessment.*                                   |                |                |                 |
+----------------------------------------------------+----------------+----------------+-----------------+
| > **Assessment Findings (select one)**             |                |                |                 |
+----------------------------------------------------+----------------+----------------+-----------------+
| **In Place**                                       | **Not          | **Not Tested** | **Not in Place**|
|                                                    | Applicable**   |                |                 |
+----------------------------------------------------+----------------+----------------+-----------------+
| ☐                                                  | ☐              | ☐              | ☐               |
+----------------------------------------------------+----------------+----------------+-----------------+
| Describe why the assessment finding was selected.  |                | \<Enter        |                 |
|                                                    |                | Response Here\>|                 |
| ***Note**: Include all details as noted in the     |                |                |                 |
| "Required Reporting" column of the table in        |                |                |                 |
| [Assessment Findings](#assessment-findings) in the |                |                |                 |
| ROC Template Instructions.*                        |                |                |                 |
+----------------------------------------------------+----------------+----------------+-----------------+
| **Validation Method -- Customized Approach**       |                |                |                 |
+----------------------------------------------------+----------------+----------------+-----------------+
| **Indicate** whether a Customized Approach was     |                | ☐ Yes ☐ No     |                 |
| used:                                              |                |                |                 |
+----------------------------------------------------+----------------+----------------+-----------------+
| **If "Yes", Identify** the aspect(s) of the        |                | \<Enter        |                 |
| requirement where the Customized Approach was used.|                | Response Here\>|                 |
|                                                    |                |                |                 |
| ***Note:** The use of Customized Approach must also|                |                |                 |
| be documented in [Appendix                         |                |                |                 |
| E.](#appendix-e-customized-approach-template)*     |                |                |                 |
+----------------------------------------------------+----------------+----------------+-----------------+
| **Validation Method -- Defined Approach**          |                |                |                 |
+----------------------------------------------------+----------------+----------------+-----------------+
| **Indicate** whether a Compensating Control was    |                | ☐ Yes ☐ No     |                 |
| used:                                              |                |                |                 |
+----------------------------------------------------+----------------+----------------+-----------------+
| **If "Yes", Identify** the aspect(s) of the        |                | \<Enter        |                 |
| requirement where the Compensating Control(s) was  |                | Response Here\>|                 |
| used.                                              |                |                |                 |
|                                                    |                |                |                 |
| ***Note:** The use of Compensating Controls must   |                |                |                 |
| also be documented in [Appendix                    |                |                |                 |
| C.](#appendix-c-compensating-controls-worksheet)*  |                |                |                 |
+----------------------------------------------------+----------------+----------------+-----------------+
+-----------------+---------------------+------------------------------+
| > **Testing | > **Reporting | > **Reporting Details: |
| > Procedures** | > Instructions** | > Assessor's Response** |
+=================+=====================+==============================+
| **11.3.1.2.a** | **Identify** the | \<Enter Response Here\> |
| Examine scan | evidence reference | |
| tool | number(s) from | |
| configurations | [Section | |
| to verify that | 6](#evidence-ass | |
| authenticated | essment-workpapers) | |
| scanning is | for all **scan tool | |
| used for | configurations** | |
| internal scans, | examined for this | |
| with sufficient | testing procedure. | |
| privileges, for | | |
| those systems | | |
| that accept | | |
| credentials for | | |
| scanning. | | |
+-----------------+---------------------+------------------------------+
| **11.3.1.2.b** | **Identify** the | \<Enter Response Here\> |
| Examine scan | evidence reference | |
| report results | number(s) from | |
| and interview | [Section | |
| personnel to | 6](#evidence-ass | |
| verify that | essment-workpapers) | |
| authenticated   | for all **scan      |                              |
| scans are       | report results**    |                              |
| performed.      | examined for this   |                              |
|                 | testing procedure.  |                              |
|                 |                     |                              |
+-----------------+---------------------+------------------------------+
| | **Identify** the | \<Enter Response Here\> |
| | evidence reference | |
| | number(s) from | |
| | [Section | |
| | 6](#evidence-ass | |
| | essment-workpapers) | |
| | for all | |
| | **interview(s)** | |
| | conducted for this | |
| | testing procedure. | |
+-----------------+---------------------+------------------------------+
| **11.3.1.2.c** | **Identify** the | \<Enter Response Here\> |
| If accounts | evidence reference | |
| used for | number(s) from | |
| authenticated | [Section | |
| scanning can be | 6](#evidence-ass | |
| used for | essment-workpapers) | |
| interactive | for all | |
| login, examine | **accounts** | |
| the accounts | examined for this | |
| and interview | testing procedure. | |
| personnel to | | |
| verify the | | |
| accounts are | | |
| managed | | |
| following all | | |
| elements | | |
| specified in | | |
| Requirement | | |
| 8.2.2. | | |
+-----------------+---------------------+------------------------------+
| | **Identify** the | \<Enter Response Here\> |
| | evidence reference | |
| | number(s) from | |
| | [Section | |
| | 6](#evidence-ass | |
| | essment-workpapers) | |
| | for all | |
| | **interview(s)** | |
| | conducted for this | |
| | testing procedure. | |
+-----------------+---------------------+------------------------------+
| **11.3.1.2.d** | **Identify** the | \<Enter Response Here\> |
| Examine | evidence reference | |
| documentation | number(s) from | |
| to verify that | [Section | |
| systems that | 6](#evidence-ass | |
| are unable to | essment-workpapers) | |
| accept | for all | |
| credentials for | **documentation** | |
| authenticated | examined for this | |
| scanning are | testing procedure. | |
| defined. | | |
+-----------------+---------------------+------------------------------+
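
Reconciling authenticated-scan coverage against the in-scope inventory is the quickest way to produce evidence for testing procedures 11.3.1.2.a, 11.3.1.2.c and 11.3.1.2.d: every in-scope system is either scanned with credentials and sufficient privileges, or sits on the documented exception list, and every scan account that can also log in interactively is known so that Requirement 8.2.2 can be applied to it. The Python below is an added example and is not part of the ROC template; the inventory, scan output, exception list and account names are constructed, and the `credentialed` and `privilege_ok` fields stand in for whatever a particular scanner reports.

```python
"""Reconcile authenticated-scan coverage with the in-scope inventory (11.3.1.2).

Added example for the PCI DSS v4.0 ROC template; not part of the template itself.
All hosts, accounts and scanner fields are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class ScanResult:
    host: str
    credentialed: bool      # scanner confirmed an authenticated session on the host
    privilege_ok: bool      # the session had the rights the scanner needs (root/SYSTEM level)
    account: Optional[str]  # account used for the session; None for an unauthenticated scan


# Constructed sample data (assumed names, not from the ROC template).
INVENTORY = {"db01", "app01", "app02", "fw01", "pos-sw01"}
# Bullet 1 of 11.3.1.2: systems that cannot accept credentials must be documented.
EXCEPTIONS: Dict[str, str] = {"fw01": "appliance offers no credentialed scan interface"}
RESULTS = [
    ScanResult("db01", True, True, "svc-scan"),
    ScanResult("app01", True, False, "svc-scan"),  # logged in, but without audit rights
    ScanResult("app02", False, False, None),       # credentials failed, no exception on file
    ScanResult("fw01", False, False, None),        # covered by the documented exception
]
# Bullet 3 of 11.3.1.2: scan accounts that can also log in interactively.
INTERACTIVE_CAPABLE = {"svc-scan"}


def reconcile(inventory: Iterable[str], results: Iterable[ScanResult],
              exceptions: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every in-scope host by how the last internal scan treated it."""
    by_host = {r.host: r for r in results}
    gaps: Dict[str, List[str]] = {
        "not_scanned": [],      # in inventory, absent from scan output
        "unauthenticated": [],  # no credentialed session and no documented exception
        "low_privilege": [],    # credentialed, but not with sufficient privileges
        "stale_exception": [],  # exception on file for a host that now accepts credentials
    }
    for host in sorted(inventory):
        r = by_host.get(host)
        if r is None:
            gaps["not_scanned"].append(host)
        elif not r.credentialed:
            if host not in exceptions:
                gaps["unauthenticated"].append(host)
        elif not r.privilege_ok:
            gaps["low_privilege"].append(host)
    for host in sorted(exceptions):
        r = by_host.get(host)
        if r is not None and r.credentialed:
            gaps["stale_exception"].append(host)
    return gaps


def accounts_subject_to_8_2_2(results: Iterable[ScanResult],
                              interactive_capable: Iterable[str]) -> List[str]:
    """Scan accounts that can also log in interactively, so Requirement 8.2.2 applies."""
    capable = set(interactive_capable)
    return sorted({r.account for r in results if r.account in capable})


if __name__ == "__main__":
    for kind, hosts in reconcile(INVENTORY, RESULTS, EXCEPTIONS).items():
        print(f"{kind:16s} {hosts}")
    print("8.2.2 applies to:", accounts_subject_to_8_2_2(RESULTS, INTERACTIVE_CAPABLE))
```

Each bucket maps to a question the assessor asks: `not_scanned` and `unauthenticated` are coverage failures against 11.3.1.2.a, `low_privilege` is a credentialed scan that still does not meet the "sufficient privileges" bullet, and `stale_exception` catches a 11.3.1.2.d entry that should have been retired because the system now accepts credentials. The exception list is checked in both directions because a one-sided comparison quietly accepts exceptions that no longer apply.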
+----------------------------------------------------+----------------+----------------+-----------------+
| > **PCI DSS Requirement**                          |                |                |                 |
+====================================================+================+================+=================+
| **11.3.1.3** Internal vulnerability scans are      |                |                |                 |
| performed after any significant change as follows: |                |                |                 |
|                                                    |                |                |                 |
| - High-risk and critical vulnerabilities (per the  |                |                |                 |
|   entity's vulnerability risk rankings defined at  |                |                |                 |
|   Requirement 6.3.1) are resolved.                 |                |                |                 |
|                                                    |                |                |                 |
| - Rescans are conducted as needed.                 |                |                |                 |
|                                                    |                |                |                 |
| - Scans are performed by qualified personnel and   |                |                |                 |
|   organizational independence of the tester exists |                |                |                 |
|   (not required to be a QSA or ASV).               |                |                |                 |
+----------------------------------------------------+----------------+----------------+-----------------+
| > **Assessment Findings (select one)**             |                |                |                 |
+----------------------------------------------------+----------------+----------------+-----------------+
| **In Place**                                       | **Not          | **Not Tested** | **Not in Place**|
|                                                    | Applicable**   |                |                 |
+----------------------------------------------------+----------------+----------------+-----------------+
| ☐                                                  | ☐              | ☐              | ☐               |
+----------------------------------------------------+----------------+----------------+-----------------+
| Describe why the assessment finding was selected.  |                | \<Enter        |                 |
|                                                    |                | Response Here\>|                 |
| ***Note**: Include all details as noted in the     |                |                |                 |
| "Required Reporting" column of the table in        |                |                |                 |
| [Assessment Findings](#assessment-findings) in the |                |                |                 |
| ROC Template Instructions.*                        |                |                |                 |
+----------------------------------------------------+----------------+----------------+-----------------+
| **Validation Method -- Customized Approach**       |                |                |                 |
+----------------------------------------------------+----------------+----------------+-----------------+
| **Indicate** whether a Customized Approach was     |                | ☐ Yes ☐ No     |                 |
| used:                                              |                |                |                 |
+----------------------------------------------------+----------------+----------------+-----------------+
| **If "Yes", Identify** the aspect(s) of the        |                | \<Enter        |                 |
| requirement where the Customized Approach was used.|                | Response Here\>|                 |
|                                                    |                |                |                 |
| ***Note:** The use of Customized Approach must also|                |                |                 |
| be documented in [Appendix                         |                |                |                 |
| E.](#appendix-e-customized-approach-template)*     |                |                |                 |
+----------------------------------------------------+----------------+----------------+-----------------+
| **Validation Method -- Defined Approach**          |                |                |                 |
+----------------------------------------------------+----------------+----------------+-----------------+
| **Indicate** whether a Compensating Control was    |                | ☐ Yes ☐ No     |                 |
| used:                                              |                |                |                 |
+----------------------------------------------------+----------------+----------------+-----------------+
| **If "Yes", Identify** the aspect(s) of the        |                | \<Enter        |                 |
| requirement where the Compensating Control(s) was  |                | Response Here\>|                 |
| used.                                              |                |                |                 |
|                                                    |                |                |                 |
| ***Note:** The use of Compensating Controls must   |                |                |                 |
| also be documented in [Appendix                    |                |                |                 |
| C.](#appendix-c-compensating-controls-worksheet)*  |                |                |                 |
+----------------------------------------------------+----------------+----------------+-----------------+
+-----------------+---------------------+------------------------------+
| > **Testing | > **Reporting | > **Reporting Details: |
| > Procedures** | > Instructions** | > Assessor's Response** |
+=================+=====================+==============================+
| **11.3.1.3.a** | **Identify** the | \<Enter Response Here\> |
| Examine change | evidence reference | |
| control | number(s) from | |
| documentation | [Section | |
| and internal | 6](#evidence-ass | |
| scan reports to | essment-workpapers) | |
| verify that | for all **change | |
| system | control | |
| components were | documentation** | |
| scanned after | examined for this | |
| any significant | testing procedure. | |
| changes. | | |
+-----------------+---------------------+------------------------------+
| | **Identify** the | \<Enter Response Here\> |
| | evidence reference | |
| | number(s) from | |
| | [Section | |
| | 6](#evidence-ass | |
| | essment-workpapers) | |
| | for all **internal | |
| | scan reports** | |
| | examined for this | |
| | testing procedure. | |
+-----------------+---------------------+------------------------------+
| **11.3.1.3.b** | **Identify** the | \<Enter Response Here\> |
| Interview | evidence reference | |
| personnel and | number(s) from | |
| examine | [Section | |
| internal scan | 6](#evidence-ass | |
| and rescan | essment-workpapers) | |
| reports to | for all | |
| verify that | **interview(s)** | |
| internal scans | conducted for this | |
| were performed | testing procedure. | |
| after | | |
| significant | | |
| changes and | | |
| that high-risk | | |
| and critical | | |
| vulnerabilities | | |
| as defined in | | |
| Requirement | | |
| 6.3.1 were | | |
| resolved. | | |
+-----------------+---------------------+------------------------------+
| | **Identify** the | \<Enter Response Here\> |
| | evidence reference | |
| | number(s) from | |
| | [Section | |
| | 6](#evidence-ass | |
| | essment-workpapers) | |
| | for all **internal | |
| | scan and rescan | |
| | reports** examined | |
| | for this testing | |
| | procedure. | |
+-----------------+---------------------+------------------------------+
| **11.3.1.3.c** | **Identify** the | \<Enter Response Here\> |
| Interview | evidence reference | |
| personnel to | number(s) from | |
| verify that | [Section | |
| internal scans | 6](#evidence-ass | |
| are performed | essment-workpapers) | |
| by a qualified | for all | |
| internal | **interview(s)** | |
| resource(s) or | conducted for this | |
| qualified | testing procedure. | |
| external third | | |
| party and that | | |
| organizational | | |
| independence of | | |
| the tester | | |
| exists. | | |
+-----------------+---------------------+------------------------------+
+----------------------------------------------------+----------------+----------------+-----------------+
| > **PCI DSS Requirement**                          |                |                |                 |
+====================================================+================+================+=================+
| **11.3.2** External vulnerability scans are        |                |                |                 |
| performed as follows:                              |                |                |                 |
|                                                    |                |                |                 |
| - At least once every three months.                |                |                |                 |
|                                                    |                |                |                 |
| - By PCI SSC Approved Scanning Vendor (ASV).       |                |                |                 |
|                                                    |                |                |                 |
| - Vulnerabilities are resolved and *ASV Program    |                |                |                 |
|   Guide* requirements for a passing scan are met.  |                |                |                 |
|                                                    |                |                |                 |
| - Rescans are performed as needed to confirm that  |                |                |                 |
|   vulnerabilities are resolved per the *ASV Program|                |                |                 |
|   Guide* requirements for a passing scan.          |                |                |                 |
+----------------------------------------------------+----------------+----------------+-----------------+
| > **Assessment Findings (select one)**             |                |                |                 |
+----------------------------------------------------+----------------+----------------+-----------------+
| **In Place**                                       | **Not          | **Not Tested** | **Not in Place**|
|                                                    | Applicable**   |                |                 |
+----------------------------------------------------+----------------+----------------+-----------------+
| ☐                                                  | ☐              | ☐              | ☐               |
+----------------------------------------------------+----------------+----------------+-----------------+
| Describe why the assessment finding was selected.  |                | \<Enter        |                 |
|                                                    |                | Response Here\>|                 |
| ***Note**: Include all details as noted in the     |                |                |                 |
| "Required Reporting" column of the table in        |                |                |                 |
| [Assessment Findings](#assessment-findings) in the |                |                |                 |
| ROC Template Instructions.*                        |                |                |                 |
+----------------------------------------------------+----------------+----------------+-----------------+
| **Validation Method -- Customized Approach**       |                |                |                 |
+----------------------------------------------------+----------------+----------------+-----------------+
| This requirement is not eligible for the customized|                |                |                 |
| approach.                                          |                |                |                 |
+----------------------------------------------------+----------------+----------------+-----------------+
| **Validation Method -- Defined Approach**          |                |                |                 |
+----------------------------------------------------+----------------+----------------+-----------------+
| **Indicate** whether a Compensating Control was    |                | ☐ Yes ☐ No     |                 |
| used:                                              |                |                |                 |
+----------------------------------------------------+----------------+----------------+-----------------+
| **If "Yes", Identify** the aspect(s) of the        |                | \<Enter        |                 |
| requirement where the Compensating Control(s) was  |                | Response Here\>|                 |
| used.                                              |                |                |                 |
|                                                    |                |                |                 |
| ***Note:** The use of Compensating Controls must   |                |                |                 |
| also be documented in [Appendix                    |                |                |                 |
| C.](#appendix-c-compensating-controls-worksheet)*  |                |                |                 |
+----------------------------------------------------+----------------+----------------+-----------------+
+-----------------+-------------------------------------+------------------------------+
| > **Testing     | > **Reporting Instructions**        | > **Reporting Details:       |
| > Procedures**  |                                     | > Assessor's Response**      |
+=================+=====================================+==============================+
| **11.3.2.a**    | **Identify** the evidence reference | \<Enter Response Here\>      |
| Examine ASV     | number(s) from [Section             |                              |
| scan reports    | 6](#evidence-assessment-workpapers) |                              |
| from the last   | for all **ASV scan reports**        |                              |
| 12 months to    | examined for this testing           |                              |
| verify that     | procedure.                          |                              |
| external        |                                     |                              |
| vulnerability   |                                     |                              |
| scans occurred  |                                     |                              |
| at least once   |                                     |                              |
| every three     |                                     |                              |
| months in the   |                                     |                              |
| most recent     |                                     |                              |
| 12-month        |                                     |                              |
| period.         |                                     |                              |
+-----------------+-------------------------------------+------------------------------+
| **11.3.2.b**    | **Identify** the evidence reference | \<Enter Response Here\>      |
| Examine the ASV | number(s) from [Section             |                              |
| scan report     | 6](#evidence-assessment-workpapers) |                              |
| from each scan  | for all **ASV scan report results** |                              |
| and rescan run  | examined for this testing           |                              |
| in the last 12  | procedure.                          |                              |
| months to       |                                     |                              |
| verify that     |                                     |                              |
| vulnerabilities |                                     |                              |
| are resolved    |                                     |                              |
| and the ASV     |                                     |                              |
| Program Guide   |                                     |                              |
| requirements    |                                     |                              |
| for a passing   |                                     |                              |
| scan are met.   |                                     |                              |
+-----------------+-------------------------------------+------------------------------+
| **11.3.2.c**    | **Identify** the evidence reference | \<Enter Response Here\>      |
| Examine the ASV | number(s) from [Section             |                              |
| scan reports to | 6](#evidence-assessment-workpapers) |                              |
| verify that the | for all **ASV scan reports**        |                              |
| scans were      | examined for this testing           |                              |
| completed by a  | procedure.                          |                              |
| PCI SSC         |                                     |                              |
| Approved        |                                     |                              |
| Scanning Vendor |                                     |                              |
| (ASV).          |                                     |                              |
+-----------------+-------------------------------------+------------------------------+

+----------------------------------------------------+----------------+----------------+-----------------+
| > **PCI DSS Requirement**                          |                |                |                 |
+====================================================+================+================+=================+
| **11.3.2.1** External vulnerability scans are      |                |                |                 |
| performed after any significant change as follows: |                |                |                 |
|                                                    |                |                |                 |
| - Vulnerabilities that are scored 4.0 or higher by |                |                |                 |
|   the CVSS are resolved.                           |                |                |                 |
|                                                    |                |                |                 |
| - Rescans are conducted as needed.                 |                |                |                 |
|                                                    |                |                |                 |
| - Scans are performed by qualified personnel and   |                |                |                 |
|   organizational independence of the tester exists |                |                |                 |
|   (not required to be a QSA or ASV).               |                |                |                 |
+----------------------------------------------------+----------------+----------------+-----------------+
| > **Assessment Findings (select one)**             |                |                |                 |
+----------------------------------------------------+----------------+----------------+-----------------+
| **In Place**                                       | **Not          | **Not Tested** | **Not in Place**|
|                                                    | Applicable**   |                |                 |
+----------------------------------------------------+----------------+----------------+-----------------+
| ☐                                                  | ☐              | ☐              | ☐               |
+----------------------------------------------------+----------------+----------------+-----------------+
| Describe why the assessment finding was selected.  |                | \<Enter        |                 |
|                                                    |                | Response Here\>|                 |
| ***Note**: Include all details as noted in the     |                |                |                 |
| "Required Reporting" column of the table in        |                |                |                 |
| [Assessment Findings](#assessment-findings) in the |                |                |                 |
| ROC Template Instructions.*                        |                |                |                 |
+----------------------------------------------------+----------------+----------------+-----------------+
+-----------------+---------------------+------------------------------+
| **Validation | | |
| Method -- | | |
| Customized | | |
| Approach** | | |
+=================+=====================+==============================+
| **Indicate**    |                     | ☐ Yes ☐ No                   |
| whether a | | |
| Customized | | |
| Approach was | | |
| used: | | |
+-----------------+---------------------+------------------------------+
| **If "Yes", | | \<Enter Response Here\> |
| Identify** the | | |
| aspect(s) of | | |
| the requirement | | |
| where the | | |
| Customized | | |
| Approach was | | |
| used. | | |
| | | |
| ***Note:** The | | |
| use of | | |
| Customized | | |
| Approach must | | |
| also be | | |
| documented in | | |
| [Appendix | | |
| E | | |
| .](#appendix-e- | | |
| customized-appr | | |
| oach-template)* | | |
+-----------------+---------------------+------------------------------+
| **Validation | | |
| Method -- | | |
| Defined | | |
| Approach** | | |
+-----------------+---------------------+------------------------------+
| **Indicate**    |                     | ☐ Yes ☐ No                   |
| whether a | | |
| Compensating | | |
| Control was | | |
| used: | | |
+-----------------+---------------------+------------------------------+
| **If "Yes", | | \<Enter Response Here\> |
| Identify** the | | |
| aspect(s) of | | |
| the requirement | | |
| where the | | |
| Compensating | | |
| Control(s) was | | |
| used. | | |
| | | |
| ***Note:** The | | |
| use of | | |
| Compensating | | |
| Controls must | | |
| also be | | |
| documented in | | |
| [Appendix | | |
| C.]( | | |
| #appendix-c-com | | |
| pensating-contr | | |
| ols-worksheet)* | | |
+-----------------+---------------------+------------------------------+
| > **Testing | > **Reporting | > **Reporting Details: |
| > Procedures** | > Instructions** | > Assessor's Response** |
+-----------------+---------------------+------------------------------+
| **11.3.2.1.a** | **Identify** the | \<Enter Response Here\> |
| Examine change | evidence reference | |
| control | number(s) from | |
| documentation | [Section | |
| and external | 6](#evidence-ass | |
| scan reports to | essment-workpapers) | |
| verify that | for all **change | |
| system | control** | |
| components were | documentation | |
| scanned after | examined for this | |
| any significant | testing procedure. | |
| changes. | | |
+-----------------+---------------------+------------------------------+
| | **Identify** the | \<Enter Response Here\> |
| | evidence reference | |
| | number(s) from | |
| | [Section | |
| | 6](#evidence-ass | |
| | essment-workpapers) | |
| | for all **external | |
| | scan reports** | |
| | examined for this | |
| | testing procedure. | |
+-----------------+---------------------+------------------------------+
| **11.3.2.1.b** | **Identify** the | \<Enter Response Here\> |
| Interview | evidence reference | |
| personnel and | number(s) from | |
| examine | [Section | |
| external scan | 6](#evidence-ass | |
| and rescan | essment-workpapers) | |
| reports to | for all | |
| verify that | **interview(s)** | |
| external scans | conducted for this | |
| were performed | testing procedure. | |
| after | | |
| significant | | |
| changes and | | |
| that | | |
| vulnerabilities | | |
| scored 4.0 or | | |
| higher by the | | |
| CVSS were | | |
| resolved. | | |
+-----------------+---------------------+------------------------------+
| | **Identify** the | \<Enter Response Here\> |
| | evidence reference | |
| | number(s) from | |
| | [Section | |
| | 6](#evidence-ass | |
| | essment-workpapers) | |
| | for all **external | |
| | scan and rescan | |
| | reports** examined | |
| | for this testing | |
| | procedure. | |
+-----------------+---------------------+------------------------------+
| **11.3.2.1.c**  | **Identify** the    | \<Enter Response Here\>      |
| Interview       | evidence reference  |                              |
| personnel to    | number(s) from      |                              |
| verify that     | [Section            |                              |
| external scans  | 6](#evidence-ass    |                              |
| are performed   | essment-workpapers) |                              |
| by a qualified  | for all             |                              |
| internal        | **interview(s)**    |                              |
| resource(s) or  | conducted for this  |                              |
| qualified       | testing procedure.  |                              |
| external third  |                     |                              |
| party and that  |                     |                              |
| organizational  |                     |                              |
| independence of |                     |                              |
| the tester      |                     |                              |
| exists.         |                     |                              |
+-----------------+---------------------+------------------------------+
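
The decision rules in 11.3.1.3, 11.3.2 and 11.3.2.1 above reduce to three checks an assessor repeats for every scan cycle: which findings block a clean result (CVSS 4.0 or higher for external scans; the entity's own high-risk and critical rankings from Requirement 6.3.1 for internal scans), whether a rescan actually no longer reports each such finding, and whether external scans fall within the required cadence. The Python below is an added example and is not part of the ROC template. Findings, check names, hosts and dates are constructed; treating "at least once every three months" as no more than 92 days between consecutive scans, measured from the start of the 12-month period to its end, is this example's assumption and not a figure from the template.

```python
"""Finding triage, rescan verification and scan cadence (11.3.1.3, 11.3.2, 11.3.2.1).

Added example for the PCI DSS v4.0 ROC template; not part of the template itself.
Findings, check names, hosts and dates are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Tuple

EXTERNAL_CVSS_THRESHOLD = 4.0             # stated in 11.3.2.1
INTERNAL_MUST_FIX = {"critical", "high"}  # the 6.3.1 rankings named in 11.3.1.3


@dataclass(frozen=True)
class Finding:
    host: str
    check: str      # scanner check name (constructed; not a real plugin or CVE identifier)
    cvss: float
    ranking: str    # the entity's own 6.3.1 ranking: critical / high / medium / low


def must_resolve(f: Finding, external: bool) -> bool:
    """Does this finding block a clean result under the applicable criterion?"""
    if external:
        return f.cvss >= EXTERNAL_CVSS_THRESHOLD
    return f.ranking in INTERNAL_MUST_FIX


def unresolved_after_rescan(initial: Iterable[Finding], rescan: Iterable[Finding],
                            external: bool) -> List[Tuple[str, str]]:
    """Findings that had to be resolved and that the rescan still reports.

    A finding counts as resolved only when the rescan no longer reports the
    same check on the same host; a closed ticket on its own is not evidence.
    """
    still_open = {(f.host, f.check) for f in rescan}
    return sorted((f.host, f.check) for f in initial
                  if must_resolve(f, external) and (f.host, f.check) in still_open)


def cadence_gaps(scan_dates: Iterable[date], period_start: date, period_end: date,
                 max_gap_days: int = 92) -> List[Tuple[date, date]]:
    """Intervals inside the period longer than max_gap_days with no scan.

    The 92-day figure approximates "once every three months" and is this
    example's assumption; the period boundaries are included so that a long
    run-up before the first scan, or after the last one, also shows up.
    """
    in_period = sorted(d for d in scan_dates if period_start <= d <= period_end)
    points = [period_start] + in_period + [period_end]
    return [(a, b) for a, b in zip(points, points[1:]) if (b - a).days > max_gap_days]


# Constructed sample data: one scan, its rescan, and a year of external scan dates.
INITIAL = [
    Finding("web01", "tls-weak-cipher-suites", 5.3, "medium"),
    Finding("app01", "outdated-tls-configuration", 4.3, "low"),
    Finding("db01", "sensitive-data-in-logs", 3.7, "high"),
    Finding("vpn01", "unauthenticated-remote-code-exec", 9.8, "critical"),
]
RESCAN = [
    Finding("app01", "outdated-tls-configuration", 4.3, "low"),  # still present
    Finding("db01", "sensitive-data-in-logs", 3.7, "high"),      # still present
]
PERIOD_START, PERIOD_END = date(2024, 1, 1), date(2024, 12, 31)
SCAN_DATES = [date(2024, 2, 10), date(2024, 5, 5), date(2024, 9, 20), date(2024, 12, 1)]

if __name__ == "__main__":
    print("external, still blocking:", unresolved_after_rescan(INITIAL, RESCAN, external=True))
    print("internal, still blocking:", unresolved_after_rescan(INITIAL, RESCAN, external=False))
    print("cadence gaps:", cadence_gaps(SCAN_DATES, PERIOD_START, PERIOD_END))
```

Run against the sample data, the same four findings give two different answers: under the external criterion the app01 finding (CVSS 4.3, ranked low by the entity) is still blocking, while under the internal criterion it is the db01 finding (CVSS 3.7, ranked high by the entity) that is. The scan dates show one gap, from 5 May to 20 September 2024, that a calendar-quarter check would miss because each quarter does contain a scan.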
+----------------------------------------------------+----------------+----------------+-----------------+
| **Requirement Description**                        |                |                |                 |
+====================================================+================+================+=================+
| **11.4** External and internal penetration testing |                |                |                 |
| is regularly performed, and exploitable            |                |                |                 |
| vulnerabilities and security weaknesses are        |                |                |                 |
| corrected.                                         |                |                |                 |
+----------------------------------------------------+----------------+----------------+-----------------+
| **PCI DSS Requirement**                            |                |                |                 |
+----------------------------------------------------+----------------+----------------+-----------------+
| **11.4.1** A penetration testing methodology is    |                |                |                 |
| defined, documented, and implemented by the entity |                |                |                 |
| and includes:                                      |                |                |                 |
|                                                    |                |                |                 |
| - Industry-accepted penetration testing approaches.|                |                |                 |
|                                                    |                |                |                 |
| - Coverage for the entire CDE perimeter and        |                |                |                 |
|   critical systems.                                |                |                |                 |
|                                                    |                |                |                 |
| - Testing from both inside and outside the network.|                |                |                 |
|                                                    |                |                |                 |
| - Testing to validate any segmentation and         |                |                |                 |
|   scope-reduction controls.                        |                |                |                 |
|                                                    |                |                |                 |
| - Application-layer penetration testing to         |                |                |                 |
|   identify, at a minimum, the vulnerabilities      |                |                |                 |
|   listed in Requirement 6.2.4.                     |                |                |                 |
|                                                    |                |                |                 |
| - Network-layer penetration tests that encompass   |                |                |                 |
|   all components that support network functions as |                |                |                 |
|   well as operating systems.                       |                |                |                 |
|                                                    |                |                |                 |
| - Review and consideration of threats and          |                |                |                 |
|   vulnerabilities experienced in the last 12       |                |                |                 |
|   months.                                          |                |                |                 |
|                                                    |                |                |                 |
| - Documented approach to assessing and addressing  |                |                |                 |
|   the risk posed by exploitable vulnerabilities and|                |                |                 |
|   security weaknesses found during penetration     |                |                |                 |
|   testing.                                         |                |                |                 |
|                                                    |                |                |                 |
| - Retention of penetration testing results and     |                |                |                 |
|   remediation activities results for at least 12   |                |                |                 |
|   months.                                          |                |                |                 |
+----------------------------------------------------+----------------+----------------+-----------------+
| > **Assessment Findings (select one)**             |                |                |                 |
+----------------------------------------------------+----------------+----------------+-----------------+
| **In Place**                                       | **Not          | **Not Tested** | **Not in Place**|
|                                                    | Applicable**   |                |                 |
+----------------------------------------------------+----------------+----------------+-----------------+
| ☐                                                  | ☐              | ☐              | ☐               |
+----------------------------------------------------+----------------+----------------+-----------------+
| Describe why the assessment finding was selected.  |                | \<Enter        |                 |
|                                                    |                | Response Here\>|                 |
| ***Note**: Include all details as noted in the     |                |                |                 |
| "Required Reporting" column of the table in        |                |                |                 |
| [Assessment Findings](#assessment-findings) in the |                |                |                 |
| ROC Template Instructions.*                        |                |                |                 |
+----------------------------------------------------+----------------+----------------+-----------------+
+-----------------+-------------------+--------------------------------+
| **Validation | | |
| Method -- | | |
| Customized | | |
| Approach** | | |
+=================+===================+================================+
| **Indicate** | | - Yes ☐ No |
| whether a | | |
| Customized | | |
| Approach was | | |
| used: | | |
+-----------------+-------------------+--------------------------------+
| **If "Yes", | | \<Enter Response Here\> |
| Identify** the | | |
| aspect(s) of | | |
| the requirement | | |
| where the | | |
| Customized | | |
| Approach was | | |
| used. | | |
| | | |
| ***Note:** The | | |
| use of | | |
| Customized | | |
| Approach must | | |
| also be | | |
| documented in | | |
| [Appendix | | |
| E | | |
| .](#appendix-e- | | |
| customized-appr | | |
| oach-template)* | | |
+-----------------+-------------------+--------------------------------+
| **Validation | | |
| Method -- | | |
| Defined | | |
| Approach** | | |
+-----------------+-------------------+--------------------------------+
| **Indicate** | | - Yes ☐ No |
| whether a | | |
| Compensating | | |
| Control was | | |
| used: | | |
+-----------------+-------------------+--------------------------------+
| **If "Yes", | | \<Enter Response Here\> |
| Identify** the | | |
| aspect(s) of | | |
| the requirement | | |
| where the | | |
| Compensating | | |
| Control(s) was | | |
| used. | | |
| | | |
| ***Note:** The | | |
| use of | | |
| Compensating | | |
| Controls must | | |
| also be | | |
| documented in | | |
| [Appendix | | |
| C.]( | | |
| #appendix-c-com | | |
| pensating-contr | | |
| ols-worksheet)* | | |
+-----------------+-------------------+--------------------------------+
| > **Testing | > **Reporting | > **Reporting Details: |
| > Procedures** | > Instructions** | > Assessor's Response** |
+-----------------+-------------------+--------------------------------+
| **11.4.1** | **Identify** the | \<Enter Response Here\> |
| Examine | evidence | |
| documentation | reference | |
| and interview | number(s) from | |
| personnel to | [Section | |
| verify that the | 6 | |
| pene | ](#evidence-asses | |
| tration-testing | sment-workpapers) | |
| methodology | for all | |
| defined, | **documentation** | |
| documented, and | examined for this | |
| implemented by | testing | |
| the entity | procedure. | |
| includes all | | |
| elements | | |
| specified in | | |
| this | | |
| requirement. | | |
+-----------------+-------------------+--------------------------------+
| | **Identify** the | \<Enter Response Here\> |
| | evidence | |
| | reference | |
| | number(s) from | |
| | [Section | |
| | 6 | |
| | ](#evidence-asses | |
| | sment-workpapers) | |
| | for all | |
| | **interview(s)** | |
| | conducted for | |
| | this testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+

+-------------------------+-------------------------+-------------------------+-----------------------+
| **PCI DSS Requirement**                                                                             |
+=========================+=========================+=========================+=======================+
| **11.4.2** Internal penetration testing is performed:                                               |
|                                                                                                     |
| - Per the entity's defined methodology                                                              |
| - At least once every 12 months                                                                     |
| - After any significant infrastructure or application upgrade or change                             |
| - By a qualified internal resource or qualified external third-party                                |
| - Organizational independence of the tester exists (not required to be a QSA or ASV)                |
+-------------------------+-------------------------+-------------------------+-----------------------+
| **Assessment Findings (select one)**                                                                |
+-------------------------+-------------------------+-------------------------+-----------------------+
| **In Place**            | **Not Applicable**      | **Not Tested**          | **Not in Place**      |
+-------------------------+-------------------------+-------------------------+-----------------------+
| ☐                       | ☐                       | ☐                       | ☐                     |
+-------------------------+-------------------------+-------------------------+-----------------------+
| Describe why the assessment finding was selected. | \<Enter Response Here\>                         |
|                                                   |                                                 |
| ***Note**: Include all details as noted in the    |                                                 |
| "Required Reporting" column of the table in       |                                                 |
| [Assessment Findings](#assessment-findings) in    |                                                 |
| the ROC Template Instructions.*                   |                                                 |
+-------------------------+-------------------------+-------------------------+-----------------------+

+----------------------------+----------------------------------------------+-------------------------+
| **Validation Method -- Customized Approach**                                                        |
+============================+==============================================+=========================+
| **Indicate** whether a Customized Approach was used:                      | ☐ Yes ☐ No              |
+----------------------------+----------------------------------------------+-------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the         | \<Enter Response Here\> |
| Customized Approach was used.                                             |                         |
|                                                                           |                         |
| ***Note:** The use of Customized Approach must also be documented in      |                         |
| [Appendix E.](#appendix-e-customized-approach-template)*                  |                         |
+----------------------------+----------------------------------------------+-------------------------+
| **Validation Method -- Defined Approach**                                                           |
+----------------------------+----------------------------------------------+-------------------------+
| **Indicate** whether a Compensating Control was used:                     | ☐ Yes ☐ No              |
+----------------------------+----------------------------------------------+-------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the         | \<Enter Response Here\> |
| Compensating Control(s) was used.                                         |                         |
|                                                                           |                         |
| ***Note:** The use of Compensating Controls must also be documented in    |                         |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*               |                         |
+----------------------------+----------------------------------------------+-------------------------+
| **Testing Procedures**     | **Reporting Instructions**                   | **Reporting Details:    |
|                            |                                              | Assessor's Response**   |
+----------------------------+----------------------------------------------+-------------------------+
| **11.4.2.a** Examine the   | **Identify** the evidence reference          | \<Enter Response Here\> |
| scope of work and results  | number(s) from                               |                         |
| from the most recent       | [Section 6](#evidence-assessment-workpapers) |                         |
| internal penetration test  | for the **scope of work** examined for this  |                         |
| to verify that penetration | testing procedure.                           |                         |
| testing is performed in    |                                              |                         |
| accordance with all        |                                              |                         |
| elements specified in this |                                              |                         |
| requirement.               |                                              |                         |
+----------------------------+----------------------------------------------+-------------------------+
|                            | **Identify** the evidence reference          | \<Enter Response Here\> |
|                            | number(s) from                               |                         |
|                            | [Section 6](#evidence-assessment-workpapers) |                         |
|                            | for the **results from the most recent       |                         |
|                            | internal penetration test** examined for     |                         |
|                            | this testing procedure.                      |                         |
+----------------------------+----------------------------------------------+-------------------------+
| **11.4.2.b** Interview     | **Identify** the evidence reference          | \<Enter Response Here\> |
| personnel to verify that   | number(s) from                               |                         |
| the internal penetration   | [Section 6](#evidence-assessment-workpapers) |                         |
| test was performed by a    | for all **interview(s)** conducted for this  |                         |
| qualified internal         | testing procedure.                           |                         |
| resource or qualified      |                                              |                         |
| external third-party and   |                                              |                         |
| that organizational        |                                              |                         |
| independence of the tester |                                              |                         |
| exists (not required to be |                                              |                         |
| a QSA or ASV).             |                                              |                         |
+----------------------------+----------------------------------------------+-------------------------+


+-------------------------+-------------------------+-------------------------+-----------------------+
| **PCI DSS Requirement**                                                                             |
+=========================+=========================+=========================+=======================+
| **11.4.3** External penetration testing is performed:                                               |
|                                                                                                     |
| - Per the entity's defined methodology                                                              |
| - At least once every 12 months                                                                     |
| - After any significant infrastructure or application upgrade or change                             |
| - By a qualified internal resource or qualified external third party                                |
| - Organizational independence of the tester exists (not required to be a QSA or ASV)                |
+-------------------------+-------------------------+-------------------------+-----------------------+
| **Assessment Findings (select one)**                                                                |
+-------------------------+-------------------------+-------------------------+-----------------------+
| **In Place**            | **Not Applicable**      | **Not Tested**          | **Not in Place**      |
+-------------------------+-------------------------+-------------------------+-----------------------+
| ☐                       | ☐                       | ☐                       | ☐                     |
+-------------------------+-------------------------+-------------------------+-----------------------+
| Describe why the assessment finding was selected. | \<Enter Response Here\>                         |
|                                                   |                                                 |
| ***Note**: Include all details as noted in the    |                                                 |
| "Required Reporting" column of the table in       |                                                 |
| [Assessment Findings](#assessment-findings) in    |                                                 |
| the ROC Template Instructions.*                   |                                                 |
+-------------------------+-------------------------+-------------------------+-----------------------+

+----------------------------+----------------------------------------------+-------------------------+
| **Validation Method -- Customized Approach**                                                        |
+============================+==============================================+=========================+
| **Indicate** whether a Customized Approach was used:                      | ☐ Yes ☐ No              |
+----------------------------+----------------------------------------------+-------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the         | \<Enter Response Here\> |
| Customized Approach was used.                                             |                         |
|                                                                           |                         |
| ***Note:** The use of Customized Approach must also be documented in      |                         |
| [Appendix E.](#appendix-e-customized-approach-template)*                  |                         |
+----------------------------+----------------------------------------------+-------------------------+
| **Validation Method -- Defined Approach**                                                           |
+----------------------------+----------------------------------------------+-------------------------+
| **Indicate** whether a Compensating Control was used:                     | ☐ Yes ☐ No              |
+----------------------------+----------------------------------------------+-------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the         | \<Enter Response Here\> |
| Compensating Control(s) was used.                                         |                         |
|                                                                           |                         |
| ***Note:** The use of Compensating Controls must also be documented in    |                         |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*               |                         |
+----------------------------+----------------------------------------------+-------------------------+
| **Testing Procedures**     | **Reporting Instructions**                   | **Reporting Details:    |
|                            |                                              | Assessor's Response**   |
+----------------------------+----------------------------------------------+-------------------------+
| **11.4.3.a** Examine the   | **Identify** the evidence reference          | \<Enter Response Here\> |
| scope of work and results  | number(s) from                               |                         |
| from the most recent       | [Section 6](#evidence-assessment-workpapers) |                         |
| external penetration test  | for the **scope of work** examined for this  |                         |
| to verify that penetration | testing procedure.                           |                         |
| testing is performed       |                                              |                         |
| according to all elements  |                                              |                         |
| specified in this          |                                              |                         |
| requirement.               |                                              |                         |
+----------------------------+----------------------------------------------+-------------------------+
|                            | **Identify** the evidence reference          | \<Enter Response Here\> |
|                            | number(s) from                               |                         |
|                            | [Section 6](#evidence-assessment-workpapers) |                         |
|                            | for the **results from the most recent**     |                         |
|                            | external penetration test examined for this  |                         |
|                            | testing procedure.                           |                         |
+----------------------------+----------------------------------------------+-------------------------+
| **11.4.3.b** Interview     | **Identify** the evidence reference          | \<Enter Response Here\> |
| personnel to verify that   | number(s) from                               |                         |
| the external penetration   | [Section 6](#evidence-assessment-workpapers) |                         |
| test was performed by a    | for all **interview(s)** conducted for this  |                         |
| qualified internal         | testing procedure.                           |                         |
| resource or qualified      |                                              |                         |
| external third-party and   |                                              |                         |
| that organizational        |                                              |                         |
| independence of the tester |                                              |                         |
| exists (not required to be |                                              |                         |
| a QSA or ASV).             |                                              |                         |
+----------------------------+----------------------------------------------+-------------------------+


+-------------------------+-------------------------+-------------------------+-----------------------+
| **PCI DSS Requirement**                                                                             |
+=========================+=========================+=========================+=======================+
| **11.4.4** Exploitable vulnerabilities and security weaknesses found during penetration testing are |
| corrected as follows:                                                                               |
|                                                                                                     |
| - In accordance with the entity's assessment of the risk posed by the security issue as defined in  |
|   Requirement 6.3.1.                                                                                |
| - Penetration testing is repeated to verify the corrections.                                        |
+-------------------------+-------------------------+-------------------------+-----------------------+
| **Assessment Findings (select one)**                                                                |
+-------------------------+-------------------------+-------------------------+-----------------------+
| **In Place**            | **Not Applicable**      | **Not Tested**          | **Not in Place**      |
+-------------------------+-------------------------+-------------------------+-----------------------+
| ☐                       | ☐                       | ☐                       | ☐                     |
+-------------------------+-------------------------+-------------------------+-----------------------+
| Describe why the assessment finding was selected. | \<Enter Response Here\>                         |
|                                                   |                                                 |
| ***Note**: Include all details as noted in the    |                                                 |
| "Required Reporting" column of the table in       |                                                 |
| [Assessment Findings](#assessment-findings) in    |                                                 |
| the ROC Template Instructions.*                   |                                                 |
+-------------------------+-------------------------+-------------------------+-----------------------+

+----------------------------+----------------------------------------------+-------------------------+
| **Validation Method -- Customized Approach**                                                        |
+============================+==============================================+=========================+
| **Indicate** whether a Customized Approach was used:                      | ☐ Yes ☐ No              |
+----------------------------+----------------------------------------------+-------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the         | \<Enter Response Here\> |
| Customized Approach was used.                                             |                         |
|                                                                           |                         |
| ***Note:** The use of Customized Approach must also be documented in      |                         |
| [Appendix E.](#appendix-e-customized-approach-template)*                  |                         |
+----------------------------+----------------------------------------------+-------------------------+
| **Validation Method -- Defined Approach**                                                           |
+----------------------------+----------------------------------------------+-------------------------+
| **Indicate** whether a Compensating Control was used:                     | ☐ Yes ☐ No              |
+----------------------------+----------------------------------------------+-------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the         | \<Enter Response Here\> |
| Compensating Control(s) was used.                                         |                         |
|                                                                           |                         |
| ***Note:** The use of Compensating Controls must also be documented in    |                         |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*               |                         |
+----------------------------+----------------------------------------------+-------------------------+
| **Testing Procedures**     | **Reporting Instructions**                   | **Reporting Details:    |
|                            |                                              | Assessor's Response**   |
+----------------------------+----------------------------------------------+-------------------------+
| **11.4.4** Examine         | **Identify** the evidence reference          | \<Enter Response Here\> |
| penetration testing        | number(s) from                               |                         |
| results to verify that     | [Section 6](#evidence-assessment-workpapers) |                         |
| noted exploitable          | for all **penetration testing results**      |                         |
| vulnerabilities and        | examined for this testing procedure.         |                         |
| security weaknesses were   |                                              |                         |
| corrected in accordance    |                                              |                         |
| with all elements          |                                              |                         |
| specified in this          |                                              |                         |
| requirement.               |                                              |                         |
+----------------------------+----------------------------------------------+-------------------------+


+-------------------------+-------------------------+-------------------------+-----------------------+
| **PCI DSS Requirement**                                                                             |
+=========================+=========================+=========================+=======================+
| **11.4.5** If segmentation is used to isolate the CDE from other networks, penetration tests are    |
| performed on segmentation controls as follows:                                                      |
|                                                                                                     |
| - At least once every 12 months and after any changes to segmentation controls/methods              |
| - Covering all segmentation controls/methods in use                                                 |
| - According to the entity's defined penetration testing methodology                                 |
| - Confirming that the segmentation controls/methods are operational and effective, and isolate the  |
|   CDE from all out-of-scope systems                                                                 |
| - Confirming effectiveness of any use of isolation to separate systems with differing security      |
|   levels (see Requirement 2.2.3)                                                                    |
| - Performed by a qualified internal resource or qualified external third party                      |
| - Organizational independence of the tester exists (not required to be a QSA or ASV)                |
+-------------------------+-------------------------+-------------------------+-----------------------+
| **Assessment Findings (select one)**                                                                |
+-------------------------+-------------------------+-------------------------+-----------------------+
| **In Place**            | **Not Applicable**      | **Not Tested**          | **Not in Place**      |
+-------------------------+-------------------------+-------------------------+-----------------------+
| ☐                       | ☐                       | ☐                       | ☐                     |
+-------------------------+-------------------------+-------------------------+-----------------------+
| Describe why the assessment finding was selected. | \<Enter Response Here\>                         |
|                                                   |                                                 |
| ***Note**: Include all details as noted in the    |                                                 |
| "Required Reporting" column of the table in       |                                                 |
| [Assessment Findings](#assessment-findings) in    |                                                 |
| the ROC Template Instructions.*                   |                                                 |
+-------------------------+-------------------------+-------------------------+-----------------------+

+----------------------------+----------------------------------------------+-------------------------+
| **Validation Method -- Customized Approach**                                                        |
+============================+==============================================+=========================+
| **Indicate** whether a Customized Approach was used:                      | ☐ Yes ☐ No              |
+----------------------------+----------------------------------------------+-------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the         | \<Enter Response Here\> |
| Customized Approach was used.                                             |                         |
|                                                                           |                         |
| ***Note:** The use of Customized Approach must also be documented in      |                         |
| [Appendix E.](#appendix-e-customized-approach-template)*                  |                         |
+----------------------------+----------------------------------------------+-------------------------+
| **Validation Method -- Defined Approach**                                                           |
+----------------------------+----------------------------------------------+-------------------------+
| **Indicate** whether a Compensating Control was used:                     | ☐ Yes ☐ No              |
+----------------------------+----------------------------------------------+-------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the         | \<Enter Response Here\> |
| Compensating Control(s) was used.                                         |                         |
|                                                                           |                         |
| ***Note:** The use of Compensating Controls must also be documented in    |                         |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*               |                         |
+----------------------------+----------------------------------------------+-------------------------+
| **Testing Procedures**     | **Reporting Instructions**                   | **Reporting Details:    |
|                            |                                              | Assessor's Response**   |
+----------------------------+----------------------------------------------+-------------------------+
| **11.4.5.a** Examine       | **Identify** the evidence reference          | \<Enter Response Here\> |
| segmentation controls and  | number(s) from                               |                         |
| review penetration-testing | [Section 6](#evidence-assessment-workpapers) |                         |
| methodology to verify that | for all **segmentation controls** examined   |                         |
| penetration-testing        | for this testing procedure.                  |                         |
| procedures are defined to  |                                              |                         |
| test all segmentation      |                                              |                         |
| methods in accordance with |                                              |                         |
| all elements specified in  |                                              |                         |
| this requirement.          |                                              |                         |
+----------------------------+----------------------------------------------+-------------------------+
|                            | **Identify** the evidence reference          | \<Enter Response Here\> |
|                            | number(s) from                               |                         |
|                            | [Section 6](#evidence-assessment-workpapers) |                         |
|                            | for the **penetration testing methodology**  |                         |
|                            | examined for this testing procedure.         |                         |
+----------------------------+----------------------------------------------+-------------------------+
| **11.4.5.b** Examine the   | **Identify** the evidence reference          | \<Enter Response Here\> |
| results from the most      | number(s) from                               |                         |
| recent penetration test to | [Section 6](#evidence-assessment-workpapers) |                         |
| verify the penetration     | for all **results from the most recent       |                         |
| test covers and addresses  | penetration test** examined for this testing |                         |
| all elements specified in  | procedure.                                   |                         |
| this requirement.          |                                              |                         |
+----------------------------+----------------------------------------------+-------------------------+
| **11.4.5.c** Interview     | **Identify** the evidence reference          | \<Enter Response Here\> |
| personnel to verify that   | number(s) from                               |                         |
| the test was performed by  | [Section 6](#evidence-assessment-workpapers) |                         |
| a qualified internal       | for all **interview(s)** conducted for this  |                         |
| resource or qualified      | testing procedure.                           |                         |
| external third party and   |                                              |                         |
| that organizational        |                                              |                         |
| independence of the tester |                                              |                         |
| exists (not required to be |                                              |                         |
| a QSA or ASV).             |                                              |                         |
+----------------------------+----------------------------------------------+-------------------------+


+-------------------------+-------------------------+-------------------------+-----------------------+
| **PCI DSS Requirement**                                                                             |
+=========================+=========================+=========================+=======================+
| **11.4.6** *Additional requirement for service providers only:* If segmentation is used to isolate  |
| the CDE from other networks, penetration tests are performed on segmentation controls as follows:   |
|                                                                                                     |
| - At least once every six months and after any changes to segmentation controls/methods.            |
| - Covering all segmentation controls/methods in use.                                                |
| - According to the entity's defined penetration testing methodology.                                |
| - Confirming that the segmentation controls/methods are operational and effective, and isolate the  |
|   CDE from all out-of-scope systems.                                                                |
| - Confirming effectiveness of any use of isolation to separate systems with differing security      |
|   levels (see Requirement 2.2.3).                                                                   |
| - Performed by a qualified internal resource or qualified external third party.                     |
| - Organizational independence of the tester exists (not required to be a QSA or ASV).               |
+-------------------------+-------------------------+-------------------------+-----------------------+
| **Assessment Findings (select one)**                                                                |
+-------------------------+-------------------------+-------------------------+-----------------------+
| **In Place**            | **Not Applicable**      | **Not Tested**          | **Not in Place**      |
+-------------------------+-------------------------+-------------------------+-----------------------+
| ☐                       | ☐                       | ☐                       | ☐                     |
+-------------------------+-------------------------+-------------------------+-----------------------+
| Describe why the assessment finding was selected. | \<Enter Response Here\>                         |
|                                                   |                                                 |
| ***Note**: Include all details as noted in the    |                                                 |
| "Required Reporting" column of the table in       |                                                 |
| [Assessment Findings](#assessment-findings) in    |                                                 |
| the ROC Template Instructions.*                   |                                                 |
+-------------------------+-------------------------+-------------------------+-----------------------+

+----------------------------+----------------------------------------------+-------------------------+
| **Validation Method -- Customized Approach**                                                        |
+============================+==============================================+=========================+
| **Indicate** whether a Customized Approach was used:                      | ☐ Yes ☐ No              |
+----------------------------+----------------------------------------------+-------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the         | \<Enter Response Here\> |
| Customized Approach was used.                                             |                         |
|                                                                           |                         |
| ***Note:** The use of Customized Approach must also be documented in      |                         |
| [Appendix E.](#appendix-e-customized-approach-template)*                  |                         |
+----------------------------+----------------------------------------------+-------------------------+

+-----------------+-------------------+--------------------------------+
| **Validation | | |
| Method -- | | |
| Defined | | |
| Approach** | | |
+=================+===================+================================+
| **Indicate** | | - Yes ☐ No |
| whether a | | |
| Compensating | | |
| Control was | | |
| used: | | |
+-----------------+-------------------+--------------------------------+
| **If "Yes", | | \<Enter Response Here\> |
| Identify** the | | |
| aspect(s) of | | |
| the requirement | | |
| where the | | |
| Compensating | | |
| Control(s) was | | |
| used. | | |
| | | |
| ***Note:** The | | |
| use of | | |
| Compensating | | |
| Controls must | | |
| also be | | |
| documented in | | |
| [Appendix | | |
| C.]( | | |
| #appendix-c-com | | |
| pensating-contr | | |
| ols-worksheet)* | | |
+-----------------+-------------------+--------------------------------+
| > **Testing | > **Reporting | > **Reporting Details: |
| > Procedures** | > Instructions** | > Assessor's Response** |
+-----------------+-------------------+--------------------------------+
| **11.4.6.a | **Identify** the | \<Enter Response Here\> |
| *Additional | evidence | |
| testing | reference | |
| procedure for | number(s) from | |
| service | [Section | |
| provider | 6 | |
| assessments | ](#evidence-asses | |
| only: | sment-workpapers) | |
| ***Examine the | for the **results | |
| results from | from the most | |
| the most recent | recent | |
| penetration | penetration | |
| test to verify | test** examined | |
| that the | for this testing | |
| penetration | procedure. | |
| covers and | | |
| addresses all | | |
| elements | | |
| specified in | | |
| this | | |
| requirement. | | |
+-----------------+-------------------+--------------------------------+
| **11.4.6.b | **Identify** the | \<Enter Response Here\> |
| *Additional | evidence | |
| testing | reference | |
| procedure for | number(s) from | |
| service | [Section | |
| provider | 6 | |
| assessments | ](#evidence-asses | |
| only: | sment-workpapers) | |
| ***Interview | for all | |
| personnel to | **interview(s)** | |
| verify that the | conducted for | |
| test was | this testing | |
| performed by a | procedure. | |
| qualified | | |
| internal | | |
| resource or | | |
| qualified | | |
| external third | | |
| party and that | | |
| organizational | | |
| independence of | | |
| the tester | | |
| exists (not | | |
| required to be | | |
| a QSA or ASV). | | |
+-----------------+-------------------+--------------------------------+

+-------------------------------------------------------------------------------------------------------------------+
| **PCI DSS Requirement**                                                                                           |
+===================================================================================================================+
| **11.4.7** *Additional requirement for multi-tenant service providers only:* Multi-tenant service providers       |
| support their customers for external penetration testing per Requirement 11.4.3 and 11.4.4.                       |
|                                                                                                                   |
| ***Note:** This requirement is a **best practice** until **31 March 2025**, after which it will be required and   |
| must be fully considered during a PCI DSS assessment.*                                                            |
+-------------------------------------------------------------------------------------------------------------------+

+-------------------------------------------+------------------------+-------------------------+--------------------+
| **Assessment Findings (select one)**      |                        |                         |                    |
+===========================================+========================+=========================+====================+
| **In Place**                              | **Not Applicable**     | **Not Tested**          | **Not in Place**   |
+-------------------------------------------+------------------------+-------------------------+--------------------+
| ☐                                         | ☐                      | ☐                       | ☐                  |
+-------------------------------------------+------------------------+-------------------------+--------------------+
| Describe why the assessment finding was   |                        | \<Enter Response Here\> |                    |
| selected.                                 |                        |                         |                    |
|                                           |                        |                         |                    |
| ***Note**: Include all details as noted   |                        |                         |                    |
| in the "Required Reporting" column of the |                        |                         |                    |
| table in [Assessment                      |                        |                         |                    |
| Findings](#assessment-findings) in the    |                        |                         |                    |
| ROC Template Instructions.*               |                        |                         |                    |
+-------------------------------------------+------------------------+-------------------------+--------------------+

+--------------------------------------------------+--------------------------------------+-------------------------+
| **Validation Method -- Customized Approach**     |                                      |                         |
+==================================================+======================================+=========================+
| **Indicate** whether a Customized Approach was   |                                      | ☐ Yes ☐ No              |
| used:                                            |                                      |                         |
+--------------------------------------------------+--------------------------------------+-------------------------+
| **If "Yes", Identify** the aspect(s) of the      |                                      | \<Enter Response Here\> |
| requirement where the Customized Approach was    |                                      |                         |
| used.                                            |                                      |                         |
|                                                  |                                      |                         |
| ***Note:** The use of Customized Approach must   |                                      |                         |
| also be documented in [Appendix                  |                                      |                         |
| E.](#appendix-e-customized-approach-template)*   |                                      |                         |
+--------------------------------------------------+--------------------------------------+-------------------------+
| **Validation Method -- Defined Approach**        |                                      |                         |
+--------------------------------------------------+--------------------------------------+-------------------------+
| **Indicate** whether a Compensating Control was  |                                      | ☐ Yes ☐ No              |
| used:                                            |                                      |                         |
+--------------------------------------------------+--------------------------------------+-------------------------+
| **If "Yes", Identify** the aspect(s) of the      |                                      | \<Enter Response Here\> |
| requirement where the Compensating Control(s)    |                                      |                         |
| was used.                                        |                                      |                         |
|                                                  |                                      |                         |
| ***Note:** The use of Compensating Controls must |                                      |                         |
| also be documented in [Appendix                  |                                      |                         |
| C.](#appendix-c-compensating-controls-worksheet)*|                                      |                         |
+--------------------------------------------------+--------------------------------------+-------------------------+
| **Testing Procedures**                           | **Reporting Instructions**           | **Reporting Details:    |
|                                                  |                                      | Assessor's Response**   |
+--------------------------------------------------+--------------------------------------+-------------------------+
| **11.4.7** *Additional testing procedure for     | **Identify** the evidence reference  | \<Enter Response Here\> |
| multi-tenant providers only:* Examine evidence   | number(s) from [Section              |                         |
| to verify that multi-tenant service providers    | 6](#evidence-assessment-workpapers)  |                         |
| support their customers for external penetration | for all **evidence** examined for    |                         |
| testing per Requirement 11.4.3 and 11.4.4.       | this testing procedure.              |                         |
+--------------------------------------------------+--------------------------------------+-------------------------+


+-------------------------------------------------------------------------------------------------------------------+
| **Requirement Description**                                                                                       |
+===================================================================================================================+
| **11.5** Network intrusions and unexpected file changes are detected and responded to.                            |
+-------------------------------------------------------------------------------------------------------------------+
| **PCI DSS Requirement**                                                                                           |
+-------------------------------------------------------------------------------------------------------------------+
| **11.5.1** Intrusion-detection and/or intrusion-prevention techniques are used to detect and/or prevent           |
| intrusions into the network as follows:                                                                           |
|                                                                                                                   |
| - All traffic is monitored at the perimeter of the CDE.                                                           |
|                                                                                                                   |
| - All traffic is monitored at critical points in the CDE.                                                         |
|                                                                                                                   |
| - Personnel are alerted to suspected compromises.                                                                 |
|                                                                                                                   |
| - All intrusion-detection and prevention engines, baselines, and signatures are kept up to date.                  |
+-------------------------------------------------------------------------------------------------------------------+

+-------------------------------------------+------------------------+-------------------------+--------------------+
| **Assessment Findings (select one)**      |                        |                         |                    |
+===========================================+========================+=========================+====================+
| **In Place**                              | **Not Applicable**     | **Not Tested**          | **Not in Place**   |
+-------------------------------------------+------------------------+-------------------------+--------------------+
| ☐                                         | ☐                      | ☐                       | ☐                  |
+-------------------------------------------+------------------------+-------------------------+--------------------+
| Describe why the assessment finding was   |                        | \<Enter Response Here\> |                    |
| selected.                                 |                        |                         |                    |
|                                           |                        |                         |                    |
| ***Note**: Include all details as noted   |                        |                         |                    |
| in the "Required Reporting" column of the |                        |                         |                    |
| table in [Assessment                      |                        |                         |                    |
| Findings](#assessment-findings) in the    |                        |                         |                    |
| ROC Template Instructions.*               |                        |                         |                    |
+-------------------------------------------+------------------------+-------------------------+--------------------+

+--------------------------------------------------+--------------------------------------+-------------------------+
| **Validation Method -- Customized Approach**     |                                      |                         |
+==================================================+======================================+=========================+
| **Indicate** whether a Customized Approach was   |                                      | ☐ Yes ☐ No              |
| used:                                            |                                      |                         |
+--------------------------------------------------+--------------------------------------+-------------------------+
| **If "Yes", Identify** the aspect(s) of the      |                                      | \<Enter Response Here\> |
| requirement where the Customized Approach was    |                                      |                         |
| used.                                            |                                      |                         |
|                                                  |                                      |                         |
| ***Note:** The use of Customized Approach must   |                                      |                         |
| also be documented in [Appendix                  |                                      |                         |
| E.](#appendix-e-customized-approach-template)*   |                                      |                         |
+--------------------------------------------------+--------------------------------------+-------------------------+
| **Validation Method -- Defined Approach**        |                                      |                         |
+--------------------------------------------------+--------------------------------------+-------------------------+
| **Indicate** whether a Compensating Control was  |                                      | ☐ Yes ☐ No              |
| used:                                            |                                      |                         |
+--------------------------------------------------+--------------------------------------+-------------------------+
| **If "Yes", Identify** the aspect(s) of the      |                                      | \<Enter Response Here\> |
| requirement where the Compensating Control(s)    |                                      |                         |
| was used.                                        |                                      |                         |
|                                                  |                                      |                         |
| ***Note:** The use of Compensating Controls must |                                      |                         |
| also be documented in [Appendix                  |                                      |                         |
| C.](#appendix-c-compensating-controls-worksheet)*|                                      |                         |
+--------------------------------------------------+--------------------------------------+-------------------------+
| **Testing Procedures**                           | **Reporting Instructions**           | **Reporting Details:    |
|                                                  |                                      | Assessor's Response**   |
+--------------------------------------------------+--------------------------------------+-------------------------+
| **11.5.1.a** Examine system configurations and   | **Identify** the evidence reference  | \<Enter Response Here\> |
| network diagrams to verify that                  | number(s) from [Section              |                         |
| intrusion-detection and/or intrusion-prevention  | 6](#evidence-assessment-workpapers)  |                         |
| techniques are in place to monitor all traffic:  | for all **system configurations**    |                         |
|                                                  | examined for this testing procedure. |                         |
| - At the perimeter of the CDE.                   |                                      |                         |
|                                                  |                                      |                         |
| - At critical points in the CDE.                 |                                      |                         |
+--------------------------------------------------+--------------------------------------+-------------------------+
|                                                  | **Identify** the evidence reference  | \<Enter Response Here\> |
|                                                  | number(s) from [Section              |                         |
|                                                  | 6](#evidence-assessment-workpapers)  |                         |
|                                                  | for all **network diagrams** examined|                         |
|                                                  | for this testing procedure.          |                         |
+--------------------------------------------------+--------------------------------------+-------------------------+
| **11.5.1.b** Examine system configurations and   | **Identify** the evidence reference  | \<Enter Response Here\> |
| interview responsible personnel to verify        | number(s) from [Section              |                         |
| intrusion-detection and/or intrusion-prevention  | 6](#evidence-assessment-workpapers)  |                         |
| techniques alert personnel of suspected          | for all **system configurations**    |                         |
| compromises.                                     | examined for this testing procedure. |                         |
+--------------------------------------------------+--------------------------------------+-------------------------+
|                                                  | **Identify** the evidence reference  | \<Enter Response Here\> |
|                                                  | number(s) from [Section              |                         |
|                                                  | 6](#evidence-assessment-workpapers)  |                         |
|                                                  | for all **interview(s)** conducted   |                         |
|                                                  | for this testing procedure.          |                         |
+--------------------------------------------------+--------------------------------------+-------------------------+


+--------------------------------------------------+--------------------------------------+-------------------------+
| **11.5.1.c** Examine system configurations and   | **Identify** the evidence reference  | \<Enter Response Here\> |
| vendor documentation to verify                   | number(s) from [Section              |                         |
| intrusion-detection and/or intrusion-prevention  | 6](#evidence-assessment-workpapers)  |                         |
| techniques are configured to keep all engines,   | for all **system configurations**    |                         |
| baselines, and signatures up to date.            | examined for this testing procedure. |                         |
+--------------------------------------------------+--------------------------------------+-------------------------+
|                                                  | **Identify** the evidence reference  | \<Enter Response Here\> |
|                                                  | number(s) from [Section              |                         |
|                                                  | 6](#evidence-assessment-workpapers)  |                         |
|                                                  | for all **vendor documentation**     |                         |
|                                                  | examined for this testing procedure. |                         |
+--------------------------------------------------+--------------------------------------+-------------------------+

+-------------------------------------------------------------------------------------------------------------------+
| **PCI DSS Requirement**                                                                                           |
+===================================================================================================================+
| **11.5.1.1** *Additional requirement for service providers only:* Intrusion-detection and/or intrusion-prevention |
| techniques detect, alert on/prevent, and address covert malware communication channels.                           |
|                                                                                                                   |
| ***Note:** This requirement is a **best practice** until **31 March 2025**, after which it will be required and   |
| must be fully considered during a PCI DSS assessment.*                                                            |
+-------------------------------------------------------------------------------------------------------------------+

+-------------------------------------------+------------------------+-------------------------+--------------------+
| **Assessment Findings (select one)**      |                        |                         |                    |
+===========================================+========================+=========================+====================+
| **In Place**                              | **Not Applicable**     | **Not Tested**          | **Not in Place**   |
+-------------------------------------------+------------------------+-------------------------+--------------------+
| ☐                                         | ☐                      | ☐                       | ☐                  |
+-------------------------------------------+------------------------+-------------------------+--------------------+
| Describe why the assessment finding was   |                        | \<Enter Response Here\> |                    |
| selected.                                 |                        |                         |                    |
|                                           |                        |                         |                    |
| ***Note**: Include all details as noted   |                        |                         |                    |
| in the "Required Reporting" column of the |                        |                         |                    |
| table in [Assessment                      |                        |                         |                    |
| Findings](#assessment-findings) in the    |                        |                         |                    |
| ROC Template Instructions.*               |                        |                         |                    |
+-------------------------------------------+------------------------+-------------------------+--------------------+

+--------------------------------------------------+--------------------------------------+-------------------------+
| **Validation Method -- Customized Approach**     |                                      |                         |
+==================================================+======================================+=========================+
| **Indicate** whether a Customized Approach was   |                                      | ☐ Yes ☐ No              |
| used:                                            |                                      |                         |
+--------------------------------------------------+--------------------------------------+-------------------------+
| **If "Yes", Identify** the aspect(s) of the      |                                      | \<Enter Response Here\> |
| requirement where the Customized Approach was    |                                      |                         |
| used.                                            |                                      |                         |
|                                                  |                                      |                         |
| ***Note:** The use of Customized Approach must   |                                      |                         |
| also be documented in [Appendix                  |                                      |                         |
| E.](#appendix-e-customized-approach-template)*   |                                      |                         |
+--------------------------------------------------+--------------------------------------+-------------------------+
| **Validation Method -- Defined Approach**        |                                      |                         |
+--------------------------------------------------+--------------------------------------+-------------------------+
| **Indicate** whether a Compensating Control was  |                                      | ☐ Yes ☐ No              |
| used:                                            |                                      |                         |
+--------------------------------------------------+--------------------------------------+-------------------------+
| **If "Yes", Identify** the aspect(s) of the      |                                      | \<Enter Response Here\> |
| requirement where the Compensating Control(s)    |                                      |                         |
| was used.                                        |                                      |                         |
|                                                  |                                      |                         |
| ***Note:** The use of Compensating Controls must |                                      |                         |
| also be documented in [Appendix                  |                                      |                         |
| C.](#appendix-c-compensating-controls-worksheet)*|                                      |                         |
+--------------------------------------------------+--------------------------------------+-------------------------+
| **Testing Procedures**                           | **Reporting Instructions**           | **Reporting Details:    |
|                                                  |                                      | Assessor's Response**   |
+--------------------------------------------------+--------------------------------------+-------------------------+
| **11.5.1.1.a** *Additional testing procedure for | **Identify** the evidence reference  | \<Enter Response Here\> |
| service provider assessments only:* Examine      | number(s) from [Section              |                         |
| documentation and configuration settings to      | 6](#evidence-assessment-workpapers)  |                         |
| verify that methods to detect and alert          | for all **documentation** examined   |                         |
| on/prevent covert malware communication channels | for this testing procedure.          |                         |
| are in place and operating.                      |                                      |                         |
+--------------------------------------------------+--------------------------------------+-------------------------+
|                                                  | **Identify** the evidence reference  | \<Enter Response Here\> |
|                                                  | number(s) from [Section              |                         |
|                                                  | 6](#evidence-assessment-workpapers)  |                         |
|                                                  | for all **configuration settings**   |                         |
|                                                  | examined for this testing procedure. |                         |
+--------------------------------------------------+--------------------------------------+-------------------------+
| **11.5.1.1.b** *Additional testing procedure for | **Identify** the evidence reference  | \<Enter Response Here\> |
| service provider assessments only:* Examine the  | number(s) from [Section              |                         |
| entity's incident-response plan (Requirement     | 6](#evidence-assessment-workpapers)  |                         |
| 12.10.1) to verify it requires and defines a     | for the **entity's incident-response |                         |
| response in the event that covert malware        | plan** examined for this testing     |                         |
| communication channels are detected.             | procedure.                           |                         |
+--------------------------------------------------+--------------------------------------+-------------------------+
| **11.5.1.1.c** *Additional testing procedure for | **Identify** the evidence reference  | \<Enter Response Here\> |
| service provider assessments only:* Interview    | number(s) from [Section              |                         |
| responsible personnel and observe processes to   | 6](#evidence-assessment-workpapers)  |                         |
| verify that personnel maintain knowledge of      | for all **interview(s)** conducted   |                         |
| covert malware communication and control         | for this testing procedure.          |                         |
| techniques and are knowledgeable about how to    |                                      |                         |
| respond when malware is suspected.               |                                      |                         |
+--------------------------------------------------+--------------------------------------+-------------------------+
|                                                  | **Identify** the evidence reference  | \<Enter Response Here\> |
|                                                  | number(s) from [Section              |                         |
|                                                  | 6](#evidence-assessment-workpapers)  |                         |
|                                                  | for all **observation(s) of          |                         |
|                                                  | processes** conducted for this       |                         |
|                                                  | testing procedure.                   |                         |
+--------------------------------------------------+--------------------------------------+-------------------------+

+-------------------------------------------------------------------------------------------------------------------+
| **PCI DSS Requirement**                                                                                           |
+===================================================================================================================+
| **11.5.2** A change-detection mechanism (for example, file integrity monitoring tools) is deployed as follows:    |
|                                                                                                                   |
| - To alert personnel to unauthorized modification (including changes, additions, and deletions) of                |
|   critical files.                                                                                                 |
|                                                                                                                   |
| - To perform critical file comparisons at least once weekly.                                                      |
+-------------------------------------------------------------------------------------------------------------------+


+-------------------------------------------+------------------------+-------------------------+--------------------+
| **Assessment Findings (select one)**      |                        |                         |                    |
+===========================================+========================+=========================+====================+
| **In Place**                              | **Not Applicable**     | **Not Tested**          | **Not in Place**   |
+-------------------------------------------+------------------------+-------------------------+--------------------+
| ☐                                         | ☐                      | ☐                       | ☐                  |
+-------------------------------------------+------------------------+-------------------------+--------------------+
| Describe why the assessment finding was   |                        | \<Enter Response Here\> |                    |
| selected.                                 |                        |                         |                    |
|                                           |                        |                         |                    |
| ***Note**: Include all details as noted   |                        |                         |                    |
| in the "Required Reporting" column of the |                        |                         |                    |
| table in [Assessment                      |                        |                         |                    |
| Findings](#assessment-findings) in the    |                        |                         |                    |
| ROC Template Instructions.*               |                        |                         |                    |
+-------------------------------------------+------------------------+-------------------------+--------------------+

+--------------------------------------------------+--------------------------------------+-------------------------+
| **Validation Method -- Customized Approach**     |                                      |                         |
+==================================================+======================================+=========================+
| **Indicate** whether a Customized Approach was   |                                      | ☐ Yes ☐ No              |
| used:                                            |                                      |                         |
+--------------------------------------------------+--------------------------------------+-------------------------+
| **If "Yes", Identify** the aspect(s) of the      |                                      | \<Enter Response Here\> |
| requirement where the Customized Approach was    |                                      |                         |
| used.                                            |                                      |                         |
|                                                  |                                      |                         |
| ***Note:** The use of Customized Approach must   |                                      |                         |
| also be documented in [Appendix                  |                                      |                         |
| E.](#appendix-e-customized-approach-template)*   |                                      |                         |
+--------------------------------------------------+--------------------------------------+-------------------------+
| **Validation Method -- Defined Approach**        |                                      |                         |
+--------------------------------------------------+--------------------------------------+-------------------------+
| **Indicate** whether a Compensating Control was  |                                      | ☐ Yes ☐ No              |
| used:                                            |                                      |                         |
+--------------------------------------------------+--------------------------------------+-------------------------+
| **If "Yes", Identify** the aspect(s) of the      |                                      | \<Enter Response Here\> |
| requirement where the Compensating Control(s)    |                                      |                         |
| was used.                                        |                                      |                         |
|                                                  |                                      |                         |
| ***Note:** The use of Compensating Controls must |                                      |                         |
| also be documented in [Appendix                  |                                      |                         |
| C.](#appendix-c-compensating-controls-worksheet)*|                                      |                         |
+--------------------------------------------------+--------------------------------------+-------------------------+
| **Testing Procedures**                           | **Reporting Instructions**           | **Reporting Details:    |
|                                                  |                                      | Assessor's Response**   |
+--------------------------------------------------+--------------------------------------+-------------------------+
| **11.5.2.a** Examine system settings, monitored  | **Identify** the evidence reference  | \<Enter Response Here\> |
| files, and results from monitoring activities to | number(s) from [Section              |                         |
| verify the use of a change-detection mechanism.  | 6](#evidence-assessment-workpapers)  |                         |
|                                                  | for all **system settings** examined |                         |
|                                                  | for this testing procedure.          |                         |
+--------------------------------------------------+--------------------------------------+-------------------------+
|                                                  | **Identify** the evidence reference  | \<Enter Response Here\> |
|                                                  | number(s) from [Section              |                         |
|                                                  | 6](#evidence-assessment-workpapers)  |                         |
|                                                  | for all **monitored files** examined |                         |
|                                                  | for this testing procedure.          |                         |
+--------------------------------------------------+--------------------------------------+-------------------------+
|                                                  | **Identify** the evidence reference  | \<Enter Response Here\> |
|                                                  | number(s) from [Section              |                         |
|                                                  | 6](#evidence-assessment-workpapers)  |                         |
|                                                  | for all **results from monitoring    |                         |
|                                                  | activities** examined for this       |                         |
|                                                  | testing procedure.                   |                         |
+--------------------------------------------------+--------------------------------------+-------------------------+
| **11.5.2.b** Examine settings for the            | **Identify** the evidence reference  | \<Enter Response Here\> |
| change-detection mechanism to verify it is       | number(s) from [Section              |                         |
| configured in accordance with all elements       | 6](#evidence-assessment-workpapers)  |                         |
| specified in this requirement.                   | for all **settings for the           |                         |
|                                                  | change-detection mechanism** examined|                         |
|                                                  | for this testing procedure.          |                         |
+--------------------------------------------------+--------------------------------------+-------------------------+

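Requirement 11.5.2 states the change-detection mechanism in terms of outcomes (alert on unauthorized changes, additions and deletions of critical files; compare at least weekly). The Python script below is an added example, not part of the ROC template or any PCI SSC material, that shows the minimal baseline-and-compare logic behind such a mechanism; the file names, file contents and the seven-day window check are constructed for the demonstration.

```python
"""Change-detection (file integrity monitoring) check in the shape PCI DSS
Requirement 11.5.2 describes: a baseline of critical files, alerts on
unauthorized modification (changes, additions, deletions), and a comparison
interval of at most one week. Added example; not part of the ROC template.
All paths and file contents are constructed samples."""
from __future__ import annotations

import hashlib
import tempfile
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Requirement 11.5.2: critical file comparisons at least once weekly.
MAX_COMPARISON_INTERVAL = timedelta(days=7)


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(64 * 1024), b""):
            digest.update(chunk)
    return digest.hexdigest()


def record(path: Path) -> dict[str, str]:
    """What the baseline stores per file: content digest plus permission bits,
    so a chmod on a critical file is reported as a change as well."""
    return {"sha256": sha256_file(path), "mode": oct(path.stat().st_mode & 0o7777)}


def build_baseline(root: Path, critical_files: list[str]) -> dict:
    """Snapshot the listed critical files (paths relative to root)."""
    return {
        "created": datetime.now(timezone.utc).isoformat(),
        "files": {rel: record(root / rel) for rel in critical_files},
    }


@dataclass
class Diff:
    added: list[str] = field(default_factory=list)
    changed: list[str] = field(default_factory=list)
    deleted: list[str] = field(default_factory=list)

    def alert_needed(self) -> bool:
        return bool(self.added or self.changed or self.deleted)


def compare(root: Path, baseline: dict, watched_dirs: list[str]) -> Diff:
    """Classify every difference from the baseline.

    changed: a baselined file whose digest or mode differs
    deleted: a baselined file that no longer exists
    added:   a file under a watched directory that the baseline does not know
    """
    diff = Diff()
    known = baseline["files"]
    for rel, expected in known.items():
        path = root / rel
        if not path.is_file():
            diff.deleted.append(rel)
        elif record(path) != expected:
            diff.changed.append(rel)
    for directory in watched_dirs:
        for path in (root / directory).rglob("*"):
            rel = path.relative_to(root).as_posix()
            if path.is_file() and rel not in known:
                diff.added.append(rel)
    for bucket in (diff.added, diff.changed, diff.deleted):
        bucket.sort()
    return diff


def comparison_overdue(last_compared: datetime, now: datetime) -> bool:
    """True when the weekly comparison window has been missed."""
    return now - last_compared > MAX_COMPARISON_INTERVAL


def demo() -> tuple[Diff, bool, bool]:
    """Constructed scenario: baseline two config files, then simulate one edit,
    one dropped file and one deletion, and run the comparison."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("db_host=payments-db\n")
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        baseline = build_baseline(root, ["etc/app.conf", "etc/sshd_config"])
        created = datetime.fromisoformat(baseline["created"])

        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")  # change
        (root / "etc" / "unexpected.bin").write_bytes(b"constructed sample")  # addition
        (root / "etc" / "app.conf").unlink()  # deletion

        diff = compare(root, baseline, ["etc"])
        overdue_at_6_days = comparison_overdue(created, created + timedelta(days=6))
        overdue_at_8_days = comparison_overdue(created, created + timedelta(days=8))
        return diff, overdue_at_6_days, overdue_at_8_days


if __name__ == "__main__":
    result, at_6, at_8 = demo()
    print("added:", result.added, "changed:", result.changed, "deleted:", result.deleted)
    print("alert needed:", result.alert_needed(), "| overdue at 6 days:", at_6, "| at 8 days:", at_8)
```

In a real deployment the baseline would be stored and signed outside the monitored host, and the comparison result fed to the alerting path that 11.5.2 and the incident-response plan expect.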

+-------------------------------------------------------------------------------------------------------------------+
| **Requirement Description**                                                                                       |
+===================================================================================================================+
| **11.6** Unauthorized changes on payment pages are detected and responded to.                                     |
+-------------------------------------------------------------------------------------------------------------------+
| **PCI DSS Requirement**                                                                                           |
+-------------------------------------------------------------------------------------------------------------------+
| **11.6.1** A change- and tamper-detection mechanism is deployed as follows:                                       |
|                                                                                                                   |
| - To alert personnel to unauthorized modification (including indicators of compromise, changes, additions, and    |
|   deletions) to the HTTP headers and the contents of payment pages as received by the consumer browser.           |
|                                                                                                                   |
| - The mechanism is configured to evaluate the received HTTP header and payment page.                              |
|                                                                                                                   |
| - The mechanism functions are performed as follows:                                                               |
|                                                                                                                   |
|   - At least once every seven days                                                                                |
|                                                                                                                   |
|     OR                                                                                                            |
|                                                                                                                   |
|   - Periodically (at the frequency defined in the entity's targeted risk analysis, which is performed according   |
|     to all elements specified in Requirement 12.3.1).                                                             |
|                                                                                                                   |
| ***Note:** This requirement is a **best practice** until **31 March 2025**, after which it will be required and   |
| must be fully considered during a PCI DSS assessment.*                                                            |
+-------------------------------------------------------------------------------------------------------------------+

+-------------------------------------------+------------------------+-------------------------+--------------------+
| **Assessment Findings (select one)**      |                        |                         |                    |
+===========================================+========================+=========================+====================+
| **In Place**                              | **Not Applicable**     | **Not Tested**          | **Not in Place**   |
+-------------------------------------------+------------------------+-------------------------+--------------------+
| ☐                                         | ☐                      | ☐                       | ☐                  |
+-------------------------------------------+------------------------+-------------------------+--------------------+

+-----------------+----------------+----+-----------+-----------------+
| Describe why | | | \<Enter | |
| the assessment | | | Response | |
| finding was | | | Here\> | |
| selected. | | | | |
| | | | | |
| ***Note**: | | | | |
| Include all | | | | |
| details as | | | | |
| noted in the | | | | |
| "Required | | | | |
| Reporting" | | | | |
| column of the | | | | |
| table in | | | | |
| [Assessment | | | | |
| F | | | | |
| indings](#asses | | | | |
| sment-findings) | | | | |
| in the ROC | | | | |
| Template | | | | |
| Instructions.* | | | | |
+-----------------+----------------+----+-----------+-----------------+
+-------------------------------------+--------------------------------+
| **Validation Method -- Customized | |
| Approach** | |
+=====================================+================================+
| **Indicate** whether a Customized | - Yes ☐ No |
| Approach was used: | |
+-------------------------------------+--------------------------------+
| **If "Yes", Identify** the | \<Enter Response Here\> |
| aspect(s) of the requirement where | |
| the Customized Approach was used. | |
| | |
| ***Note:** The use of Customized | |
| Approach must also be documented in | |
| [Appendix | |
| E.](#append | |
| ix-e-customized-approach-template)* | |
+-------------------------------------+--------------------------------+
| **Validation Method -- Defined | |
| Approach** | |
+-------------------------------------+--------------------------------+
| **Indicate** whether a Compensating | - Yes ☐ No |
| Control was used: | |
+-------------------------------------+--------------------------------+
| **If "Yes", Identify** the | \<Enter Response Here\> |
| aspect(s) of the requirement where | |
| the Compensating Control(s) was | |
| used. | |
| | |
| ***Note:** The use of Compensating | |
| Controls must also be documented in | |
| [Appendix | |
| C.](#appendix- | |
| c-compensating-controls-worksheet)* | |
+-------------------------------------+--------------------------------+
+-----------------+-------------------+--------------------------------+
| > **Testing | > **Reporting | > **Reporting Details: |
| > Procedures** | > Instructions** | > Assessor's Response** |
+=================+===================+================================+
| **11.6.1.a** | **Identify** the | \<Enter Response Here\> |
| Examine system | evidence | |
| settings, | reference | |
| monitored | number(s) from | |
| payment pages, | [Section | |
| and results | 6 | |
| from monitoring | ](#evidence-asses | |
| activities to | sment-workpapers) | |
| verify the use | for all **system | |
| of a change- | settings** | |
| and tamper- | examined for this | |
| detection | testing | |
| mechanism. | procedure. | |
+-----------------+-------------------+--------------------------------+
| | **Identify** the | \<Enter Response Here\> |
| | evidence | |
| | reference | |
| | number(s) from | |
| | [Section | |
| | 6 | |
| | ](#evidence-asses | |
| | sment-workpapers) | |
| | for all | |
| | **monitoring | |
| | activities** | |
| | examined for this | |
| | testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+
| | **Identify** the | \<Enter Response Here\> |
| | evidence | |
| | reference | |
| | number(s) from | |
| | [Section | |
| | 6 | |
| | ](#evidence-asses | |
| | sment-workpapers) | |
| | for all **results | |
| | from monitoring | |
| | activities** | |
| | examined for this | |
| | testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+
| **11.6.1.b** | **Identify** the | \<Enter Response Here\> |
| Examine | evidence | |
| configuration | reference | |
| settings to | number(s) from | |
| verify the | [Section | |
| mechanism is | 6 | |
| configured in | ](#evidence-asses | |
| accordance with | sment-workpapers) | |
| all elements | for all | |
| specified in | **configuration | |
| this | settings** | |
| requirement. | examined for this | |
| | testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+
| **11.6.1.c** If | **Identify** the | \<Enter Response Here\> |
| the mechanism | evidence | |
| functions are | reference | |
| performed at an | number(s) from | |
| entity-defined | [Section | |
| frequency, | 6 | |
| examine the | ](#evidence-asses | |
| entity's | sment-workpapers) | |
| targeted risk | for the | |
| analysis for | **entity's | |
| determining the | targeted risk | |
| frequency to | analysis** | |
| verify the risk | examined for this | |
| analysis was | testing | |
| performed in | procedure. | |
| accordance with | | |
| all elements | | |
| specified at | | |
| Requirement | | |
| 12.3.1. | | |
+-----------------+-------------------+--------------------------------+
| **11.6.1.d** | **Identify** the | \<Enter Response Here\> |
| Examine | evidence | |
| configuration | reference | |
| settings and | number(s) from | |
| interview | [Section | |
| personnel to | 6 | |
| verify the | ](#evidence-asses | |
| mechanism | sment-workpapers) | |
| functions are | for all | |
| performed | **configuration | |
| either: | settings** | |
| | examined for this | |
| - At least | testing | |
| once every | procedure. | |
| seven days | | |
| | | |
| OR | | |
| | | |
| - At the | | |
| frequency | | |
| defined in | | |
| the | | |
| entity's | | |
| targeted | | |
| risk | | |
| analysis | | |
| performed | | |
| for this | | |
| | | |
| requirement. | | |
+-----------------+-------------------+--------------------------------+
| | **Identify** the | \<Enter Response Here\> |
| | evidence | |
| | reference | |
| | number(s) from | |
| | [Section | |
| | 6 | |
| | ](#evidence-asses | |
| | sment-workpapers) | |
| | for all | |
| | **interview(s)** | |
| | conducted for | |
| | this testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+
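As an added example (not part of the ROC template or any PCI SSC tool), a minimal check of the kind Requirement 11.6.1 describes: it reduces the HTTP headers and payment page content a consumer browser received to a snapshot, reports additions, deletions and changes against an approved baseline, and flags an evaluation interval longer than seven days. All headers, page bodies, the `cdn.example.invalid` host and the timestamps are constructed sample data.

```python
"""Added example, not part of the PCI DSS ROC template or any PCI SSC tool:
a minimal change- and tamper-detection check of the kind Requirement 11.6.1
describes. It normalises what the consumer browser received (HTTP headers plus
payment page content), reports additions, deletions and changes against a
baseline, and checks that the evaluation interval does not exceed seven days.
All headers, page bodies, hosts and timestamps below are constructed."""
import hashlib
import re
from datetime import datetime, timedelta, timezone

SEVEN_DAYS = timedelta(days=7)
# External scripts are identified by their src; inline scripts by content hash.
SRC_SCRIPT_RE = re.compile(r'<script[^>]*\bsrc="([^"]+)"', re.IGNORECASE)
INLINE_SCRIPT_RE = re.compile(
    r"<script(?![^>]*\bsrc=)[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)


def snapshot(headers: dict, body: str) -> dict:
    """Normalise a received response into the facts the check compares."""
    return {
        "headers": {k.lower(): v.strip() for k, v in headers.items()},
        "scripts": sorted(SRC_SCRIPT_RE.findall(body)),
        "inline_hashes": sorted(
            hashlib.sha256(s.strip().encode()).hexdigest()
            for s in INLINE_SCRIPT_RE.findall(body)),
        "body_sha256": hashlib.sha256(body.encode()).hexdigest(),
    }


def _diff_keys(label: str, baseline: dict, observed: dict) -> list:
    """Report deleted, added and changed entries between two mappings."""
    findings = [f"{label} deleted: {k}" for k in sorted(baseline.keys() - observed.keys())]
    findings += [f"{label} added: {k}" for k in sorted(observed.keys() - baseline.keys())]
    findings += [f"{label} changed: {k}" for k in sorted(baseline.keys() & observed.keys())
                 if baseline[k] != observed[k]]
    return findings


def compare(baseline: dict, observed: dict) -> list:
    """Return human-readable findings; an empty list means no change detected."""
    findings = _diff_keys("header", baseline["headers"], observed["headers"])
    findings += _diff_keys("script", dict.fromkeys(baseline["scripts"]),
                           dict.fromkeys(observed["scripts"]))
    if baseline["inline_hashes"] != observed["inline_hashes"]:
        findings.append("inline script content changed")
    # Any other difference in the page body (markup, form action, text) still
    # counts as a modification even when no header or script delta explains it.
    if not findings and baseline["body_sha256"] != observed["body_sha256"]:
        findings.append("page content changed")
    return findings


def evaluation_overdue(last_evaluated: datetime, now: datetime,
                       max_interval: timedelta = SEVEN_DAYS) -> bool:
    """True when the mechanism has not run within the allowed interval
    (seven days, or the frequency set by the entity's targeted risk analysis)."""
    return now - last_evaluated > max_interval


# Constructed baseline: the payment page as approved at deployment time.
BASELINE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "script-src 'self'",
    "X-Frame-Options": "DENY",
}
BASELINE_BODY = """<html><head>
<script src="/static/checkout.js"></script>
<script>window.checkoutConfig = {currency: "USD"};</script>
</head><body><form action="/pay" method="post">...</form></body></html>"""

# Constructed observation: the CSP header is missing, a script tag pointing at
# a placeholder host was added, and the inline script no longer matches.
OBSERVED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "DENY",
}
OBSERVED_BODY = """<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.example.invalid/loader.js"></script>
<script>window.checkoutConfig = {currency: "USD", debug: true};</script>
</head><body><form action="/pay" method="post">...</form></body></html>"""


def run_check() -> list:
    """Compare the constructed observation with the constructed baseline."""
    return compare(snapshot(BASELINE_HEADERS, BASELINE_BODY),
                   snapshot(OBSERVED_HEADERS, OBSERVED_BODY))


if __name__ == "__main__":
    for finding in run_check():
        print("ALERT:", finding)
    last_run = datetime(2025, 1, 1, tzinfo=timezone.utc)
    print("evaluation overdue:",
          evaluation_overdue(last_run, datetime(2025, 1, 9, tzinfo=timezone.utc)))
```

Each finding maps to one element of 11.6.1 (header deletion, script addition, inline content change), which is the evidence an assessor would expect the mechanism's alerts and monitoring results to show under 11.6.1.a.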
## Maintain an Information Security Policy {#maintain-an-information-security-policy .unnumbered}
### Requirement 12: Support Information Security with Organizational Policies and Programs {#requirement-12-support-information-security-with-organizational-policies-and-programs .unnumbered}
**Requirement Description**

**12.1** A comprehensive information security policy that governs and provides direction for protection of the entity's information assets is known and current.

**PCI DSS Requirement**

**12.1.1** An overall information security policy is:

- Established.
- Published.
- Maintained.
- Disseminated to all relevant personnel, as well as to relevant vendors and business partners.

**Assessment Findings (select one)**

| **In Place** | **Not Applicable** | **Not Tested** | **Not in Place** |
|:---:|:---:|:---:|:---:|
| ☐ | ☐ | ☐ | ☐ |

Describe why the assessment finding was selected. \<Enter Response Here\>

***Note**: Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.*

**Validation Method -- Customized Approach**

**Indicate** whether a Customized Approach was used: ☐ Yes ☐ No

**If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used. \<Enter Response Here\>

***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)*

**Validation Method -- Defined Approach**

**Indicate** whether a Compensating Control was used: ☐ Yes ☐ No

**If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used. \<Enter Response Here\>

***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)*

| **Testing Procedures** | **Reporting Instructions** | **Reporting Details: Assessor's Response** |
|---|---|---|
| **12.1.1** Examine the information security policy and interview personnel to verify that the overall information security policy is managed in accordance with all elements specified in this requirement. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for the **information security policy** examined for this testing procedure. | \<Enter Response Here\> |
| | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **interview(s)** conducted for this testing procedure. | \<Enter Response Here\> |
**PCI DSS Requirement**

**12.1.2** The information security policy is:

- Reviewed at least once every 12 months.
- Updated as needed to reflect changes to business objectives or risks to the environment.

**Assessment Findings (select one)**

| **In Place** | **Not Applicable** | **Not Tested** | **Not in Place** |
|:---:|:---:|:---:|:---:|
| ☐ | ☐ | ☐ | ☐ |

Describe why the assessment finding was selected. \<Enter Response Here\>

***Note**: Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.*

**Validation Method -- Customized Approach**

**Indicate** whether a Customized Approach was used: ☐ Yes ☐ No

**If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used. \<Enter Response Here\>

***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)*

**Validation Method -- Defined Approach**

**Indicate** whether a Compensating Control was used: ☐ Yes ☐ No

**If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used. \<Enter Response Here\>

***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)*

| **Testing Procedures** | **Reporting Instructions** | **Reporting Details: Assessor's Response** |
|---|---|---|
| **12.1.2** Examine the information security policy and interview responsible personnel to verify the policy is managed in accordance with all elements specified in this requirement. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **information security policies** examined for this testing procedure. | \<Enter Response Here\> |
| | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **interview(s)** conducted for this testing procedure. | \<Enter Response Here\> |
**PCI DSS Requirement**

**12.1.3** The security policy clearly defines information security roles and responsibilities for all personnel, and all personnel are aware of and acknowledge their information security responsibilities.

**Assessment Findings (select one)**

| **In Place** | **Not Applicable** | **Not Tested** | **Not in Place** |
|:---:|:---:|:---:|:---:|
| ☐ | ☐ | ☐ | ☐ |

Describe why the assessment finding was selected. \<Enter Response Here\>

***Note**: Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.*

**Validation Method -- Customized Approach**

**Indicate** whether a Customized Approach was used: ☐ Yes ☐ No

**If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used. \<Enter Response Here\>

***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)*

**Validation Method -- Defined Approach**

**Indicate** whether a Compensating Control was used: ☐ Yes ☐ No

**If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used. \<Enter Response Here\>

***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)*

| **Testing Procedures** | **Reporting Instructions** | **Reporting Details: Assessor's Response** |
|---|---|---|
| **12.1.3.a** Examine the information security policy to verify that they clearly define information security roles and responsibilities for all personnel. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for the **information security policy** examined for this testing procedure. | \<Enter Response Here\> |
| **12.1.3.b** Interview personnel in various roles to verify they understand their information security responsibilities. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **interview(s)** conducted for this testing procedure. | \<Enter Response Here\> |
| **12.1.3.c** Examine documented evidence to verify personnel acknowledge their information security responsibilities. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **documented evidence** examined for this testing procedure. | \<Enter Response Here\> |
**PCI DSS Requirement**

**12.1.4** Responsibility for information security is formally assigned to a Chief Information Security Officer or other information security knowledgeable member of executive management.

**Assessment Findings (select one)**

| **In Place** | **Not Applicable** | **Not Tested** | **Not in Place** |
|:---:|:---:|:---:|:---:|
| ☐ | ☐ | ☐ | ☐ |

Describe why the assessment finding was selected. \<Enter Response Here\>

***Note**: Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.*

**Validation Method -- Customized Approach**

**Indicate** whether a Customized Approach was used: ☐ Yes ☐ No

**If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used. \<Enter Response Here\>

***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)*

**Validation Method -- Defined Approach**

**Indicate** whether a Compensating Control was used: ☐ Yes ☐ No

**If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used. \<Enter Response Here\>

***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)*

| **Testing Procedures** | **Reporting Instructions** | **Reporting Details: Assessor's Response** |
|---|---|---|
| **12.1.4** Examine the information security policy to verify that information security is formally assigned to a Chief Information Security Officer or other information security-knowledgeable member of executive management. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for the **information security policy** examined for this testing procedure. | \<Enter Response Here\> |
**Requirement Description**

**12.2** Acceptable use policies for end-user technologies are defined and implemented.

**PCI DSS Requirement**

**12.2.1** Acceptable use policies for end-user technologies are documented and implemented, including:

- Explicit approval by authorized parties.
- Acceptable uses of the technology.
- List of products approved by the company for employee use, including hardware and software.

**Assessment Findings (select one)**

| **In Place** | **Not Applicable** | **Not Tested** | **Not in Place** |
|:---:|:---:|:---:|:---:|
| ☐ | ☐ | ☐ | ☐ |

Describe why the assessment finding was selected. \<Enter Response Here\>

***Note**: Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.*

**Validation Method -- Customized Approach**

**Indicate** whether a Customized Approach was used: ☐ Yes ☐ No

**If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used. \<Enter Response Here\>

***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)*

**Validation Method -- Defined Approach**

**Indicate** whether a Compensating Control was used: ☐ Yes ☐ No

**If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used. \<Enter Response Here\>

***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)*

| **Testing Procedures** | **Reporting Instructions** | **Reporting Details: Assessor's Response** |
|---|---|---|
| **12.2.1** Examine the acceptable use policies for end-user technologies and interview responsible personnel to verify processes are documented and implemented in accordance with all elements specified in this requirement. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **acceptable use policies** examined for this testing procedure. | \<Enter Response Here\> |
| | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **interview(s)** conducted for this testing procedure. | \<Enter Response Here\> |
+-----------------------------------------------------------------------+
| > **Requirement Description**                                         |
+=======================================================================+
| **12.3** Risks to the cardholder data environment are formally        |
| identified, evaluated, and managed.                                   |
+-----------------------------------------------------------------------+
| > **PCI DSS Requirement**                                             |
+-----------------------------------------------------------------------+
| **12.3.1** Each PCI DSS requirement that provides flexibility for how |
| frequently it is performed (for example, requirements to be performed |
| periodically) is supported by a targeted risk analysis that is        |
| documented and includes:                                              |
|                                                                       |
| - Identification of the assets being protected.                       |
|                                                                       |
| - Identification of the threat(s) that the requirement is protecting  |
|   against.                                                            |
|                                                                       |
| - Identification of factors that contribute to the likelihood and/or  |
|   impact of a threat being realized.                                  |
|                                                                       |
| - Resulting analysis that determines, and includes justification for, |
|   how frequently the requirement must be performed to minimize the    |
|   likelihood of the threat being realized.                            |
|                                                                       |
| - Review of each targeted risk analysis at least once every 12 months |
|   to determine whether the results are still valid or if an updated   |
|   risk analysis is needed.                                            |
|                                                                       |
| - Performance of updated risk analyses when needed, as determined by  |
|   the annual review.                                                  |
|                                                                       |
| ***Note:** This requirement is a **best practice** until **31 March   |
| 2025**, after which it will be required and must be fully considered  |
| during a PCI DSS assessment.*                                         |
+-----------------------------------------------------------------------+
+------------------------------------------------+--------------------------+--------------------------+--------------------------+
| > **Assessment Findings (select one)**         |                          |                          |                          |
+================================================+==========================+==========================+==========================+
| **In Place**                                   | **Not Applicable**       | **Not Tested**           | **Not in Place**         |
+------------------------------------------------+--------------------------+--------------------------+--------------------------+
| ☐                                              | ☐                        | ☐                        | ☐                        |
+------------------------------------------------+--------------------------+--------------------------+--------------------------+
| Describe why the assessment finding was        |                          | \<Enter Response Here\>  |                          |
| selected.                                      |                          |                          |                          |
|                                                |                          |                          |                          |
| ***Note**: Include all details as noted in     |                          |                          |                          |
| the "Required Reporting" column of the table   |                          |                          |                          |
| in [Assessment Findings](#assessment-findings) |                          |                          |                          |
| in the ROC Template Instructions.*             |                          |                          |                          |
+------------------------------------------------+--------------------------+--------------------------+--------------------------+
+--------------------------------------------------------------+----------------------------------------------------+--------------------------------+
| **Validation Method -- Customized Approach**                 |                                                    |                                |
+==============================================================+====================================================+================================+
| **Indicate** whether a Customized Approach was used:         |                                                    | ☐ Yes ☐ No                     |
+--------------------------------------------------------------+----------------------------------------------------+--------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      |                                                    | \<Enter Response Here\>        |
| where the Customized Approach was used.                      |                                                    |                                |
|                                                              |                                                    |                                |
| ***Note:** The use of Customized Approach must also be       |                                                    |                                |
| documented in                                                |                                                    |                                |
| [Appendix E.](#appendix-e-customized-approach-template)*     |                                                    |                                |
+--------------------------------------------------------------+----------------------------------------------------+--------------------------------+
| **Validation Method -- Defined Approach**                    |                                                    |                                |
+--------------------------------------------------------------+----------------------------------------------------+--------------------------------+
| **Indicate** whether a Compensating Control was used:        |                                                    | ☐ Yes ☐ No                     |
+--------------------------------------------------------------+----------------------------------------------------+--------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      |                                                    | \<Enter Response Here\>        |
| where the Compensating Control(s) was used.                  |                                                    |                                |
|                                                              |                                                    |                                |
| ***Note:** The use of Compensating Controls must also be     |                                                    |                                |
| documented in                                                |                                                    |                                |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*  |                                                    |                                |
+--------------------------------------------------------------+----------------------------------------------------+--------------------------------+
| > **Testing Procedures**                                     | > **Reporting Instructions**                       | > **Reporting Details:         |
|                                                              |                                                    | > Assessor's Response**        |
+--------------------------------------------------------------+----------------------------------------------------+--------------------------------+
| **12.3.1** Examine documented policies and procedures to     | **Identify** the evidence reference number(s) from | \<Enter Response Here\>        |
| verify a process is defined for performing targeted risk     | [Section 6](#evidence-assessment-workpapers)       |                                |
| analyses for each PCI DSS requirement that provides          | for all **documented policies and procedures**     |                                |
| flexibility for how frequently the requirement is performed, | examined for this testing procedure.               |                                |
| and that the process includes all elements specified in this |                                                    |                                |
| requirement.                                                 |                                                    |                                |
+--------------------------------------------------------------+----------------------------------------------------+--------------------------------+
+-----------------------------------------------------------------------+
| > **PCI DSS Requirement**                                             |
+=======================================================================+
| **12.3.2** A targeted risk analysis is performed for each PCI DSS     |
| requirement that the entity meets with the customized approach, to    |
| include:                                                              |
|                                                                       |
| - Documented evidence detailing each element specified in Appendix D: |
|   Customized Approach (including, at a minimum, a controls matrix and |
|   risk analysis).                                                     |
|                                                                       |
| - Approval of documented evidence by senior management.               |
|                                                                       |
| - Performance of the targeted analysis of risk at least once every 12 |
|   months.                                                             |
+-----------------------------------------------------------------------+
+------------------------------------------------+--------------------------+--------------------------+--------------------------+
| > **Assessment Findings (select one)**         |                          |                          |                          |
+================================================+==========================+==========================+==========================+
| **In Place**                                   | **Not Applicable**       | **Not Tested**           | **Not in Place**         |
+------------------------------------------------+--------------------------+--------------------------+--------------------------+
| ☐                                              | ☐                        | ☐                        | ☐                        |
+------------------------------------------------+--------------------------+--------------------------+--------------------------+
| Describe why the assessment finding was        |                          | \<Enter Response Here\>  |                          |
| selected.                                      |                          |                          |                          |
|                                                |                          |                          |                          |
| ***Note**: Include all details as noted in     |                          |                          |                          |
| the "Required Reporting" column of the table   |                          |                          |                          |
| in [Assessment Findings](#assessment-findings) |                          |                          |                          |
| in the ROC Template Instructions.*             |                          |                          |                          |
+------------------------------------------------+--------------------------+--------------------------+--------------------------+
+--------------------------------------------------------------+----------------------------------------------------+--------------------------------+
| **Validation Method -- Customized Approach**                 |                                                    |                                |
+==============================================================+====================================================+================================+
| **Indicate** whether a Customized Approach was used:         |                                                    | ☐ Yes ☐ No                     |
+--------------------------------------------------------------+----------------------------------------------------+--------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      |                                                    | \<Enter Response Here\>        |
| where the Customized Approach was used.                      |                                                    |                                |
|                                                              |                                                    |                                |
| ***Note:** The use of Customized Approach must also be       |                                                    |                                |
| documented in                                                |                                                    |                                |
| [Appendix E.](#appendix-e-customized-approach-template)*     |                                                    |                                |
+--------------------------------------------------------------+----------------------------------------------------+--------------------------------+
| **Validation Method -- Defined Approach**                    |                                                    |                                |
+--------------------------------------------------------------+----------------------------------------------------+--------------------------------+
| **Indicate** whether a Compensating Control was used:        |                                                    | ☐ Yes ☐ No                     |
+--------------------------------------------------------------+----------------------------------------------------+--------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      |                                                    | \<Enter Response Here\>        |
| where the Compensating Control(s) was used.                  |                                                    |                                |
|                                                              |                                                    |                                |
| ***Note:** The use of Compensating Controls must also be     |                                                    |                                |
| documented in                                                |                                                    |                                |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*  |                                                    |                                |
+--------------------------------------------------------------+----------------------------------------------------+--------------------------------+
| > **Testing Procedures**                                     | > **Reporting Instructions**                       | > **Reporting Details:         |
|                                                              |                                                    | > Assessor's Response**        |
+--------------------------------------------------------------+----------------------------------------------------+--------------------------------+
| **12.3.2** Examine the documented targeted risk-analysis for | **Identify** the evidence reference number(s) from | \<Enter Response Here\>        |
| each PCI DSS requirement that the entity meets with the      | [Section 6](#evidence-assessment-workpapers)       |                                |
| customized approach to verify that documentation for each    | for all **documentation** examined for this        |                                |
| requirement exists and is in accordance with all elements    | testing procedure.                                 |                                |
| specified in this requirement.                               |                                                    |                                |
+--------------------------------------------------------------+----------------------------------------------------+--------------------------------+
+-----------------------------------------------------------------------+
| > **PCI DSS Requirement**                                             |
+=======================================================================+
| **12.3.3** Cryptographic cipher suites and protocols in use are       |
| documented and reviewed at least once every 12 months, including at   |
| least the following:                                                  |
|                                                                       |
| - An up-to-date inventory of all cryptographic cipher suites and      |
|   protocols in use, including purpose and where used.                 |
|                                                                       |
| - Active monitoring of industry trends regarding continued viability  |
|   of all cryptographic cipher suites and protocols in use.            |
|                                                                       |
| - A documented strategy to respond to anticipated changes in          |
|   cryptographic vulnerabilities.                                      |
|                                                                       |
| ***Note:** This requirement is a **best practice** until **31 March   |
| 2025**, after which it will be required and must be fully considered  |
| during a PCI DSS assessment.*                                         |
+-----------------------------------------------------------------------+
+------------------------------------------------+--------------------------+--------------------------+--------------------------+
| > **Assessment Findings (select one)**         |                          |                          |                          |
+================================================+==========================+==========================+==========================+
| **In Place**                                   | **Not Applicable**       | **Not Tested**           | **Not in Place**         |
+------------------------------------------------+--------------------------+--------------------------+--------------------------+
| ☐                                              | ☐                        | ☐                        | ☐                        |
+------------------------------------------------+--------------------------+--------------------------+--------------------------+
| Describe why the assessment finding was        |                          | \<Enter Response Here\>  |                          |
| selected.                                      |                          |                          |                          |
|                                                |                          |                          |                          |
| ***Note**: Include all details as noted in     |                          |                          |                          |
| the "Required Reporting" column of the table   |                          |                          |                          |
| in [Assessment Findings](#assessment-findings) |                          |                          |                          |
| in the ROC Template Instructions.*             |                          |                          |                          |
+------------------------------------------------+--------------------------+--------------------------+--------------------------+
+--------------------------------------------------------------+----------------------------------------------------+--------------------------------+
| **Validation Method -- Customized Approach**                 |                                                    |                                |
+==============================================================+====================================================+================================+
| **Indicate** whether a Customized Approach was used:         |                                                    | ☐ Yes ☐ No                     |
+--------------------------------------------------------------+----------------------------------------------------+--------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      |                                                    | \<Enter Response Here\>        |
| where the Customized Approach was used.                      |                                                    |                                |
|                                                              |                                                    |                                |
| ***Note:** The use of Customized Approach must also be       |                                                    |                                |
| documented in                                                |                                                    |                                |
| [Appendix E.](#appendix-e-customized-approach-template)*     |                                                    |                                |
+--------------------------------------------------------------+----------------------------------------------------+--------------------------------+
| **Validation Method -- Defined Approach**                    |                                                    |                                |
+--------------------------------------------------------------+----------------------------------------------------+--------------------------------+
| **Indicate** whether a Compensating Control was used:        |                                                    | ☐ Yes ☐ No                     |
+--------------------------------------------------------------+----------------------------------------------------+--------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      |                                                    | \<Enter Response Here\>        |
| where the Compensating Control(s) was used.                  |                                                    |                                |
|                                                              |                                                    |                                |
| ***Note:** The use of Compensating Controls must also be     |                                                    |                                |
| documented in                                                |                                                    |                                |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*  |                                                    |                                |
+--------------------------------------------------------------+----------------------------------------------------+--------------------------------+
| > **Testing Procedures**                                     | > **Reporting Instructions**                       | > **Reporting Details:         |
|                                                              |                                                    | > Assessor's Response**        |
+--------------------------------------------------------------+----------------------------------------------------+--------------------------------+
| **12.3.3** Examine documentation for cryptographic suites    | **Identify** the evidence reference number(s) from | \<Enter Response Here\>        |
| and protocols in use and interview personnel to verify the   | [Section 6](#evidence-assessment-workpapers)       |                                |
| documentation and review is in accordance with all elements  | for all **documentation** examined for this        |                                |
| specified in this requirement.                               | testing procedure.                                 |                                |
+--------------------------------------------------------------+----------------------------------------------------+--------------------------------+
|                                                              | **Identify** the evidence reference number(s) from | \<Enter Response Here\>        |
|                                                              | [Section 6](#evidence-assessment-workpapers)       |                                |
|                                                              | for all **interview(s)** conducted for this        |                                |
|                                                              | testing procedure.                                 |                                |
+--------------------------------------------------------------+----------------------------------------------------+--------------------------------+
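As an added illustration (not part of the ROC template or any PCI SSC material) of what an assessor examining the 12.3.3 inventory and its review is checking, the following Python models the requirement's three elements against a constructed inventory: purpose and where-used fields, the 12-month review cadence, and a "no longer viable" watch list that the documented response strategy would act on. The system names, dates and watch-list contents are assumptions made for the example.

```python
"""PCI DSS Requirement 12.3.3 cryptographic inventory review (added example).

Not part of the ROC template. It models the three elements 12.3.3 lists: an
inventory of cipher suites and protocols in use with purpose and where used,
monitoring of continued viability, and review at least once every 12 months.
The inventory entries and the "no longer viable" lists are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Protocol versions and cipher-suite markers treated as no longer viable.
# Constructed, illustrative lists: the entity's own industry-trend monitoring
# (12.3.3, second bullet) is what populates these in practice.
NOT_VIABLE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
NOT_VIABLE_SUITE_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "EXPORT", "MD5")

REVIEW_PERIOD = timedelta(days=365)  # "at least once every 12 months"
REVIEW_DATE = date(2024, 12, 1)      # assumed date of the assessor's review


@dataclass(frozen=True)
class InventoryEntry:
    """One row of the 12.3.3 inventory."""
    system: str                 # where used
    purpose: str                # why the cryptography is in use
    protocols: tuple[str, ...]
    cipher_suites: tuple[str, ...]
    last_reviewed: date | None  # None = never reviewed


@dataclass(frozen=True)
class Finding:
    system: str
    issue: str


def review_inventory(entries: list[InventoryEntry], today: date) -> list[Finding]:
    """Return one Finding per gap against the elements of Requirement 12.3.3."""
    findings: list[Finding] = []
    for e in entries:
        # Element 1: the inventory must record purpose and where used, and
        # must actually list the suites/protocols in use.
        if not e.purpose.strip():
            findings.append(Finding(e.system, "missing purpose"))
        if not e.protocols and not e.cipher_suites:
            findings.append(Finding(e.system, "no protocols or cipher suites recorded"))

        # Review cadence: documented and reviewed at least once every 12 months.
        if e.last_reviewed is None:
            findings.append(Finding(e.system, "never reviewed"))
        elif today - e.last_reviewed > REVIEW_PERIOD:
            findings.append(Finding(e.system, f"review overdue (last {e.last_reviewed.isoformat()})"))

        # Element 2 feeds element 3: anything no longer viable is what the
        # documented response strategy has to address.
        for p in e.protocols:
            if p in NOT_VIABLE_PROTOCOLS:
                findings.append(Finding(e.system, f"protocol no longer viable: {p}"))
        for s in e.cipher_suites:
            if any(marker in s.upper() for marker in NOT_VIABLE_SUITE_MARKERS):
                findings.append(Finding(e.system, f"cipher suite no longer viable: {s}"))
    return findings


def findings_by_system(findings: list[Finding]) -> dict[str, list[str]]:
    """Group issues per system, in the order found, for the assessor's response."""
    grouped: dict[str, list[str]] = {}
    for f in findings:
        grouped.setdefault(f.system, []).append(f.issue)
    return grouped


# Constructed sample inventory (hypothetical systems, suites and dates).
SAMPLE_INVENTORY = [
    InventoryEntry("payment-gateway-lb", "TLS termination for cardholder-facing web traffic",
                   ("TLSv1.2", "TLSv1.3"),
                   ("TLS_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
                   date(2024, 9, 1)),
    InventoryEntry("legacy-batch-transfer", "",
                   ("TLSv1.0", "TLSv1.2"),
                   ("TLS_RSA_WITH_3DES_EDE_CBC_SHA",),
                   date(2023, 1, 15)),
    InventoryEntry("hsm-key-wrap", "Wrapping of stored PAN data-encryption keys",
                   (),
                   ("AES-256-KW",),
                   None),
]


if __name__ == "__main__":
    report = findings_by_system(review_inventory(SAMPLE_INVENTORY, REVIEW_DATE))
    for system, issues in report.items():
        print(system)
        for issue in issues:
            print(f"  - {issue}")
```

Only the two systems with gaps appear in the report; the fully documented, recently reviewed gateway produces no finding.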
+-----------------------------------------------------------------------+
| > **PCI DSS Requirement**                                             |
+=======================================================================+
| **12.3.4** Hardware and software technologies in use are reviewed at  |
| least once every 12 months, including at least the following:         |
|                                                                       |
| - Analysis that the technologies continue to receive security fixes   |
|   from vendors promptly.                                              |
|                                                                       |
| - Analysis that the technologies continue to support (and do not      |
|   preclude) the entity's PCI DSS compliance.                          |
|                                                                       |
| - Documentation of any industry announcements or trends related to a  |
|   technology, such as when a vendor has announced "end of life" plans |
|   for a technology.                                                   |
|                                                                       |
| - Documentation of a plan, approved by senior management, to          |
|   remediate outdated technologies, including those for which vendors  |
|   have announced "end of life" plans.                                 |
|                                                                       |
| ***Note:** This requirement is a **best practice** until **31 March   |
| 2025**, after which it will be required and must be fully considered  |
| during a PCI DSS assessment.*                                         |
+-----------------------------------------------------------------------+
+------------------------------------------------+--------------------------+--------------------------+--------------------------+
| > **Assessment Findings (select one)**         |                          |                          |                          |
+================================================+==========================+==========================+==========================+
| **In Place**                                   | **Not Applicable**       | **Not Tested**           | **Not in Place**         |
+------------------------------------------------+--------------------------+--------------------------+--------------------------+
| ☐                                              | ☐                        | ☐                        | ☐                        |
+------------------------------------------------+--------------------------+--------------------------+--------------------------+
| Describe why the assessment finding was        |                          | \<Enter Response Here\>  |                          |
| selected.                                      |                          |                          |                          |
|                                                |                          |                          |                          |
| ***Note**: Include all details as noted in     |                          |                          |                          |
| the "Required Reporting" column of the table   |                          |                          |                          |
| in [Assessment Findings](#assessment-findings) |                          |                          |                          |
| in the ROC Template Instructions.*             |                          |                          |                          |
+------------------------------------------------+--------------------------+--------------------------+--------------------------+
+--------------------------------------------------------------+----------------------------------------------------+--------------------------------+
| **Validation Method -- Customized Approach**                 |                                                    |                                |
+==============================================================+====================================================+================================+
| **Indicate** whether a Customized Approach was used:         |                                                    | ☐ Yes ☐ No                     |
+--------------------------------------------------------------+----------------------------------------------------+--------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      |                                                    | \<Enter Response Here\>        |
| where the Customized Approach was used.                      |                                                    |                                |
|                                                              |                                                    |                                |
| ***Note:** The use of Customized Approach must also be       |                                                    |                                |
| documented in                                                |                                                    |                                |
| [Appendix E.](#appendix-e-customized-approach-template)*     |                                                    |                                |
+--------------------------------------------------------------+----------------------------------------------------+--------------------------------+
| **Validation Method -- Defined Approach**                    |                                                    |                                |
+--------------------------------------------------------------+----------------------------------------------------+--------------------------------+
| **Indicate** whether a Compensating Control was used:        |                                                    | ☐ Yes ☐ No                     |
+--------------------------------------------------------------+----------------------------------------------------+--------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      |                                                    | \<Enter Response Here\>        |
| where the Compensating Control(s) was used.                  |                                                    |                                |
|                                                              |                                                    |                                |
| ***Note:** The use of Compensating Controls must also be     |                                                    |                                |
| documented in                                                |                                                    |                                |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*  |                                                    |                                |
+--------------------------------------------------------------+----------------------------------------------------+--------------------------------+
| > **Testing Procedures**                                     | > **Reporting Instructions**                       | > **Reporting Details:         |
|                                                              |                                                    | > Assessor's Response**        |
+--------------------------------------------------------------+----------------------------------------------------+--------------------------------+
| **12.3.4** Examine documentation for the review of hardware  | **Identify** the evidence reference number(s) from | \<Enter Response Here\>        |
| and software technologies in use and interview personnel to  | [Section 6](#evidence-assessment-workpapers)       |                                |
| verify that the review is in accordance with all elements    | for all **documentation** examined for this        |                                |
| specified in this requirement.                               | testing procedure.                                 |                                |
+--------------------------------------------------------------+----------------------------------------------------+--------------------------------+
|                                                              | **Identify** the evidence reference number(s) from | \<Enter Response Here\>        |
|                                                              | [Section 6](#evidence-assessment-workpapers)       |                                |
|                                                              | for all **interview(s)** conducted for this        |                                |
|                                                              | testing procedure.                                 |                                |
+--------------------------------------------------------------+----------------------------------------------------+--------------------------------+
+-----------------------------------------------------------------------+
| > **Requirement Description**                                         |
+=======================================================================+
| **12.4** PCI DSS compliance is managed.                               |
+-----------------------------------------------------------------------+
| > **PCI DSS Requirement**                                             |
+-----------------------------------------------------------------------+
| **12.4.1** *Additional requirement for service providers only:*       |
| Responsibility is established by executive management for the         |
| protection of cardholder data and a PCI DSS compliance program to     |
| include:                                                              |
|                                                                       |
| - Overall accountability for maintaining PCI DSS compliance.          |
|                                                                       |
| - Defining a charter for a PCI DSS compliance program and             |
|   communication to executive management.                              |
+-----------------------------------------------------------------------+
+------------------------------------------------+--------------------------+--------------------------+--------------------------+
| > **Assessment Findings (select one)**         |                          |                          |                          |
+================================================+==========================+==========================+==========================+
| **In Place**                                   | **Not Applicable**       | **Not Tested**           | **Not in Place**         |
+------------------------------------------------+--------------------------+--------------------------+--------------------------+
| ☐                                              | ☐                        | ☐                        | ☐                        |
+------------------------------------------------+--------------------------+--------------------------+--------------------------+
| Describe why the assessment finding was        |                          | \<Enter Response Here\>  |                          |
| selected.                                      |                          |                          |                          |
|                                                |                          |                          |                          |
| ***Note**: Include all details as noted in     |                          |                          |                          |
| the "Required Reporting" column of the table   |                          |                          |                          |
| in [Assessment Findings](#assessment-findings) |                          |                          |                          |
| in the ROC Template Instructions.*             |                          |                          |                          |
+------------------------------------------------+--------------------------+--------------------------+--------------------------+
+--------------------------------------------------------------+----------------------------------------------------+--------------------------------+
| **Validation Method -- Customized Approach**                 |                                                    |                                |
+==============================================================+====================================================+================================+
| **Indicate** whether a Customized Approach was used:         |                                                    | ☐ Yes ☐ No                     |
+--------------------------------------------------------------+----------------------------------------------------+--------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      |                                                    | \<Enter Response Here\>        |
| where the Customized Approach was used.                      |                                                    |                                |
|                                                              |                                                    |                                |
| ***Note:** The use of Customized Approach must also be       |                                                    |                                |
| documented in                                                |                                                    |                                |
| [Appendix E.](#appendix-e-customized-approach-template)*     |                                                    |                                |
+--------------------------------------------------------------+----------------------------------------------------+--------------------------------+
| **Validation Method -- Defined Approach**                    |                                                    |                                |
+--------------------------------------------------------------+----------------------------------------------------+--------------------------------+
| **Indicate** whether a Compensating Control was used:        |                                                    | ☐ Yes ☐ No                     |
+--------------------------------------------------------------+----------------------------------------------------+--------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      |                                                    | \<Enter Response Here\>        |
| where the Compensating Control(s) was used.                  |                                                    |                                |
|                                                              |                                                    |                                |
| ***Note:** The use of Compensating Controls must also be     |                                                    |                                |
| documented in                                                |                                                    |                                |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*  |                                                    |                                |
+--------------------------------------------------------------+----------------------------------------------------+--------------------------------+
| > **Testing Procedures**                                     | > **Reporting Instructions**                       | > **Reporting Details:         |
|                                                              |                                                    | > Assessor's Response**        |
+--------------------------------------------------------------+----------------------------------------------------+--------------------------------+
| **12.4.1** *Additional testing procedure for service         | **Identify** the evidence reference number(s) from | \<Enter Response Here\>        |
| provider assessments only:* Examine documentation to verify  | [Section 6](#evidence-assessment-workpapers)       |                                |
| that executive management has established responsibility for | for all **documentation** examined for this        |                                |
| the protection of cardholder data and a PCI DSS compliance   | testing procedure.                                 |                                |
| program in accordance with all elements specified in this    |                                                    |                                |
| requirement.                                                 |                                                    |                                |
+--------------------------------------------------------------+----------------------------------------------------+--------------------------------+

+------------------------------------------------------------------------------+
| > **PCI DSS Requirement**                                                    |
+==============================================================================+
| **12.4.2** ***Additional requirement for service providers only:*** Reviews  |
| are performed at least once every three months to confirm that personnel     |
| are performing their tasks in accordance with all security policies and      |
| operational procedures. Reviews are performed by personnel other than those  |
| responsible for performing the given task and include, but are not limited   |
| to, the following tasks:                                                     |
|                                                                              |
| - Daily log reviews.                                                         |
| - Configuration reviews for network security controls.                       |
| - Applying configuration standards to new systems.                           |
| - Responding to security alerts.                                             |
| - Change-management processes.                                               |
+------------------------------------------------------------------------------+

+------------------------------------------+--------------------+----------------+------------------+
| > **Assessment Findings (select one)**   |                    |                |                  |
+==========================================+====================+================+==================+
| **In Place**                             | **Not Applicable** | **Not Tested** | **Not in Place** |
+------------------------------------------+--------------------+----------------+------------------+
| ☐                                        | ☐                  | ☐              | ☐                |
+------------------------------------------+--------------------+----------------+------------------+

+----------------------------------------------------------+----------------------------+
| Describe why the assessment finding was selected.        | \<Enter Response Here\>    |
|                                                          |                            |
| ***Note**: Include all details as noted in the           |                            |
| "Required Reporting" column of the table in              |                            |
| [Assessment Findings](#assessment-findings) in the       |                            |
| ROC Template Instructions.*                              |                            |
+----------------------------------------------------------+----------------------------+

+----------------------------------------------------------+----------------------------+
| **Validation Method -- Customized Approach**             |                            |
+==========================================================+============================+
| **Indicate** whether a Customized Approach was used:     | ☐ Yes ☐ No                 |
+----------------------------------------------------------+----------------------------+
| **If "Yes", Identify** the aspect(s) of the              | \<Enter Response Here\>    |
| requirement where the Customized Approach was used.      |                            |
|                                                          |                            |
| ***Note:** The use of Customized Approach must also      |                            |
| be documented in [Appendix                               |                            |
| E.](#appendix-e-customized-approach-template)*           |                            |
+----------------------------------------------------------+----------------------------+

+----------------------------------------------------------+----------------------------+
| **Validation Method -- Defined Approach**                |                            |
+==========================================================+============================+
| **Indicate** whether a Compensating Control was used:    | ☐ Yes ☐ No                 |
+----------------------------------------------------------+----------------------------+
| **If "Yes", Identify** the aspect(s) of the              | \<Enter Response Here\>    |
| requirement where the Compensating Control(s) was used.  |                            |
|                                                          |                            |
| ***Note:** The use of Compensating Controls must also    |                            |
| be documented in [Appendix                               |                            |
| C.](#appendix-c-compensating-controls-worksheet)*        |                            |
+----------------------------------------------------------+----------------------------+

+--------------------------------------+--------------------------------------+--------------------------+
| > **Testing Procedures**             | > **Reporting Instructions**         | > **Reporting Details:   |
|                                      |                                      | > Assessor's Response**  |
+======================================+======================================+==========================+
| **12.4.2.a** ***Additional testing   | **Identify** the evidence reference  | \<Enter Response Here\>  |
| procedure for service provider       | number(s) from [Section              |                          |
| assessments only:*** Examine         | 6](#evidence-assessment-workpapers)  |                          |
| policies and procedures to verify    | for all **policies and procedures**  |                          |
| that processes are defined for       | examined for this testing            |                          |
| conducting reviews to confirm that   | procedure.                           |                          |
| personnel are performing their       |                                      |                          |
| tasks in accordance with all         |                                      |                          |
| security policies and all            |                                      |                          |
| operational procedures, including    |                                      |                          |
| but not limited to the tasks         |                                      |                          |
| specified in this requirement.       |                                      |                          |
+--------------------------------------+--------------------------------------+--------------------------+
| **12.4.2.b** ***Additional testing   | **Identify** the evidence reference  | \<Enter Response Here\>  |
| procedure for service provider       | number(s) from [Section              |                          |
| assessments only:*** Interview       | 6](#evidence-assessment-workpapers)  |                          |
| responsible personnel and examine    | for all **interview(s)** conducted   |                          |
| records of reviews to verify that    | for this testing procedure.          |                          |
| reviews are performed:               |                                      |                          |
|                                      |                                      |                          |
| - At least once every three months.  |                                      |                          |
| - By personnel other than those      |                                      |                          |
|   responsible for performing the     |                                      |                          |
|   given task.                        |                                      |                          |
+--------------------------------------+--------------------------------------+--------------------------+
|                                      | **Identify** the evidence reference  | \<Enter Response Here\>  |
|                                      | number(s) from [Section              |                          |
|                                      | 6](#evidence-assessment-workpapers)  |                          |
|                                      | for all **records of reviews**       |                          |
|                                      | examined for this testing            |                          |
|                                      | procedure.                           |                          |
+--------------------------------------+--------------------------------------+--------------------------+

+------------------------------------------------------------------------------+
| > **PCI DSS Requirement**                                                    |
+==============================================================================+
| **12.4.2.1** ***Additional requirement for service providers only:***        |
| Reviews conducted in accordance with Requirement 12.4.2 are documented to    |
| include:                                                                     |
|                                                                              |
| - Results of the reviews.                                                    |
| - Documented remediation actions taken for any tasks that were found to not  |
|   be performed at Requirement 12.4.2.                                        |
| - Review and sign-off of results by personnel assigned responsibility for    |
|   the PCI DSS compliance program.                                            |
+------------------------------------------------------------------------------+

+------------------------------------------+--------------------+----------------+------------------+
| > **Assessment Findings (select one)**   |                    |                |                  |
+==========================================+====================+================+==================+
| **In Place**                             | **Not Applicable** | **Not Tested** | **Not in Place** |
+------------------------------------------+--------------------+----------------+------------------+
| ☐                                        | ☐                  | ☐              | ☐                |
+------------------------------------------+--------------------+----------------+------------------+

+----------------------------------------------------------+----------------------------+
| Describe why the assessment finding was selected.        | \<Enter Response Here\>    |
|                                                          |                            |
| ***Note**: Include all details as noted in the           |                            |
| "Required Reporting" column of the table in              |                            |
| [Assessment Findings](#assessment-findings) in the       |                            |
| ROC Template Instructions.*                              |                            |
+----------------------------------------------------------+----------------------------+

+----------------------------------------------------------+----------------------------+
| **Validation Method -- Customized Approach**             |                            |
+==========================================================+============================+
| **Indicate** whether a Customized Approach was used:     | ☐ Yes ☐ No                 |
+----------------------------------------------------------+----------------------------+
| **If "Yes", Identify** the aspect(s) of the              | \<Enter Response Here\>    |
| requirement where the Customized Approach was used.      |                            |
|                                                          |                            |
| ***Note:** The use of Customized Approach must also      |                            |
| be documented in [Appendix                               |                            |
| E.](#appendix-e-customized-approach-template)*           |                            |
+----------------------------------------------------------+----------------------------+

+----------------------------------------------------------+----------------------------+
| **Validation Method -- Defined Approach**                |                            |
+==========================================================+============================+
| **Indicate** whether a Compensating Control was used:    | ☐ Yes ☐ No                 |
+----------------------------------------------------------+----------------------------+
| **If "Yes", Identify** the aspect(s) of the              | \<Enter Response Here\>    |
| requirement where the Compensating Control(s) was used.  |                            |
|                                                          |                            |
| ***Note:** The use of Compensating Controls must also    |                            |
| be documented in [Appendix                               |                            |
| C.](#appendix-c-compensating-controls-worksheet)*        |                            |
+----------------------------------------------------------+----------------------------+

+--------------------------------------+--------------------------------------+--------------------------+
| > **Testing Procedures**             | > **Reporting Instructions**         | > **Reporting Details:   |
|                                      |                                      | > Assessor's Response**  |
+======================================+======================================+==========================+
| **12.4.2.1** ***Additional testing   | **Identify** the evidence reference  | \<Enter Response Here\>  |
| procedure for service provider       | number(s) from [Section              |                          |
| assessments only:*** Examine         | 6](#evidence-assessment-workpapers)  |                          |
| documentation from the reviews       | for all **documentation** examined   |                          |
| conducted in accordance with PCI     | for this testing procedure.          |                          |
| DSS Requirement 12.4.2 to verify     |                                      |                          |
| the documentation includes all       |                                      |                          |
| elements specified in this           |                                      |                          |
| requirement.                         |                                      |                          |
+--------------------------------------+--------------------------------------+--------------------------+

+------------------------------------------------------------------------------+
| > **Requirement Description**                                                |
+==============================================================================+
| **12.5** PCI DSS scope is documented and validated.                          |
+------------------------------------------------------------------------------+
| > **PCI DSS Requirement**                                                    |
+------------------------------------------------------------------------------+
| **12.5.1** An inventory of system components that are in scope for PCI DSS,  |
| including a description of function/use, is maintained and kept current.     |
+------------------------------------------------------------------------------+

+------------------------------------------+--------------------+----------------+------------------+
| > **Assessment Findings (select one)**   |                    |                |                  |
+==========================================+====================+================+==================+
| **In Place**                             | **Not Applicable** | **Not Tested** | **Not in Place** |
+------------------------------------------+--------------------+----------------+------------------+
| ☐                                        | ☐                  | ☐              | ☐                |
+------------------------------------------+--------------------+----------------+------------------+

+----------------------------------------------------------+----------------------------+
| Describe why the assessment finding was selected.        | \<Enter Response Here\>    |
|                                                          |                            |
| ***Note**: Include all details as noted in the           |                            |
| "Required Reporting" column of the table in              |                            |
| [Assessment Findings](#assessment-findings) in the       |                            |
| ROC Template Instructions.*                              |                            |
+----------------------------------------------------------+----------------------------+

+----------------------------------------------------------+----------------------------+
| **Validation Method -- Customized Approach**             |                            |
+==========================================================+============================+
| **Indicate** whether a Customized Approach was used:     | ☐ Yes ☐ No                 |
+----------------------------------------------------------+----------------------------+
| **If "Yes", Identify** the aspect(s) of the              | \<Enter Response Here\>    |
| requirement where the Customized Approach was used.      |                            |
|                                                          |                            |
| ***Note:** The use of Customized Approach must also      |                            |
| be documented in [Appendix                               |                            |
| E.](#appendix-e-customized-approach-template)*           |                            |
+----------------------------------------------------------+----------------------------+

+----------------------------------------------------------+----------------------------+
| **Validation Method -- Defined Approach**                |                            |
+==========================================================+============================+
| **Indicate** whether a Compensating Control was used:    | ☐ Yes ☐ No                 |
+----------------------------------------------------------+----------------------------+
| **If "Yes", Identify** the aspect(s) of the              | \<Enter Response Here\>    |
| requirement where the Compensating Control(s) was used.  |                            |
|                                                          |                            |
| ***Note:** The use of Compensating Controls must also    |                            |
| be documented in [Appendix                               |                            |
| C.](#appendix-c-compensating-controls-worksheet)*        |                            |
+----------------------------------------------------------+----------------------------+

+--------------------------------------+--------------------------------------+--------------------------+
| > **Testing Procedures**             | > **Reporting Instructions**         | > **Reporting Details:   |
|                                      |                                      | > Assessor's Response**  |
+======================================+======================================+==========================+
| **12.5.1.a** Examine the inventory   | **Identify** the evidence reference  | \<Enter Response Here\>  |
| to verify it includes all in-scope   | number(s) from [Section              |                          |
| system components and a description  | 6](#evidence-assessment-workpapers)  |                          |
| of function/use for each.            | for the **inventory** examined for   |                          |
|                                      | this testing procedure.              |                          |
+--------------------------------------+--------------------------------------+--------------------------+
| **12.5.1.b** Interview personnel to  | **Identify** the evidence reference  | \<Enter Response Here\>  |
| verify the inventory is kept         | number(s) from [Section              |                          |
| current.                             | 6](#evidence-assessment-workpapers)  |                          |
|                                      | for all **interview(s)** conducted   |                          |
|                                      | for this testing procedure.          |                          |
+--------------------------------------+--------------------------------------+--------------------------+

+------------------------------------------------------------------------------+
| > **PCI DSS Requirement**                                                    |
+==============================================================================+
| **12.5.2** PCI DSS scope is documented and confirmed by the entity at least  |
| once every 12 months and upon significant change to the in-scope             |
| environment. At a minimum, the scoping validation includes:                  |
|                                                                              |
| - Identifying all data flows for the various payment stages (for example,    |
|   authorization, capture, settlement, chargebacks, and refunds) and          |
|   acceptance channels (for example, card-present, card-not-present, and      |
|   e-commerce).                                                               |
| - Updating all data-flow diagrams per Requirement 1.2.4.                     |
| - Identifying all locations where account data is stored, processed, and     |
|   transmitted, including but not limited to: 1) any locations outside of the |
|   currently defined CDE, 2) applications that process CHD, 3) transmissions  |
|   between systems and networks, and 4) file backups.                         |
| - Identifying all system components in the CDE, connected to the CDE, or     |
|   that could impact security of the CDE.                                     |
| - Identifying all segmentation controls in use and the environment(s) from   |
|   which the CDE is segmented, including justification for environments being |
|   out of scope.                                                              |
| - Identifying all connections from third-party entities with access to the   |
|   CDE.                                                                       |
| - Confirming that all identified data flows, account data, system            |
|   components, segmentation controls, and connections from third parties      |
|   with access to the CDE are included in scope.                              |
+------------------------------------------------------------------------------+

+------------------------------------------+--------------------+----------------+------------------+
| > **Assessment Findings (select one)**   |                    |                |                  |
+==========================================+====================+================+==================+
| **In Place**                             | **Not Applicable** | **Not Tested** | **Not in Place** |
+------------------------------------------+--------------------+----------------+------------------+
| ☐                                        | ☐                  | ☐              | ☐                |
+------------------------------------------+--------------------+----------------+------------------+

+----------------------------------------------------------+----------------------------+
| Describe why the assessment finding was selected.        | \<Enter Response Here\>    |
|                                                          |                            |
| ***Note**: Include all details as noted in the           |                            |
| "Required Reporting" column of the table in              |                            |
| [Assessment Findings](#assessment-findings) in the       |                            |
| ROC Template Instructions.*                              |                            |
+----------------------------------------------------------+----------------------------+

+----------------------------------------------------------+----------------------------+
| **Validation Method -- Customized Approach**             |                            |
+==========================================================+============================+
| **Indicate** whether a Customized Approach was used:     | ☐ Yes ☐ No                 |
+----------------------------------------------------------+----------------------------+
| **If "Yes", Identify** the aspect(s) of the              | \<Enter Response Here\>    |
| requirement where the Customized Approach was used.      |                            |
|                                                          |                            |
| ***Note:** The use of Customized Approach must also      |                            |
| be documented in [Appendix                               |                            |
| E.](#appendix-e-customized-approach-template)*           |                            |
+----------------------------------------------------------+----------------------------+

+----------------------------------------------------------+----------------------------+
| **Validation Method -- Defined Approach**                |                            |
+==========================================================+============================+
| **Indicate** whether a Compensating Control was used:    | ☐ Yes ☐ No                 |
+----------------------------------------------------------+----------------------------+
| **If "Yes", Identify** the aspect(s) of the              | \<Enter Response Here\>    |
| requirement where the Compensating Control(s) was used.  |                            |
|                                                          |                            |
| ***Note:** The use of Compensating Controls must also    |                            |
| be documented in [Appendix                               |                            |
| C.](#appendix-c-compensating-controls-worksheet)*        |                            |
+----------------------------------------------------------+----------------------------+

+--------------------------------------+--------------------------------------+--------------------------+
| > **Testing Procedures**             | > **Reporting Instructions**         | > **Reporting Details:   |
|                                      |                                      | > Assessor's Response**  |
+======================================+======================================+==========================+
| **12.5.2.a** Examine documented      | **Identify** the evidence reference  | \<Enter Response Here\>  |
| results of scope reviews and         | number(s) from [Section              |                          |
| interview personnel to verify that   | 6](#evidence-assessment-workpapers)  |                          |
| the reviews are performed:           | for all **documentation** examined   |                          |
|                                      | for this testing procedure.          |                          |
| - At least once every 12 months.     |                                      |                          |
| - After significant changes to the   |                                      |                          |
|   in-scope environment.              |                                      |                          |
+--------------------------------------+--------------------------------------+--------------------------+
|                                      | **Identify** the evidence reference  | \<Enter Response Here\>  |
|                                      | number(s) from [Section              |                          |
|                                      | 6](#evidence-assessment-workpapers)  |                          |
|                                      | for all **interview(s)** conducted   |                          |
|                                      | for this testing procedure.          |                          |
+--------------------------------------+--------------------------------------+--------------------------+

+--------------------------------------+--------------------------------------+--------------------------+
| **12.5.2.b** Examine documented      | **Identify** the evidence reference  | \<Enter Response Here\>  |
| results of scope reviews performed   | number(s) from [Section              |                          |
| by the entity to verify that PCI     | 6](#evidence-assessment-workpapers)  |                          |
| DSS scoping confirmation activity    | for all **documented results of      |                          |
| includes all elements specified in   | scope reviews** examined for this    |                          |
| this requirement.                    | testing procedure.                   |                          |
+--------------------------------------+--------------------------------------+--------------------------+

+------------------------------------------------------------------------------+
| > **PCI DSS Requirement**                                                    |
+==============================================================================+
| **12.5.2.1** ***Additional requirement for service providers only:*** PCI    |
| DSS scope is documented and confirmed by the entity at least once every six  |
| months and upon significant change to the in-scope environment. At a         |
| minimum, the scoping validation includes all the elements specified in       |
| Requirement 12.5.2.                                                          |
|                                                                              |
| ***Note:** This requirement is a **best practice** until **31 March 2025**,  |
| after which it will be required and must be fully considered during a PCI    |
| DSS assessment.*                                                             |
+------------------------------------------------------------------------------+

+------------------------------------------+--------------------+----------------+------------------+
| > **Assessment Findings (select one)**   |                    |                |                  |
+==========================================+====================+================+==================+
| **In Place**                             | **Not Applicable** | **Not Tested** | **Not in Place** |
+------------------------------------------+--------------------+----------------+------------------+
| ☐                                        | ☐                  | ☐              | ☐                |
+------------------------------------------+--------------------+----------------+------------------+

+----------------------------------------------------------+----------------------------+
| Describe why the assessment finding was selected.        | \<Enter Response Here\>    |
|                                                          |                            |
| ***Note**: Include all details as noted in the           |                            |
| "Required Reporting" column of the table in              |                            |
| [Assessment Findings](#assessment-findings) in the       |                            |
| ROC Template Instructions.*                              |                            |
+----------------------------------------------------------+----------------------------+

+----------------------------------------------------------+----------------------------+
| **Validation Method -- Customized Approach**             |                            |
+==========================================================+============================+
| **Indicate** whether a Customized Approach was used:     | ☐ Yes ☐ No                 |
+----------------------------------------------------------+----------------------------+
| **If "Yes", Identify** the aspect(s) of the              | \<Enter Response Here\>    |
| requirement where the Customized Approach was used.      |                            |
|                                                          |                            |
| ***Note:** The use of Customized Approach must also      |                            |
| be documented in [Appendix                               |                            |
| E.](#appendix-e-customized-approach-template)*           |                            |
+----------------------------------------------------------+----------------------------+

+----------------------------------------------------------+----------------------------+
| **Validation Method -- Defined Approach**                |                            |
+==========================================================+============================+
| **Indicate** whether a Compensating Control was used:    | ☐ Yes ☐ No                 |
+----------------------------------------------------------+----------------------------+
| **If "Yes", Identify** the aspect(s) of the              | \<Enter Response Here\>    |
| requirement where the Compensating Control(s) was used.  |                            |
|                                                          |                            |
| ***Note:** The use of Compensating Controls must also    |                            |
| be documented in [Appendix                               |                            |
| C.](#appendix-c-compensating-controls-worksheet)*        |                            |
+----------------------------------------------------------+----------------------------+

+--------------------------------------+--------------------------------------+--------------------------+
| > **Testing Procedures**             | > **Reporting Instructions**         | > **Reporting Details:   |
|                                      |                                      | > Assessor's Response**  |
+======================================+======================================+==========================+
| **12.5.2.1.a** ***Additional testing | **Identify** the evidence reference  | \<Enter Response Here\>  |
| procedure for service provider       | number(s) from [Section              |                          |
| assessments only:*** Examine         | 6](#evidence-assessment-workpapers)  |                          |
| documented results of scope reviews  | for all **documented results of      |                          |
| and interview personnel to verify    | scope reviews** examined for this    |                          |
| that reviews per Requirement 12.5.2  | testing procedure.                   |                          |
| are performed:                       |                                      |                          |
|                                      |                                      |                          |
| - At least once every six months,    |                                      |                          |
|   and                                |                                      |                          |
| - After significant changes          |                                      |                          |
+--------------------------------------+--------------------------------------+--------------------------+
|                                      | **Identify** the evidence reference  | \<Enter Response Here\>  |
|                                      | number(s) from [Section              |                          |
|                                      | 6](#evidence-assessment-workpapers)  |                          |
|                                      | for all **interview(s)** conducted   |                          |
|                                      | for this testing procedure.          |                          |
+--------------------------------------+--------------------------------------+--------------------------+
| **12.5.2.1.b** ***Additional testing | **Identify** the evidence reference  | \<Enter Response Here\>  |
| procedure for service provider       | number(s) from [Section              |                          |
| assessments only:*** Examine         | 6](#evidence-assessment-workpapers)  |                          |
| documented results of scope reviews  | for all **documented results of      |                          |
| to verify that scoping validation    | scope reviews** examined for this    |                          |
| includes all elements specified in   | testing procedure.                   |                          |
| Requirement 12.5.2.                  |                                      |                          |
+--------------------------------------+--------------------------------------+--------------------------+

+------------------------------------------------------------------------------+
| > **PCI DSS Requirement**                                                    |
+==============================================================================+
| **12.5.3** ***Additional requirement for service providers only:***          |
| Significant changes to organizational structure result in a documented       |
| (internal) review of the impact to PCI DSS scope and applicability of        |
| controls, with results communicated to executive management.                 |
|                                                                              |
| ***Note:** This requirement is a **best practice** until **31 March 2025**,  |
| after which it will be required and must be fully considered during a PCI    |
| DSS assessment.*                                                             |
+------------------------------------------------------------------------------+

+------------------------------------------+--------------------+----------------+------------------+
| > **Assessment Findings (select one)**   |                    |                |                  |
+==========================================+====================+================+==================+
| **In Place**                             | **Not Applicable** | **Not Tested** | **Not in Place** |
+------------------------------------------+--------------------+----------------+------------------+
| ☐                                        | ☐                  | ☐              | ☐                |
+------------------------------------------+--------------------+----------------+------------------+

+----------------------------------------------------------+----------------------------+
| Describe why the assessment finding was selected.        | \<Enter Response Here\>    |
|                                                          |                            |
| ***Note**: Include all details as noted in the           |                            |
| "Required Reporting" column of the table in              |                            |
| [Assessment Findings](#assessment-findings) in the       |                            |
| ROC Template Instructions.*                              |                            |
+----------------------------------------------------------+----------------------------+

+----------------------------------------------------------+----------------------------+
| **Validation Method -- Customized Approach**             |                            |
+==========================================================+============================+
| **Indicate** whether a Customized Approach was used:     | ☐ Yes ☐ No                 |
+----------------------------------------------------------+----------------------------+
+------------+---------------------+---+---------------+---------------+
| **If | | | \<Enter | |
| "Yes", | | | Response | |
| Identify** | | | Here\> | |
| the | | | | |
| aspect(s) | | | | |
| of the | | | | |
| r | | | | |
| equirement | | | | |
| where the | | | | |
| Customized | | | | |
| Approach | | | | |
| was used. | | | | |
| | | | | |
| ***Note:** | | | | |
| The use of | | | | |
| Customized | | | | |
| Approach | | | | |
| must also | | | | |
| be | | | | |
| documented | | | | |
| in | | | | |
| [Appendix | | | | |
| E.](#a | | | | |
| ppendix-e- | | | | |
| customized | | | | |
| -approach- | | | | |
| template)* | | | | |
+------------+---------------------+---+---------------+---------------+
| ** | | | | |
| Validation | | | | |
| Method -- | | | | |
| Defined | | | | |
| Approach** | | | | |
+------------+---------------------+---+---------------+---------------+
| ** | | | - Yes ☐ No | |
| Indicate** | | | | |
| whether a | | | | |
| Co | | | | |
| mpensating | | | | |
| Control | | | | |
| was used: | | | | |
+------------+---------------------+---+---------------+---------------+
| **If | | | \<Enter | |
| "Yes", | | | Response | |
| Identify** | | | Here\> | |
| the | | | | |
| aspect(s) | | | | |
| of the | | | | |
| r | | | | |
| equirement | | | | |
| where the | | | | |
| Co | | | | |
| mpensating | | | | |
| Control(s) | | | | |
| was used. | | | | |
| | | | | |
| ***Note:** | | | | |
| The use of | | | | |
| Co | | | | |
| mpensating | | | | |
| Controls | | | | |
| must also | | | | |
| be | | | | |
| documented | | | | |
| in | | | | |
| [Appendix | | | | |
| C.](#appe | | | | |
| ndix-c-com | | | | |
| pensating- | | | | |
| controls-w | | | | |
| orksheet)* | | | | |
+------------+---------------------+---+---------------+---------------+
+-----------------+-------------------+--------------------------------+
| > **Testing | > **Reporting | > **Reporting Details: |
| > Procedures** | > Instructions** | > Assessor's Response** |
+=================+===================+================================+
| **12.5.3.a | **Identify** the | \<Enter Response Here\> |
| *Additional | evidence | |
| testing | reference | |
| procedure for | number(s) from | |
| service | [Section | |
| provider | 6 | |
| assessments | ](#evidence-asses | |
| only: | sment-workpapers) | |
| ***Examine | for all | |
| policies and | **policies and | |
| procedures to | procedures** | |
| verify that | examined for this | |
| processes are | testing | |
| defined such | procedure. | |
| that a | | |
| significant | | |
| change to | | |
| organizational | | |
| structure | | |
| results in | | |
| documented | | |
| review of the | | |
| impact to PCI | | |
| DSS scope and | | |
| applicability | | |
| of controls. | | |
+-----------------+-------------------+--------------------------------+
| **12.5.3.b | **Identify** the | \<Enter Response Here\> |
| *Additional | evidence | |
| testing | reference | |
| procedure for | number(s) from | |
| service | [Section | |
| provider | 6 | |
| assessments | ](#evidence-asses | |
| only: | sment-workpapers) | |
| ***Examine | for all | |
| documentation | **documentation** | |
| (for example, | examined for this | |
| meeting | testing | |
| minutes) and | procedure. | |
| interview | | |
| responsible | | |
| personnel to | | |
| verify that | | |
| significant | | |
| changes to | | |
| organizational | | |
| structure | | |
| resulted in | | |
| documented | | |
| reviews that | | |
| included all | | |
| elements | | |
| specified in | | |
| this | | |
| requirement, | | |
| with results | | |
| communicated to | | |
| executive | | |
| management. | | |
+-----------------+-------------------+--------------------------------+
| | **Identify** the | \<Enter Response Here\> |
| | evidence | |
| | reference | |
| | number(s) from | |
| | [Section | |
| | 6 | |
| | ](#evidence-asses | |
| | sment-workpapers) | |
| | for all | |
| | **interview(s)** | |
| | conducted for | |
| | this testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+
+-------------------------------------------------------------------------------------------------------+
| **Requirement Description**                                                                           |
+=======================================================================================================+
| **12.6** Security awareness education is an ongoing activity.                                         |
+-------------------------------------------------------------------------------------------------------+
| **PCI DSS Requirement**                                                                               |
+-------------------------------------------------------------------------------------------------------+
| **12.6.1** A formal security awareness program is implemented to make all personnel aware of the      |
| entity's information security policy and procedures, and their role in protecting the cardholder      |
| data.                                                                                                 |
+-------------------------------------------------------------------------------------------------------+

+-------------------------+-------------------------+-------------------------+-------------------------+
| **Assessment Findings   |                         |                         |                         |
| (select one)**          |                         |                         |                         |
+=========================+=========================+=========================+=========================+
| **In Place**            | **Not Applicable**      | **Not Tested**          | **Not in Place**        |
+-------------------------+-------------------------+-------------------------+-------------------------+
| ☐                       | ☐                       | ☐                       | ☐                       |
+-------------------------+-------------------------+-------------------------+-------------------------+

+------------------------------------------------------------------------------+------------------------+
| Describe why the assessment finding was selected.                            | \<Enter Response       |
|                                                                              | Here\>                 |
| ***Note**: Include all details as noted in the "Required Reporting" column   |                        |
| of the table in [Assessment Findings](#assessment-findings) in the ROC       |                        |
| Template Instructions.*                                                      |                        |
+------------------------------------------------------------------------------+------------------------+
| **Validation Method -- Customized Approach**                                 |                        |
+------------------------------------------------------------------------------+------------------------+
| **Indicate** whether a Customized Approach was used:                         | ☐ Yes ☐ No             |
+------------------------------------------------------------------------------+------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the Customized | \<Enter Response       |
| Approach was used.                                                           | Here\>                 |
|                                                                              |                        |
| ***Note:** The use of Customized Approach must also be documented in         |                        |
| [Appendix E.](#appendix-e-customized-approach-template)*                     |                        |
+------------------------------------------------------------------------------+------------------------+
| **Validation Method -- Defined Approach**                                    |                        |
+------------------------------------------------------------------------------+------------------------+
| **Indicate** whether a Compensating Control was used:                        | ☐ Yes ☐ No             |
+------------------------------------------------------------------------------+------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the            | \<Enter Response       |
| Compensating Control(s) was used.                                            | Here\>                 |
|                                                                              |                        |
| ***Note:** The use of Compensating Controls must also be documented in       |                        |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*                  |                        |
+------------------------------------------------------------------------------+------------------------+

+----------------------------------------+----------------------------------------------+-----------------------+
| **Testing Procedures**                 | **Reporting Instructions**                   | **Reporting Details:  |
|                                        |                                              | Assessor's Response** |
+========================================+==============================================+=======================+
| **12.6.1** Examine the security        | **Identify** the evidence reference          | \<Enter Response      |
| awareness program to verify it         | number(s) from                               | Here\>                |
| provides awareness to all personnel    | [Section 6](#evidence-assessment-workpapers) |                       |
| about the entity's information         | for the **security awareness program**       |                       |
| security policy and procedures, and    | examined for this testing procedure.         |                       |
| personnel's role in protecting the     |                                              |                       |
| cardholder data.                       |                                              |                       |
+----------------------------------------+----------------------------------------------+-----------------------+
+-------------------------------------------------------------------------------------------------------+
| **PCI DSS Requirement**                                                                               |
+=======================================================================================================+
| **12.6.2** The security awareness program is:                                                         |
|                                                                                                       |
| - Reviewed at least once every 12 months, and                                                         |
|                                                                                                       |
| - Updated as needed to address any new threats and vulnerabilities that may impact the security of    |
|   the entity's CDE, or the information provided to personnel about their role in protecting           |
|   cardholder data.                                                                                    |
|                                                                                                       |
| ***Note:** This requirement is a **best practice** until **31 March 2025**, after which it will be    |
| required and must be fully considered during a PCI DSS assessment.*                                   |
+-------------------------------------------------------------------------------------------------------+

+-------------------------+-------------------------+-------------------------+-------------------------+
| **Assessment Findings   |                         |                         |                         |
| (select one)**          |                         |                         |                         |
+=========================+=========================+=========================+=========================+
| **In Place**            | **Not Applicable**      | **Not Tested**          | **Not in Place**        |
+-------------------------+-------------------------+-------------------------+-------------------------+
| ☐                       | ☐                       | ☐                       | ☐                       |
+-------------------------+-------------------------+-------------------------+-------------------------+

+------------------------------------------------------------------------------+------------------------+
| Describe why the assessment finding was selected.                            | \<Enter Response       |
|                                                                              | Here\>                 |
| ***Note**: Include all details as noted in the "Required Reporting" column   |                        |
| of the table in [Assessment Findings](#assessment-findings) in the ROC       |                        |
| Template Instructions.*                                                      |                        |
+------------------------------------------------------------------------------+------------------------+
| **Validation Method -- Customized Approach**                                 |                        |
+------------------------------------------------------------------------------+------------------------+
| **Indicate** whether a Customized Approach was used:                         | ☐ Yes ☐ No             |
+------------------------------------------------------------------------------+------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the Customized | \<Enter Response       |
| Approach was used.                                                           | Here\>                 |
|                                                                              |                        |
| ***Note:** The use of Customized Approach must also be documented in         |                        |
| [Appendix E.](#appendix-e-customized-approach-template)*                     |                        |
+------------------------------------------------------------------------------+------------------------+
| **Validation Method -- Defined Approach**                                    |                        |
+------------------------------------------------------------------------------+------------------------+
| **Indicate** whether a Compensating Control was used:                        | ☐ Yes ☐ No             |
+------------------------------------------------------------------------------+------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the            | \<Enter Response       |
| Compensating Control(s) was used.                                            | Here\>                 |
|                                                                              |                        |
| ***Note:** The use of Compensating Controls must also be documented in       |                        |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*                  |                        |
+------------------------------------------------------------------------------+------------------------+

+----------------------------------------+----------------------------------------------+-----------------------+
| **Testing Procedures**                 | **Reporting Instructions**                   | **Reporting Details:  |
|                                        |                                              | Assessor's Response** |
+========================================+==============================================+=======================+
| **12.6.2** Examine security awareness  | **Identify** the evidence reference          | \<Enter Response      |
| program content, evidence of reviews,  | number(s) from                               | Here\>                |
| and interview personnel to verify that | [Section 6](#evidence-assessment-workpapers) |                       |
| the security awareness program is in   | for all **security awareness program         |                       |
| accordance with all elements specified | content** examined for this testing          |                       |
| in this requirement.                   | procedure.                                   |                       |
+----------------------------------------+----------------------------------------------+-----------------------+
|                                        | **Identify** the evidence reference          | \<Enter Response      |
|                                        | number(s) from                               | Here\>                |
|                                        | [Section 6](#evidence-assessment-workpapers) |                       |
|                                        | for all **evidence of reviews** examined     |                       |
|                                        | for this testing procedure.                  |                       |
+----------------------------------------+----------------------------------------------+-----------------------+
|                                        | **Identify** the evidence reference          | \<Enter Response      |
|                                        | number(s) from                               | Here\>                |
|                                        | [Section 6](#evidence-assessment-workpapers) |                       |
|                                        | for all **interview(s)** conducted for this  |                       |
|                                        | testing procedure.                           |                       |
+----------------------------------------+----------------------------------------------+-----------------------+
+-------------------------------------------------------------------------------------------------------+
| **PCI DSS Requirement**                                                                               |
+=======================================================================================================+
| **12.6.3** Personnel receive security awareness training as follows:                                  |
|                                                                                                       |
| - Upon hire and at least once every 12 months.                                                        |
|                                                                                                       |
| - Multiple methods of communication are used.                                                         |
|                                                                                                       |
| - Personnel acknowledge at least once every 12 months that they have read and understood the          |
|   information security policy and procedures.                                                         |
+-------------------------------------------------------------------------------------------------------+

+-------------------------+-------------------------+-------------------------+-------------------------+
| **Assessment Findings   |                         |                         |                         |
| (select one)**          |                         |                         |                         |
+=========================+=========================+=========================+=========================+
| **In Place**            | **Not Applicable**      | **Not Tested**          | **Not in Place**        |
+-------------------------+-------------------------+-------------------------+-------------------------+
| ☐                       | ☐                       | ☐                       | ☐                       |
+-------------------------+-------------------------+-------------------------+-------------------------+

+------------------------------------------------------------------------------+------------------------+
| Describe why the assessment finding was selected.                            | \<Enter Response       |
|                                                                              | Here\>                 |
| ***Note**: Include all details as noted in the "Required Reporting" column   |                        |
| of the table in [Assessment Findings](#assessment-findings) in the ROC       |                        |
| Template Instructions.*                                                      |                        |
+------------------------------------------------------------------------------+------------------------+
| **Validation Method -- Customized Approach**                                 |                        |
+------------------------------------------------------------------------------+------------------------+
| **Indicate** whether a Customized Approach was used:                         | ☐ Yes ☐ No             |
+------------------------------------------------------------------------------+------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the Customized | \<Enter Response       |
| Approach was used.                                                           | Here\>                 |
|                                                                              |                        |
| ***Note:** The use of Customized Approach must also be documented in         |                        |
| [Appendix E.](#appendix-e-customized-approach-template)*                     |                        |
+------------------------------------------------------------------------------+------------------------+
| **Validation Method -- Defined Approach**                                    |                        |
+------------------------------------------------------------------------------+------------------------+
| **Indicate** whether a Compensating Control was used:                        | ☐ Yes ☐ No             |
+------------------------------------------------------------------------------+------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the            | \<Enter Response       |
| Compensating Control(s) was used.                                            | Here\>                 |
|                                                                              |                        |
| ***Note:** The use of Compensating Controls must also be documented in       |                        |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*                  |                        |
+------------------------------------------------------------------------------+------------------------+

+----------------------------------------+----------------------------------------------+-----------------------+
| **Testing Procedures**                 | **Reporting Instructions**                   | **Reporting Details:  |
|                                        |                                              | Assessor's Response** |
+========================================+==============================================+=======================+
| **12.6.3.a** Examine security          | **Identify** the evidence reference          | \<Enter Response      |
| awareness program records to verify    | number(s) from                               | Here\>                |
| that personnel attend security         | [Section 6](#evidence-assessment-workpapers) |                       |
| awareness training upon hire and at    | for all **security awareness program         |                       |
| least once every 12 months.            | records** examined for this testing          |                       |
|                                        | procedure.                                   |                       |
+----------------------------------------+----------------------------------------------+-----------------------+
| **12.6.3.b** Examine security          | **Identify** the evidence reference          | \<Enter Response      |
| awareness program materials to verify  | number(s) from                               | Here\>                |
| the program includes multiple methods  | [Section 6](#evidence-assessment-workpapers) |                       |
| of communicating awareness and         | for all **security awareness program         |                       |
| educating personnel.                   | materials** examined for this testing        |                       |
|                                        | procedure.                                   |                       |
+----------------------------------------+----------------------------------------------+-----------------------+
| **12.6.3.c** Interview personnel to    | **Identify** the evidence reference          | \<Enter Response      |
| verify they have completed awareness   | number(s) from                               | Here\>                |
| training and are aware of their role   | [Section 6](#evidence-assessment-workpapers) |                       |
| in protecting cardholder data.         | for all **interview(s)** conducted for this  |                       |
|                                        | testing procedure.                           |                       |
+----------------------------------------+----------------------------------------------+-----------------------+
| **12.6.3.d** Examine security          | **Identify** the evidence reference          | \<Enter Response      |
| awareness program materials and        | number(s) from                               | Here\>                |
| personnel acknowledgments to verify    | [Section 6](#evidence-assessment-workpapers) |                       |
| that personnel acknowledge at least    | for all **security awareness program         |                       |
| once every 12 months that they have    | materials** examined for this testing        |                       |
| read and understand the information    | procedure.                                   |                       |
| security policy and procedures.        |                                              |                       |
+----------------------------------------+----------------------------------------------+-----------------------+
|                                        | **Identify** the evidence reference          | \<Enter Response      |
|                                        | number(s) from                               | Here\>                |
|                                        | [Section 6](#evidence-assessment-workpapers) |                       |
|                                        | for all **personnel acknowledgments**        |                       |
|                                        | examined for this testing procedure.         |                       |
+----------------------------------------+----------------------------------------------+-----------------------+
+-------------------------------------------------------------------------------------------------------+
| **PCI DSS Requirement**                                                                               |
+=======================================================================================================+
| **12.6.3.1** Security awareness training includes awareness of threats and vulnerabilities that could |
| impact the security of the CDE, including but not limited to:                                         |
|                                                                                                       |
| - Phishing and related attacks.                                                                       |
|                                                                                                       |
| - Social engineering.                                                                                 |
|                                                                                                       |
| ***Note:** This requirement is a **best practice** until **31 March 2025**, after which it will be    |
| required and must be fully considered during a PCI DSS assessment.*                                   |
+-------------------------------------------------------------------------------------------------------+

+-------------------------+-------------------------+-------------------------+-------------------------+
| **Assessment Findings   |                         |                         |                         |
| (select one)**          |                         |                         |                         |
+=========================+=========================+=========================+=========================+
| **In Place**            | **Not Applicable**      | **Not Tested**          | **Not in Place**        |
+-------------------------+-------------------------+-------------------------+-------------------------+
| ☐                       | ☐                       | ☐                       | ☐                       |
+-------------------------+-------------------------+-------------------------+-------------------------+

+------------------------------------------------------------------------------+------------------------+
| Describe why the assessment finding was selected.                            | \<Enter Response       |
|                                                                              | Here\>                 |
| ***Note**: Include all details as noted in the "Required Reporting" column   |                        |
| of the table in [Assessment Findings](#assessment-findings) in the ROC       |                        |
| Template Instructions.*                                                      |                        |
+------------------------------------------------------------------------------+------------------------+
| **Validation Method -- Customized Approach**                                 |                        |
+------------------------------------------------------------------------------+------------------------+
| **Indicate** whether a Customized Approach was used:                         | ☐ Yes ☐ No             |
+------------------------------------------------------------------------------+------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the Customized | \<Enter Response       |
| Approach was used.                                                           | Here\>                 |
|                                                                              |                        |
| ***Note:** The use of Customized Approach must also be documented in         |                        |
| [Appendix E.](#appendix-e-customized-approach-template)*                     |                        |
+------------------------------------------------------------------------------+------------------------+
| **Validation Method -- Defined Approach**                                    |                        |
+------------------------------------------------------------------------------+------------------------+
| **Indicate** whether a Compensating Control was used:                        | ☐ Yes ☐ No             |
+------------------------------------------------------------------------------+------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the            | \<Enter Response       |
| Compensating Control(s) was used.                                            | Here\>                 |
|                                                                              |                        |
| ***Note:** The use of Compensating Controls must also be documented in       |                        |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*                  |                        |
+------------------------------------------------------------------------------+------------------------+

+----------------------------------------+----------------------------------------------+-----------------------+
| **Testing Procedures**                 | **Reporting Instructions**                   | **Reporting Details:  |
|                                        |                                              | Assessor's Response** |
+========================================+==============================================+=======================+
| **12.6.3.1** Examine security          | **Identify** the evidence reference          | \<Enter Response      |
| awareness training content to verify   | number(s) from                               | Here\>                |
| it includes all elements specified in  | [Section 6](#evidence-assessment-workpapers) |                       |
| this requirement.                      | for all **security awareness training**      |                       |
|                                        | content examined for this testing            |                       |
|                                        | procedure.                                   |                       |
+----------------------------------------+----------------------------------------------+-----------------------+
+-------------------------------------------------------------------------------------------------------+
| **PCI DSS Requirement**                                                                               |
+=======================================================================================================+
| **12.6.3.2** Security awareness training includes awareness about the acceptable use of end-user      |
| technologies in accordance with Requirement 12.2.1.                                                   |
|                                                                                                       |
| ***Note:** This requirement is a **best practice** until **31 March 2025**, after which it will be    |
| required and must be fully considered during a PCI DSS assessment.*                                   |
+-------------------------------------------------------------------------------------------------------+

+-------------------------+-------------------------+-------------------------+-------------------------+
| **Assessment Findings   |                         |                         |                         |
| (select one)**          |                         |                         |                         |
+=========================+=========================+=========================+=========================+
| **In Place**            | **Not Applicable**      | **Not Tested**          | **Not in Place**        |
+-------------------------+-------------------------+-------------------------+-------------------------+
| ☐                       | ☐                       | ☐                       | ☐                       |
+-------------------------+-------------------------+-------------------------+-------------------------+

+------------------------------------------------------------------------------+------------------------+
| Describe why the assessment finding was selected.                            | \<Enter Response       |
|                                                                              | Here\>                 |
| ***Note**: Include all details as noted in the "Required Reporting" column   |                        |
| of the table in [Assessment Findings](#assessment-findings) in the ROC       |                        |
| Template Instructions.*                                                      |                        |
+------------------------------------------------------------------------------+------------------------+
| **Validation Method -- Customized Approach**                                 |                        |
+------------------------------------------------------------------------------+------------------------+
| **Indicate** whether a Customized Approach was used:                         | ☐ Yes ☐ No             |
+------------------------------------------------------------------------------+------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the Customized | \<Enter Response       |
| Approach was used.                                                           | Here\>                 |
|                                                                              |                        |
| ***Note:** The use of Customized Approach must also be documented in         |                        |
| [Appendix E.](#appendix-e-customized-approach-template)*                     |                        |
+------------------------------------------------------------------------------+------------------------+
| **Validation Method -- Defined Approach**                                    |                        |
+------------------------------------------------------------------------------+------------------------+
| **Indicate** whether a Compensating Control was used:                        | ☐ Yes ☐ No             |
+------------------------------------------------------------------------------+------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement where the            | \<Enter Response       |
| Compensating Control(s) was used.                                            | Here\>                 |
|                                                                              |                        |
| ***Note:** The use of Compensating Controls must also be documented in       |                        |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*                  |                        |
+------------------------------------------------------------------------------+------------------------+

+----------------------------------------+----------------------------------------------+-----------------------+
| **Testing Procedures**                 | **Reporting Instructions**                   | **Reporting Details:  |
|                                        |                                              | Assessor's Response** |
+========================================+==============================================+=======================+
| **12.6.3.2** Examine security          | **Identify** the evidence reference          | \<Enter Response      |
| awareness training content to verify   | number(s) from                               | Here\>                |
| it includes awareness about acceptable | [Section 6](#evidence-assessment-workpapers) |                       |
| use of end-user technologies in        | for all **security awareness training        |                       |
| accordance with Requirement 12.2.1.    | content** examined for this testing          |                       |
|                                        | procedure.                                   |                       |
+----------------------------------------+----------------------------------------------+-----------------------+

+-----------------------------------------------------------------------+
| > **Requirement Description**                                         |
+=======================================================================+
| **12.7** Personnel are screened to reduce risks from insider threats. |
+-----------------------------------------------------------------------+

+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| > **PCI DSS Requirement**                                    |                                                |                           |                  |
+==============================================================+================================================+===========================+==================+
| **12.7.1** Potential personnel who will have access to the   |                                                |                           |                  |
| CDE are screened, within the constraints of local laws,      |                                                |                           |                  |
| prior to hire to minimize the risk of attacks from internal  |                                                |                           |                  |
| sources.                                                     |                                                |                           |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| > **Assessment Findings (select one)**                       |                                                |                           |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| **In Place**                                                 | **Not Applicable**                             | **Not Tested**            | **Not in Place** |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| ☐                                                            | ☐                                              | ☐                         | ☐                |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| Describe why the assessment finding was selected.            |                                                | \<Enter Response Here\>   |                  |
|                                                              |                                                |                           |                  |
| ***Note**: Include all details as noted in the "Required     |                                                |                           |                  |
| Reporting" column of the table in                            |                                                |                           |                  |
| [Assessment Findings](#assessment-findings) in the ROC       |                                                |                           |                  |
| Template Instructions.*                                      |                                                |                           |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| **Validation Method -- Customized Approach**                 |                                                |                           |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| **Indicate** whether a Customized Approach was used:         |                                                | ☐ Yes ☐ No                |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      |                                                | \<Enter Response Here\>   |                  |
| where the Customized Approach was used.                      |                                                |                           |                  |
|                                                              |                                                |                           |                  |
| ***Note:** The use of Customized Approach must also be       |                                                |                           |                  |
| documented in                                                |                                                |                           |                  |
| [Appendix E.](#appendix-e-customized-approach-template)*     |                                                |                           |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| **Validation Method -- Defined Approach**                    |                                                |                           |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| **Indicate** whether a Compensating Control was used:        |                                                | ☐ Yes ☐ No                |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      |                                                | \<Enter Response Here\>   |                  |
| where the Compensating Control(s) was used.                  |                                                |                           |                  |
|                                                              |                                                |                           |                  |
| ***Note:** The use of Compensating Controls must also be     |                                                |                           |                  |
| documented in                                                |                                                |                           |                  |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*  |                                                |                           |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| > **Testing Procedures**                                     | > **Reporting Instructions**                   | > **Reporting Details:    |                  |
|                                                              |                                                | > Assessor's Response**   |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| **12.7.1** Interview responsible Human Resource department   | **Identify** the evidence reference            | \<Enter Response Here\>   |                  |
| management to verify that screening is conducted, within the | number(s) from                                 |                           |                  |
| constraints of local laws, prior to hiring potential         | [Section 6](#evidence-assessment-workpapers)   |                           |                  |
| personnel who will have access to the CDE.                   | for all **interview(s)** conducted for this    |                           |                  |
|                                                              | testing procedure.                             |                           |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+

+-----------------------------------------------------------------------+
| > **Requirement Description** |
+=======================================================================+
| **12.8** Risk to information assets associated with third-party |
| service provider (TPSP) relationships is managed. |
+-----------------------------------------------------------------------+

+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| > **PCI DSS Requirement**                                    |                                                |                           |                  |
+==============================================================+================================================+===========================+==================+
| **12.8.1** A list of all third-party service providers       |                                                |                           |                  |
| (TPSPs) with which account data is shared or that could      |                                                |                           |                  |
| affect the security of account data is maintained, including |                                                |                           |                  |
| a description for each of the services provided.             |                                                |                           |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| > **Assessment Findings (select one)**                       |                                                |                           |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| **In Place**                                                 | **Not Applicable**                             | **Not Tested**            | **Not in Place** |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| ☐                                                            | ☐                                              | ☐                         | ☐                |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| Describe why the assessment finding was selected.            |                                                | \<Enter Response Here\>   |                  |
|                                                              |                                                |                           |                  |
| ***Note**: Include all details as noted in the "Required     |                                                |                           |                  |
| Reporting" column of the table in                            |                                                |                           |                  |
| [Assessment Findings](#assessment-findings) in the ROC       |                                                |                           |                  |
| Template Instructions.*                                      |                                                |                           |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| **Validation Method -- Customized Approach**                 |                                                |                           |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| **Indicate** whether a Customized Approach was used:         |                                                | ☐ Yes ☐ No                |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      |                                                | \<Enter Response Here\>   |                  |
| where the Customized Approach was used.                      |                                                |                           |                  |
|                                                              |                                                |                           |                  |
| ***Note:** The use of Customized Approach must also be       |                                                |                           |                  |
| documented in                                                |                                                |                           |                  |
| [Appendix E.](#appendix-e-customized-approach-template)*     |                                                |                           |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| **Validation Method -- Defined Approach**                    |                                                |                           |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| **Indicate** whether a Compensating Control was used:        |                                                | ☐ Yes ☐ No                |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      |                                                | \<Enter Response Here\>   |                  |
| where the Compensating Control(s) was used.                  |                                                |                           |                  |
|                                                              |                                                |                           |                  |
| ***Note:** The use of Compensating Controls must also be     |                                                |                           |                  |
| documented in                                                |                                                |                           |                  |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*  |                                                |                           |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| > **Testing Procedures**                                     | > **Reporting Instructions**                   | > **Reporting Details:    |                  |
|                                                              |                                                | > Assessor's Response**   |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| **12.8.1.a** Examine policies and procedures to verify that  | **Identify** the evidence reference            | \<Enter Response Here\>   |                  |
| processes are defined to maintain a list of TPSPs, including | number(s) from                                 |                           |                  |
| a description for each of the services provided, for all     | [Section 6](#evidence-assessment-workpapers)   |                           |                  |
| TPSPs with whom account data is shared or that could affect  | for all **policies and procedures** examined   |                           |                  |
| the security of account data.                                | for this testing procedure.                    |                           |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| **12.8.1.b** Examine documentation to verify that a list of  | **Identify** the evidence reference            | \<Enter Response Here\>   |                  |
| all TPSPs is maintained that includes a description of the   | number(s) from                                 |                           |                  |
| services provided.                                           | [Section 6](#evidence-assessment-workpapers)   |                           |                  |
|                                                              | for all **documentation** examined for this    |                           |                  |
|                                                              | testing procedure.                             |                           |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+

+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| > **PCI DSS Requirement**                                    |                                                |                           |                  |
+==============================================================+================================================+===========================+==================+
| **12.8.2** Written agreements with TPSPs are maintained as   |                                                |                           |                  |
| follows:                                                     |                                                |                           |                  |
|                                                              |                                                |                           |                  |
| - Written agreements are maintained with all TPSPs with      |                                                |                           |                  |
|   which account data is shared or that could affect the      |                                                |                           |                  |
|   security of the CDE.                                       |                                                |                           |                  |
|                                                              |                                                |                           |                  |
| - Written agreements include acknowledgments from TPSPs that |                                                |                           |                  |
|   they are responsible for the security of account data the  |                                                |                           |                  |
|   TPSPs possess or otherwise store, process, or transmit on  |                                                |                           |                  |
|   behalf of the entity, or to the extent that they could     |                                                |                           |                  |
|   impact the security of the entity's CDE.                   |                                                |                           |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| > **Assessment Findings (select one)**                       |                                                |                           |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| **In Place**                                                 | **Not Applicable**                             | **Not Tested**            | **Not in Place** |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| ☐                                                            | ☐                                              | ☐                         | ☐                |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| Describe why the assessment finding was selected.            |                                                | \<Enter Response Here\>   |                  |
|                                                              |                                                |                           |                  |
| ***Note**: Include all details as noted in the "Required     |                                                |                           |                  |
| Reporting" column of the table in                            |                                                |                           |                  |
| [Assessment Findings](#assessment-findings) in the ROC       |                                                |                           |                  |
| Template Instructions.*                                      |                                                |                           |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| **Validation Method -- Customized Approach**                 |                                                |                           |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| **Indicate** whether a Customized Approach was used:         |                                                | ☐ Yes ☐ No                |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      |                                                | \<Enter Response Here\>   |                  |
| where the Customized Approach was used.                      |                                                |                           |                  |
|                                                              |                                                |                           |                  |
| ***Note:** The use of Customized Approach must also be       |                                                |                           |                  |
| documented in                                                |                                                |                           |                  |
| [Appendix E.](#appendix-e-customized-approach-template)*     |                                                |                           |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+

+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| **Validation Method -- Defined Approach**                    |                                                |                           |                  |
+==============================================================+================================================+===========================+==================+
| **Indicate** whether a Compensating Control was used:        |                                                | ☐ Yes ☐ No                |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      |                                                | \<Enter Response Here\>   |                  |
| where the Compensating Control(s) was used.                  |                                                |                           |                  |
|                                                              |                                                |                           |                  |
| ***Note:** The use of Compensating Controls must also be     |                                                |                           |                  |
| documented in                                                |                                                |                           |                  |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*  |                                                |                           |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| > **Testing Procedures**                                     | > **Reporting Instructions**                   | > **Reporting Details:    |                  |
|                                                              |                                                | > Assessor's Response**   |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| **12.8.2.a** Examine policies and procedures to verify that  | **Identify** the evidence reference            | \<Enter Response Here\>   |                  |
| processes are defined to maintain written agreements with    | number(s) from                                 |                           |                  |
| all TPSPs in accordance with all elements specified in this  | [Section 6](#evidence-assessment-workpapers)   |                           |                  |
| requirement.                                                 | for all **policies and procedures** examined   |                           |                  |
|                                                              | for this testing procedure.                    |                           |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| **12.8.2.b** Examine written agreements with TPSPs to verify | **Identify** the evidence reference            | \<Enter Response Here\>   |                  |
| they are maintained in accordance with all elements as       | number(s) from                                 |                           |                  |
| specified in this requirement.                               | [Section 6](#evidence-assessment-workpapers)   |                           |                  |
|                                                              | for all **written agreements** examined for    |                           |                  |
|                                                              | this testing procedure.                        |                           |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+

+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| > **PCI DSS Requirement**                                    |                                                |                           |                  |
+==============================================================+================================================+===========================+==================+
| **12.8.3** An established process is implemented for         |                                                |                           |                  |
| engaging TPSPs, including proper due diligence prior to      |                                                |                           |                  |
| engagement.                                                  |                                                |                           |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| > **Assessment Findings (select one)**                       |                                                |                           |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| **In Place**                                                 | **Not Applicable**                             | **Not Tested**            | **Not in Place** |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| ☐                                                            | ☐                                              | ☐                         | ☐                |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| Describe why the assessment finding was selected.            |                                                | \<Enter Response Here\>   |                  |
|                                                              |                                                |                           |                  |
| ***Note**: Include all details as noted in the "Required     |                                                |                           |                  |
| Reporting" column of the table in                            |                                                |                           |                  |
| [Assessment Findings](#assessment-findings) in the ROC       |                                                |                           |                  |
| Template Instructions.*                                      |                                                |                           |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| **Validation Method -- Customized Approach**                 |                                                |                           |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| **Indicate** whether a Customized Approach was used:         |                                                | ☐ Yes ☐ No                |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      |                                                | \<Enter Response Here\>   |                  |
| where the Customized Approach was used.                      |                                                |                           |                  |
|                                                              |                                                |                           |                  |
| ***Note:** The use of Customized Approach must also be       |                                                |                           |                  |
| documented in                                                |                                                |                           |                  |
| [Appendix E.](#appendix-e-customized-approach-template)*     |                                                |                           |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| **Validation Method -- Defined Approach**                    |                                                |                           |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| **Indicate** whether a Compensating Control was used:        |                                                | ☐ Yes ☐ No                |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      |                                                | \<Enter Response Here\>   |                  |
| where the Compensating Control(s) was used.                  |                                                |                           |                  |
|                                                              |                                                |                           |                  |
| ***Note:** The use of Compensating Controls must also be     |                                                |                           |                  |
| documented in                                                |                                                |                           |                  |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*  |                                                |                           |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| > **Testing Procedures**                                     | > **Reporting Instructions**                   | > **Reporting Details:    |                  |
|                                                              |                                                | > Assessor's Response**   |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| **12.8.3.a** Examine policies and procedures to verify that  | **Identify** the evidence reference            | \<Enter Response Here\>   |                  |
| processes are defined for engaging TPSPs, including proper   | number(s) from                                 |                           |                  |
| due diligence prior to engagement.                           | [Section 6](#evidence-assessment-workpapers)   |                           |                  |
|                                                              | for all **policies and procedures** examined   |                           |                  |
|                                                              | for this testing procedure.                    |                           |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| **12.8.3.b** Examine evidence and interview responsible      | **Identify** the evidence reference            | \<Enter Response Here\>   |                  |
| personnel to verify the process for engaging TPSPs includes  | number(s) from                                 |                           |                  |
| proper due diligence prior to engagement.                    | [Section 6](#evidence-assessment-workpapers)   |                           |                  |
|                                                              | for all **evidence** examined for this         |                           |                  |
|                                                              | testing procedure.                             |                           |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
|                                                              | **Identify** the evidence reference            | \<Enter Response Here\>   |                  |
|                                                              | number(s) from                                 |                           |                  |
|                                                              | [Section 6](#evidence-assessment-workpapers)   |                           |                  |
|                                                              | for all **interview(s)** conducted for this    |                           |                  |
|                                                              | testing procedure.                             |                           |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+

+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| > **PCI DSS Requirement**                                    |                                                |                           |                  |
+==============================================================+================================================+===========================+==================+
| **12.8.4** A program is implemented to monitor TPSPs' PCI    |                                                |                           |                  |
| DSS compliance status at least once every 12 months.         |                                                |                           |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| > **Assessment Findings (select one)**                       |                                                |                           |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| **In Place**                                                 | **Not Applicable**                             | **Not Tested**            | **Not in Place** |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| ☐                                                            | ☐                                              | ☐                         | ☐                |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| Describe why the assessment finding was selected.            |                                                | \<Enter Response Here\>   |                  |
|                                                              |                                                |                           |                  |
| ***Note**: Include all details as noted in the "Required     |                                                |                           |                  |
| Reporting" column of the table in                            |                                                |                           |                  |
| [Assessment Findings](#assessment-findings) in the ROC       |                                                |                           |                  |
| Template Instructions.*                                      |                                                |                           |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| **Validation Method -- Customized Approach**                 |                                                |                           |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| **Indicate** whether a Customized Approach was used:         |                                                | ☐ Yes ☐ No                |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      |                                                | \<Enter Response Here\>   |                  |
| where the Customized Approach was used.                      |                                                |                           |                  |
|                                                              |                                                |                           |                  |
| ***Note:** The use of Customized Approach must also be       |                                                |                           |                  |
| documented in                                                |                                                |                           |                  |
| [Appendix E.](#appendix-e-customized-approach-template)*     |                                                |                           |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| **Validation Method -- Defined Approach**                    |                                                |                           |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| **Indicate** whether a Compensating Control was used:        |                                                | ☐ Yes ☐ No                |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      |                                                | \<Enter Response Here\>   |                  |
| where the Compensating Control(s) was used.                  |                                                |                           |                  |
|                                                              |                                                |                           |                  |
| ***Note:** The use of Compensating Controls must also be     |                                                |                           |                  |
| documented in                                                |                                                |                           |                  |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*  |                                                |                           |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| > **Testing Procedures**                                     | > **Reporting Instructions**                   | > **Reporting Details:    |                  |
|                                                              |                                                | > Assessor's Response**   |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| **12.8.4.a** Examine policies and procedures to verify that  | **Identify** the evidence reference            | \<Enter Response Here\>   |                  |
| processes are defined to monitor TPSPs' PCI DSS compliance   | number(s) from                                 |                           |                  |
| status at least once every 12 months.                        | [Section 6](#evidence-assessment-workpapers)   |                           |                  |
|                                                              | for all **policies and procedures** examined   |                           |                  |
|                                                              | for this testing procedure.                    |                           |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| **12.8.4.b** Examine documentation and interview responsible | **Identify** the evidence reference            | \<Enter Response Here\>   |                  |
| personnel to verify that the PCI DSS compliance status of    | number(s) from                                 |                           |                  |
| each TPSP is monitored at least once every 12 months.        | [Section 6](#evidence-assessment-workpapers)   |                           |                  |
|                                                              | for all **documentation** examined for this    |                           |                  |
|                                                              | testing procedure.                             |                           |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
|                                                              | **Identify** the evidence reference            | \<Enter Response Here\>   |                  |
|                                                              | number(s) from                                 |                           |                  |
|                                                              | [Section 6](#evidence-assessment-workpapers)   |                           |                  |
|                                                              | for all **interview(s)** conducted for this    |                           |                  |
|                                                              | testing procedure.                             |                           |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+

+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| > **PCI DSS Requirement**                                    |                                                |                           |                  |
+==============================================================+================================================+===========================+==================+
| **12.8.5** Information is maintained about which PCI DSS     |                                                |                           |                  |
| requirements are managed by each TPSP, which are managed by  |                                                |                           |                  |
| the entity, and any that are shared between the TPSP and the |                                                |                           |                  |
| entity.                                                      |                                                |                           |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| > **Assessment Findings (select one)**                       |                                                |                           |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| **In Place**                                                 | **Not Applicable**                             | **Not Tested**            | **Not in Place** |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| ☐                                                            | ☐                                              | ☐                         | ☐                |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| Describe why the assessment finding was selected.            |                                                | \<Enter Response Here\>   |                  |
|                                                              |                                                |                           |                  |
| ***Note**: Include all details as noted in the "Required     |                                                |                           |                  |
| Reporting" column of the table in                            |                                                |                           |                  |
| [Assessment Findings](#assessment-findings) in the ROC       |                                                |                           |                  |
| Template Instructions.*                                      |                                                |                           |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| **Validation Method -- Customized Approach**                 |                                                |                           |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| **Indicate** whether a Customized Approach was used:         |                                                | ☐ Yes ☐ No                |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      |                                                | \<Enter Response Here\>   |                  |
| where the Customized Approach was used.                      |                                                |                           |                  |
|                                                              |                                                |                           |                  |
| ***Note:** The use of Customized Approach must also be       |                                                |                           |                  |
| documented in                                                |                                                |                           |                  |
| [Appendix E.](#appendix-e-customized-approach-template)*     |                                                |                           |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+

+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| **Validation Method -- Defined Approach**                    |                                                |                           |                  |
+==============================================================+================================================+===========================+==================+
| **Indicate** whether a Compensating Control was used:        |                                                | ☐ Yes ☐ No                |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      |                                                | \<Enter Response Here\>   |                  |
| where the Compensating Control(s) was used.                  |                                                |                           |                  |
|                                                              |                                                |                           |                  |
| ***Note:** The use of Compensating Controls must also be     |                                                |                           |                  |
| documented in                                                |                                                |                           |                  |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*  |                                                |                           |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| > **Testing Procedures**                                     | > **Reporting Instructions**                   | > **Reporting Details:    |                  |
|                                                              |                                                | > Assessor's Response**   |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| **12.8.5.a** Examine policies and procedures to verify that  | **Identify** the evidence reference            | \<Enter Response Here\>   |                  |
| processes are defined to maintain information about which    | number(s) from                                 |                           |                  |
| PCI DSS requirements are managed by each TPSP, which are     | [Section 6](#evidence-assessment-workpapers)   |                           |                  |
| managed by the entity, and any that are shared between both  | for all **policies and procedures** examined   |                           |                  |
| the TPSP and the entity.                                     | for this testing procedure.                    |                           |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
| **12.8.5.b** Examine documentation and interview personnel   | **Identify** the evidence reference            | \<Enter Response Here\>   |                  |
| to verify the entity maintains information about which PCI   | number(s) from                                 |                           |                  |
| DSS requirements are managed by each TPSP, which are managed | [Section 6](#evidence-assessment-workpapers)   |                           |                  |
| by the entity, and any that are shared between both          | for all **documentation** examined for this    |                           |                  |
| entities.                                                    | testing procedure.                             |                           |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+
|                                                              | **Identify** the evidence reference            | \<Enter Response Here\>   |                  |
|                                                              | number(s) from                                 |                           |                  |
|                                                              | [Section 6](#evidence-assessment-workpapers)   |                           |                  |
|                                                              | for all **interview(s)** conducted for this    |                           |                  |
|                                                              | testing procedure.                             |                           |                  |
+--------------------------------------------------------------+------------------------------------------------+---------------------------+------------------+

+-----------------------------------------------------------------------+
| > **Requirement Description** |
+=======================================================================+
| **12.9** Third-party service providers (TPSPs) support their |
| customers' PCI DSS compliance. |
+-----------------------------------------------------------------------+
| > **PCI DSS Requirement** |
+-----------------------------------------------------------------------+
| **12.9.1 *Additional requirement for service providers only:*** TPSPs |
| acknowledge in writing to customers that they are responsible for the |
| security of account data the TPSP possesses or otherwise stores, |
| processes, or transmits on behalf of the customer, or to the extent |
| that they could impact the security of the customer's CDE. |
+-----------------------------------------------------------------------+
+------------------------------------------+-----------------------+-----------------------+-----------------------+
| > **Assessment Findings (select one)**   |                       |                       |                       |
+==========================================+=======================+=======================+=======================+
| **In Place**                             | **Not Applicable**    | **Not Tested**        | **Not in Place**      |
+------------------------------------------+-----------------------+-----------------------+-----------------------+
| ☐                                        | ☐                     | ☐                     | ☐                     |
+------------------------------------------+-----------------------+-----------------------+-----------------------+

+--------------------------------------------------------------+---------------------------------------------------+
| Describe why the assessment finding was selected.            | \<Enter Response Here\>                           |
|                                                              |                                                   |
| ***Note**: Include all details as noted in the "Required     |                                                   |
| Reporting" column of the table in [Assessment                |                                                   |
| Findings](#assessment-findings) in the ROC Template          |                                                   |
| Instructions.*                                               |                                                   |
+--------------------------------------------------------------+---------------------------------------------------+
| **Validation Method -- Customized Approach**                 |                                                   |
+--------------------------------------------------------------+---------------------------------------------------+
| **Indicate** whether a Customized Approach was used:         | ☐ Yes ☐ No                                        |
+--------------------------------------------------------------+---------------------------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>                           |
| where the Customized Approach was used.                      |                                                   |
|                                                              |                                                   |
| ***Note:** The use of Customized Approach must also be       |                                                   |
| documented in                                                |                                                   |
| [Appendix E.](#appendix-e-customized-approach-template)*     |                                                   |
+--------------------------------------------------------------+---------------------------------------------------+
| **Validation Method -- Defined Approach**                    |                                                   |
+--------------------------------------------------------------+---------------------------------------------------+
| **Indicate** whether a Compensating Control was used:        | ☐ Yes ☐ No                                        |
+--------------------------------------------------------------+---------------------------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>                           |
| where the Compensating Control(s) was used.                  |                                                   |
|                                                              |                                                   |
| ***Note:** The use of Compensating Controls must also be     |                                                   |
| documented in                                                |                                                   |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*  |                                                   |
+--------------------------------------------------------------+---------------------------------------------------+

+------------------------------+----------------------------------------------------+------------------------------+
| > **Testing Procedures**     | > **Reporting Instructions**                       | > **Reporting Details:       |
|                              |                                                    | > Assessor's Response**      |
+==============================+====================================================+==============================+
| **12.9.1 *Additional testing | **Identify** the evidence reference number(s) from | \<Enter Response Here\>      |
| procedure for service        | [Section 6](#evidence-assessment-workpapers) for   |                              |
| provider assessments         | all **TPSP policies, procedures, and templates     |                              |
| only:*** Examine TPSP        | used for written agreements** examined for this    |                              |
| policies, procedures, and    | testing procedure.                                 |                              |
| templates used for written   |                                                    |                              |
| agreements to verify         |                                                    |                              |
| processes are defined for    |                                                    |                              |
| the TPSP to provide written  |                                                    |                              |
| acknowledgments to customers |                                                    |                              |
| in accordance with all       |                                                    |                              |
| elements specified in this   |                                                    |                              |
| requirement.                 |                                                    |                              |
+------------------------------+----------------------------------------------------+------------------------------+

+-----------------------------------------------------------------------+
| > **PCI DSS Requirement**                                             |
+-----------------------------------------------------------------------+
| **12.9.2 *Additional requirement for service providers only:*** TPSPs |
| support their customers' requests for information to meet             |
| Requirements 12.8.4 and 12.8.5 by providing the following upon        |
| customer request:                                                     |
|                                                                       |
| - PCI DSS compliance status information for any service the TPSP      |
|   performs on behalf of customers (Requirement 12.8.4).               |
|                                                                       |
| - Information about which PCI DSS requirements are the                |
|   responsibility of the TPSP and which are the responsibility of      |
|   the customer, including any shared responsibilities                 |
|   (Requirement 12.8.5).                                               |
+-----------------------------------------------------------------------+
+------------------------------------------+-----------------------+-----------------------+-----------------------+
| > **Assessment Findings (select one)**   |                       |                       |                       |
+==========================================+=======================+=======================+=======================+
| **In Place**                             | **Not Applicable**    | **Not Tested**        | **Not in Place**      |
+------------------------------------------+-----------------------+-----------------------+-----------------------+
| ☐                                        | ☐                     | ☐                     | ☐                     |
+------------------------------------------+-----------------------+-----------------------+-----------------------+

+--------------------------------------------------------------+---------------------------------------------------+
| Describe why the assessment finding was selected.            | \<Enter Response Here\>                           |
|                                                              |                                                   |
| ***Note**: Include all details as noted in the "Required     |                                                   |
| Reporting" column of the table in [Assessment                |                                                   |
| Findings](#assessment-findings) in the ROC Template          |                                                   |
| Instructions.*                                               |                                                   |
+--------------------------------------------------------------+---------------------------------------------------+
| **Validation Method -- Customized Approach**                 |                                                   |
+--------------------------------------------------------------+---------------------------------------------------+
| **Indicate** whether a Customized Approach was used:         | ☐ Yes ☐ No                                        |
+--------------------------------------------------------------+---------------------------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>                           |
| where the Customized Approach was used.                      |                                                   |
|                                                              |                                                   |
| ***Note:** The use of Customized Approach must also be       |                                                   |
| documented in                                                |                                                   |
| [Appendix E.](#appendix-e-customized-approach-template)*     |                                                   |
+--------------------------------------------------------------+---------------------------------------------------+
| **Validation Method -- Defined Approach**                    |                                                   |
+--------------------------------------------------------------+---------------------------------------------------+
| **Indicate** whether a Compensating Control was used:        | ☐ Yes ☐ No                                        |
+--------------------------------------------------------------+---------------------------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>                           |
| where the Compensating Control(s) was used.                  |                                                   |
|                                                              |                                                   |
| ***Note:** The use of Compensating Controls must also be     |                                                   |
| documented in                                                |                                                   |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*  |                                                   |
+--------------------------------------------------------------+---------------------------------------------------+
+------------------------------+----------------------------------------------------+------------------------------+
| > **Testing Procedures**     | > **Reporting Instructions**                       | > **Reporting Details:       |
|                              |                                                    | > Assessor's Response**      |
+==============================+====================================================+==============================+
| **12.9.2 *Additional testing | **Identify** the evidence reference number(s) from | \<Enter Response Here\>      |
| procedure for service        | [Section 6](#evidence-assessment-workpapers) for   |                              |
| provider assessments         | all **policies and procedures** examined for this  |                              |
| only:*** Examine policies    | testing procedure.                                 |                              |
| and procedures to verify     |                                                    |                              |
| processes are defined for    |                                                    |                              |
| the TPSPs to support         |                                                    |                              |
| customers' request for       |                                                    |                              |
| information to meet          |                                                    |                              |
| Requirements 12.8.4 and      |                                                    |                              |
| 12.8.5 in accordance with    |                                                    |                              |
| all elements specified in    |                                                    |                              |
| this requirement.            |                                                    |                              |
+------------------------------+----------------------------------------------------+------------------------------+
+-----------------------------------------------------------------------+
| > **Requirement Description** |
+=======================================================================+
| **12.10** Suspected and confirmed security incidents that could |
| impact the CDE are responded to immediately. |
+-----------------------------------------------------------------------+
| > **PCI DSS Requirement** |
+-----------------------------------------------------------------------+
| **12.10.1** An incident response plan exists and is ready to be       |
| activated in the event of a suspected or confirmed security incident. |
| The plan includes, but is not limited to:                             |
|                                                                       |
| - Roles, responsibilities, and communication and contact strategies   |
|   in the event of a suspected or confirmed security incident,         |
|   including notification of payment brands and acquirers, at a        |
|   minimum.                                                            |
|                                                                       |
| - Incident response procedures with specific containment and          |
|   mitigation activities for different types of incidents.             |
|                                                                       |
| - Business recovery and continuity procedures.                        |
|                                                                       |
| - Data backup processes.                                              |
|                                                                       |
| - Analysis of legal requirements for reporting compromises.           |
|                                                                       |
| - Coverage and responses of all critical system components.           |
|                                                                       |
| - Reference or inclusion of incident response procedures from the     |
|   payment brands.                                                     |
+-----------------------------------------------------------------------+
+------------------------------------------+-----------------------+-----------------------+-----------------------+
| > **Assessment Findings (select one)**   |                       |                       |                       |
+==========================================+=======================+=======================+=======================+
| **In Place**                             | **Not Applicable**    | **Not Tested**        | **Not in Place**      |
+------------------------------------------+-----------------------+-----------------------+-----------------------+
| ☐                                        | ☐                     | ☐                     | ☐                     |
+------------------------------------------+-----------------------+-----------------------+-----------------------+

+--------------------------------------------------------------+---------------------------------------------------+
| Describe why the assessment finding was selected.            | \<Enter Response Here\>                           |
|                                                              |                                                   |
| ***Note**: Include all details as noted in the "Required     |                                                   |
| Reporting" column of the table in [Assessment                |                                                   |
| Findings](#assessment-findings) in the ROC Template          |                                                   |
| Instructions.*                                               |                                                   |
+--------------------------------------------------------------+---------------------------------------------------+
| **Validation Method -- Customized Approach**                 |                                                   |
+--------------------------------------------------------------+---------------------------------------------------+
| **Indicate** whether a Customized Approach was used:         | ☐ Yes ☐ No                                        |
+--------------------------------------------------------------+---------------------------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>                           |
| where the Customized Approach was used.                      |                                                   |
|                                                              |                                                   |
| ***Note:** The use of Customized Approach must also be       |                                                   |
| documented in                                                |                                                   |
| [Appendix E.](#appendix-e-customized-approach-template)*     |                                                   |
+--------------------------------------------------------------+---------------------------------------------------+
| **Validation Method -- Defined Approach**                    |                                                   |
+--------------------------------------------------------------+---------------------------------------------------+
| **Indicate** whether a Compensating Control was used:        | ☐ Yes ☐ No                                        |
+--------------------------------------------------------------+---------------------------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>                           |
| where the Compensating Control(s) was used.                  |                                                   |
|                                                              |                                                   |
| ***Note:** The use of Compensating Controls must also be     |                                                   |
| documented in                                                |                                                   |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*  |                                                   |
+--------------------------------------------------------------+---------------------------------------------------+

+------------------------------+----------------------------------------------------+------------------------------+
| > **Testing Procedures**     | > **Reporting Instructions**                       | > **Reporting Details:       |
|                              |                                                    | > Assessor's Response**      |
+==============================+====================================================+==============================+
| **12.10.1.a** Examine the    | **Identify** the evidence reference number(s) from | \<Enter Response Here\>      |
| incident response plan to    | [Section 6](#evidence-assessment-workpapers) for   |                              |
| verify that the plan exists  | all **incident response plans** examined for this  |                              |
| and includes at least the    | testing procedure.                                 |                              |
| elements specified in this   |                                                    |                              |
| requirement.                 |                                                    |                              |
+------------------------------+----------------------------------------------------+------------------------------+
| **12.10.1.b** Interview      | **Identify** the evidence reference number(s) from | \<Enter Response Here\>      |
| personnel and examine        | [Section 6](#evidence-assessment-workpapers) for   |                              |
| documentation from           | all **interview(s)** conducted for this testing    |                              |
| previously reported          | procedure.                                         |                              |
| incidents or alerts to       |                                                    |                              |
| verify that the documented   |                                                    |                              |
| incident response plan and   |                                                    |                              |
| procedures were followed.    |                                                    |                              |
+------------------------------+----------------------------------------------------+------------------------------+
|                              | **Identify** the evidence reference number(s) from | \<Enter Response Here\>      |
|                              | [Section 6](#evidence-assessment-workpapers) for   |                              |
|                              | all **documentation** examined for this testing    |                              |
|                              | procedure.                                         |                              |
+------------------------------+----------------------------------------------------+------------------------------+

+-----------------------------------------------------------------------+
| > **PCI DSS Requirement**                                             |
+-----------------------------------------------------------------------+
| **12.10.2** At least once every 12 months, the security incident      |
| response plan is:                                                     |
|                                                                       |
| - Reviewed and the content is updated as needed.                      |
|                                                                       |
| - Tested, including all elements listed in Requirement 12.10.1.       |
+-----------------------------------------------------------------------+

+------------------------------------------+-----------------------+-----------------------+-----------------------+
| > **Assessment Findings (select one)**   |                       |                       |                       |
+==========================================+=======================+=======================+=======================+
| **In Place**                             | **Not Applicable**    | **Not Tested**        | **Not in Place**      |
+------------------------------------------+-----------------------+-----------------------+-----------------------+
| ☐                                        | ☐                     | ☐                     | ☐                     |
+------------------------------------------+-----------------------+-----------------------+-----------------------+

+--------------------------------------------------------------+---------------------------------------------------+
| Describe why the assessment finding was selected.            | \<Enter Response Here\>                           |
|                                                              |                                                   |
| ***Note**: Include all details as noted in the "Required     |                                                   |
| Reporting" column of the table in [Assessment                |                                                   |
| Findings](#assessment-findings) in the ROC Template          |                                                   |
| Instructions.*                                               |                                                   |
+--------------------------------------------------------------+---------------------------------------------------+
+--------------------------------------------------------------+---------------------------------------------------+
| **Validation Method -- Customized Approach**                 |                                                   |
+==============================================================+===================================================+
| **Indicate** whether a Customized Approach was used:         | ☐ Yes ☐ No                                        |
+--------------------------------------------------------------+---------------------------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>                           |
| where the Customized Approach was used.                      |                                                   |
|                                                              |                                                   |
| ***Note:** The use of Customized Approach must also be       |                                                   |
| documented in                                                |                                                   |
| [Appendix E.](#appendix-e-customized-approach-template)*     |                                                   |
+--------------------------------------------------------------+---------------------------------------------------+
| **Validation Method -- Defined Approach**                    |                                                   |
+--------------------------------------------------------------+---------------------------------------------------+
| **Indicate** whether a Compensating Control was used:        | ☐ Yes ☐ No                                        |
+--------------------------------------------------------------+---------------------------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>                           |
| where the Compensating Control(s) was used.                  |                                                   |
|                                                              |                                                   |
| ***Note:** The use of Compensating Controls must also be     |                                                   |
| documented in                                                |                                                   |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*  |                                                   |
+--------------------------------------------------------------+---------------------------------------------------+

+------------------------------+----------------------------------------------------+------------------------------+
| > **Testing Procedures**     | > **Reporting Instructions**                       | > **Reporting Details:       |
|                              |                                                    | > Assessor's Response**      |
+==============================+====================================================+==============================+
| **12.10.2** Interview        | **Identify** the evidence reference number(s) from | \<Enter Response Here\>      |
| personnel and review         | [Section 6](#evidence-assessment-workpapers) for   |                              |
| documentation to verify      | all **interview(s)** conducted for this testing    |                              |
| that, at least once every 12 | procedure.                                         |                              |
| months, the security         |                                                    |                              |
| incident response plan is:   |                                                    |                              |
|                              |                                                    |                              |
| - Reviewed and updated as    |                                                    |                              |
|   needed.                    |                                                    |                              |
|                              |                                                    |                              |
| - Tested, including all      |                                                    |                              |
|   elements listed in         |                                                    |                              |
|   Requirement 12.10.1.       |                                                    |                              |
+------------------------------+----------------------------------------------------+------------------------------+
|                              | **Identify** the evidence reference number(s) from | \<Enter Response Here\>      |
|                              | [Section 6](#evidence-assessment-workpapers) for   |                              |
|                              | all **documentation** examined for this testing    |                              |
|                              | procedure.                                         |                              |
+------------------------------+----------------------------------------------------+------------------------------+
+-----------------------------------------------------------------------+
| > **PCI DSS Requirement**                                             |
+-----------------------------------------------------------------------+
| **12.10.3** Specific personnel are designated to be available on a    |
| 24/7 basis to respond to suspected or confirmed security incidents.   |
+-----------------------------------------------------------------------+

+------------------------------------------+-----------------------+-----------------------+-----------------------+
| > **Assessment Findings (select one)**   |                       |                       |                       |
+==========================================+=======================+=======================+=======================+
| **In Place**                             | **Not Applicable**    | **Not Tested**        | **Not in Place**      |
+------------------------------------------+-----------------------+-----------------------+-----------------------+
| ☐                                        | ☐                     | ☐                     | ☐                     |
+------------------------------------------+-----------------------+-----------------------+-----------------------+

+--------------------------------------------------------------+---------------------------------------------------+
| Describe why the assessment finding was selected.            | \<Enter Response Here\>                           |
|                                                              |                                                   |
| ***Note**: Include all details as noted in the "Required     |                                                   |
| Reporting" column of the table in [Assessment                |                                                   |
| Findings](#assessment-findings) in the ROC Template          |                                                   |
| Instructions.*                                               |                                                   |
+--------------------------------------------------------------+---------------------------------------------------+
| **Validation Method -- Customized Approach**                 |                                                   |
+--------------------------------------------------------------+---------------------------------------------------+
| **Indicate** whether a Customized Approach was used:         | ☐ Yes ☐ No                                        |
+--------------------------------------------------------------+---------------------------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>                           |
| where the Customized Approach was used.                      |                                                   |
|                                                              |                                                   |
| ***Note:** The use of Customized Approach must also be       |                                                   |
| documented in                                                |                                                   |
| [Appendix E.](#appendix-e-customized-approach-template)*     |                                                   |
+--------------------------------------------------------------+---------------------------------------------------+
| **Validation Method -- Defined Approach**                    |                                                   |
+--------------------------------------------------------------+---------------------------------------------------+
| **Indicate** whether a Compensating Control was used:        | ☐ Yes ☐ No                                        |
+--------------------------------------------------------------+---------------------------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>                           |
| where the Compensating Control(s) was used.                  |                                                   |
|                                                              |                                                   |
| ***Note:** The use of Compensating Controls must also be     |                                                   |
| documented in                                                |                                                   |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*  |                                                   |
+--------------------------------------------------------------+---------------------------------------------------+

+------------------------------+----------------------------------------------------+------------------------------+
| > **Testing Procedures**     | > **Reporting Instructions**                       | > **Reporting Details:       |
|                              |                                                    | > Assessor's Response**      |
+==============================+====================================================+==============================+
| **12.10.3** Examine          | **Identify** the evidence reference number(s) from | \<Enter Response Here\>      |
| documentation and interview  | [Section 6](#evidence-assessment-workpapers) for   |                              |
| responsible personnel        | all **documentation** examined for this testing    |                              |
| occupying designated roles   | procedure.                                         |                              |
| to verify that specific      |                                                    |                              |
| personnel are designated to  |                                                    |                              |
| be available on a 24/7 basis |                                                    |                              |
| to respond to security       |                                                    |                              |
| incidents.                   |                                                    |                              |
+------------------------------+----------------------------------------------------+------------------------------+
|                              | **Identify** the evidence reference number(s) from | \<Enter Response Here\>      |
|                              | [Section 6](#evidence-assessment-workpapers) for   |                              |
|                              | all **interview(s)** conducted for this testing    |                              |
|                              | procedure.                                         |                              |
+------------------------------+----------------------------------------------------+------------------------------+

+-----------------------------------------------------------------------+
| > **PCI DSS Requirement**                                             |
+-----------------------------------------------------------------------+
| **12.10.4** Personnel responsible for responding to suspected and     |
| confirmed security incidents are appropriately and periodically       |
| trained on their incident response responsibilities.                  |
+-----------------------------------------------------------------------+

+------------------------------------------+-----------------------+-----------------------+-----------------------+
| > **Assessment Findings (select one)**   |                       |                       |                       |
+==========================================+=======================+=======================+=======================+
| **In Place**                             | **Not Applicable**    | **Not Tested**        | **Not in Place**      |
+------------------------------------------+-----------------------+-----------------------+-----------------------+
| ☐                                        | ☐                     | ☐                     | ☐                     |
+------------------------------------------+-----------------------+-----------------------+-----------------------+

+--------------------------------------------------------------+---------------------------------------------------+
| Describe why the assessment finding was selected.            | \<Enter Response Here\>                           |
|                                                              |                                                   |
| ***Note**: Include all details as noted in the "Required     |                                                   |
| Reporting" column of the table in [Assessment                |                                                   |
| Findings](#assessment-findings) in the ROC Template          |                                                   |
| Instructions.*                                               |                                                   |
+--------------------------------------------------------------+---------------------------------------------------+
| **Validation Method -- Customized Approach**                 |                                                   |
+--------------------------------------------------------------+---------------------------------------------------+
| **Indicate**, whether a Customized Approach was used:        | ☐ Yes ☐ No                                        |
+--------------------------------------------------------------+---------------------------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>                           |
| where the Customized Approach was used.                      |                                                   |
|                                                              |                                                   |
| ***Note:** The use of Customized Approach must also be       |                                                   |
| documented in                                                |                                                   |
| [Appendix E.](#appendix-e-customized-approach-template)*     |                                                   |
+--------------------------------------------------------------+---------------------------------------------------+
+--------------------------------------------------------------+---------------------------------------------------+
| **Validation Method -- Defined Approach**                    |                                                   |
+==============================================================+===================================================+
| **Indicate** whether a Compensating Control was used:        | ☐ Yes ☐ No                                        |
+--------------------------------------------------------------+---------------------------------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>                           |
| where the Compensating Control(s) was used.                  |                                                   |
|                                                              |                                                   |
| ***Note:** The use of Compensating Controls must also be     |                                                   |
| documented in                                                |                                                   |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*  |                                                   |
+--------------------------------------------------------------+---------------------------------------------------+

+------------------------------+----------------------------------------------------+------------------------------+
| > **Testing Procedures**     | > **Reporting Instructions**                       | > **Reporting Details:       |
|                              |                                                    | > Assessor's Response**      |
+==============================+====================================================+==============================+
| **12.10.4** Examine training | **Identify** the evidence reference number(s) from | \<Enter Response Here\>      |
| documentation and interview  | [Section 6](#evidence-assessment-workpapers) for   |                              |
| incident response personnel  | all **documentation** examined for this testing    |                              |
| to verify that personnel are | procedure.                                         |                              |
| appropriately and            |                                                    |                              |
| periodically trained on      |                                                    |                              |
| their incident response      |                                                    |                              |
| responsibilities.            |                                                    |                              |
+------------------------------+----------------------------------------------------+------------------------------+
|                              | **Identify** the evidence reference number(s) from | \<Enter Response Here\>      |
|                              | [Section 6](#evidence-assessment-workpapers) for   |                              |
|                              | all **interview(s)** conducted for this testing    |                              |
|                              | procedure.                                         |                              |
+------------------------------+----------------------------------------------------+------------------------------+
+-----------------+----------------+---+--------------+-----------------+
| **PCI DSS | | | | |
| Requirement** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **12.10.4.1** | | | | |
| The frequency | | | | |
| of periodic | | | | |
| training for | | | | |
| incident | | | | |
| response | | | | |
| personnel is | | | | |
| defined in the | | | | |
| entity's | | | | |
| targeted risk | | | | |
| analysis, which | | | | |
| is performed | | | | |
| according to | | | | |
| all elements | | | | |
| specified in | | | | |
| Requirement | | | | |
| 12.3.1. | | | | |
| | | | | |
| ***Note:** This | | | | |
| requirement is | | | | |
| a **best | | | | |
| practice** | | | | |
| until **31 | | | | |
| March 2025**, | | | | |
| after which it | | | | |
| will be | | | | |
| required and | | | | |
| must be fully | | | | |
| considered | | | | |
| during a PCI | | | | |
| DSS | | | | |
| assessment.* | | | | |
+-----------------+----------------+---+--------------+-----------------+
| > **Assessment | | | | |
| > Findings | | | | |
| > (select | | | | |
| > one)** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **In Place** | **Not | * | | **Not in |
| | Applicable** | * | | Place** |
| | | N | | |
| | | o | | |
| | | t | | |
| | | T | | |
| | | e | | |
| | | s | | |
| | | t | | |
| | | e | | |
| | | d | | |
| | | * | | |
| | | * | | |
+-----------------+----------------+---+--------------+-----------------+
| ☐ | ☐ | ☐ | | ☐ |
+-----------------+----------------+---+--------------+-----------------+
| Describe why | | \ | | |
| the assessment | | < | | |
| finding was | | E | | |
| selected. | | n | | |
| | | t | | |
| ***Note**: | | e | | |
| Include all | | r | | |
| details as | | R | | |
| noted in the | | e | | |
| "Required | | s | | |
| Reporting" | | p | | |
| column of the | | o | | |
| table in | | n | | |
| [Assessment | | s | | |
| F | | e | | |
| indings](#asses | | H | | |
| sment-findings) | | e | | |
| in the ROC | | r | | |
| Template | | e | | |
| Instructions.* | | \ | | |
| | | > | | |
+-----------------+----------------+---+--------------+-----------------+
+-----------------+-------------------+--------------------------------+
| **Validation | | |
| Method -- | | |
| Customized | | |
| Approach** | | |
+=================+===================+================================+
| **Indicate** | | - Yes ☐ No |
| whether a | | |
| Customized | | |
| Approach was | | |
| used: | | |
+-----------------+-------------------+--------------------------------+
| **If "Yes", | | \<Enter Response Here\> |
| Identify** the | | |
| aspect(s) of | | |
| the requirement | | |
| where the | | |
| Customized | | |
| Approach was | | |
| used. | | |
| | | |
| ***Note:** The | | |
| use of | | |
| Customized | | |
| Approach must | | |
| also be | | |
| documented in | | |
| [Appendix | | |
| E | | |
| .](#appendix-e- | | |
| customized-appr | | |
| oach-template)* | | |
+-----------------+-------------------+--------------------------------+
| **Validation | | |
| Method -- | | |
| Defined | | |
| Approach** | | |
+-----------------+-------------------+--------------------------------+
| **Indicate** | | - Yes ☐ No |
| whether a | | |
| Compensating | | |
| Control was | | |
| used: | | |
+-----------------+-------------------+--------------------------------+
| **If "Yes", | | \<Enter Response Here\> |
| Identify** the | | |
| aspect(s) of | | |
| the requirement | | |
| where the | | |
| Compensating | | |
| Control(s) was | | |
| used. | | |
| | | |
| ***Note:** The | | |
| use of | | |
| Compensating | | |
| Controls must | | |
| also be | | |
| documented in | | |
| [Appendix | | |
| C.]( | | |
| #appendix-c-com | | |
| pensating-contr | | |
| ols-worksheet)* | | |
+-----------------+-------------------+--------------------------------+
| > **Testing | > **Reporting | > **Reporting Details: |
| > Procedures** | > Instructions** | > Assessor's Response** |
+-----------------+-------------------+--------------------------------+
| **12.10.4.1.a** | **Identify** the | \<Enter Response Here\> |
| Examine the | evidence | |
| entity's | reference | |
| targeted risk | number(s) from | |
| analysis for | [Section | |
| the frequency | 6 | |
| of training for | ](#evidence-asses | |
| incident | sment-workpapers) | |
| response | for the | |
| personnel to | **entity's | |
| verify the risk | targeted risk | |
| analysis was | analysis** | |
| performed in | examined for this | |
| accordance with | testing | |
| all elements | procedure. | |
| specified in | | |
| Requirement | | |
| 12.3.1. | | |
+-----------------+-------------------+--------------------------------+
| **12.10.4.1.b** | **Identify** the | \<Enter Response Here\> |
| Examine | evidence | |
| documented | reference | |
| results of | number(s) from | |
| periodic | [Section | |
| training of | 6 | |
| incident | ](#evidence-asses | |
| response | sment-workpapers) | |
| personnel and | for all | |
| interview | **documented | |
| personnel to | results** | |
| verify training | examined for this | |
| is performed at | testing | |
| the frequency | procedure. | |
| defined in the | | |
| entity's | | |
| targeted risk | | |
| analysis | | |
| performed for | | |
| this | | |
| requirement. | | |
+-----------------+-------------------+--------------------------------+
| | **Identify** the | \<Enter Response Here\> |
| | evidence | |
| | reference | |
| | number(s) from | |
| | [Section | |
| | 6 | |
| | ](#evidence-asses | |
| | sment-workpapers) | |
| | for all | |
| | **interview(s)** | |
| | conducted for | |
| | this testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+

+------------------------------------------------------------------------+
| **PCI DSS Requirement**                                                |
+========================================================================+
| **12.10.5** The security incident response plan includes monitoring    |
| and responding to alerts from security monitoring systems, including   |
| but not limited to:                                                    |
|                                                                        |
| - Intrusion-detection and intrusion-prevention systems.                |
|                                                                        |
| - Network security controls.                                           |
|                                                                        |
| - Change-detection mechanisms for critical files.                      |
|                                                                        |
| - The change-and-tamper-detection mechanism for payment pages. *This   |
|   bullet is a **best practice** until **31 March 2025**, after which   |
|   it will be required as part of Requirement 12.10.5 and must be fully |
|   considered during a PCI DSS assessment.*                             |
|                                                                        |
| - Detection of unauthorized wireless access points.                    |
+------------------------------------------------------------------------+

+--------------------+--------------------+--------------------+--------------------+
| **Assessment       |                    |                    |                    |
| Findings (select   |                    |                    |                    |
| one)**             |                    |                    |                    |
+====================+====================+====================+====================+
| **In Place**       | **Not Applicable** | **Not Tested**     | **Not in Place**   |
+--------------------+--------------------+--------------------+--------------------+
| ☐                  | ☐                  | ☐                  | ☐                  |
+--------------------+--------------------+--------------------+--------------------+

+--------------------------------------------------------------+--------------------------+
| Describe why the assessment finding was selected.            | \<Enter Response Here\>  |
|                                                              |                          |
| ***Note**: Include all details as noted in the "Required     |                          |
| Reporting" column of the table in                            |                          |
| [Assessment Findings](#assessment-findings) in the ROC       |                          |
| Template Instructions.*                                      |                          |
+--------------------------------------------------------------+--------------------------+
| **Validation Method -- Customized Approach**                 |                          |
+--------------------------------------------------------------+--------------------------+
| **Indicate** whether a Customized Approach was used:         | ☐ Yes ☐ No               |
+--------------------------------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>  |
| where the Customized Approach was used.                      |                          |
|                                                              |                          |
| ***Note:** The use of Customized Approach must also be       |                          |
| documented in                                                |                          |
| [Appendix E.](#appendix-e-customized-approach-template)*     |                          |
+--------------------------------------------------------------+--------------------------+
| **Validation Method -- Defined Approach**                    |                          |
+--------------------------------------------------------------+--------------------------+
| **Indicate** whether a Compensating Control was used:        | ☐ Yes ☐ No               |
+--------------------------------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>  |
| where the Compensating Control(s) was used.                  |                          |
|                                                              |                          |
| ***Note:** The use of Compensating Controls must also be     |                          |
| documented in                                                |                          |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*  |                          |
+--------------------------------------------------------------+--------------------------+


+----------------------------------+----------------------------------------------------+--------------------------+
| **Testing Procedures**           | **Reporting Instructions**                         | **Reporting Details:     |
|                                  |                                                    | Assessor's Response**    |
+==================================+====================================================+==========================+
| **12.10.5** Examine              | **Identify** the evidence reference number(s) from | \<Enter Response Here\>  |
| documentation and observe        | [Section 6](#evidence-assessment-workpapers)       |                          |
| incident response processes to   | for all **documentation** examined for this        |                          |
| verify that monitoring and       | testing procedure.                                 |                          |
| responding to alerts from        |                                                    |                          |
| security monitoring systems are  |                                                    |                          |
| covered in the security incident |                                                    |                          |
| response plan, including but not |                                                    |                          |
| limited to the systems specified |                                                    |                          |
| in this requirement.             |                                                    |                          |
+----------------------------------+----------------------------------------------------+--------------------------+
|                                  | **Identify** the evidence reference number(s) from | \<Enter Response Here\>  |
|                                  | [Section 6](#evidence-assessment-workpapers)       |                          |
|                                  | for all **observation(s) of incident response      |                          |
|                                  | processes** for this testing procedure.            |                          |
+----------------------------------+----------------------------------------------------+--------------------------+

+------------------------------------------------------------------------+
| **PCI DSS Requirement**                                                |
+========================================================================+
| **12.10.6** The security incident response plan is modified and        |
| evolved according to lessons learned and to incorporate industry       |
| developments.                                                          |
+------------------------------------------------------------------------+

+--------------------+--------------------+--------------------+--------------------+
| **Assessment       |                    |                    |                    |
| Findings (select   |                    |                    |                    |
| one)**             |                    |                    |                    |
+====================+====================+====================+====================+
| **In Place**       | **Not Applicable** | **Not Tested**     | **Not in Place**   |
+--------------------+--------------------+--------------------+--------------------+
| ☐                  | ☐                  | ☐                  | ☐                  |
+--------------------+--------------------+--------------------+--------------------+

+--------------------------------------------------------------+--------------------------+
| Describe why the assessment finding was selected.            | \<Enter Response Here\>  |
|                                                              |                          |
| ***Note**: Include all details as noted in the "Required     |                          |
| Reporting" column of the table in                            |                          |
| [Assessment Findings](#assessment-findings) in the ROC       |                          |
| Template Instructions.*                                      |                          |
+--------------------------------------------------------------+--------------------------+
| **Validation Method -- Customized Approach**                 |                          |
+--------------------------------------------------------------+--------------------------+
| **Indicate** whether a Customized Approach was used:         | ☐ Yes ☐ No               |
+--------------------------------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>  |
| where the Customized Approach was used.                      |                          |
|                                                              |                          |
| ***Note:** The use of Customized Approach must also be       |                          |
| documented in                                                |                          |
| [Appendix E.](#appendix-e-customized-approach-template)*     |                          |
+--------------------------------------------------------------+--------------------------+
| **Validation Method -- Defined Approach**                    |                          |
+--------------------------------------------------------------+--------------------------+
| **Indicate** whether a Compensating Control was used:        | ☐ Yes ☐ No               |
+--------------------------------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>  |
| where the Compensating Control(s) was used.                  |                          |
|                                                              |                          |
| ***Note:** The use of Compensating Controls must also be     |                          |
| documented in                                                |                          |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*  |                          |
+--------------------------------------------------------------+--------------------------+

+----------------------------------+----------------------------------------------------+--------------------------+
| **Testing Procedures**           | **Reporting Instructions**                         | **Reporting Details:     |
|                                  |                                                    | Assessor's Response**    |
+==================================+====================================================+==========================+
| **12.10.6.a** Examine policies   | **Identify** the evidence reference number(s) from | \<Enter Response Here\>  |
| and procedures to verify that    | [Section 6](#evidence-assessment-workpapers)       |                          |
| processes are defined to modify  | for all **policies and procedures** examined for   |                          |
| and evolve the security incident | this testing procedure.                            |                          |
| response plan according to       |                                                    |                          |
| lessons learned and to           |                                                    |                          |
| incorporate industry             |                                                    |                          |
| developments.                    |                                                    |                          |
+----------------------------------+----------------------------------------------------+--------------------------+
| **12.10.6.b** Examine the        | **Identify** the evidence reference number(s) from | \<Enter Response Here\>  |
| security incident response plan  | [Section 6](#evidence-assessment-workpapers)       |                          |
| and interview responsible        | for the **security incident response plan**        |                          |
| personnel to verify that the     | examined for this testing procedure.               |                          |
| incident response plan is        |                                                    |                          |
| modified and evolved according   |                                                    |                          |
| to lessons learned and to        |                                                    |                          |
| incorporate industry             |                                                    |                          |
| developments.                    |                                                    |                          |
+----------------------------------+----------------------------------------------------+--------------------------+
|                                  | **Identify** the evidence reference number(s) from | \<Enter Response Here\>  |
|                                  | [Section 6](#evidence-assessment-workpapers)       |                          |
|                                  | for all **interview(s)** conducted for this        |                          |
|                                  | testing procedure.                                 |                          |
+----------------------------------+----------------------------------------------------+--------------------------+


+------------------------------------------------------------------------+
| **PCI DSS Requirement**                                                |
+========================================================================+
| **12.10.7** Incident response procedures are in place, to be initiated |
| upon the detection of stored PAN anywhere it is not expected, and      |
| include:                                                               |
|                                                                        |
| - Determining what to do if PAN is discovered outside the CDE,         |
|   including its retrieval, secure deletion, and/or migration into the  |
|   currently defined CDE, as applicable.                                |
|                                                                        |
| - Identifying whether sensitive authentication data is stored with     |
|   PAN.                                                                 |
|                                                                        |
| - Determining where the account data came from and how it ended up     |
|   where it was not expected.                                           |
|                                                                        |
| - Remediating data leaks or process gaps that resulted in the account  |
|   data being where it was not expected.                                |
|                                                                        |
| ***Note:** This requirement is a **best practice** until **31 March    |
| 2025**, after which it will be required and must be fully considered   |
| during a PCI DSS assessment.*                                          |
+------------------------------------------------------------------------+

+--------------------+--------------------+--------------------+--------------------+
| **Assessment       |                    |                    |                    |
| Findings (select   |                    |                    |                    |
| one)**             |                    |                    |                    |
+====================+====================+====================+====================+
| **In Place**       | **Not Applicable** | **Not Tested**     | **Not in Place**   |
+--------------------+--------------------+--------------------+--------------------+
| ☐                  | ☐                  | ☐                  | ☐                  |
+--------------------+--------------------+--------------------+--------------------+

+--------------------------------------------------------------+--------------------------+
| Describe why the assessment finding was selected.            | \<Enter Response Here\>  |
|                                                              |                          |
| ***Note**: Include all details as noted in the "Required     |                          |
| Reporting" column of the table in                            |                          |
| [Assessment Findings](#assessment-findings) in the ROC       |                          |
| Template Instructions.*                                      |                          |
+--------------------------------------------------------------+--------------------------+
| **Validation Method -- Customized Approach**                 |                          |
+--------------------------------------------------------------+--------------------------+
| **Indicate** whether a Customized Approach was used:         | ☐ Yes ☐ No               |
+--------------------------------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>  |
| where the Customized Approach was used.                      |                          |
|                                                              |                          |
| ***Note:** The use of Customized Approach must also be       |                          |
| documented in                                                |                          |
| [Appendix E.](#appendix-e-customized-approach-template)*     |                          |
+--------------------------------------------------------------+--------------------------+
| **Validation Method -- Defined Approach**                    |                          |
+--------------------------------------------------------------+--------------------------+
| **Indicate** whether a Compensating Control was used:        | ☐ Yes ☐ No               |
+--------------------------------------------------------------+--------------------------+
| **If "Yes", Identify** the aspect(s) of the requirement      | \<Enter Response Here\>  |
| where the Compensating Control(s) was used.                  |                          |
|                                                              |                          |
| ***Note:** The use of Compensating Controls must also be     |                          |
| documented in                                                |                          |
| [Appendix C.](#appendix-c-compensating-controls-worksheet)*  |                          |
+--------------------------------------------------------------+--------------------------+

+----------------------------------+----------------------------------------------------+--------------------------+
| **Testing Procedures**           | **Reporting Instructions**                         | **Reporting Details:     |
|                                  |                                                    | Assessor's Response**    |
+==================================+====================================================+==========================+
| **12.10.7.a** Examine documented | **Identify** the evidence reference number(s) from | \<Enter Response Here\>  |
| incident response procedures to  | [Section 6](#evidence-assessment-workpapers)       |                          |
| verify that procedures for       | for the **documented incident response             |                          |
| responding to the detection of   | procedures** examined for this testing procedure.  |                          |
| stored PAN anywhere it is not    |                                                    |                          |
| expected to exist, ready to be   |                                                    |                          |
| initiated, and include all       |                                                    |                          |
| elements specified in this       |                                                    |                          |
| requirement.                     |                                                    |                          |
+----------------------------------+----------------------------------------------------+--------------------------+
| **12.10.7.b** Interview          | **Identify** the evidence reference number(s) from | \<Enter Response Here\>  |
| personnel and examine records of | [Section 6](#evidence-assessment-workpapers)       |                          |
| response actions to verify that  | for all **interview(s)** conducted for this        |                          |
| incident response procedures are | testing procedure.                                 |                          |
| performed upon detection of      |                                                    |                          |
| stored PAN anywhere it is not    |                                                    |                          |
| expected.                        |                                                    |                          |
+----------------------------------+----------------------------------------------------+--------------------------+
|                                  | **Identify** the evidence reference number(s) from | \<Enter Response Here\>  |
|                                  | [Section 6](#evidence-assessment-workpapers)       |                          |
|                                  | for all **records of response actions** examined   |                          |
|                                  | for this testing procedure.                        |                          |
+----------------------------------+----------------------------------------------------+--------------------------+

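As an added illustration of the 12.10.7 procedure (example code written for this page, not part of the ROC template or of any PCI SSC material): a Python helper that screens content found on systems outside the CDE for Luhn-valid PANs, records whether sensitive authentication data (track 2 data or a labelled CVV) is stored alongside each one, and opens a masked incident record that carries the four response elements of the requirement. The file paths, log line and card numbers are constructed samples; the 64-character "stored with PAN" window and the last-four-digits mask are assumptions, not values from the standard.

```python
"""PCI DSS 12.10.7 helper: respond to stored PAN found where it is not
expected. Illustrative code, not part of the ROC template; all paths and
content below are constructed samples."""
import re
from dataclasses import dataclass
from typing import Optional

# Candidate PAN: 13-19 digits, optionally separated by single spaces or
# hyphens, and not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Sensitive authentication data (SAD) that must never be stored after
# authorization: track 2 data (;PAN=YYMM...) or a labelled CVV/CVC value.
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}")
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[:=]\s*\d{3,4}\b", re.IGNORECASE)
SAD_WINDOW = 64  # assumed: characters either side of a PAN that count as "with PAN"

# The four response elements listed in Requirement 12.10.7.
RESPONSE_STEPS = (
    "Decide on retrieval, secure deletion, and/or migration into the CDE",
    "Record whether sensitive authentication data was stored with the PAN",
    "Determine where the account data came from and how it got here",
    "Remediate the data leak or process gap that caused it",
)


def luhn_valid(digits: str) -> bool:
    """Luhn check: weeds out order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits in anything the finding writes out."""
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass
class PanFinding:
    location: str
    masked_pan: str
    sad_kind: Optional[str]  # "track data", "cvv", or None


def find_pans(text: str):
    """Yield (start, end, digits) for each Luhn-valid candidate in text."""
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            yield m.start(), m.end(), digits


def sad_near(text: str, start: int, end: int) -> Optional[str]:
    """Report SAD stored within SAD_WINDOW characters of the PAN, if any."""
    window = text[max(0, start - SAD_WINDOW):end + SAD_WINDOW]
    if TRACK2_RE.search(window):
        return "track data"
    if CVV_RE.search(window):
        return "cvv"
    return None


def scan_location(location: str, text: str) -> list:
    return [PanFinding(location, mask_pan(d), sad_near(text, s, e))
            for s, e, d in find_pans(text)]


def scan_all(files: dict) -> list:
    out = []
    for location, text in files.items():
        out.extend(scan_location(location, text))
    return out


def open_incident(findings: list) -> dict:
    """Incident record for the IR plan; it never holds a full PAN."""
    return {
        "trigger": "stored PAN detected outside the defined CDE",
        "locations": sorted({f.location for f in findings}),
        "sad_present": any(f.sad_kind for f in findings),
        "findings": [vars(f) for f in findings],
        "steps": list(RESPONSE_STEPS),
    }


# Constructed sample content from systems outside the CDE.
SAMPLE_FILES = {
    "/srv/exports/orders.csv":
        "order_id,customer,card\n"
        "1234567812345678,Alice,4111 1111 1111 1111\n",  # order id fails Luhn
    "/var/log/app/debug.log":
        "DEBUG swipe raw=;4111111111111111=25121011000012345678?\n",
    "/home/bob/notes.txt":
        "call ref 4111111111111112 (not a card number)\n",
}

if __name__ == "__main__":
    import json
    print(json.dumps(open_incident(scan_all(SAMPLE_FILES)), indent=2))
```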
## Appendix A Additional PCI DSS Requirements {#appendix-a-additional-pci-dss-requirements .unnumbered}
### A1 Additional PCI DSS Requirements for Multi-Tenant Service Providers {#a1-additional-pci-dss-requirements-for-multi-tenant-service-providers .unnumbered}
+-----------------------------------------------------------------------+
| > **Requirement Description** |
+=======================================================================+
| **A1.1** Multi-tenant service providers protect and separate all |
| customer environments and data. |
+-----------------------------------------------------------------------+
| > **PCI DSS Requirement** |
+-----------------------------------------------------------------------+
| **A1.1.1** Logical separation is implemented as follows: |
| |
| - The provider cannot access its customers\' environments without |
| authorization. |
| |
| - Customers cannot access the provider\'s environment without |
| authorization. |
| |
| ***Note:** This requirement is a **best practice** until **31 March |
| 2025**, after which it will be required and must be fully considered |
| during a PCI DSS assessment.* |
+-----------------------------------------------------------------------+
+-----------------+----------------+---+--------------+-----------------+
| > **Assessment | | | | |
| > Findings | | | | |
| > (select | | | | |
| > one)** | | | | |
+=================+================+===+==============+=================+
| **In Place** | **Not | * | | **Not in |
| | Applicable** | * | | Place** |
| | | N | | |
| | | o | | |
| | | t | | |
| | | T | | |
| | | e | | |
| | | s | | |
| | | t | | |
| | | e | | |
| | | d | | |
| | | * | | |
| | | * | | |
+-----------------+----------------+---+--------------+-----------------+
| ☐ | ☐ | ☐ | | ☐ |
+-----------------+----------------+---+--------------+-----------------+
| Describe why | | \ | | |
| the assessment | | < | | |
| finding was | | E | | |
| selected. | | n | | |
| | | t | | |
| ***Note**: | | e | | |
| Include all | | r | | |
| details as | | R | | |
| noted in the | | e | | |
| "Required | | s | | |
| Reporting" | | p | | |
| column of the | | o | | |
| table in | | n | | |
| [Assessment | | s | | |
| F | | e | | |
| indings](#asses | | H | | |
| sment-findings) | | e | | |
| in the ROC | | r | | |
| Template | | e | | |
| Instructions.* | | \ | | |
| | | > | | |
+-----------------+----------------+---+--------------+-----------------+
| **Validation | | | | |
| Method -- | | | | |
| Customized | | | | |
| Approach** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **Indicate** | | | - Yes ☐ No | |
| whether a | | | | |
| Customized | | | | |
| Approach was | | | | |
| used: | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **If "Yes", | | | \<Enter | |
| Identify** the | | | Response | |
| aspect(s) of | | | Here\> | |
| the requirement | | | | |
| where the | | | | |
| Customized | | | | |
| Approach was | | | | |
| used. | | | | |
| | | | | |
| ***Note:** The | | | | |
| use of | | | | |
| Customized | | | | |
| Approach must | | | | |
| also be | | | | |
| documented in | | | | |
| [Appendix | | | | |
| E | | | | |
| .](#appendix-e- | | | | |
| customized-appr | | | | |
| oach-template)* | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **Validation | | | | |
| Method -- | | | | |
| Defined | | | | |
| Approach** | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **Indicate** | | | - Yes ☐ No | |
| whether a | | | | |
| Compensating | | | | |
| Control was | | | | |
| used: | | | | |
+-----------------+----------------+---+--------------+-----------------+
| **If "Yes", | | | \<Enter | |
| Identify** the | | | Response | |
| aspect(s) of | | | Here\> | |
| the requirement | | | | |
| where the | | | | |
| Compensating | | | | |
| Control(s) was | | | | |
| used. | | | | |
| | | | | |
| ***Note:** The | | | | |
| use of | | | | |
| Compensating | | | | |
| Controls must | | | | |
| also be | | | | |
| documented in | | | | |
| [Appendix | | | | |
| C.]( | | | | |
| #appendix-c-com | | | | |
| pensating-contr | | | | |
| ols-worksheet)* | | | | |
+-----------------+----------------+---+--------------+-----------------+

| **Testing Procedures** | **Reporting Instructions** | **Reporting Details: Assessor's Response** |
|---|---|---|
| **A1.1.1** Examine documentation and system and network configurations and interview personnel to verify that logical separation is implemented in accordance with all elements specified in this requirement. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **documentation** examined for this testing procedure. | \<Enter Response Here\> |
| | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **system and network configurations** examined for this testing procedure. | \<Enter Response Here\> |
| | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **interview(s)** conducted for this testing procedure. | \<Enter Response Here\> |


| **PCI DSS Requirement** | | | |
|---|---|---|---|
| **A1.1.2** Controls are implemented such that each customer only has permission to access its own cardholder data and CDE. | | | |
| **Assessment Findings (select one)** | | | |
| **In Place** | **Not Applicable** | **Not Tested** | **Not in Place** |
| ☐ | ☐ | ☐ | ☐ |
| Describe why the assessment finding was selected. ***Note**: Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.* | \<Enter Response Here\> | | |
| **Validation Method -- Customized Approach** | | | |
| **Indicate** whether a Customized Approach was used: | ☐ Yes ☐ No | | |
| **If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used. ***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)* | \<Enter Response Here\> | | |
| **Validation Method -- Defined Approach** | | | |
| **Indicate** whether a Compensating Control was used: | ☐ Yes ☐ No | | |
| **If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used. ***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)* | \<Enter Response Here\> | | |
| **Testing Procedures** | **Reporting Instructions** | **Reporting Details: Assessor's Response** | |
| **A1.1.2.a** Examine documentation to verify controls are defined such that each customer only has permission to access its own cardholder data and CDE. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **documentation** examined for this testing procedure. | \<Enter Response Here\> | |
| **A1.1.2.b** Examine system configurations to verify that customers have privileges established to only access their own account data and CDE. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **system configurations** examined for this testing procedure. | \<Enter Response Here\> | |


| **PCI DSS Requirement** | | | |
|---|---|---|---|
| **A1.1.3** Controls are implemented such that each customer can only access resources allocated to them. | | | |
| **Assessment Findings (select one)** | | | |
| **In Place** | **Not Applicable** | **Not Tested** | **Not in Place** |
| ☐ | ☐ | ☐ | ☐ |
| Describe why the assessment finding was selected. ***Note**: Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.* | \<Enter Response Here\> | | |
| **Validation Method -- Customized Approach** | | | |
| **Indicate** whether a Customized Approach was used: | ☐ Yes ☐ No | | |
| **If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used. ***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)* | \<Enter Response Here\> | | |
| **Validation Method -- Defined Approach** | | | |
| **Indicate** whether a Compensating Control was used: | ☐ Yes ☐ No | | |
| **If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used. ***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)* | \<Enter Response Here\> | | |
| **Testing Procedures** | **Reporting Instructions** | **Reporting Details: Assessor's Response** | |
| **A1.1.3** Examine customer privileges to verify each customer can only access resources allocated to them. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **customer privileges** examined for this testing procedure. | \<Enter Response Here\> | |


| **PCI DSS Requirement** | | | |
|---|---|---|---|
| **A1.1.4** The effectiveness of logical separation controls used to separate customer environments is confirmed at least once every six months via penetration testing. ***Note:** This requirement is a **best practice** until **31 March 2025**, after which it will be required and must be fully considered during a PCI DSS assessment.* | | | |
| **Assessment Findings (select one)** | | | |
| **In Place** | **Not Applicable** | **Not Tested** | **Not in Place** |
| ☐ | ☐ | ☐ | ☐ |
| Describe why the assessment finding was selected. ***Note**: Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.* | \<Enter Response Here\> | | |
| **Validation Method -- Customized Approach** | | | |
| **Indicate** whether a Customized Approach was used: | ☐ Yes ☐ No | | |
| **If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used. ***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)* | \<Enter Response Here\> | | |
| **Validation Method -- Defined Approach** | | | |
| **Indicate** whether a Compensating Control was used: | ☐ Yes ☐ No | | |
| **If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used. ***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)* | \<Enter Response Here\> | | |
| **Testing Procedures** | **Reporting Instructions** | **Reporting Details: Assessor's Response** | |
| **A1.1.4** Examine the results from the most recent penetration test to verify that testing confirmed the effectiveness of logical separation controls used to separate customer environments. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for the **results from the most recent penetration test** examined for this testing procedure. | \<Enter Response Here\> | |

+-----------------------------------------------------------------------+
| > **Requirement Description** |
+=======================================================================+
| **A1.2** Multi-tenant service providers facilitate logging and |
| incident response for all customers. |
+-----------------------------------------------------------------------+
| > **PCI DSS Requirement** |
+-----------------------------------------------------------------------+
| **A1.2.1** Audit log capability is enabled for each customer\'s |
| environment that is consistent with PCI DSS Requirement 10, |
| including: |
| |
| - Logs are enabled for common third-party applications. |
| |
| - Logs are active by default. |
| |
| - Logs are available for review only by the owning customer. |
| |
| - Log locations are clearly communicated to the owning customer. |
| |
| - Log data and availability is consistent with PCI DSS Requirement |
| 10. |
+-----------------------------------------------------------------------+

| **Assessment Findings (select one)** | | | |
|---|---|---|---|
| **In Place** | **Not Applicable** | **Not Tested** | **Not in Place** |
| ☐ | ☐ | ☐ | ☐ |
| Describe why the assessment finding was selected. ***Note**: Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.* | \<Enter Response Here\> | | |
| **Validation Method -- Customized Approach** | | | |
| **Indicate** whether a Customized Approach was used: | ☐ Yes ☐ No | | |
| **If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used. ***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)* | \<Enter Response Here\> | | |
| **Validation Method -- Defined Approach** | | | |
| **Indicate** whether a Compensating Control was used: | ☐ Yes ☐ No | | |
| **If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used. ***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)* | \<Enter Response Here\> | | |
| **Testing Procedures** | **Reporting Instructions** | **Reporting Details: Assessor's Response** | |
| **A1.2.1** Examine documentation and system configuration settings to verify the provider has enabled audit log capability for each customer environment in accordance with all elements specified in this requirement. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **documentation** examined for this testing procedure. | \<Enter Response Here\> | |
| | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **system configuration settings** examined for this testing procedure. | \<Enter Response Here\> | |


| **PCI DSS Requirement** | | | |
|---|---|---|---|
| **A1.2.2** Processes or mechanisms are implemented to support and/or facilitate prompt forensic investigations in the event of a suspected or confirmed security incident for any customer. | | | |
| **Assessment Findings (select one)** | | | |
| **In Place** | **Not Applicable** | **Not Tested** | **Not in Place** |
| ☐ | ☐ | ☐ | ☐ |
| Describe why the assessment finding was selected. ***Note**: Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.* | \<Enter Response Here\> | | |
| **Validation Method -- Customized Approach** | | | |
| **Indicate** whether a Customized Approach was used: | ☐ Yes ☐ No | | |
| **If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used. ***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)* | \<Enter Response Here\> | | |
| **Validation Method -- Defined Approach** | | | |
| **Indicate** whether a Compensating Control was used: | ☐ Yes ☐ No | | |
| **If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used. ***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)* | \<Enter Response Here\> | | |
| **Testing Procedures** | **Reporting Instructions** | **Reporting Details: Assessor's Response** | |
| **A1.2.2** Examine documented procedures to verify that the provider has processes or mechanisms to support and/or facilitate a prompt forensic investigation of related servers in the event of a suspected or confirmed security incident for any customer. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for the **documented procedures** examined for this testing procedure. | \<Enter Response Here\> | |


+-----------------------------------------------------------------------+
| > **PCI DSS Requirement**                                             |
+=======================================================================+
| **A1.2.3** Processes or mechanisms are implemented for reporting and  |
| addressing suspected or confirmed security incidents and              |
| vulnerabilities, including:                                           |
|                                                                       |
| - Customers can securely report security incidents and                |
|   vulnerabilities to the provider.                                    |
|                                                                       |
| - The provider addresses and remediates suspected or confirmed        |
|   security incidents and vulnerabilities according to Requirement     |
|   6.3.1.                                                              |
|                                                                       |
| ***Note:** This requirement is a **best practice** until **31 March   |
| 2025**, after which it will be required and must be fully considered  |
| during a PCI DSS assessment.*                                         |
+-----------------------------------------------------------------------+

| **Assessment Findings (select one)** | | | |
|---|---|---|---|
| **In Place** | **Not Applicable** | **Not Tested** | **Not in Place** |
| ☐ | ☐ | ☐ | ☐ |
| Describe why the assessment finding was selected. ***Note**: Include all details as noted in the "Required Reporting" column of the table in [Assessment Findings](#assessment-findings) in the ROC Template Instructions.* | \<Enter Response Here\> | | |
| **Validation Method -- Customized Approach** | | | |
| **Indicate** whether a Customized Approach was used: | ☐ Yes ☐ No | | |
| **If "Yes", Identify** the aspect(s) of the requirement where the Customized Approach was used. ***Note:** The use of Customized Approach must also be documented in [Appendix E.](#appendix-e-customized-approach-template)* | \<Enter Response Here\> | | |
| **Validation Method -- Defined Approach** | | | |
| **Indicate** whether a Compensating Control was used: | ☐ Yes ☐ No | | |
| **If "Yes", Identify** the aspect(s) of the requirement where the Compensating Control(s) was used. ***Note:** The use of Compensating Controls must also be documented in [Appendix C.](#appendix-c-compensating-controls-worksheet)* | \<Enter Response Here\> | | |
| **Testing Procedures** | **Reporting Instructions** | **Reporting Details: Assessor's Response** | |
| **A1.2.3** Examine documented procedures and interview personnel to verify that the provider has a mechanism for reporting and addressing suspected or confirmed security incidents and vulnerabilities, in accordance with all elements specified in this requirement. | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for the **documented procedures** examined for this testing procedure. | \<Enter Response Here\> | |
| | **Identify** the evidence reference number(s) from [Section 6](#evidence-assessment-workpapers) for all **interview(s)** conducted for this testing procedure. | \<Enter Response Here\> | |

### A2 Additional PCI DSS Requirements for Entities Using SSL/Early TLS for Card-Present POS POI Terminal Connections {#a2-additional-pci-dss-requirements-for-entities-using-sslearly-tls-for-card-present-pos-poi-terminal-connections .unnumbered}
+----------------------------------------------------------------------+
| > **Requirement Description**                                        |
+======================================================================+
| **A2.1** POI terminals using SSL and/or early TLS are confirmed as   |
| not susceptible to known SSL/TLS exploits.                           |
+----------------------------------------------------------------------+
| > **PCI DSS Requirement**                                            |
+----------------------------------------------------------------------+
| **A2.1.1** Where POS POI terminals at the merchant or payment        |
| acceptance location use SSL and/or early TLS, the entity confirms    |
| the devices are not susceptible to any known exploits for those      |
| protocols.                                                           |
+----------------------------------------------------------------------+
| > **Assessment Findings (select one)**                               |
+----------------------------------------------------------------------+
+-----------------+-----------------+-----------------+----------------+
| **In Place**    | **Not           | **Not Tested**  | **Not in       |
|                 | Applicable**    |                 | Place**        |
+-----------------+-----------------+-----------------+----------------+
| ☐               | ☐               | ☐               | ☐              |
+-----------------+-----------------+-----------------+----------------+
+-------------------------------------+--------------------------------+
| Describe why the assessment finding | \<Enter Response Here\>        |
| was selected.                       |                                |
|                                     |                                |
| ***Note**: Include all details as   |                                |
| noted in the "Required Reporting"   |                                |
| column of the table in [Assessment  |                                |
| Findings](#assessment-findings) in  |                                |
| the ROC Template Instructions.*     |                                |
+-------------------------------------+--------------------------------+
+----------------------------------------------------------------------+
| **Validation Method -- Customized Approach**                         |
+----------------------------------------------------------------------+
| This requirement is not eligible for the customized approach.        |
+----------------------------------------------------------------------+
| **Validation Method -- Defined Approach**                            |
+----------------------------------------------------------------------+
+-------------------------------------+--------------------------------+
| **Indicate** whether a Compensating | ☐ Yes ☐ No                     |
| Control was used:                   |                                |
+-------------------------------------+--------------------------------+
| **If "Yes", Identify** the          | \<Enter Response Here\>        |
| aspect(s) of the requirement where  |                                |
| the Compensating Control(s) was     |                                |
| used.                               |                                |
+-------------------------------------+--------------------------------+
+----------------------------------------------------------------------+
| ***Note:** The use of Compensating Controls must also be documented  |
| in [Appendix C.](#appendix-c-compensating-controls-worksheet)*       |
+----------------------------------------------------------------------+
+-----------------+-------------------+--------------------------------+
| > **Testing     | > **Reporting     | > **Reporting Details:         |
| > Procedures**  | > Instructions**  | > Assessor's Response**        |
+=================+===================+================================+
| **A2.1.1** For  | **Identify** the  | \<Enter Response Here\>        |
| POS POI         | evidence          |                                |
| terminals using | reference         |                                |
| SSL and/or      | number(s) from    |                                |
| early TLS,      | [Section          |                                |
| confirm the     | 6                 |                                |
| entity has      | ](#evidence-asses |                                |
| documentation   | sment-workpapers) |                                |
| (for example,   | for all           |                                |
| vendor          | **documentation** |                                |
| documentation,  | examined for this |                                |
| system/network  | testing           |                                |
| configuration   | procedure.        |                                |
| details) that   |                   |                                |
| verifies the    |                   |                                |
| devices are not |                   |                                |
| susceptible to  |                   |                                |
| any known       |                   |                                |
| exploits for    |                   |                                |
| SSL/early TLS.  |                   |                                |
+-----------------+-------------------+--------------------------------+
+----------------------------------------------------------------------+
| > **PCI DSS Requirement**                                            |
+----------------------------------------------------------------------+
| **A2.1.2 *Additional requirement for service providers only:*** All  |
| service providers with existing connection points to POS POI         |
| terminals that use SSL and/or early TLS as defined in A2.1 have a    |
| formal Risk Mitigation and Migration Plan in place that includes:    |
|                                                                      |
| - Description of usage, including what data is being transmitted,    |
|   types and number of systems that use and/or support SSL/early TLS, |
|   and type of environment.                                           |
|                                                                      |
| - Risk-assessment results and risk-reduction controls in place.      |
|                                                                      |
| - Description of processes to monitor for new vulnerabilities        |
|   associated with SSL/early TLS.                                     |
|                                                                      |
| - Description of change control processes that are implemented to    |
|   ensure SSL/early TLS is not implemented into new environments.     |
|                                                                      |
| - Overview of migration project plan to replace SSL/early TLS at a   |
|   future date.                                                       |
+----------------------------------------------------------------------+
| > **Assessment Findings (select one)**                               |
+----------------------------------------------------------------------+
+-----------------+-----------------+-----------------+----------------+
| **In Place**    | **Not           | **Not Tested**  | **Not in       |
|                 | Applicable**    |                 | Place**        |
+-----------------+-----------------+-----------------+----------------+
| ☐               | ☐               | ☐               | ☐              |
+-----------------+-----------------+-----------------+----------------+
+-------------------------------------+--------------------------------+
| Describe why the assessment finding | \<Enter Response Here\>        |
| was selected.                       |                                |
|                                     |                                |
| ***Note**: Include all details as   |                                |
| noted in the "Required Reporting"   |                                |
| column of the table in [Assessment  |                                |
| Findings](#assessment-findings) in  |                                |
| the ROC Template Instructions.*     |                                |
+-------------------------------------+--------------------------------+
+----------------------------------------------------------------------+
| **Validation Method -- Customized Approach**                         |
+----------------------------------------------------------------------+
| This requirement is not eligible for the customized approach.        |
+----------------------------------------------------------------------+
| **Validation Method -- Defined Approach**                            |
+----------------------------------------------------------------------+
+-------------------------------------+--------------------------------+
| **Indicate** whether a Compensating | ☐ Yes ☐ No                     |
| Control was used:                   |                                |
+-------------------------------------+--------------------------------+
| **If "Yes", Identify** the          | \<Enter Response Here\>        |
| aspect(s) of the requirement where  |                                |
| the Compensating Control(s) was     |                                |
| used.                               |                                |
+-------------------------------------+--------------------------------+
+----------------------------------------------------------------------+
| ***Note:** The use of Compensating Controls must also be documented  |
| in [Appendix C.](#appendix-c-compensating-controls-worksheet)*       |
+----------------------------------------------------------------------+
+-----------------+-------------------+--------------------------------+
| > **Testing     | > **Reporting     | > **Reporting Details:         |
| > Procedures**  | > Instructions**  | > Assessor's Response**        |
+=================+===================+================================+
| **A2.1.2        | **Identify** the  | \<Enter Response Here\>        |
| *Additional     | evidence          |                                |
| testing         | reference         |                                |
| procedure for   | number(s) from    |                                |
| service         | [Section          |                                |
| provider        | 6                 |                                |
| assessments     | ](#evidence-asses |                                |
| only*:** Review | sment-workpapers) |                                |
| the documented  | for the           |                                |
| Risk Mitigation | **documented Risk |                                |
| and Migration   | Mitigation and    |                                |
| Plan to verify  | Migration Plan**  |                                |
| it includes all | examined for this |                                |
| elements        | testing           |                                |
| specified in    | procedure.        |                                |
| this            |                   |                                |
| requirement.    |                   |                                |
+-----------------+-------------------+--------------------------------+
+----------------------------------------------------------------------+
| > **PCI DSS Requirement**                                            |
+----------------------------------------------------------------------+
| **A2.1.3 *Additional requirement for service providers only:*** All  |
| service providers provide a secure service offering.                 |
+----------------------------------------------------------------------+
| > **Assessment Findings (select one)**                               |
+----------------------------------------------------------------------+
+-----------------+-----------------+-----------------+----------------+
| **In Place**    | **Not           | **Not Tested**  | **Not in       |
|                 | Applicable**    |                 | Place**        |
+-----------------+-----------------+-----------------+----------------+
| ☐               | ☐               | ☐               | ☐              |
+-----------------+-----------------+-----------------+----------------+
+-------------------------------------+--------------------------------+
| Describe why the assessment finding | \<Enter Response Here\>        |
| was selected.                       |                                |
|                                     |                                |
| ***Note**: Include all details as   |                                |
| noted in the "Required Reporting"   |                                |
| column of the table in [Assessment  |                                |
| Findings](#assessment-findings) in  |                                |
| the ROC Template Instructions.*     |                                |
+-------------------------------------+--------------------------------+
+-----------------+-------------------+--------------------------------+
| **Validation | | |
| Method -- | | |
| Customized | | |
| Approach** | | |
+=================+===================+================================+
| This | | |
| requirement is | | |
| not eligible | | |
| for the | | |
| customized | | |
| approach. | | |
+-----------------+-------------------+--------------------------------+
| **Validation | | |
| Method -- | | |
| Defined | | |
| Approach** | | |
+-----------------+-------------------+--------------------------------+
| **Indicate**    |                   | ☐ Yes ☐ No                     |
| whether a | | |
| Compensating | | |
| Control was | | |
| used: | | |
+-----------------+-------------------+--------------------------------+
| **If "Yes", | | \<Enter Response Here\> |
| Identify** the | | |
| aspect(s) of | | |
| the requirement | | |
| where the | | |
| Compensating | | |
| Control(s) was | | |
| used. | | |
| | | |
| ***Note:** The | | |
| use of | | |
| Compensating | | |
| Controls must | | |
| also be | | |
| documented in | | |
| [Appendix | | |
| C.]( | | |
| #appendix-c-com | | |
| pensating-contr | | |
| ols-worksheet)* | | |
+-----------------+-------------------+--------------------------------+
| > **Testing | > **Reporting | > **Reporting Details: |
| > Procedures** | > Instructions** | > Assessor's Response** |
+-----------------+-------------------+--------------------------------+
| **A2.1.3 | **Identify** the | \<Enter Response Here\> |
| *Additional | evidence | |
| testing | reference | |
| procedure for | number(s) from | |
| service | [Section | |
| provider | 6 | |
| assessments | ](#evidence-asses | |
| only: | sment-workpapers) | |
| ***Examine | for all **system | |
| system | configurations** | |
| configurations | examined for this | |
| and supporting | testing | |
| documentation | procedure. | |
| to verify the | | |
| service | | |
| provider offers | | |
| a secure | | |
| protocol option | | |
| for its | | |
| service. | | |
+-----------------+-------------------+--------------------------------+
| | **Identify** the | \<Enter Response Here\> |
| | evidence | |
| | reference | |
| | number(s) from | |
| | [Section | |
| | 6 | |
| | ](#evidence-asses | |
| | sment-workpapers) | |
| | for all | |
| | **documentation** | |
| | examined for this | |
| | testing | |
| | procedure. | |
+-----------------+-------------------+--------------------------------+
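The A2.1.1 and A2.1.3 testing procedures both come down to one technical question: which protocol versions will a connection point actually negotiate? The script below is an added example, not part of the PCI SSC ROC template. It uses only Python's standard `ssl` and `socket` modules, and the host and port are supplied by the caller (the default `pos-gateway.example.net:443` is a hypothetical placeholder, as are the function names). It pins a client context to one protocol version at a time, records whether the server completes a handshake at exactly that version, and reduces the results to the two facts Appendix A2 asks for: whether a secure option (TLS 1.2 or later) is offered, and whether SSL or early TLS is still accepted.

```python
"""Probe which SSL/TLS protocol versions a connection point negotiates.

Added example for the Appendix A2 checks; it is not part of the PCI SSC
ROC template. The target host and port are supplied by the caller (the
defaults below are hypothetical placeholders).
"""
import socket
import ssl
import sys

# Protocol versions in the order a report would list them. SSLv3, TLS 1.0
# and TLS 1.1 are the "SSL and/or early TLS" protocols Appendix A2 covers.
PROBE_VERSIONS = ["SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"]
EARLY_VERSIONS = {"SSLv3", "TLSv1", "TLSv1_1"}
SECURE_VERSIONS = {"TLSv1_2", "TLSv1_3"}


def _context_for(version_name):
    """Build a client context pinned to exactly one protocol version.

    Returns None when the local TLS library cannot offer that version at all
    (typical for SSLv3 on current OpenSSL), so the caller can tell "server
    refused" apart from "this probe could not even ask".
    """
    version = getattr(ssl.TLSVersion, version_name)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Protocol negotiation is under test here, not certificate validity.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:
        return None
    try:
        # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level; lower
        # it so that a refusal comes from the server, not from this client.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # non-OpenSSL builds: keep the default cipher list
    return ctx


def probe_tls_versions(host, port, timeout=5.0):
    """Return {version_name: True | False | None} for one endpoint.

    True  - the server completed a handshake at exactly that version
    False - the server refused it (or the connection failed)
    None  - the local TLS library could not attempt that version
    """
    results = {}
    for name in PROBE_VERSIONS:
        ctx = _context_for(name)
        if ctx is None:
            results[name] = None
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    # ssl reports "TLSv1.2"; our names use "_" for the dot.
                    results[name] = tls.version() == name.replace("_", ".")
        except (ssl.SSLError, OSError):
            results[name] = False
    return results


def assess_connection_point(results):
    """Reduce probe results to the two facts Appendix A2 asks about.

    A2.1.3: does the service offer a secure protocol option (TLS 1.2 or
    later)?  A2.1.1/A2.1.2: is SSL or early TLS still accepted, and so in
    scope for the Risk Mitigation and Migration Plan?
    """
    return {
        "secure_option_offered": any(results.get(v) for v in SECURE_VERSIONS),
        "secure_versions": [v for v in PROBE_VERSIONS
                            if v in SECURE_VERSIONS and results.get(v)],
        "early_tls_accepted": [v for v in PROBE_VERSIONS
                               if v in EARLY_VERSIONS and results.get(v)],
        "not_probed": [v for v in PROBE_VERSIONS if results.get(v) is None],
    }


if __name__ == "__main__":
    # Hypothetical connection point; pass the real endpoint on the command line.
    target_host = sys.argv[1] if len(sys.argv) > 1 else "pos-gateway.example.net"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    probe = probe_tls_versions(target_host, target_port)
    for name in PROBE_VERSIONS:
        state = {True: "accepted", False: "refused", None: "not probed"}[probe[name]]
        print(f"{name:8s} {state}")
    print(assess_connection_point(probe))
```

A `None` result means the assessor's own TLS library could not even offer that version (current OpenSSL builds ship without SSLv3, and at their default security level refuse TLS 1.0 and 1.1), so a probe run from a modern workstation cannot by itself prove that a gateway refuses early TLS. It complements, rather than replaces, the vendor documentation and configuration evidence A2.1.1 calls for. POS POI terminals are TLS clients, so the equivalent check for them is made against the server-side connection points they use, which is what A2.1.3 asks of service providers.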
### A3 Designated Entities Supplemental Validation (DESV)
This Appendix applies only to entities designated by a payment brand(s) or acquirer as requiring additional validation of existing PCI DSS requirements.
Entities that are required to validate to these requirements should refer to the following documents for reporting:
- PCI DSS v4.0 Supplemental Report on Compliance Template - Designated Entities Supplemental Validation
- PCI DSS v4.0 Supplemental Attestation of Compliance for Report on Compliance - Designated Entities Supplemental Validation
These documents are available in the PCI SSC Document Library.
Note that an entity is ONLY required to undergo an assessment according to this Appendix if instructed to do so by an acquirer or a payment brand.
## Appendix B Compensating Controls
> Compensating controls may be considered when an entity cannot meet a
> PCI DSS requirement explicitly as stated, due to legitimate and
> documented technical or business constraints but has sufficiently
> mitigated the risk associated with not meeting the requirement through
> implementation of other, or compensating, controls.
>
> Compensating controls must satisfy the following criteria:
1. Meet the intent and rigor of the original PCI DSS requirement.
2. Provide a similar level of defense as the original PCI DSS
requirement, such that the compensating control sufficiently offsets
the risk that the original PCI DSS requirement was designed to
defend against. To understand the intent of a requirement, see the
Customized Approach Objective for most PCI DSS requirements. If a
requirement is not eligible for the Customized Approach and
therefore does not have a Customized Approach Objective, refer to
the Purpose in the Guidance column for that requirement.
3. Be "above and beyond" other PCI DSS requirements. (Simply being in
compliance with other PCI DSS requirements is not a compensating
control.)
4. When evaluating "above and beyond" for compensating controls,
   consider the following:
a. Existing PCI DSS requirements CANNOT be considered as compensating
   controls if they are already required for the item under review. For
   example, passwords for non-console administrative access must be
   sent encrypted to mitigate the risk of intercepting cleartext
   administrative passwords. An entity cannot use other PCI DSS
   password requirements (intruder lockout, complex passwords, etc.) to
   compensate for the lack of encrypted passwords, since those other
   password requirements do not mitigate the risk of interception of
   cleartext passwords. Also, the other password controls are already
   PCI DSS requirements for the item under review (passwords).
b. Existing PCI DSS requirements MAY be considered as compensating
   controls if they are required for another area but are not required
   for the item under review.
c. Existing PCI DSS requirements may be combined with new controls to
   become a compensating control. For example, if a company is unable
   to address a vulnerability that is exploitable through a network
   interface because a security update is not yet available from a
   vendor, a compensating control could consist of controls that
   include all of the following: 1) internal network segmentation, 2)
   limiting network access to the vulnerable interface to only required
   devices (IP address or MAC address filtering), and 3) IDS/IPS
   monitoring of all traffic destined to the vulnerable interface.
5. Address the additional risk imposed by not adhering to the PCI DSS requirement.
6. Address the requirement currently and in the future. A compensating control cannot address a requirement that was missed in the past (for example, where the performance of a task was required two quarters ago, but that task was not performed).
> ***Note:** All compensating controls must be reviewed and validated
> for sufficiency by the assessor who conducts the PCI DSS assessment.
> The effectiveness of a compensating control is dependent on the
> specifics of the environment in which the control is implemented, the
> surrounding security controls, and the configuration of the control.
> Entities should be aware that a given compensating control will not be
> effective in all environments.*
The assessor is required to thoroughly evaluate compensating controls during each annual PCI DSS assessment to confirm that each compensating control adequately addresses the risk that the original PCI DSS requirement was designed to address, per items 1-6 above.
To maintain compliance, processes and controls must be in place to ensure compensating controls remain effective after the assessment is complete. Additionally, compensating control results must be documented in the applicable report for the assessment (for example, a Report on Compliance or a Self-Assessment Questionnaire) in the corresponding PCI DSS requirement section, and included when the applicable report is submitted to the requesting organization.
## Appendix C Compensating Controls Worksheet
Use this worksheet to document any instance where a compensating control is used to meet a PCI DSS defined requirement. Note that compensating controls must also be documented at the corresponding PCI DSS requirement in Part II Findings and Observations.
***Note:** Only entities that have legitimate and documented technological or business constraints can consider the use of compensating controls to achieve compliance.*
**Requirement Number and Definition:** \<Enter Response Here\>
+---------------+---------------------------+--------------------------+
| | > **Information | **Explanation** |
| | > Required** | |
+===============+===========================+==========================+
| **1. | Document the legitimate | \<Enter Response Here\> |
| Constraints** | technical or business | |
| | constraints precluding | |
| | compliance with the | |
| | original requirement. | |
+---------------+---------------------------+--------------------------+
| **2. | Define the compensating | \<Enter Response Here\> |
| Definition of | controls, explain how | |
| Compensating | they address the | |
| Controls** | objectives of the | |
| | original control and the | |
| | increased risk, if any. | |
+---------------+---------------------------+--------------------------+
| **3. | Define the objective of | \<Enter Response Here\> |
| Objective** | the original control (for | |
| | example, the Customized | |
| | Approach Objective). | |
+---------------+---------------------------+--------------------------+
| | Identify the objective | \<Enter Response Here\> |
| | met by the compensating | |
| | control (*note: this can | |
| | be, but is not required | |
| | to be, the stated | |
| | Customized Approach | |
| | Objective for the PCI DSS | |
| | requirement*). | |
+---------------+---------------------------+--------------------------+
| **4. | Identify any additional | \<Enter Response Here\> |
| Identified | risk posed by the lack of | |
| Risk** | the original control. | |
+---------------+---------------------------+--------------------------+
| **5. | Define how the | \<Enter Response Here\> |
| Validation of | compensating controls | |
| Compensating | were validated and | |
| Controls** | tested. | |
+---------------+---------------------------+--------------------------+
| **6. | Define process(es) and | \<Enter Response Here\> |
| Maintenance** | controls in place to | |
| | maintain compensating | |
| | controls. | |
+---------------+---------------------------+--------------------------+
## Appendix D Customized Approach
This approach is intended for entities that decide to meet a PCI DSS requirement's stated Customized Approach Objective in a way that does not strictly follow the defined requirement. The customized approach allows an entity to take a strategic approach to meeting a requirement's Customized Approach Objective, so it can determine and design the security controls needed to meet the objective in a manner unique for that organization.
**The entity** implementing a customized approach must satisfy the following criteria:
- Document and maintain evidence about each customized control, including all information specified in the Controls Matrix Template in Appendix E1 of the *Payment Card Industry Data Security Standard (PCI DSS) Requirements and Testing Procedures*.
- Perform and document a targeted risk analysis (PCI DSS Requirement 12.3.2) for each customized control, including all information specified in the Targeted Risk Analysis Template in Appendix E2 of the *Payment Card Industry Data Security Standard (PCI DSS) Requirements and Testing Procedures*.
- Perform testing of each customized control to prove effectiveness, and document testing performed, methods used, what was tested, when testing was performed, and results of testing in the controls matrix.
- Monitor and maintain evidence about the effectiveness of each customized control.
- Provide completed controls matrix(es), targeted risk analysis, testing evidence, and evidence of customized control effectiveness to its assessor.
**The assessor** performing an assessment of customized controls must satisfy the following criteria:
- Review the entity's controls matrix(es), targeted risk analysis, and evidence of control effectiveness to fully understand the customized control(s) and to verify the entity meets all Customized Approach documentation and evidence requirements.
- Derive and document the appropriate testing procedures needed to conduct thorough testing of each customized control.
- Test each customized control to determine whether the entity's implementation 1) meets the requirement's Customized Approach Objective and 2) results in an "in place" finding for the requirement.
- At all times, QSAs maintain independence requirements defined in the QSA Qualification Requirements. This means if a QSA is involved in designing or implementing a customized control, that QSA does not also derive testing procedures for, assess, or assist with the assessment of that customized control.
- The entity and its assessor are expected to work together to ensure 1) they agree that the customized control(s) fully meets the customized approach objective, 2) the assessor fully understands the customized control, and 3) the entity understands the derived testing the assessor will perform.
- Use of the customized approach must be completed by a QSA or ISA and documented in accordance with instructions in the Report on Compliance (ROC) Template and following the instructions in the *FAQs for use with PCI DSS v4.0 ROC Template* available on the PCI SSC website.
- Entities that complete a Self-Assessment Questionnaire are not eligible to use a customized approach; however, these entities may elect to have a QSA or ISA perform their assessment and document it in a ROC Template.
- The use of the customized approach may be regulated by organizations that manage compliance programs (for example, payment brands and acquirers). Therefore, questions about use of a customized approach must be referred to those organizations, including, for example, whether an entity is required to use a QSA, or may use an ISA to complete an assessment using the customized approach.
***Note:** Compensating controls are not an option with the customized approach. Because the customized approach allows an entity to determine and design the controls needed to meet a requirement's Customized Approach Objective, the entity is expected to effectively implement the controls it designed for that requirement without needing to also implement alternate, compensating controls.*
## Appendix E Customized Approach Template
Use this template to document each instance where a customized control is used to meet a PCI DSS requirement. Note that each use of the Customized Approach must also be documented at the corresponding PCI DSS requirement in Part II Findings and Observations.
**Requirement Number and Definition:** \<Enter Response Here\>
+-----------------------------------+----------------------------------+
| **Identify** the **customized | \<Enter Response Here\> |
| control name / identifier** for | |
| each control used to meet the | |
| Customized Approach Objective. | |
| | |
| *(**Note:** use the Customized | |
| Control name from the assessed | |
| entity's controls matrix)* | |
+===================================+==================================+
| **Describe each** control used to | \<Enter Response Here\> |
| meet the Customized Approach | |
| Objective. | |
| | |
| *(**Note**: Refer to the Payment | |
| Card Industry Data Security | |
| Standard (PCI DSS) Requirements | |
| and Testing Procedures for the | |
| Customized Approach Objective)* | |
+-----------------------------------+----------------------------------+
| **Describe how** the control(s) | \<Enter Response Here\> |
| meet the Customized Approach | |
| Objective. | |
+-----------------------------------+----------------------------------+
| **Identify** the **Controls | \<Enter Response Here\> |
| Matrix documentation** reviewed | |
| that supports a customized | |
| approach for this requirement. | |
+-----------------------------------+----------------------------------+
| **Identify** the **Targeted Risk | \<Enter Response Here\> |
| Analysis documentation** reviewed | |
| that supports the customized | |
| approach for this requirement. | |
+-----------------------------------+----------------------------------+
| **Identify** name(s) of the | \<Report Name(s) of Assessor(s) |
| assessor(s) who attests that: | Here\> |
| | |
| - The entity completed the | |
| Controls Matrix including all | |
| information specified in the | |
| Controls Matrix Template in | |
| Appendix E1 of *Payment Card | |
| Industry Data Security | |
| Standard (PCI DSS) | |
| Requirements and Testing | |
| Procedures* and the results | |
| of the Controls Matrix | |
| support the customized | |
| approach for this | |
| requirement. | |
| | |
| - The entity completed the | |
| Targeted Risk Analysis | |
| including all information | |
| specified in the Targeted | |
| Risk Analysis Template in | |
| Appendix E2 of *Payment Card | |
| Industry Data Security | |
| Standard (PCI DSS) | |
| Requirements and Testing | |
| Procedures*, and that the | |
| results of the Risk Analysis | |
| support use of the customized | |
| approach for this | |
| requirement. | |
+-----------------------------------+----------------------------------+
| **Describe** the testing | |
| procedures derived and performed | |
| by the assessor to validate that | |
| the **implemented controls meet | |
| the Customized Approach | |
| Objective**; for example, whether | |
| the customized control(s) is | |
| sufficiently robust to provide at | |
| least an equivalent level of | |
| protection as provided by the | |
| defined approach. | |
| | |
| ***Note 1:** Technical reviews | |
| (for example, reviewing | |
| configuration settings, operating | |
| effectiveness, etc.) should be | |
| performed where possible and | |
| appropriate.* | |
| | |
| ***Note 2:** Add additional rows | |
| for each assessor-derived testing | |
| procedure, as needed. Ensure that | |
| all rows to the right of the | |
| "Assessor-derived testing | |
| procedure" are copied for each | |
| assessor-derived testing | |
| procedure that is added.* | |
+-----------------------------------+----------------------------------+
+-----------------+-----------------+----------------------------------+
| \<A | **Identify** | \<Enter Response Here\> |
| ssessor-derived | what was tested | |
| testing | (for example, | |
| procedure\> | individuals | |
| | interviewed, | |
| | system | |
| | components | |
| | reviewed, | |
| | processes | |
| | observed, etc.) | |
| | | |
| | ***Note:** all | |
| | items tested | |
| | must be | |
| | uniquely | |
| | identified.* | |
+=================+=================+==================================+
| | **Identify** | \<Enter Response Here\> |
| | all evidence | |
| | examined for | |
| | this testing | |
| | procedure. | |
+-----------------+-----------------+----------------------------------+
| | **Describe** | \<Enter Response Here\> |
| | the results of | |
| | the testing | |
| | performed by | |
| | the assessor | |
| | for this | |
| | testing | |
| | procedure and | |
| | how these | |
| | results verify | |
| | the implemented | |
| | controls meet | |
| | the Customized | |
| | Approach | |
| | Objective. | |
+-----------------+-----------------+----------------------------------+
| **Document** | | |
| the testing | | |
| procedures | | |
| derived and | | |
| performed by | | |
| the assessor to | | |
| validate **the | | |
| controls are | | |
| maintained to | | |
| ensure ongoing | | |
| e | | |
| ffectiveness**; | | |
| for example, | | |
| how the entity | | |
| monitors for | | |
| control | | |
| effectiveness | | |
| and how control | | |
| failures are | | |
| detected, | | |
| responded to, | | |
| and the actions | | |
| taken. | | |
| | | |
| ***Note 1:** | | |
| Technical | | |
| reviews (for | | |
| example, | | |
| reviewing | | |
| configuration | | |
| settings, | | |
| operating | | |
| effectiveness, | | |
| etc.) should be | | |
| performed where | | |
| possible and | | |
| appropriate.* | | |
| | | |
| ***Note 2:** | | |
| Add additional | | |
| rows for each | | |
| a | | |
| ssessor-derived | | |
| testing | | |
| procedure, as | | |
| needed. Ensure | | |
| that all rows | | |
| to the right of | | |
| the | | |
| "A | | |
| ssessor-derived | | |
| testing | | |
| procedure" are | | |
| copied for each | | |
| a | | |
| ssessor-derived | | |
| testing | | |
| procedure that | | |
| is added.* | | |
+-----------------+-----------------+----------------------------------+
| \<A | **Identify** | \<Enter Response Here\> |
| ssessor-derived | what was tested | |
| testing | (for example, | |
| procedure\> | individuals | |
| | interviewed, | |
| | system | |
| | components | |
| | reviewed, | |
| | processes | |
| | observed, etc.) | |
| | | |
| | ***Note**: all | |
| | items tested | |
| | must be | |
| | uniquely | |
| | identified.* | |
+-----------------+-----------------+----------------------------------+
| | **Identify** | \<Enter Response Here\> |
| | all evidence | |
| | examined for | |
| | this testing | |
| | procedure. | |
+-----------------+-----------------+----------------------------------+
| | **Describe** | \<Enter Response Here\> |
| | the results of | |
| | the testing | |
| | performed by | |
| | the assessor | |
| | for this | |
| | testing | |
| | procedure and | |
| | how these | |
| | results verify | |
| | the implemented | |
| | controls are | |
| | maintained to | |
| | ensure ongoing | |
| | effectiveness. | |
+-----------------+-----------------+----------------------------------+