authorRich Kreider <rjkreider@gmail.com>2026-05-20 12:11:54 -0400
committerRich Kreider <rjkreider@gmail.com>2026-05-20 12:11:54 -0400
commit8d841a20191a212b639bfcd2986b68a7f5eb6453 (patch)
tree28b99a77e4d4c9867b178ea3df1ff2175cbace4f
parente0ba9b27116f1d3758be527390b4dcfed09a7a94 (diff)
cleanup old files, add requirements
-rw-r--r--requirements.txt3
-rw-r--r--saq_b_ip.json1183
-rw-r--r--saq_p2pe.json277
3 files changed, 3 insertions, 1460 deletions
diff --git a/requirements.txt b/requirements.txt
new file mode 100644
index 0000000..94af715
--- /dev/null
+++ b/requirements.txt
@@ -0,0 +1,3 @@
+sv_ttk>=2.6.0
+python-docx>=1.1.0
+reportlab>=4.0.0
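Review bot: All three added lines are open-ended lower bounds (`>=`), so a fresh install will resolve to whatever the newest release of sv_ttk, python-docx or reportlab is on that day, including a breaking or compromised one; nothing here makes a build reproducible. Pin each to the version the tool was actually tested with (the floors already written, e.g. `reportlab==4.0.0`, if those are the tested versions), or keep this file as the loose input and derive a hash-locked file from it (`pip-compile --generate-hashes`) that is installed with `pip install --require-hashes`. The tested versions are not visible from this diff, so the pins should come from the working environment rather than being guessed. A one-line header comment stating which Python version and platform the pins were validated against would also help the next person regenerating the lock.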
diff --git a/saq_b_ip.json b/saq_b_ip.json
deleted file mode 100644
index bc2be7d..0000000
--- a/saq_b_ip.json
+++ /dev/null
@@ -1,1183 +0,0 @@
-{
- "id": "saq_b_ip",
- "name": "SAQ B-IP",
- "version": "PCI DSS v4.0",
- "description": "For merchants using standalone, PTS-approved POI devices with an IP connection to the payment processor. Account data is not electronically stored after authorization.",
- "applicability": "This SAQ applies to merchants that use only standalone, PTS-approved point-of-interaction (POI) devices connected via IP to payment processors. The account data must not be transmitted, processed, or stored in any other system components. Merchants in this category do not store, process, or transmit cardholder data on any computer system.",
- "requirements": [
- {
- "id": "1",
- "title": "Install and Maintain Network Security Controls",
- "objective": "Network security controls (NSCs) such as firewalls and routers are the first line of defense against unauthorized access. Failure to implement and maintain these controls makes systems vulnerable to unauthorized access.",
- "controls": [
- {
- "id": "1.1",
- "title": "Processes and mechanisms for installing and maintaining network security controls are defined and understood.",
- "items": [
- {
- "id": "1.1.1",
- "question": "Are all security policies and operational procedures that are identified in Requirement 1:\n• Documented?\n• Kept up to date?\n• In use?\n• Known to all affected parties?",
- "guidance": "Examine documentation and interview personnel to verify that security policies and operational procedures are documented, current, in use, and known to all affected parties."
- },
- {
- "id": "1.1.2",
- "question": "Are all roles and responsibilities for performing activities in Requirement 1 documented, assigned, and understood?",
- "guidance": "Examine documentation and interview personnel to verify that roles and responsibilities are documented, assigned, and understood."
- }
- ]
- },
- {
- "id": "1.2",
- "title": "Network security controls (NSCs) are configured and maintained.",
- "items": [
- {
- "id": "1.2.1",
- "question": "Are configuration standards for all NSC rulesets defined and implemented, and do these configuration standards address the following:\n• All traffic is denied by default, allowing only that which is necessary.\n• All other traffic is explicitly denied.",
- "guidance": "Examine configuration standards and NSC configurations to verify that all traffic is denied by default and only necessary traffic is allowed."
- },
- {
- "id": "1.2.2",
- "question": "Are all changes to network connections and to configurations of NSCs managed in accordance with the change-control process defined at Requirement 6.5.1?",
- "guidance": "Examine network documentation and change-control records to verify that changes to NSCs are managed in accordance with the change-control process."
- },
- {
- "id": "1.2.3",
- "question": "Is an accurate network diagram(s) maintained that shows all connections between the cardholder data environment (CDE) and other networks, including any wireless networks?",
- "guidance": "Examine network diagrams and interview personnel to verify that an accurate diagram exists showing all CDE connections."
- },
- {
- "id": "1.2.4",
- "question": "Is an accurate data-flow diagram(s) maintained that meets the following:\n• Shows all account data flows across systems and networks.\n• Updated as needed upon changes to the environment.",
- "guidance": "Examine data-flow diagrams and interview personnel to verify that data flows are documented and updated as needed."
- },
- {
- "id": "1.2.5",
- "question": "Are all services, protocols, and ports allowed (inbound and outbound) identified, approved, and is there a defined business need for each?",
- "guidance": "Examine NSC configurations and interview personnel to verify all allowed services, protocols, and ports are documented with business justification."
- },
- {
- "id": "1.2.6",
- "question": "Are security features defined and implemented for all services, protocols, and ports that are in use and considered to be insecure (so that those insecure services, protocols, and ports are mitigated)?",
- "guidance": "Examine NSC configuration settings to verify security features are defined and implemented for all insecure services, protocols, and ports in use."
- },
- {
- "id": "1.2.7",
- "question": "Are configurations of NSCs reviewed at least once every six months to confirm that they remain appropriate and reflect current business needs?",
- "guidance": "Examine documentation and interview personnel to verify that NSC configurations are reviewed at least every six months."
- },
- {
- "id": "1.2.8",
- "question": "Are configuration files for NSCs secured from unauthorized access and kept consistent with active network configurations?",
- "guidance": "Examine configuration files for NSCs to verify they are secured from unauthorized access and kept consistent with active network configurations."
- }
- ]
- },
- {
- "id": "1.3",
- "title": "Network access to and from the cardholder data environment is restricted.",
- "items": [
- {
- "id": "1.3.1",
- "question": "Is inbound traffic to the CDE restricted to only that which is necessary, and is all other traffic denied?",
- "guidance": "Examine NSC configurations to verify that inbound traffic to the CDE is restricted to only necessary traffic, with all other traffic denied."
- },
- {
- "id": "1.3.2",
- "question": "Is outbound traffic from the CDE restricted to only that which is necessary, and is all other traffic denied?",
- "guidance": "Examine NSC configurations to verify that outbound traffic from the CDE is restricted to only necessary traffic, with all other traffic denied."
- },
- {
- "id": "1.3.3",
- "question": "Are NSCs installed between all wireless networks and the CDE, and do these NSCs deny or control (if such traffic is necessary for business purposes) all traffic from wireless environments into the CDE?",
- "guidance": "Examine NSC configurations to verify that NSCs are installed between all wireless networks and the CDE and deny all unnecessary wireless traffic."
- }
- ]
- },
- {
- "id": "1.4",
- "title": "Network connections between trusted and untrusted networks are controlled.",
- "items": [
- {
- "id": "1.4.1",
- "question": "Are NSCs implemented between trusted and untrusted networks?",
- "guidance": "Examine NSC configurations to verify NSCs are implemented between trusted and untrusted networks."
- },
- {
- "id": "1.4.2",
- "question": "Does inbound traffic from untrusted networks to trusted networks pass through an NSC (including that NSC denying all traffic that is not explicitly allowed)?",
- "guidance": "Examine NSC configurations and interview personnel to verify inbound traffic from untrusted networks passes through an NSC."
- },
- {
- "id": "1.4.3",
- "question": "Are anti-spoofing measures implemented to detect and block forged source IP addresses from entering the trusted network?",
- "guidance": "Examine NSC configurations to verify anti-spoofing measures are implemented."
- },
- {
- "id": "1.4.4",
- "question": "Are system components that store cardholder data not directly accessible from untrusted networks?",
- "guidance": "Examine NSC configurations to verify that system components storing cardholder data are not directly accessible from untrusted networks."
- },
- {
- "id": "1.4.5",
- "question": "Is the disclosure of internal IP addresses and routing information to unauthorized parties limited?",
- "guidance": "Examine NSC configurations to verify that internal IP addresses and routing information are not disclosed to unauthorized parties."
- }
- ]
- },
- {
- "id": "1.5",
- "title": "Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated.",
- "items": [
- {
- "id": "1.5.1",
- "question": "Are security controls implemented on any computing devices (including company- and employee-owned) that connect to both untrusted networks (including the Internet) and the CDE, as follows:\n• Specific configuration settings are defined to prevent threats from being introduced into the entity's network.\n• Security controls are actively running.\n• Security controls are not alterable by users of the devices unless specifically documented and authorized by management on a case-by-case basis for a limited time period.",
- "guidance": "Examine policies and configuration standards and interview personnel to verify security controls are implemented on devices connecting to both untrusted networks and the CDE."
- }
- ]
- }
- ]
- },
- {
- "id": "2",
- "title": "Apply Secure Configurations to All System Components",
- "objective": "Malicious individuals, both external and internal to an entity, often use default passwords and other vendor default settings to compromise systems. These passwords and settings are well known and are easily determined via public information.",
- "controls": [
- {
- "id": "2.1",
- "title": "Processes and mechanisms for applying secure configurations to all system components are defined and understood.",
- "items": [
- {
- "id": "2.1.1",
- "question": "Are all security policies and operational procedures that are identified in Requirement 2:\n• Documented?\n• Kept up to date?\n• In use?\n• Known to all affected parties?",
- "guidance": "Examine documentation and interview personnel to verify policies and procedures are documented, current, in use, and known to all affected parties."
- },
- {
- "id": "2.1.2",
- "question": "Are all roles and responsibilities for performing activities in Requirement 2 documented, assigned, and understood?",
- "guidance": "Examine documentation and interview personnel to verify roles and responsibilities are documented, assigned, and understood."
- }
- ]
- },
- {
- "id": "2.2",
- "title": "System components are configured and managed securely.",
- "items": [
- {
- "id": "2.2.1",
- "question": "Are configuration standards developed, implemented, and maintained for all system components as follows:\n• The configuration standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.\n• Configuration standards are updated as new vulnerability issues are identified, as defined in Requirement 6.3.1.\n• Configuration standards are applied when new systems are configured and verified as in place before or immediately after a system component is connected to a production environment.",
- "guidance": "Examine system configuration standards and interview personnel to verify configuration standards are developed, implemented, and maintained for all system components."
- },
- {
- "id": "2.2.2",
- "question": "Are vendor default accounts managed as follows:\n• If the vendor default account(s) will be used, the default password is changed per Requirement 8.3.6.\n• If the vendor default account(s) will not be used, the account is removed or disabled.",
- "guidance": "Examine system configuration standards and interview personnel to verify vendor default accounts are managed appropriately."
- },
- {
- "id": "2.2.3",
- "question": "Are all non-console administrative access encrypted using strong cryptography?",
- "guidance": "Examine system configuration settings and interview personnel to verify non-console administrative access is encrypted with strong cryptography."
- },
- {
- "id": "2.2.4",
- "question": "Are only necessary services, protocols, daemons, and functions enabled, and are all unnecessary functionality removed or disabled?",
- "guidance": "Examine system configuration standards and system components to verify only necessary services, protocols, daemons, and functions are enabled."
- },
- {
- "id": "2.2.5",
- "question": "If any insecure services, protocols, or daemons are present, is the business need documented and are additional security features implemented to reduce the risk of using insecure services, protocols, or daemons?",
- "guidance": "Examine system configuration standards to verify that if insecure services, protocols, or daemons are present, the business need is documented and additional security features are implemented."
- },
- {
- "id": "2.2.6",
- "question": "Are system security parameters configured to prevent misuse?",
- "guidance": "Examine system configuration standards and interview personnel to verify system security parameters are configured to prevent misuse."
- },
- {
- "id": "2.2.7",
- "question": "Are all non-console administrative access encrypted using strong cryptography, and is a management justification documented for use of all non-console administrative functions?",
- "guidance": "Examine system configuration settings to verify non-console administrative access is encrypted."
- }
- ]
- },
- {
- "id": "2.3",
- "title": "Wireless environments are configured and managed securely.",
- "items": [
- {
- "id": "2.3.1",
- "question": "For wireless environments connected to the CDE or transmitting account data, are all wireless vendor defaults changed at installation or are they confirmed to be secure, as follows:\n• Default wireless encryption keys are changed.\n• Default passwords on wireless access points are changed.\n• Default SNMP community strings on wireless devices are changed (if applicable).\n• Default passwords/passphrases on any other security-related wireless vendor defaults are changed.\n• Firmware on wireless devices is updated to support strong encryption for authentication and transmission over wireless networks.\n• Other security-related wireless vendor defaults are changed, if applicable.",
- "guidance": "Examine policies and procedures and interview responsible personnel to verify wireless vendor defaults are changed for all wireless environments connected to the CDE."
- },
- {
- "id": "2.3.2",
- "question": "For wireless environments connected to the CDE or transmitting account data, are wireless encryption keys changed as follows:\n• Whenever personnel with knowledge of the key leave the company or the role for which the knowledge was necessary.\n• Whenever a key is known or suspected to be compromised.",
- "guidance": "Examine documentation and interview personnel to verify wireless encryption keys are changed when personnel with knowledge of the key leave or when the key is known or suspected to be compromised."
- }
- ]
- }
- ]
- },
- {
- "id": "3",
- "title": "Protect Stored Account Data",
- "objective": "Protection of stored account data is key to minimizing impact of a compromise. If primary account number (PAN) data must be retained, it must be protected.",
- "controls": [
- {
- "id": "3.2",
- "title": "Storage of account data is kept to a minimum.",
- "items": [
- {
- "id": "3.2.1",
- "question": "Are the following data elements not stored after authorization (even if encrypted), unless there is a legitimate business need and the data is protected in accordance with all applicable PCI DSS requirements:\n• The full contents of any track (from the magnetic stripe on the back of a card, equivalent data contained on a chip, or elsewhere).\n• The card verification code or value (three-digit or four-digit number printed on the front or back of a payment card used to verify card-not-present transactions).\n• The personal identification number (PIN) or the encrypted PIN block.",
- "guidance": "Examine data sources to verify that the full contents of any track, card verification codes/values, and PINs are not stored after authorization."
- }
- ]
- }
- ]
- },
- {
- "id": "4",
- "title": "Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks",
- "objective": "Sensitive information must be encrypted during transmission over open, public networks because it is easy and common for a malicious individual to intercept and/or divert data while in transit.",
- "controls": [
- {
- "id": "4.1",
- "title": "Processes and mechanisms for protecting cardholder data with strong cryptography during transmission over open, public networks are defined and understood.",
- "items": [
- {
- "id": "4.1.1",
- "question": "Are all security policies and operational procedures that are identified in Requirement 4:\n• Documented?\n• Kept up to date?\n• In use?\n• Known to all affected parties?",
- "guidance": "Examine documentation and interview personnel to verify policies and procedures are documented, current, in use, and known to all affected parties."
- },
- {
- "id": "4.1.2",
- "question": "Are all roles and responsibilities for performing activities in Requirement 4 documented, assigned, and understood?",
- "guidance": "Examine documentation and interview personnel to verify roles and responsibilities are documented, assigned, and understood."
- }
- ]
- },
- {
- "id": "4.2",
- "title": "PAN is protected with strong cryptography during transmission.",
- "items": [
- {
- "id": "4.2.1",
- "question": "Are strong cryptography and security protocols implemented as follows to safeguard PAN during transmission over open, public networks:\n• Only trusted keys/certificates are accepted.\n• Certificates used for safeguarding PAN during transmission over open, public networks are confirmed as valid and are not expired or revoked.\n• The protocol in use supports only secure versions or configurations and does not support fallback to, or use of insecure versions, algorithms, key sizes, or implementations.\n• The encryption strength is appropriate for the encryption methodology in use.",
- "guidance": "Examine documented policies and procedures, and examine inbound and outbound transmissions, to verify strong cryptography and security protocols are used."
- },
- {
- "id": "4.2.1.1",
- "question": "Is an inventory of the entity's trusted keys and certificates maintained?",
- "guidance": "Examine documented policies and procedures to verify processes are in place to maintain an inventory of trusted keys and certificates."
- },
- {
- "id": "4.2.2",
- "question": "Are PAN secured with strong cryptography whenever it is sent via end-user messaging technologies (for example, e-mail, instant messaging, SMS, chat)?",
- "guidance": "Examine policies and procedures to verify PAN is secured with strong cryptography whenever sent via end-user messaging technologies."
- }
- ]
- }
- ]
- },
- {
- "id": "6",
- "title": "Develop and Maintain Secure Systems and Software",
- "objective": "Security vulnerabilities in systems and applications may allow criminals to access account data. Many of these vulnerabilities are eliminated by installing vendor-provided security patches.",
- "controls": [
- {
- "id": "6.3",
- "title": "Security vulnerabilities are identified and addressed.",
- "items": [
- {
- "id": "6.3.3",
- "question": "Are all system components protected from known vulnerabilities by installing applicable security patches/updates, as follows:\n• Patches/updates for critical vulnerabilities (identified per the risk ranking process at Requirement 6.3.1) are installed within one month of release.\n• All other applicable security patches/updates are installed within a defined time frame as established by the entity (not to exceed six months of release).",
- "guidance": "Examine policies and procedures and system configuration settings to verify applicable security patches are installed within the defined time frame."
- }
- ]
- },
- {
- "id": "6.4",
- "title": "Public-facing web applications are protected against attacks.",
- "items": [
- {
- "id": "6.4.1",
- "question": "For POI devices (that is, IP-connected payment terminals):\n• Are all applicable security patches and updates installed?\n• Are configurations on POI devices consistent with the vendor's hardening recommendations?\n• Is access to POI devices controlled and logged?\n• Are POI devices checked periodically for tampering or unexpected changes?",
- "guidance": "Examine policies and procedures, and interview personnel, to verify POI devices are maintained and secured per vendor recommendations and are periodically checked."
- }
- ]
- }
- ]
- },
- {
- "id": "8",
- "title": "Identify Users and Authenticate Access to System Components",
- "objective": "Two fundamental principles of identifying and authenticating users are to know who is accessing your system and to ensure that each person who accesses a system is positively identified.",
- "controls": [
- {
- "id": "8.1",
- "title": "Processes and mechanisms for identifying users and authenticating access to system components are defined and understood.",
- "items": [
- {
- "id": "8.1.1",
- "question": "Are all security policies and operational procedures that are identified in Requirement 8:\n• Documented?\n• Kept up to date?\n• In use?\n• Known to all affected parties?",
- "guidance": "Examine documentation and interview personnel to verify policies and procedures are documented, current, in use, and known to all affected parties."
- },
- {
- "id": "8.1.2",
- "question": "Are all roles and responsibilities for performing activities in Requirement 8 documented, assigned, and understood?",
- "guidance": "Examine documentation and interview personnel to verify roles and responsibilities are documented, assigned, and understood."
- }
- ]
- },
- {
- "id": "8.2",
- "title": "User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle.",
- "items": [
- {
- "id": "8.2.1",
- "question": "Are all users assigned a unique ID before allowing them to access system components or cardholder data?",
- "guidance": "Examine procedures and evidence to verify all users are assigned a unique ID."
- },
- {
- "id": "8.2.2",
- "question": "Are group, shared, or generic accounts, or other shared authentication credentials only used when necessary on an exception basis, and are they managed as follows:\n• Account use is prevented unless needed for an exceptional circumstance.\n• Use is limited to the time needed for the exceptional circumstance.\n• Business justification is documented.\n• Use is explicitly approved by management.\n• Individual user identity is confirmed before access to an account is granted.\n• Every action taken is attributable to an individual user.",
- "guidance": "Examine user account lists and interview personnel to verify group, shared, or generic accounts are managed per requirements."
- },
- {
- "id": "8.2.3",
- "question": "Are additional authentication factors required for all non-consumer user access to all systems and any accounts within the cardholder data environment? (Note: This is the multi-factor authentication [MFA] requirement for all non-console administrative access.)",
- "guidance": "Examine system configuration settings and interview personnel to verify MFA is required for non-console administrative access."
- },
- {
- "id": "8.2.4",
- "question": "Are additions, deletions, and modifications to user IDs, authentication factors, and other identifier objects managed as follows:\n• Authorized with appropriate approval.\n• Implemented with only the privileges specified on the approved authorization.",
- "guidance": "Examine authentication policies and procedures and interview personnel to verify additions, deletions, and modifications to user IDs are managed appropriately."
- },
- {
- "id": "8.2.5",
- "question": "Are access for terminated users immediately deactivated or removed?",
- "guidance": "Examine procedures for terminating users and a sample of recently terminated users to verify access was immediately deactivated or removed."
- },
- {
- "id": "8.2.6",
- "question": "Are inactive user accounts either removed or disabled within 90 days of inactivity?",
- "guidance": "Examine user accounts and interview personnel to verify inactive user accounts are removed or disabled within 90 days of inactivity."
- },
- {
- "id": "8.2.7",
- "question": "Are accounts used by third parties to access, support, or maintain system components via remote access managed as follows:\n• Enabled only during the time period needed and disabled when not in use.\n• Use is monitored for unexpected activity.",
- "guidance": "Examine policies and procedures and interview personnel to verify third-party remote access accounts are enabled only when needed and monitored."
- },
- {
- "id": "8.2.8",
- "question": "If a user session has been idle for more than 15 minutes, is the user required to re-authenticate to re-activate the terminal or session?",
- "guidance": "Examine system configuration settings to verify idle sessions are set to time out and require re-authentication after no more than 15 minutes."
- }
- ]
- },
- {
- "id": "8.3",
- "title": "User authentication for users and administrators is established and managed.",
- "items": [
- {
- "id": "8.3.1",
- "question": "Are all user passwords/passphrases for user access to system components set to meet all the following minimum requirements:\n• A minimum length of at least 12 characters (or IF the system does not support 12 characters, a minimum length of eight characters).\n• Contains both numeric and alphabetic characters.",
- "guidance": "Examine system configuration settings to verify passwords/passphrases meet minimum length and complexity requirements."
- },
- {
- "id": "8.3.2",
- "question": "Are strong cryptography used to render all authentication factors (such as passwords/passphrases) unreadable during transmission and storage on all system components?",
- "guidance": "Examine vendor documentation and system configuration settings to verify strong cryptography is used to render all authentication factors unreadable during transmission and storage."
- },
- {
- "id": "8.3.3",
- "question": "Is user identity verified before modifying any authentication factor?",
- "guidance": "Examine procedures and observe personnel to verify user identity is verified before modifying any authentication factor."
- },
- {
- "id": "8.3.4",
- "question": "Is invalid authentication attempt tracking implemented as follows:\n• Invalid attempts are limited to not more than 10 attempts.\n• The account is locked out for a minimum of 30 minutes or until the account is reset by an administrator.",
- "guidance": "Examine system configuration settings to verify invalid authentication attempts are tracked and the account is locked out appropriately."
- },
- {
- "id": "8.3.5",
- "question": "If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, are passwords/passphrases for first use and upon reset set to a unique value for each user and changed immediately after the first use?",
- "guidance": "Examine policies and procedures and interview personnel to verify first-use and reset passwords are set to a unique value for each user and changed immediately after first use."
- },
- {
- "id": "8.3.6",
- "question": "If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, do they meet the following minimum level of complexity upon a new password/passphrase set or reset:\n• A minimum length of at least 12 characters (or IF the system does not support 12 characters, a minimum length of eight characters).\n• Contains both numeric and alphabetic characters.",
- "guidance": "Examine system configuration settings to verify passwords/passphrases meet complexity requirements when set or reset."
- },
- {
- "id": "8.3.7",
- "question": "Are individuals not allowed to submit a new password/passphrase that is the same as any of the last four passwords/passphrases used?",
- "guidance": "Examine system configuration settings to verify that password history is enforced and individuals cannot reuse any of the last four passwords."
- },
- {
- "id": "8.3.8",
- "question": "Are authentication policies and procedures documented and communicated to all users including:\n• Guidance on selecting strong authentication factors.\n• Guidance for how users should protect their authentication factors.\n• Instructions not to reuse previously used passwords/passphrases.\n• Instructions to change passwords/passphrases if there is any suspicion or knowledge that the password/passphrase has been compromised and how to report the incident.",
- "guidance": "Examine authentication policies and procedures and interview personnel to verify authentication policies are documented and communicated to all users."
- },
- {
- "id": "8.3.9",
- "question": "If passwords/passphrases are used as the only authentication factor for user access (i.e., in any single-factor authentication implementation), are passwords/passphrases changed at least once every 90 days?\nOR\nIs the security posture of accounts dynamically analyzed, and real-time access to resources automatically determined accordingly?",
- "guidance": "Examine system configuration settings to verify passwords are changed at least once every 90 days, OR that dynamic analysis is implemented."
- },
- {
- "id": "8.3.10",
- "question": "Additional requirement for service providers only: If passwords/passphrases are used as the only authentication factor for customer user access to cardholder data (i.e., in any single-factor authentication implementation), are guidance provided to customers regarding changing their passwords/passphrases, and is guidance provided at a minimum annually?",
- "guidance": "This requirement applies only to service providers. Examine policies and procedures to verify guidance is provided to customers."
- },
- {
- "id": "8.3.10.1",
- "question": "Additional requirement for service providers only: If passwords/passphrases are used as the only authentication factor for customer user access, are customer passwords/passphrases changed at least once every 90 days or the security posture of accounts dynamically analyzed?",
- "guidance": "This requirement applies only to service providers."
- },
- {
- "id": "8.3.11",
- "question": "Where authentication factors such as physical or logical security tokens, smart cards, or certificates are used, are they assigned as follows:\n• Assigned to an individual user and not shared among multiple users.\n• Physical and/or logical controls ensure only the intended user can use that factor to gain access.",
- "guidance": "Examine authentication policies and procedures and interview personnel to verify authentication factors are assigned to individual users and cannot be shared."
- }
- ]
- },
- {
- "id": "8.4",
- "title": "Multi-factor authentication (MFA) is implemented to secure access into the CDE.",
- "items": [
- {
- "id": "8.4.1",
- "question": "Is MFA implemented for all non-console access into the CDE for personnel with administrative access?",
- "guidance": "Examine network and/or system configurations and interview personnel to verify MFA is implemented for all non-console access into the CDE for personnel with administrative access."
- },
- {
- "id": "8.4.2",
- "question": "Is MFA implemented for all access into the CDE?",
- "guidance": "Examine network and/or system configurations and interview personnel to verify MFA is implemented for all access into the CDE."
- },
- {
- "id": "8.4.3",
- "question": "Is MFA implemented for all remote network access originating from outside the entity's network that could access or impact the CDE as follows:\n• All remote access by all personnel, both users and administrators, originating from outside the entity's network.\n• All remote access by third parties and vendors.",
- "guidance": "Examine network and/or system configurations and interview personnel to verify MFA is implemented for all remote network access."
- }
- ]
- },
- {
- "id": "8.5",
- "title": "Multi-factor authentication (MFA) systems are configured to prevent misuse.",
- "items": [
- {
- "id": "8.5.1",
- "question": "Are MFA systems implemented as follows:\n• The MFA system is not susceptible to replay attacks.\n• MFA systems cannot be bypassed by any user, including administrative users, unless specifically documented and authorized by management on an exception basis, for a limited time period.\n• At least two different types of authentication factors are used.\n• Success of all authentication factors is required before access is granted.",
- "guidance": "Examine vendor system documentation and system configurations to verify MFA systems are configured to prevent bypass and replay attacks."
- }
- ]
- },
- {
- "id": "8.6",
- "title": "Use of application and system accounts and associated authentication factors is strictly managed.",
- "items": [
- {
- "id": "8.6.1",
- "question": "If accounts used by systems or applications can be used for interactive login, are they managed as follows:\n• Interactive use is prevented unless needed for an exceptional circumstance.\n• Interactive use is limited to the time needed for the exceptional circumstance.\n• Business justification for interactive use is documented.\n• Interactive use is explicitly approved by management.\n• Individual user identity is confirmed before access to account is granted.\n• Every action taken is attributable to an individual user.",
- "guidance": "Examine application/system accounts and interview personnel to verify system/application accounts used for interactive login are managed appropriately."
- },
- {
- "id": "8.6.2",
- "question": "Are passwords/passphrases for any application and system accounts that can be used for interactive login not hard coded in scripts, configuration/property files, or bespoke and custom source code?",
- "guidance": "Examine scripts, configuration files, and source code used by application and system accounts to verify passwords/passphrases are not hard coded."
- },
- {
- "id": "8.6.3",
- "question": "Are passwords/passphrases for any application and system accounts protected against misuse as follows:\n• Passwords/passphrases are changed periodically (at the frequency defined in the entity's targeted risk analysis) and upon suspicion or confirmation of compromise.\n• Passwords/passphrases are constructed with sufficient complexity appropriate for how frequently the credential is rotated.",
- "guidance": "Examine policies and procedures and interview personnel to verify application and system account passwords are changed periodically and are constructed with sufficient complexity."
- }
- ]
- }
- ]
- },
- {
- "id": "9",
- "title": "Restrict Physical Access to Cardholder Data",
- "objective": "Any physical access to cardholder data or systems that store, process, or transmit cardholder data provides the opportunity for individuals to access and/or remove systems or hardcopies containing cardholder data.",
- "controls": [
- {
- "id": "9.1",
- "title": "Processes and mechanisms for restricting physical access to cardholder data are defined and understood.",
- "items": [
- {
- "id": "9.1.1",
- "question": "Are all security policies and operational procedures that are identified in Requirement 9:\n• Documented?\n• Kept up to date?\n• In use?\n• Known to all affected parties?",
- "guidance": "Examine documentation and interview personnel to verify policies and procedures are documented, current, in use, and known to all affected parties."
- },
- {
- "id": "9.1.2",
- "question": "Are all roles and responsibilities for performing activities in Requirement 9 documented, assigned, and understood?",
- "guidance": "Examine documentation and interview personnel to verify roles and responsibilities are documented, assigned, and understood."
- }
- ]
- },
- {
- "id": "9.2",
- "title": "Physical access controls manage entry into facilities and systems containing cardholder data.",
- "items": [
- {
- "id": "9.2.1",
- "question": "Are appropriate physical access controls in place for facilities containing the CDE to distinguish between employees and visitors, as follows:\n• Identification of personnel on-site (e.g., ID badges).\n• Changes to physical access requirements communicated to facility security personnel.\n• Revoking or terminating identification devices such as key cards for personnel whose access has changed or been terminated.",
- "guidance": "Observe physical access controls and interview personnel to verify appropriate physical controls distinguish between employees and visitors."
- },
- {
- "id": "9.2.1.1",
- "question": "Are individual physical access to sensitive areas within the CDE monitored with either video cameras or physical access control mechanisms (or both), and is the data from video cameras and/or physical access control mechanisms reviewed and correlated with other entries, and stored for at least three months unless otherwise restricted by law?",
- "guidance": "Examine documentation and observe physical access control mechanisms to verify individual physical access to sensitive areas is monitored and data is stored for at least three months."
- },
- {
- "id": "9.2.2",
- "question": "Are physical and/or logical controls implemented to restrict use of publicly accessible network jacks within the facility?",
- "guidance": "Examine policies and procedures and observe network jacks to verify controls restrict use of publicly accessible network jacks."
- },
- {
- "id": "9.2.3",
- "question": "Are physical access to wireless access points, gateways, networking/communications hardware, and telecommunication lines within the facility restricted?",
- "guidance": "Examine policies and procedures and observe physical access controls to verify access to wireless access points, gateways, and networking hardware is restricted."
- },
- {
- "id": "9.2.4",
- "question": "Is access to consoles in sensitive areas restricted via locking when not in use?",
- "guidance": "Examine policies and procedures and observe consoles to verify access is restricted via locking when not in use."
- }
- ]
- },
- {
- "id": "9.3",
- "title": "Physical access for personnel and visitors is authorized and managed.",
- "items": [
- {
- "id": "9.3.1",
- "question": "Are all physical access by personnel to the CDE authorized, as follows:\n• Access is authorized before being granted.\n• Access is revoked immediately upon termination.",
- "guidance": "Examine lists of personnel with access and interview personnel responsible for granting access to verify physical access is authorized and revoked appropriately."
- },
- {
- "id": "9.3.1.1",
- "question": "Is access to the CDE by visitors authorized and managed as follows:\n• Visitors are authorized before entering areas where cardholder data is processed or maintained.\n• Visitors are escorted at all times within areas where cardholder data is processed or maintained.\n• Visitors are clearly identified and distinguished from personnel.",
- "guidance": "Observe procedures for visitor access and examine visitor logs to verify visitor access is authorized and managed."
- },
- {
- "id": "9.3.2",
- "question": "Are procedures implemented to identify and authorize visitors, as follows:\n• Visitors are required to register before entering the CDE.\n• Visitors are given a physical token (for example, a badge or access device) that expires and that identifies the visitor as not a permanent employee.\n• Visitors are asked to surrender the physical token before leaving the facility or at the date of expiration.",
- "guidance": "Examine visitor control procedures and documentation to verify visitor identification and authorization procedures are implemented."
- },
- {
- "id": "9.3.3",
- "question": "Are visitor badges or identification devices surrendered or deactivated before visitors leave the facility or upon expiration?",
- "guidance": "Examine visitor control procedures and observe visitor badges to verify visitor badges are surrendered or deactivated upon leaving the facility or upon expiration."
- },
- {
- "id": "9.3.4",
- "question": "Is a visitor log used to maintain a physical audit trail of visitor activity in the facility and in computer rooms where cardholder data is present, and is the log reviewed periodically and retained for at least three months?",
- "guidance": "Examine the visitor log and interview personnel to verify a visitor log is maintained and retained for at least three months."
- }
- ]
- },
- {
- "id": "9.4",
- "title": "Media with cardholder data is securely accessed, distributed, and destroyed.",
- "items": [
- {
- "id": "9.4.1",
- "question": "Are all media with cardholder data physically secured?",
- "guidance": "Examine documentation and observe physical media storage to verify all media with cardholder data is physically secured."
- },
- {
- "id": "9.4.1.1",
- "question": "Is offline media backup with cardholder data stored in a secure location?",
- "guidance": "Examine documentation and observe storage location to verify offline media backup with cardholder data is stored in a secure location."
- },
- {
- "id": "9.4.1.2",
- "question": "Is the security of the offline media backup storage location reviewed at least once every 12 months?",
- "guidance": "Examine documentation to verify security reviews of the offline media backup storage location occur at least annually."
- },
- {
- "id": "9.4.2",
- "question": "Are all media with cardholder data classified in accordance with the sensitivity of the data?",
- "guidance": "Examine documentation and observe media classification to verify all media with cardholder data is classified in accordance with the sensitivity of the data."
- },
- {
- "id": "9.4.3",
- "question": "Is media with cardholder data sent by secured courier or other delivery method that can be accurately tracked?",
- "guidance": "Examine documentation and interview personnel to verify media is sent by secured courier or other delivery method that can be accurately tracked."
- },
- {
- "id": "9.4.4",
- "question": "Is management approval obtained prior to moving media with cardholder data from a secured area (including when media is distributed to individuals)?",
- "guidance": "Examine documentation and interview personnel to verify management approval is obtained prior to moving media with cardholder data."
- },
- {
- "id": "9.4.5",
- "question": "Are inventory logs of all electronic media with cardholder data maintained?",
- "guidance": "Examine documentation to verify inventory logs of all electronic media with cardholder data are maintained."
- },
- {
- "id": "9.4.5.1",
- "question": "Are inventories of electronic media with cardholder data conducted at least once every 12 months?",
- "guidance": "Examine documentation to verify inventories of electronic media are conducted at least once every 12 months."
- },
- {
- "id": "9.4.6",
- "question": "Are hard-copy materials with cardholder data destroyed when no longer needed for business or legal reasons, as follows:\n• Materials are cross-cut shredded, incinerated, or pulped so that cardholder data cannot be reconstructed.\n• Materials are stored in secure storage containers prior to destruction.",
- "guidance": "Examine the periodic media destruction policy and interview personnel to verify hard-copy materials with cardholder data are destroyed in a secure manner when no longer needed."
- },
- {
- "id": "9.4.7",
- "question": "Are electronic media with cardholder data destroyed when no longer needed for business or legal reasons via one of the following:\n• The electronic media is destroyed.\n• The cardholder data is rendered unrecoverable so that cardholder data cannot be reconstructed.",
- "guidance": "Examine the media destruction policy and observe the destruction process to verify electronic media with cardholder data is destroyed when no longer needed."
- }
- ]
- },
- {
- "id": "9.5",
- "title": "Point-of-interaction (POI) devices are protected from tampering and unauthorized substitution.",
- "items": [
- {
- "id": "9.5.1",
- "question": "Are POI devices that capture payment card data via direct physical interaction with the payment card form factor protected from tampering and unauthorized substitution, including the following:\n• Maintaining a list of POI devices.\n• Periodically inspecting POI devices to look for tampering or unauthorized substitution.\n• Training personnel to be aware of suspicious behavior and to report tampering or unauthorized substitution of devices.",
- "guidance": "Examine documented policies and procedures and interview responsible personnel to verify POI devices are protected from tampering and unauthorized substitution."
- },
- {
- "id": "9.5.1.1",
- "question": "Is the list of POI devices maintained and does it include the following:\n• Make and model of the device.\n• Location of device (for example, the address of the site or facility where the device is located).\n• Device serial number or other method of unique identification.",
- "guidance": "Examine the list of POI devices and interview personnel to verify the list includes make, model, location, and serial number or other unique identification."
- },
- {
- "id": "9.5.1.2",
- "question": "Are POI device surfaces periodically inspected to detect tampering (for example, addition of card skimmers to devices) and unauthorized substitution (for example, checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device), as follows:\n• The frequency of inspections and the type of inspections performed is defined in the entity's targeted risk analysis.\n• All POI devices are inspected.",
- "guidance": "Examine documented procedures and interview personnel to verify POI devices are periodically inspected to detect tampering and unauthorized substitution."
- },
- {
- "id": "9.5.1.2.1",
- "question": "Are inspections of POI devices performed at the frequency or more frequently as defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1?",
- "guidance": "Examine the entity's targeted risk analysis for the frequency of POI device inspections and compare the analysis to documented evidence of inspections."
- },
- {
- "id": "9.5.1.3",
- "question": "Is training provided to personnel to be aware of attempted tampering or replacement of POI devices, and does the training include the following:\n• Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices.\n• Do not install, replace, or return devices without verification.\n• Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices).\n• Report suspicious behavior and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer).",
- "guidance": "Examine training materials and interview personnel to verify training covers awareness of POI device tampering and unauthorized substitution."
- }
- ]
- }
- ]
- },
- {
- "id": "10",
- "title": "Log and Monitor All Access to System Components and Cardholder Data",
- "objective": "Logging mechanisms and the ability to track user activities are critical for effective forensics and access controls. The presence of logs allows thorough tracking and analysis when something goes wrong.",
- "controls": [
- {
- "id": "10.1",
- "title": "Processes and mechanisms for logging and monitoring all access to system components and cardholder data are defined and documented.",
- "items": [
- {
- "id": "10.1.1",
- "question": "Are all security policies and operational procedures that are identified in Requirement 10:\n• Documented?\n• Kept up to date?\n• In use?\n• Known to all affected parties?",
- "guidance": "Examine documentation and interview personnel to verify policies and procedures are documented, current, in use, and known to all affected parties."
- },
- {
- "id": "10.1.2",
- "question": "Are all roles and responsibilities for performing activities in Requirement 10 documented, assigned, and understood?",
- "guidance": "Examine documentation and interview personnel to verify roles and responsibilities are documented, assigned, and understood."
- }
- ]
- },
- {
- "id": "10.2",
- "title": "Audit logs capture all individual user access to cardholder data.",
- "items": [
- {
- "id": "10.2.1",
- "question": "Are audit logs enabled and active for all system components in the CDE?",
- "guidance": "Examine system configurations to verify audit logging is enabled for all system components in the CDE."
- },
- {
- "id": "10.2.1.1",
- "question": "Are audit logs capture all individual user access to cardholder data?",
- "guidance": "Examine audit log configurations to verify individual user access to cardholder data is captured."
- },
- {
- "id": "10.2.1.2",
- "question": "Are all actions by any individual with root or administrative privileges captured in audit logs?",
- "guidance": "Examine audit log configurations to verify all actions by root or administrative users are captured."
- },
- {
- "id": "10.2.1.3",
- "question": "Are access to all audit logs captured in audit logs?",
- "guidance": "Examine audit log configurations to verify access to audit logs is captured."
- },
- {
- "id": "10.2.1.4",
- "question": "Are invalid logical access attempts captured in audit logs?",
- "guidance": "Examine audit log configurations to verify invalid logical access attempts are captured."
- },
- {
- "id": "10.2.1.5",
- "question": "Are use of and changes to identification and authentication mechanisms — including but not limited to creation of new accounts and elevation of privileges — and all changes, additions, or deletions to accounts with root or administrative privileges captured in audit logs?",
- "guidance": "Examine audit log configurations to verify changes to authentication mechanisms and privileged accounts are captured."
- },
- {
- "id": "10.2.1.6",
- "question": "Are initialization, stopping, or pausing of the audit logs captured in audit logs?",
- "guidance": "Examine audit log configurations to verify initialization, stopping, or pausing of audit logs is captured."
- },
- {
- "id": "10.2.1.7",
- "question": "Are creation and deletion of system-level objects captured in audit logs?",
- "guidance": "Examine audit log configurations to verify creation and deletion of system-level objects is captured."
- },
- {
- "id": "10.2.2",
- "question": "Do audit logs capture all individual user access to cardholder data and include the following elements for each event:\n• User identification.\n• Type of event.\n• Date and time.\n• Success or failure indication.\n• Origination of event.\n• Identity or name of affected data, system component, resource, or service (for example, name and protocol).",
- "guidance": "Examine audit log configurations and a sample of audit logs to verify logs include the required elements."
- }
- ]
- },
- {
- "id": "10.3",
- "title": "Audit logs are protected from destruction and unauthorized modifications.",
- "items": [
- {
- "id": "10.3.1",
- "question": "Are log files protected to prevent modifications by individuals?",
- "guidance": "Examine system configurations and audit log files to verify only individuals with a job-related need can view log files and that logs are protected against modifications."
- },
- {
- "id": "10.3.2",
- "question": "Are log files protected to prevent modification by individuals by implementing one or more of the following:\n• Audit log files are sent to a centralized, internal log server or other media that is difficult to alter.\n• The audit logs are sent to an external log server.\n• Write-once media.",
- "guidance": "Examine log storage systems and configurations to verify logs are protected from modifications."
- },
- {
- "id": "10.3.3",
- "question": "Are log files, including those for external-facing technologies, promptly backed up to a centralized, secure, internal log server(s) or other media that is difficult to alter?",
- "guidance": "Examine backup configurations and log storage to verify log files are promptly backed up to a secure, centralized location."
- }
- ]
- },
- {
- "id": "10.4",
- "title": "Audit logs are reviewed to identify anomalies or suspicious activity.",
- "items": [
- {
- "id": "10.4.1",
- "question": "Are the following audit logs reviewed at least once daily:\n• All security events.\n• Logs of all system components that store, process, or transmit CHD and/or SAD.\n• Logs of all critical system components.\n• Logs of all servers and system components that perform security functions (for example, NSCs, IDS/IPS, authentication servers).",
- "guidance": "Examine policies and procedures and interview personnel to verify audit logs are reviewed at least once daily."
- },
- {
- "id": "10.4.1.1",
- "question": "Are automated mechanisms used to perform audit log reviews?",
- "guidance": "Examine policies, procedures, and system configurations to verify automated mechanisms are used to perform audit log reviews."
- },
- {
- "id": "10.4.2",
- "question": "Are logs of all other system components (not specified in Requirement 10.4.1) reviewed periodically?",
- "guidance": "Examine policies and procedures and interview personnel to verify logs of other system components are reviewed periodically."
- },
- {
- "id": "10.4.2.1",
- "question": "Are reviews of logs of other system components performed at the frequency specified in the entity's targeted risk analysis?",
- "guidance": "Examine the entity's targeted risk analysis and compare it with the log review frequency to verify logs are reviewed at the appropriate frequency."
- },
- {
- "id": "10.4.3",
- "question": "Are exceptions and anomalies identified during the review process addressed?",
- "guidance": "Examine policies and procedures and interview personnel to verify exceptions and anomalies identified during log reviews are addressed."
- }
- ]
- },
- {
- "id": "10.5",
- "title": "Audit log history is retained and available for analysis.",
- "items": [
- {
- "id": "10.5.1",
- "question": "Are audit logs retained for at least 12 months, with at least the most recent three months available for immediate analysis?",
- "guidance": "Examine audit log storage configurations and logs to verify logs are retained for at least 12 months, with at least three months available for immediate analysis."
- }
- ]
- },
- {
- "id": "10.6",
- "title": "Time-synchronization mechanisms support consistent time settings across all systems.",
- "items": [
- {
- "id": "10.6.1",
- "question": "Are system clocks and time synchronized using time-synchronization technology?",
- "guidance": "Examine system configurations and time synchronization settings to verify system clocks are synchronized using a time-synchronization technology."
- },
- {
- "id": "10.6.2",
- "question": "Are systems configured to the correct and consistent time as follows:\n• One or more designated time servers exist, and only designated central time server(s) receive time from external sources, and time received from external sources is based on International Atomic Time or UTC.\n• Where there is more than one designated time server, the time servers peer with one another to keep accurate time.\n• Systems receive time information only from designated central time server(s).",
- "guidance": "Examine system configurations to verify systems are configured to use designated central time server(s) that receive time from an external source."
- },
- {
- "id": "10.6.3",
- "question": "Are time synchronization settings and data protected as follows:\n• Access to time data is restricted to only personnel with a business need.\n• Any changes to time settings on critical systems are logged, monitored, and reviewed.",
- "guidance": "Examine system configurations to verify access to time data is restricted and changes to time settings on critical systems are logged and reviewed."
- }
- ]
- },
- {
- "id": "10.7",
- "title": "Failures of critical security controls are detected, reported, and responded to promptly.",
- "items": [
- {
- "id": "10.7.1",
- "question": "Additional requirement for service providers only: Are failures of critical security controls detected, alerted, and addressed promptly, and do detection and alerting processes address failures of NSCs, IDS/IPS, FIM, anti-malware solutions, physical access controls, logical access controls, audit logging mechanisms, and segmentation controls?",
- "guidance": "This requirement applies only to service providers. Examine documentation and interview personnel."
- },
- {
- "id": "10.7.2",
- "question": "Are failures of critical security controls detected, alerted, and addressed promptly, and do the detection and alerting processes include failures of all control types in Requirement 10.7.1 (if applicable) as well as those for:\n• NSCs.\n• IDS/IPS.\n• Change-detection mechanisms (FIM).\n• Anti-malware solutions.\n• Physical access controls.\n• Logical access controls.\n• Audit logging mechanisms.\n• Segmentation controls (if used).",
- "guidance": "Examine documentation and interview personnel to verify failures of critical security controls are detected, alerted, and addressed promptly."
- },
- {
- "id": "10.7.3",
- "question": "Are failures of critical security controls responded to promptly, and do response processes include:\n• Restoring security functions.\n• Identifying and documenting the duration (date and time start to end) of the security failure.\n• Identifying and documenting the cause(s) of the failure and documenting required remediation.\n• Identifying and addressing any security issues that arose during the failure.\n• Performing a risk assessment to determine whether further actions are required as a result of the security failure.\n• Implementing controls to prevent the cause of failure from reoccurring.\n• Resuming monitoring of security controls.",
- "guidance": "Examine documentation and interview personnel to verify failures of critical security controls are responded to promptly with appropriate remediation steps."
- }
- ]
- }
- ]
- },
- {
- "id": "11",
- "title": "Test Security of Systems and Networks Regularly",
- "objective": "Vulnerabilities are being discovered continuously by malicious individuals and researchers. System components, processes, and custom software should be tested frequently to ensure that security controls continue to reflect a changing environment.",
- "controls": [
- {
- "id": "11.1",
- "title": "Processes and mechanisms for regularly testing security of systems and networks are defined and understood.",
- "items": [
- {
- "id": "11.1.1",
- "question": "Are all security policies and operational procedures that are identified in Requirement 11:\n• Documented?\n• Kept up to date?\n• In use?\n• Known to all affected parties?",
- "guidance": "Examine documentation and interview personnel to verify policies and procedures are documented, current, in use, and known to all affected parties."
- },
- {
- "id": "11.1.2",
- "question": "Are all roles and responsibilities for performing activities in Requirement 11 documented, assigned, and understood?",
- "guidance": "Examine documentation and interview personnel to verify roles and responsibilities are documented, assigned, and understood."
- }
- ]
- },
- {
- "id": "11.2",
- "title": "Wireless access points are identified and monitored, and unauthorized wireless access points are addressed.",
- "items": [
- {
- "id": "11.2.1",
- "question": "Are authorized and unauthorized wireless access points managed as follows:\n• Testing for the presence of wireless access points (using physical/logical controls) is performed at least once every three months.\n• OR automatic monitoring is implemented to detect and alert personnel to the presence of wireless access points.\n• All detected authorized and unauthorized wireless access points are reviewed and any unauthorized access points discovered are responded to using the incident response plan.",
- "guidance": "Examine policies and procedures and interview responsible personnel to verify wireless access points are managed and unauthorized access points are detected and responded to."
- },
- {
- "id": "11.2.2",
- "question": "Is an inventory of authorized wireless access points maintained, including a documented business justification for each?",
- "guidance": "Examine the inventory of authorized wireless access points and interview personnel to verify an inventory exists with business justification for each access point."
- }
- ]
- },
- {
- "id": "11.3",
- "title": "External and internal vulnerabilities are regularly identified, prioritized, and addressed.",
- "items": [
- {
- "id": "11.3.1",
- "question": "Are internal vulnerability scans performed as follows:\n• At least once every three months.\n• High-risk and critical vulnerabilities (per the entity's vulnerability risk ranking) are resolved.\n• Rescans are performed as needed to verify that all high-risk and critical vulnerabilities (as noted in Requirement 11.3.1.1) are resolved.\n• Scanning tools are kept up to date.\n• Qualified personnel perform scans.",
- "guidance": "Examine the scan reports from the last 12 months and interview responsible personnel to verify internal vulnerability scans meet all requirements."
- },
- {
- "id": "11.3.1.1",
- "question": "Are all other applicable vulnerabilities (those not ranked as high-risk or critical per the entity's vulnerability risk ranking at Requirement 6.3.1) managed as follows:\n• Addressed based on the risk defined in the entity's targeted risk analysis.\n• Rescans are conducted as needed.",
- "guidance": "Examine policies and procedures and vulnerability scan reports to verify non-critical vulnerabilities are managed based on risk."
- },
- {
- "id": "11.3.1.2",
- "question": "Are internal vulnerability scans performed via authenticated scanning as follows:\n• Systems that are unable to accept credentials for authenticated scanning are documented.\n• Sufficient privileges are used for those systems that accept credentials for scanning.\n• Network accounts used for authenticated scanning are disabled when not in use.",
- "guidance": "Examine scan configuration settings and interview personnel to verify authenticated scanning is performed for internal vulnerability scans."
- },
- {
- "id": "11.3.1.3",
- "question": "Are internal vulnerability scans performed after any significant change as follows:\n• Vulnerabilities that pose a risk to the environment are resolved.\n• Rescans are conducted as needed.\n• Scans are performed by qualified personnel.",
- "guidance": "Examine change control documentation and scan reports to verify vulnerability scans are performed after significant changes."
- },
- {
- "id": "11.3.2",
- "question": "Are external vulnerability scans performed as follows:\n• At least once every three months.\n• By a PCI SSC Approved Scanning Vendor (ASV).\n• Vulnerabilities are resolved and ASV Program Guide requirements are met.\n• Rescans are performed as needed to confirm all vulnerabilities are resolved.",
- "guidance": "Examine the scan reports from the last 12 months and interview responsible personnel to verify external vulnerability scans are performed at least quarterly by an ASV."
- },
- {
- "id": "11.3.2.1",
- "question": "Are external vulnerability scans performed after any significant change as follows:\n• Vulnerabilities that pose a risk to the environment are resolved.\n• Rescans are conducted as needed.\n• Scans are performed by qualified personnel (internal or ASV).",
- "guidance": "Examine change control documentation and scan reports to verify external vulnerability scans are performed after significant changes."
- }
- ]
- }
- ]
- },
- {
- "id": "12",
- "title": "Support Information Security with Organizational Policies and Programs",
- "objective": "The organization's overall information security policy sets the tone for the whole entity and informs employees of what is expected of them. All employees should be aware of the sensitivity of cardholder data and their responsibilities for protecting it.",
- "controls": [
- {
- "id": "12.1",
- "title": "A comprehensive information security policy that governs and provides direction for protection of the entity's information assets is known and current.",
- "items": [
- {
- "id": "12.1.1",
- "question": "Is an overall information security policy established, published, maintained, and disseminated to all relevant personnel, as well as to relevant vendors and business partners?",
- "guidance": "Examine the information security policy and interview personnel to verify an overall information security policy is established, published, maintained, and disseminated."
- },
- {
- "id": "12.1.2",
- "question": "Is the information security policy reviewed at least once every 12 months and updated when the environment changes?",
- "guidance": "Examine the information security policy and interview personnel to verify the policy is reviewed at least annually and updated as needed."
- },
- {
- "id": "12.1.3",
- "question": "Is the information security policy clearly defines information security roles and responsibilities for all personnel, and do all personnel understand and acknowledge their information security responsibilities?",
- "guidance": "Examine the information security policy and interview personnel to verify roles and responsibilities are clearly defined and acknowledged."
- },
- {
- "id": "12.1.4",
- "question": "Is the responsibility for information security formally assigned to a Chief Information Security Officer or other information security knowledgeable member of executive management?",
- "guidance": "Examine the information security policy and interview personnel to verify information security responsibility is formally assigned to a CISO or equivalent."
- }
- ]
- },
- {
- "id": "12.2",
- "title": "Acceptable use policies for end-user technologies are defined and implemented.",
- "items": [
- {
- "id": "12.2.1",
- "question": "Are acceptable use policies for end-user technologies documented and implemented as follows:\n• Explicit approval by authorized parties is required.\n• Acceptable uses of the technology are defined.\n• A list of products approved by the company for employee use, including hardware and software.",
- "guidance": "Examine the acceptable use policy for end-user technologies and interview personnel to verify the policy includes all required elements."
- }
- ]
- },
- {
- "id": "12.3",
- "title": "Risks to the cardholder data environment are formally identified, evaluated, and managed.",
- "items": [
- {
- "id": "12.3.1",
- "question": "For each PCI DSS requirement that specifies completion of a targeted risk analysis, is the analysis performed and documented:\n• Identifies the assets being protected.\n• Identifies the threat(s) that the requirement is protecting against.\n• Identifies factors that contribute to the likelihood and/or impact of a threat being realized.\n• Resulting risk analysis results in an assignment of risk (high, medium, or low).\n• The risk analysis is performed by a qualified individual.",
- "guidance": "Examine risk analysis documentation and interview personnel to verify that targeted risk analyses include all required elements."
- },
- {
- "id": "12.3.2",
- "question": "Is a targeted risk analysis performed for each PCI DSS requirement that the entity meets via the customized approach, to include:\n• A thorough analysis of each customized control.\n• Evidence that each customized control meets the intent of the related PCI DSS requirement.\n• Evidence that each customized control is monitored to ensure that it continues to be effective.",
- "guidance": "Examine targeted risk analyses performed for customized approach controls to verify all required elements are present."
- },
- {
- "id": "12.3.3",
- "question": "Are all cryptographic cipher suites and protocols in use documented and reviewed at least once every 12 months to confirm they remain secure, including:\n• An up-to-date inventory of all cryptographic cipher suites and protocols in use, including purpose and where used.\n• Active monitoring of industry trends regarding continued viability of all cryptographic cipher suites and protocols in use.\n• A documented plan to respond to anticipated changes in cryptographic vulnerabilities.",
- "guidance": "Examine documentation and interview personnel to verify cryptographic cipher suites and protocols are documented and reviewed annually."
- },
- {
- "id": "12.3.4",
- "question": "Are hardware and software technologies reviewed at least once every 12 months to confirm they continue to receive security fixes from vendors promptly and continue to support the entity's PCI DSS security requirements, including:\n• An analysis for any issues noted in the review and a plan to address these issues.",
- "guidance": "Examine documentation and interview personnel to verify hardware and software technologies are reviewed at least annually."
- }
- ]
- },
- {
- "id": "12.4",
- "title": "PCI DSS compliance is managed.",
- "items": [
- {
- "id": "12.4.1",
- "question": "Additional requirement for service providers only: Is the executive management responsibility for the protection of cardholder data and a PCI DSS compliance program established to include:\n• Overall accountability for maintaining PCI DSS compliance.\n• Defining a charter for a PCI DSS compliance program and communication to executive management.",
- "guidance": "This requirement applies only to service providers. Examine documentation to verify executive management responsibility for PCI DSS compliance is established."
- },
- {
- "id": "12.4.2",
- "question": "Additional requirement for service providers only: Are reviews performed at least once every three months to confirm that personnel are following security policies and operational procedures, and does the review process include:\n• Confirming that personnel are performing their tasks in accordance with all security policies and operational procedures.\n• Review results are reviewed and addressed by the responsible executive management.",
- "guidance": "This requirement applies only to service providers."
- },
- {
- "id": "12.4.2.1",
- "question": "Additional requirement for service providers only: Are reviews performed per Requirement 12.4.2 documented to include:\n• Results of reviews.\n• Review and sign-off of results by personnel assigned responsibility for the PCI DSS compliance program.",
- "guidance": "This requirement applies only to service providers."
- }
- ]
- },
- {
- "id": "12.5",
- "title": "PCI DSS scope is documented and validated.",
- "items": [
- {
- "id": "12.5.1",
- "question": "Is an inventory of system components that are in scope for PCI DSS maintained, including a description of function/use, as follows:\n• The inventory is kept current.\n• The inventory includes all hardware and software in use.\n• The inventory includes all network connections.\n• All inventory data is included in the scope documentation.",
- "guidance": "Examine system component inventory documentation and interview personnel to verify an inventory of in-scope system components is maintained."
- },
- {
- "id": "12.5.2",
- "question": "Is PCI DSS scope documented and confirmed by the entity at least once every 12 months and upon significant change to the in-scope environment, including:\n• Identifying all locations and flows of account data and confirming that all applicable PCI DSS requirements are in scope.\n• All applicable PCI DSS requirements are applied to all locations and system components where account data is stored, processed, or transmitted.\n• All system components in the CDE.\n• All segmentation controls and their effectiveness in reducing the scope of the CDE.",
- "guidance": "Examine documentation and interview personnel to verify PCI DSS scope is documented and confirmed at least once every 12 months."
- },
- {
- "id": "12.5.2.1",
- "question": "Additional requirement for service providers only: Is PCI DSS scope documented and confirmed by the entity at least once every six months and upon significant changes to the in-scope environment?",
- "guidance": "This requirement applies only to service providers."
- },
- {
- "id": "12.5.3",
- "question": "Additional requirement for service providers only: Are significant changes to organizational structure resulting in a formal (internal) review of the impact on PCI DSS scope and applicability of controls, including:\n• Results of the review?",
- "guidance": "This requirement applies only to service providers."
- }
- ]
- },
- {
- "id": "12.6",
- "title": "Security awareness education is an ongoing activity.",
- "items": [
- {
- "id": "12.6.1",
- "question": "Is a formal security awareness program implemented to make all personnel aware of the entity's information security policy and procedures, and personnel's role in protecting the cardholder data?",
- "guidance": "Examine the security awareness program to verify it includes policies, procedures, and personnel roles in protecting cardholder data."
- },
- {
- "id": "12.6.2",
- "question": "Is the security awareness program:\n• Reviewed at least once every 12 months.\n• Updated as needed to address any new threats or vulnerabilities that may impact the security of the entity's CDE, or the information provided to personnel about their role in protecting cardholder data.",
- "guidance": "Examine the security awareness program and interview personnel to verify the program is reviewed and updated at least annually."
- },
- {
- "id": "12.6.3",
- "question": "Are personnel trained upon hire and at least once every 12 months, and does training include:\n• Awareness of threats and vulnerabilities that could impact the security of the CDE.\n• Awareness of acceptable use policies for end-user technologies.\n• Awareness of the roles of personnel in protecting cardholder data.",
- "guidance": "Examine security awareness training records and interview personnel to verify training occurs upon hire and at least annually."
- },
- {
- "id": "12.6.3.1",
- "question": "Does security awareness training include awareness of threats and vulnerabilities that could impact the security of the CDE, including phishing and related attacks?",
- "guidance": "Examine security awareness training content to verify phishing and related attacks are addressed."
- },
- {
- "id": "12.6.3.2",
- "question": "Does security awareness training include awareness of the acceptable use policy for end-user technologies as specified in Requirement 12.2.1?",
- "guidance": "Examine security awareness training content to verify acceptable use policy for end-user technologies is addressed."
- }
- ]
- },
- {
- "id": "12.7",
- "title": "Personnel are screened to reduce risks from insider threats.",
- "items": [
- {
- "id": "12.7.1",
- "question": "Are potential personnel who will have access to the CDE screened, within the constraints of local laws, prior to hire to minimize the risk of attacks from internal sources? (At a minimum, background checks must be performed for employees who will have access to single cardholder accounts at a time, such as store cashiers.)",
- "guidance": "Examine hiring policies and procedures and interview personnel to verify that pre-hire screening is performed for personnel with access to the CDE."
- }
- ]
- },
- {
- "id": "12.8",
- "title": "Risk to information assets associated with third-party service provider (TPSP) relationships is managed.",
- "items": [
- {
- "id": "12.8.1",
- "question": "Is a list of all third-party service providers (TPSPs) maintained with which account data is shared or that could affect the security of account data, including a description of the service(s) provided?",
- "guidance": "Examine policies and procedures and the list of TPSPs to verify a list of all TPSPs is maintained with a description of services provided."
- },
- {
- "id": "12.8.2",
- "question": "Are written agreements with all TPSPs maintained to include an acknowledgment by TPSPs that they are responsible for the security of account data the TPSPs possess or otherwise store, process, or transmit on behalf of the entity, or to the extent that they could impact the security of the entity's CDE?",
- "guidance": "Examine written agreements with TPSPs to verify they include an acknowledgment of TPSP responsibility for account data security."
- },
- {
- "id": "12.8.3",
- "question": "Is an established process implemented for engaging TPSPs, including proper due diligence prior to engagement?",
- "guidance": "Examine policies and procedures and interview personnel to verify a process exists for engaging TPSPs, including due diligence."
- },
- {
- "id": "12.8.4",
- "question": "Is a program implemented to monitor TPSPs' PCI DSS compliance status at least once every 12 months?",
- "guidance": "Examine documentation and interview personnel to verify TPSP PCI DSS compliance status is monitored at least annually."
- },
- {
- "id": "12.8.5",
- "question": "Is information maintained about which PCI DSS requirements are managed by each TPSP, which are managed by the entity, and any that are shared between the TPSP and the entity?",
- "guidance": "Examine documentation to verify information is maintained about which PCI DSS requirements are managed by each TPSP, which by the entity, and which are shared."
- }
- ]
- },
- {
- "id": "12.9",
- "title": "Third-party service providers (TPSPs) support their customers' PCI DSS compliance.",
- "items": [
- {
- "id": "12.9.1",
- "question": "Additional requirement for service providers only: Is there a written acknowledgment provided to customers with the following:\n• TPSPs acknowledge to the entity that they are responsible for the security of account data that the TPSP possesses or otherwise stores, processes, or transmits on behalf of the entity, or to the extent that they could impact the security of the entity's cardholder data environment.",
- "guidance": "This requirement applies only to service providers."
- },
- {
- "id": "12.9.2",
- "question": "Additional requirement for service providers only: Are TPSPs supporting the PCI DSS compliance of their customers as follows:\n• Upon request, TPSPs provide the status of relevant PCI DSS requirements for their customers to validate TPSP compliance.\n• TPSPs provide sufficient information about the PCI DSS requirements for which they are responsible for the customer.",
- "guidance": "This requirement applies only to service providers."
- }
- ]
- },
- {
- "id": "12.10",
- "title": "Suspected and confirmed security incidents that could impact the CDE are responded to immediately.",
- "items": [
- {
- "id": "12.10.1",
- "question": "Is an incident response plan created and implemented to be initiated in the event of a system breach, and does the plan address the following, at a minimum:\n• Roles, responsibilities, and communication and contact strategies in the event of a suspected or confirmed compromise, including notification of payment brands and acquirers, at a minimum.\n• Incident response procedures with specific containment and mitigation activities for different types of incidents.\n• Business recovery and continuity procedures.\n• Data backup processes.\n• Analysis of legal requirements for reporting compromises.\n• Coverage and responses of all critical system components.\n• Reference or inclusion of incident response procedures from payment brands.",
- "guidance": "Examine the incident response plan and interview personnel to verify the plan includes all required elements."
- },
- {
- "id": "12.10.1.1",
- "question": "Does the incident response plan include:\n• Processes for responding to expected and unexpected media queries?\n• Processes for designating specific personnel to handle media queries?",
- "guidance": "Examine the incident response plan to verify it includes processes for handling media queries."
- },
- {
- "id": "12.10.2",
- "question": "Is the incident response plan reviewed and tested at least once every 12 months, including all elements listed in Requirement 12.10.1?",
- "guidance": "Examine the incident response plan and review and testing documentation to verify the plan is reviewed and tested at least annually."
- },
- {
- "id": "12.10.3",
- "question": "Are specific personnel designated to be available on a 24/7 basis to respond to suspected or confirmed security incidents?",
- "guidance": "Examine policies and procedures and interview personnel to verify specific personnel are available 24/7 to respond to security incidents."
- },
- {
- "id": "12.10.4",
- "question": "Is personnel appropriate to respond to a suspected or confirmed security incident trained at least once every 12 months?",
- "guidance": "Examine training documentation and interview personnel to verify incident response personnel are trained at least annually."
- },
- {
- "id": "12.10.4.1",
- "question": "Is the frequency of periodic training for incident response personnel defined in the entity's targeted risk analysis?",
- "guidance": "Examine the entity's targeted risk analysis and documentation to verify the frequency of incident response personnel training is defined."
- },
- {
- "id": "12.10.5",
- "question": "Is the incident response plan modified and evolved according to lessons learned and to incorporate industry developments?",
- "guidance": "Examine the incident response plan and interview personnel to verify the plan is modified according to lessons learned and industry developments."
- },
- {
- "id": "12.10.6",
- "question": "Is the incident response plan modified and evolved according to lessons learned and to incorporate industry developments?",
- "guidance": "Examine the incident response plan and interview personnel to verify the plan is updated based on lessons learned."
- },
- {
- "id": "12.10.7",
- "question": "Are incident response procedures in place to be initiated upon detection of stored PAN anywhere it is not expected, and does the response include:\n• Determining what to do if PAN is discovered outside the CDE, including its retrieval, secure deletion, and/or migration into the current defined CDE.\n• Root-cause analysis to determine how PANs ended up outside the CDE.\n• Remediating data leaks or process gaps that resulted in the PAN leaving the CDE.\n• Identifying the origin of the PAN.\n• Identifying all locations that the PAN has been sent to or stored in.",
- "guidance": "Examine incident response procedures to verify they address discovery of stored PAN outside the CDE."
- }
- ]
- }
- ]
- }
- ]
-}
diff --git a/saq_p2pe.json b/saq_p2pe.json
deleted file mode 100644
index bbbb170..0000000
--- a/saq_p2pe.json
+++ /dev/null
@@ -1,277 +0,0 @@
-{
- "id": "saq_p2pe",
- "name": "SAQ P2PE",
- "version": "PCI DSS v4.0",
- "description": "For merchants using hardware payment terminals included in a validated, PCI SSC-listed Point-to-Point Encryption (P2PE) solution. No electronic cardholder data storage after authorization.",
- "applicability": "This SAQ applies to merchants whose payment processing is performed only via hardware payment terminals included in a validated P2PE solution listed on the PCI SSC website. The solution handles all encryption of cardholder data at the point of interaction (POI). Merchants in this category do not have access to clear-text PAN in their environments.",
- "requirements": [
- {
- "id": "8",
- "title": "Identify Users and Authenticate Access to System Components",
- "objective": "For SAQ P2PE, Requirement 8 applies only to the limited system components involved in managing and supporting the P2PE solution. Authentication controls are required for personnel who manage the POI devices and the P2PE solution.",
- "controls": [
- {
- "id": "8.1",
- "title": "Processes and mechanisms for identifying users and authenticating access to system components are defined and understood.",
- "items": [
- {
- "id": "8.1.1",
- "question": "Are all security policies and operational procedures that are identified in Requirement 8:\n• Documented?\n• Kept up to date?\n• In use?\n• Known to all affected parties?",
- "guidance": "Examine documentation and interview personnel to verify policies and procedures are documented, current, in use, and known to all affected parties."
- },
- {
- "id": "8.1.2",
- "question": "Are all roles and responsibilities for performing activities in Requirement 8 documented, assigned, and understood?",
- "guidance": "Examine documentation and interview personnel to verify roles and responsibilities are documented, assigned, and understood."
- }
- ]
- },
- {
- "id": "8.3",
- "title": "User authentication for users and administrators is established and managed.",
- "items": [
- {
- "id": "8.3.1",
- "question": "Are all user passwords/passphrases for user access to system components (including POI device management systems) set to meet all the following minimum requirements:\n• A minimum length of at least 12 characters (or IF the system does not support 12 characters, a minimum length of eight characters).\n• Contains both numeric and alphabetic characters.",
- "guidance": "Examine system configuration settings to verify passwords/passphrases meet minimum length and complexity requirements."
- },
- {
- "id": "8.3.4",
- "question": "Is invalid authentication attempt tracking implemented as follows:\n• Invalid attempts are limited to not more than 10 attempts.\n• The account is locked out for a minimum of 30 minutes or until the account is reset by an administrator.",
- "guidance": "Examine system configuration settings to verify invalid authentication attempts are limited and lock-out is implemented."
- },
- {
- "id": "8.3.9",
- "question": "If passwords/passphrases are used as the only authentication factor for user access, are passwords/passphrases changed at least once every 90 days?\nOR\nIs the security posture of accounts dynamically analyzed, and real-time access to resources automatically determined accordingly?",
- "guidance": "Examine system configuration settings to verify passwords are changed at least once every 90 days or dynamic analysis is implemented."
- }
- ]
- },
- {
- "id": "8.4",
- "title": "Multi-factor authentication (MFA) is implemented to secure access into the CDE.",
- "items": [
- {
- "id": "8.4.3",
- "question": "Is MFA implemented for all remote network access originating from outside the entity's network that could access or impact the CDE, including:\n• All remote access by all personnel, both users and administrators, originating from outside the entity's network.\n• All remote access by third parties and vendors.",
- "guidance": "Examine network and/or system configurations and interview personnel to verify MFA is implemented for all remote access."
- }
- ]
- }
- ]
- },
- {
- "id": "9",
- "title": "Restrict Physical Access to Cardholder Data",
- "objective": "Physical security of POI devices is the primary focus of Requirement 9 for SAQ P2PE merchants. Since the P2PE solution handles encryption, protecting the physical integrity of POI devices is critical to maintaining the security of the solution.",
- "controls": [
- {
- "id": "9.1",
- "title": "Processes and mechanisms for restricting physical access to cardholder data are defined and understood.",
- "items": [
- {
- "id": "9.1.1",
- "question": "Are all security policies and operational procedures that are identified in Requirement 9:\n• Documented?\n• Kept up to date?\n• In use?\n• Known to all affected parties?",
- "guidance": "Examine documentation and interview personnel to verify policies and procedures are documented, current, in use, and known to all affected parties."
- },
- {
- "id": "9.1.2",
- "question": "Are all roles and responsibilities for performing activities in Requirement 9 documented, assigned, and understood?",
- "guidance": "Examine documentation and interview personnel to verify roles and responsibilities are documented, assigned, and understood."
- }
- ]
- },
- {
- "id": "9.5",
- "title": "Point-of-interaction (POI) devices are protected from tampering and unauthorized substitution.",
- "items": [
- {
- "id": "9.5.1",
- "question": "Are POI devices that capture payment card data via direct physical interaction with the payment card form factor protected from tampering and unauthorized substitution, including the following:\n• Maintaining a list of POI devices.\n• Periodically inspecting POI devices to look for tampering or unauthorized substitution.\n• Training personnel to be aware of suspicious behavior and to report tampering or unauthorized substitution of devices.",
- "guidance": "Examine documented policies and procedures and interview responsible personnel to verify POI devices are protected from tampering and unauthorized substitution."
- },
- {
- "id": "9.5.1.1",
- "question": "Is the list of POI devices maintained, and does it include the following:\n• Make and model of the device.\n• Location of device (for example, the address of the site or facility where the device is located).\n• Device serial number or other method of unique identification.",
- "guidance": "Examine the list of POI devices and interview personnel to verify the list includes make, model, location, and serial number or other unique identification."
- },
- {
- "id": "9.5.1.2",
- "question": "Are POI device surfaces periodically inspected to detect tampering (for example, addition of card skimmers to devices) and unauthorized substitution (for example, checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device), as follows:\n• The frequency of inspections and the type of inspections performed is defined in the entity's targeted risk analysis.\n• All POI devices are inspected.",
- "guidance": "Examine documented procedures and interview personnel to verify POI devices are periodically inspected to detect tampering and unauthorized substitution."
- },
- {
- "id": "9.5.1.2.1",
- "question": "Are inspections of POI devices performed at the frequency or more frequently as defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1?",
- "guidance": "Examine the entity's targeted risk analysis for the frequency of POI device inspections and compare the analysis to documented evidence of inspections."
- },
- {
- "id": "9.5.1.3",
- "question": "Is training provided to personnel to be aware of attempted tampering or replacement of POI devices, and does the training include the following:\n• Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices.\n• Do not install, replace, or return devices without verification.\n• Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices).\n• Report suspicious behavior and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer).",
- "guidance": "Examine training materials and interview personnel to verify training covers awareness of POI device tampering and unauthorized substitution."
- }
- ]
- }
- ]
- },
- {
- "id": "12",
- "title": "Support Information Security with Organizational Policies and Programs",
- "objective": "Organizational policies and programs support the overall security posture of the P2PE merchant environment, including management of the validated P2PE solution and associated POI devices.",
- "controls": [
- {
- "id": "12.1",
- "title": "A comprehensive information security policy that governs and provides direction for protection of the entity's information assets is known and current.",
- "items": [
- {
- "id": "12.1.1",
- "question": "Is an overall information security policy established, published, maintained, and disseminated to all relevant personnel, as well as to relevant vendors and business partners?",
- "guidance": "Examine the information security policy and interview personnel to verify an overall information security policy is established, published, maintained, and disseminated."
- },
- {
- "id": "12.1.2",
- "question": "Is the information security policy reviewed at least once every 12 months and updated when the environment changes?",
- "guidance": "Examine the information security policy and interview personnel to verify the policy is reviewed at least annually and updated as needed."
- },
- {
- "id": "12.1.3",
- "question": "Does the information security policy clearly define information security roles and responsibilities for all personnel, and do all personnel understand and acknowledge their information security responsibilities?",
- "guidance": "Examine the information security policy and interview personnel to verify roles and responsibilities are clearly defined and acknowledged."
- },
- {
- "id": "12.1.4",
- "question": "Is responsibility for information security formally assigned to a Chief Information Security Officer or other information security knowledgeable member of executive management?",
- "guidance": "Examine the information security policy and interview personnel to verify information security responsibility is formally assigned to a CISO or equivalent."
- }
- ]
- },
- {
- "id": "12.3",
- "title": "Risks to the cardholder data environment are formally identified, evaluated, and managed.",
- "items": [
- {
- "id": "12.3.1",
- "question": "For each PCI DSS requirement that specifies completion of a targeted risk analysis, is the analysis performed and documented to include:\n• Identifies the assets being protected.\n• Identifies the threat(s) that the requirement is protecting against.\n• Identifies factors that contribute to the likelihood and/or impact of a threat being realized.\n• Resulting risk analysis results in an assignment of risk (high, medium, or low).\n• The risk analysis is performed by a qualified individual.",
- "guidance": "Examine risk analysis documentation and interview personnel to verify targeted risk analyses include all required elements."
- }
- ]
- },
- {
- "id": "12.5",
- "title": "PCI DSS scope is documented and validated.",
- "items": [
- {
- "id": "12.5.1",
- "question": "Is an inventory of system components that are in scope for PCI DSS maintained, including a description of function/use, as follows:\n• The inventory is kept current.\n• The inventory includes all hardware and software in use (including the P2PE solution components).\n• The inventory includes all POI devices.",
- "guidance": "Examine system component inventory documentation and interview personnel to verify an inventory of in-scope components is maintained, including all P2PE solution components and POI devices."
- },
- {
- "id": "12.5.2",
- "question": "Is PCI DSS scope documented and confirmed by the entity at least once every 12 months and upon significant change to the in-scope environment, including:\n• Confirming that the P2PE solution in use remains on the PCI SSC list of validated P2PE solutions.\n• Confirming that all POI devices in use are included on the P2PE solution's list of validated devices.\n• Confirming all account data flows and that no clear-text PAN is present in the merchant environment.",
- "guidance": "Examine documentation and interview personnel to verify PCI DSS scope is confirmed at least annually, including confirming the P2PE solution and devices remain validated."
- }
- ]
- },
- {
- "id": "12.6",
- "title": "Security awareness education is an ongoing activity.",
- "items": [
- {
- "id": "12.6.1",
- "question": "Is a formal security awareness program implemented to make all personnel aware of the entity's information security policy and procedures and personnel's role in protecting the cardholder data?",
- "guidance": "Examine the security awareness program to verify it exists and is implemented."
- },
- {
- "id": "12.6.2",
- "question": "Is the security awareness program:\n• Reviewed at least once every 12 months.\n• Updated as needed to address any new threats or vulnerabilities that may impact the security of the entity's CDE, or the information provided to personnel about their role in protecting cardholder data.",
- "guidance": "Examine the security awareness program and interview personnel to verify the program is reviewed and updated at least annually."
- },
- {
- "id": "12.6.3",
- "question": "Are personnel trained upon hire and at least once every 12 months, and does training include:\n• Awareness of threats and vulnerabilities that could impact the security of the CDE.\n• Awareness of acceptable use policies for end-user technologies.\n• Personnel roles in protecting cardholder data.\n• Specific training on the P2PE solution requirements, including POI device security and anti-tampering procedures.",
- "guidance": "Examine security awareness training records and interview personnel to verify training occurs upon hire and at least annually, and includes P2PE-specific content."
- },
- {
- "id": "12.6.3.1",
- "question": "Does security awareness training include awareness of threats and vulnerabilities that could impact the security of the CDE, including phishing and related attacks?",
- "guidance": "Examine security awareness training content to verify phishing and related attacks are addressed."
- }
- ]
- },
- {
- "id": "12.8",
- "title": "Risk to information assets associated with third-party service provider (TPSP) relationships is managed.",
- "items": [
- {
- "id": "12.8.1",
- "question": "Is a list of all third-party service providers (TPSPs) maintained with which account data is shared or that could affect the security of account data (including the P2PE solution provider), including a description of the service(s) provided?",
- "guidance": "Examine the list of TPSPs to verify it includes the P2PE solution provider and all other TPSPs with a description of services."
- },
- {
- "id": "12.8.2",
- "question": "Are written agreements with all TPSPs (including the P2PE solution provider) maintained to include an acknowledgment that they are responsible for the security of account data the TPSPs possess or otherwise store, process, or transmit on behalf of the entity?",
- "guidance": "Examine written agreements with TPSPs to verify they include an acknowledgment of TPSP responsibility for account data security."
- },
- {
- "id": "12.8.3",
- "question": "Is an established process implemented for engaging TPSPs, including proper due diligence prior to engagement?",
- "guidance": "Examine policies and procedures and interview personnel to verify a process exists for engaging TPSPs with due diligence."
- },
- {
- "id": "12.8.4",
- "question": "Is a program implemented to monitor TPSPs' PCI DSS compliance status at least once every 12 months, including confirming that the P2PE solution remains on the PCI SSC list of validated P2PE solutions?",
- "guidance": "Examine documentation and interview personnel to verify TPSP PCI DSS compliance status is monitored at least annually, including P2PE solution validation status."
- },
- {
- "id": "12.8.5",
- "question": "Is information maintained about which PCI DSS requirements are managed by each TPSP (including the P2PE solution provider), which are managed by the entity, and any that are shared?",
- "guidance": "Examine documentation to verify information is maintained about PCI DSS responsibility allocation between entity and TPSPs."
- }
- ]
- },
- {
- "id": "12.9",
- "title": "Third-party service providers (TPSPs) support their customers' PCI DSS compliance.",
- "items": [
- {
- "id": "12.9.1",
- "question": "Additional requirement for service providers only: Is there a written acknowledgment provided to customers that TPSPs are responsible for the security of account data that the TPSP possesses or otherwise stores, processes, or transmits on behalf of the entity?",
- "guidance": "This requirement applies only to service providers."
- }
- ]
- },
- {
- "id": "12.10",
- "title": "Suspected and confirmed security incidents that could impact the CDE are responded to immediately.",
- "items": [
- {
- "id": "12.10.1",
- "question": "Is an incident response plan created and implemented to be initiated in the event of a system breach, and does the plan address the following, at a minimum:\n• Roles, responsibilities, and communication and contact strategies in the event of a suspected or confirmed compromise, including notification of payment brands and acquirers, at a minimum.\n• Incident response procedures with specific containment and mitigation activities for different types of incidents.\n• Business recovery and continuity procedures.\n• Data backup processes.\n• Analysis of legal requirements for reporting compromises.\n• Coverage and responses of all critical system components.\n• Reference or inclusion of incident response procedures from payment brands.\n• Procedures specifically addressing suspected or confirmed tampering or substitution of POI devices.",
- "guidance": "Examine the incident response plan and interview personnel to verify the plan includes all required elements, including POI device tampering response."
- },
- {
- "id": "12.10.2",
- "question": "Is the incident response plan reviewed and tested at least once every 12 months, including all elements listed in Requirement 12.10.1?",
- "guidance": "Examine the incident response plan and review and testing documentation to verify the plan is reviewed and tested at least annually."
- },
- {
- "id": "12.10.3",
- "question": "Are specific personnel designated to be available on a 24/7 basis to respond to suspected or confirmed security incidents, including suspected or confirmed POI device tampering?",
- "guidance": "Examine policies and procedures and interview personnel to verify specific personnel are available 24/7 to respond to security incidents."
- },
- {
- "id": "12.10.4",
- "question": "Is personnel appropriate to respond to a suspected or confirmed security incident trained at least once every 12 months?",
- "guidance": "Examine training documentation and interview personnel to verify incident response personnel are trained at least annually."
- },
- {
- "id": "12.10.5",
- "question": "Is the incident response plan modified and evolved according to lessons learned and to incorporate industry developments?",
- "guidance": "Examine the incident response plan and interview personnel to verify the plan is modified and improved based on lessons learned."
- }
- ]
- }
- ]
- }
- ]
-}