Self-Assessment Questionnaire B
and Attestation of Compliance
Imprint Machines or Standalone Dial-out Terminals Only, No Electronic Cardholder Data Storage
Version 2.0
October 2010
Document Changes
Date | Version | Description
October 1, 2008 | 1.2 | To align content with new PCI DSS v1.2 and to implement minor changes noted since original v1.1.
October 28, 2010 | 2.0 | To align content with new PCI DSS v2.0 requirements and testing procedures.
PCI DSS SAQ B, v2.0, Document Changes    Copyright 2010 PCI Security Standards Council LLC
Table of Contents
Document Changes
PCI Data Security Standard: Related Documents
Before You Begin
Completing the Self-Assessment Questionnaire
PCI DSS Compliance - Completion Steps
Guidance for Non-Applicability of Certain, Specific Requirements
Appendix A: (not used)
Appendix B: Compensating Controls
Appendix C: Compensating Controls Worksheet
Compensating Controls Worksheet - Completed Example
Eligible merchants and service providers (1)
All merchants and service providers
SAQ B merchants are defined here and in the PCI DSS Self-Assessment Questionnaire Instructions and Guidelines. SAQ B merchants process cardholder data only via imprint machines or via standalone, dial-out terminals, and may be either brick-and-mortar (card-present) or e-commerce or mail/telephone-order
(1) To determine the appropriate Self-Assessment Questionnaire, see PCI Data Security Standard: Self-Assessment Guidelines and Instructions, "Selecting the SAQ and Attestation That Best Apply to Your Organization."
October 2010 Page iii
PCI DSS SAQ B, v2.0, PCI Data Security Standard: Related Documents    Copyright 2010 PCI Security Standards Council LLC
(card-not-present) merchants. These merchants validate compliance by completing SAQ B and the associated Attestation of Compliance, confirming that:
Your company uses only imprint machines and/or uses only standalone, dial-out terminals (connected via a phone line to your processor) to take your customers' payment card information;
The standalone, dial-out terminals are not connected to any other systems within your environment;
The standalone, dial-out terminals are not connected to the Internet;
Your company does not transmit cardholder data over a network (either an internal network or the Internet);
Your company retains only paper reports or paper copies of receipts with cardholder data, and these documents are not received electronically; and
Your company does not store cardholder data in electronic format.
Each section of the questionnaire focuses on a specific area of security, based on the requirements in the PCI DSS Requirements and Security Assessment Procedures. This shortened version of the SAQ includes questions which apply to a specific type of small merchant environment, as defined in the above eligibility criteria. If there are PCI DSS requirements applicable to your environment which are not covered in this SAQ, it may be an indication that this SAQ is not suitable for your environment. Additionally, you must still comply with all applicable PCI DSS requirements in order to be PCI DSS compliant.
State/Province:    URL:
PCI DSS SAQ B, v2.0, Attestation of Compliance    Copyright 2010 PCI Security Standards Council LLC
Compliant: All sections of the PCI SAQ are complete, and all questions answered "yes," resulting in an overall COMPLIANT rating, thereby [Merchant Company Name] has demonstrated full compliance with the PCI DSS.
Non-Compliant: Not all sections of the PCI SAQ are complete, or some questions are answered "no," resulting in an overall NON-COMPLIANT rating, thereby [Merchant Company Name] has not demonstrated full compliance with the PCI DSS.
Target Date for Compliance: An entity submitting this form with a status of Non-Compliant may be required to complete the Action Plan in Part 4 of this document. Check with your acquirer or the payment brand(s) before completing Part 4, since not all payment brands require this section.
Signature of Merchant Executive Officer
Merchant Executive Officer Name
Merchant Company Represented
Date
Title
Data encoded in the magnetic stripe or equivalent data on a chip used for authorization during a card-present transaction. Entities may not retain full magnetic-stripe data after transaction authorization. The only elements of track data that may be retained are account number, expiration date, and name.
The three- or four-digit value printed on or to the right of the signature panel or on the face of a payment card used to verify card-not-present transactions.
Personal Identification Number entered by cardholder during a card-present transaction, and/or encrypted PIN block present within the transaction message.
Requirement 12: Maintain a policy that addresses information security for all personnel
Self-Assessment Questionnaire B
Note: The following questions are numbered according to PCI DSS requirements and testing procedures, as defined in the PCI DSS Requirements and Security Assessment Procedures document.
Date of Completion:
(b) If sensitive authentication data is received and deleted, are processes in place to securely delete the data to verify that the data is unrecoverable?
(c) Do all systems adhere to the following requirements regarding non-storage of sensitive authentication data after authorization (even if encrypted)?
3.2.1 The full contents of any track from the magnetic stripe (located on the back of a card, equivalent data contained on a chip, or elsewhere) are not stored under any circumstances? This data is alternatively called full track, track, track 1, track 2, and magnetic-stripe data. In the normal course of business, the following data elements from the magnetic stripe may need to be retained: the cardholder's name, primary account number (PAN), expiration date, and service code. To minimize risk, store only these data elements as needed for business.
3.2.2 The card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) is not stored under any circumstances?
3.2.3 The personal identification number (PIN) or the encrypted PIN block are not stored under any circumstances?
3.3 Is the PAN masked when displayed (the first six and last four digits are the maximum number of digits to be displayed)? Notes: This requirement does not apply to employees and other parties with a specific need to see the full PAN; this requirement does not supersede stricter requirements in place for displays of cardholder data, for example, for point-of-sale (POS) receipts.
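The retention rule of 3.2.1 (keep only name, PAN, expiration date and service code after authorization, never track data, card verification value or PIN) and the display rule of 3.3 (at most first six and last four digits) written as a check. This is an added example, not part of the SAQ; the record field names and the sample record are constructed assumptions.

```python
"""Added example: post-authorization retention filter and PAN masking per SAQ B 3.2.1-3.3."""
import re

# Elements 3.2.1 says may be retained in the normal course of business (assumed field names)
RETAINABLE = {"cardholder_name", "pan", "expiration_date", "service_code"}
# Sensitive authentication data 3.2.1-3.2.3 say must never be stored after authorization
FORBIDDEN = {"track1", "track2", "cvv", "pin", "pin_block"}


def retainable_fields(record: dict) -> dict:
    """Return only the elements 3.2.1 permits; anything else is dropped, not just flagged."""
    return {k: v for k, v in record.items() if k in RETAINABLE}


def forbidden_fields_present(record: dict) -> set:
    """Names of populated sensitive-authentication-data fields, for an audit check."""
    return {k for k in record if k in FORBIDDEN and record[k]}


def mask_pan(pan: str, mask_char: str = "*") -> str:
    """Mask for display per 3.3: at most the first six and last four digits are shown.
    Separators (spaces, dashes) are stripped first; implausible lengths are rejected."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must have 13 to 19 digits")
    return digits[:6] + mask_char * (len(digits) - 10) + digits[-4:]


# Constructed sample authorization record (test-card number, not a real account)
SAMPLE_RECORD = {
    "cardholder_name": "A. Sample",
    "pan": "4111 1111 1111 1111",
    "expiration_date": "12/29",
    "service_code": "201",
    "track2": "4111111111111111=2912120100000000",  # constructed
    "cvv": "123",                                    # constructed
}


def process_after_authorization(record: dict) -> dict:
    """What a receipt or reporting system may keep, with the PAN already masked for display."""
    kept = retainable_fields(record)
    kept["pan"] = mask_pan(kept["pan"])
    return kept


if __name__ == "__main__":
    print(sorted(forbidden_fields_present(SAMPLE_RECORD)))  # ['cvv', 'track2']
    print(process_after_authorization(SAMPLE_RECORD))
```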
"Not Applicable" (N/A) or "Compensating Control Used." Organizations using this section must complete the Compensating Controls Worksheet or Explanation of Non-Applicability Worksheet, as appropriate, in the Appendix.
PCI DSS SAQ B, v2.0, Self-Assessment Questionnaire    Copyright 2010 PCI Security Standards Council LLC
(b) Are policies in place that state that unprotected PANs are not to be sent via end-user messaging technologies?
Is access to system components and cardholder data limited to only those individuals whose jobs require such access, as follows:
Are access rights for privileged user IDs restricted to least privileges necessary to perform job responsibilities?
Are privileges assigned to individuals based on job classification and function (also called "role-based access control" or RBAC)?
Response:    Yes    No    Special*
Is all media destroyed when it is no longer needed for business or legal reasons? Is destruction performed as follows:
9.10.1 (a) Are hardcopy materials cross-cut shredded, incinerated, or pulped so that cardholder data cannot be reconstructed?
(b) Are containers that store information to be destroyed secured to prevent access to the contents? (For example, a "to-be-shredded" container has a lock preventing access to its contents.)
I a ec"rit$ polic$ e tabli hed, p"bli hed, maintained, and di eminated to all relevant per onnel@ ?or the purposes o+ $e%u rement 12, @personne"A re+ers to +u""5t me part5t me emp"oyees, temporary emp"oyees an! personne", an! contractors an! consu"tants ,ho are @res !entA on the ent ty;s s te or other, se have access to the company;s s te car!ho"!er !ata env ronment. I the in#ormation ec"rit$ polic$ reviewed at lea t once a $ear and "pdated a needed to re#lect change to b" ine obFective or the ri * environment@ %re " age policie #or critical technologie +#or e9ample, remote) acce technologie , wirele technologie , removable electronic media, laptop , tablet , per onal data-digital a i tant IPD% J, e)mail, and Internet " age, developed to de#ine proper " e o# the e technologie #or all per onnel, and re!"ire the #ollowing2 '9plicit approval b$ a"thori0ed partie to " e the technologie @ % li t o# all "ch device and per onnel with acce %cceptable " e o# the technologie @ Do the ec"rit$ polic$ and proced"re clearl$ de#ine in#ormation ec"rit$ re pon ibilitie #or all per onnel@ %re the #ollowing in#ormation ec"rit$ management re pon ibilitie #ormall$ a igned to an individ"al or team2 ' tabli hing, doc"menting, and di trib"ting ec"rit$ incident re pon e and e calation proced"re to en "re timel$ and e##ective handling o# all it"ation @ +a, I a #ormal ec"rit$ awarene program in place to ma*e all per onnel aware o# the importance o# cardholder data ec"rit$@ I# cardholder data i hared with ervice provider , are policie and proced"re maintained and implemented to manage ervice provider , a #ollow @ I a li t o# ervice provider maintained@ I a written agreement maintained that incl"de an ac*nowledgement that the ervice provider are re pon ible #or the ec"rit$ o# cardholder data the ervice provider po e @
12.1.5
12.5
12.G 12.8
12.8.1 12.8.2
PCI DSS Question    Response:    Yes    No    Special
12.8.3 Is there an established process for engaging service providers, including proper due diligence prior to engagement?
12.8.4
PCI DSS SAQ B, v2.0, Appendix A: (not used)    Copyright 2010 PCI Security Standards Council LLC
b) Existing PCI DSS requirements MAY be considered as compensating controls if they are required for another area, but are not required for the item under review. For example, two-factor authentication is a PCI DSS requirement for remote access. Two-factor authentication from within the internal network can also be considered as a compensating control for non-console administrative access when transmission of encrypted passwords cannot be supported. Two-factor authentication may be an acceptable compensating control if: (1) it meets the intent of the original requirement by addressing the risk of intercepting clear-text administrative passwords; and (2) it is set up properly and in a secure environment.
c) Existing PCI DSS requirements may be combined with new controls to become a compensating control. For example, if a company is unable to render cardholder data unreadable per requirement 3.4 (for example, by encryption), a compensating control could consist of a device or combination of devices, applications, and controls that address all of the following: (1) internal network segmentation; (2) IP address or MAC address filtering; and (3) two-factor authentication from within the internal network.
4. Be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement.
The assessor is required to thoroughly evaluate compensating controls during each annual PCI DSS assessment to validate that each compensating control adequately addresses the risk the original PCI DSS requirement was designed to address, per items 1-4 above. To maintain compliance, processes and controls must be in place to ensure compensating controls remain effective after the assessment is complete.
PCI DSS SAQ B, v2.0, Appendix B: Compensating Controls    Copyright 2010 PCI Security Standards Council LLC
PCI DSS SAQ B, v2.0, Appendix C: Compensating Controls Worksheet    Copyright 2010 PCI Security Standards Council LLC
2. Objective
Define the objective of the original control; identify the objective met by the compensating control.
3. Identified Risk
Identify any additional risk posed by the lack of the original control.
Define the compensating controls and explain how they address the objectives of the original control and the increased risk, if any.
Define how the compensating controls were validated and tested.
6. Maintenance
PCI DSS SAQ B, v2.0, Appendix D: Explanation of Non-Applicability    Copyright 2010 PCI Security Standards Council LLC