PDQ Guide for the PCI Data Security Standard Self-Assessment Questionnaire C (Version 1.1)



Similar documents
PCI COMPLIANCE GUIDE For Merchants and Service Members

How To Protect Your Business From A Hacker Attack

Payment Card Industry Data Security Standards.

Why Is Compliance with PCI DSS Important?

Comodo HackerGuardian. PCI Security Compliance The Facts. What PCI security means for your business

How To Protect Your Data From Being Stolen

Project Title slide Project: PCI. Are You At Risk?

Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013

Payment Card Industry (PCI) Data Security Standard. Attestation of Compliance for Self-Assessment Questionnaire C-VT. Version 2.0

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance

Payment Card Industry - Achieving PCI Compliance Steps Steps

Payment Card Industry Data Security Standard

Worldpay s guide to the Payment Card Industry Data Security Standard (PCI DSS)

MasterCard PCI & Site Data Protection (SDP) Program Update. Academy of Risk Management Innovate. Collaborate. Educate.

Josiah Wilkinson Internal Security Assessor. Nationwide

worldpay.com Understanding the 12 requirements of PCI DSS SaferPayments Be smart. Be compliant. Be protected.

La règlementation VisaCard, MasterCard PCI-DSS

Payment Card Industry (PCI) Data Security Standard

PCI DSS Presentation University of Cincinnati

Best Practices (Top Security Tips)

PCI Compliance. Top 10 Questions & Answers

PCI Data Security Standards

PCI Compliance Training

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

PCI DSS Compliance What Texas BUC$ Need to Know! Ron King CampusGuard

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance

PCI Security Compliance

PCI Compliance Top 10 Questions and Answers

A MERCHANTS GUIDE TO THE PAYMENT APPLICATION DATA SECURITY STANDARD (PA-DSS)

Qualified Integrators and Resellers (QIR) Implementation Statement

University of Sunderland Business Assurance PCI Security Policy

CITY OF SAN DIEGO ADMINISTRATIVE REGULATION Number PAYMENT CARD INDUSTRY (PCI) COMPLIANCE POLICY. Page 1 of 9.

How To Comply With The Pci Ds.S.A.S

How To Protect Your Credit Card Information From Being Stolen

Payment Card Industry (PCI) Data Security Standard

PCI Compliance. How to Meet Payment Card Industry Compliance Standards. May cliftonlarsonallen.com CliftonLarsonAllen LLP

COLORADO STATE UNIVERSITY Financial Procedure Statements FPI 6-6

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

paypoint implementation guide

SecurityMetrics Introduction to PCI Compliance

What s New in PCI DSS Cisco and/or its affiliates. All rights reserved. Cisco Systems, Inc 1

PCI Requirements Coverage Summary Table

PCI DSS. CollectorSolutions, Incorporated

Don Roeber Vice President, PCI Compliance Manager. Lisa Tedeschi Assistant Vice President, Compliance Officer

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire

PCI Compliance at The University of South Carolina. Failure is not an option. Rick Lambert PMP University of South Carolina

Becoming PCI Compliant

Your guide to the Payment Card Industry Data Security Standard (PCI DSS) Merchant Business Solutions. Version 5.0 (April 2011)

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008

PCI Requirements Coverage Summary Table

Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) Frequently Asked Questions

FREQUENTLY ASKED QUESTIONS The MasterCard Site Data Protection (SDP) Program

2015 PCI DSS Meeting. OSU Business Affairs Projects, Improvement, and Technology (PIT) Robin Whitlock

This appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected

Property of CampusGuard. Compliance With The PCI DSS

PCI DSS Overview. By Kishor Vaswani CEO, ControlCase

Enforcing PCI Data Security Standard Compliance

What are the PCI DSS requirements? PCI DSS comprises twelve requirements, often referred to as the digital dozen. These define the need to:

Payment Card Industry Security Standards PCI DSS, PCI-PTS and PA-DSS

PCI Compliance. What is New in Payment Card Industry Compliance Standards. October cliftonlarsonallen.com CliftonLarsonAllen LLP

Dartmouth College Merchant Credit Card Policy for Managers and Supervisors

PCI DSS 3.0 Overview. OSU Business Affairs Business Affairs PIT Crew - Project, Improvement, & Technology Robin Whitlock

GFI White Paper PCI-DSS compliance and GFI Software products

Client Security Risk Assessment Questionnaire

Your Compliance Classification Level and What it Means

PCI Compliance: How to ensure customer cardholder data is handled with care

Dartmouth College Merchant Credit Card Policy for Processors

Lucas POS V4 for Windows

AIS Webinar. Payment Application Security. Hap Huynh Business Leader Visa Inc. 1 April 2009

How To Protect Visa Account Information

PCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00

PCI Standards: A Banking Perspective

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance

PCI Compliance: Protection Against Data Breaches

Payment Card Industry - Data Security Standard (PCI-DSS) Security Policy

Payment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc.

FREQUENTLY ASKED QUESTIONS The MasterCard Site Data Protection (SDP) Program

Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance

Catapult PCI Compliance

Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance

PAI Secure Program Guide

Varonis Systems & The Payment Card Industry Data Security Standard (PCI DSS)

Two Approaches to PCI-DSS Compliance

PCI DSS Compliance for Cloud-Based Contact Centers Mitigating Liability through the Standardization of Processes for cloud-based contact centers.

PLACE GROUP UK LONDON STUDENT HOUSING GROUP PAYMENT CARD INDUSTRY DATA SECURITY STANDARD COMPLIANCE STATEMENT PCI DSS (09) VERSION: 2009PCIDSSP4S01

Payment Card Industry (PCI) Data Security Standard

Transcription:

PDQ has created an Answer Guide for the Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C to help wash operators complete questionnaires. Part of the Access Customer Management System (CMS) operator manual is the PABP Implementation Guide, which should be reviewed for specifics on Access CMS payment application site installation. PDQ Manufacturing, Inc. is not a (QSA) Qualified Security Assessor, and is not qualified to make judgments related to PCI compliance. PDQ strongly recommends wash operators consult a QSA if there is any uncertainty how to answer this questionnaire and if this questionnaire is applicable to their business operation. A list of security assessors is available at https://www.pcisecuritystandards.org/resources/qualified_security_assessors.htm. If you are answering yes to these questions, it is assumed that you have read and met all the requirements of the PABP Implementation guide and the PCI Guidelines. To clarify requirements there is a document called Navigating PCI DSS Understanding the Intent of the Requirements at www.pcisecuritystandards.org web site. If in doubt about how to interpret the questionnaire in regarding to your operation, please contact and consult a QSA. By answering Questionnaire C, you are confirming that you do not use any Custom Integration features of the Access software. If Custom Integration is used, Questionnaire D is required and must be completed. Please check for the latest version of this questionnaire before starting. The version may change without notice. The questionnaire can be found at www.pcisecuritystandards.org PDQ Guide to Version 1.1 PCI Self-Assessment Questionnaire C Page 1

Attestation of Compliance Part 1: Qualified Security Assessor Company Information - Information to be filled out by Merchant if applicable Part 2: Merchant Organization Information - Information to be filled out by Merchant Part 2a: Type of merchant business (check all that apply) Part 2b: Relationships - 1 st box: Answer Yes. PDQ has a Loyalty Club program known as WALS (Wash Access Loyalty System) no card data is involved, website and relationship to Authorize.net - 2 nd box: Answer Yes, if you have multiple merchant accounts using separate merchant acquirers. If all merchant accounts are managed by one acquirer, answer No. Part 2c: Transaction Processing Payment Application in use: Payment Application Version: Access CMS1 8 Access CMS2 2 Part 2d: Eligibility to Complete SAQ C If only Access CMS is used for card payment processing at the site, all the below can be checked. If other devices are processing card payments please check with manufacturer. - 1 st box: Access CMS is a payment application and it makes use of a secure Internet connection for processing. - 2 nd box: Access CMS does not connect to other systems such as; a central payment processor, or database on the same network for processing payments. - 3 rd box: Access CMS does not store card holder data and is PABP validated application. - 4 th box: Access CMS will not allow printing or producing of card holder data in any external media format. - 5 th box: All unsecure methods for remote support are disabled on normal default mode of operation. PDQ Guide to Version 1.1 PCI Self-Assessment Questionnaire C Page 2

Part 3: PCI DSS Validation - To be filled out after questionnaire is complete Part 3a: Confirmation of Compliant Status - The merchant is responsible for completing the tasks listed in this section. Check with a QSA if you feel some items do not apply to your business. Check each box that has been completed. Part 3b: Merchant Acknowledgement - Appropriate merchant representatives should sign and date. Part 4: Action Plan for Non-Compliant Status - To be filled out after questionnaire is complete PDQ Guide to Version 1.1 PCI Self-Assessment Questionnaire C Page 3

Self-Assessment Questionnaire C Requirement 1: Install and maintain a firewall configuration to protect cardholder data - Firewall configurations may vary from site to site depending on the services needed. Refer to the PCI guidelines under requirement 1 to ensure your firewall meets the requirements listed. - Answer Yes, only if all requirements are met. Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters 2.1 Answer Yes. Access CMS software will force the user to change passwords the first time each user account is accessed. 2.1.1 1 st box: Answer Yes, if a wireless network is not used. Note: PDQ recommends not using a wireless system, but if one is available onsite, refer to section 4 of the PCI DSS Version 1.1 on wireless components. (a) Answer Yes, only if a wireless network is not used, or part of your card holder data environment. (b) Answer Yes, only if a wireless network is not used, or part of your card holder data environment. 2.3 Answer Yes Requirement 3: Protect stored cardholder data - If using Access CMS1 version 8, or Access CMS2 version 2, answer Yes to all the questions under section 3. The Access unit does not store any sensitive card holder data. 3.2 Answer Yes 3.2.1 Answer Yes 3.2.2 Answer Yes 3.3 Answer Yes Requirement 4: Encrypt transmission of cardholder data across open, public networks 4.1 Answer Yes PDQ Guide to Version 1.1 PCI Self-Assessment Questionnaire C Page 4

4.2 Answer Yes, Access CMS will not email PANs or display PAN to be able to be emailed. Requirement 5: Use and regularly update anti-virus software or programs - If another system or PC is installed on the site network you must ensure they are running the latest version of anti-virus software before answering Yes to the questions under this section. 5.1 Answer Yes - The PDQ Access is an embedded system that is not commonly affected by viruses. Answer the following questions accordingly based on the anti-virus software you are using on any connected systems. Check the anti-virus software documentation for details. 5.1.1 Answer Yes, only if all requirements are met. 5.2 Answer Yes, only if all requirements are met. Requirement 6: Develop and maintain secure systems and applications 6.1 (a) Answer Yes, if the latest version is installed. - Check PDQ s website to get the latest version of software. If you are using other devices, check with your vendor for updates. (b) Answer Yes, if you check and install updates monthly. - Check to make sure your system has the most current security patches by going to the operator s website for the latest updates (e.g. PDQ website Operator section, routers, Microsoft updates, manufacturers website etc.) (Note: you have to sign up for the operator section of the PDQ website if you are not already a member to download updates) Requirement 7: Restrict access to cardholder data by business need-to-know 7.1 Answer Yes - PDQ does not have any default passwords where anyone can log in; there is also no access to cardholder information. Make sure the site has physical locks on the Access unit and the equipment room. If you have additional site computers and routers ensure authentication is enabled PDQ Guide to Version 1.1 PCI Self-Assessment Questionnaire C Page 5

and individual user accounts are created and changed regularly. Preventing physical access to PC s and other networking devices should also be limited to those who need access only. Requirement 8: Assign a unique ID to each person with computer access 8.5.6 Answer Yes - VPN is only enabled on an as-needed-basis for support. It must be disabled at all other times of use. Authorized login to the Access system set up is always needed to temporarily enable for remote support. Requirement 9: Restrict physical access to cardholder data - If the only way that you process credit cards is through Access CMS, then answer Yes to all the questions in this section 9. If not, you will need to check with the manufacturer of the device before answering. Card holder data is never displayed on the Access CMS system. The Access CMS does not supply any hard copies or media of any cardholder data. 9.6 Answer Yes 9.7 (a) Answer Yes (b) Answer Yes 9.7.1 Answer Yes 9.7.2 Answer Yes 9.8 Answer Yes 9.9 Answer Yes 9.10 Answer Yes 9.10.1 Answer Yes Requirement 10: Track and monitor all access to network resources and cardholder data No questions applicable to SAQ C. Requirement 11: Regularly test security systems and processes - The answer to the questions in this section may vary based on what is required of your business. If you are required by your acquirer to be scanned and tested regularly then you may answer Yes to this question. There is a list of Approved Scanning Vendors on www.pcisecuritystandards.org website. 11.1 (a) Answer Yes, only if all requirements are met. (b) Answer Yes, only if all requirements are met. PDQ Guide to Version 1.1 PCI Self-Assessment Questionnaire C Page 6

Requirement 12: Maintain a policy that addresses information security for employees and contractors. - It is the responsibility of the merchant to ensure that all policies required by the PCI DSS version 1.1 are met. PDQ recommends merchants unsure of the PCI guidelines, and how to implement them, hire a consultant or Qualified Security Assessor to assist them with developing and maintaining required policies. Merchants should review the PCI Security documents and implement the policies as required based on their business. Answer Yes to all the questions in this section only if the requirements are met. PDQ Guide to Version 1.1 PCI Self-Assessment Questionnaire C Page 7

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information