PCI Security Standards Council
Payment Card Industry (PCI) Data Security Standard
Attestation of Compliance for Onsite Assessments - Service Providers
Version 3.1, April 2015
Section 1: Assessment Information

Instructions for Submission

This Attestation of Compliance must be completed as a declaration of the results of the service provider's assessment with the Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures (PCI DSS). Complete all sections: The service provider is responsible for ensuring that each section is completed by the relevant parties, as applicable. Contact the requesting payment brand for reporting and submission procedures.

Part 1. Service Provider and Qualified Security Assessor Information

Part 1a. Service Provider Organization Information

Company Name: Auric Systems International (a division of Appropriate Solutions, Inc.)
DBA (doing business as):
Contact Name: Ray Cote
Title: President
ISA Name(s) (if applicable): Not Applicable
Title:
Telephone: (603) 924-6079
E-mail: [email protected]
Business Address: 85 Grove St
City: Peterborough
State/Province: NH
Country: USA
Zip: 03458
URL: www.AuricSystems.com
Part 1b. Qualified Security Assessor Company Information (if applicable)

Company Name: Payment Software Company Inc (d/b/a PSC)
Lead QSA Contact Name: Ivan Moskowitz
Title: PCI QSA
Telephone: 408-228-0961
E-mail:
Business Address: 591 W. Hamilton Ave #200
City: Campbell
State/Province: CA
Country: USA
Zip: 95008
URL: www.paysw.com
PCI DSS Attestation of Compliance for Onsite Assessments- Service Providers, v3.1 ©2006-2015 PCI Security Standards Council, LLC. All Rights Reserved.
April 2015 Page 1
Part 2. Executive Summary

Part 2a. Scope Verification

Services that were INCLUDED in the scope of the PCI DSS Assessment (check all that apply):

Name of service(s) assessed: AuricVault

Type of service(s) assessed:

Hosting Provider:
[ ] Applications / software
[ ] Hardware
[ ] Infrastructure / Network
[ ] Physical space (co-location)
[ ] Storage
[ ] Web
[ ] Security services
[ ] 3-D Secure Hosting Provider
[ ] Shared Hosting Provider
[ ] Other Hosting (specify):

Managed Services (specify):
[ ] Systems security services
[X] IT support
[ ] Physical security
[ ] Terminal Management System
[X] Other services (specify): Tokenization and Secure Storage

Payment Processing:
[ ] POS / card present
[ ] Internet / e-commerce
[ ] MOTO / Call Center
[ ] ATM
[ ] Other processing (specify):

[ ] Account Management
[ ] Fraud and Chargeback
[ ] Payment Gateway/Switch
[ ] Back-Office Services
[ ] Issuer Processing
[ ] Prepaid Services
[ ] Billing Management
[ ] Loyalty Programs
[ ] Records Management
[ ] Clearing and Settlement
[ ] Merchant Services
[ ] Tax/Government Payments
[ ] Network Provider
[ ] Others (specify):

Note: These categories are provided for assistance only, and are not intended to limit or predetermine an entity's service description. If you feel these categories don't apply to your service, complete "Others." If you're unsure whether a category could apply to your service, consult with the applicable payment brand.
Services that are provided by the service provider but were NOT INCLUDED in the scope of the PCI DSS Assessment (check all that apply):

Name of service(s) not assessed: None

Type of service(s) not assessed:

Hosting Provider:
[ ] Applications / software
[ ] Hardware
[ ] Infrastructure / Network
[ ] Physical space (co-location)
[ ] Storage
[ ] Web
[ ] Security services
[ ] 3-D Secure Hosting Provider
[ ] Shared Hosting Provider
[ ] Other Hosting (specify):

Managed Services (specify):
[ ] Systems security services
[ ] IT support
[ ] Physical security
[ ] Terminal Management System
[ ] Other services (specify):

Payment Processing:
[ ] POS / card present
[ ] Internet / e-commerce
[ ] MOTO / Call Center
[ ] ATM
[ ] Other processing (specify):

[ ] Account Management
[ ] Fraud and Chargeback
[ ] Payment Gateway/Switch
[ ] Back-Office Services
[ ] Issuer Processing
[ ] Prepaid Services
[ ] Billing Management
[ ] Loyalty Programs
[ ] Records Management
[ ] Clearing and Settlement
[ ] Merchant Services
[ ] Tax/Government Payments
[ ] Network Provider
[ ] Others (specify):

Provide a brief explanation why any checked services were not included in the assessment:

Part 2b. Description of Payment Card Business

Describe how and in what capacity your business stores, processes, and/or transmits cardholder data.

Data tokenization service that stores encrypted cardholder data and provides customers with a token. The token can later be used by the customer to retrieve the decrypted cardholder data. Customer support functions include access to and support of clients' PCI environments.

Describe how and in what capacity your business is otherwise involved in or has the ability to impact the security of cardholder data.

No other form of cardholder data processing is currently supported.

Part 2c. Locations
List types of facilities (for example, retail outlets, corporate offices, data centers, call centers, etc.) and a summary of locations included in the PCI DSS review.

Type of facility | Number of facilities of this type | Location(s) of facility (city, country)
Example: Retail outlets | 3 | Boston, MA, USA
Corporate Office | 1 | Peterborough, NH, USA
Primary Data Center (INetU) | 1 | Allentown, PA
Secondary Data Center (INetU) | 1 | Seattle, WA
Part 2d. Payment Applications

Does the organization use one or more Payment Applications? [ ] Yes [X] No

Provide the following information regarding the Payment Applications your organization uses:

Payment Application Name | Version Number | Application Vendor | Is application PA-DSS Listed? | PA-DSS Listing Expiry date (if applicable)
Not Applicable | | | [ ] Yes [ ] No |
Part 2e. Description of Environment

Provide a high-level description of the environment covered by this assessment. For example:
• Connections into and out of the cardholder data environment (CDE).
• Critical system components within the CDE, such as POS devices, databases, web servers, etc., and any other necessary payment components, as applicable.

Tokenization service that stores encrypted cardholder data and provides customers with a token. The token can later be used by the customer to retrieve the decrypted cardholder data. The production environment (including networks and servers) is hosted by two PCI compliant cloud service providers (iNetU and Firehost). The application that performs the tokenization is developed and managed by Auric. For the payment-processing tokenization storage operations there are web servers, application servers and database servers that operate across firewalls and switches at the INetU locations.

Does your business use network segmentation to affect the scope of your PCI DSS environment? (Refer to the "Network Segmentation" section of PCI DSS for guidance on network segmentation)
[X] Yes [ ] No

Part 2f. Third-Party Service Providers

Does your company have a relationship with one or more third-party service providers (for example, gateways, payment processors, payment service providers (PSP), web-hosting companies, airline booking agents, loyalty program agents, etc.) for the purpose of the services being validated?
[X] Yes [ ] No

If Yes:

Type of service provider | Description of services provided
Managed Service Provider | Managed hosting, Network security, System security, Security monitoring
Managed Service Provider | Managed hosting, Network security, System security, Security monitoring

Note: Requirement 12.8 applies to all entities in this list.
Part 2g. Summary of Requirements Tested

For each PCI DSS Requirement, select one of the following:
• Full - The requirement and all sub-requirements of that requirement were assessed, and no sub-requirements were marked as "Not Tested" or "Not Applicable" in the ROC.
• Partial - One or more sub-requirements of that requirement were marked as "Not Tested" or "Not Applicable" in the ROC.
• None - All sub-requirements of that requirement were marked as "Not Tested" and/or "Not Applicable" in the ROC.

For all requirements identified as either "Partial" or "None," provide details in the "Justification for Approach" column, including:
• Details of specific sub-requirements that were marked as either "Not Tested" and/or "Not Applicable" in the ROC
• Reason why sub-requirement(s) were not tested or not applicable

Note: One table to be completed for each service covered by this AOC. Additional copies of this section are available on the PCI SSC website.

Name of Service Assessed: AuricVault

Details of Requirements Assessed

PCI DSS Requirement | Full | Partial | None | Justification for Approach (Required for all "Partial" and "None" responses. Identify which sub-requirements were not tested and the reason.)
Requirement 1: | [ ] | [X] | [ ] | 1.2.3 - Not applicable - wireless does not exist at the entity.
Requirement 2: | [ ] | [X] | [ ] | 2.1.1 - Not applicable - wireless does not exist at the entity.
Requirement 3: | [ ] | [X] | [ ] | 3.4.1 - Not Applicable - full disk encryption is not utilized; 3.6.6 - Not Applicable - manual clear-text cryptographic key management is not utilized.
Requirement 4: | [ ] | [X] | [ ] | 4.1.1 - Not applicable - wireless does not exist at the entity.
Requirement 5: | [X] | [ ] | [ ] |
Requirement 6: | [X] | [ ] | [ ] |
Requirement 7: | [X] | [ ] | [ ] |
Requirement 8: | [X] | [ ] | [ ] |
Requirement 9: | [ ] | [X] | [ ] | 9.9 (all) - Not Applicable - The client does not support payment devices.
Requirement 10: | [X] | [ ] | [ ] |
Requirement 11: | [X] | [ ] | [ ] |
Requirement 12: | [X] | [ ] | [ ] |
Appendix A: | [ ] | [ ] | [X] | All Not Applicable - Not a hosting service provider