PCI DSS Documentation Requirements

SUMMARY DOCUMENT

PCI DSS Documentation Requirements University of California – San Diego

A division of Sikich LLP Jano Kray, QSA Manager, Higher Education [email protected] 877.403.LABS (5227) x223 Created June 16, 2016

PCI DSS DOCUMENTATION REQUIREMENTS

Contents

Overview ...... 2
Agreements ...... 3
  Service Provider Security ...... 3
    PCI DSS Requirement 12.8.2 (Applicable SAQ Validation Types: A, A-EP, B, B-IP, C, C-VT, D Merchant, P2PE) ...... 3
Diagrams ...... 4
  Network ...... 4
    PCI DSS Requirement 1.1.2 (Applicable SAQ Validation Types: A-EP, B-IP, C-VT, D Merchant) ...... 4
  Cardholder Data Flow ...... 5
    PCI DSS Requirement 1.1.3 (Applicable SAQ Validation Types: A-EP, D Merchant) ...... 5
Inventories/Lists ...... 6
  Inventory of System Components ...... 6
    PCI DSS Requirement 2.4 (Applicable SAQ Validation Types: D Merchant) ...... 6
  List of Roles Needing Access to Displays of Full PAN Data ...... 6
    PCI DSS Requirement 3.3 (Applicable SAQ Validation Types: B, B-IP, C, C-VT, D Merchant, P2PE) ...... 6
  Inventory of Card Acceptance Devices ...... 7
    PCI DSS Requirement 9.9.1 (Applicable SAQ Validation Types: B, B-IP, C, D Merchant, P2PE) ...... 7
Policies and Procedures ...... 8
  Data Retention and Disposal ...... 8
    PCI DSS Requirement 3.1 (Applicable SAQ Validation Types: D Merchant, P2PE) ...... 8
    PCI DSS Requirement 3.2 (Applicable SAQ Validation Types: A-EP, B, B-IP, C, C-VT, D Merchant, P2PE) ...... 8
    PCI DSS Requirement 3.3 (Applicable SAQ Validation Types: B, B-IP, C, C-VT, D Merchant, P2PE) ...... 9
    PCI DSS Requirement 3.4 (Applicable SAQ Validation Types: D Merchant) ...... 9
    PCI DSS Requirement 3.5 (Applicable SAQ Validation Types: D Merchant) ...... 9
    PCI DSS Requirement 3.6 (Applicable SAQ Validation Types: D Merchant) ...... 10
  Physical Access Control ...... 10
    PCI DSS Requirement 9.1 (Applicable SAQ Validation Types: A-EP, C, D Merchant) ...... 10
    PCI DSS Requirement 9.1.1 (Applicable SAQ Validation Types: C, D Merchant) ...... 11
    PCI DSS Requirement 9.1.2 (Applicable SAQ Validation Types: B-IP, C, D Merchant) ...... 11
    PCI DSS Requirement 9.1.3 (Applicable SAQ Validation Types: D Merchant) ...... 11
    PCI DSS Requirement 9.2 (Applicable SAQ Validation Types: D Merchant) ...... 11
    PCI DSS Requirement 9.3 (Applicable SAQ Validation Types: D Merchant) ...... 12
    PCI DSS Requirement 9.4 (Applicable SAQ Validation Types: D Merchant) ...... 12
  Media Management ...... 12
    PCI DSS Requirement 9.5 (Applicable SAQ Validation Types: A, A-EP, B, B-IP, C, C-VT, D Merchant, P2PE) ...... 12
    PCI DSS Requirement 9.6 (Applicable SAQ Validation Types: A, A-EP, B, B-IP, C, C-VT, D Merchant) ...... 13
    PCI DSS Requirement 9.7 (Applicable SAQ Validation Types: A-EP, B, B-IP, C, C-VT, D Merchant) ...... 13
  Media Destruction ...... 13
    PCI DSS Requirement 9.8 (Applicable SAQ Validation Types: A, A-EP, B, B-IP, C, C-VT, D Merchant, P2PE) ...... 13
  Card Acceptance Devices ...... 14
    PCI DSS Requirement 9.9 (Applicable SAQ Validation Types: B, B-IP, C, D Merchant, P2PE) ...... 14
Appendix A – Documentation Requirements by SAQ Validation Type ...... 15
  SAQ A ...... 15
  SAQ A-EP ...... 16
  SAQ B ...... 18
  SAQ B-IP ...... 19
  SAQ C ...... 21
  SAQ C-VT ...... 23
  SAQ D Merchant ...... 25
  SAQ P2PE ...... 27

Copyright © 2016 403 Labs, a division of Sikich LLP. All rights reserved. The information contained within this report may contain information that is privileged, confidential, or otherwise protected from disclosure and is only authorized to be used and viewed by University of California - San Diego. Distribution or copying is strictly prohibited.

Overview

At the request of University of California – San Diego (UCSD), 403 Labs, a division of Sikich LLP (403 Labs), has compiled a summary of selected documentation required by the Payment Card Industry Data Security Standard (PCI DSS). In itemizing the required documentation, 403 Labs used the PCI DSS Requirements and Security Assessment Procedures v3.2, the PCI DSS Template for Report on Compliance v3.2 and the Self-Assessment Questionnaire v3.2 documents available on the PCI Security Standards Council website.

This document contains a specific subset of the PCI DSS documentation requirements selected by UCSD during the deliverable specification process. To help UCSD generate the required content, 403 Labs has included a suggested document type classification for organizing content and a description of the information required for verification when undergoing a PCI DSS compliance assessment. 403 Labs has also broken down documentation requirements by Self-Assessment Questionnaire (SAQ) Validation Type and included tables illustrating the requirements per SAQ type in Appendix A – Documentation Requirements by SAQ Validation Type. Please note that the tables in this appendix cover all SAQ types and are not limited to the priority items designated by UCSD.

Information included in Appendix A – Documentation Requirements by SAQ Validation Type is based upon the requirements defined by the PCI DSS. Merchants must comply with each PCI DSS requirement that is applicable to their environments. The PCI DSS SAQ is a validation tool intended to assist merchants in fulfilling their annual compliance validation and reporting requirements. The PCI SSC designed each SAQ type to meet a specific scenario that represents a common merchant environment. However, in some cases there may be PCI DSS requirements applicable to a merchant environment that are not included in the SAQ type that most closely aligns with the environment. In that case, the PCI SSC guidance is for merchants to consult with their acquiring institutions regarding how the merchant should validate and report on their compliance with those requirements.

The SAQ validation process consists of a series of “PCI DSS Questions,” numbered so that they map onto specific PCI DSS requirements. The questions summarize the overall intent of each requirement and are supplemented with a list of expected testing procedures that prescribe an approach to validating the relevant PCI DSS requirements. It is important for merchants to familiarize themselves with the requirements defined in the PCI DSS in order to confirm whether any requirements not contained in a particular SAQ are applicable to their environments. Please note that your Qualified Security Assessor (QSA) or acquirer may request additional documentation in order to assess your compliance or understand your environment.


Agreements

This document type describes agreements made between merchants and other entities who share responsibility in the management and security of cardholder data and transactions.

Service Provider Security
PCI DSS REQUIREMENT 12.8.2
APPLICABLE SAQ VALIDATION TYPES: A, A-EP, B, B-IP, C, C-VT, D MERCHANT, P2PE

Merchants are required to maintain written agreements with all third-party service providers that include an acknowledgement by the service provider that it is responsible for maintaining all applicable PCI DSS requirements relating to the security of cardholder data or sensitive authentication data it possesses/stores, processes or transmits on behalf of the merchant. Merchants are also required to maintain written agreements with all third-party service providers that manage the merchant’s cardholder data environment (CDE) or provide any services that may impact the security of the merchant’s CDE without explicitly processing, storing or transmitting the actual data.

The intent of the agreement is for the merchant to confirm the service provider’s commitment to maintaining proper security controls for all services that are subject to the PCI DSS requirements and to encourage a consistent understanding between the parties of their PCI DSS responsibilities. The exact wording of an acknowledgement will depend upon (a) the agreement between the two parties, (b) the details of the service being provided and (c) the responsibilities assigned to each party. The acknowledgement does not have to include the exact wording provided in PCI DSS Requirement 12.8.2.


Diagrams

Diagrams help an organization understand and keep track of the scope of its environment. It is critical that these diagrams are kept current and updated whenever changes are made to the environment.

Network
PCI DSS REQUIREMENT 1.1.2
APPLICABLE SAQ VALIDATION TYPES: A-EP, B-IP, C-VT, D MERCHANT

Merchants must maintain network diagrams that identify all connections between the CDE and other networks, including wireless networks. An assessor must be able to verify that the diagram exists, documents all connections to cardholder data and is kept current. Network diagrams should depict the environment in scope, including physical locations and details of the network architecture. In particular, the PCI DSS requires that organizations maintain network diagrams to illustrate (a) the overall environment at a high level, and (b) details of how communication points between networks function and are secured.

High Level Network Diagram

Merchants should maintain one or more high-level logical network diagrams that depict the overall architecture of the in-scope network environment. High-level diagrams should summarize all physical locations and systems (both systems and networks involved with payments, as well as any connected networks), and should include a clear depiction of the following information:

• All connections into and out of the network
• All boundaries between the CDE and other networks, including wireless networks
• Critical components within the CDE (e.g. network components, POS devices, databases, web servers)
• Any other necessary payment components, as applicable

Detailed Network Diagram

Merchants should maintain a detailed logical network diagram for each point of communication/connection between the networks, environments and facilities in scope. The network diagram must be consistent with the organization’s firewall configuration standards. The diagram must be kept current and updated to reflect system changes that affect the CDE. The diagram of each communication point should include a clear depiction of the following information:

• All boundaries of the CDE
• Any network segmentation points used for scope reduction
• Any boundaries between trusted and untrusted networks
• Wireless and wired networks
• All other connection points, as applicable
• Details of how the point of communication/connection functions and is secured, examples of which include (a) the types of devices, (b) device interfaces, (c) the network technologies in use (VLANs, ACLs, etc.), (d) protocols in use and (e) security controls applied to the devices

Cardholder Data Flow
PCI DSS REQUIREMENT 1.1.3
APPLICABLE SAQ VALIDATION TYPES: A-EP, D MERCHANT

Merchants must maintain a current diagram that shows all cardholder data flows across systems and networks. This diagram must be kept current and updated as needed upon changes to the environment. To validate the accuracy of scope, it is necessary to understand all flows of card data in the environment, including:

• All payment acceptance points and the supported payment acceptance methods for each (how the cardholder data is entered into the system: card swipe, manual key entry, etc.)
• All electronic flows of card data across networks, systems and applications (including those not directly related to payments, such as data backup processes)
• All hardcopy or paper media flows
• The details of the elements of card data involved in each data flow, and any security protocols in use for transmission of data
• The purpose of each data flow


Inventories/Lists

The PCI DSS requires an organization to maintain various inventories and lists to help keep track of items such as system components, acceptable technologies, user access and media storage. Assessors also utilize these inventories and lists when performing compliance assessments of an organization’s environment.

Inventory of System Components
PCI DSS REQUIREMENT 2.4
APPLICABLE SAQ VALIDATION TYPES: D MERCHANT

Merchants are required to maintain an inventory of system components in scope for PCI DSS compliance that includes a description of the functions/uses for each component. Although not specifically detailed in the PCI DSS, the PCI SSC has published a PCI DSS glossary that defines a system component as:

“any network component, server, or application included in or connected to the cardholder data environment.”1

It is recommended that components maintained in this inventory include networking devices, servers, workstations, point of sale systems, any application that accesses cardholder data, management software, software that performs security functions, etc. This inventory should include components that reside in systems that:

• Are part of the CDE
• Do not store, process or transmit CHD, but are connected to the CDE
• Could impact the security of the CDE (authentication mechanisms, patch-management systems, anti-virus-management systems, security monitoring tools, log servers, etc.)

List of Roles Needing Access to Displays of Full PAN Data
PCI DSS REQUIREMENT 3.3
APPLICABLE SAQ VALIDATION TYPES: B, B-IP, C, C-VT, D MERCHANT, P2PE

Merchants must maintain a list of roles needing access to displays of full primary account number (PAN) data. This requirement relates to the display of full PAN on screens, paper receipts, printouts, etc. The purpose of this list is to minimize the risk of unauthorized persons gaining access to PAN data. Merchants are required to maintain a list of all business roles that need access to view the full PAN and provide a legitimate business need for each role.

1 Payment Card Industry (PCI) Data Security Standard Glossary, Abbreviations and Acronyms


Inventory of Card Acceptance Devices
PCI DSS REQUIREMENT 9.9.1
APPLICABLE SAQ VALIDATION TYPES: B, B-IP, C, D MERCHANT, P2PE

Merchants must maintain an up-to-date inventory of devices that capture payment card data via direct physical interaction with the card. This inventory must be kept current and updated when devices are added, relocated or decommissioned. The method of maintaining the inventory may be automated through a device management system or manually kept on electronic or paper media. The inventory should include the following:

• Make and model of devices
• Location of devices (for example, the address of the site or facility where the device is located or the name of the personnel to whom the device is assigned)
• Device serial numbers or other methods of unique identification


Policies and Procedures

Documented policies and procedures are key components of PCI DSS requirements. They cover a variety of control areas, both technically from a system level and operationally from a business standpoint. All policies and procedures required by the PCI DSS must be documented, in use and known to all affected parties.

Data Retention and Disposal
PCI DSS REQUIREMENT 3.1
APPLICABLE SAQ VALIDATION TYPES: D MERCHANT, P2PE

Merchants should keep cardholder data storage to a minimum and securely destroy or delete the data as soon as it is no longer needed. This is accomplished by implementing policies and procedures that, at a minimum:

• Limit data storage amounts and retention time to that which is required only for legal, regulatory and/or business requirements
• Define the specific requirements (legal, regulatory, business, etc.) for each instance of cardholder data retention, and the specific retention period required
• Define processes for secure deletion of data when no longer needed for legal, regulatory or business reasons
• Require a quarterly process (automatic or manual) that identifies and securely deletes stored cardholder data that exceeds the defined retention period
• Include all locations of stored cardholder data
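The quarterly process in the list above is usually the hardest bullet to evidence. The following is an added example, not part of the 403 Labs report and not a PCI SSC artifact: it models a retention policy keyed by documented reason, an inventory of stored cardholder data covering every location (database, backup media, paper), and a sweep that finds records past their retention period and passes them to a media-specific secure-deletion procedure. The reasons, retention periods, record identifiers and locations are constructed assumptions.

```python
"""
Quarterly retention sweep (Requirement 3.1): identify stored cardholder data
that exceeds its documented retention period, at every storage location, and
hand it to the documented secure-deletion procedure. All data is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Retention periods per documented reason. The reasons and day counts are
# assumptions standing in for what the merchant's policy would define.
RETENTION_DAYS = {
    "chargeback_defense": 180,
    "tax_record": 365 * 7,
}


@dataclass(frozen=True)
class StoredRecord:
    record_id: str
    location: str   # every place CHD lives: database, backup media, paper files
    reason: str     # must be a documented reason in RETENTION_DAYS
    stored_on: date


def retention_deadline(rec):
    """Undocumented reasons are an error: data with no defined retention
    requirement should not be stored at all."""
    if rec.reason not in RETENTION_DAYS:
        raise ValueError(f"{rec.record_id}: no documented retention reason {rec.reason!r}")
    return rec.stored_on + timedelta(days=RETENTION_DAYS[rec.reason])


def find_expired(records, today):
    """Records past their deadline, grouped by location so the sweep visibly
    covers every location of stored cardholder data."""
    expired = {}
    for rec in records:
        if retention_deadline(rec) < today:
            expired.setdefault(rec.location, []).append(rec.record_id)
    return expired


def quarterly_sweep(records, today, secure_delete):
    """secure_delete(location, record_id) is the media-specific deletion
    procedure (database purge, tape overwrite, shredding) and returns True on
    success; failures are reported rather than silently dropped."""
    report = {"deleted": [], "failed": []}
    for location, ids in find_expired(records, today).items():
        for rid in ids:
            bucket = "deleted" if secure_delete(location, rid) else "failed"
            report[bucket].append((location, rid))
    return report


SAMPLE_RECORDS = [  # constructed inventory of stored cardholder data
    StoredRecord("ord-1001", "orders_db", "chargeback_defense", date(2016, 1, 5)),
    StoredRecord("ord-1002", "orders_db", "chargeback_defense", date(2016, 5, 20)),
    StoredRecord("bk-77", "backup_tape_12", "chargeback_defense", date(2015, 11, 30)),
    StoredRecord("tax-3", "paper_file_cabinet", "tax_record", date(2008, 3, 1)),
]
SWEEP_DATE = date(2016, 6, 16)


def sample_secure_delete(location, record_id):
    # Stand-in for the real procedure: paper files need a manual shredding
    # ticket in this example, so they are reported as not yet deleted.
    return location != "paper_file_cabinet"


def run_sample():
    return quarterly_sweep(SAMPLE_RECORDS, SWEEP_DATE, sample_secure_delete)


if __name__ == "__main__":
    print(run_sample())
```

The report the sweep returns (what was deleted, what could not be) is the evidence an assessor asks for; keeping the failed bucket explicit prevents a paper file or backup tape from quietly outliving its retention period.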

PCI DSS REQUIREMENT 3.2
APPLICABLE SAQ VALIDATION TYPES: A-EP, B, B-IP, C, C-VT, D MERCHANT, P2PE

Sensitive authentication data (SAD) consists of full track data, card security codes or values (CAV2, CID, CVC2, CVV2) and PIN data. SAD cannot be stored after authorization, even if it is encrypted. For organizations that receive any elements of SAD, policies and procedures must contain the following:

• Language prohibiting retention of SAD after payment authorization
• Definition of the processes to render all instances of SAD unrecoverable upon completion of the authorization process
• Data sources covered by these policies and procedures, including:
  o Paper data sources
  o Incoming transaction data
  o All logs
  o History files
  o Trace files
  o Database schemas
  o Database contents
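Logs, history files and trace files are where SAD most often survives unnoticed, so a periodic scan of those sources is a practical way to verify the policy above. The following is an added example, not from the 403 Labs report or the PCI SSC: a small scanner that flags track 1 and track 2 data by their sentinels, card-code fields by their labels, and bare PAN candidates that pass the Luhn check, reporting only a masked value so the scanner never re-emits what it found. The field labels, regular expressions and log lines are constructed assumptions; the card numbers are well-known test numbers.

```python
"""
Detection check for Requirement 3.2: scan text logs, trace files and similar
data sources for sensitive authentication data (track data, card codes) and
cleartext PANs that must not be present after authorization. Findings carry a
masked value only. Sample log lines are constructed and use test card numbers.
"""
import re

# Track 1 begins with the sentinel %B, then PAN, ^name^, then expiry YYMM.
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^(\d{4})")
# Track 2 begins with the sentinel ;, then PAN, '=' and expiry YYMM.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})")
# Card security code fields by their common labels (CVV2, CVC2, CID, CAV2).
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid|cav2|csc)\s*[=:]\s*(\d{3,4})\b", re.IGNORECASE)
# Any bare 13-19 digit run is a PAN candidate; the Luhn check prunes most
# timestamps and reference numbers (roughly one in ten still passes, so
# findings are for review, not proof).
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits):
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """First six and last four only, the most PCI DSS 3.3 allows on display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line):
    """Return (kind, masked_evidence) findings for one line."""
    findings, seen = [], set()
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(line):
            seen.add(m.group(1))      # avoid reporting the same PAN twice
            findings.append((kind, mask_pan(m.group(1))))
    for _ in CVV_RE.finditer(line):
        findings.append(("card_code", "***"))
    for m in PAN_RE.finditer(line):
        pan = m.group(1)
        if pan not in seen and luhn_ok(pan):
            findings.append(("pan", mask_pan(pan)))
    return findings


def scan_log(lines):
    """Map 1-based line number -> findings, for lines that have any."""
    return {n: f for n, f in ((n, scan_line(l)) for n, l in enumerate(lines, 1)) if f}


SAMPLE_LOG = [  # constructed lines; a real scan reads files from each data source
    "2016-06-16 12:00:01 INFO auth id=8812 pan=4111111111111111 cvv2=123 amount=19.99",
    "2016-06-16 12:00:02 DEBUG raw swipe %B4111111111111111^DOE/JOHN^2512101?",
    "2016-06-16 12:00:03 DEBUG raw swipe ;5555555555554444=2512101?",
    "2016-06-16 12:00:04 INFO order 5500 settled ref=20160616000003",
    "2016-06-16 12:00:05 INFO tokenized pan=tok_8f3a9c last4=4444",
]

if __name__ == "__main__":
    for n, findings in scan_log(SAMPLE_LOG).items():
        print(n, findings)
```

Lines 1 to 3 are the failures the 3.2 policy exists to prevent (a PAN plus card code in an application log, and raw track data in debug output); lines 4 and 5 show a reference number rejected by the Luhn check and a tokenized record that is acceptable to keep.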


PCI DSS REQUIREMENT 3.3
APPLICABLE SAQ VALIDATION TYPES: B, B-IP, C, C-VT, D MERCHANT, P2PE

The primary account number (PAN) must be masked to display, at most, the first six digits and the last four digits when displayed. Only personnel with a legitimate business need can see the full PAN. Please note that this requirement pertains to the protection of PAN displayed on screens, paper receipts, printouts, etc. It does not pertain to electronic storage of PAN. Policies and procedures must be written to verify that:

• A list of roles that need access to displays of full PAN is documented and contains a description of the legitimate business need for each role to have such access
• The PAN must be masked when displayed such that only personnel with a legitimate business need can see the full PAN
• All other roles not specifically authorized to see the full PAN must only see masked PANs

PCI DSS REQUIREMENT 3.4
APPLICABLE SAQ VALIDATION TYPES: D MERCHANT

Policies and procedures must include instructions for verifying that the PAN is rendered unreadable anywhere it is stored. This includes the storage of PAN on all media, including portable digital media and backup media. It also includes the storage of PAN in audit logs, including payment application logs. Procedures for verifying this may include reviewing documentation about (a) the vendor, (b) the type of system or process involved and (c) the encryption algorithms (if applicable) used, to verify that the PAN is unreadable. Any of the following methods may be used to render the data unreadable:

• One-way hashes based on strong cryptography; the hash must include the entire PAN
• Truncation
• Index tokens and pads, with the pads being securely stored
• Strong cryptography with associated key management processes

If disk encryption is used, logical access to the encrypted file systems must be managed separately from the native operating system. Local user account databases or general network login credentials cannot be used as authentication methods for access to the encrypted file systems. This requirement applies in addition to all other PCI DSS encryption and key management requirements.
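Requirement 3.3 (masking on display, by documented role) and Requirement 3.4 (rendering stored PAN unreadable) are easy to confuse because both produce a "first six, last four" string, so the following added example, which is not from the 403 Labs report or the PCI SSC, puts the two side by side: a display function that returns the full PAN only to documented roles, a truncation that discards the middle digits for storage, a one-way hash over the entire PAN, and the substring check a 3.4 verification procedure performs on stored fields. The roles, justifications and key are constructed assumptions; the hash uses HMAC-SHA256 rather than a bare digest, a design choice explained below.

```python
"""
PAN display masking (Requirement 3.3) and rendering stored PAN unreadable
(Requirement 3.4). Roles, PANs and keys below are constructed for the example.
"""
import hashlib
import hmac
import secrets

# Roles the (hypothetical) merchant documented as needing full PAN, with the
# business justification the 3.3 role list must record for each.
FULL_PAN_ROLES = {
    "chargeback_analyst": "matches disputes to original authorizations",
    "fraud_investigator": "reviews suspicious transactions with the issuer",
}


def validate_pan(pan):
    if not (pan.isdigit() and 13 <= len(pan) <= 19):
        raise ValueError("PAN must be 13-19 digits")
    return pan


def mask_for_display(pan, role):
    """3.3: only documented roles see the full PAN; everyone else sees at most
    the first six and last four digits."""
    validate_pan(pan)
    if role in FULL_PAN_ROLES:
        return pan
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan):
    """3.4 truncation: the middle digits are discarded, not hidden, so the
    stored value can never yield the full PAN."""
    validate_pan(pan)
    return pan[:6] + pan[-4:]


def hash_pan(pan, key):
    """3.4 one-way hash over the entire PAN. A keyed hash (HMAC-SHA256) is used
    because the set of Luhn-valid PANs under a known BIN is small enough that an
    unkeyed digest could be recomputed for every candidate; the key is handled
    under the 3.5/3.6 key-management procedures."""
    validate_pan(pan)
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def stored_record(pan, key):
    """What lands in the database: an HMAC for lookups plus the truncated
    form for humans. Neither field contains the full PAN."""
    return {"pan_hmac": hash_pan(pan, key), "pan_trunc": truncate_pan(pan)}


def contains_full_pan(stored_value, pan):
    """Verification step from the 3.4 procedures: a stored field (including
    log and backup contents) must not contain the cleartext PAN."""
    return pan in stored_value


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # generated here only for the demonstration
    pan = "4111111111111111"        # well-known test number, not a real card
    print(mask_for_display(pan, "cashier"))
    print(mask_for_display(pan, "fraud_investigator"))
    print(stored_record(pan, key))
```

Storing the hashed and the truncated form of the same PAN together is the case PCI DSS singles out for extra care, since with an unkeyed hash the visible ten digits narrow the search for the hidden ones to a few candidates; keying the hash is the control that keeps the two fields from being correlated back to the full PAN.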

PCI DSS REQUIREMENT 3.5
APPLICABLE SAQ VALIDATION TYPES: D MERCHANT

Procedures must be documented and implemented to protect cryptographic keys used to secure stored cardholder data. These key management policies and procedures are necessary to secure the cardholder data against disclosure or misuse. The procedures specified must include, at a minimum, definitions of processes for the following:

• Restricting all access to keys to the fewest number of custodians necessary
• Using key-encrypting keys at least as strong as the data-encrypting keys they protect
• Storing all key-encrypting keys separately from data-encrypting keys
• Storing all keys securely in the fewest possible locations and forms

PCI DSS REQUIREMENT 3.6
APPLICABLE SAQ VALIDATION TYPES: D MERCHANT

Policy and procedures for cryptographic key management must be fully documented and implemented for all keys used for encryption of cardholder data. Key management procedures must include, at a minimum, definitions of the following:

• Processes for generating strong cryptographic keys
• Procedures for secure distribution of all cryptographic keys, if keys are distributed
• Processes for secure storage of cryptographic keys
• A cryptoperiod (a timespan or a number of encryption operations for which the key type is authorized for use) based on industry-accepted guidelines
• A process for changing keys that have reached the end of the cryptoperiod
• Procedures for retirement or replacement of keys when the integrity of the key has been weakened
• Procedures for replacement of keys known to be, or suspected of being, compromised
• Verification that keys retained after retirement or replacement are not used for encryption and are securely archived
• If manual clear-text cryptographic key-management operations are used, these operations must be managed using split knowledge and dual control
  o It must be verified that (a) key components are under the control of at least two people who only have knowledge of their own key components and (b) at least two people are required to perform any key-management operations and no one person has access to the authentication materials (such as passwords or keys) of another
• Procedures to prevent the unauthorized substitution of keys
• Acknowledgement by key custodians (in writing or electronically) that they understand and accept their key-custodian responsibilities
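The 3.5 and 3.6 bullets describe a key lifecycle, and most of them can be turned into checks that a key-management service enforces rather than a procedure people remember. The following added example, not from the 403 Labs report or the PCI SSC, models the lifecycle for the two key types the text names: key-encrypting keys (KEKs) must be at least as strong as the data-encrypting keys (DEKs) they protect, a cryptoperiod is bounded by both age and operation count, only an active DEK inside its cryptoperiod may encrypt, retired keys are archived for decryption only, a compromised key is marked and every DEK it wraps is listed for re-wrapping, and manual clear-text operations require two custodians with distinct components and signed acknowledgements. Key identifiers, sizes, dates, cryptoperiods and custodians are constructed assumptions; no cipher is involved, only the procedural checks.

```python
"""
Key management lifecycle checks for Requirements 3.5 and 3.6. Keys, dates and
custodians are constructed; the checks are procedural and involve no cipher.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

TODAY = date(2016, 6, 16)   # constructed "current date" for the sample


@dataclass
class KeyRecord:
    key_id: str
    key_type: str             # "dek" (data-encrypting) or "kek" (key-encrypting)
    bits: int
    created: date
    cryptoperiod_days: int    # documented cryptoperiod for this key type
    max_operations: int       # second cryptoperiod bound: number of uses
    operations: int = 0
    state: str = "active"     # active | retired | compromised
    wrapped_by: Optional[str] = None   # KEK protecting this DEK


def cryptoperiod_exhausted(key, today):
    end = key.created + timedelta(days=key.cryptoperiod_days)
    return today >= end or key.operations >= key.max_operations


def select_encryption_key(keys, today):
    """Only an active DEK inside its cryptoperiod may encrypt new data. Retired
    keys are kept for decryption only, compromised keys for nothing."""
    for k in keys.values():
        if k.key_type == "dek" and k.state == "active" and not cryptoperiod_exhausted(k, today):
            return k
    raise RuntimeError("no usable data-encrypting key: rotation required")


def may_decrypt_with(key):
    return key.state in ("active", "retired")


def rotate(keys, old_id, new_id, today):
    """End-of-cryptoperiod change: retire the old key (archived, decrypt-only)
    and create a successor with the same documented parameters."""
    old = keys[old_id]
    old.state = "retired"
    keys[new_id] = KeyRecord(new_id, old.key_type, old.bits, today,
                             old.cryptoperiod_days, old.max_operations,
                             wrapped_by=old.wrapped_by)
    return keys[new_id]


def mark_compromised(keys, key_id):
    """A known or suspected compromise: the key is withdrawn from all use and
    every DEK it wraps must be re-wrapped under a fresh KEK (the list returned)."""
    keys[key_id].state = "compromised"
    return [k.key_id for k in keys.values() if k.wrapped_by == key_id]


def check_key_hierarchy(keys):
    """3.5: each DEK is wrapped by a KEK at least as strong, and KEKs are held
    apart from DEKs (modelled here by the distinct key_type)."""
    problems = []
    for k in keys.values():
        if k.key_type != "dek":
            continue
        kek = keys.get(k.wrapped_by)
        if kek is None or kek.key_type != "kek":
            problems.append(f"{k.key_id}: not wrapped by a KEK")
        elif kek.bits < k.bits:
            problems.append(f"{k.key_id}: KEK {kek.key_id} ({kek.bits}-bit) weaker than DEK ({k.bits}-bit)")
    return problems


# Custodians and whether a signed acknowledgement of responsibilities is on file.
CUSTODIANS = {"alice": True, "bob": True, "carol": False}


def authorize_manual_operation(participants, custodians=CUSTODIANS):
    """Split knowledge and dual control for clear-text key operations: at least
    two custodians, each holding a distinct component, all with a signed
    acknowledgement. participants = [(custodian, component_id), ...]"""
    people = {p for p, _ in participants}
    components = {c for _, c in participants}
    if len(people) < 2 or len(components) != len(participants):
        return False
    return all(custodians.get(p, False) for p in people)


def sample_keys():
    return {k.key_id: k for k in (
        KeyRecord("kek-1", "kek", 256, date(2016, 1, 1), 730, 10**9),
        KeyRecord("dek-2015", "dek", 256, date(2015, 6, 1), 365, 10**6, wrapped_by="kek-1"),
        KeyRecord("dek-2016", "dek", 256, date(2016, 6, 1), 365, 10**6, wrapped_by="kek-1"),
    )}


def sample_weak_hierarchy():
    """Constructed misconfiguration: a 128-bit KEK protecting a 256-bit DEK."""
    return {k.key_id: k for k in (
        KeyRecord("kek-weak", "kek", 128, date(2016, 1, 1), 730, 10**9),
        KeyRecord("dek-a", "dek", 256, date(2016, 1, 1), 365, 10**6, wrapped_by="kek-weak"),
    )}


if __name__ == "__main__":
    keys = sample_keys()
    print(select_encryption_key(keys, TODAY).key_id)
    print(check_key_hierarchy(sample_weak_hierarchy()))
```

In the sample, dek-2015 has passed its one-year cryptoperiod by the sample date, so it is never offered for encryption even though its state is still active; that is the "retained keys are not used for encryption" bullet enforced in code rather than by procedure.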

Physical Access Control
PCI DSS REQUIREMENT 9.1
APPLICABLE SAQ VALIDATION TYPES: A-EP, C, D MERCHANT

Policies and procedures must be defined to use appropriate facility entry controls to limit and monitor physical access to the systems within the CDE. Access controls for computer rooms, data centers and other physical areas with systems in the CDE must implement a mechanism to identify authorized users and to control physical access. Examples include using electronic badges and badge readers, or authorized badges to be worn and displayed at all times in conjunction with a physical lock and key. In addition, system management consoles must always be locked to prevent unauthorized use.


PCI DSS REQUIREMENT 9.1.1
APPLICABLE SAQ VALIDATION TYPES: C, D MERCHANT

Policies and procedures must define methods to monitor the entry/exit points to sensitive areas such as data centers or server rooms. This does not include public-facing areas where point of sale terminals are present. Examples of monitoring methods include the use of video cameras and/or automated access control mechanisms. These mechanisms for monitoring individual physical access must be protected from tampering or disabling. Logs and access data collected from these mechanisms must be periodically reviewed and stored for at least three months.

PCI DSS REQUIREMENT 9.1.2
APPLICABLE SAQ VALIDATION TYPES: B-IP, C, D MERCHANT

Policies and procedures must be defined to implement controls that restrict access to publicly accessible network jacks. This could be accomplished by disabling network jacks in public areas and only enabling them when network access is explicitly authorized. Alternatively, processes may be defined to escort visitors at all times in areas with active network jacks.

PCI DSS REQUIREMENT 9.1.3
APPLICABLE SAQ VALIDATION TYPES: D MERCHANT

Policies and procedures must include controls to restrict physical access to the following network components, either in the CDE or connected to the CDE:

- Wireless access points
- Gateways
- Handheld devices
- Networking and communications hardware
- Telecommunication lines

PCI DSS REQUIREMENT 9.2
APPLICABLE SAQ VALIDATION TYPES: D MERCHANT

Policies and procedures must define facility access controls to easily distinguish between on-site personnel and visitors that include processes for:

- Identifying on-site personnel and visitors (for example, by using visibly distinct badge types for visitors and on-site personnel)
- Restricting access to the identification process to authorized personnel
- Managing changes to individual access requirements
- Revoking access for terminated on-site personnel and expired visitor identification (such as ID badges)


PCI DSS REQUIREMENT 9.3
APPLICABLE SAQ VALIDATION TYPES: D MERCHANT

Policies and procedures for controlling physical access to sensitive areas for on-site personnel must include the following requirements:

- Access must be authorized and based on individual job functions
- Access must be revoked immediately upon termination
- All physical access mechanisms, such as keys and access cards, should be returned or disabled immediately upon termination

PCI DSS REQUIREMENT 9.4
APPLICABLE SAQ VALIDATION TYPES: D MERCHANT

Policies and procedures must define processes to identify and authorize visitors that include the following controls:

- Confirming visitors have been authorized prior to entering the facility and escorting visitors at all times within areas where cardholder data is processed or maintained
- Confirming visitor identification and assigning a badge or other type of identification that expires and that visibly distinguishes visitors from on-site personnel
- Asking visitors to surrender badges or other identification methods before leaving the facility or at the end of the identification expiration period
- Maintaining a visitor log in order to provide an audit trail of visitor activity to the facility that includes:
  o The visitor's name
  o The firm represented
  o The name of on-site personnel authorizing the physical access
- Retaining the visitor log for at least three (3) months

Media Management

PCI DSS REQUIREMENT 9.5
APPLICABLE SAQ VALIDATION TYPES: A, A-EP, B, B-IP, C, C-VT, D MERCHANT, P2PE [2]

Policies and procedures must define processes and controls for physically securing all storage media containing cardholder data, including, but not limited to:

- Computers
- Removable electronic media
- Paper receipts
- Paper reports
- Faxes

[2] This requirement applies to SAQ P2PE merchants that have paper records (e.g., receipts, printed reports) with account data, including PANs.


Policies and procedures for storage of removable backup media (such as tapes) must require that backups are stored in a secure location, preferably an off-site facility, and that the security of the off-site location is reviewed at least annually.

PCI DSS REQUIREMENT 9.6
APPLICABLE SAQ VALIDATION TYPES: A, A-EP, B, B-IP, C, C-VT, D MERCHANT

Policies and procedures must exist to control distribution of media. The policy must cover all distributed media, including media distributed to individuals. Classifying media aids in identifying media that is confidential to minimize the risk of that data being inadequately protected. Policy and procedures for distribution of media must include the following:

- Defined media classification based on sensitivity and handling procedures for each classification that can readily determine the sensitivity of the data
- Requirements for media to be sent by a secure courier or other secure delivery method
- Requirements for accurately tracking media transportation
- Processes to obtain management authorization whenever media is moved from a secured area, including distribution of media to individuals

PCI DSS REQUIREMENT 9.7
APPLICABLE SAQ VALIDATION TYPES: A-EP, B, B-IP, C, C-VT, D MERCHANT

Policies and procedures must define processes for controlling storage and maintenance of all media that retain strict control over the storage and accessibility of media. These processes must include requirements for maintaining inventory logs of all media and for conducting media inventories at least annually.

Media Destruction

PCI DSS REQUIREMENT 9.8
APPLICABLE SAQ VALIDATION TYPES: A, A-EP, B, B-IP, C, C-VT, D MERCHANT, P2PE [3]

Media containing cardholder data must be destroyed when it is no longer needed for business or legal reasons. Policies and procedures for the destruction must contain the following requirements:

- Hard-copy materials must be crosscut shredded, incinerated or pulped such that there is reasonable assurance the hard-copy materials cannot be reconstructed
- Storage containers used for materials that are to be destroyed must be secured
- Cardholder data on electronic media must be rendered unrecoverable (e.g., via a secure wipe program in accordance with industry-accepted standards for secure deletion, or by physically destroying the media)

[3] This requirement applies to SAQ P2PE merchants that have paper records (e.g., receipts, printed reports) with account data, including PANs.


Card Acceptance Devices

PCI DSS REQUIREMENT 9.9
APPLICABLE SAQ VALIDATION TYPES: B, B-IP, C, D MERCHANT, P2PE

Merchants are responsible for the monitoring and protection of all devices that capture payment card data via direct physical interaction. A list of devices should be maintained and kept current. These devices must be inspected periodically to look for signs of tampering or substitution. The type of inspection will depend on the device. The frequency of inspection will depend on the location of the device and factors such as whether the device is attended or unattended (such as a kiosk). The type and frequency of these inspections should be defined in the merchant's annual risk assessment process. Policies and procedures must define processes for:

- Maintaining a current list of all devices (see specifications in the Inventories/Lists section of this document)
- Periodically inspecting all devices to look for evidence of tampering or substitution
- Training personnel to be aware of suspicious behavior and to report any evidence of tampering or substitution of devices; training should include (but not be limited to) the following instructions:
  o Verify the identity of any third-party persons claiming to be repair or maintenance personnel prior to granting them access to modify or troubleshoot devices
  o Do not install, replace or return devices without verification
  o Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices)
  o Report suspicious behavior and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer)


Appendix A – Documentation Requirements by SAQ Validation Type

The following tables provide a high-level list of documentation requirements by Self-Assessment Questionnaire (SAQ) validation type.

SAQ A

The following documentation is required as part of completing SAQ A.

Document Type           | Content                                            | PCI DSS Requirement
------------------------|----------------------------------------------------|--------------------
Agreements              | Service provider security                          | 12
Inventories/Lists       | Media storage                                      | 9
Inventories/Lists       | Service providers                                  | 12
Inventories/Lists       | Service provider responsibilities                  | 12
Logs                    | Media transportation                               | 9
Policies and procedures | User identification and authentication management  | 8
Policies and procedures | Media management                                   | 9
Policies and procedures | Media destruction                                  | 9
Policies and procedures | Engaging service providers                         | 12
Policies and procedures | Managing service providers                         | 12


SAQ A-EP

The following documentation is required as part of completing SAQ A-EP.

Document Type           | Content                                                                    | PCI DSS Requirement
------------------------|----------------------------------------------------------------------------|--------------------
Agreements              | Service provider security                                                  | 12
Configuration standards | Firewall and router                                                        | 1
Configuration standards | System components                                                          | 2
Diagrams                | Network                                                                    | 1
Diagrams                | Cardholder Data Flow                                                       | 1
Inventories/Lists       | Services, protocols and ports, including business justification for each   | 1
Inventories/Lists       | Media storage                                                              | 9
Inventories/Lists       | Service providers                                                          | 12
Inventories/Lists       | Service provider responsibilities                                          | 12
Logs                    | Media transportation                                                       | 9
Logs                    | Audit trails                                                               | 10
Plans                   | SSL/Early TLS: Risk Mitigation and Migration                               | 2
Plans                   | Incident response                                                          | 12
Policies and procedures | Data retention and disposal                                                | 3
Policies and procedures | Data encryption and transmission                                           | 4
Policies and procedures | Anti-virus protection                                                      | 5
Policies and procedures | Risk ranking                                                               | 6
Policies and procedures | Security patching                                                          | 6
Policies and procedures | Change control                                                             | 6
Policies and procedures | Software development                                                       | 6
Policies and procedures | Software development - web applications                                    | 6
Policies and procedures | Access control                                                             | 7
Policies and procedures | User identification and authentication management                          | 8
Policies and procedures | Physical access control                                                    | 9
Policies and procedures | Media management                                                           | 9
Policies and procedures | Media destruction                                                          | 9
Policies and procedures | Audit trails                                                               | 10
Policies and procedures | Log management                                                             | 10
Policies and procedures | Security systems testing                                                   | 11
Policies and procedures | Information security                                                       | 12
Policies and procedures | Security awareness program                                                 | 12
Policies and procedures | Engaging service providers                                                 | 12
Policies and procedures | Managing service providers                                                 | 12


SAQ B

The following documentation is required as part of completing SAQ B.

Document Type           | Content                                                                    | PCI DSS Requirement
------------------------|----------------------------------------------------------------------------|--------------------
Agreements              | Service provider security                                                  | 12
Inventories/Lists       | Roles needing access to displays of full PAN                               | 3
Inventories/Lists       | Card acceptance devices                                                    | 9
Inventories/Lists       | Media storage                                                              | 9
Inventories/Lists       | Approved technology devices and personnel authorized to use the devices    | 12
Inventories/Lists       | Service providers                                                          | 12
Inventories/Lists       | Service provider responsibilities                                          | 12
Logs                    | Media transportation                                                       | 9
Plans                   | Incident response                                                          | 12
Policies and procedures | Data retention and disposal                                                | 3
Policies and procedures | Protecting cardholder data                                                 | 3
Policies and procedures | Data encryption and transmission                                           | 4
Policies and procedures | Access control                                                             | 7
Policies and procedures | Media management                                                           | 9
Policies and procedures | Media destruction                                                          | 9
Policies and procedures | Card acceptance devices                                                    | 9
Policies and procedures | Information security                                                       | 12
Policies and procedures | Technology usage                                                           | 12
Policies and procedures | Security awareness program                                                 | 12
Policies and procedures | Log management                                                             | 12
Policies and procedures | Engaging service providers                                                 | 12
Policies and procedures | Managing service providers                                                 | 12


SAQ B-IP

The following documentation is required as part of completing SAQ B-IP.

Document Type           | Content                                                                    | PCI DSS Requirement
------------------------|----------------------------------------------------------------------------|--------------------
Agreements              | Service provider security                                                  | 12
Diagrams                | Network                                                                    | 1
Inventories/Lists       | Services, protocols and ports, including business justification for each   | 1
Inventories/Lists       | Roles needing access to displays of full PAN                               | 3
Inventories/Lists       | Media storage                                                              | 9
Inventories/Lists       | Card acceptance devices                                                    | 9
Inventories/Lists       | Service providers                                                          | 12
Inventories/Lists       | Service provider responsibilities                                          | 12
Logs                    | Media transportation                                                       | 9
Plans                   | Incident response                                                          | 12
Policies and procedures | Data retention and disposal                                                | 3
Policies and procedures | Protecting cardholder data                                                 | 3
Policies and procedures | Data encryption and transmission                                           | 4
Policies and procedures | Risk ranking                                                               | 6
Policies and procedures | Security patching                                                          | 6
Policies and procedures | Access control                                                             | 7
Policies and procedures | User identification and authentication management                          | 8
Policies and procedures | Physical access control                                                    | 9
Policies and procedures | Media management                                                           | 9
Policies and procedures | Media destruction                                                          | 9
Policies and procedures | Card acceptance devices                                                    | 9
Policies and procedures | Security systems testing                                                   | 11
Policies and procedures | Information security                                                       | 12
Policies and procedures | Technology usage                                                           | 12
Policies and procedures | Security awareness program                                                 | 12
Policies and procedures | Log management                                                             | 12
Policies and procedures | Engaging service providers                                                 | 12
Policies and procedures | Managing service providers                                                 | 12


SAQ C

The following documentation is required as part of completing SAQ C.

Document Type           | Content                                                                    | PCI DSS Requirement
------------------------|----------------------------------------------------------------------------|--------------------
Agreements              | Service provider security                                                  | 12
Configuration standards | Firewall and router                                                        | 1
Configuration standards | System components                                                          | 2
Configuration standards | Wireless environments                                                      | 4
Inventories/Lists       | Roles needing access to displays of full PAN                               | 3
Inventories/Lists       | Media storage                                                              | 9
Inventories/Lists       | Card acceptance devices                                                    | 9
Inventories/Lists       | Authorized wireless access points                                          | 11
Inventories/Lists       | Approved technology devices and personnel authorized to use the devices    | 12
Inventories/Lists       | Service providers                                                          | 12
Inventories/Lists       | Service provider responsibilities                                          | 12
Logs                    | Media transportation                                                       | 9
Logs                    | Audit trails                                                               | 10
Plans                   | SSL/Early TLS: Risk Mitigation and Migration Plan                          | 2
Plans                   | Incident response                                                          | 12
Policies and procedures | Data retention and disposal                                                | 3
Policies and procedures | Data encryption and transmission                                           | 4
Policies and procedures | Anti-virus protection                                                      | 5
Policies and procedures | Risk ranking                                                               | 6
Policies and procedures | Security patching                                                          | 6
Policies and procedures | Software development                                                       | 6
Policies and procedures | Access control                                                             | 7
Policies and procedures | User identification and authentication management                          | 8
Policies and procedures | Physical access control                                                    | 9
Policies and procedures | Media management                                                           | 9
Policies and procedures | Media destruction                                                          | 9
Policies and procedures | Card acceptance devices                                                    | 9
Policies and procedures | Audit trails                                                               | 10
Policies and procedures | Log management                                                             | 10
Policies and procedures | Security systems testing                                                   | 11
Policies and procedures | Information security                                                       | 12
Policies and procedures | Technology usage                                                           | 12
Policies and procedures | Security awareness program                                                 | 12
Policies and procedures | Engaging service providers                                                 | 12
Policies and procedures | Managing service providers                                                 | 12


SAQ C-VT

The following documentation is required as part of completing SAQ C-VT.

Document Type           | Content                                                                    | PCI DSS Requirement
------------------------|----------------------------------------------------------------------------|--------------------
Agreements              | Service provider security                                                  | 12
Configuration standards | Firewall and router                                                        | 1
Configuration standards | System components                                                          | 2
Configuration standards | Wireless environments                                                      | 4
Diagrams                | Network                                                                    | 1
Inventories/Lists       | Roles needing access to displays of full PAN                               | 3
Inventories/Lists       | Media storage                                                              | 9
Inventories/Lists       | Approved technology devices and personnel authorized to use the devices    | 12
Inventories/Lists       | Service providers                                                          | 12
Inventories/Lists       | Service provider responsibilities                                          | 12
Logs                    | Media transportation                                                       | 9
Plans                   | SSL/Early TLS: Risk Mitigation and Migration Plan                          | 2
Plans                   | Incident response                                                          | 12
Policies and procedures | Data retention and disposal                                                | 3
Policies and procedures | Data encryption and transmission                                           | 4
Policies and procedures | Anti-virus protection                                                      | 5
Policies and procedures | Risk ranking                                                               | 6
Policies and procedures | Security patching                                                          | 6
Policies and procedures | Software development                                                       | 6
Policies and procedures | Access control                                                             | 7
Policies and procedures | Media management                                                           | 9
Policies and procedures | Media destruction                                                          | 9
Policies and procedures | Log management                                                             | 10
Policies and procedures | Information security                                                       | 12
Policies and procedures | Technology usage                                                           | 12
Policies and procedures | Security awareness program                                                 | 12
Policies and procedures | Engaging service providers                                                 | 12
Policies and procedures | Managing service providers                                                 | 12


SAQ D Merchant

The following documentation is required as part of completing SAQ D Merchant.

Document Type           | Content                                                                    | PCI DSS Requirement
------------------------|----------------------------------------------------------------------------|--------------------
Agreements              | Service provider security                                                  | 12
Configuration standards | Firewall and router                                                        | 1
Configuration standards | System components                                                          | 2
Configuration standards | Wireless environments                                                      | 4
Configuration standards | Time synchronization                                                       | 10
Diagrams                | Network                                                                    | 1
Diagrams                | Cardholder data flow                                                       | 1
Inventories/Lists       | Services, protocols and ports, including business justification for each   | 1
Inventories/Lists       | System components                                                          | 2
Inventories/Lists       | Roles needing access to displays of full PAN                               | 3
Inventories/Lists       | Users who have access to cryptographic keys                                | 3
Inventories/Lists       | Media storage                                                              | 9
Inventories/Lists       | Card acceptance devices                                                    | 9
Inventories/Lists       | Authorized wireless access points                                          | 11
Inventories/Lists       | Approved technology devices and personnel authorized to use the devices    | 12
Inventories/Lists       | Company-approved technology devices                                        | 12
Inventories/Lists       | Service providers                                                          | 12
Inventories/Lists       | Service provider responsibilities                                          | 12
Logs                    | Network connection changes                                                 | 1
Logs                    | Data center and computer room visitors                                     | 9
Logs                    | Media transportation                                                       | 9
Logs                    | Audit trails                                                               | 10
Plans                   | SSL/Early TLS: Risk Mitigation and Migration Plan                          | 4
Plans                   | Risk assessment                                                            | 12
Plans                   | Incident response                                                          | 12
Policies and procedures | Data retention and disposal                                                | 3
Policies and procedures | Encryption key management                                                  | 3
Policies and procedures | Protecting cardholder data                                                 | 3
Policies and procedures | Data encryption and transmission                                           | 4
Policies and procedures | Anti-virus protection                                                      | 5
Policies and procedures | Risk ranking                                                               | 6
Policies and procedures | Security patching                                                          | 6
Policies and procedures | Software development                                                       | 6
Policies and procedures | Change control                                                             | 6
Policies and procedures | Software development - web applications                                    | 6
Policies and procedures | Access control                                                             | 7
Policies and procedures | User identification and authentication management                          | 8
Policies and procedures | Physical access control                                                    | 9
Policies and procedures | Media management                                                           | 9
Policies and procedures | Media destruction                                                          | 9
Policies and procedures | Card acceptance devices                                                    | 9
Policies and procedures | Audit trails                                                               | 10
Policies and procedures | Time synchronization                                                       | 10
Policies and procedures | Log management                                                             | 10
Policies and procedures | Security systems testing                                                   | 11
Policies and procedures | Information security                                                       | 12
Policies and procedures | Technology usage                                                           | 12
Policies and procedures | Security awareness program                                                 | 12
Policies and procedures | Engaging service providers                                                 | 12
Policies and procedures | Managing service providers                                                 | 12


SAQ P2PE

The following documentation is required as part of completing SAQ P2PE.

Document Type           | Content                                                                    | PCI DSS Requirement
------------------------|----------------------------------------------------------------------------|--------------------
Agreements              | Service provider security                                                  | 12
Inventories/Lists       | Roles needing access to displays of full PAN                               | 3
Inventories/Lists       | Card acceptance devices                                                    | 9
Inventories/Lists       | Service providers                                                          | 12
Inventories/Lists       | Service provider responsibilities                                          | 12
Plans                   | Incident response                                                          | 12
Policies and procedures | Data retention and disposal                                                | 3
Policies and procedures | Protecting cardholder data                                                 | 3
Policies and procedures | Data encryption and transmission                                           | 4
Policies and procedures | Media management                                                           | 9
Policies and procedures | Media destruction                                                          | 9
Policies and procedures | Card acceptance devices                                                    | 9
Policies and procedures | Information security                                                       | 12
Policies and procedures | Security awareness program                                                 | 12
Policies and procedures | Engaging service providers                                                 | 12
Policies and procedures | Managing service providers                                                 | 12


© 2016 403 Labs, a division of Sikich LLP. All Rights Reserved.

Limitation of Liability: 403 Labs is not responsible for photographic or typographic errors. In no event is 403 Labs or its licensors liable for any indirect, punitive, incidental, special, consequential or other damages whatsoever, whether arising out of or in any way connected with the use or performance of services, related deliverables or related websites, with the delay or inability to use any deliverables, services, related equipment or related websites, the provision of or failure to provide services, or otherwise arising out of the use of services, whether based on contract, strict liability or otherwise.

Warranty: This report and services are delivered AS IS, and 403 Labs does not and cannot warrant the accuracy, performance or results obtained by using recommendations provided during any service or that the results or recommendations will be error-free or complete. 403 Labs makes no warranty that the services will detect all vulnerabilities or any particular vulnerability or that the services will provide the most recently developed or distributed vulnerability checks. 403 Labs makes no warranties, express or implied, as to noninfringement of third-party rights, merchantability or fitness for any particular purpose.

Trademarks: 403 Labs and 403 Secured are registered and/or common law trademarks of Sikich LLP. 403 Labs's mark may not be used in connection with any product or service that is not 403 Labs's in any manner that is likely to cause confusion, or in any manner that disparages or discredits 403 Labs. Microsoft and Windows are trademarks or registered trademarks of Microsoft Corporation. Other company, product and service names may be trademarks or service marks of others.

403 Labs, a division of Sikich LLP
877.403.LABS (5227)
[email protected]
http://www.403labs.com
