PCI DSS Documentation Requirements: Phase I University of California – San Diego

SUMMARY DOCUMENT
PCI DSS
Documentation
Requirements: Phase I
University of California – San Diego
A division of Sikich LLP
Jano Kray, QSA
Manager, Higher Education
jkray@sikich.com
877.403.LABS (5227) x223
Created July 31, 2015
Last updated August 24, 2015
PCI DSS DOCUMENTATION REQUIREMENTS: PHASE I
Contents
Overview
Agreements
  Service Provider Security
    PCI DSS Requirement 12.8.2
    Applicable SAQ Validation Types: A, A-EP, B, B-IP, C, C-VT, D Merchant, P2PE-HW
Diagrams
  Network
    PCI DSS Requirement 1.1.2
    Applicable SAQ Validation Types: A-EP, B-IP, C-VT, D Merchant
  Cardholder Data Flow
    PCI DSS Requirement 1.1.3
    Applicable SAQ Validation Types: D Merchant
Inventories/Lists
  Inventory of System Components
    PCI DSS Requirement 2.4
    Applicable SAQ Validation Types: A-EP, B-IP, C, C-VT, D Merchant
  Roles Needing Access to Displays of Full Primary Account Number (PAN)
    PCI DSS Requirement 3.3
    Applicable SAQ Validation Types: B, B-IP, C, C-VT, D Merchant
  Inventory of Card Acceptance Devices
    PCI DSS Requirement 9.9.1
    Applicable SAQ Validation Types: B, B-IP, C, D Merchant, P2PE-HW
Policies and Procedures
  Data Retention and Disposal
    PCI DSS Requirement 3.1
    Applicable SAQ Validation Types: D Merchant, P2PE-HW
    PCI DSS Requirement 3.2
    Applicable SAQ Validation Types: A-EP, B, B-IP, C, C-VT, D Merchant, P2PE-HW
    PCI DSS Requirement 3.3
    Applicable SAQ Validation Types: B, B-IP, C, C-VT, D Merchant, P2PE-HW
    PCI DSS Requirement 3.4
    Applicable SAQ Validation Types: D Merchant
    PCI DSS Requirement 3.5
    Applicable SAQ Validation Types: D Merchant
Copyright © 2015 403 Labs, a division of Sikich LLP. All rights reserved. The information contained within this report may contain
information that is privileged, confidential, or otherwise protected from disclosure and is only authorized to be used and viewed by
University of California - San Diego. Distribution or copying is strictly prohibited.
    PCI DSS Requirement 3.6
    Applicable SAQ Validation Types: D Merchant
  Physical Access Control
    PCI DSS Requirement 9.1
    Applicable SAQ Validation Types: A-EP, D Merchant
    PCI DSS Requirement 9.1.1
    Applicable SAQ Validation Types: D Merchant
    PCI DSS Requirement 9.1.2
    Applicable SAQ Validation Types: B-IP, C, D Merchant
    PCI DSS Requirement 9.1.3
    Applicable SAQ Validation Types: D Merchant
    PCI DSS Requirement 9.2
    Applicable SAQ Validation Types: D Merchant
    PCI DSS Requirement 9.3
    Applicable SAQ Validation Types: D Merchant
    PCI DSS Requirement 9.4
    Applicable SAQ Validation Types: D Merchant
  Media Management
    PCI DSS Requirement 9.5
    Applicable SAQ Validation Types: A, A-EP, B, B-IP, C, C-VT, D Merchant, P2PE-HW
    PCI DSS Requirement 9.6
    Applicable SAQ Validation Types: A, A-EP, B, B-IP, C, C-VT, D Merchant
    PCI DSS Requirement 9.7
    Applicable SAQ Validation Types: A-EP, B, B-IP, C, C-VT, D Merchant
  Media Destruction
    PCI DSS Requirement 9.8
    Applicable SAQ Validation Types: A, A-EP, B, B-IP, C, C-VT, D Merchant, P2PE-HW
  Card Acceptance Devices
    PCI DSS Requirement 9.9
    Applicable SAQ Validation Types: B, B-IP, C, D Merchant
Appendix A – Document Requirements by SAQ Validation Type
  SAQ A
  SAQ A-EP
  SAQ B
  SAQ B-IP
  SAQ C
  SAQ C-VT
  SAQ D Merchant
  SAQ P2PE-HW
Overview
At the request of University of California – San Diego (UCSD), 403 Labs, a division of Sikich LLP
(403 Labs), has compiled a summary of the documentation required by the Payment Card Industry
Data Security Standard (PCI DSS). In itemizing the required documentation, 403 Labs used the
PCI DSS Requirements and Security Assessment Procedures v3.1, the PCI DSS Template for
Report on Compliance, and the Self-Assessment Questionnaire v3.1 documents available on
the PCI Security Standards Council (PCI SSC) website.
In an effort to help UCSD generate required content, 403 Labs has included a suggested
document type classification for organizing content and a description of the information required
for verification when undergoing a PCI DSS compliance assessment.
403 Labs has also broken down documentation requirements by Self-Assessment Questionnaire
(SAQ) Validation Type and included tables illustrating the requirements per SAQ type in this
document.
As requested by UCSD, 403 Labs has provided this draft document, which contains a subset of
the required documentation highlighting those topics that UCSD designated as priority items for
initial delivery. In its final form, the document will contain descriptions pertaining to all document
requirements expressly specified in the PCI DSS.
In addition to the tables below, and as part of the final version of this document, 403 Labs will
provide a detailed spreadsheet of PCI DSS documentation requirements broken down by PCI
DSS requirement and SAQ Validation Type.
Please note that this itemized list is based upon the requirements defined by the PCI DSS.
Merchants must comply with each PCI DSS requirement that is applicable to their environments.
The PCI DSS SAQ is a validation tool intended to assist merchants in the process of fulfilling their
annual compliance validation and reporting requirements. The PCI SSC designed each of the SAQ
types to meet a specific scenario that represents a common merchant environment. However, in
some cases, there may be PCI DSS requirements applicable to a merchant environment that are
not included in the SAQ type that most closely aligns with the environment. In that case, the PCI
SSC guidance is for merchants to consult with their acquiring institutions regarding how the
merchant should validate and report on their compliance with those requirements.
The SAQ validation process consists of a series of “PCI DSS Questions,” which are numbered in
such a way that they map onto specific PCI DSS requirements. The questions summarize the
overall intent of the requirement and are supplemented with a list of expected testing procedures
that prescribe an approach to validating the relevant PCI DSS requirements. It is important for
merchants to familiarize themselves with the requirements defined in the PCI DSS in order to confirm
whether any requirements not contained in a particular SAQ are applicable to their environments.
Please note that your Qualified Security Assessor (QSA) or acquirer may request additional
documentation in order to assess your compliance or understand your environment.
Agreements
This document type describes agreements made between merchants and other entities who share
responsibility in the management and security of cardholder data and transactions.
Service Provider Security
PCI DSS REQUIREMENT 12.8.2
APPLICABLE SAQ VALIDATION TYPES: A, A-EP, B, B-IP, C, C-VT, D MERCHANT, P2PE-HW
Merchants are required to maintain written agreements with all third-party service providers that
include an acknowledgement by the service provider that it is responsible for maintaining all
applicable PCI DSS requirements relating to the security of cardholder data or sensitive
authentication data it possesses, stores, processes or transmits on behalf of the merchant.
Merchants are also required to maintain written agreements with all third-party service providers
that manage the merchant’s cardholder data environment (CDE) or any services that may impact
the security of the merchant’s CDE while not explicitly processing, storing or transmitting the
actual data.
The intent of the agreement is for the merchant to confirm the service provider’s commitment to
maintaining proper security controls for all services that are subject to the PCI DSS requirements
and to encourage a consistent understanding between the parties of their PCI DSS
responsibilities. The exact wording of an acknowledgement will depend upon (a) the agreement
between the two parties, (b) the details of the service being provided and (c) the responsibilities
assigned to each party. The acknowledgement does not have to include the exact wording
provided in PCI DSS Requirement 12.8.2.
Diagrams
Diagrams help an organization to understand and keep track of the scope of their environment. It
is critical that these diagrams are kept current and updated upon making changes to the
environment.
Network
PCI DSS REQUIREMENT 1.1.2
APPLICABLE SAQ VALIDATION TYPES: A-EP, B-IP, C-VT, D MERCHANT
Merchants must maintain network diagrams that identify all connections between the CDE and
other networks, including wireless networks. An assessor must be able to verify that the diagram
exists, documents all connections to cardholder data and is kept current.
Network diagrams should depict the environment in scope, including physical locations and
details of the network architecture. In particular, the PCI DSS requires that organizations maintain
network diagrams to illustrate (a) the overall environment from a high-level, and (b) details of how
communication points between networks function and are secured.
High Level Network Diagrams
Merchants should maintain one or more high-level logical network diagrams that depict the overall
architecture of the in-scope network environment. High-level diagrams should summarize all
physical locations and systems (both systems and networks involved with payments, as well as
any connected networks), and should include a clear depiction of the following information:
- All connections into and out of the network
- All boundaries between the CDE and other networks
- Critical components within the CDE (e.g. network components, POS devices, databases,
  web servers)
- Any other necessary payment components, as applicable
Detailed Network Diagrams
Merchants should maintain a detailed logical network diagram for each point of
communication/connection between the networks, environments and facilities in scope. The
diagram of each communication point should include a clear depiction of the following
information:
- All boundaries of the CDE
- Any network segmentation points used for scope reduction
- Any boundaries between trusted and untrusted networks
- Wireless and wired networks
- All other connection points, as applicable
- Details of how the point of communication/connection functions and is secured,
  examples of which include (a) the types of devices, (b) device interfaces, (c) the network
  technologies in use (VLANs, ACLs, etc.), (d) protocols in use and (e) security controls
  applied to the devices
Cardholder Data Flow
PCI DSS REQUIREMENT 1.1.3
APPLICABLE SAQ VALIDATION TYPES: D MERCHANT
Merchants must maintain a current diagram that shows all cardholder data flows across systems
and networks. This diagram must be kept current and updated as needed upon changes to the
environment. To validate the accuracy of scope, it is necessary to understand all flows of card
data in the environment, including:
- All payment acceptance points, and the supported payment acceptance methods for
  each (how the cardholder data is entered into the system: card swipe, manual key entry,
  etc.)
- All electronic flows of card data across networks, systems and applications (including
  those not directly related to payments, such as data backup processes)
- All hardcopy or paper media flows
- The details of the elements of card data involved in each data flow, and any security
  protocols in use for transmission of data
- The purpose of each data flow
Inventories/Lists
The PCI DSS requires an organization to maintain various inventories and lists to help keep track
of items such as system components, acceptable technologies, user access and media storage.
Assessors also utilize these inventories and lists when performing compliance assessments of an
organization’s environment.
Inventory of System Components
PCI DSS REQUIREMENT 2.4
APPLICABLE SAQ VALIDATION TYPES: A-EP, B-IP, C, C-VT, D MERCHANT
Merchants are required to maintain an inventory of system components in scope for PCI DSS
compliance that includes a description of the functions/uses for each component. Although not
specifically detailed in the PCI DSS, the PCI SSC has published a PCI DSS glossary that defines a
system component as:
“any network component, server, or application included in or
connected to the cardholder data environment.”1
It is recommended that the components maintained in this inventory include networking devices,
servers, workstations, point-of-sale systems, any application that accesses cardholder data,
management software, software that performs security functions, etc.
This inventory should include components that:
- Are part of the CDE
- Do not store, process or transmit CHD, but are connected to the CDE
- Could impact the security of the CDE (authentication mechanisms, patch-management
  systems, anti-virus-management systems, security monitoring tools, log servers, etc.)
Roles Needing Access to Displays of Full Primary
Account Number (PAN)
PCI DSS REQUIREMENT 3.3
APPLICABLE SAQ VALIDATION TYPES: B, B-IP, C, C-VT, D MERCHANT
Merchants must maintain a list of roles needing access to displays of full PAN data. This
requirement relates to the display of full PAN on screens, paper receipts, printouts, etc. The
purpose of this list is to minimize the risk of unauthorized persons gaining access to PAN data.
Merchants are required to maintain a list of all business roles that need access to view the full
PAN and provide a business justification for each role.
1 Payment Card Industry (PCI) Data Security Standard Glossary, Abbreviations and Acronyms
Inventory of Card Acceptance Devices
PCI DSS REQUIREMENT 9.9.1
APPLICABLE SAQ VALIDATION TYPES: B, B-IP, C, D MERCHANT, P2PE-HW
Merchants must maintain an up-to-date inventory of devices that capture payment card data via
direct physical interaction with the card. This inventory must be kept current and updated when
devices are added, relocated or decommissioned. The method of maintaining the inventory may
be automated through a device management system or manually kept on electronic or paper
media.
The inventory should include the following:
- Make and model of devices
- Location of devices (for example, the address of the site or facility where the device is
  located or the name of the personnel to whom the device is assigned)
- Device serial numbers or other methods of unique identification
Policies and Procedures
Documented policies and procedures are key components of PCI DSS requirements. They cover a
variety of control areas, both technically from a system level and operationally from a business
standpoint. All policies and procedures required by the PCI DSS must be documented, in use and
known to all affected parties.
Data Retention and Disposal
PCI DSS REQUIREMENT 3.1
APPLICABLE SAQ VALIDATION TYPES: D MERCHANT, P2PE-HW
Merchants should keep cardholder data storage to a minimum and securely destroy or delete the
data as soon as it is no longer needed. This is accomplished by implementing policies and
procedures that, at a minimum:
- Limit data storage amount and retention time to that which is required for legal,
  regulatory and/or business requirements
- Define the specific requirements (legal, regulatory, business, etc.) for each instance of
  cardholder data retention, and the specific retention period required
- Define processes for secure deletion of data
- Require a quarterly process (automatic or manual) that identifies and securely deletes
  stored cardholder data that exceeds the defined retention period
- Include all locations of stored cardholder data
PCI DSS REQUIREMENT 3.2
APPLICABLE SAQ VALIDATION TYPES: A-EP, B, B-IP, C, C-VT, D MERCHANT, P2PE-HW
Sensitive authentication data (SAD) consists of full track data, card security codes or values
(CAV2, CID, CVC2, CVV2) and PIN data. SAD cannot be stored after authorization, even if it is
encrypted.
For organizations that receive any elements of SAD, policies and procedures must contain the
following:
- Language prohibiting retention of SAD after payment authorization
- Definition of the processes to render all instances of SAD unrecoverable upon completion
  of the authorization process
- Data sources covered by these policies and procedures, including:
  o Incoming transaction data
  o All logs
  o History files
  o Trace files
  o Databases
PCI DSS REQUIREMENT 3.3
APPLICABLE SAQ VALIDATION TYPES: B, B-IP, C, C-VT, D MERCHANT, P2PE-HW
When displayed, the primary account number (PAN) must be masked so that at most the first six
and the last four digits are visible. Only personnel with a legitimate business need may see the full
PAN. Please note that this requirement pertains to the protection of PAN displayed on screens,
paper receipts, printouts, etc. It does not pertain to electronic storage of PAN, which is covered by
Requirement 3.4.
Policies and procedures must be written to verify that:
- A list of roles that need access to displays of full PAN is documented and contains a
  description of the business need for each role to have such access
- The PAN is masked when displayed such that only personnel with a legitimate
  business need can see the full PAN
- All other roles not specifically authorized to see the full PAN see only masked PANs
PCI DSS REQUIREMENT 3.4
APPLICABLE SAQ VALIDATION TYPES: D MERCHANT
Policies and procedures must include instructions for verifying that the PAN is rendered
unreadable anywhere it is stored. This includes the storage of PAN on all media, including portable
digital media, backup media and logs. Procedures for verifying this may include reviewing
documentation about (a) the vendor, (b) the type of system or process involved and (c) the
encryption algorithms (if applicable) used, to verify that the PAN is unreadable.
Any of the following methods may be used to render the data unreadable:
- One-way hashes based on strong cryptography; the hash must include the entire PAN
- Truncation
- Index tokens and pads, with the pads being securely stored
- Strong cryptography with associated key-management processes
Note that where both a truncated and a hashed version of the same PAN exist in the environment,
additional controls must be in place to ensure that the two cannot be correlated to reconstruct the
original PAN.
If disk encryption is used, logical access to the encrypted file systems must be managed
separately from the native operating system. Local user account databases or general network
login credentials cannot be used as authentication methods for access to the encrypted file
systems.
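The following Python module is an added example and is not part of the 403 Labs document. It ties together the display masking of Requirement 3.3 and the truncation and hashing options of Requirement 3.4, and shows why a truncated PAN stored alongside an unkeyed hash of the same PAN is not unreadable: for a 16-digit PAN only six digits are unknown, the Luhn check digit fixes one of them, and roughly 100,000 hash operations recover the full number. The function names, the HMAC-SHA-256 keyed hash and the constructed test PAN are this example's own assumptions.

```python
"""Added example (not from the 403 Labs document): PAN masking (Req. 3.3),
truncation and hashing (Req. 3.4), and recovery of a PAN from a truncated
copy plus an unkeyed hash. TEST_PAN is a constructed Luhn-valid test number,
not a real card number. Names and the HMAC scheme are this example's choices."""
import hashlib
import hmac
import itertools
from typing import Optional

TEST_PAN = "4111111111111111"  # constructed test number


def _digits(pan: str) -> str:
    """Strip spaces/dashes and check the PAN length (13 to 19 digits)."""
    d = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(d) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    return d


def luhn_sum(pan: str) -> int:
    """Luhn sum: every second digit from the right is doubled (minus 9 if the
    result exceeds 9). A valid PAN has a sum divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total


def luhn_valid(pan: str) -> bool:
    return luhn_sum(pan) % 10 == 0


def mask_pan(pan: str, role_may_view_full_pan: bool = False) -> str:
    """Req. 3.3: at most the first six and last four digits are shown unless
    the caller's role is on the documented list of roles needing the full PAN."""
    d = _digits(pan)
    if role_may_view_full_pan:
        return d
    return d[:6] + "*" * (len(d) - 10) + d[-4:]


def truncate_pan(pan: str) -> str:
    """Req. 3.4 truncation: retain only the first six and last four digits."""
    d = _digits(pan)
    return d[:6] + d[-4:]


def hash_pan_unkeyed(pan: str) -> str:
    """One-way hash over the entire PAN with no secret input."""
    return hashlib.sha256(_digits(pan).encode()).hexdigest()


def hash_pan_keyed(pan: str, key: bytes) -> str:
    """HMAC-SHA-256 over the entire PAN. The key is managed under the Req. 3.5
    and 3.6 procedures; without it the digest cannot be enumerated."""
    return hmac.new(key, _digits(pan).encode(), hashlib.sha256).hexdigest()


def recover_pan(truncated: str, digest: str, length: int = 16) -> Optional[str]:
    """Given a truncated PAN (first six + last four) and an UNKEYED SHA-256 of
    the same PAN, enumerate the missing middle digits. One middle digit is
    derived from the Luhn check, so a 16-digit PAN needs only 10**5 hashes."""
    first6, last4 = truncated[:6], truncated[6:]
    free = length - 10 - 1  # middle digits enumerated; the last one is derived
    for prefix in itertools.product("0123456789", repeat=free):
        stem = first6 + "".join(prefix)
        # The derived digit is at offset 4 from the right (just left of the
        # last four), an even offset, so it is never doubled: it adds itself.
        missing = (-luhn_sum(stem + "0" + last4)) % 10
        candidate = stem + str(missing) + last4
        if hashlib.sha256(candidate.encode()).hexdigest() == digest:  # = hash_pan_unkeyed
            return candidate
    return None


if __name__ == "__main__":
    print(mask_pan(TEST_PAN))  # 411111******1111
    stored = (truncate_pan(TEST_PAN), hash_pan_unkeyed(TEST_PAN))
    print(recover_pan(*stored))  # full PAN recovered from truncation + unkeyed hash
    key = b"\x00" * 32  # placeholder; a real key is generated and protected per Req. 3.6
    print(recover_pan(truncate_pan(TEST_PAN), hash_pan_keyed(TEST_PAN, key)))  # None
```

The enumeration succeeds against any unkeyed hash regardless of the algorithm chosen, because the search space is the PAN, not the hash. A keyed hash is only as unreadable as its key, which is why the key-management procedures in Requirements 3.5 and 3.6 apply to it.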
PCI DSS REQUIREMENT 3.5
APPLICABLE SAQ VALIDATION TYPES: D MERCHANT
Procedures must be documented and implemented to protect cryptographic keys used to secure
stored cardholder data. These key management policies and procedures are necessary to secure
the cardholder data against disclosure or misuse. The procedures specified must include, at a
minimum, definitions of processes for the following:
- Restricting all access to keys to the fewest number of custodians necessary
- Using key-encrypting keys at least as strong as the data-encrypting keys they protect
- Storing all key-encrypting keys separately from data-encrypting keys
- Storing all keys securely in the fewest possible locations and forms
PCI DSS REQUIREMENT 3.6
APPLICABLE SAQ VALIDATION TYPES: D MERCHANT
Policy and procedures for cryptographic key management must be fully documented and
implemented for all keys used for encryption of cardholder data. Key management procedures
must include, at a minimum, definitions of the following:
- Processes for generating strong cryptographic keys
- Procedures for secure distribution of all cryptographic keys, if keys are distributed
- Processes for secure storage of cryptographic keys
- A cryptoperiod (a timespan or a number of encryption operations for which the key type
  is authorized for use) based on industry-accepted guidelines
- A process for changing keys that have reached the end of the cryptoperiod
- Procedures for retirement or replacement of keys when the integrity of the key has been
  weakened
- Procedures for replacement of keys known to be, or suspected of being, compromised
- Verification that keys retained after retirement or replacement are not used for encryption
  and are securely archived
- If manual clear-text cryptographic key-management operations are used, these
  operations must be managed using split knowledge and dual control
  o It must be verified that (a) key components are under the control of at least two
    people who only have knowledge of their own key components and (b) at least
    two people are required to perform any key-management operation and no one
    person has access to the authentication materials (such as passwords or keys)
    of another
- Procedures to prevent the unauthorized substitution of keys
- Acknowledgement by key custodians (in writing or electronically) that they understand
  and accept their key-custodian responsibilities
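The following Python example is added here and is not from the 403 Labs document. It shows one mechanism behind the split knowledge and dual control item above: a key held only as XOR components, each known to a single custodian, together with a key check value (KCV) recorded when the key is split so that the assembled key can be verified, and a missing or substituted component detected, without exposing the key. The component scheme, the SHA-256-based KCV and the function names are this example's own assumptions, not anything the PCI DSS prescribes.

```python
"""Added example (not from the 403 Labs document): split knowledge and dual
control for a manual clear-text key-management operation (Req. 3.6). The key
exists only as XOR components, one per custodian; any subset of components
short of the full set is uniformly random and reveals nothing. The component
format and the SHA-256-based KCV are this example's own assumptions."""
import secrets
from hashlib import sha256
from typing import Sequence


def generate_key(length: int = 32) -> bytes:
    """Strong key generation from the OS CSPRNG (32 bytes suits AES-256)."""
    return secrets.token_bytes(length)


def xor_all(parts: Sequence[bytes]) -> bytes:
    """XOR an arbitrary number of equal-length byte strings."""
    out = bytes(len(parts[0]))
    for p in parts:
        if len(p) != len(out):
            raise ValueError("all components must have the key length")
        out = bytes(a ^ b for a, b in zip(out, p))
    return out


def split_key(key: bytes, custodians: int) -> list[bytes]:
    """Split knowledge: n-1 components are fresh random bytes and the last is
    key XOR (all others). Each custodian receives exactly one component."""
    if custodians < 2:
        raise ValueError("split knowledge requires at least two custodians")
    parts = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    parts.append(xor_all([key] + parts))
    return parts


def key_check_value(secret: bytes) -> str:
    """KCV: a short, non-reversing fingerprint (assumed scheme: first 3 bytes of
    SHA-256) recorded on the key inventory to confirm correct entry of a
    component or of the assembled key without revealing it."""
    return sha256(secret).hexdigest()[:6]


def load_key_ceremony(presented: Sequence[bytes], expected_kcv: str) -> bytes:
    """Dual control: the key is formed only from every component presented
    together, and accepted only if it matches the KCV recorded at split time.
    A missing, mistyped or substituted component yields a different KCV."""
    key = xor_all(presented)
    if key_check_value(key) != expected_kcv:
        raise ValueError("KCV mismatch: missing, wrong or substituted component")
    return key


if __name__ == "__main__":
    key = generate_key()
    components = split_key(key, custodians=3)
    kcv = key_check_value(key)  # recorded on the key inventory; not secret
    assert load_key_ceremony(components, kcv) == key
    try:
        load_key_ceremony(components[:2], kcv)  # one custodian absent
    except ValueError as err:
        print("rejected:", err)
```

Each custodian also records the KCV of their own component, so a mistyped component is caught before the assembled-key check rather than attributed to the wrong person. Nothing here makes two people physically present; dual control remains a procedural requirement that the ceremony log and the custodian acknowledgements above document.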
Physical Access Control
PCI DSS REQUIREMENT 9.1
APPLICABLE SAQ VALIDATION TYPES: A-EP, D MERCHANT
Policies and procedures must be defined to use appropriate facility entry controls to limit and
monitor physical access to the systems within the CDE.
Access controls for computer rooms, data centers and other physical areas with systems in the
CDE must implement a mechanism to identify authorized users and to control physical access.
Examples include using electronic badges and badge readers, or authorized badges to be worn
and displayed at all times in conjunction with a physical lock and key. In addition, system
management consoles must always be locked to prevent unauthorized use.
PCI DSS REQUIREMENT 9.1.1
APPLICABLE SAQ VALIDATION TYPES: D MERCHANT
Policies and procedures must define methods to monitor the entry/exit points to sensitive areas
such as data centers or server rooms. This does not include public-facing areas where point of
sale terminals are present. Examples of monitoring methods include the use of video cameras
and/or automated access control mechanisms. These mechanisms for monitoring individual
physical access must be protected from tampering or disabling. Logs and access data collected
from these mechanisms must be periodically reviewed and stored for at least three months.
PCI DSS REQUIREMENT 9.1.2
APPLICABLE SAQ VALIDATION TYPES: B-IP, C, D MERCHANT
Policies and procedures must be defined to implement controls that restrict access to
publicly accessible network jacks. This could be accomplished by disabling network jacks in
public areas and only enabling them when network access is explicitly authorized. Alternatively,
processes may be defined to escort visitors at all times in areas with active network jacks.
PCI DSS REQUIREMENT 9.1.3
APPLICABLE SAQ VALIDATION TYPES: D MERCHANT
Policies and procedures must include controls to restrict physical access to the following network
components, either in the CDE or connected to the CDE:
• Wireless access points
• Gateways
• Handheld devices
• Networking and communications hardware
• Telecommunication lines
PCI DSS REQUIREMENT 9.2
APPLICABLE SAQ VALIDATION TYPES: D MERCHANT
Policies and procedures must define facility access controls to easily distinguish between on-site
personnel and visitors, including processes for:
• Identifying on-site personnel and visitors (for example, by using visibly distinct badge
  types for visitors and on-site personnel)
• Restricting access to the identification process to authorized personnel
• Managing changes to individual access requirements
• Revoking access for terminated on-site personnel and expired visitor identification (such
  as ID badges)
PCI DSS REQUIREMENT 9.3
APPLICABLE SAQ VALIDATION TYPES: D MERCHANT
Policies and procedures for controlling physical access to sensitive areas for on-site personnel
must include the following requirements:
• Access must be authorized and based on individual job functions
• Access must be revoked immediately upon termination
• All physical access mechanisms, such as keys and access cards, should be returned or
  disabled immediately upon termination
PCI DSS REQUIREMENT 9.4
APPLICABLE SAQ VALIDATION TYPES: D MERCHANT
Policies and procedures must define processes to identify and authorize visitors that include the
following controls:
• Confirming visitors have been authorized prior to entering the facility and escorting
  visitors at all times within areas where cardholder data is processed or maintained
• Confirming visitor identification and assigning a badge or other type of identification that
  expires and that visibly distinguishes visitors from on-site personnel
• Asking visitors to surrender badges or other identification methods before leaving the
  facility or at the end of the identification expiration period
• Maintaining a visitor log in order to provide an audit trail of visitor activity to the facility
  that includes:
  o The visitor’s name
  o The firm represented
  o The name of on-site personnel authorizing the physical access
• Retaining the visitor log for at least three (3) months
Media Management
PCI DSS REQUIREMENT 9.5
APPLICABLE SAQ VALIDATION TYPES: A, A-EP, B, B-IP, C, C-VT, D MERCHANT, P2PE-HW
Policies and procedures must define processes and controls for physically securing all storage
media containing cardholder data, including, but not limited to:
• Computers
• Removable electronic media
• Paper receipts
• Paper reports
• Faxes
Policies and procedures for storage of removable backup media (such as tapes) must require that
backups are stored in a secure location, preferably an off-site facility, and that the security of the
off-site location is reviewed at least annually.
PCI DSS REQUIREMENT 9.6
APPLICABLE SAQ VALIDATION TYPES: A, A-EP, B, B-IP, C, C-VT, D MERCHANT
Policies and procedures must exist to control distribution of media. The policy must cover all
distributed media, including media distributed to individuals. Classifying media aids in identifying
media that is confidential to minimize the risk of that data being inadequately protected.
Policy and procedures for distribution of media must include the following:
• Defined media classification based on sensitivity, and handling procedures for each
  classification so that the sensitivity of the data can be readily determined
• Requirements for media to be sent by a secure courier or other secure delivery method
• Requirements for accurately tracking media transportation
• Processes to obtain management authorization whenever media is moved from a
  secured area, including distribution of media to individuals
PCI DSS REQUIREMENT 9.7
APPLICABLE SAQ VALIDATION TYPES: A-EP, B, B-IP, C, C-VT, D MERCHANT
Policies and procedures must define processes for controlling the storage and maintenance of all
media so that strict control is retained over the storage and accessibility of media. These processes
must include requirements for maintaining inventory logs of all media and for conducting media
inventories at least annually.
Media Destruction
PCI DSS REQUIREMENT 9.8
APPLICABLE SAQ VALIDATION TYPES: A, A-EP, B, B-IP, C, C-VT, D MERCHANT, P2PE-HW
Media containing cardholder data must be destroyed when it is no longer needed for business or
legal reasons. Policies and procedures for the destruction must contain the following
requirements:
• Hard-copy materials must be crosscut shredded, incinerated or pulped such that there is
  reasonable assurance the hard-copy materials cannot be reconstructed
• Storage containers used for materials that are to be destroyed must be secured
• Cardholder data on electronic media must be rendered unrecoverable (e.g., via a secure
  wipe program in accordance with industry-accepted standards for secure deletion, or by
  physically destroying the media)
Card Acceptance Devices
PCI DSS REQUIREMENT 9.9
APPLICABLE SAQ VALIDATION TYPES: B, B-IP, C, D MERCHANT
Merchants are responsible for the monitoring and protection of all devices that capture payment
card data via direct physical interaction. A list of devices should be maintained and kept current.
These devices must be inspected periodically to look for signs of tampering or substitution.
The type of inspection will depend on the device. The frequency of inspection will depend on the
location of the device and factors such as whether the device is attended or unattended (such as
a kiosk). The type and frequency of these inspections should be defined in the merchant’s annual
risk assessment process.
Policies and procedures must define processes for:
• Maintaining a current list of all devices (see specifications in the Inventories/Lists
  section of this document)
• Periodically inspecting all devices to look for evidence of tampering or substitution
• Training personnel to be aware of suspicious behavior and to report any evidence of
  tampering or substitution of devices; training should include (but not be limited to) the
  following instructions:
  o Verify the identity of any third-party persons claiming to be repair or
    maintenance personnel prior to granting them access to modify or troubleshoot
    devices
  o Do not install, replace or return devices without verification
  o Be aware of suspicious behavior around devices (for example, attempts by
    unknown persons to unplug or open devices)
  o Report suspicious behavior and indications of device tampering or substitution
    to appropriate personnel (for example, to a manager or security officer)
Appendix A – Document Requirements by SAQ Validation Type
The following tables provide a high-level list of document requirements by Self-Assessment
Questionnaire (SAQ) validation type.
SAQ A
The following documentation is required as part of completing SAQ A.

| Document Type | Content | PCI DSS Requirement |
|---|---|---|
| Agreements | Service provider security | 12 |
| Inventories/Lists | Media storage | 9 |
| Inventories/Lists | Service providers | 12 |
| Logs | Media transportation | 9 |
| Policies and procedures | Media management | 9 |
| Policies and procedures | Media destruction | 9 |
| Policies and procedures | Managing service providers | 12 |
SAQ A-EP
The following documentation is required as part of completing SAQ A-EP.

| Document Type | Content | PCI DSS Requirement |
|---|---|---|
| Agreements | Service provider security | 12 |
| Configuration standards | Firewall and router | 1 |
| Configuration standards | System components | 2 |
| Diagrams | Network | 1 |
| Inventories/Lists | Services, protocols and ports, including business justification for each | 1 |
| Inventories/Lists | System components | 2 |
| Inventories/Lists | Media storage | 9 |
| Inventories/Lists | Service providers | 12 |
| Logs | Media transportation | 9 |
| Logs | Audit trails | 10 |
| Plans | SSL/Early TLS: Risk Mitigation and Migration | 2 |
| Plans | Incident response | 12 |
| Policies and procedures | Data retention and disposal | 3 |
| Policies and procedures | Data encryption and transmission | 4 |
| Policies and procedures | Anti-virus protection | 5 |
| Policies and procedures | Risk ranking | 6 |
| Policies and procedures | Security patching | 6 |
| Policies and procedures | Change control | 6 |
| Policies and procedures | Software development | 6 |
| Policies and procedures | Software development - web applications | 6 |
| Policies and procedures | Access control | 7 |
| Policies and procedures | User identification and authentication management | 8 |
| Policies and procedures | Physical access control | 9 |
| Policies and procedures | Media management | 9 |
| Policies and procedures | Media destruction | 9 |
| Policies and procedures | Audit trails | 10 |
| Policies and procedures | Log management | 10 |
| Policies and procedures | Security systems testing | 11 |
| Policies and procedures | Information security | 12 |
| Policies and procedures | Security awareness program | 12 |
| Policies and procedures | Managing service providers | 12 |
SAQ B
The following documentation is required as part of completing SAQ B.

| Document Type | Content | PCI DSS Requirement |
|---|---|---|
| Agreements | Service provider security | 12 |
| Inventories/Lists | Roles needing access to displays of full PAN | 3 |
| Inventories/Lists | Card acceptance devices | 9 |
| Inventories/Lists | Media storage | 9 |
| Inventories/Lists | Approved technology devices and personnel authorized to use the devices | 12 |
| Inventories/Lists | Service providers | 12 |
| Logs | Media transportation | 9 |
| Plans | Incident response | 12 |
| Policies and procedures | Data retention and disposal | 3 |
| Policies and procedures | Protecting cardholder data | 3 |
| Policies and procedures | Data encryption and transmission | 4 |
| Policies and procedures | Access control | 7 |
| Policies and procedures | Media management | 9 |
| Policies and procedures | Media destruction | 9 |
| Policies and procedures | Card acceptance devices | 9 |
| Policies and procedures | Information security | 12 |
| Policies and procedures | Technology usage | 12 |
| Policies and procedures | Security awareness program | 12 |
| Policies and procedures | Log management | 12 |
| Policies and procedures | Managing service providers | 12 |
SAQ B-IP
The following documentation is required as part of completing SAQ B-IP.

| Document Type | Content | PCI DSS Requirement |
|---|---|---|
| Agreements | Service provider security | 12 |
| Diagrams | Network | 1 |
| Inventories/Lists | Services, protocols and ports, including business justification for each | 1 |
| Inventories/Lists | System components | 2 |
| Inventories/Lists | Roles needing access to displays of full PAN | 3 |
| Inventories/Lists | Media storage | 9 |
| Inventories/Lists | Card acceptance devices | 9 |
| Inventories/Lists | Service providers | 12 |
| Logs | Media transportation | 9 |
| Plans | Incident response | 12 |
| Policies and procedures | Data retention and disposal | 3 |
| Policies and procedures | Protecting cardholder data | 3 |
| Policies and procedures | Data encryption and transmission | 4 |
| Policies and procedures | Risk ranking | 6 |
| Policies and procedures | Security patching | 6 |
| Policies and procedures | Access control | 7 |
| Policies and procedures | User identification and authentication management | 8 |
| Policies and procedures | Physical access control | 9 |
| Policies and procedures | Media management | 9 |
| Policies and procedures | Media destruction | 9 |
| Policies and procedures | Card acceptance devices | 9 |
| Policies and procedures | Security systems testing | 11 |
| Policies and procedures | Information security | 12 |
| Policies and procedures | Technology usage | 12 |
| Policies and procedures | Security awareness program | 12 |
| Policies and procedures | Log management | 12 |
| Policies and procedures | Managing service providers | 12 |
SAQ C
The following documentation is required as part of completing SAQ C.

| Document Type | Content | PCI DSS Requirement |
|---|---|---|
| Agreements | Service provider security | 12 |
| Configuration standards | Firewall and router | 1 |
| Configuration standards | System components | 2 |
| Configuration standards | Wireless environments | 4 |
| Inventories/Lists | System components | 2 |
| Inventories/Lists | Roles needing access to displays of full PAN | 3 |
| Inventories/Lists | Media storage | 9 |
| Inventories/Lists | Card acceptance devices | 9 |
| Inventories/Lists | Authorized wireless access points | 11 |
| Inventories/Lists | Approved technology devices and personnel authorized to use the devices | 12 |
| Inventories/Lists | Service providers | 12 |
| Logs | Media transportation | 9 |
| Logs | Audit trails | 10 |
| Plans | SSL/Early TLS: Risk Mitigation and Migration Plan | 2 |
| Plans | Incident response | 12 |
| Policies and procedures | Data retention and disposal | 3 |
| Policies and procedures | Data encryption and transmission | 4 |
| Policies and procedures | Anti-virus protection | 5 |
| Policies and procedures | Risk ranking | 6 |
| Policies and procedures | Security patching | 6 |
| Policies and procedures | Software development | 6 |
| Policies and procedures | Access control | 7 |
| Policies and procedures | User identification and authentication management | 8 |
| Policies and procedures | Physical access control | 9 |
| Policies and procedures | Media management | 9 |
| Policies and procedures | Media destruction | 9 |
| Policies and procedures | Card acceptance devices | 9 |
| Policies and procedures | Audit trails | 10 |
| Policies and procedures | Log management | 10 |
| Policies and procedures | Security systems testing | 11 |
| Policies and procedures | Information security | 12 |
| Policies and procedures | Technology usage | 12 |
| Policies and procedures | Security awareness program | 12 |
| Policies and procedures | Managing service providers | 12 |
SAQ C-VT
The following documentation is required as part of completing SAQ C-VT.

| Document Type | Content | PCI DSS Requirement |
|---|---|---|
| Agreements | Service provider security | 12 |
| Configuration standards | Firewall and router | 1 |
| Configuration standards | System components | 2 |
| Configuration standards | Wireless environments | 4 |
| Diagrams | Network | 1 |
| Inventories/Lists | System components | 2 |
| Inventories/Lists | Roles needing access to displays of full PAN | 3 |
| Inventories/Lists | Media storage | 9 |
| Inventories/Lists | Approved technology devices and personnel authorized to use the devices | 12 |
| Inventories/Lists | Service providers | 12 |
| Logs | Media transportation | 9 |
| Plans | SSL/Early TLS: Risk Mitigation and Migration Plan | 2 |
| Plans | Incident response | 12 |
| Policies and procedures | Data retention and disposal | 3 |
| Policies and procedures | Data encryption and transmission | 4 |
| Policies and procedures | Anti-virus protection | 5 |
| Policies and procedures | Risk ranking | 6 |
| Policies and procedures | Security patching | 6 |
| Policies and procedures | Software development | 6 |
| Policies and procedures | Access control | 7 |
| Policies and procedures | Media management | 9 |
| Policies and procedures | Media destruction | 9 |
| Policies and procedures | Information security | 12 |
| Policies and procedures | Technology usage | 12 |
| Policies and procedures | Security awareness program | 12 |
| Policies and procedures | Managing service providers | 12 |
SAQ D Merchant
The following documentation is required as part of completing SAQ D Merchant.

| Document Type | Content | PCI DSS Requirement |
|---|---|---|
| Agreements | Service provider security | 12 |
| Configuration standards | Firewall and router | 1 |
| Configuration standards | System components | 2 |
| Configuration standards | Wireless environments | 4 |
| Configuration standards | Time synchronization | 10 |
| Diagrams | Network | 1 |
| Diagrams | Cardholder data flow | 1 |
| Inventories/Lists | Services, protocols and ports, including business justification for each | 1 |
| Inventories/Lists | System components | 2 |
| Inventories/Lists | Roles needing access to displays of full PAN | 3 |
| Inventories/Lists | Users who have access to cryptographic keys | 3 |
| Inventories/Lists | Media storage | 9 |
| Inventories/Lists | Card acceptance devices | 9 |
| Inventories/Lists | Authorized wireless access points | 11 |
| Inventories/Lists | Approved technology devices and personnel authorized to use the devices | 12 |
| Inventories/Lists | Company-approved technology devices | 12 |
| Inventories/Lists | Service providers | 12 |
| Logs | Network connection changes | 1 |
| Logs | Data center and computer room visitors | 9 |
| Logs | Media transportation | 9 |
| Logs | Audit trails | 10 |
| Plans | SSL/Early TLS: Risk Mitigation and Migration Plan | 4 |
| Plans | Risk assessment | 12 |
| Plans | Incident response | 12 |
| Policies and procedures | Data retention and disposal | 3 |
| Policies and procedures | Encryption key management | 3 |
| Policies and procedures | Protecting cardholder data | 3 |
| Policies and procedures | Data encryption and transmission | 4 |
| Policies and procedures | Anti-virus protection | 5 |
| Policies and procedures | Risk ranking | 6 |
| Policies and procedures | Security patching | 6 |
| Policies and procedures | Software development | 6 |
| Policies and procedures | Change control | 6 |
| Policies and procedures | Software development - web applications | 6 |
| Policies and procedures | Access control | 7 |
| Policies and procedures | User identification and authentication management | 8 |
| Policies and procedures | Physical access control | 9 |
| Policies and procedures | Media management | 9 |
| Policies and procedures | Media destruction | 9 |
| Policies and procedures | Card acceptance devices | 9 |
| Policies and procedures | Audit trails | 10 |
| Policies and procedures | Time synchronization | 10 |
| Policies and procedures | Log management | 10 |
| Policies and procedures | Security systems testing | 11 |
| Policies and procedures | Information security | 12 |
| Policies and procedures | Technology usage | 12 |
| Policies and procedures | Security awareness program | 12 |
| Policies and procedures | Managing service providers | 12 |
SAQ P2PE-HW
The following documentation is required as part of completing SAQ P2PE-HW.

| Document Type | Content | PCI DSS Requirement |
|---|---|---|
| Agreements | Service provider security | 12 |
| Inventories/Lists | Roles that need access to displays of full PAN | 3 |
| Inventories/Lists | Card acceptance devices | 9 |
| Inventories/Lists | Service providers | 12 |
| Plans | Incident response | 12 |
| Policies and procedures | Data retention and disposal | 3 |
| Policies and procedures | Protecting cardholder data | 3 |
| Policies and procedures | Data encryption and transmission | 4 |
| Policies and procedures | Media management | 9 |
| Policies and procedures | Media destruction | 9 |
| Policies and procedures | Card acceptance devices | 9 |
| Policies and procedures | Information security | 12 |
| Policies and procedures | Security awareness program | 12 |
| Policies and procedures | Managing service providers | 12 |
© 2015 403 Labs, a division of Sikich LLP
All Rights Reserved.
Limitation of Liability: 403 Labs is not responsible for photographic or typographic errors. In no event is 403
Labs or its licensors liable for any indirect, punitive, incidental, special, consequential or other damages
whatsoever, whether arising out of or in any way connected with the use or performance of services, related
deliverables or related websites, with the delay or inability to use any deliverables, services, related equipment
or related websites, the provision of or failure to provide services, or otherwise arising out of the use of
services, whether based on contract, strict liability or otherwise.
Warranty: This report and services are delivered AS IS, and 403 Labs does not and cannot warrant the
accuracy, performance or results obtained by using recommendations provided during any service or that the
results or recommendations will be error-free or complete. 403 Labs makes no warranty that the services will
detect all vulnerabilities or any particular vulnerability or the services will provide the most recently developed
or distributed vulnerability checks. 403 Labs makes no warranties, express or implied, as to noninfringement of
third-party rights, merchantability or fitness for any particular purpose.
Trademarks: 403 Labs and 403 Secured are registered and/or common law trademarks of Sikich LLP. 403
Labs’s mark may not be used in connection with any product or service that is not 403 Labs’s in any manner
that is likely to cause confusion, or in any manner that disparages or discredits 403 Labs.
Microsoft and Windows are trademarks or registered trademarks of Microsoft Corporation.
Other company, product and service names may be trademarks or service marks of others.
403 Labs, a division of Sikich LLP
877.403.LABS (5227)
support@403labs.com
http://www.403labs.com