AP PCI self-assessment questionnaire - PCI Self-Assessment

By Tommy Sanders, 2014-10-17 09:27

Payment Card Industry (PCI)

Self-Assessment Questionnaire

Disclaimer

    The Payment Card Industry (PCI) Self-Assessment Questionnaire is to be used as a 'checklist' to ensure that all entities that store, process, or transmit Visa cardholder data meet the PCI Data Security Standard. Visa Asia Pacific, however, makes no warranty or claim that completion of or compliance with the questionnaire will prevent security breaches or losses, and disclaims any responsibility or liability for any security breaches or losses incurred, whether or not the recommendations of the Self-Assessment Questionnaire have been implemented.

Important

    The Payment Card Industry (PCI) Self-Assessment Questionnaire is part of Visa Asia Pacific's Account Information Security (AIS) documentation suite. All Members and their agents (merchants and service providers) must ensure they process, store and transmit cardholder information in accordance with the PCI Data Security Standard (this standard supersedes Visa's AIS Standard v1.4, March 2000).

For more information on Visa Asia Pacific's AIS program please visit http://www.visa-asia.com/ap/secured

Visa Payment Security Services Risk Management, Asia Pacific

© 2004 Visa Asia Pacific, Risk Management, Payment Card Industry Self-Assessment Questionnaire
Visa International, 30 Raffles Place #10-00 Caltex House, Singapore 048622, http://www.visa-asia.com/vpss

How to Complete the Questionnaire

The questionnaire is divided into six sections. Each section focuses on a specific area of security, based on the requirements included in the PCI Data Security Standard. For any question where 'N/A' is marked, a brief explanation should be attached.

Questionnaire Reporting

The following must be included with the self-assessment questionnaire and system perimeter scan results:

ORGANIZATION INFORMATION

    Corporate Name:                  DBA(s):
    Contact Name:                    Title:
    Phone:                           E-Mail:
    Approximate Number Of Transactions/Accounts Handled Per Year:

PLEASE INCLUDE A BRIEF DESCRIPTION OF YOUR BUSINESS.

    What is your business' role in the payment flow? How, and in what capacity, does your business store, process and/or transmit cardholder data?

LIST ALL THIRD PARTY SERVICE PROVIDERS:

    Processor:                       Gateway:
    Web Hosting:                     Shopping Cart:
    Co-Location:                     Other:

LIST POINT-OF-SALE (POS) SOFTWARE/HARDWARE IN USE:

Visa Payment Security Services, Asia Pacific Visa CONFIDENTIAL (when complete)

Rating the Assessment

After completing each section of the assessment, users should fill in the rating boxes as follows:

    If ALL questions in a section are answered "yes" or "N/A", the section rating is Green: the merchant or service provider is compliant with the self-assessment portion of the PCI Data Security Standard. Note: if "N/A" is marked, attach a brief explanation.

    If ANY question in a section is answered "no", the section rating is Red: the merchant or service provider is not considered compliant. To reach compliance, the risk(s) must be resolved and the self-assessment must be retaken to demonstrate compliance.

    Section 1: Green / Red        Section 4: Green / Red
    Section 2: Green / Red        Section 5: Green / Red
    Section 3: Green / Red        Section 6: Green / Red

    Overall Rating: Green / Red

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect data

(The response options for each question are shown in brackets after it.)

    1.1 Are all routers, switches, wireless access points, and firewall configurations secured, and do they conform to documented security standards? [Yes / No]

    1.2 If wireless technology is used, is access to the network limited to authorized devices? [Yes / No / N/A]

    1.3 Do changes to the firewall need authorization, and are the changes logged? [Yes / No]

    1.4 Is a firewall used to protect the network and limit traffic to that which is required to conduct business? [Yes / No]

    1.5 Are egress and ingress filters installed on all border routers to prevent impersonation with spoofed IP addresses? [Yes / No]

    1.6 Is payment card account information stored in a database located on the internal network (not the DMZ) and protected by a firewall? [Yes / No]

    1.7 If wireless technology is used, do perimeter firewalls exist between wireless networks and the payment card environment? [Yes / No / N/A]

    1.8 Does each mobile computer with direct connectivity to the Internet have a personal firewall and anti-virus software installed? [Yes / No / N/A]

    1.9 Are Web servers located on a publicly reachable network segment separated from the internal network by a firewall (DMZ)? [Yes / No]

    1.10 Is the firewall configured to translate (hide) internal IP addresses, using network address translation (NAT)? [Yes / No]
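
Item 1.5 asks for ingress and egress filters against spoofed source addresses. The following is an added example, not part of the questionnaire, showing the decision logic such a filter implements on a border router: packets arriving from the Internet are dropped if their source claims an internal address or a non-routable (bogon) range, and packets leaving are dropped unless their source is one of the organization's own addresses. The address block 203.0.113.0/24, the interface names and the sample packets are assumptions constructed for this example.

```python
"""Ingress/egress anti-spoofing filter logic for a border router (item 1.5).

Added illustrative example, not part of the questionnaire.  The address
block, interface names and sample packets are constructed for this example.
"""
import ipaddress
from typing import List, Tuple

# Assumed public address block assigned to the organisation (TEST-NET-3
# stands in for a real allocation).
INTERNAL_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Source ranges that can never legitimately arrive from the Internet.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8",        # "this" network
    "10.0.0.0/8",       # RFC 1918 private
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local
    "172.16.0.0/12",    # RFC 1918 private
    "192.168.0.0/16",   # RFC 1918 private
    "224.0.0.0/4",      # multicast
    "240.0.0.0/4",      # reserved
)]


def _in_any(addr, prefixes) -> bool:
    return any(addr in p for p in prefixes)


def filter_packet(iface: str, src: str) -> Tuple[str, str]:
    """Return (verdict, reason) for a packet with source `src` seen on `iface`.

    "outside" is the Internet-facing interface, "inside" faces the payment
    network.  Only the source address matters for anti-spoofing.
    """
    addr = ipaddress.ip_address(src)
    if iface == "outside":
        # Ingress filtering: traffic from the Internet must not claim one of
        # our own addresses (the classic way past source-based ACLs) or come
        # from a range that is not routable on the Internet at all.
        if _in_any(addr, INTERNAL_PREFIXES):
            return "DROP", "ingress: source spoofs an internal address"
        if _in_any(addr, BOGON_PREFIXES):
            return "DROP", "ingress: bogon source"
        return "ACCEPT", "ingress: external source"
    if iface == "inside":
        # Egress filtering (BCP 38): only our own addresses may leave.  A
        # compromised internal host forging other sources, e.g. to take part
        # in a reflection attack, is stopped here.
        if _in_any(addr, INTERNAL_PREFIXES):
            return "ACCEPT", "egress: legitimate internal source"
        return "DROP", "egress: source is not ours"
    raise ValueError(f"unknown interface {iface!r}")


# Constructed sample packets: (interface, source address).
SAMPLE_PACKETS = [
    ("outside", "198.51.100.9"),   # ordinary Internet client
    ("outside", "203.0.113.7"),    # Internet packet claiming to be us
    ("outside", "192.168.1.5"),    # private address arriving from the Internet
    ("inside",  "203.0.113.7"),    # our own host going out
    ("inside",  "8.8.8.8"),        # internal host forging a foreign source
]


def run_filter(packets=SAMPLE_PACKETS) -> List[Tuple[str, str, str]]:
    """Apply the filter to each packet; returns (iface, src, verdict) triples."""
    return [(iface, src, filter_packet(iface, src)[0]) for iface, src in packets]


if __name__ == "__main__":
    for iface, src, verdict in run_filter():
        print(f"{iface:8} {src:16} {verdict}")
```

On real equipment the same logic is expressed as interface ACLs or unicast reverse-path-forwarding checks; the point of 1.5 is that both directions are filtered, because egress filtering is what stops a compromised internal host from forging source addresses in attacks on others.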

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

    2.1 Are vendor default security settings changed on production systems before taking the system into production? [Yes / No]

    2.2 Are vendor default accounts and passwords disabled or changed on production systems before putting a system into production? [Yes / No]

    2.3 If wireless technology is used, are vendor default settings changed (e.g. WEP keys, SSID, passwords, SNMP community strings, disabling SSID broadcasts)? [Yes / No / N/A]

    2.4 If wireless technology is used, is Wi-Fi Protected Access (WPA) technology implemented for encryption and authentication when WPA-capable? [Yes / No / N/A]

    2.5 Are all production systems (servers and network components) hardened by removing all unnecessary services and protocols installed by the default configuration? [Yes / No]

    2.6 Are secure, encrypted communications used for remote administration of production systems and applications? [Yes / No / N/A]

Protect Cardholder Data

Requirement 3: Protect stored data

    3.1 Is sensitive cardholder data securely disposed of when no longer needed? [Yes / No]

    3.2 Is it prohibited to store the full contents of any track from the magnetic stripe (on the back of the card, in a chip, etc.) in the database, log files, or point-of-sale products? [Yes / No]

    3.3 Is it prohibited to store the card-validation code (three-digit value printed on the signature panel of a card) in the database, log files, or point-of-sale products? [Yes / No]

    3.4 Are all but the last four digits of the account number masked when displaying cardholder data? [Yes / No]

    3.5 Are account numbers (in databases, logs, files, backup media, etc.) stored securely, for example, by means of encryption or truncation? [Yes / No]

    3.6 Are account numbers sanitized before being logged in the audit log? [Yes / No]
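
Items 3.4 to 3.6 call for masking, truncation and sanitizing of account numbers before display and logging. The following added example (not part of the questionnaire) implements all three: a Luhn check distinguishes real card numbers from other long digit strings such as order numbers, mask_pan keeps only the last four digits for display, truncate_pan keeps only the last four for storage, and sanitize_log_line rewrites a log line before it reaches the audit log. The card numbers are the standard Luhn-valid test numbers and the log lines are constructed for the example.

```python
"""PAN masking (3.4), truncation (3.5) and audit-log sanitisation (3.6).

Added illustrative example, not part of the questionnaire.  The card
numbers are the well-known Luhn-valid test numbers; the log lines are
constructed for this example.
"""
import re
from typing import List

# 13-19 digits, optionally separated by single spaces or hyphens, and not
# glued to other digits.  These are candidates only: the Luhn check decides.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Mod-10 check that every card number passes; rejects most other
    long digit strings (order numbers, timestamps, phone numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """3.4: display form, all but the last four digits masked."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def truncate_pan(pan: str) -> str:
    """3.5: storage form when the full PAN is not needed; irreversible."""
    return re.sub(r"\D", "", pan)[-4:]


def sanitize_log_line(line: str) -> str:
    """3.6: mask every Luhn-valid candidate before the line is written."""
    def _repl(m):
        raw = m.group(0)
        digits = re.sub(r"\D", "", raw)
        return mask_pan(digits) if luhn_valid(digits) else raw
    return PAN_CANDIDATE.sub(_repl, line)


# Constructed sample log lines (what the application emits before sanitising).
SAMPLE_LOG = [
    "2004-06-01 10:15:02 INFO payment ok card=4111 1111 1111 1111 amount=19.90",
    "2004-06-01 10:15:03 WARN decline card=5555-5555-5555-4444 reason=CVV",
    "2004-06-01 10:15:04 INFO order=1234567890123 shipped to customer 42",
]


def sanitize_log(lines=SAMPLE_LOG) -> List[str]:
    """Sanitise a batch of lines; the order number in the third line is
    left alone because it fails the Luhn check."""
    return [sanitize_log_line(l) for l in lines]


if __name__ == "__main__":
    for out in sanitize_log():
        print(out)
```

Truncation and masking are not substitutes for the encryption that 3.5 expects where the full number must be retained; they cover the display and logging cases, where the full number is not needed at all. A scrubber like this belongs in the logging layer rather than in each caller, so that a new log statement cannot reintroduce the leak.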

Requirement 4: Encrypt transmission of cardholder data and sensitive information across public networks

    4.1 Are transmissions of sensitive cardholder data encrypted over public networks through the use of SSL or other industry acceptable methods? [Yes / No]

    4.2 If SSL is used for transmission of sensitive cardholder data, is it using version 3.0 with 128-bit encryption? [Yes / No / N/A]

    4.3 If wireless technology is used, is the communication encrypted using Wi-Fi Protected Access (WPA), VPN, SSL at 128-bit, or WEP? [Yes / No / N/A]

    4.4 If wireless technology is used, are WEP at 128-bit and additional encryption technologies in use, and are shared WEP keys rotated quarterly? [Yes / No / N/A]

    4.5 Is encryption used in the transmission of account numbers via e-mail? [Yes / No / N/A]

Protect Cardholder Data

Requirement 5: Use and regularly update anti-virus software

    5.1 Is there a virus scanner installed on all servers and on all workstations, and is the virus scanner regularly updated? [Yes / No]

Requirement 6: Develop and maintain secure systems and applications

    6.1 Are development, testing and production systems updated with the latest security-related patches released by the vendors? [Yes / No]

    6.2 Is the software and application development process based on an industry best practice, and is information security included throughout the software development life cycle (SDLC) process? [Yes / No / N/A]

    6.3 If production data is used for testing and development purposes, is sensitive cardholder data sanitized before usage? [Yes / No / N/A]

    6.4 Are all changes to the production environment and applications formally authorized, planned, and logged before being implemented? [Yes / No]

    6.5 Were the guidelines commonly accepted by the security community (such as those of the Open Web Application Security Project (www.owasp.org)) taken into account in the development of Web applications? [Yes / No / N/A]

    6.6 When authenticating over the Internet, is the application designed to prevent malicious users from trying to determine existing user accounts? [Yes / No / N/A]

    6.7 Is sensitive cardholder data stored in cookies secured or encrypted? [Yes / No / N/A]

    6.8 Are controls implemented on the server side to prevent SQL injection and other bypassing of client-side input controls? [Yes / No / N/A]
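
Item 6.8 asks whether controls exist on the server side, because client-side input checks are bypassed simply by sending the request directly. The following added example (not part of the questionnaire) shows, on an in-memory SQLite table constructed for the purpose, a lookup that builds SQL from the input beside the parameterized form, and a server-side allow-list check as an additional layer. The table, its rows, the e-mail pattern and the payload are assumptions for the example.

```python
"""Server-side SQL injection control (item 6.8): a string-built query beside
its parameterised replacement, plus server-side input validation.

Added illustrative example, not part of the questionnaire.  The table,
rows, e-mail pattern and payload are constructed for this example.
"""
import re
import sqlite3
from typing import List, Tuple

# Assumed allow-list for the one field this endpoint accepts.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def make_db() -> sqlite3.Connection:
    """Constructed customer table; pan_last4 is the truncated form from 3.5."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, pan_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, pan_last4) VALUES (?, ?)",
        [("alice@example.com", "1111"), ("bob@example.com", "4444")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> List[Tuple[int, str]]:
    """Relies on the browser's form validation, which an attacker never runs.
    The input is pasted into the SQL text, so quotes in it become syntax."""
    sql = f"SELECT id, email FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> List[Tuple[int, str]]:
    """Bound parameter: the driver sends the value separately from the
    statement, so no input can change the query's structure."""
    return conn.execute(
        "SELECT id, email FROM customers WHERE email = ?", (email,)
    ).fetchall()


def validate_email(value: str) -> bool:
    """Second, independent layer: reject anything that is not an e-mail
    address before it reaches the database at all."""
    return EMAIL_RE.match(value) is not None


def compare(payload: str = "x' OR '1'='1") -> Tuple[int, int]:
    """Run the same payload through both lookups on a fresh table and
    return (rows leaked by the vulnerable query, rows from the safe one)."""
    conn = make_db()
    leaked = len(lookup_vulnerable(conn, payload))
    safe = len(lookup_safe(conn, payload))
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = compare()
    print(f"vulnerable query returned {leaked} rows, parameterised query {safe}")
```

With the payload x' OR '1'='1 the string-built statement becomes WHERE email = 'x' OR '1'='1', which is true for every row, so the whole customer table comes back; the parameterized statement compares the literal string and matches nothing. The allow-list check is not a replacement for parameterization, since a valid-looking value can still carry SQL in fields with looser patterns; it is the extra server-side control that 6.8 expects for input the client was supposed to have checked.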

Implement Strong Control Measures

Requirement 7: Restrict access to data by business need-to-know

    7.1 Is access to payment card account numbers restricted for users on a need-to-know basis? [Yes / No]

Requirement 8: Assign a unique ID to each person with computer access

    8.1 Are all users required to authenticate using, at a minimum, a unique username and password? [Yes / No]

    8.2 If employees, administrators, or third parties access the network remotely, is remote access software (such as PCAnywhere, dial-in, or VPN) configured with a unique username and password and with encryption and other security features turned on? [Yes / No / N/A]

    8.3 Are all passwords on network devices and systems encrypted? [Yes / No]

    8.4 When an employee leaves the company, are that employee's user accounts and passwords immediately revoked? [Yes / No]

    8.5 Are all user accounts reviewed on a regular basis to ensure that malicious, out-of-date, or unknown accounts do not exist? [Yes / No]

    8.6 Are non-consumer accounts that are not used for a lengthy amount of time (inactive accounts) automatically disabled in the system after a pre-defined period? [Yes / No]

    8.7 Are accounts used by vendors for remote maintenance enabled only during the time needed? [Yes / No / N/A]

    8.8 Are group, shared or generic accounts and passwords prohibited for non-consumer users? [Yes / No]

    8.9 Are non-consumer users required to change their passwords on a pre-defined regular basis? [Yes / No]

    8.10 Is there a password policy for non-consumer users that enforces the use of strong passwords and prevents the resubmission of previously used passwords? [Yes / No]

    8.11 Is there an account-lockout mechanism that blocks a malicious user from obtaining access to an account by multiple password retries or brute force? [Yes / No]
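
Items 6.6 and 8.11 both concern the login path: the application must not let an attacker learn which usernames exist, and must lock an account after repeated wrong passwords. The following added example (not part of the questionnaire) handles both in one service: an unknown user, a wrong password and a locked account all produce the same result and cost the same hashing time, and the fifth failure locks the account for thirty minutes; passwords are stored as salted PBKDF2 hashes rather than in clear, in the spirit of 8.3. The thresholds, the PBKDF2 round count and the sample user are assumptions for the example.

```python
"""Login that does not reveal which usernames exist (6.6) and locks an
account after repeated failures (8.11); passwords held as salted hashes.

Added illustrative example, not part of the questionnaire.  MAX_FAILURES,
LOCKOUT_SECONDS, PBKDF2_ROUNDS and the sample user are assumed values.
"""
import hashlib
import hmac
import os
import time
from typing import Dict, Optional, Tuple

MAX_FAILURES = 5           # assumed policy value
LOCKOUT_SECONDS = 30 * 60  # assumed policy value
PBKDF2_ROUNDS = 100_000    # assumed; tune to the hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, hash) so the salt is stored
    next to the hash and reused for verification."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AuthService:
    def __init__(self) -> None:
        self.users: Dict[str, Tuple[bytes, bytes]] = {}
        self.failures: Dict[str, int] = {}
        self.locked_until: Dict[str, float] = {}
        # Hash a random string once so a login for a username that does not
        # exist does the same work as one for a real user: a faster "failed"
        # would tell the attacker the account is absent (6.6).
        self._decoy = hash_password(os.urandom(16).hex())

    def add_user(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)

    def is_locked(self, username: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        return self.locked_until.get(username, 0.0) > now

    def login(self, username: str, password: str, now: Optional[float] = None) -> str:
        """Returns "ok" or "failed".  The failed outcome is identical for an
        unknown user, a wrong password and a locked account."""
        now = time.time() if now is None else now
        if self.is_locked(username, now):
            return "failed"
        salt, stored = self.users.get(username, self._decoy)
        _, candidate = hash_password(password, salt)
        if username in self.users and hmac.compare_digest(candidate, stored):
            self.failures.pop(username, None)
            return "ok"
        # Count the failure even for unknown names so lockout behaviour does
        # not become another way to tell real accounts from fake ones.
        count = self.failures.get(username, 0) + 1
        self.failures[username] = count
        if count >= MAX_FAILURES:
            self.locked_until[username] = now + LOCKOUT_SECONDS
            self.failures.pop(username, None)
        return "failed"


if __name__ == "__main__":
    svc = AuthService()
    svc.add_user("alice", "correct horse battery")   # constructed sample user
    for attempt in range(MAX_FAILURES):
        print("wrong password:", svc.login("alice", "guess", now=0))
    print("right password while locked:", svc.login("alice", "correct horse battery", now=1))
    print("after lock expires:", svc.login("alice", "correct horse battery", now=LOCKOUT_SECONDS + 1))
```

Lockout is itself a denial-of-service lever, since anyone who knows a username can lock it by guessing wrongly; a time-limited lock, as here, rather than a permanent one limits that. The now parameter exists so the lock expiry can be exercised without waiting.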

Requirement 9: Restrict physical access to cardholder data

    9.1 Are there multiple physical security controls (such as badges, escorts, or mantraps) in place that would prevent unauthorized individuals from gaining access to the facility? [Yes / No]

    9.2 If wireless technology is used, do you restrict access to wireless access points, wireless gateways, and wireless handheld devices? [Yes / No / N/A]

    9.3 Are equipment (such as servers, workstations, laptops, and hard drives) and media containing cardholder data physically protected against unauthorized access? [Yes / No]

    9.4 Is all cardholder data printed on paper or received by fax protected against unauthorized access? [Yes / No]

    9.5 Are procedures in place to handle secure distribution and disposal of backup media and other media containing sensitive cardholder data? [Yes / No]

    9.6 Are all media devices that store cardholder data properly inventoried and securely stored? [Yes / No]

    9.7 Is cardholder data deleted or destroyed before it is physically disposed of (for example, by shredding papers or degaussing backup media)? [Yes / No]
