PCI SAQ

Before You Begin

SAQ D for Merchants applies to SAQ-eligible merchants not meeting the criteria for any other SAQ type. Examples of merchant environments that would use SAQ D may include but are not limited to:
• E-commerce merchants who accept cardholder data on their website
• Merchants with electronic storage of cardholder data
• Merchants that don't store cardholder data electronically but that do not meet the criteria of another SAQ type
• Merchants with environments that might meet the criteria of another SAQ type, but that have additional PCI DSS requirements applicable to their environment

While many organizations completing SAQ D will need to validate compliance with every PCI DSS requirement, some organizations with very specific business models may find that some requirements do not apply. See the guidance below for information about the exclusion of certain, specific requirements.

PCI DSS Self-Assessment Completion Steps
(a) Identify the applicable SAQ for your environment; refer to the Self-Assessment Questionnaire Instructions and Guidelines document on the PCI SSC website for information.
(b) Confirm that your environment is properly scoped and meets the eligibility criteria for the SAQ you are using.
(c) Assess your environment for compliance with PCI DSS requirements.
(d) Complete all sections of this document:
  • Section 1 (Parts 1 & 2 of the AOC): Assessment Information and Executive Summary
  • Section 2: PCI DSS Self-Assessment Questionnaire (SAQ D)
  • Section 3 (Parts 3 & 4 of the AOC): Validation and Attestation Details and Action Plan for Non-Compliant Requirements (if applicable)
(e) Submit the SAQ and Attestation of Compliance (AOC), along with any other requested documentation, such as ASV scan reports, to your acquirer, payment brand, or other requester.
ASSESSMENT INFORMATION
Company Name:
Contact Name:
DBA (Doing Business As):
Phone:
Email Address:
Street Address:
Address Line 2:
City:
State / Province / Region:
ZIP / Postal Code:
Country:

Self-Assessment Questionnaire D for Merchants

Note: The question numbers below are this form's own. Where a number differs from the PCI DSS requirement it is taken from, the PCI DSS number is given in parentheses; the full requirement text and testing procedures are in the PCI DSS Requirements and Security Assessment Procedures document. Each question is answered with one of: Yes; Yes with CCW (a Compensating Controls Worksheet, Appendix B, must then be completed); No; N/A; Not Tested. The testing procedures for each question are listed beneath it.

1. Build and Maintain a Secure Network and Systems

Requirement 1: Install and maintain a firewall configuration to protect data

1.1 Are firewall and router configuration standards established and implemented to include the following:

1.1.1 Is there a formal process for approving and testing all network connections and changes to the firewall and router configurations?
  ▪ Review documented process. ▪ Interview personnel. ▪ Examine network configurations.

1.1.2 (a) Is there a current network diagram that documents all connections between the cardholder data environment and other networks, including any wireless networks?
  ▪ Review current network diagram. ▪ Examine network configurations.

1.1.2 (b) Is there a process to ensure the diagram is kept current?
  ▪ Interview responsible personnel.

1.1.3 (a) Is there a current diagram that shows all cardholder data flows across systems and networks?
  ▪ Review current dataflow diagram. ▪ Examine network configurations.

1.1.3 (b) Is there a process to ensure the diagram is kept current?
  ▪ Interview responsible personnel.

1.1.4 (a) Is a firewall required and implemented at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone?
  ▪ Review firewall configuration standards. ▪ Observe network configurations to verify that a firewall(s) is in place.

1.1.4 (b) Is the current network diagram consistent with the firewall configuration standards?
  ▪ Compare firewall configuration standards to current network diagram.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

2.1 (a) Are vendor-supplied defaults always changed before installing a system on the network?
  This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, payment applications, Simple Network Management Protocol (SNMP) community strings, etc.
  ▪ Review policies and procedures. ▪ Examine vendor documentation. ▪ Observe system configurations and account settings. ▪ Interview personnel.

2.1 (b) Are unnecessary default accounts removed or disabled before installing a system on the network?
  ▪ Review policies and procedures. ▪ Review vendor documentation. ▪ Examine system configurations and account settings. ▪ Interview personnel.

Protect Cardholder Data

Requirement 3: Protect stored cardholder data

3.2 (a) Is sensitive authentication data deleted or rendered unrecoverable upon completion of the authorization process?
  ▪ Review policies and procedures. ▪ Examine system configurations. ▪ Examine deletion processes.

3.2.1 Is the full contents of any track (from the magnetic stripe located on the back of a card, equivalent data contained on a chip, or elsewhere) not stored after authorization? This data is alternatively called full track, track, track 1, track 2, and magnetic-stripe data.
  Note: In the normal course of business, the following data elements from the magnetic stripe may need to be retained: the cardholder's name, primary account number (PAN), expiration date, and service code. To minimize risk, store only these data elements as needed for business.
  ▪ Examine data sources including incoming transaction data, all logs, history files, trace files, database schema, and database contents.

3.2.2 Is the card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) not stored after authorization?
  ▪ Examine data sources including incoming transaction data, all logs, history files, trace files, database schema, and database contents.

3.2.3 Is the personal identification number (PIN) or the encrypted PIN block not stored after authorization?
  ▪ Examine data sources including incoming transaction data, all logs, history files, trace files, database schema, and database contents.

3.2.4 (PCI DSS 3.3) Is the PAN masked when displayed (the first six and last four digits are the maximum number of digits to be displayed) such that only personnel with a legitimate business need can see more than the first six/last four digits of the PAN?
  ▪ Review policies and procedures. ▪ Review roles that need access to displays of full PAN. ▪ Examine system configurations. ▪ Observe displays of PAN.

Requirement 4: Encrypt transmission of cardholder data across open, public networks

4.2 Are policies in place that state that unprotected PANs are not to be sent via end-user messaging technologies?
  ▪ Review policies and procedures.

Implement Strong Access Control Measures

Requirement 5 (PCI DSS Requirement 7): Restrict access to cardholder data by business need to know

Is access to system components and cardholder data limited to only those individuals whose jobs require such access, as follows:

5.1.2 (PCI DSS 7.1.2) Is access to privileged user IDs restricted as follows:
  A) To least privileges necessary to perform job responsibilities?
  B) Assigned only to roles that specifically require that privileged access?
  ▪ Examine written access control policy. ▪ Interview personnel. ▪ Interview management. ▪ Review privileged user IDs.

5.2 (a) (PCI DSS 9.8) Is all media destroyed when it is no longer needed for business or legal reasons?
  ▪ Review media destruction policies and procedures. ▪ Interview personnel.

Maintain a Vulnerability Management Program

Requirement 6: Develop and maintain secure systems and applications

6 (a) (PCI DSS 6.2) Are all system components and software protected from known vulnerabilities by installing applicable vendor-supplied security patches?
  ▪ Review policies and procedures.

6 (b) (PCI DSS 6.2) Are critical security patches installed within one month of release?
  ▪ Review policies and procedures. ▪ Examine system components. ▪ Compare list of security patches installed to recent vendor patch lists.

Implement Strong Access Control Measures

Requirement 7 (PCI DSS Requirement 8): Identify and authenticate access to system components

7.1.1 (PCI DSS 8.1.1) Are all users assigned a unique ID before allowing them to access system components or cardholder data?
  ▪ Review policies and procedures. ▪ Interview personnel.

7.1.2 (PCI DSS 8.1.3) Is access for any terminated users immediately deactivated or removed?
  ▪ Examine terminated users' accounts. ▪ Review current access lists. ▪ Observe returned physical authentication devices.

7.2 (PCI DSS 8.2) In addition to assigning a unique ID, is one or more of the following methods employed to authenticate all users?
  A) Something you know, such as a password or passphrase
  B) Something you have, such as a token device or smart card
  C) Something you are, such as a biometric
  ▪ Review password procedures. ▪ Observe authentication processes.

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security for all personnel
Note: For the purposes of Requirement 12, "personnel" refers to full-time and part-time employees, temporary employees, and contractors and consultants who are "resident" on the entity's site or otherwise have access to the cardholder data environment.

Are policies and procedures maintained and implemented to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows:

8.1 (PCI DSS 12.8.1) Is a list of service providers maintained, including a description of the service(s) provided?
  ▪ Review policies and procedures. ▪ Observe processes. ▪ Review list of service providers.

8.2 (PCI DSS 12.8.3) Is there an established process for engaging service providers, including proper due diligence prior to engagement?
  ▪ Review policies and procedures. ▪ Observe processes. ▪ Review list of service providers.

Appendix B: Compensating Controls Worksheet

Use this worksheet to define compensating controls for any requirement where "Yes with CCW" was checked.
Note: Only companies that have undertaken a risk analysis and have legitimate technological or documented business constraints can consider the use of compensating controls to achieve compliance. Refer to Appendices B, C, and D of PCI DSS for information about compensating controls and guidance on how to complete this worksheet.

1. Constraints: List constraints precluding compliance with the original requirement.
   EXPLANATION:
2. Objective: Define the objective of the original control; identify the objective met by the compensating control.
   EXPLANATION:
3. Identified Risk: Identify any additional risk posed by the lack of the original control.
   EXPLANATION:
4. Definition of Compensating Controls: Define the compensating controls and explain how they address the objectives of the original control and the increased risk, if any.
   EXPLANATION:
5. Validation of Compensating Controls: Define how the compensating controls were validated and tested.
   EXPLANATION:
6. Maintenance: Define the process and controls in place to maintain the compensating controls.
   EXPLANATION:

Section 3: Validation and Attestation Details

Part 3a. Acknowledgement of Status
Signatory(s) confirms: (Check all that apply)
• PCI DSS Self-Assessment Questionnaire D, Version (version of SAQ), was completed according to the instructions therein.
• All information within the above-referenced SAQ and in this attestation fairly represents the results of my assessment in all material respects.
• I have confirmed with my payment application vendor that my payment system does not store sensitive authentication data after authorization.
• I have read the PCI DSS and I recognize that I must maintain PCI DSS compliance, as applicable to my environment, at all times.
• If my environment changes, I recognize I must reassess my environment and implement any additional PCI DSS requirements that apply.
• No evidence of full track data, CAV2, CVC2, CID, or CVV2 data, or PIN data storage after transaction authorization was found on ANY system reviewed during this assessment.
• ASV scans are being completed by the PCI SSC Approved Scanning Vendor (ASV Name).

Part 4. Action Plan for Non-Compliant Requirements
Select the appropriate response for "Compliant to PCI DSS Requirements" for each requirement. If you answer "No" to any of the requirements, you may be required to provide the date your Company expects to be compliant with the requirement and a brief description of the actions being taken to meet the requirement. Check with your acquirer or the payment brand(s) before completing Part 4.

Do not use vendor-supplied defaults for system passwords and other security parameters.
  Compliant to PCI DSS Requirements: Yes / No
  Remediation Date and Actions:

Develop and maintain secure systems and applications.
  Compliant to PCI DSS Requirements: Yes / No
  Remediation Date and Actions:
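Requirement 3 above tells the merchant where to look for stored track data, card verification values and PIN data (3.2.1 to 3.2.3) and states the first-six/last-four display rule (3.2.4), but the SAQ supplies no tooling for the check. The script below is an added example and is not part of this SAQ or of any PCI SSC material. It masks a PAN per the display rule, scans constructed log lines for track 1 and track 2 data, CVV fields and unmasked Luhn-valid PANs, and produces a redacted copy of each offending line. The regular expressions, the field names it looks for (such as cvv=), the "[TRACK2 REMOVED]" markers and the sample log are all assumptions made for this example; the PANs in it are public test card numbers, not real accounts.

```python
"""Added example for the SAQ D Requirement 3 checks (questions 3.2.1-3.2.4).
Not part of the SAQ or any PCI SSC material. The regular expressions are
heuristics chosen for this example; the PANs are public test card numbers and
the log lines are constructed."""
import re
from typing import Dict, List


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test; separates PANs from order IDs and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """3.2.4 display rule: at most the first six and last four digits are shown."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


# 13-19 digits, optionally separated by single spaces or dashes, not inside a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 1: %B<PAN>^<NAME>^<YYMM><service code and discretionary data>?
TRACK1_RE = re.compile(r'%B(\d{13,19})\^[^^]{2,26}\^\d{4}[^?\s"]*\??')
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(r";?(\d{13,19})=\d{4}\d{3}\d*\??")
# Card verification code/value logged as a named field (3.2.2); field names are assumed.
CVV_RE = re.compile(r"(?i)\b(?:cvv2?|cvc2?|cid|cav2|card_?code|security_?code)\s*[=:]\s*\d{3,4}\b")


def scan_line(line: str) -> List[str]:
    """Kinds of prohibited (track, CVV) or unmasked (PAN) data found in one log line."""
    kinds = []
    if TRACK1_RE.search(line):
        kinds.append("track1")
    if TRACK2_RE.search(line):
        kinds.append("track2")
    if CVV_RE.search(line):
        kinds.append("cvv")
    if any(luhn_valid(re.sub(r"\D", "", m.group(0))) for m in PAN_RE.finditer(line)):
        kinds.append("pan")
    return kinds


def redact_line(line: str) -> str:
    """Strip track data and CVV fields, then mask every remaining Luhn-valid PAN."""
    line = TRACK1_RE.sub("[TRACK1 REMOVED]", line)
    line = TRACK2_RE.sub("[TRACK2 REMOVED]", line)
    line = CVV_RE.sub("[CVV REMOVED]", line)

    def mask(m: "re.Match[str]") -> str:
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)

    return PAN_RE.sub(mask, line)


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """One record per offending line: line number, kinds found, and a redacted copy."""
    report = []
    for n, line in enumerate(lines, 1):
        kinds = scan_line(line)
        if kinds:
            report.append({"line": n, "kinds": kinds, "redacted": redact_line(line)})
    return report


# Constructed sample log; the PANs are public test numbers, not real accounts.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z INFO  order=1001 pan=4111111111111111 amount=19.99",
    '2024-05-01T10:00:02Z DEBUG swipe=";5555555555554444=2512101123456789?"',
    "2024-05-01T10:00:03Z INFO  order=1002 pan=378282****0005 cvv=123",
    "2024-05-01T10:00:04Z INFO  order=1003 ref=4111111111111112 status=ok",  # 16 digits, fails Luhn
    "2024-05-01T10:00:05Z INFO  order=1004 pan=4012 8888 8888 1881 approved",
    '2024-05-01T10:00:06Z DEBUG raw="%B4111111111111111^DOE/JOHN^25121010000000001?"',
]

if __name__ == "__main__":
    for rec in scan_log(SAMPLE_LOG):
        print(rec)
```

The Luhn test is what keeps a 16-digit order reference (sample line 4) out of the findings while still flagging a PAN written with spaces (line 5). No PIN-block check is included: encrypted PIN blocks are binary or hex fields with no reliable textual signature, so 3.2.3 is verified by examining the application's field layout and database schema rather than by pattern matching. Any hit from a scan like this over the sources 3.2.1 names (logs, trace files, history files, database dumps) is a scoping and remediation issue for the SAQ, not merely a logging bug, because the system holding that data is in the cardholder data environment.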