
IT591-3: Apply auditing processes within a technical scenario.

Purpose 

This assignment helps you learn how to prepare for a specific audit, in this case the PCI-DSS audit. You will use the PCI-DSS Self-Assessment Questionnaire D for Merchants (Version 4.0, available in your readings) and become familiar with the various sections that the audit will cover, and with the preparation that must occur to ensure compliance within each section.

Assignment Instructions 

Use the link to the PCI-DSS self-assessment questionnaire (SAQ-D) for Vendors (V. 4.0) provided in this week’s readings, and use that information to complete the assignment.

Consider the PCI-DSS self-assessment questionnaire D for Merchants (V. 4.0), with which a typical retail merchant would have to show compliance in order to continue doing business with credit cards.

1. Review the questions associated with four different requirements of the twelve covered by the assessment questions (specifically sections 3, 8, 9, and one other section of your choice). For each section explain the purpose of that section, why it is important, and what these questions seek to achieve.

2. Pick any three questions in that section and explain:
   - What the question means
   - What evidence would be needed to show compliance
   - Whether it would be easy or difficult to achieve compliance, and why
   Do not pick three that are all easy.

3. Summarize your impressions of the questions for this section and discuss how a merchant would establish or maintain compliance.

4. For any question that you examined in item 2 above (one that you deemed hard to comply with), assume that you cannot fully meet the requirement and draft a half-page compensating control (refer to Appendix B) that would substitute for a fully compliant response.

5. Write a 1-paragraph summary about what you learned from this exercise.

Assignment Requirements

5–6 pages of content (exclusive of the cover sheet and references page), using Times New Roman font style, 12 point, double-spaced, using correct APA formatting, and include a cover sheet, table of contents, abstract, and reference page(s).
At least 1 credible source cited and referenced
No more than 1 table or figure
No spelling errors
No grammar errors
No APA errors

PCI-DSS-v4-0-SAQ-D-Merchant-r1.pdf

Payment Card Industry Data Security Standard

Self-Assessment Questionnaire D for Merchants and Attestation of Compliance

For use with PCI DSS Version 4.0, Revision 1

Publication Date: December 2022

PCI DSS v4.0 SAQ D for Merchants r1 December 2022 © 2006-2022 PCI Security Standards Council, LLC. All Rights Reserved. Page i

Document Changes

Each entry lists the date, the PCI DSS version, the SAQ revision (where one was assigned), and a description of the change.

October 2008, PCI DSS 1.2: To align content with new PCI DSS v1.2 and to implement minor changes noted since original v1.1.

October 2010, PCI DSS 2.0: To align content with new PCI DSS v2.0 requirements and testing procedures.

February 2014, PCI DSS 3.0: To align content with PCI DSS v3.0 requirements and testing procedures and incorporate additional response options.

April 2015, PCI DSS 3.1: Updated to align with PCI DSS v3.1. For details of PCI DSS changes, see PCI DSS – Summary of Changes from PCI DSS Version 3.0 to 3.1.

July 2015, PCI DSS 3.1, SAQ revision 1.1: Updated to remove references to “best practices” prior to June 30, 2015, and remove the PCI DSS v2 reporting option for Requirement 11.3.

April 2016, PCI DSS 3.2, SAQ revision 1.0: Updated to align with PCI DSS v3.2. For details of PCI DSS changes, see PCI DSS – Summary of Changes from PCI DSS Version 3.1 to 3.2.

January 2017, PCI DSS 3.2, SAQ revision 1.1: Updated version numbering to align with other SAQs.

June 2018, PCI DSS 3.2.1, SAQ revision 1.0: Updated to align with PCI DSS v3.2.1. For details of PCI DSS changes, see PCI DSS – Summary of Changes from PCI DSS Version 3.2 to 3.2.1.

April 2022, PCI DSS 4.0: Updated to align with PCI DSS v4.0. For details of PCI DSS changes, see PCI DSS – Summary of Changes from PCI DSS Version 3.2.1 to 4.0. Rearranged, retitled, and expanded information in the “Completing the Self-Assessment Questionnaire” section (previously titled “Before You Begin”). Aligned content in Sections 1 and 3 of Attestation of Compliance (AOC) with PCI DSS v4.0 Report on Compliance AOC. Added appendices to support new reporting responses.

December 2022, PCI DSS 4.0, SAQ revision 1: Removed “In Place with Remediation” as a reporting option from Requirement Responses table, Attestation of Compliance (AOC) Part 2g, SAQ Section 2 Response column, and AOC Section 3. Also removed former Appendix C. Added “In Place with CCW” to AOC Section 3. Added guidance for responding to future-dated requirements. Added minor clarifications and addressed typographical errors.


Contents

Document Changes ... i
Completing the Self-Assessment Questionnaire ... iii
  Merchant Eligibility Criteria for Self-Assessment Questionnaire D ... iii
  Defining Account Data, Cardholder Data, and Sensitive Authentication Data ... iii
  PCI DSS Self-Assessment Completion Steps ... iv
  Expected Testing ... iv
  Requirement Responses ... v
  Additional PCI SSC Resources ... viii
Section 1: Assessment Information ... 1
Section 2: Self-Assessment Questionnaire D for Merchants ... 6
  Build and Maintain a Secure Network and Systems ... 6
    Requirement 1: Install and Maintain Network Security Controls ... 6
    Requirement 2: Apply Secure Configurations to All System Components ... 11
  Protect Account Data ... 15
    Requirement 3: Protect Stored Account Data ... 15
    Requirement 4: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks ... 27
  Maintain a Vulnerability Management Program ... 30
    Requirement 5: Protect All Systems and Networks from Malicious Software ... 30
    Requirement 6: Develop and Maintain Secure Systems and Software ... 34
  Implement Strong Access Control Measures ... 43
    Requirement 7: Restrict Access to System Components and Cardholder Data by Business Need to Know ... 43
    Requirement 8: Identify Users and Authenticate Access to System Components ... 47
    Requirement 9: Restrict Physical Access to Cardholder Data ... 59
  Regularly Monitor and Test Networks ... 66
    Requirement 10: Log and Monitor All Access to System Components and Cardholder Data ... 66
    Requirement 11: Test Security of Systems and Networks Regularly ... 73
  Maintain an Information Security Policy ... 84
    Requirement 12: Support Information Security with Organizational Policies and Programs ... 84
  Appendix A: Additional PCI DSS Requirements ... 97
    Appendix A1: Additional PCI DSS Requirements for Multi-Tenant Service Providers ... 97
    Appendix A2: Additional PCI DSS Requirements for Entities using SSL/Early TLS for Card-Present POS POI Terminal Connections ... 97
    Appendix A3: Designated Entities Supplemental Validation (DESV) ... 98
  Appendix B: Compensating Controls Worksheet ... 99
  Appendix C: Explanation of Requirements Noted as Not Applicable ... 100
  Appendix D: Explanation of Requirements Noted as Not Tested ... 101
Section 3: Validation and Attestation Details ... 102


Completing the Self-Assessment Questionnaire

Merchant Eligibility Criteria for Self-Assessment Questionnaire D

Self-Assessment Questionnaire (SAQ) D for Merchants applies to merchants that are eligible to complete a self-assessment questionnaire but do not meet the criteria for any other SAQ type. Examples of merchant environments to which SAQ D may apply include but are not limited to:

• E-commerce merchants that accept account data on their website.

• Merchants with electronic storage of account data.

• Merchants that don’t store account data electronically but that do not meet the criteria of another SAQ type.

• Merchants with environments that might meet the criteria of another SAQ type, but that have additional PCI DSS requirements applicable to their environment.

This SAQ is not applicable to service providers.

Defining Account Data, Cardholder Data, and Sensitive Authentication Data

PCI DSS is intended for all entities that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD) or could impact the security of the cardholder data environment (CDE). Cardholder data and sensitive authentication data are considered account data and are defined as follows:

Account Data

Cardholder Data includes:
• Primary Account Number (PAN)
• Cardholder Name
• Expiration Date
• Service Code

Sensitive Authentication Data includes:
• Full track data (magnetic-stripe data or equivalent on a chip)
• Card verification code
• PINs/PIN blocks

Refer to PCI DSS Section 2, PCI DSS Applicability Information, for further details.


PCI DSS Self-Assessment Completion Steps

1. Confirm by review of the eligibility criteria in this SAQ and the Self-Assessment Questionnaire Instructions and Guidelines document on PCI SSC website that this is the correct SAQ for the merchant’s environment.

2. Confirm that the merchant environment is properly scoped.

3. Assess environment for compliance with PCI DSS requirements.

4. Complete all sections of this document:

• Section 1: Assessment Information (Parts 1 & 2 of the Attestation of Compliance (AOC) – Contact Information and Executive Summary).

• Section 2: Self-Assessment Questionnaire D for Merchants.

• Section 3: Validation and Attestation Details (Parts 3 & 4 of the AOC – PCI DSS Validation and Action Plan for Non-Compliant Requirements (if Part 4 is applicable)).

5. Submit the SAQ and AOC, along with any other requested documentation—such as ASV scan reports—to the requesting organization (those organizations that manage compliance programs such as payment brands and acquirers).

Expected Testing

The instructions provided in the “Expected Testing” column are based on the testing procedures in PCI DSS and provide a high-level description of the types of testing activities that a merchant is expected to perform to verify that a requirement has been met.

The intent behind each testing method is described as follows:

• Examine: The merchant critically evaluates data evidence. Common examples include documents (electronic or physical), screenshots, configuration files, audit logs, and data files.

• Observe: The merchant watches an action or views something in the environment. Examples of observation subjects include personnel performing a task or process, system components performing a function or responding to input, environmental conditions, and physical controls.

• Interview: The merchant converses with individual personnel. Interview objectives may include confirmation of whether an activity is performed, descriptions of how an activity is performed, and whether personnel have particular knowledge or understanding.

The testing methods are intended to allow the merchant to demonstrate how it has met a requirement. The specific items to be examined or observed and personnel to be interviewed should be appropriate for both the requirement being assessed and the merchant’s particular implementation.

Full details of testing procedures for each requirement can be found in PCI DSS.


Requirement Responses

For each requirement item, there is a choice of responses to indicate the merchant’s status regarding that requirement. Only one response should be selected for each requirement item.

A description of the meaning of each response, and when to use it, follows:

In Place: The expected testing has been performed, and all elements of the requirement have been met as stated.

In Place with CCW (Compensating Controls Worksheet): The expected testing has been performed, and the requirement has been met with the assistance of a compensating control. All responses in this column require completion of a Compensating Controls Worksheet (CCW) in Appendix B of this SAQ. Information on the use of compensating controls and guidance on how to complete the worksheet is provided in PCI DSS Appendices B and C.

Not Applicable: The requirement does not apply to the merchant’s environment. (See “Guidance for Not Applicable Requirements” below for examples.) All responses in this column require a supporting explanation in Appendix C of this SAQ.

Not Tested: The requirement was not included for consideration in the assessment and was not tested in any way. (See “Understanding the Difference between Not Applicable and Not Tested” below for examples of when this option should be used.) All responses in this column require a supporting explanation in Appendix D of this SAQ.

Not in Place: Some or all elements of the requirement have not been met, or are in the process of being implemented, or require further testing before the merchant can confirm they are in place. Responses in this column may require the completion of Part 4, if requested by the entity to which this SAQ will be submitted. This response is also used if a requirement cannot be met due to a legal restriction. (See “Legal Exception” below for more guidance.)


Guidance for Not Applicable Requirements

While many merchants completing SAQ D will need to validate compliance with every PCI DSS requirement, some entities with very specific business models may find that some requirements do not apply. For example, entities that do not use wireless technology in any capacity are not expected to comply with the PCI DSS requirements that are specific to managing wireless technology. Similarly, entities that do not store any account data electronically at any time are not expected to comply with the PCI DSS requirements related to secure storage of account data (for example, Requirement 3.5.1). Another example is requirements specific to application development and secure coding (for example, Requirements 6.2.1 through 6.2.4), which only apply to an entity with bespoke software (developed for the entity by a third party per the entity’s specifications) or custom software (developed by the entity for its own use).

For each response where Not Applicable is selected in this SAQ, complete Appendix C: Explanation of Requirements Noted as Not Applicable.

Understanding the Difference between Not Applicable and Not Tested

Requirements that are deemed to be not applicable to an environment must be verified as such. Using the wireless example above, for a merchant to select “Not Applicable” for Requirements 1.3.3, 2.3.1, 2.3.2, and 4.2.1.2, the merchant first needs to confirm that there are no wireless technologies used in its cardholder data environment (CDE) or that connect to its CDE. Once this has been confirmed, the merchant may select “Not Applicable” for those specific requirements.

If a requirement is completely excluded from review without any consideration as to whether it could apply, the “Not Tested” option should be selected. Examples of situations where this could occur may include:

• A merchant is asked by their acquirer to validate a subset of requirements—for example, using the PCI DSS Prioritized Approach to validate only certain milestones.

• A merchant is confirming a new security control that impacts only a subset of requirements—for example, implementation of a new encryption methodology that only requires assessment of PCI DSS Requirements 2, 3, and 4.

In these scenarios, the merchant’s assessment only includes certain PCI DSS requirements even though other requirements might also apply to its environment.

If any requirements are completely excluded from the merchant’s self-assessment, select Not Tested for that specific requirement, and complete Appendix D: Explanation of Requirements Not Tested for each “Not Tested” entry. An assessment with any Not Tested responses is a “Partial” PCI DSS assessment and will be noted as such by the merchant in the Attestation of Compliance in Section 3, Part 3 of this SAQ.
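The response rules above (exactly one response per requirement item, a Compensating Controls Worksheet in Appendix B for every "In Place with CCW", an explanation in Appendix C for every "Not Applicable", an explanation in Appendix D for every "Not Tested", and any "Not Tested" making the assessment Partial) can be checked mechanically before the SAQ is submitted. The following Python script is an added example, not part of the SAQ or any PCI SSC tool; the CSV layout it reads (requirement, response, appendices) and the sample sheet are assumptions constructed here, while the response names, appendix letters and requirement numbers come from the text above.

```python
"""Consistency checks for a draft SAQ D Section 2 response sheet.

Added example (not PCI SSC material). It encodes only the rules stated in the
"Requirement Responses" table and the Not Applicable / Not Tested guidance:
one response per requirement item, the appendix each response requires, and
that any Not Tested response makes the assessment "Partial".
The CSV layout (requirement,response,appendices) is an assumption of this example.
"""
import csv
import io
from dataclasses import dataclass

# The five responses the SAQ allows, and the appendix entry each one requires.
ALLOWED_RESPONSES = {
    "In Place", "In Place with CCW", "Not Applicable", "Not Tested", "Not in Place",
}
REQUIRED_APPENDIX = {
    "In Place with CCW": "B",   # Compensating Controls Worksheet
    "Not Applicable": "C",      # Explanation of Requirements Noted as Not Applicable
    "Not Tested": "D",          # Explanation of Requirements Noted as Not Tested
}


@dataclass(frozen=True)
class Row:
    requirement: str
    responses: tuple       # every response ticked for this item (should be exactly one)
    appendices: frozenset  # appendix letters that hold an entry for this item


def parse_sheet(text):
    """Parse the assumed CSV layout; several ticks or appendices are ';'-separated."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        responses = tuple(r.strip() for r in rec["response"].split(";") if r.strip())
        appendices = frozenset(a.strip() for a in rec["appendices"].split(";") if a.strip())
        rows.append(Row(rec["requirement"].strip(), responses, appendices))
    return rows


def validate(rows):
    """Return (requirement, problem) pairs; an empty list means the sheet is consistent."""
    findings = []
    seen = set()
    for row in rows:
        if row.requirement in seen:
            findings.append((row.requirement, "listed more than once"))
        seen.add(row.requirement)
        if len(row.responses) != 1:
            findings.append((row.requirement,
                             f"expected exactly one response, got {len(row.responses)}"))
            continue
        (response,) = row.responses
        if response not in ALLOWED_RESPONSES:
            findings.append((row.requirement, f"unknown response {response!r}"))
            continue
        needed = REQUIRED_APPENDIX.get(response)
        if needed and needed not in row.appendices:
            findings.append((row.requirement,
                             f"{response} requires an entry in Appendix {needed}"))
    return findings


def assessment_type(rows):
    """Any Not Tested entry makes this a Partial assessment (noted in Section 3, Part 3)."""
    return "Partial" if any(r.responses == ("Not Tested",) for r in rows) else "Full"


def part4_may_be_required(rows):
    """Not in Place responses may require Part 4 if the receiving entity requests it."""
    return any(r.responses == ("Not in Place",) for r in rows)


# Constructed sample sheet; the requirement numbers are ones cited in the SAQ guidance.
SAMPLE_SHEET = """requirement,response,appendices
1.3.3,Not Applicable,C
2.3.1,Not Applicable,
3.5.1,In Place with CCW,B
6.2.1,Not Tested,D
4.2.1.2,In Place;Not in Place,
6.2.2,Not in Place,
"""

if __name__ == "__main__":
    rows = parse_sheet(SAMPLE_SHEET)
    for requirement, problem in validate(rows):
        print(f"{requirement}: {problem}")
    print("Assessment type:", assessment_type(rows))
    print("Part 4 may be required:", part4_may_be_required(rows))
```

On the sample sheet the script flags 2.3.1 (Not Applicable without an Appendix C explanation) and 4.2.1.2 (two responses ticked), reports the assessment as Partial because 6.2.1 is Not Tested, and notes that the Not in Place entry for 6.2.2 may trigger Part 4. The same checks apply unchanged to a full Section 2 export.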


Guidance for Responding to Future Dated Requirements

In Section 2 below, each new PCI DSS v4.0 requirement or bullet with an extended implementation period includes the following note: “This requirement [or bullet] is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.”

These new requirements are not required to be included in a PCI DSS assessment until the future date has passed. Prior to that future date, any new requirements with an extended implementation date that have not been implemented by the merchant may be marked as Not Applicable and documented in Appendix C: Explanation of Requirements Noted as Not Applicable.

Legal Exception

If your organization is subject to a legal restriction that prevents the organization from meeting a PCI DSS requirement, select Not in Place for that requirement and complete the relevant attestation in Section 3, Part 3 of this SAQ.

Note: A legal restriction is one where meeting the PCI DSS requirement would violate a local or regional law or regulation. Contractual obligations or legal advice are not legal restrictions.

Use of the Customized Approach

SAQs cannot be used to document use of the Customized Approach to meet PCI DSS requirements. For this reason, the Customized Approach Objectives are not included in SAQs. Entities wishing to validate using the Customized Approach may be able to use the PCI DSS Report on Compliance (ROC) Template to document the results of their assessment.

The use of the customized approach may be regulated by organizations that manage compliance programs, such as payment brands and acquirers. Questions about use of a customized approach should always be referred to those organizations. This includes whether an entity that is eligible for an SAQ may instead complete a ROC to use a customized approach, and whether an entity is required to use a QSA, or may use an ISA, to complete an assessment using the customized approach. Information about the use of the Customized Approach can be found in Appendices D and E of PCI DSS.

Use of the Customized Approach is not supported in SAQs.


Additional PCI SSC Resources

Additional resources that provide guidance on PCI DSS requirements and how to complete the self-assessment questionnaire have been provided below to assist with the assessment process.

PCI DSS (PCI Data Security Standard Requirements and Testing Procedures) includes:
• Guidance on Scoping
• Guidance on the intent of all PCI DSS Requirements
• Details of testing procedures
• Guidance on Compensating Controls
• Appendix G: Glossary of Terms, Abbreviations, and Acronyms

SAQ Instructions and Guidelines includes:
• Information about all SAQs and their eligibility criteria
• How to determine which SAQ is right for your organization

Frequently Asked Questions (FAQs) includes:
• Guidance and information about SAQs.

Online PCI DSS Glossary includes:
• PCI DSS Terms, Abbreviations, and Acronyms

Information Supplements and Guidelines includes:
• Guidance on a variety of PCI DSS topics including:
  − Understanding PCI DSS Scoping and Network Segmentation
  − Third-Party Security Assurance
  − Multi-Factor Authentication Guidance
  − Best Practices for Maintaining PCI DSS Compliance

Getting Started with PCI includes:
• Resources for smaller merchants including:
  − Guide to Safe Payments
  − Common Payment Systems
  − Questions to Ask Your Vendors
  − Glossary of Payment and Information Security Terms
  − PCI Firewall Basics

These and other resources can be found on the PCI SSC website (www.pcisecuritystandards.org).

Organizations are encouraged to review PCI DSS and other supporting documents before beginning an assessment.

https://www.pcisecuritystandards.org/pci_security/glossary
http://www.pcisecuritystandards.org/


Section 1: Assessment Information

Instructions for Submission

This document must be completed as a declaration of the results of the merchant’s self-assessment against the Payment Card Industry Data Security Standard (PCI DSS) Requirements and Testing Procedures. Complete all sections. The merchant is responsible for ensuring that each section is completed by the relevant parties, as applicable. Contact the entity(ies) to which the Attestation of Compliance (AOC) will be submitted for reporting and submission procedures.

Part 1. Contact Information

Part 1a. Assessed Merchant

Company name:

DBA (doing business as):

Company mailing address:

Company main website:

Company contact name:

Company contact title:

Contact phone number:

Contact e-mail address:

Part 1b. Assessor

Provide the following information for all assessors involved in the assessment. If there was no assessor for a given assessor type, enter Not Applicable.

PCI SSC Internal Security Assessor(s)

ISA name(s):

Qualified Security Assessor

Company name:

Company mailing address:

Company website:

Lead Assessor Name:

Assessor phone number:

Assessor e-mail address:

Assessor certificate number:


Part 2. Executive Summary

Part 2a. Merchant Business Payment Channels (select all that apply):

Indicate all payment channels used by the business that are included in this assessment.

Mail order/telephone order (MOTO)

E-Commerce

Card-present

Are any payment channels not included in this assessment? If yes, indicate which channel(s) is not included in the assessment and provide a brief explanation about why the channel was excluded.

Yes No

Note: If the organization has a payment channel that is not covered by this SAQ, consult with the entity(ies) to which this AOC will be submitted about validation for the other channels.

Part 2b. Description of Role with Payment Cards

For each payment channel included in this assessment as selected in Part 2a above, describe how the business stores, processes, and/or transmits account data.

Channel | How Business Stores, Processes, and/or Transmits Account Data

Part 2c. Description of Payment Card Environment

Provide a high-level description of the environment covered by this assessment. For example:

• Connections into and out of the cardholder data environment (CDE).

• Critical system components within the CDE, such as POI devices, databases, web servers, etc., and any other necessary payment components, as applicable.

• System components that could impact the security of account data.

Indicate whether the environment includes segmentation to reduce the scope of the assessment. (Refer to “Segmentation” section of PCI DSS for guidance on segmentation.)

Yes No


Part 2. Executive Summary (continued)

Part 2d. In-Scope Locations/Facilities

List all types of physical locations/facilities (for example, retail locations, corporate offices, data centers, call centers, and mail rooms) in scope for the PCI DSS assessment.

Facility Type | Total number of locations (how many locations of this type are in scope) | Location(s) of facility (city, country)

Example: Data centers | 3 | Boston, MA, USA

Part 2e. PCI SSC Validated Products and Solutions

Does the merchant use any item identified on any PCI SSC Lists of Validated Products and Solutions♦? Yes No

Provide the following information regarding each item the merchant uses from PCI SSC’s Lists of Validated Products and Solutions. The table has one row per item, with these columns:

• Name of PCI SSC-validated Product or Solution
• Version of Product or Solution
• PCI SSC Standard to which product or solution was validated
• PCI SSC listing reference number
• Expiry date of listing (YYYY-MM-DD)

♦ For purposes of this document, “Lists of Validated Products and Solutions” means the lists of validated products, solutions, and/or components appearing on the PCI SSC website (www.pcisecuritystandards.org), for example, 3DS Software Development Kits, Approved PTS Devices, Validated Payment Software, Payment Applications (PA-DSS), Point to Point Encryption (P2PE) solutions, Software-Based PIN Entry on COTS (SPoC) solutions, a

Reference no: EM132069492
