pci_dss_v1-2 (1027411), страница 14
Текст из файла (страница 14)
Action Plan for Non-Compliant StatusPlease select the appropriate “Compliance Status” for each requirement. If you answer “No” to any ofthe requirements, you are required to provide the date Company will be compliant with the requirementand a brief description of the actions being taken to meet the requirement. Check with your acquirer orthe payment brand(s) before completing Part 4 since not all payment brands require this section.PCIRequirementDescriptionComplianceStatus(Select One)1Install and maintain a firewallconfiguration to protectcardholder data.YesNo2Do not use vendor-supplieddefaults for system passwordsand other security parameters.YesNo3Protect stored cardholder data.YesNo4Encrypt transmission ofcardholder data across open,public networks.YesNo5Use and regularly update antivirus software.YesNo6Develop and maintain securesystems and applications.YesNo7Restrict access to cardholder databy business need to know.YesNo8Assign a unique ID to eachperson with computer access.YesNo9Restrict physical access tocardholder data.YesNo10Track and monitor all access tonetwork resources and cardholderdata.YesNo11Regularly test security systemsand processes.YesNo12Maintain a policy that addressesinformation security.YesNoRemediation Date and Actions(if Compliance Status is “No”)PCI DSS Requirements and Security Assessment Procedures, v1.2Appendix D: Attestation of Compliance for Onsite Assessment – MerchantsOctober 2008Page 67Appendix E: Attestation of Compliance – Service ProvidersPayment Card Industry (PCI)Data Security StandardAttestation of Compliance forOnsite Assessments – Service ProvidersVersion 1.2October 2008Instructions for SubmissionThe Qualified Security Assessor (QSA) and Service Provider must complete this document as a declaration of theService Provider’s compliance status with the Payment Card Industry Data Security Standard (PCI DSS).
Completeall applicable sections and submit to the requesting payment brand.Part 1. Qualified Security Assessor Company InformationCompany Name:Lead QSA Contact Name:Title:Telephone:E-mail:Business Address:City:State/Province:Country:ZIP:URL:Part 2. Service Provider Organization InformationCompany Name:DBA(s):Contact Name:Title:Telephone:E-mail:Business Address:City:State/Province:Country:ZIP:URL:Part 2a.
Services Provided (check all that apply)AuthorizationSwitchingPayment GatewayHostingLoyalty ProgramsIPSP (E-commerce)Clearing & SettlementIssuing Processing3-D Secure Access Control ServerProcess Magnetic-Stripe TransactionsProcess MO/TO TransactionsOthers (please specify):List facilities and locations included in PCI DSS review:Part 2b. RelationshipsDoes your company have a relationship with one or more third-party service providers (for example,gateways, web-hosting companies, airline booking agents, loyalty program agents, etc)?YesNoPart 2c.
Transaction ProcessingHow and in what capacity does your business store, process and/or transmit cardholder data?Payment Application in use:Payment Application Version:PCI DSS Requirements and Security Assessment Procedures, v1.2Appendix E: Attestation of Compliance for Onsite Assessment – Service ProvidersOctober 2008Page 69Part 3.
PCI DSS ValidationBased on the results noted in the Report on Compliance (“ROC”) dated (date of ROC), (QSA Name) assertsthe following compliance status for the entity identified in Part 2 of this document as of (date) (check one):Compliant: All requirements in the ROC are marked “in place8,” and a passing scan has beencompleted by the PCI SSC Approved Scanning Vendor (ASV Name) thereby (Service Provider Name)has demonstrated full compliance with the PCI DSS (insert version number).Non-Compliant: Some requirements in the ROC are marked “not in place,” resulting in an overallNON-COMPLIANT rating, or a passing scan has not been completed by a PCI SSC Approved ScanningVendor, thereby (Service Provider Name) has not demonstrated full compliance with the PCI DSS.Target Date for Compliance:An entity submitting this form with a status of Non-Compliant may be required to complete the ActionPlan in Part 4 of this document.
Check with the payment brand(s) before completing Part 4, since not allpayment brands require this section.Part 3a. Confirmation of Compliant StatusQSA and Service Provider confirm:The ROC was completed according to the PCI DSS Requirements and Security AssessmentProcedures, Version (insert version number), and was completed according to the instructions therein.All information within the above-referenced ROC and in this attestation fairly represents the results ofthe assessment in all material respects.The Service Provider has read the PCI DSS and recognizes that they must maintain full PCI DSScompliance at all times.No evidence of magnetic stripe (i.e., track) data9, CAV2, CVC2, CID, or CVV2 data10, or PIN data11storage after transaction authorization was found on ANY systems reviewed during this assessment.Part 3b.
QSA and Service Provider AcknowledgmentsSignature of Lead QSA ÇLead QSA Name:Date:Title:Signature of Service Provider Executive Officer ÇService Provider Executive Officer Name:89Date:Title:“In place” results should include compensating controls reviewed by the QSA. If compensating controls are determined tosufficiently mitigate the risk associated with the requirement, the QSA should mark the requirement as “in place”.Data encoded in the magnetic stripe used for authorization during a card-present transaction.
Entities may not retain full magneticstripe data after transaction authorization. The only elements of track data that may be retained are account number, expirationdate, and name.10The three- or four-digit value printed on the signature panel or face of a payment card used to verify card-not-presenttransactions.11Personal Identification Number entered by cardholder during a card-present transaction, and/or encrypted PIN block presentwithin the transaction message.PCI DSS Requirements and Security Assessment Procedures, v1.2Appendix E: Attestation of Compliance for Onsite Assessment – Service ProvidersOctober 2008Page 70Part 4.
Action Plan for Non-Compliant StatusPlease select the appropriate “Compliance Status” for each requirement. If you answer “No” to any ofthe requirements, you are required to provide the date Company will be compliant with the requirementand a brief description of the actions being taken to meet the requirement. Check with the paymentbrand(s) before completing Part 4 since not all payment brands require this section.PCIRequirementDescriptionComplianceStatus(Select One)1Install and maintain a firewallconfiguration to protectcardholder data.YesNo2Do not use vendor-supplieddefaults for system passwordsand other security parameters.YesNo3Protect stored cardholder data.YesNo4Encrypt transmission ofcardholder data across open,public networks.YesNo5Use and regularly update antivirus software.YesNo6Develop and maintain securesystems and applications.YesNo7Restrict access to cardholder databy business need to know.YesNo8Assign a unique ID to eachperson with computer access.YesNo9Restrict physical access tocardholder data.YesNo10Track and monitor all access tonetwork resources and cardholderdata.YesNo11Regularly test security systemsand processes.YesNo12Maintain a policy that addressesinformation security.YesNoRemediation Date and Actions(if Compliance Status is “No”)PCI DSS Requirements and Security Assessment Procedures, v1.2Appendix E: Attestation of Compliance for Onsite Assessment – Service ProvidersOctober 2008Page 71Appendix F: PCI DSS Reviews — Scoping and Selecting SamplesPCI DSS Requirements and Security Assessment Procedures, v1.2Appendix F: Scoping and Selecting SamplesOctober 2008Page 72.
![](https://s.studizba.com/z.php?f=/templates/si/i/noavatar.png&w=100&h=100&t=1"){kind=avatar}
