| author | Rich Kreider <rjkreider@gmail.com> | 2026-06-08 10:48:41 -0400 |
|---|---|---|
| committer | Rich Kreider <rjkreider@gmail.com> | 2026-06-08 10:48:41 -0400 |
| commit | 8a0d12776967844df9f3c58b460467ebe84d7aba (patch) | |
| tree | 5e74f29e6cff6fdbd9c0d05e75bac3ec67f25d32 /data/saq_b.json | |
| parent | 7e0eafd5987e27ed8585aea8210caf4243142dfe (diff) | |
added additional SAQ questionnaires and fixed PDF export bug
Diffstat (limited to 'data/saq_b.json')
| -rw-r--r-- | data/saq_b.json | 371 |
1 files changed, 371 insertions, 0 deletions
diff --git a/data/saq_b.json b/data/saq_b.json
new file mode 100644
index 0000000..178f492
--- /dev/null
+++ b/data/saq_b.json
@@ -0,0 +1,371 @@
+{
+ "id": "saq_b",
+ "name": "SAQ B",
+ "version": "PCI DSS v4.0",
+ "description": "For merchants using only imprint machines with no electronic cardholder data storage, or standalone, dial-out terminals with no electronic cardholder data storage and not connected to any other systems or networks.",
+ "applicability": "This SAQ applies to merchants that process cardholder data only via imprint machines or standalone dial-out (PSTN) terminals. These merchants do not transmit cardholder data over the Internet or any IP-based networks. No electronic storage of cardholder data occurs.",
+ "requirements": [
+ {
+ "id": "2",
+ "title": "Apply Secure Configurations to All System Components",
+ "objective": "For SAQ B, Requirement 2 applies to any system components in use, including the dial-out terminals and any associated systems.",
+ "controls": [
+ {
+ "id": "2.1",
+ "title": "Processes and mechanisms for applying secure configurations to all system components are defined and understood.",
+ "items": [
+ {
+ "id": "2.1.1",
+ "question": "Are all security policies and operational procedures that are identified in Requirement 2 documented, kept up to date, in use, and known to all affected parties?",
+ "guidance": "Examine documentation and interview personnel."
+ },
+ {
+ "id": "2.1.2",
+ "question": "Are all roles and responsibilities for performing activities in Requirement 2 documented, assigned, and understood?",
+ "guidance": "Examine documentation and interview personnel."
+ }
+ ]
+ },
+ {
+ "id": "2.2",
+ "title": "System components are configured and managed securely.",
+ "items": [
+ {
+ "id": "2.2.2",
+ "question": "Are vendor default accounts managed as follows:\n• If the vendor default account(s) will be used, the default password is changed.\n• If the vendor default account(s) will not be used, the account is removed or disabled.",
+ "guidance": "Examine system configuration standards and interview personnel."
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "id": "3",
+ "title": "Protect Stored Account Data",
+ "objective": "Sensitive authentication data must not be stored after authorization.",
+ "controls": [
+ {
+ "id": "3.2",
+ "title": "Storage of account data is kept to a minimum.",
+ "items": [
+ {
+ "id": "3.2.1",
+ "question": "Are the full contents of any track, card verification codes/values, and PINs not stored after authorization, even if encrypted?",
+ "guidance": "Examine data sources, including paper-based records, to verify that sensitive authentication data is not stored after authorization."
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "id": "9",
+ "title": "Restrict Physical Access to Cardholder Data",
+ "objective": "Physical security is critical for SAQ B merchants as paper-based cardholder data and physical terminals must be protected.",
+ "controls": [
+ {
+ "id": "9.1",
+ "title": "Processes and mechanisms for restricting physical access to cardholder data are defined and understood.",
+ "items": [
+ {
+ "id": "9.1.1",
+ "question": "Are all security policies and operational procedures that are identified in Requirement 9 documented, kept up to date, in use, and known to all affected parties?",
+ "guidance": "Examine documentation and interview personnel."
+ },
+ {
+ "id": "9.1.2",
+ "question": "Are all roles and responsibilities for performing activities in Requirement 9 documented, assigned, and understood?",
+ "guidance": "Examine documentation and interview personnel."
+ }
+ ]
+ },
+ {
+ "id": "9.3",
+ "title": "Physical access for personnel and visitors is authorized and managed.",
+ "items": [
+ {
+ "id": "9.3.1",
+ "question": "Is all physical access by personnel to the CDE authorized before being granted and revoked immediately upon termination?",
+ "guidance": "Examine lists of personnel with physical access and interview personnel responsible for granting access."
+ },
+ {
+ "id": "9.3.1.1",
+ "question": "Is access to the CDE by visitors authorized and managed as follows:\n• Visitors are authorized before entering areas where cardholder data is processed or maintained.\n• Visitors are escorted at all times within areas where cardholder data is processed or maintained.\n• Visitors are clearly identified and distinguished from personnel.",
+ "guidance": "Observe procedures for visitor access and examine visitor logs."
+ }
+ ]
+ },
+ {
+ "id": "9.4",
+ "title": "Media with cardholder data is securely accessed, distributed, and destroyed.",
+ "items": [
+ {
+ "id": "9.4.1",
+ "question": "Are all media with cardholder data physically secured?",
+ "guidance": "Examine documentation and observe physical media storage."
+ },
+ {
+ "id": "9.4.2",
+ "question": "Are all media with cardholder data classified in accordance with the sensitivity of the data?",
+ "guidance": "Examine documentation and observe media classification."
+ },
+ {
+ "id": "9.4.3",
+ "question": "Is media with cardholder data sent by secured courier or other delivery method that can be accurately tracked?",
+ "guidance": "Examine documentation and interview personnel."
+ },
+ {
+ "id": "9.4.4",
+ "question": "Is management approval obtained prior to moving media with cardholder data from a secured area?",
+ "guidance": "Examine documentation and interview personnel."
+ },
+ {
+ "id": "9.4.6",
+ "question": "Are hard-copy materials with cardholder data destroyed when no longer needed via cross-cut shredding, incineration, or pulping, and are materials stored in secure containers prior to destruction?",
+ "guidance": "Examine the media destruction policy and interview personnel."
+ }
+ ]
+ },
+ {
+ "id": "9.5",
+ "title": "Point-of-interaction (POI) devices are protected from tampering and unauthorized substitution.",
+ "items": [
+ {
+ "id": "9.5.1",
+ "question": "Are POI devices that capture payment card data protected from tampering and unauthorized substitution, including:\n• Maintaining a list of POI devices.\n• Periodically inspecting POI devices to look for tampering or unauthorized substitution.\n• Training personnel to be aware of suspicious behavior and to report tampering or unauthorized substitution of devices.",
+ "guidance": "Examine documented policies and procedures and interview responsible personnel."
+ },
+ {
+ "id": "9.5.1.1",
+ "question": "Is the list of POI devices maintained, and does it include make and model, location, and device serial number or other method of unique identification?",
+ "guidance": "Examine the list of POI devices and interview personnel."
+ },
+ {
+ "id": "9.5.1.2",
+ "question": "Are POI device surfaces periodically inspected to detect tampering and unauthorized substitution at the frequency defined in the entity's targeted risk analysis, and are all POI devices inspected?",
+ "guidance": "Examine documented procedures and interview personnel."
+ },
+ {
+ "id": "9.5.1.2.1",
+ "question": "Are inspections of POI devices performed at the frequency defined in the entity's targeted risk analysis?",
+ "guidance": "Examine the entity's targeted risk analysis and compare to documented inspection evidence."
+ },
+ {
+ "id": "9.5.1.3",
+ "question": "Is training provided to personnel to be aware of attempted tampering or replacement of POI devices, including verifying third-party identities, not installing/replacing/returning devices without verification, reporting suspicious behavior, and recognizing tampering indicators?",
+ "guidance": "Examine training materials and interview personnel."
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "id": "11",
+ "title": "Test Security of Systems and Networks Regularly",
+ "objective": "For SAQ B, Requirement 11 applies to testing for unauthorized wireless access points.",
+ "controls": [
+ {
+ "id": "11.1",
+ "title": "Processes and mechanisms for regularly testing security of systems and networks are defined and understood.",
+ "items": [
+ {
+ "id": "11.1.1",
+ "question": "Are all security policies and operational procedures that are identified in Requirement 11 documented, kept up to date, in use, and known to all affected parties?",
+ "guidance": "Examine documentation and interview personnel."
+ },
+ {
+ "id": "11.1.2",
+ "question": "Are all roles and responsibilities for performing activities in Requirement 11 documented, assigned, and understood?",
+ "guidance": "Examine documentation and interview personnel."
+ }
+ ]
+ },
+ {
+ "id": "11.2",
+ "title": "Wireless access points are identified and monitored, and unauthorized wireless access points are addressed.",
+ "items": [
+ {
+ "id": "11.2.1",
+ "question": "Are authorized and unauthorized wireless access points managed by testing for their presence at least once every three months or via automatic monitoring, and are all detected unauthorized access points responded to using the incident response plan?",
+ "guidance": "Examine policies and procedures and interview responsible personnel."
+ },
+ {
+ "id": "11.2.2",
+ "question": "Is an inventory of authorized wireless access points maintained with documented business justification for each?",
+ "guidance": "Examine the inventory of authorized wireless access points."
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "id": "12",
+ "title": "Support Information Security with Organizational Policies and Programs",
+ "objective": "Organizational policies and programs support the overall security posture for the SAQ B merchant environment.",
+ "controls": [
+ {
+ "id": "12.1",
+ "title": "A comprehensive information security policy that governs and provides direction for protection of the entity's information assets is known and current.",
+ "items": [
+ {
+ "id": "12.1.1",
+ "question": "Is an overall information security policy established, published, maintained, and disseminated to all relevant personnel and relevant vendors and business partners?",
+ "guidance": "Examine the information security policy and interview personnel."
+ },
+ {
+ "id": "12.1.2",
+ "question": "Is the information security policy reviewed at least once every 12 months and updated when the environment changes?",
+ "guidance": "Examine the information security policy and interview personnel."
+ },
+ {
+ "id": "12.1.3",
+ "question": "Does the information security policy clearly define roles and responsibilities for all personnel, and do all personnel acknowledge their responsibilities?",
+ "guidance": "Examine the information security policy and interview personnel."
+ },
+ {
+ "id": "12.1.4",
+ "question": "Is responsibility for information security formally assigned to a CISO or other information security knowledgeable member of executive management?",
+ "guidance": "Examine the information security policy and interview personnel."
+ }
+ ]
+ },
+ {
+ "id": "12.2",
+ "title": "Acceptable use policies for end-user technologies are defined and implemented.",
+ "items": [
+ {
+ "id": "12.2.1",
+ "question": "Are acceptable use policies for end-user technologies documented and implemented with explicit approval, defined acceptable uses, and a list of approved products?",
+ "guidance": "Examine the acceptable use policy and interview personnel."
+ }
+ ]
+ },
+ {
+ "id": "12.3",
+ "title": "Risks to the cardholder data environment are formally identified, evaluated, and managed.",
+ "items": [
+ {
+ "id": "12.3.1",
+ "question": "For each PCI DSS requirement that specifies completion of a targeted risk analysis, is the analysis performed and documented including assets, threats, likelihood/impact factors, risk assignment, and a qualified individual performing the analysis?",
+ "guidance": "Examine risk analysis documentation."
+ }
+ ]
+ },
+ {
+ "id": "12.5",
+ "title": "PCI DSS scope is documented and validated.",
+ "items": [
+ {
+ "id": "12.5.1",
+ "question": "Is an inventory of system components that are in scope for PCI DSS maintained, including a description of function/use?",
+ "guidance": "Examine system component inventory documentation."
+ },
+ {
+ "id": "12.5.2",
+ "question": "Is PCI DSS scope documented and confirmed at least once every 12 months and upon significant change, including all account data locations and flows?",
+ "guidance": "Examine documentation and interview personnel."
+ }
+ ]
+ },
+ {
+ "id": "12.6",
+ "title": "Security awareness education is an ongoing activity.",
+ "items": [
+ {
+ "id": "12.6.1",
+ "question": "Is a formal security awareness program implemented to make all personnel aware of the entity's information security policy and procedures and their role in protecting cardholder data?",
+ "guidance": "Examine the security awareness program."
+ },
+ {
+ "id": "12.6.2",
+ "question": "Is the security awareness program reviewed at least once every 12 months and updated as needed to address new threats or vulnerabilities?",
+ "guidance": "Examine the security awareness program and interview personnel."
+ },
+ {
+ "id": "12.6.3",
+ "question": "Are personnel trained upon hire and at least once every 12 months covering awareness of threats, acceptable use policies, and personnel roles in protecting cardholder data?",
+ "guidance": "Examine security awareness training records and interview personnel."
+ },
+ {
+ "id": "12.6.3.1",
+ "question": "Does security awareness training include awareness of threats and vulnerabilities that could impact the security of the CDE, including phishing and related attacks?",
+ "guidance": "Examine training content."
+ }
+ ]
+ },
+ {
+ "id": "12.7",
+ "title": "Personnel are screened to reduce risks from insider threats.",
+ "items": [
+ {
+ "id": "12.7.1",
+ "question": "Are potential personnel who will have access to the CDE screened within the constraints of local laws prior to hire to minimize the risk of attacks from internal sources?",
+ "guidance": "Examine hiring policies and procedures and interview personnel."
+ }
+ ]
+ },
+ {
+ "id": "12.8",
+ "title": "Risk to information assets associated with third-party service provider (TPSP) relationships is managed.",
+ "items": [
+ {
+ "id": "12.8.1",
+ "question": "Is a list of all TPSPs maintained with which account data is shared or that could affect the security of account data, including a description of services provided?",
+ "guidance": "Examine the list of TPSPs."
+ },
+ {
+ "id": "12.8.2",
+ "question": "Are written agreements with all TPSPs maintained that include acknowledgment of TPSP responsibility for account data security?",
+ "guidance": "Examine written agreements with TPSPs."
+ },
+ {
+ "id": "12.8.3",
+ "question": "Is an established process implemented for engaging TPSPs, including proper due diligence prior to engagement?",
+ "guidance": "Examine policies and procedures and interview personnel."
+ },
+ {
+ "id": "12.8.4",
+ "question": "Is a program implemented to monitor TPSPs' PCI DSS compliance status at least once every 12 months?",
+ "guidance": "Examine documentation."
+ },
+ {
+ "id": "12.8.5",
+ "question": "Is information maintained about which PCI DSS requirements are managed by each TPSP, which by the entity, and any that are shared?",
+ "guidance": "Examine documentation."
+ }
+ ]
+ },
+ {
+ "id": "12.10",
+ "title": "Suspected and confirmed security incidents that could impact the CDE are responded to immediately.",
+ "items": [
+ {
+ "id": "12.10.1",
+ "question": "Is an incident response plan created and implemented covering roles, responsibilities, communication strategies, containment activities, business recovery, data backup, legal requirements, and critical system coverage?",
+ "guidance": "Examine the incident response plan and interview personnel."
+ },
+ {
+ "id": "12.10.2",
+ "question": "Is the incident response plan reviewed and tested at least once every 12 months?",
+ "guidance": "Examine the incident response plan and testing documentation."
+ },
+ {
+ "id": "12.10.3",
+ "question": "Are specific personnel designated to be available on a 24/7 basis to respond to suspected or confirmed security incidents?",
+ "guidance": "Examine policies and procedures and interview personnel."
+ },
+ {
+ "id": "12.10.4",
+ "question": "Is personnel appropriate to respond to a suspected or confirmed security incident trained at least once every 12 months?",
+ "guidance": "Examine training documentation."
+ },
+ {
+ "id": "12.10.5",
+ "question": "Is the incident response plan modified and evolved according to lessons learned and industry developments?",
+ "guidance": "Examine the incident response plan and interview personnel."
+ }
+ ]
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file |
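Review bot: The multi-point questions at 2.2.2, 9.3.1.1 and 9.5.1 carry their sub-bullets as `\n•` sequences inside the `question` string, so every consumer (including the PDF export this commit also touches) has to re-split the string to render them, and a renderer that does not honour embedded newlines will print them as one run-on sentence. Keeping the lead-in in `question` and the bullets in a sibling `points` array keeps the structure in the data; the 2.2.2 item is shown below as the pattern, the other two follow it. The file also ends without a trailing newline, which most tooling will flag on each later edit. On the positive side, every `id` is a string, so dotted ids such as `9.5.1.2.1` survive any parser unchanged.
```json
{
  "id": "2.2.2",
  "question": "Are vendor default accounts managed as follows:",
  "points": [
    "If the vendor default account(s) will be used, the default password is changed.",
    "If the vendor default account(s) will not be used, the account is removed or disabled."
  ],
  "guidance": "Examine system configuration standards and interview personnel."
}
```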
