authorRich Kreider <rjkreider@gmail.com>2026-06-08 10:48:41 -0400
committerRich Kreider <rjkreider@gmail.com>2026-06-08 10:48:41 -0400
commit8a0d12776967844df9f3c58b460467ebe84d7aba (patch)
tree5e74f29e6cff6fdbd9c0d05e75bac3ec67f25d32 /data/saq_c_vt.json
parent7e0eafd5987e27ed8585aea8210caf4243142dfe (diff)
added additional SAQ questionnaires and fixed PDF export bug
Diffstat (limited to 'data/saq_c_vt.json')
-rw-r--r--data/saq_c_vt.json582
1 files changed, 582 insertions, 0 deletions
diff --git a/data/saq_c_vt.json b/data/saq_c_vt.json
new file mode 100644
index 0000000..175dd2f
--- /dev/null
+++ b/data/saq_c_vt.json
@@ -0,0 +1,582 @@
+{
+ "id": "saq_c_vt",
+ "name": "SAQ C-VT",
+ "version": "PCI DSS v4.0",
+ "description": "For merchants who manually enter a single transaction at a time via a keyboard into an internet-based virtual terminal solution, with no electronic cardholder data storage.",
+ "applicability": "This SAQ applies to merchants that process cardholder data only via web-based virtual terminals accessed through a web browser on a computer connected to the Internet. The virtual terminal solution is provided by a PCI DSS validated third-party service provider. Cardholder data is not electronically stored after authorization.",
+ "requirements": [
+ {
+ "id": "2",
+ "title": "Apply Secure Configurations to All System Components",
+ "objective": "Secure configurations reduce the attack surface available to malicious actors.",
+ "controls": [
+ {
+ "id": "2.1",
+ "title": "Processes and mechanisms for applying secure configurations to all system components are defined and understood.",
+ "items": [
+ {
+ "id": "2.1.1",
+ "question": "Are all security policies and operational procedures that are identified in Requirement 2 documented, kept up to date, in use, and known to all affected parties?",
+ "guidance": "Examine documentation and interview personnel."
+ },
+ {
+ "id": "2.1.2",
+ "question": "Are all roles and responsibilities for performing activities in Requirement 2 documented, assigned, and understood?",
+ "guidance": "Examine documentation and interview personnel."
+ }
+ ]
+ },
+ {
+ "id": "2.2",
+ "title": "System components are configured and managed securely.",
+ "items": [
+ {
+ "id": "2.2.1",
+ "question": "Are configuration standards developed, implemented, and maintained for all system components that address all known security vulnerabilities and are consistent with industry-accepted system hardening standards?",
+ "guidance": "Examine system configuration standards and interview personnel."
+ },
+ {
+ "id": "2.2.2",
+ "question": "Are vendor default accounts managed by changing default passwords if used or removing/disabling accounts if not used?",
+ "guidance": "Examine system configuration standards and interview personnel."
+ },
+ {
+ "id": "2.2.3",
+ "question": "Is all non-console administrative access encrypted using strong cryptography?",
+ "guidance": "Examine system configuration settings and interview personnel."
+ },
+ {
+ "id": "2.2.4",
+ "question": "Are only necessary services, protocols, daemons, and functions enabled, and are all unnecessary functionality removed or disabled?",
+ "guidance": "Examine system configuration standards and system components."
+ },
+ {
+ "id": "2.2.5",
+ "question": "If any insecure services, protocols, or daemons are present, is the business need documented and are additional security features implemented to reduce the risk?",
+ "guidance": "Examine system configuration standards."
+ },
+ {
+ "id": "2.2.6",
+ "question": "Are system security parameters configured to prevent misuse?",
+ "guidance": "Examine system configuration standards and interview personnel."
+ },
+ {
+ "id": "2.2.7",
+ "question": "Is all non-console administrative access encrypted using strong cryptography?",
+ "guidance": "Examine system configuration settings."
+ }
+ ]
+ },
+ {
+ "id": "2.3",
+ "title": "Wireless environments are configured and managed securely.",
+ "items": [
+ {
+ "id": "2.3.1",
+ "question": "For wireless environments connected to the CDE or transmitting account data, are all wireless vendor defaults changed at installation or confirmed to be secure, including default wireless encryption keys, passwords on wireless access points, SNMP community strings, and firmware?",
+ "guidance": "Examine policies and interview responsible personnel."
+ },
+ {
+ "id": "2.3.2",
+ "question": "For wireless environments connected to the CDE or transmitting account data, are wireless encryption keys changed whenever personnel with knowledge of the key leave the company or the role, or whenever a key is known or suspected to be compromised?",
+ "guidance": "Examine documentation and interview personnel."
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "id": "3",
+ "title": "Protect Stored Account Data",
+ "objective": "Sensitive authentication data must not be stored after authorization.",
+ "controls": [
+ {
+ "id": "3.2",
+ "title": "Storage of account data is kept to a minimum.",
+ "items": [
+ {
+ "id": "3.2.1",
+ "question": "Are the full contents of any track, card verification codes/values, and PINs not stored after authorization, even if encrypted?",
+ "guidance": "Examine data sources to verify sensitive authentication data is not stored after authorization."
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "id": "4",
+ "title": "Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks",
+ "objective": "Strong cryptography protects cardholder data transmitted over open, public networks.",
+ "controls": [
+ {
+ "id": "4.1",
+ "title": "Processes and mechanisms for protecting cardholder data with strong cryptography during transmission are defined and understood.",
+ "items": [
+ {
+ "id": "4.1.1",
+ "question": "Are all security policies and operational procedures that are identified in Requirement 4 documented, kept up to date, in use, and known to all affected parties?",
+ "guidance": "Examine documentation and interview personnel."
+ },
+ {
+ "id": "4.1.2",
+ "question": "Are all roles and responsibilities for performing activities in Requirement 4 documented, assigned, and understood?",
+ "guidance": "Examine documentation and interview personnel."
+ }
+ ]
+ },
+ {
+ "id": "4.2",
+ "title": "PAN is protected with strong cryptography during transmission.",
+ "items": [
+ {
+ "id": "4.2.1",
+ "question": "Are strong cryptography and security protocols implemented to safeguard PAN during transmission over open, public networks, including only accepting trusted keys/certificates, confirming certificates are valid and not expired or revoked, the protocol supports only secure versions or configurations without fallback to insecure versions, and the encryption strength is appropriate for the encryption methodology in use?",
+ "guidance": "Examine documented policies and inbound and outbound transmissions."
+ },
+ {
+ "id": "4.2.1.1",
+ "question": "Is an inventory of the entity's trusted keys and certificates maintained?",
+ "guidance": "Examine documented policies to verify an inventory of trusted keys and certificates is maintained."
+ },
+ {
+ "id": "4.2.2",
+ "question": "Are PAN secured with strong cryptography whenever sent via end-user messaging technologies (for example, e-mail, instant messaging, SMS, chat)?",
+ "guidance": "Examine policies and procedures."
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "id": "5",
+ "title": "Protect All Systems and Networks from Malicious Software",
+ "objective": "Anti-malware software protects systems from known malware threats.",
+ "controls": [
+ {
+ "id": "5.1",
+ "title": "Processes and mechanisms for protecting all systems and networks from malicious software are defined and understood.",
+ "items": [
+ {
+ "id": "5.1.1",
+ "question": "Are all security policies and operational procedures that are identified in Requirement 5 documented, kept up to date, in use, and known to all affected parties?",
+ "guidance": "Examine documentation and interview personnel."
+ },
+ {
+ "id": "5.1.2",
+ "question": "Are all roles and responsibilities for performing activities in Requirement 5 documented, assigned, and understood?",
+ "guidance": "Examine documentation and interview personnel."
+ }
+ ]
+ },
+ {
+ "id": "5.2",
+ "title": "Malicious software (malware) is prevented, or detected and addressed.",
+ "items": [
+ {
+ "id": "5.2.1",
+ "question": "Is an anti-malware solution(s) deployed on all system components, except for those identified per the targeted risk analysis at Requirement 5.2.3 as not being at risk from malware?",
+ "guidance": "Examine system configurations and interview personnel."
+ },
+ {
+ "id": "5.2.2",
+ "question": "Is the deployed anti-malware solution(s) kept current, performing periodic scans, generating audit logs, actively running, and not able to be disabled or altered by users unless specifically documented and authorized by management for a limited time?",
+ "guidance": "Examine anti-malware configurations, audit logs, and interview personnel."
+ },
+ {
+ "id": "5.2.3",
+ "question": "Are any system components not at risk from malware evaluated periodically to confirm that the anti-malware solution is still not required, and is the evaluation documented?",
+ "guidance": "Examine documentation to verify non-covered system components have been evaluated for malware risk."
+ }
+ ]
+ },
+ {
+ "id": "5.3",
+ "title": "Anti-malware mechanisms and processes are active, maintained, and monitored.",
+ "items": [
+ {
+ "id": "5.3.1",
+ "question": "Is the anti-malware solution(s) kept current via automatic updates?",
+ "guidance": "Examine anti-malware configurations and interview personnel."
+ },
+ {
+ "id": "5.3.2",
+ "question": "Is the anti-malware solution(s) performing periodic scans and active or continuous behavioral analysis?",
+ "guidance": "Examine anti-malware configurations."
+ },
+ {
+ "id": "5.3.3",
+ "question": "For removable electronic media, is a scan performed when the media is inserted, connected, or logically mounted, or is the media blocked from use entirely?",
+ "guidance": "Examine anti-malware configurations."
+ },
+ {
+ "id": "5.3.4",
+ "question": "Are audit logs for the anti-malware solution(s) enabled and retained in accordance with Requirement 10.5.1?",
+ "guidance": "Examine anti-malware configurations."
+ },
+ {
+ "id": "5.3.5",
+ "question": "Are anti-malware mechanisms not alterable by users unless specifically documented and authorized by management on a case-by-case basis for a limited time period?",
+ "guidance": "Examine anti-malware configurations and interview personnel."
+ }
+ ]
+ },
+ {
+ "id": "5.4",
+ "title": "Anti-phishing mechanisms protect users against phishing attacks.",
+ "items": [
+ {
+ "id": "5.4.1",
+ "question": "Are processes and automated mechanisms in place to detect and protect personnel against phishing attacks?",
+ "guidance": "Examine system configurations and interview personnel."
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "id": "8",
+ "title": "Identify Users and Authenticate Access to System Components",
+ "objective": "User identification and authentication controls protect access to the virtual terminal and associated systems.",
+ "controls": [
+ {
+ "id": "8.1",
+ "title": "Processes and mechanisms for identifying users and authenticating access to system components are defined and understood.",
+ "items": [
+ {
+ "id": "8.1.1",
+ "question": "Are all security policies and operational procedures that are identified in Requirement 8 documented, kept up to date, in use, and known to all affected parties?",
+ "guidance": "Examine documentation and interview personnel."
+ },
+ {
+ "id": "8.1.2",
+ "question": "Are all roles and responsibilities for performing activities in Requirement 8 documented, assigned, and understood?",
+ "guidance": "Examine documentation and interview personnel."
+ }
+ ]
+ },
+ {
+ "id": "8.2",
+ "title": "User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle.",
+ "items": [
+ {
+ "id": "8.2.1",
+ "question": "Are all users assigned a unique ID before allowing them to access system components or cardholder data?",
+ "guidance": "Examine procedures and evidence."
+ },
+ {
+ "id": "8.2.2",
+ "question": "Are group, shared, or generic accounts only used when necessary on an exception basis, with use prevented unless needed, use limited to the time needed, business justification documented, use explicitly approved by management, individual user identity confirmed before access granted, and every action attributable to an individual user?",
+ "guidance": "Examine user account lists and interview personnel."
+ },
+ {
+ "id": "8.2.4",
+ "question": "Are additions, deletions, and modifications to user IDs authorized with appropriate approval and implemented with only the specified privileges?",
+ "guidance": "Examine authentication policies and procedures and interview personnel."
+ },
+ {
+ "id": "8.2.5",
+ "question": "Is access for terminated users immediately deactivated or removed?",
+ "guidance": "Examine termination procedures and a sample of recently terminated users."
+ },
+ {
+ "id": "8.2.6",
+ "question": "Are inactive user accounts removed or disabled within 90 days of inactivity?",
+ "guidance": "Examine user accounts and interview personnel."
+ },
+ {
+ "id": "8.2.7",
+ "question": "Are accounts used by third parties to access, support, or maintain system components enabled only when needed and monitored for unexpected activity?",
+ "guidance": "Examine policies and procedures and interview personnel."
+ },
+ {
+ "id": "8.2.8",
+ "question": "If a user session has been idle for more than 15 minutes, is the user required to re-authenticate?",
+ "guidance": "Examine system configuration settings."
+ }
+ ]
+ },
+ {
+ "id": "8.3",
+ "title": "User authentication for users and administrators is established and managed.",
+ "items": [
+ {
+ "id": "8.3.1",
+ "question": "Are all user passwords/passphrases for user access to system components set to meet minimum requirements of at least 12 characters (or eight if the system does not support 12) with both numeric and alphabetic characters?",
+ "guidance": "Examine system configuration settings."
+ },
+ {
+ "id": "8.3.2",
+ "question": "Are strong cryptography used to render all authentication factors unreadable during transmission and storage?",
+ "guidance": "Examine system configuration settings."
+ },
+ {
+ "id": "8.3.4",
+ "question": "Is invalid authentication attempt tracking implemented with account lockout after no more than 10 attempts for a minimum of 30 minutes or until reset by an administrator?",
+ "guidance": "Examine system configuration settings."
+ },
+ {
+ "id": "8.3.6",
+ "question": "Do passwords/passphrases meet minimum complexity requirements upon set or reset?",
+ "guidance": "Examine system configuration settings."
+ },
+ {
+ "id": "8.3.9",
+ "question": "If passwords/passphrases are used as the only authentication factor for user access, are passwords/passphrases changed at least once every 90 days OR is the security posture of accounts dynamically analyzed?",
+ "guidance": "Examine system configuration settings."
+ }
+ ]
+ },
+ {
+ "id": "8.4",
+ "title": "Multi-factor authentication (MFA) is implemented to secure access into the CDE.",
+ "items": [
+ {
+ "id": "8.4.2",
+ "question": "Is MFA implemented for all access into the CDE?",
+ "guidance": "Examine network and system configurations and interview personnel."
+ },
+ {
+ "id": "8.4.3",
+ "question": "Is MFA implemented for all remote network access originating from outside the entity's network that could access or impact the CDE?",
+ "guidance": "Examine network and system configurations and interview personnel."
+ }
+ ]
+ },
+ {
+ "id": "8.6",
+ "title": "Use of application and system accounts and associated authentication factors is strictly managed.",
+ "items": [
+ {
+ "id": "8.6.3",
+ "question": "Are passwords/passphrases for any application and system accounts changed periodically and upon suspicion or confirmation of compromise, and constructed with sufficient complexity?",
+ "guidance": "Examine policies and procedures and interview personnel."
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "id": "9",
+ "title": "Restrict Physical Access to Cardholder Data",
+ "objective": "Physical access to the computer used to access the virtual terminal must be controlled.",
+ "controls": [
+ {
+ "id": "9.1",
+ "title": "Processes and mechanisms for restricting physical access to cardholder data are defined and understood.",
+ "items": [
+ {
+ "id": "9.1.1",
+ "question": "Are all security policies and operational procedures that are identified in Requirement 9 documented, kept up to date, in use, and known to all affected parties?",
+ "guidance": "Examine documentation and interview personnel."
+ },
+ {
+ "id": "9.1.2",
+ "question": "Are all roles and responsibilities for performing activities in Requirement 9 documented, assigned, and understood?",
+ "guidance": "Examine documentation and interview personnel."
+ }
+ ]
+ },
+ {
+ "id": "9.4",
+ "title": "Media with cardholder data is securely accessed, distributed, and destroyed.",
+ "items": [
+ {
+ "id": "9.4.1",
+ "question": "Are all media with cardholder data physically secured?",
+ "guidance": "Examine documentation and observe physical media storage."
+ },
+ {
+ "id": "9.4.6",
+ "question": "Are hard-copy materials with cardholder data destroyed when no longer needed via cross-cut shredding, incineration, or pulping, and are materials stored in secure containers prior to destruction?",
+ "guidance": "Examine the media destruction policy and interview personnel."
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "id": "12",
+ "title": "Support Information Security with Organizational Policies and Programs",
+ "objective": "Organizational policies and programs support the overall security of the virtual terminal merchant environment.",
+ "controls": [
+ {
+ "id": "12.1",
+ "title": "A comprehensive information security policy that governs and provides direction for protection of the entity's information assets is known and current.",
+ "items": [
+ {
+ "id": "12.1.1",
+ "question": "Is an overall information security policy established, published, maintained, and disseminated to all relevant personnel and relevant vendors and business partners?",
+ "guidance": "Examine the information security policy and interview personnel."
+ },
+ {
+ "id": "12.1.2",
+ "question": "Is the information security policy reviewed at least once every 12 months and updated when the environment changes?",
+ "guidance": "Examine the information security policy and interview personnel."
+ },
+ {
+ "id": "12.1.3",
+ "question": "Does the information security policy clearly define roles and responsibilities for all personnel, and do all personnel acknowledge their responsibilities?",
+ "guidance": "Examine the information security policy and interview personnel."
+ },
+ {
+ "id": "12.1.4",
+ "question": "Is responsibility for information security formally assigned to a CISO or other information security knowledgeable member of executive management?",
+ "guidance": "Examine the information security policy and interview personnel."
+ }
+ ]
+ },
+ {
+ "id": "12.2",
+ "title": "Acceptable use policies for end-user technologies are defined and implemented.",
+ "items": [
+ {
+ "id": "12.2.1",
+ "question": "Are acceptable use policies for end-user technologies documented and implemented with explicit approval, defined acceptable uses, and a list of approved products?",
+ "guidance": "Examine the acceptable use policy and interview personnel."
+ }
+ ]
+ },
+ {
+ "id": "12.3",
+ "title": "Risks to the cardholder data environment are formally identified, evaluated, and managed.",
+ "items": [
+ {
+ "id": "12.3.1",
+ "question": "For each PCI DSS requirement that specifies completion of a targeted risk analysis, is the analysis performed and documented including assets, threats, likelihood/impact factors, risk assignment, and a qualified individual performing the analysis?",
+ "guidance": "Examine risk analysis documentation and interview personnel."
+ },
+ {
+ "id": "12.3.3",
+ "question": "Are all cryptographic cipher suites and protocols in use documented and reviewed at least once every 12 months to confirm they remain secure, including an up-to-date inventory with purpose and where used, active monitoring of industry trends, and a documented plan to respond to anticipated changes?",
+ "guidance": "Examine documentation and interview personnel."
+ },
+ {
+ "id": "12.3.4",
+ "question": "Are hardware and software technologies reviewed at least once every 12 months to confirm they continue to receive security fixes and support the entity's PCI DSS requirements?",
+ "guidance": "Examine documentation and interview personnel."
+ }
+ ]
+ },
+ {
+ "id": "12.5",
+ "title": "PCI DSS scope is documented and validated.",
+ "items": [
+ {
+ "id": "12.5.1",
+ "question": "Is an inventory of system components that are in scope for PCI DSS maintained, including a description of function/use?",
+ "guidance": "Examine system component inventory documentation."
+ },
+ {
+ "id": "12.5.2",
+ "question": "Is PCI DSS scope documented and confirmed at least once every 12 months and upon significant change, including all account data locations and flows, all applicable PCI DSS requirements, all CDE system components, and all segmentation controls?",
+ "guidance": "Examine documentation and interview personnel."
+ }
+ ]
+ },
+ {
+ "id": "12.6",
+ "title": "Security awareness education is an ongoing activity.",
+ "items": [
+ {
+ "id": "12.6.1",
+ "question": "Is a formal security awareness program implemented to make all personnel aware of the entity's information security policy and procedures and their role in protecting cardholder data?",
+ "guidance": "Examine the security awareness program."
+ },
+ {
+ "id": "12.6.2",
+ "question": "Is the security awareness program reviewed at least once every 12 months and updated as needed to address new threats or vulnerabilities?",
+ "guidance": "Examine the security awareness program and interview personnel."
+ },
+ {
+ "id": "12.6.3",
+ "question": "Are personnel trained upon hire and at least once every 12 months covering awareness of threats, acceptable use policies, and personnel roles in protecting cardholder data?",
+ "guidance": "Examine security awareness training records and interview personnel."
+ },
+ {
+ "id": "12.6.3.1",
+ "question": "Does security awareness training include awareness of threats and vulnerabilities that could impact the security of the CDE, including phishing and related attacks?",
+ "guidance": "Examine training content."
+ },
+ {
+ "id": "12.6.3.2",
+ "question": "Does security awareness training include awareness of the acceptable use policy for end-user technologies as specified in Requirement 12.2.1?",
+ "guidance": "Examine training content."
+ }
+ ]
+ },
+ {
+ "id": "12.8",
+ "title": "Risk to information assets associated with third-party service provider (TPSP) relationships is managed.",
+ "items": [
+ {
+ "id": "12.8.1",
+ "question": "Is a list of all TPSPs maintained with which account data is shared or that could affect the security of account data, including a description of services provided?",
+ "guidance": "Examine the list of TPSPs."
+ },
+ {
+ "id": "12.8.2",
+ "question": "Are written agreements with all TPSPs maintained that include acknowledgment of TPSP responsibility for account data security?",
+ "guidance": "Examine written agreements with TPSPs."
+ },
+ {
+ "id": "12.8.3",
+ "question": "Is an established process implemented for engaging TPSPs, including proper due diligence prior to engagement?",
+ "guidance": "Examine policies and procedures and interview personnel."
+ },
+ {
+ "id": "12.8.4",
+ "question": "Is a program implemented to monitor TPSPs' PCI DSS compliance status at least once every 12 months?",
+ "guidance": "Examine documentation."
+ },
+ {
+ "id": "12.8.5",
+ "question": "Is information maintained about which PCI DSS requirements are managed by each TPSP, which by the entity, and any that are shared?",
+ "guidance": "Examine documentation."
+ }
+ ]
+ },
+ {
+ "id": "12.10",
+ "title": "Suspected and confirmed security incidents that could impact the CDE are responded to immediately.",
+ "items": [
+ {
+ "id": "12.10.1",
+ "question": "Is an incident response plan created and implemented covering roles, responsibilities, communication strategies, containment and mitigation activities, business recovery, data backup, legal requirements, critical system coverage, and payment brand procedures?",
+ "guidance": "Examine the incident response plan and interview personnel."
+ },
+ {
+ "id": "12.10.2",
+ "question": "Is the incident response plan reviewed and tested at least once every 12 months?",
+ "guidance": "Examine the incident response plan and testing documentation."
+ },
+ {
+ "id": "12.10.3",
+ "question": "Are specific personnel designated to be available on a 24/7 basis to respond to suspected or confirmed security incidents?",
+ "guidance": "Examine policies and procedures and interview personnel."
+ },
+ {
+ "id": "12.10.4",
+ "question": "Is personnel appropriate to respond to a suspected or confirmed security incident trained at least once every 12 months?",
+ "guidance": "Examine training documentation."
+ },
+ {
+ "id": "12.10.4.1",
+ "question": "Is the frequency of periodic training for incident response personnel defined in the entity's targeted risk analysis?",
+ "guidance": "Examine the entity's targeted risk analysis."
+ },
+ {
+ "id": "12.10.5",
+ "question": "Is the incident response plan modified and evolved according to lessons learned and to incorporate industry developments?",
+ "guidance": "Examine the incident response plan and interview personnel."
+ },
+ {
+ "id": "12.10.7",
+ "question": "Are incident response procedures in place to be initiated upon detection of stored PAN anywhere it is not expected, including determining what to do if PAN is discovered outside the CDE, root-cause analysis, and remediation of data leaks or process gaps?",
+ "guidance": "Examine incident response procedures."
+ }
+ ]
+ }
+ ]
+ }
+ ]
+} \ No newline at end of file
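Review bot: Item 2.2.3 (L66) carries exactly the same question text as 2.2.7 (L86), "Is all non-console administrative access encrypted using strong cryptography?", so the questionnaire asks one control twice and never asks the control that PCI DSS v4.0 actually numbers 2.2.3 (management of primary functions requiring different security levels on the same system component); a merchant filling this in would get a "pass" on 2.2.3 without ever being asked about it. Either replace the 2.2.3 question with the correct requirement text or, if SAQ C-VT does not include 2.2.3 at all, drop the entry — please verify against the SAQ C-VT v4.0 document rather than against memory. The same kind of duplication appears in 5.2.2 (L203), whose question is a concatenation of the points 5.3.1–5.3.5 already ask individually, so it should be reduced to what 5.2.2 itself covers. Two smaller points: the `"version": "PCI DSS v4.0"` label at L25 may need to say v4.0.1, since v4.0 has been superseded and a self-assessment bound to the retired revision is misleading; and the file should end with a newline (L603 shows none).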