{ "id": "saq_a", "name": "SAQ A", "version": "PCI DSS v4.0", "description": "For card-not-present merchants (e-commerce, mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers.", "applicability": "This SAQ applies to merchants where all payment processing is handled by a third-party service provider and the merchant does not electronically store, process, or transmit any cardholder data on merchant systems or premises.", "requirements": [ { "id": "2", "title": "Apply Secure Configurations to All System Components", "objective": "For SAQ A, Requirement 2 applies only to ensuring that any systems used to administer or access the outsourced payment environment use encrypted non-console administrative access.", "controls": [ { "id": "2.2", "title": "System components are configured and managed securely.", "items": [ { "id": "2.2.7", "question": "Is all non-console administrative access encrypted using strong cryptography?", "guidance": "Examine system configuration settings and interview personnel to verify that all non-console administrative access is encrypted with strong cryptography." 
} ] } ] }, { "id": "4", "title": "Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks", "objective": "Verify that the outsourced payment page uses strong cryptography to protect cardholder data during transmission.", "controls": [ { "id": "4.2", "title": "PAN is protected with strong cryptography during transmission.", "items": [ { "id": "4.2.1", "question": "Are strong cryptography and security protocols implemented to safeguard PAN during transmission over open, public networks as follows:\n• Only trusted keys/certificates are accepted.\n• Certificates are confirmed as valid and not expired or revoked.\n• The protocol supports only secure versions or configurations without fallback to insecure versions.\n• The encryption strength is appropriate for the encryption methodology in use.", "guidance": "Examine documented policies and verify that the third-party payment page uses strong cryptography for all PAN transmissions." }, { "id": "4.2.1.1", "question": "Is an inventory of the entity's trusted keys and certificates maintained?", "guidance": "Examine documented policies and procedures to verify processes are in place to maintain an inventory of trusted keys and certificates." 
} ] } ] }, { "id": "8", "title": "Identify Users and Authenticate Access to System Components", "objective": "For SAQ A, Requirement 8 applies to management of accounts that can access the cardholder data environment administered by the third-party service provider.", "controls": [ { "id": "8.2", "title": "User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle.", "items": [ { "id": "8.2.2", "question": "Are group, shared, or generic accounts, or other shared authentication credentials only used when necessary on an exception basis, and are they managed as follows:\n• Account use is prevented unless needed for an exceptional circumstance.\n• Use is limited to the time needed for the exceptional circumstance.\n• Business justification is documented.\n• Use is explicitly approved by management.\n• Individual user identity is confirmed before access to an account is granted.\n• Every action taken is attributable to an individual user.", "guidance": "Examine user account lists and interview personnel to verify shared/group accounts are managed per requirements." } ] }, { "id": "8.3", "title": "User authentication for users and administrators is established and managed.", "items": [ { "id": "8.3.10", "question": "Additional requirement for service providers only: If passwords/passphrases are used as the only authentication factor for customer user access to cardholder data, is guidance provided to customers regarding changing their passwords/passphrases at a minimum annually?", "guidance": "This requirement applies only to service providers." 
}, { "id": "8.3.10.1", "question": "Additional requirement for service providers only: If passwords/passphrases are used as the only authentication factor for customer user access, are customer passwords/passphrases changed at least once every 90 days or is the security posture of accounts dynamically analyzed?", "guidance": "This requirement applies only to service providers." } ] }, { "id": "8.6", "title": "Use of application and system accounts and associated authentication factors is strictly managed.", "items": [ { "id": "8.6.3", "question": "Are passwords/passphrases for any application and system accounts protected against misuse as follows:\n• Passwords/passphrases are changed periodically (at the frequency defined in the entity's targeted risk analysis) and upon suspicion or confirmation of compromise.\n• Passwords/passphrases are constructed with sufficient complexity appropriate for how frequently the credential is rotated.", "guidance": "Examine policies and procedures and interview personnel to verify application and system account passwords are changed periodically and constructed with sufficient complexity." 
} ] } ] }, { "id": "9", "title": "Restrict Physical Access to Cardholder Data", "objective": "For SAQ A merchants with POI devices, physical protection of those devices is required.", "controls": [ { "id": "9.5", "title": "Point-of-interaction (POI) devices are protected from tampering and unauthorized substitution.", "items": [ { "id": "9.5.1", "question": "Are POI devices that capture payment card data via direct physical interaction with the payment card form factor protected from tampering and unauthorized substitution, including the following:\n• Maintaining a list of POI devices.\n• Periodically inspecting POI devices to look for tampering or unauthorized substitution.\n• Training personnel to be aware of suspicious behavior and to report tampering or unauthorized substitution of devices.", "guidance": "Examine documented policies and procedures and interview responsible personnel to verify POI devices are protected from tampering and unauthorized substitution." }, { "id": "9.5.1.1", "question": "Is the list of POI devices maintained, and does it include the following:\n• Make and model of the device.\n• Location of device (for example, the address of the site or facility where the device is located).\n• Device serial number or other method of unique identification.", "guidance": "Examine the list of POI devices and interview personnel to verify the list includes make, model, location, and serial number or other unique identification." }, { "id": "9.5.1.2", "question": "Are POI device surfaces periodically inspected to detect tampering and unauthorized substitution, with the frequency of inspections defined in the entity's targeted risk analysis, and are all POI devices inspected?", "guidance": "Examine documented procedures and interview personnel to verify POI devices are periodically inspected." 
}, { "id": "9.5.1.2.1", "question": "Are inspections of POI devices performed at the frequency defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1?", "guidance": "Examine the entity's targeted risk analysis for the frequency of POI device inspections and compare to documented evidence of inspections." }, { "id": "9.5.1.3", "question": "Is training provided to personnel to be aware of attempted tampering or replacement of POI devices, and does the training include the following:\n• Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices.\n• Do not install, replace, or return devices without verification.\n• Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices).\n• Report suspicious behavior and indications of device tampering or substitution to appropriate personnel.", "guidance": "Examine training materials and interview personnel to verify training covers awareness of POI device tampering and unauthorized substitution." } ] } ] }, { "id": "12", "title": "Support Information Security with Organizational Policies and Programs", "objective": "Organizational policies and programs support the overall security posture and management of third-party service provider relationships.", "controls": [ { "id": "12.1", "title": "A comprehensive information security policy that governs and provides direction for protection of the entity's information assets is known and current.", "items": [ { "id": "12.1.1", "question": "Is an overall information security policy established, published, maintained, and disseminated to all relevant personnel, as well as to relevant vendors and business partners?", "guidance": "Examine the information security policy and interview personnel." 
}, { "id": "12.1.2", "question": "Is the information security policy reviewed at least once every 12 months and updated when the environment changes?", "guidance": "Examine the information security policy and interview personnel." }, { "id": "12.1.3", "question": "Does the information security policy clearly define information security roles and responsibilities for all personnel, and do all personnel understand and acknowledge their information security responsibilities?", "guidance": "Examine the information security policy and interview personnel." }, { "id": "12.1.4", "question": "Is responsibility for information security formally assigned to a Chief Information Security Officer or other information security knowledgeable member of executive management?", "guidance": "Examine the information security policy and interview personnel." } ] }, { "id": "12.2", "title": "Acceptable use policies for end-user technologies are defined and implemented.", "items": [ { "id": "12.2.1", "question": "Are acceptable use policies for end-user technologies documented and implemented as follows:\n• Explicit approval by authorized parties is required.\n• Acceptable uses of the technology are defined.\n• A list of products approved by the company for employee use, including hardware and software.", "guidance": "Examine the acceptable use policy and interview personnel." 
} ] }, { "id": "12.3", "title": "Risks to the cardholder data environment are formally identified, evaluated, and managed.", "items": [ { "id": "12.3.1", "question": "For each PCI DSS requirement that specifies completion of a targeted risk analysis, is the analysis performed and documented to include:\n• Identifies the assets being protected.\n• Identifies the threat(s) that the requirement is protecting against.\n• Identifies factors that contribute to the likelihood and/or impact of a threat being realized.\n• The resulting analysis assigns a level of risk (high, medium, or low).\n• The risk analysis is performed by a qualified individual.", "guidance": "Examine risk analysis documentation and interview personnel." } ] }, { "id": "12.5", "title": "PCI DSS scope is documented and validated.", "items": [ { "id": "12.5.1", "question": "Is an inventory of system components that are in scope for PCI DSS maintained, including a description of function/use?", "guidance": "Examine system component inventory documentation and interview personnel." }, { "id": "12.5.2", "question": "Is PCI DSS scope documented and confirmed by the entity at least once every 12 months and upon significant change to the in-scope environment, including identifying all locations and flows of account data, confirming that all applicable PCI DSS requirements are applied, and identifying all system components in the CDE and all segmentation controls and their effectiveness?", "guidance": "Examine documentation and interview personnel." } ] }, { "id": "12.6", "title": "Security awareness education is an ongoing activity.", "items": [ { "id": "12.6.1", "question": "Is a formal security awareness program implemented to make all personnel aware of the entity's information security policy and procedures and their role in protecting cardholder data?", "guidance": "Examine the security awareness program to verify it is implemented." 
}, { "id": "12.6.2", "question": "Is the security awareness program reviewed at least once every 12 months and updated as needed to address new threats or vulnerabilities?", "guidance": "Examine the security awareness program and interview personnel." }, { "id": "12.6.3", "question": "Are personnel trained upon hire and at least once every 12 months covering awareness of threats, acceptable use policies, and personnel roles in protecting cardholder data?", "guidance": "Examine security awareness training records and interview personnel." }, { "id": "12.6.3.1", "question": "Does security awareness training include awareness of threats and vulnerabilities that could impact the security of the CDE, including phishing and related attacks?", "guidance": "Examine security awareness training content." }, { "id": "12.6.3.2", "question": "Does security awareness training include awareness of the acceptable use policy for end-user technologies as specified in Requirement 12.2.1?", "guidance": "Examine security awareness training content." } ] }, { "id": "12.8", "title": "Risk to information assets associated with third-party service provider (TPSP) relationships is managed.", "items": [ { "id": "12.8.1", "question": "Is a list of all third-party service providers (TPSPs) maintained with which account data is shared or that could affect the security of account data, including a description of the service(s) provided?", "guidance": "Examine policies and procedures and the list of TPSPs." }, { "id": "12.8.2", "question": "Are written agreements with all TPSPs maintained to include an acknowledgment by TPSPs that they are responsible for the security of account data the TPSPs possess or otherwise store, process, or transmit on behalf of the entity?", "guidance": "Examine written agreements with TPSPs." 
}, { "id": "12.8.3", "question": "Is an established process implemented for engaging TPSPs, including proper due diligence prior to engagement?", "guidance": "Examine policies and procedures and interview personnel." }, { "id": "12.8.4", "question": "Is a program implemented to monitor TPSPs' PCI DSS compliance status at least once every 12 months?", "guidance": "Examine documentation and interview personnel." }, { "id": "12.8.5", "question": "Is information maintained about which PCI DSS requirements are managed by each TPSP, which are managed by the entity, and any that are shared?", "guidance": "Examine documentation." } ] }, { "id": "12.9", "title": "Third-party service providers (TPSPs) support their customers' PCI DSS compliance.", "items": [ { "id": "12.9.1", "question": "Additional requirement for service providers only: Is there a written acknowledgment provided to customers that TPSPs are responsible for the security of account data that the TPSP possesses or otherwise stores, processes, or transmits on behalf of the entity?", "guidance": "This requirement applies only to service providers." }, { "id": "12.9.2", "question": "Additional requirement for service providers only: Are TPSPs supporting the PCI DSS compliance of their customers by providing the status of relevant PCI DSS requirements upon request and sufficient information about the PCI DSS requirements for which they are responsible?", "guidance": "This requirement applies only to service providers." 
} ] }, { "id": "12.10", "title": "Suspected and confirmed security incidents that could impact the CDE are responded to immediately.", "items": [ { "id": "12.10.1", "question": "Is an incident response plan created and implemented to be initiated in the event of a system breach, and does the plan address the following:\n• Roles, responsibilities, and communication and contact strategies in the event of a suspected or confirmed compromise, including notification of payment brands and acquirers.\n• Incident response procedures with specific containment and mitigation activities.\n• Business recovery and continuity procedures.\n• Data backup processes.\n• Analysis of legal requirements for reporting compromises.\n• Coverage and responses of all critical system components.\n• Reference or inclusion of incident response procedures from payment brands.", "guidance": "Examine the incident response plan and interview personnel." }, { "id": "12.10.2", "question": "Is the incident response plan reviewed and tested at least once every 12 months?", "guidance": "Examine the incident response plan and testing documentation." }, { "id": "12.10.3", "question": "Are specific personnel designated to be available on a 24/7 basis to respond to suspected or confirmed security incidents?", "guidance": "Examine policies and procedures and interview personnel." }, { "id": "12.10.4", "question": "Are personnel who are appropriate to respond to a suspected or confirmed security incident trained at least once every 12 months?", "guidance": "Examine training documentation and interview personnel." }, { "id": "12.10.4.1", "question": "Is the frequency of periodic training for incident response personnel defined in the entity's targeted risk analysis?", "guidance": "Examine the entity's targeted risk analysis." 
}, { "id": "12.10.5", "question": "Is the incident response plan modified and evolved according to lessons learned and to incorporate industry developments?", "guidance": "Examine the incident response plan and interview personnel." }, { "id": "12.10.7", "question": "Are incident response procedures in place to be initiated upon detection of stored PAN anywhere it is not expected, including determining what to do if PAN is discovered outside the CDE, root-cause analysis, and remediation of data leaks or process gaps?", "guidance": "Examine incident response procedures." } ] } ] } ] }