{
"id": "saq_b",
"name": "SAQ B",
"version": "PCI DSS v4.0",
"description": "For merchants using only imprint machines with no electronic cardholder data storage, or standalone, dial-out terminals with no electronic cardholder data storage and not connected to any other systems or networks.",
"applicability": "This SAQ applies to merchants that process cardholder data only via imprint machines or standalone dial-out (PSTN) terminals. These merchants do not transmit cardholder data over the Internet or any IP-based networks. No electronic storage of cardholder data occurs.",
"requirements": [
{
"id": "2",
"title": "Apply Secure Configurations to All System Components",
"objective": "For SAQ B, Requirement 2 applies to any system components in use, including the dial-out terminals and any associated systems.",
"controls": [
{
"id": "2.1",
"title": "Processes and mechanisms for applying secure configurations to all system components are defined and understood.",
"items": [
{
"id": "2.1.1",
"question": "Are all security policies and operational procedures that are identified in Requirement 2 documented, kept up to date, in use, and known to all affected parties?",
"guidance": "Examine documentation and interview personnel."
},
{
"id": "2.1.2",
"question": "Are all roles and responsibilities for performing activities in Requirement 2 documented, assigned, and understood?",
"guidance": "Examine documentation and interview personnel."
}
]
},
{
"id": "2.2",
"title": "System components are configured and managed securely.",
"items": [
{
"id": "2.2.2",
"question": "Are vendor default accounts managed as follows:\n• If the vendor default account(s) will be used, the default password is changed.\n• If the vendor default account(s) will not be used, the account is removed or disabled.",
"guidance": "Examine system configuration standards and interview personnel."
}
]
}
]
},
{
"id": "3",
"title": "Protect Stored Account Data",
"objective": "Sensitive authentication data must not be stored after authorization.",
"controls": [
{
"id": "3.2",
"title": "Storage of account data is kept to a minimum.",
"items": [
{
"id": "3.2.1",
"question": "Are the full contents of any track, card verification codes/values, and PINs not stored after authorization, even if encrypted?",
"guidance": "Examine data sources, including paper-based records, to verify that sensitive authentication data is not stored after authorization."
}
]
}
]
},
{
"id": "9",
"title": "Restrict Physical Access to Cardholder Data",
"objective": "Physical security is critical for SAQ B merchants as paper-based cardholder data and physical terminals must be protected.",
"controls": [
{
"id": "9.1",
"title": "Processes and mechanisms for restricting physical access to cardholder data are defined and understood.",
"items": [
{
"id": "9.1.1",
"question": "Are all security policies and operational procedures that are identified in Requirement 9 documented, kept up to date, in use, and known to all affected parties?",
"guidance": "Examine documentation and interview personnel."
},
{
"id": "9.1.2",
"question": "Are all roles and responsibilities for performing activities in Requirement 9 documented, assigned, and understood?",
"guidance": "Examine documentation and interview personnel."
}
]
},
{
"id": "9.3",
"title": "Physical access for personnel and visitors is authorized and managed.",
"items": [
{
"id": "9.3.1",
"question": "Is all physical access by personnel to the CDE authorized before being granted and revoked immediately upon termination?",
"guidance": "Examine lists of personnel with physical access and interview personnel responsible for granting access."
},
{
"id": "9.3.1.1",
"question": "Is access to the CDE by visitors authorized and managed as follows:\n• Visitors are authorized before entering areas where cardholder data is processed or maintained.\n• Visitors are escorted at all times within areas where cardholder data is processed or maintained.\n• Visitors are clearly identified and distinguished from personnel.",
"guidance": "Observe procedures for visitor access and examine visitor logs."
}
]
},
{
"id": "9.4",
"title": "Media with cardholder data is securely accessed, distributed, and destroyed.",
"items": [
{
"id": "9.4.1",
"question": "Are all media with cardholder data physically secured?",
"guidance": "Examine documentation and observe physical media storage."
},
{
"id": "9.4.2",
"question": "Are all media with cardholder data classified in accordance with the sensitivity of the data?",
"guidance": "Examine documentation and observe media classification."
},
{
"id": "9.4.3",
"question": "Is media with cardholder data sent by secured courier or other delivery method that can be accurately tracked?",
"guidance": "Examine documentation and interview personnel."
},
{
"id": "9.4.4",
"question": "Is management approval obtained prior to moving media with cardholder data from a secured area?",
"guidance": "Examine documentation and interview personnel."
},
{
"id": "9.4.6",
"question": "Are hard-copy materials with cardholder data destroyed when no longer needed via cross-cut shredding, incineration, or pulping, and are materials stored in secure containers prior to destruction?",
"guidance": "Examine the media destruction policy and interview personnel."
}
]
},
{
"id": "9.5",
"title": "Point-of-interaction (POI) devices are protected from tampering and unauthorized substitution.",
"items": [
{
"id": "9.5.1",
"question": "Are POI devices that capture payment card data protected from tampering and unauthorized substitution, including:\n• Maintaining a list of POI devices.\n• Periodically inspecting POI devices to look for tampering or unauthorized substitution.\n• Training personnel to be aware of suspicious behavior and to report tampering or unauthorized substitution of devices.",
"guidance": "Examine documented policies and procedures and interview responsible personnel."
},
{
"id": "9.5.1.1",
"question": "Is the list of POI devices maintained, and does it include make and model, location, and device serial number or other method of unique identification?",
"guidance": "Examine the list of POI devices and interview personnel."
},
{
"id": "9.5.1.2",
"question": "Are POI device surfaces periodically inspected to detect tampering and unauthorized substitution at the frequency defined in the entity's targeted risk analysis, and are all POI devices inspected?",
"guidance": "Examine documented procedures and interview personnel."
},
{
"id": "9.5.1.2.1",
"question": "Are inspections of POI devices performed at the frequency defined in the entity's targeted risk analysis?",
"guidance": "Examine the entity's targeted risk analysis and compare to documented inspection evidence."
},
{
"id": "9.5.1.3",
"question": "Is training provided to personnel to be aware of attempted tampering or replacement of POI devices, including verifying third-party identities, not installing/replacing/returning devices without verification, reporting suspicious behavior, and recognizing tampering indicators?",
"guidance": "Examine training materials and interview personnel."
}
]
}
]
},
{
"id": "11",
"title": "Test Security of Systems and Networks Regularly",
"objective": "For SAQ B, Requirement 11 applies to testing for unauthorized wireless access points.",
"controls": [
{
"id": "11.1",
"title": "Processes and mechanisms for regularly testing security of systems and networks are defined and understood.",
"items": [
{
"id": "11.1.1",
"question": "Are all security policies and operational procedures that are identified in Requirement 11 documented, kept up to date, in use, and known to all affected parties?",
"guidance": "Examine documentation and interview personnel."
},
{
"id": "11.1.2",
"question": "Are all roles and responsibilities for performing activities in Requirement 11 documented, assigned, and understood?",
"guidance": "Examine documentation and interview personnel."
}
]
},
{
"id": "11.2",
"title": "Wireless access points are identified and monitored, and unauthorized wireless access points are addressed.",
"items": [
{
"id": "11.2.1",
"question": "Are authorized and unauthorized wireless access points managed by testing for their presence at least once every three months or via automatic monitoring, and are all detected unauthorized access points responded to using the incident response plan?",
"guidance": "Examine policies and procedures and interview responsible personnel."
},
{
"id": "11.2.2",
"question": "Is an inventory of authorized wireless access points maintained with documented business justification for each?",
"guidance": "Examine the inventory of authorized wireless access points."
}
]
}
]
},
{
"id": "12",
"title": "Support Information Security with Organizational Policies and Programs",
"objective": "Organizational policies and programs support the overall security posture for the SAQ B merchant environment.",
"controls": [
{
"id": "12.1",
"title": "A comprehensive information security policy that governs and provides direction for protection of the entity's information assets is known and current.",
"items": [
{
"id": "12.1.1",
"question": "Is an overall information security policy established, published, maintained, and disseminated to all relevant personnel and relevant vendors and business partners?",
"guidance": "Examine the information security policy and interview personnel."
},
{
"id": "12.1.2",
"question": "Is the information security policy reviewed at least once every 12 months and updated when the environment changes?",
"guidance": "Examine the information security policy and interview personnel."
},
{
"id": "12.1.3",
"question": "Does the information security policy clearly define roles and responsibilities for all personnel, and do all personnel acknowledge their responsibilities?",
"guidance": "Examine the information security policy and interview personnel."
},
{
"id": "12.1.4",
"question": "Is responsibility for information security formally assigned to a CISO or other information security knowledgeable member of executive management?",
"guidance": "Examine the information security policy and interview personnel."
}
]
},
{
"id": "12.2",
"title": "Acceptable use policies for end-user technologies are defined and implemented.",
"items": [
{
"id": "12.2.1",
"question": "Are acceptable use policies for end-user technologies documented and implemented with explicit approval, defined acceptable uses, and a list of approved products?",
"guidance": "Examine the acceptable use policy and interview personnel."
}
]
},
{
"id": "12.3",
"title": "Risks to the cardholder data environment are formally identified, evaluated, and managed.",
"items": [
{
"id": "12.3.1",
"question": "For each PCI DSS requirement that specifies completion of a targeted risk analysis, is the analysis performed and documented including assets, threats, likelihood/impact factors, risk assignment, and a qualified individual performing the analysis?",
"guidance": "Examine risk analysis documentation."
}
]
},
{
"id": "12.5",
"title": "PCI DSS scope is documented and validated.",
"items": [
{
"id": "12.5.1",
"question": "Is an inventory of system components that are in scope for PCI DSS maintained, including a description of function/use?",
"guidance": "Examine system component inventory documentation."
},
{
"id": "12.5.2",
"question": "Is PCI DSS scope documented and confirmed at least once every 12 months and upon significant change, including all account data locations and flows?",
"guidance": "Examine documentation and interview personnel."
}
]
},
{
"id": "12.6",
"title": "Security awareness education is an ongoing activity.",
"items": [
{
"id": "12.6.1",
"question": "Is a formal security awareness program implemented to make all personnel aware of the entity's information security policy and procedures and their role in protecting cardholder data?",
"guidance": "Examine the security awareness program."
},
{
"id": "12.6.2",
"question": "Is the security awareness program reviewed at least once every 12 months and updated as needed to address new threats or vulnerabilities?",
"guidance": "Examine the security awareness program and interview personnel."
},
{
"id": "12.6.3",
"question": "Are personnel trained upon hire and at least once every 12 months covering awareness of threats, acceptable use policies, and personnel roles in protecting cardholder data?",
"guidance": "Examine security awareness training records and interview personnel."
},
{
"id": "12.6.3.1",
"question": "Does security awareness training include awareness of threats and vulnerabilities that could impact the security of the CDE, including phishing and related attacks?",
"guidance": "Examine training content."
}
]
},
{
"id": "12.7",
"title": "Personnel are screened to reduce risks from insider threats.",
"items": [
{
"id": "12.7.1",
"question": "Are potential personnel who will have access to the CDE screened within the constraints of local laws prior to hire to minimize the risk of attacks from internal sources?",
"guidance": "Examine hiring policies and procedures and interview personnel."
}
]
},
{
"id": "12.8",
"title": "Risk to information assets associated with third-party service provider (TPSP) relationships is managed.",
"items": [
{
"id": "12.8.1",
"question": "Is a list of all TPSPs maintained with which account data is shared or that could affect the security of account data, including a description of services provided?",
"guidance": "Examine the list of TPSPs."
},
{
"id": "12.8.2",
"question": "Are written agreements with all TPSPs maintained that include acknowledgment of TPSP responsibility for account data security?",
"guidance": "Examine written agreements with TPSPs."
},
{
"id": "12.8.3",
"question": "Is an established process implemented for engaging TPSPs, including proper due diligence prior to engagement?",
"guidance": "Examine policies and procedures and interview personnel."
},
{
"id": "12.8.4",
"question": "Is a program implemented to monitor TPSPs' PCI DSS compliance status at least once every 12 months?",
"guidance": "Examine documentation."
},
{
"id": "12.8.5",
"question": "Is information maintained about which PCI DSS requirements are managed by each TPSP, which by the entity, and any that are shared?",
"guidance": "Examine documentation."
}
]
},
{
"id": "12.10",
"title": "Suspected and confirmed security incidents that could impact the CDE are responded to immediately.",
"items": [
{
"id": "12.10.1",
"question": "Is an incident response plan created and implemented covering roles, responsibilities, communication strategies, containment activities, business recovery, data backup, legal requirements, and critical system coverage?",
"guidance": "Examine the incident response plan and interview personnel."
},
{
"id": "12.10.2",
"question": "Is the incident response plan reviewed and tested at least once every 12 months?",
"guidance": "Examine the incident response plan and testing documentation."
},
{
"id": "12.10.3",
"question": "Are specific personnel designated to be available on a 24/7 basis to respond to suspected or confirmed security incidents?",
"guidance": "Examine policies and procedures and interview personnel."
},
{
"id": "12.10.4",
"question": "Are the personnel who respond to a suspected or confirmed security incident appropriately trained at least once every 12 months?",
"guidance": "Examine training documentation."
},
{
"id": "12.10.5",
"question": "Is the incident response plan modified and evolved according to lessons learned and industry developments?",
"guidance": "Examine the incident response plan and interview personnel."
}
]
}
]
}
]
}