
Payment Card Industry (PCI) Data Security Standard
Report on Compliance
Template for Report on Compliance for use with PCI DSS v3.1
Revision 1.0
April 2015

Document Changes

Date | Version | Description
February 2014 | PCI DSS 3.0, Revision 1.0 | To introduce the template for submitting Reports on Compliance.
July 2014 | PCI DSS 3.0, Revision 1.1 | Errata - Minor edits made to address typos and general errors, slight addition of content.
April 2015 | PCI DSS 3.1, Revision 1.0 | Revision to align with changes from PCI DSS 3.0 to PCI DSS 3.1 (see PCI DSS – Summary of Changes from PCI DSS Version 3.0 to 3.1 for details of those changes). Also includes minor edits made for clarification and/or format.

This document is intended for use with version 3.0 of the PCI Data Security Standard.

PCI DSS Template for Report on Compliance for use with PCI DSS v3.1, Revision 1.0. 2015 PCI Security Standards Council, LLC. All Rights Reserved. April 2015. Page i

Table of Contents

Document Changes ... i
Introduction to the ROC Template ... 1
ROC Template for PCI Data Security Standard v3.1
1. Contact Information and Report Date ... 8
    Contact information ... 8
    Date and timeframe of assessment ... 9
    PCI DSS version ... 9
    Additional services provided by QSA company ... 9
2. Summary Overview ... 10
    Description of the entity’s payment card business ... 10
    High-level network diagram(s) ... 10
3. Description of Scope of Work and Approach Taken ... 11
    Assessor’s validation of defined cardholder data environment and scope accuracy ... 11
    Cardholder Data Environment (CDE) overview ... 11
    Network segmentation ... 12
    Network segment details ... 13
    Connected entities for processing ... 13
    Other business entities that require compliance with the PCI DSS ... 14
    Wireless summary ... 14
    Wireless details ... 15
4. Details about Reviewed Environment ... 16
    Detailed network diagram(s) ... 16
    Description of cardholder data flows ... 16
    Cardholder data storage ... 17
    Critical hardware in use in the cardholder data environment ... 17
    Critical software in use in the cardholder data environment ... 17
    Sampling ... 18
    Sample sets for reporting ... 19
    Service providers and other third parties with which the entity shares cardholder data ... 19
    Third-party payment applications/solutions ... 20
    Documentation reviewed ... 21
    Individuals interviewed ... 21
    Managed service providers ... 21
    Disclosure summary for “In Place with Compensating Control” responses ... 22
    Disclosure summary for “Not Tested” responses ... 22

5. Quarterly Scan Results ... 23
    5.1 Quarterly scan results – initial PCI DSS compliance validation ... 23
    5.2 Quarterly scan results – all other PCI DSS compliance validation ... 24
    5.3 Attestations of scan compliance ... 24
6. Findings and Observations ... 25
    Build and Maintain a Secure Network and Systems ... 25
        Requirement 1: Install and maintain a firewall configuration to protect cardholder data ... 25
        Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters ... 36
    Protect Stored Cardholder Data ... 50
        Requirement 3: Protect stored cardholder data ... 50
        Requirement 4: Encrypt transmission of cardholder data across open, public networks ... 67
    Maintain a Vulnerability Management Program ... 73
        Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs ... 73
        Requirement 6: Develop and maintain secure systems and applications ... 77
    Implement Strong Access Control Measures ... 97
        Requirement 7: Restrict access to cardholder data by business need to know ... 97
        Requirement 8: Identify and authenticate access to system components ... 101
        Requirement 9: Restrict physical access to cardholder data ... 117
    Regularly Monitor and Test Networks ... 131
        Requirement 10: Track and monitor all access to network resources and cardholder data ... 131
        Requirement 11: Regularly test security systems and processes ... 146
    Maintain an Information Security Policy ... 165
        Requirement 12: Maintain a policy that addresses information security for all personnel ... 165
Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers ... 184
Appendix B: Compensating Controls ... 191
Appendix C: Compensating Controls Worksheet ... 192
Appendix D: Segmentation and Sampling of Business Facilities/System Components ... 194

Introduction to the ROC Template

This document, the PCI DSS Template for Report on Compliance for use with PCI DSS v3.1, Revision 1.0 (“ROC Reporting Template”), is the mandatory template for Qualified Security Assessors (QSAs) completing a Report on Compliance (ROC) for assessments against the PCI DSS Requirements and Security Assessment Procedures v3.1. The ROC Reporting Template provides reporting instructions and the template for QSAs to use. This can help provide reasonable assurance that a consistent level of reporting is present among assessors.

Use of this Reporting Template is mandatory for all v3.1 submissions.

Tables have been included in this template to facilitate the reporting process for certain lists and other information as appropriate. The tables in this template may be modified to increase/decrease the number of rows, or to change column width. Additional appendices may be added if the assessor feels there is relevant information to be included that is not addressed in the current format. However, the assessor must not remove any details from the tables provided in this document. Personalization, such as the addition of company logos, is acceptable.

Do not delete any content from any place in this document, including this section and the versioning above. These instructions are important for the assessor as the report is written and for the recipient in understanding the context in which the responses and conclusions are made. Addition of text or sections is applicable within reason, as noted above. Refer to the “Frequently Asked Questions for use with ROC Reporting Template for PCI DSS v3.x” document on the PCI SSC website for further guidance.

The Report on Compliance (ROC) is produced during onsite PCI DSS assessments as part of an entity’s validation process. The ROC provides details about the entity’s environment and assessment methodology, and documents the entity’s compliance status for each PCI DSS Requirement.
A PCI DSS compliance assessment involves thorough testing and assessment activities, from which the assessor will generate detailed work papers. These work papers contain comprehensive records of the assessment activities, including observations, results of system testing, configuration data, file lists, interview notes, documentation excerpts, references, screenshots, and other evidence collected during the course of the assessment. The ROC is effectively a summary of evidence derived from the assessor’s work papers to describe how the assessor performed the validation activities and how the resultant findings were reached. At a high level, the ROC provides a comprehensive summary of testing activities performed and information collected during the assessment against the PCI DSS Requirements and Security Assessment Procedures v3.1. The information contained in a ROC must provide enough detail and coverage to verify that the assessed entity is compliant with all PCI DSS requirements.

ROC Sections

The ROC includes the following sections and appendices:
- Section 1: Contact Information and Report Date
- Section 2: Summary Overview
- Section 3: Description of Scope of Work and Approach Taken
- Section 4: Details about Reviewed Environment
- Section 5: Quarterly Scan Results
- Section 6: Findings and Observations

- Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers
- Appendices B and C: Compensating Controls and Compensating Controls Worksheet (as applicable)
- Appendix D: Segmentation and Sampling of Business Facilities/System Components (diagram)

The first five sections must be thoroughly and accurately completed, in order for the assessment findings in Section 6 and any applicable responses in the Appendices to have the proper context. The Reporting Template includes tables with Reporting Instructions built in to help assessors provide all required information throughout the document. Responses should be specific, but efficient. Details provided should focus on concise quality of detail, rather than lengthy, repeated verbiage. Parroting the testing procedure within a description is discouraged, as it does not add any level of assurance to the narrative. Use of template language for summaries and descriptions is discouraged, and details should be specifically relevant to the assessed entity.

ROC Summary of Assessor Findings

With the Reporting Template, an effort was made to efficiently use space, and as such, there is one response column for results/evidence (“ROC Reporting Details: Assessor’s Response”) instead of three. Additionally, the results for “Summary of Assessor Findings” were expanded to more effectively represent the testing and results that took place, which should be aligned with the Attestation of Compliance (AOC).

There are now five results possible – In Place, In Place with CCW (Compensating Control Worksheet), Not Applicable, Not Tested, and Not in Place. At each sub-requirement there is a place to designate the result (“Summary of Assessor Findings”), which can be checked as appropriate. See the example format on the following page, as referenced.

The following table is a helpful representation when considering which selection to make.
Remember, only one response should be selected at the sub-requirement level, and reporting of that should be consistent with other required documents, such as the AOC. Refer to the “Frequently Asked Questions for use with ROC Reporting Template for PCI DSS v3.x” document on the PCI SSC website for further guidance.

RESPONSE: In Place
WHEN TO USE THIS RESPONSE: The expected testing has been performed, and all elements of the requirement have been met as stated.
USING THE SAMPLE BELOW: In the sample, the Summary of Assessment Findings at 1.1 is “in place” if all report findings are in place for 1.1.a and 1.1.b, or a combination of in place and not applicable.

RESPONSE: In Place w/ CCW (Compensating Control Worksheet)
WHEN TO USE THIS RESPONSE: The expected testing has been performed, and the requirement has been met with the assistance of a compensating control. All responses in this column require completion of a Compensating Control Worksheet (CCW).
USING THE SAMPLE BELOW: In the sample, the Summary of Assessment Findings at 1.1 is “in place with CCW” if all report findings are in place for 1.1.a and 1.1.b with the use of a CCW for one or both (completed at the end of the report), or a combination of in place with CCW and not applicable. Information on the use of compensating controls and guidance on how to complete the worksheet is provided in the PCI DSS.

No