The questionnaire is divided into six sections. Each section focuses on a specific area of security, based on the requirements included in the PCI Data Security Standard. For any questions where N/A is marked, a brief explanation should be attached.
Section 1: Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect data

| # | Description | Response |
|---|---|---|
| 1.1 | Are all router, switch, wireless access point, and firewall configurations secured, and do they conform to documented security standards? | |
| 1.2 | If wireless technology is used, is access to the network limited to authorized devices? | |
| 1.3 | Do changes to the firewall require authorization, and are the changes logged? | |
| 1.4 | Is a firewall used to protect the network and limit traffic to that which is required to conduct business? | |
| 1.5 | Are ingress and egress filters installed on all border routers to prevent impersonation with spoofed IP addresses? | |
| 1.6 | Is payment card account information stored in a database located on the internal network (not the DMZ) and protected by a firewall? | |
| 1.7 | If wireless technology is used, do perimeter firewalls exist between wireless networks and the payment card environment? | |
| 1.8 | Does each mobile computer with direct connectivity to the Internet have a personal firewall and anti-virus software installed? | |
| 1.9 | Are Web servers located on a publicly reachable network segment separated from the internal network by a firewall (DMZ)? | |
| 1.10 | Is the firewall configured to translate (hide) internal IP addresses using network address translation (NAT)? | |

Please provide any explanations for this section here. (For example, please clarify N/A responses.)
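
The following is an added example, not part of the questionnaire, showing one way to test a border-router ruleset for the ingress and egress anti-spoofing filters asked about in items 1.4 and 1.5. The rule format, the internal prefixes, the probe packets and both rulesets are assumptions constructed for the example; a real audit would load the device's actual access lists.

```python
"""Check a border-router ruleset for anti-spoofing ingress/egress filters.

Added example for questionnaire items 1.4 and 1.5; not part of the original
questionnaire. The rule format, the internal prefixes and the sample rulesets
are constructed here for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed: the address space that belongs inside the perimeter (RFC 1918 here).
INTERNAL = [ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    direction: str   # "in" (from the Internet) or "out" (to the Internet)
    src: str         # CIDR the packet's source must fall in; "any" matches all
    action: str      # "permit" or "deny"


def matches(rule, direction, src):
    return rule.direction == direction and (rule.src == "any" or src in ip_network(rule.src))


def decide(rules, direction, src):
    """First-match evaluation with an implicit deny when nothing matches."""
    src = ip_address(src)
    for r in rules:
        if matches(r, direction, src):
            return r.action
    return "deny"


def is_internal(src):
    return any(ip_address(src) in net for net in INTERNAL)


def audit_antispoof(rules, probes):
    """Return the probes a correct anti-spoofing filter would drop but this ruleset permits.

    Ingress: an inbound packet claiming an internal source address is spoofed.
    Egress: an outbound packet with a non-internal source is spoofed (or leaking).
    """
    findings = []
    for direction, src in probes:
        spoofed = (direction == "in" and is_internal(src)) or \
                  (direction == "out" and not is_internal(src))
        if spoofed and decide(rules, direction, src) == "permit":
            findings.append((direction, src))
    return findings


# Constructed probe packets: (direction, claimed source address)
PROBES = [("in", "203.0.113.7"), ("in", "10.1.2.3"),
          ("out", "192.168.1.10"), ("out", "198.51.100.9")]

# Weak ruleset: permits everything in both directions.
WEAK = [Rule("in", "any", "permit"), Rule("out", "any", "permit")]

# Hardened ruleset: explicit anti-spoof denies ahead of the business permits;
# outbound traffic is only permitted from internal prefixes (implicit deny otherwise).
HARDENED = [
    Rule("in", "10.0.0.0/8", "deny"),
    Rule("in", "172.16.0.0/12", "deny"),
    Rule("in", "192.168.0.0/16", "deny"),
    Rule("in", "any", "permit"),          # a real filter would narrow this to DMZ services
    Rule("out", "10.0.0.0/8", "permit"),
    Rule("out", "172.16.0.0/12", "permit"),
    Rule("out", "192.168.0.0/16", "permit"),
]

if __name__ == "__main__":
    print("weak ruleset lets through:", audit_antispoof(WEAK, PROBES))
    print("hardened ruleset lets through:", audit_antispoof(HARDENED, PROBES))
```

The weak ruleset lets both spoofed probes through; the hardened one drops them while still permitting legitimate inbound and outbound traffic. Loopback, link-local and unallocated ranges would be added to the deny list in practice.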
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

| # | Description | Response |
|---|---|---|
| 2.1 | Are vendor default security settings changed on production systems before taking the system into production? | |
| 2.2 | Are vendor default accounts and passwords disabled or changed on production systems before putting a system into production? | |
| 2.3 | If wireless technology is used, are vendor default settings changed (e.g., WEP keys, SSIDs, passwords, SNMP community strings; SSID broadcast disabled)? | |
| 2.4 | If wireless technology is used, is Wi-Fi Protected Access (WPA) implemented for encryption and authentication where the equipment is WPA-capable? | |
| 2.5 | Are all production systems (servers and network components) hardened by removing all unnecessary services and protocols installed by the default configuration? | |
| 2.6 | Are secure, encrypted communications used for remote administration of production systems and applications? | |

Please provide any explanations for this section here. (For example, please clarify N/A responses.)
Section 2: Protect Cardholder Data

Requirement 3: Protect stored data

| # | Description | Response |
|---|---|---|
| 3.1 | Is sensitive cardholder data securely disposed of when no longer needed? | |
| 3.2 | Is it prohibited to store the full contents of any track from the magnetic stripe (on the back of the card, in a chip, etc.) in the database, log files, or point-of-sale products? | |
| 3.3 | Is it prohibited to store the card-validation code (the three-digit value printed on the signature panel, or the four-digit value printed on the front of some cards) in the database, log files, or point-of-sale products? | |
| 3.4 | Are all but the last four digits of the account number masked when displaying cardholder data? | |
| 3.5 | Are account numbers (in databases, logs, files, backup media, etc.) stored securely, for example by means of encryption or truncation? | |
| 3.6 | Are account numbers sanitized before being written to the audit log? | |

Please provide any explanations for this section here. (For example, please clarify N/A responses.)
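
The following is an added example, not part of the questionnaire, showing the masking (item 3.4), truncation (item 3.5) and log sanitization (items 3.2, 3.3 and 3.6) the questions above ask about. The sample log lines and card numbers are constructed test data (Luhn-valid industry test numbers, not real accounts); the Luhn check is used so that other long digit strings, such as order references, are not mistaken for account numbers.

```python
"""Mask, truncate and scrub primary account numbers (PANs) before display, storage or logging.

Added example for items 3.2 through 3.6; not from the original questionnaire.
The sample log lines and PANs are constructed test data.
"""
import re


def luhn_ok(digits):
    """Luhn check so that arbitrary long numbers (order IDs etc.) are not treated as PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by single spaces or dashes
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Magnetic-stripe track data: track 1 starts "%B<PAN>^", track 2 is "<PAN>=<expiry+service code>"
TRACK_RE = re.compile(r"%B\d{13,19}\^[^?]*\?|;?\d{13,19}=\d{4,}\??")
# Card-validation code logged as a named field (cvv, cvv2, cvc, cvc2, cid)
CVV_RE = re.compile(r"\b(cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)


def mask_pan(pan):
    """Display form: only the last four digits remain visible (item 3.4)."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def truncate_pan(pan):
    """Storage form when the full PAN is not needed: first six and last four kept (item 3.5)."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]


def scrub_log_line(line):
    """Sanitise one line before it reaches the audit log (items 3.2, 3.3, 3.6).

    Returns (clean_line, findings); findings names what was removed, in order.
    """
    findings = []
    if TRACK_RE.search(line):
        findings.append("track-data")
        line = TRACK_RE.sub("[TRACK DATA REMOVED]", line)
    if CVV_RE.search(line):
        findings.append("cvv")
        line = CVV_RE.sub(lambda m: m.group(1) + "=[CVV REMOVED]", line)

    def _mask(m):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            findings.append("pan")
            return mask_pan(digits)
        return m.group(0)

    line = PAN_RE.sub(_mask, line)
    return line, findings


def scrub_all(lines):
    return [scrub_log_line(l) for l in lines]


# Constructed sample log lines (test card numbers, not real accounts)
SAMPLE_LOG = [
    "2024-03-01 12:00:01 order=123456 pan=4111 1111 1111 1111 cvv=123 amount=19.99",
    "2024-03-01 12:00:02 swipe=%B4111111111111111^DOE/JOHN^25121011000000000000?",
    "2024-03-01 12:00:03 ref=1234567890123456 status=ok",
    "2024-03-01 12:00:04 card=5555-5555-5555-4444 exp=12/25",
]

if __name__ == "__main__":
    for clean, found in scrub_all(SAMPLE_LOG):
        print(found, clean)
```

The third sample line is left untouched because its 16-digit reference fails the Luhn check; the other three lose the account number, the validation code or the whole track. Scrubbing at the logging layer is a safety net, not a substitute for never passing these values to the logger in the first place.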
Requirement 4: Encrypt transmission of cardholder data and sensitive information across public networks

| # | Description | Response |
|---|---|---|
| 4.1 | Are transmissions of sensitive cardholder data over public networks encrypted using SSL or other industry-accepted methods? | |
| 4.2 | If SSL is used for transmission of sensitive cardholder data, is it version 3.0 with 128-bit encryption? | |
| 4.3 | If wireless technology is used, is the communication encrypted using Wi-Fi Protected Access (WPA), VPN, SSL at 128-bit, or WEP? | |
| 4.4 | If wireless technology is used, are 128-bit WEP and additional encryption technologies in use, and are shared WEP keys rotated quarterly? | |
| 4.5 | Is encryption used when account numbers are transmitted via e-mail? | |

Please provide any explanations for this section here. (For example, please clarify N/A responses.)
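
The following is an added example, not part of the questionnaire, showing how to verify what a server actually negotiates rather than what its documentation claims (items 4.1 and 4.2). It parses a TLS ServerHello record and reports the protocol version and cipher suite. SSL 3.0, which item 4.2 names, has since been formally deprecated (RFC 7568) and later PCI DSS versions no longer accept SSL or early TLS as strong cryptography, so the policy applied here requires TLS 1.2 or later and an AEAD cipher suite with forward secrecy; that policy and the ServerHello bytes are constructed for the example, not taken from a real capture.

```python
"""Check the TLS version and cipher suite a server actually negotiates.

Added example for items 4.1 and 4.2; not part of the original questionnaire.
Parses a ServerHello record (bytes constructed below, not a real capture) and
applies a policy of TLS 1.2 or later with an approved cipher suite.
"""
import struct

VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
            0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

# A few IANA cipher suite values; anything not listed is reported by hex value.
SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
}
# Assumed policy: AEAD suites with forward secrecy only.
ACCEPTABLE = {0xC02F, 0xC030, 0x1301, 0x1302}


def parse_server_hello(record):
    """Return (version, cipher_suite) from a TLS record carrying a ServerHello."""
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    if body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    version = struct.unpack("!H", hello[:2])[0]
    pos = 2 + 32                                   # skip the 32-byte server random
    sid_len = hello[pos]
    pos += 1 + sid_len                             # skip session id
    suite = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 3                                       # cipher suite + compression method
    # TLS 1.3 keeps legacy_version = 0x0303 and signals 1.3 in supported_versions (0x002B)
    if pos + 2 <= len(hello):
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            if etype == 0x002B and elen == 2:
                version = struct.unpack("!H", hello[pos:pos + 2])[0]
            pos += elen
    return version, suite


def assess(record):
    """Apply the policy and return a small report."""
    version, suite = parse_server_hello(record)
    problems = []
    if version < 0x0303:
        problems.append("protocol %s is below TLS 1.2" % VERSIONS.get(version, hex(version)))
    if suite not in ACCEPTABLE:
        problems.append("cipher suite %s not acceptable" % SUITES.get(suite, hex(suite)))
    return {"version": VERSIONS.get(version, hex(version)),
            "suite": SUITES.get(suite, hex(suite)), "problems": problems}


def build_server_hello(version, suite, supported_version=None):
    """Constructed ServerHello for testing; a real check reads this off the wire."""
    hello = struct.pack("!H", version) + b"\x00" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    if supported_version is not None:
        ext = struct.pack("!HHH", 0x002B, 2, supported_version)
        hello += struct.pack("!H", len(ext)) + ext
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, version, len(hs)) + hs


SSL3_RC4 = build_server_hello(0x0300, 0x0004)
TLS12_GCM = build_server_hello(0x0303, 0xC02F)
TLS13 = build_server_hello(0x0303, 0x1301, supported_version=0x0304)

if __name__ == "__main__":
    for name, rec in (("SSL3_RC4", SSL3_RC4), ("TLS12_GCM", TLS12_GCM), ("TLS13", TLS13)):
        print(name, assess(rec))
```

The SSL 3.0 record is flagged twice (old protocol, RC4 suite), the TLS 1.2 and TLS 1.3 records pass. Running this against a live endpoint means capturing the first handshake record from the server; an equivalent check in practice is what tools such as a TLS scanner report.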
Section 3: Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software

| # | Description | Response |
|---|---|---|
| 5.1 | Is a virus scanner installed on all servers and on all workstations, and is the virus scanner regularly updated? | |

Please provide any explanations for this section here. (For example, please clarify N/A responses.)
Requirement 6: Develop and maintain secure systems and applications

| # | Description | Response |
|---|---|---|
| 6.1 | Are development, testing, and production systems updated with the latest security-related patches released by the vendors? | |
| 6.2 | Is the software and application development process based on an industry best practice, and is information security included throughout the software development life cycle (SDLC)? | |
| 6.3 | If production data is used for testing and development purposes, is sensitive cardholder data sanitized before use? | |
| 6.4 | Are all changes to the production environment and applications formally authorized, planned, and logged before being implemented? | |
| 6.5 | Were guidelines commonly accepted by the security community (such as those of the Open Web Application Security Project, www.owasp.org) taken into account in the development of Web applications? | |
| 6.6 | When authenticating over the Internet, is the application designed to prevent malicious users from determining which user accounts exist? | |
| 6.7 | Is sensitive cardholder data stored in cookies secured or encrypted? | |
| 6.8 | Are controls implemented on the server side to prevent SQL injection and other bypassing of client-side input controls? | |

Please provide any explanations for this section here. (For example, please clarify N/A responses.)
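
The following is an added example, not part of the questionnaire, showing a login handler that addresses items 6.6 and 6.8 together: the query is parameterised so user input can never alter its structure, the same failure message and the same amount of password-hashing work are produced whether the username exists or not, and the password comparison is constant-time. The in-memory SQLite database, the user records and the hashing parameters are constructed for the example. The vulnerable function is included only to show what item 6.8 is asking about.

```python
"""Login handler with server-side input controls.

Added example for items 6.6 and 6.8; not part of the original questionnaire.
Uses an in-memory SQLite database with constructed users. The vulnerable
function is kept only to show what item 6.8 is asking about.
"""
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 100_000          # assumed PBKDF2 work factor for the example


def hash_password(password, salt=None):
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def setup_db():
    """Constructed user table; never stores the plaintext password."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for user, pw in (("alice", "correct horse battery staple"), ("bob", "hunter2")):
        salt, digest = hash_password(pw)
        db.execute("INSERT INTO users VALUES (?, ?, ?)", (user, salt, digest))
    return db


def login_vulnerable(db, username):
    """String-built query: a username of  ' OR 1=1 --  returns the first row and 'logs in'."""
    query = "SELECT username FROM users WHERE username = '%s'" % username
    row = db.execute(query).fetchone()
    return row is not None


# Dummy credentials so an unknown user costs the same PBKDF2 work as a wrong
# password; the timing of the response then does not reveal whether the
# account exists (item 6.6).
_DUMMY_SALT, _DUMMY_HASH = hash_password("dummy")


def login_hardened(db, username, password):
    """Parameterised query (item 6.8), constant-time compare, uniform failure message (item 6.6)."""
    row = db.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                     (username,)).fetchone()
    salt, expected = row if row else (_DUMMY_SALT, _DUMMY_HASH)
    _, candidate = hash_password(password, salt)
    # `row is not None` guards against someone guessing the dummy password for an unknown user
    ok = hmac.compare_digest(candidate, expected) and row is not None
    return (True, "ok") if ok else (False, "invalid username or password")


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable, injected username:", login_vulnerable(db, "' OR 1=1 --"))
    print("hardened, injected username:  ", login_hardened(db, "' OR 1=1 --", "x"))
    print("hardened, unknown user:       ", login_hardened(db, "nobody", "x"))
    print("hardened, wrong password:     ", login_hardened(db, "alice", "wrong"))
```

The injected username succeeds against the string-built query and is just a non-existent username to the parameterised one. The unknown-user and wrong-password paths return identical responses, which is the point of item 6.6; a registration or password-reset form needs the same treatment.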
Section 4: Implement Strong Access Control Measures

Requirement 7: Restrict access to data by business need-to-know

| # | Description | Response |
|---|---|---|
| 7.1 | Is access to payment card account numbers restricted to users with a business need to know? | |

Please provide any explanations for this section here. (For example, please clarify N/A responses.)
Requirement 8: Assign a unique ID to each person with computer access

| # | Description | Response |
|---|---|---|
| 8.1 | Are all users required to authenticate using, at a minimum, a unique username and password? | |
| 8.2 | If employees, administrators, or third parties access the network remotely, is the remote access software (such as PCAnywhere, dial-in, or VPN) configured with a unique username and password and with encryption and other security features turned on? | |
| 8.3 | Are all passwords on network devices and systems encrypted? | |
| 8.4 | When an employee leaves the company, are that employee's user accounts and passwords immediately revoked? | |
| 8.5 | Are all user accounts reviewed on a regular basis to ensure that malicious, out-of-date, or unknown accounts do not exist? | |
| 8.6 | Are non-consumer accounts that have not been used for an extended period (inactive accounts) automatically disabled after a pre-defined period? | |
| 8.7 | Are accounts used by vendors for remote maintenance enabled only during the time needed? | |
| 8.8 | Are group, shared, or generic accounts and passwords prohibited for non-consumer users? | |
| 8.9 | Are non-consumer users required to change their passwords on a pre-defined regular basis? | |
| 8.10 | Is there a password policy for non-consumer users that enforces the use of strong passwords and prevents the reuse of previously used passwords? | |
| 8.11 | Is there an account-lockout mechanism that blocks a malicious user from obtaining access to an account through repeated password attempts or brute force? | |

Please provide any explanations for this section here. (For example, please clarify N/A responses.)
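
The following is an added example, not part of the questionnaire, implementing the three mechanisms items 8.6, 8.10 and 8.11 ask about: lockout after repeated failures within a window, automatic disabling of accounts idle beyond a limit, and rejection of recently used passwords. The thresholds (6 failures, 30-minute lockout, 90 days of inactivity, 4 previous passwords), the account records and the fixed clock are assumptions constructed for the example; the history uses a plain hash for brevity where a production system would store salted KDF outputs.

```python
"""Account lockout, inactivity disabling and password-history checks.

Added example for items 8.6, 8.10 and 8.11; not part of the original
questionnaire. Thresholds, accounts and the clock are constructed for the example.
"""
import hashlib
from datetime import datetime, timedelta

MAX_FAILURES = 6                       # assumed policy values
LOCKOUT = timedelta(minutes=30)
INACTIVITY_LIMIT = timedelta(days=90)
HISTORY_DEPTH = 4


class Account:
    def __init__(self, name, last_login):
        self.name = name
        self.enabled = True
        self.last_login = last_login
        self.failures = []             # timestamps of recent failed attempts
        self.locked_until = None
        self.history = []              # fingerprints of previous passwords (plain hash for brevity)


def is_locked(acct, now):
    return acct.locked_until is not None and now < acct.locked_until


def record_failure(acct, now):
    """Item 8.11: lock the account once MAX_FAILURES occur inside the LOCKOUT window."""
    acct.failures = [t for t in acct.failures if now - t < LOCKOUT]
    acct.failures.append(now)
    if len(acct.failures) >= MAX_FAILURES:
        acct.locked_until = now + LOCKOUT
        acct.failures = []
    return is_locked(acct, now)


def record_success(acct, now):
    acct.failures = []
    acct.last_login = now


def disable_inactive(accounts, now):
    """Item 8.6: disable accounts idle longer than INACTIVITY_LIMIT; returns the names disabled."""
    disabled = []
    for a in accounts:
        if a.enabled and now - a.last_login > INACTIVITY_LIMIT:
            a.enabled = False
            disabled.append(a.name)
    return disabled


def _fingerprint(password):
    return hashlib.sha256(password.encode()).hexdigest()


def password_change_allowed(acct, new_password):
    """Item 8.10: reject any of the last HISTORY_DEPTH passwords; record the new one on success."""
    fp = _fingerprint(new_password)
    if fp in acct.history[-HISTORY_DEPTH:]:
        return False
    acct.history.append(fp)
    return True


T0 = datetime(2024, 1, 1, 9, 0)        # fixed clock for the example


def demo():
    """Drive the three checks on constructed accounts and return the outcomes."""
    vendor = Account("svc-vendor", T0 - timedelta(days=1))
    locked_after = [record_failure(vendor, T0 + timedelta(seconds=i)) for i in range(MAX_FAILURES)]
    stale = Account("old-contractor", T0 - timedelta(days=120))
    fresh = Account("alice", T0 - timedelta(days=10))
    bob = Account("bob", T0)
    changes = [password_change_allowed(bob, p) for p in ("p1", "p2", "p1", "p3", "p4", "p5", "p1")]
    return {
        "locked_after": locked_after,                                  # False x5, then True
        "still_locked_10m": is_locked(vendor, T0 + timedelta(minutes=10)),
        "locked_31m": is_locked(vendor, T0 + timedelta(minutes=31)),
        "disabled": disable_inactive([stale, fresh], T0),
        "changes": changes,                                            # third and last "p1" differ
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The sixth failure locks the vendor account for 30 minutes, the 120-day-idle account is disabled while the 10-day-idle one is left alone, and "p1" is refused while it is among the last four passwords but accepted once it has aged out of the history window.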
Requirement 9: Restrict physical access to cardholder data

| # | Description | Response |
|---|---|---|
| 9.1 | Are there multiple physical security controls (such as badges, escorts, or mantraps) in place that would prevent unauthorized individuals from gaining access to the facility? | |
| 9.2 | If wireless technology is used, is access to wireless access points, wireless gateways, and wireless handheld devices restricted? | |
| 9.3 | Are equipment (such as servers, workstations, laptops, and hard drives) and media containing cardholder data physically protected against unauthorized access? | |
| 9.4 | Is all cardholder data printed on paper or received by fax protected against unauthorized access? | |
| 9.5 | Are procedures in place for the secure distribution and disposal of backup media and other media containing sensitive cardholder data? | |
| 9.6 | Are all media devices that store cardholder data properly inventoried and securely stored? | |
| 9.7 | Is cardholder data deleted or destroyed before it is physically disposed of (for example, by shredding paper or degaussing backup media)? | |

Please provide any explanations for this section here. (For example, please clarify N/A responses.)
Section 5: Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data

| # | Description | Response |
|---|---|---|
| 10.1 | Is all access to cardholder data, including root/administrative access, logged? | |
| 10.2 | Do access control logs record successful and unsuccessful login attempts and access to the audit logs themselves? | |
| 10.3 | Are all critical system clocks synchronized, and do log entries include a date and time stamp? | |
| 10.4 | Are the firewall, router, wireless access point, and authentication server logs regularly reviewed for unauthorized traffic? | |
| 10.5 | Are audit logs regularly backed up, secured, and retained for at least three months online and one year offline for all critical systems? | |

Please provide any explanations for this section here. (For example, please clarify N/A responses.)
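
The following is an added example, not part of the questionnaire, of the kind of review items 10.1, 10.3, 10.4 and 10.5 call for, run over a few constructed log lines. Each line carries the time the central collector received it (`recv=`) and the device's own timestamp (`ts=`); comparing the two exposes hosts whose clocks are not synchronized. The line format, the hosts, the 5-minute skew threshold and the 90-day/365-day retention tiers are assumptions made for the example.

```python
"""Review audit logs for clock skew, privileged access and unauthorized traffic; apply retention tiers.

Added example for items 10.1, 10.3, 10.4 and 10.5; not part of the original
questionnaire. Log lines are constructed: 'recv=' is when the central collector
received the line, 'ts=' is the device's own timestamp.
"""
import re
from collections import Counter
from datetime import date, datetime

LINE_RE = re.compile(r"^recv=(\S+) ts=(\S+) host=(\S+) (.*)$")

SAMPLE_LOG = [
    "recv=2024-03-01T12:00:05+00:00 ts=2024-03-01T12:00:04+00:00 host=fw1 DENY in src=203.0.113.9 dst=10.0.5.20 dport=3389",
    "recv=2024-03-01T12:00:06+00:00 ts=2024-03-01T12:00:05+00:00 host=fw1 DENY in src=203.0.113.9 dst=10.0.5.20 dport=22",
    "recv=2024-03-01T12:00:07+00:00 ts=2024-03-01T12:00:06+00:00 host=fw1 DENY in src=203.0.113.9 dst=10.0.5.21 dport=445",
    "recv=2024-03-01T12:00:10+00:00 ts=2024-03-01T11:47:10+00:00 host=db1 sudo root: pg_dump cardholder",
    "recv=2024-03-01T12:00:11+00:00 ts=2024-03-01T12:00:11+00:00 host=app1 user=app SELECT cardholder.pan_token",
    "recv=2024-03-01T12:00:12+00:00 ts=2024-03-01T11:47:12+00:00 host=db1 LOGIN FAILED user=admin",
]


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unparseable line: %r" % line)
    recv, ts, host, msg = m.groups()
    return {"recv": datetime.fromisoformat(recv), "ts": datetime.fromisoformat(ts),
            "host": host, "msg": msg}


EVENTS = [parse_line(l) for l in SAMPLE_LOG]


def clock_skew_report(events, max_skew=300):
    """Item 10.3: hosts whose timestamps differ from the collector's clock by more than max_skew seconds."""
    worst = {}
    for e in events:
        skew = (e["ts"] - e["recv"]).total_seconds()
        if abs(skew) > abs(worst.get(e["host"], 0)):
            worst[e["host"]] = skew
    return {h: int(s) for h, s in worst.items() if abs(s) > max_skew}


PRIV_RE = re.compile(r"\b(root|admin|administrator)\b")


def privileged_access(events):
    """Item 10.1: root/administrative activity that touches cardholder data."""
    return [e["msg"] for e in events if PRIV_RE.search(e["msg"]) and "cardholder" in e["msg"]]


def denied_sources(events, threshold=3):
    """Item 10.4: sources with at least `threshold` inbound denies in the reviewed window."""
    counts = Counter()
    for e in events:
        m = re.match(r"DENY in src=(\S+)", e["msg"])
        if m:
            counts[m.group(1)] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


def retention_tier(archive_day, today, online_days=90, offline_days=365):
    """Item 10.5: where an archive dated archive_day (ISO date) should live as of today."""
    age = (date.fromisoformat(today) - date.fromisoformat(archive_day)).days
    if age <= online_days:
        return "online"
    if age <= offline_days:
        return "offline"
    return "purge-eligible"


if __name__ == "__main__":
    print("clock skew:", clock_skew_report(EVENTS))
    print("privileged access:", privileged_access(EVENTS))
    print("scanning sources:", denied_sources(EVENTS))
    for d in ("2024-01-15", "2023-09-01", "2022-12-01"):
        print(d, retention_tier(d, "2024-03-01"))
```

On the sample data the database host is 13 minutes behind the collector, which would make its `root` dump of the cardholder table hard to correlate with the firewall events around it; the three denies from one source in three seconds are a port sweep worth a look. The retention helper only decides where an archive belongs; the archive itself still needs to be integrity-protected and access-logged (item 10.2).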
Requirement 11: Regularly test security systems and processes

| # | Description | Response |
|---|---|---|
| 11.1 | If wireless technology is used, is a wireless analyzer run periodically to identify all wireless devices? | |
| 11.2 | Is a vulnerability scan or penetration test performed on all Internet-facing applications and systems before they go into production? | |
| 11.3 | Is an intrusion detection or intrusion prevention system used on the network? | |
| 11.4 | Are security alerts from the intrusion detection or intrusion prevention system (IDS/IPS) continuously monitored, and are the latest IDS/IPS signatures installed? | |

Please provide any explanations for this section here. (For example, please clarify N/A responses.)
Section 6: Maintain a Policy That Addresses Information Security

Requirement 12: Maintain a policy that addresses information security

| # | Description | Response |
|---|---|---|
| 12.1 | Are information security policies, including policies for access control, application and system development, and operational, network, and physical security, formally documented? | |
| 12.2 | Are information security policies and other relevant security information disseminated to all system users (including vendors, contractors, and business partners)? | |
| 12.3 | Are information security policies reviewed at least once a year and updated as needed? | |
| 12.4 | Have the roles and responsibilities for information security been clearly defined within the company? | |
| 12.5 | Is there an up-to-date information security awareness and training program in place for all system users? | |
| 12.6 | Are employees required to sign an agreement verifying that they have read and understood the security policies and procedures? | |
| 12.7 | Is a background investigation (such as a credit and criminal-record check, within the limits of local law) performed on all employees with access to account numbers? | |
| 12.8 | Are all third parties with access to sensitive cardholder data contractually obligated to comply with card association security standards? | |
| 12.9 | Is a security incident response plan formally documented and disseminated to the appropriate responsible parties? | |
| 12.10 | Are security incidents reported to the person responsible for security investigation? | |
| 12.11 | Is there an incident response team ready to be deployed in case of a cardholder data compromise? | |

Please provide any explanations for this section here. (For example, please clarify N/A responses.)