Self-Assessment Questionnaire D
and Attestation of Compliance for
Service Providers
Document Changes
Date | PCI DSS Version | SAQ Revision | Description
October 2008 | 1.2 | |
October 2010 | 2.0 | |
February 2014 | 3.0 | |
April 2015 | 3.1 | | Updated to align with PCI DSS v3.1. For details of PCI DSS changes, see PCI DSS Summary of Changes from PCI DSS Version 3.0 to 3.1.
July 2015 | 3.1 | 1.1 |
Table of Contents
Document Changes
Before You Begin
PCI DSS Self-Assessment Completion Steps
Understanding the Self-Assessment Questionnaire
Expected Testing
Completing the Self-Assessment Questionnaire
Guidance for Non-Applicability of Certain, Specific Requirements
Understanding the difference between Not Applicable and Not Tested
Legal Exception
Requirement 2:
Do not use vendor-supplied defaults for system passwords and other security parameters
Requirement 4:
Protect all systems against malware and regularly update anti-virus software or programs
Requirement 6:
Requirement 8:
Requirement 9:
Appendix B:
Appendix C:
Explanation of Non-Applicability
Appendix D:
Section 1 (Part 1 & 2 of the AOC) Assessment Information and Executive Summary
Section 3 (Parts 3 & 4 of the AOC) Validation and Attestation Details and Action Plan for Non-Compliant Requirements (if applicable)
4. Submit the SAQ and Attestation of Compliance, along with any other requested documentation, such
as ASV scan reports, to the payment brand, or other requester.
Includes:
PCI DSS
Guidance on Scoping
These and other resources can be found on the PCI SSC website (www.pcisecuritystandards.org).
Organizations are encouraged to review the PCI DSS and other supporting documents before
beginning an assessment.
Expected Testing
The instructions provided in the Expected Testing column are based on the testing procedures in the
PCI DSS, and provide a high-level description of the types of testing activities that should be performed in
order to verify that a requirement has been met. Full details of testing procedures for each requirement
can be found in the PCI DSS.
PCI DSS v3.1 SAQ D for Service Providers, Rev. 1.1
2006-2015 PCI Security Standards Council, LLC. All Rights Reserved.
July 2015
No
Some or all elements of the requirement have not been met, or are in
the process of being implemented, or require further testing before it will
be known if they are in place.
N/A
(Not Applicable)
The questions specific to securing wireless technologies (for example, Requirements 1.2.3, 2.1.1,
and 4.1.1) only need to be answered if wireless is present anywhere in your network. Note that
Requirement 11.1 (use of processes to identify unauthorized wireless access points) must still be
answered even if you don't use wireless technologies in your network, since the process detects
any rogue or unauthorized devices that may have been added without your knowledge.
The questions specific to application development and secure coding (Requirements 6.3 and 6.5)
only need to be answered if your organization develops its own custom applications.
The questions for Requirements 9.1.1 and 9.3 only need to be answered for facilities with
sensitive areas as defined here: "Sensitive areas" refers to any data center, server room or any
area that houses systems that store, process, or transmit cardholder data. This excludes the
areas where only point-of-sale terminals are present, such as the cashier areas in a retail store,
but does include retail store back-office server rooms that store cardholder data, and storage
areas for large quantities of cardholder data.
If any requirements are deemed not applicable to your environment, select the N/A option for that
specific requirement, and complete the Explanation of Non-Applicability worksheet in Appendix C for
each N/A entry.
An organization may wish to validate a new security control that impacts only a subset of
requirements, for example, implementation of a new encryption methodology that requires
assessment of PCI DSS Requirements 2, 3 and 4.
A service provider organization might offer a service which covers only a limited number of PCI
DSS requirements, for example, a physical storage provider may only wish to validate the
physical security controls per PCI DSS Requirement 9 for their storage facility.
In these scenarios, the organization only wishes to validate certain PCI DSS requirements even though
other requirements might also apply to their environment.
Legal Exception
If your organization is subject to a legal restriction that prevents the organization from meeting a PCI DSS
requirement, check the No column for that requirement and complete the relevant attestation in Part 3.
UAB Mistertango
DBA (doing
business as):
Mistertango
Contact Name:
Povilas Ziba
Title:
Project manager
Title:
Telephone:
+3705215546
E-mail:
povilas.ziba@mistertango.com
Business Address:
Perkunkiemio street 2
City:
Vilnius
State/Province:
Vilnius
LT
URL:
www.mistertango.com
Country:
Zip:
LT12126
Title:
Telephone:
E-mail:
Business Address:
City:
State/Province:
Country:
US
Zip:
URL:
PCI DSS v3.1 SAQ D for Service Providers, Rev. 1.1 Section 1: Assessment Information
Tadas Kvedaras
Payment Processing:
Applications / software
Hardware
IT support
Internet / e-commerce
Infrastructure / Network
Physical security
ATM
Storage
Account Management
Payment Gateway/Switch
Back-Office Services
Issuer Processing
Prepaid Services
Billing Management
Loyalty Programs
Records Management
Merchant Services
Tax/Government Payments
Web
Security services
3-D Secure Hosting Provider
Shared Hosting Provider
Other Hosting (specify):
Network Provider
Others (specify):
Note: These categories are provided for assistance only, and are not intended to limit or predetermine
an entity's service description. If you feel these categories don't apply to your
service, complete Others.
If you're unsure whether a category could apply to your service, consult with the
applicable payment brand.
Services that are provided by the service provider but were NOT INCLUDED in the scope of
the PCI DSS Assessment (check all that apply):
Name of service(s) not assessed:
Not applicable
Payment Processing:
POS / card present
Internet / e-commerce
MOTO / Call Center
ATM
Other processing (specify):
Account Management
Payment Gateway/Switch
Back-Office Services
Issuer Processing
Prepaid Services
Billing Management
Loyalty Programs
Records Management
Merchant Services
Tax/Government Payments
Network Provider
Others (specify):
Provide a brief explanation why any checked services
were not included in the assessment:
centers, call
Number of facilities
of this type
Type of facility
Office
No
Provide the following information regarding the Payment Applications your organization
uses:
Payment Application
Name
Version
Number
Application
Vendor
Is application
PA-DSS Listed?
Yes No
For example:
Connections into and out of the cardholder data
environment (CDE).
Critical system components within the CDE, such as
POS devices, databases, web servers,
etc., and any other necessary payment components, as
applicable.
Does your business use network segmentation to affect the scope of your PCI DSS
environment?
(Refer to Network Segmentation section of PCI DSS for guidance on network segmentation)
Yes
No
Yes
No
If Yes:
Type of service provider:
Full: The requirement and all sub-requirements were assessed for that Requirement, and no
sub-requirements were marked as Not Tested or Not Applicable in the SAQ.
Partial: One or more sub-requirements of that Requirement were marked as Not Tested or Not
Applicable in the SAQ.
None: All sub-requirements of that Requirement were marked as Not Tested and/or Not
Applicable in the SAQ.
For all requirements identified as either Partial or None, provide details in the Justification for Approach
column, including:
Details of specific sub-requirements that were marked as either Not Tested and/or Not Applicable in
the SAQ
Note: One table to be completed for each service covered by this AOC. Additional copies of this
section are available on the PCI SSC website.
Name of Service Assessed:
Full
Partial
None
Requirement 1:
Requirement 2:
Requirement 3:
Requirement 4:
Requirement 5:
Requirement 6:
6.4.3, 6.4.4
Requirement 7:
7.1, 7.3
Requirement 8:
8.1.1, 8.1.2
Requirement 9:
Requirement 10:
Requirement 12:
Appendix A:
Expected Testing
Yes
1.1
1.1.1
1.1.2
1.1.4
No
N/A
Not
Tested
Interview personnel
Interview personnel
(a)
(b)
1.1.3
Yes
with
CCW
PCI DSS v3.1 SAQ D for Service Providers, Rev. 1.1 Section 2: Self-Assessment Questionnaire
Response
(Check one response for each question)
Expected Testing
Yes
1.1.6
No
N/A
Not
Tested
Interview personnel
(b) Are firewall and router rule sets reviewed at least every
six months?
(b)
1.1.5
Yes
with
CCW
1.1.7
1.2
Response
(Check one response for each question)
Expected Testing
Yes
1.2.1
(b)
1.2.2
1.2.3
1.3
Yes
with
CCW
No
N/A
Not
Tested
1.3.1
1.3.2
1.3.3
Response
(Check one response for each question)
1.3.4
Expected Testing
Yes
Yes
with
CCW
No
N/A
Not
Tested
1.3.5
1.3.6
1.3.7
1.3.8
Interview personnel
Response
(Check one response for each question)
1.4
1.5
Expected Testing
Documented
Interview personnel
In use
Yes
Yes
with
CCW
No
N/A
Not
Tested
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Response
(Check one response for each question)
2.1
2.1.1
Expected Testing
Interview personnel
Interview personnel
Interview personnel
Interview personnel
Interview personnel
Yes
Yes
with
CCW
No
N/A
Not
Tested
Response
(Check one response for each question)
2.2
Expected Testing
Review industry-accepted
hardening standards
Interview personnel
Interview personnel
Interview personnel
Yes
Yes
with
CCW
No
N/A
Not
Tested
Response
(Check one response for each question)
Yes
Yes
with
CCW
No
N/A
Not
Tested
2.2.1
Expected Testing
2.2.2
Response
(Check one response for each question)
2.2.3
Expected Testing
Yes
Yes
with
CCW
No
N/A
Not
Tested
For example, use secured technologies such as SSH, SFTP, TLS, or IPSec VPN to protect insecure services such
as NetBIOS, file-sharing, Telnet, FTP, etc.
Note: SSL and early TLS are not considered strong
cryptography and cannot be used as a security control
after 30th June, 2016. Prior to this date, existing
implementations that use SSL and/or early TLS must have
a formal Risk Mitigation and Migration Plan in place.
and/or
Interview personnel
Response
(Check one response for each question)
2.3
Yes
Yes
with
CCW
No
N/A
Not
Tested
Review documentation
Review documentation
2.2.5
Expected Testing
Response
(Check one response for each question)
Expected Testing
Interview personnel
(a)
(b)
(c)
(d)
(e)
Yes
Yes
with
CCW
No
N/A
Not
Tested
Response
(Check one response for each question)
(f)
Expected Testing
Yes
Yes
with
CCW
No
N/A
Not
Tested
2.4
2.5
(a)
(b)
Interview personnel
Documented
Interview personnel
In use
Response
(Check one response for each question)
2.6
Expected Testing
Yes
Yes
with
CCW
No
N/A
Not
Tested
3.1
3.2
Expected Testing
Yes
Yes
with
CCW
No
N/A
Not
Tested
Interview personnel
Interview personnel
Interview personnel
Interview personnel
Interview personnel
Response
(Check one response for each question)
Expected Testing
Yes
Yes
with
CCW
No
N/A
Not
Tested
3.2.1
3.2.2
Response
(Check one response for each question)
3.2.3
Expected Testing
3.3
Yes
Yes
with
CCW
No
N/A
Not
Tested
Is the PAN masked when displayed (the first six and last
four digits are the maximum number of digits to be
displayed) such that only personnel with a legitimate
business need can see the full PAN?
Response
(Check one response for each question)
3.4
Expected Testing
Observe processes
Interview personnel
Yes
Yes
with
CCW
No
N/A
Not
Tested
3.4.1
Response
(Check one response for each question)
Expected Testing
Observe processes
Yes
Yes
with
CCW
No
N/A
Not
Tested
3.5
3.5.1
3.5.2
Observe processes
3.5.3
Response
(Check one response for each question)
3.6
Expected Testing
Yes
Yes
with
CCW
No
N/A
Not
Tested
Review key-management
procedures
Review key-management
procedures
Review key-management
procedures
Review key-management
procedures
Interview personnel
3.6.1
3.6.2
3.6.3
3.6.4
Response
(Check one response for each question)
3.6.5
3.6.6
Expected Testing
Review key-management
procedures
Interview personnel
Review key-management
procedures
Interview personnel
Review key-management
procedures
Interview personnel
Review key-management
procedures
Observe processes
Yes
Yes
with
CCW
No
N/A
Not
Tested
AND
Response
(Check one response for each question)
3.6.7
3.6.8
3.7
Expected Testing
Review procedures
Observe processes
Review procedures
Documented
Interview personnel
In use
Yes
Yes
with
CCW
No
N/A
Not
Tested
4.1
Expected Testing
Yes
Yes
with
CCW
No
N/A
Not
Tested
Response
(Check one response for each question)
Expected Testing
Yes
Yes
with
CCW
No
N/A
Not
Tested
Response
(Check one response for each question)
Expected Testing
Yes
Yes
with
CCW
No
N/A
Not
Tested
Observe processes
(g)
4.1.1
4.2
Response
(Check one response for each question)
4.3
Expected Testing
Documented
Interview personnel
In use
Yes
Yes
with
CCW
No
N/A
Not
Tested
5.1
5.1.1
5.1.2
5.2
Expected Testing
Yes
Yes
with
CCW
No
N/A
Not
Tested
Interview personnel
Response
(Check one response for each question)
5.3
5.4
Expected Testing
Actively running?
Observe processes
Interview personnel
Documented
Interview personnel
In use
Yes
Yes
with
CCW
No
N/A
Not
Tested
6.1
Expected Testing
Interview personnel
Observe processes
Yes
Yes
with
CCW
No
N/A
Not
Tested
6.2
Response
(Check one response for each question)
6.3
Expected Testing
Observe processes
Interview personnel
Observe processes
Interview personnel
Observe processes
Interview personnel
Interview personnel
Yes
Yes
with
CCW
No
N/A
Not
Tested
6.3.1
Response
(Check one response for each question)
6.3.2
Expected Testing
Interview personnel
Yes
Yes
with
CCW
No
N/A
Not
Tested
6.4
6.4.1
Response
(Check one response for each question)
6.4.2
6.4.3
6.4.4
6.4.5
Expected Testing
Yes
Yes
with
CCW
No
N/A
Not
Tested
Observe processes
Interview personnel
Observe processes
Interview personnel
Observe processes
Interview personnel
Documentation of impact
Documented change control approval by authorized
parties
Functionality testing to verify that the change does
not adversely impact the security of the system
Back-out procedures
Documentation of impact?
Response
(Check one response for each question)
6.4.5.2
6.4.5.3
6.4.5.4
6.5
Expected Testing
Yes
Yes
with
CCW
No
N/A
Not
Tested
Back-out procedures?
Review software-development
policies and procedures
Interview personnel
Response
(Check one response for each question)
6.5.1
6.5.2
6.5.3
6.5.4
6.5.5
6.5.6
Expected Testing
Examine software-development
policies and procedures
Examine software-development
policies and procedures
Examine software-development
policies and procedures
Examine software-development
policies and procedures
Examine software-development
policies and procedures
Examine software-development
policies and procedures
6.5.7
6.5.8
Yes
Yes
with
CCW
No
N/A
Not
Tested
applications
the following
Examine software-development
policies and procedures
Examine software-development
policies and procedures
Response
(Check one response for each question)
6.5.9
6.5.10
Expected Testing
Examine software-development
policies and procedures
Examine software-development
policies and procedures
Yes
Yes
with
CCW
No
N/A
Not
Tested
Response
(Check one response for each question)
6.6
Expected Testing
Interview personnel
Yes
Yes
with
CCW
No
N/A
Not
Tested
- At least annually
- After any changes
- By an organization that specializes in application
security
- That, at a minimum, all vulnerabilities in
Requirement 6.5 are included in the assessment
- That all vulnerabilities are corrected
- That the application is re-evaluated after the
corrections
Note: This assessment is not the same as the vulnerability
scans performed for Requirement 11.2.
OR
Response
(Check one response for each question)
6.7
Documented
In use
Expected Testing
Interview personnel
Yes
Yes
with
CCW
No
N/A
Not
Tested
Expected Testing
Yes
Yes
with
CCW
No
N/A
Not
Tested
7.1
Interview personnel
Interview management
Interview management
7.1.1
7.1.2
7.1.3
Response
(Check one response for each question)
7.1.4
Documented
Interview personnel
In use
Yes
Yes
with
CCW
No
N/A
Not
Tested
7.2
7.2.1
7.2.2
7.2.3
7.3
Expected Testing
Expected Testing
Yes
Yes
with
CCW
No
N/A
Not
Tested
8.1
8.1.1
8.1.2
8.1.3
8.1.4
8.1.5
Interview personnel
Interview personnel
Observe processes
Interview personnel
Observe processes
Response
(Check one response for each question)
8.1.6
8.1.7
8.1.8
8.2
8.2.1
Expected Testing
Review documentation
Observe processes
Observe authentication
processes
Yes
Yes
with
CCW
No
N/A
Not
Tested
Response
(Check one response for each question)
8.2.2
8.2.3
Expected Testing
No
N/A
Not
Tested
Review authentication
procedures
Observe personnel
Review customer/user
documentation
Review customer/user
documentation
8.2.4
Yes
Yes
with
CCW
Response
(Check one response for each question)
8.2.5
8.2.6
8.3
Expected Testing
Review customer/user
documentation
Examine system
configurations
Observe personnel
Yes
Yes
with
CCW
No
N/A
Not
Tested
Response
(Check one response for each question)
8.4
8.5
8.5.1
Expected Testing
Interview personnel
Interview users
Review documentation
provided to users
Interview personnel
Interview personnel
Yes
Yes
with
CCW
No
N/A
Not
Tested
Response
(Check one response for each question)
8.6
Interview personnel
(a) Is all user access to, user queries of, and user actions
on (for example, move, copy, delete), the database
through programmatic methods only (for example,
through stored procedures)?
Review database
authentication policies and
procedures
Review database
authentication policies and
procedures
8.7
Expected Testing
Yes
Yes
with
CCW
No
N/A
Not
Tested
Response
(Check one response for each question)
Review database
authentication policies and
procedures
Documented
Interview personnel
In use
8.8
Expected Testing
Yes
Yes
with
CCW
No
N/A
Not
Tested
Observe personnel
Observe processes
Interview personnel
Interview personnel
Observe locations
9.1
9.1.1
9.1.2
Expected Testing
Yes
Yes
with
CCW
No
N/A
Not
Tested
Response
(Check one response for each question)
9.1.3
9.2
Expected Testing
Yes
Yes
with
CCW
No
N/A
Not
Tested
Interview personnel
Observe devices
Interview personnel
Response
(Check one response for each question)
9.3
Expected Testing
Interview personnel
Interview personnel
Examine identification
Observe process
Examine identification
Observe processes
Yes
Yes
with
CCW
No
N/A
Not
Tested
9.4
9.4.1
9.4.2
9.4.3
9.4.4
(g) Does the visitor log contain the visitor's name, the firm
represented, and the onsite personnel authorizing
physical access?
Response
(Check one response for each question)
Yes
Yes
with
CCW
No
N/A
Not
Tested
Interview personnel
Interview personnel
Interview personnel
9.5
Expected Testing
9.5.1
9.6
9.6.1
9.6.2
9.6.3
9.7
9.7.1
Response
(Check one response for each question)
Expected Testing
Yes
Yes
with
CCW
No
N/A
Not
Tested
Interview personnel
Interview personnel
Examine procedures
Observe processes
Observe processes
Interview personnel
9.8
9.8.2
Response
(Check one response for each question)
Expected Testing
Yes
Yes
with
CCW
No
N/A
Not
Tested
9.9
9.9.1
(c)
Interview personnel
Response
(Check one response for each question)
9.9.2
Expected Testing
Interview personnel
Interview personnel
Yes
Yes
with
CCW
No
N/A
Not
Tested
9.9.3
Response
(Check one response for each question)
9.10
Expected Testing
Yes
Yes
with
CCW
No
N/A
Not
Tested
Documented
Interview personnel
In use
10.1
10.2
10.2.1
10.2.2
10.2.3
10.2.4
10.2.5
Expected Testing
Observe processes
Interview system
administrator
Observe processes
Interview system
administrator
Interview personnel
Interview personnel
Interview personnel
Interview personnel
Interview personnel
Yes
Yes
with
CCW
No
N/A
Not
Tested
Response
(Check one response for each question)
10.2.6
10.2.7
10.3
10.3.1
10.3.2
10.3.3
10.3.4
10.3.5
10.3.6
Expected Testing
Interview personnel
Interview personnel
Interview personnel
Interview personnel
Interview personnel
Interview personnel
Interview personnel
Interview personnel
Yes
Yes
with
CCW
No
N/A
Not
Tested
Are the following audit trail entries recorded for all system
components for each event:
User identification?
Type of event?
Origination of event?
Response
(Check one response for each question)
10.4
Expected Testing
Yes
Yes
with
CCW
No
N/A
Not
Tested
10.4.1
10.4.2
Examine system
configurations and time-synchronization settings
Examine system
configurations and time-synchronization settings
and logs
Examine time-related
system parameters
Examine time-related
system parameters
Examine time-related
system parameters
Response
(Check one response for each question)
10.4.3
Examine system configurations
Interview system administrators
Examine system configurations and permissions
Interview system administrators
Examine system configurations and permissions
Interview system administrators
Examine system configurations and permissions
Interview system administrators
Examine system configurations and permissions
10.5
10.5.1
10.5.2
10.5.3
10.5.4
10.5.5
10.6
Examine settings, monitored files, and results from monitoring activities
10.6.1
Observe processes
Interview personnel
10.6.2
10.6.3
10.7
10.8
Interview personnel
Observe processes
Interview personnel
Interview personnel
Interview personnel
Observe processes
Interview personnel
Documented
In use
11.1
11.1.1
11.1.2
11.2
11.2.1
11.2.2
Interview personnel
11.2.3
11.3
11.3.1
Interview personnel
Examine penetration-testing methodology
11.3.2
Review penetration-testing methodology
11.3.4
repeated
11.4
Examine IDS/IPS configurations
11.5
System executables
Application executables
Configuration and parameter files
Centrally stored, historical or archived, log, and audit files
Additional critical files determined by entity (for example, through risk assessment or other means)
Interview personnel
11.5.1
11.6
Documented
In use
Known to all affected parties?
12.1
12.1.1
12.2
Interview personnel
12.3
12.3.1
12.3.2
12.3.3
12.3.4
12.3.5
12.3.6
12.3.7
12.3.8
12.3.9
12.3.10
(a) For personnel accessing cardholder data via remote-access technologies, does the policy specify the prohibition of copying, moving, and storage of cardholder data onto local hard drives and removable electronic media, unless explicitly authorized for a defined business need?
of
12.4
12.5
Interview a sample of responsible personnel
12.5.1
12.5.2
12.5.3
12.5.4
12.5.5
12.6
12.6.1
12.7
Interview personnel
12.6.2
12.8
12.8.1
12.8.2
Observe processes
Observe processes
Observe processes
Observe processes
12.8.3
12.8.4
12.8.5
12.9
12.10
12.10.1
12.10.2
12.10.3
12.10.4
12.10.5
12.10.6
Observe processes
Review policies
Observe processes
Observe processes
Observe processes
A.1
A.1.1
(a) Are the user IDs for application processes not privileged users (root/admin)?
For example:
No entity on the system can use a shared web server user ID.
All CGI scripts used by an entity must be created and run as the entity's unique user ID
A.1.2
Disk space,
Bandwidth,
Memory,
CPU
Disk space
Bandwidth
Memory
CPU
A.1.3
(a) Are logging and audit trails enabled and unique to each entity's cardholder data environment and consistent with PCI DSS Requirement 10?
A.1.4
Requirement
1.1.2.a
We do not provide wireless network. We are SAQ-D level 2 and we do not save
cardholder data, only the acquiring bank.
1.1.3.a
We are SAQ-D level 2 service providers and we do not save cardholder data, only
the acquiring bank.
1.2.1.a
We are SAQ-D level 2 service providers and we do not save cardholder data, only
the acquiring bank.
1.2.3
1.3.3
We are SAQ-D level 2 service providers and we do not save cardholder data, only
the acquiring bank.
1.3.5
We are SAQ-D level 2 service providers and we do not save cardholder data, only
the acquiring bank.
1.3.7
We are SAQ-D level 2 service providers and we do not save cardholder data, only
the acquiring bank.
1.4.a
2.1.1.b
2.1.1.d
2.1.1.e
2.6
We do not use shared hosting provider. We do not save any cardholder data. It is
saved by our acquiring bank.
3.1.b
3.1.c
We do not save any cardholder data. It is saved by our acquiring bank. We are
complying for SAQ-D Level 2 service provider.
3.1.d
We do not save any cardholder data. It is saved by our acquiring bank. We are
complying for SAQ-D Level 2 service provider.
3.1.e
We do not save any cardholder data. It is saved by our acquiring bank. We are
complying for SAQ-D Level 2 service provider.
3.2.a
We are not saving cardholder data. Our acquiring bank saves cardholder data.
3.2.b
We are not saving cardholder data. Our acquiring bank saves cardholder data.
3.2.c
We are not saving cardholder data. Our acquiring bank saves cardholder data.
3.2.1
We are not saving cardholder data. Our acquiring bank saves cardholder data.
3.2.2
We are not saving cardholder data. Our acquiring bank saves cardholder data.
3.2.3
We are not saving cardholder data. Our acquiring bank saves cardholder data.
3.3
We are not saving cardholder data. Our acquiring bank saves cardholder data.
3.4
We are not saving cardholder data. Our acquiring bank saves cardholder data.
3.4.1.c
We are not saving cardholder data. Our acquiring bank saves the cardholder data.
3.5.2
We are not saving cardholder data. Our acquiring bank saves the cardholder data.
3.6.a
We are not saving cardholder data. Our acquiring bank saves the cardholder data.
3.6.b
We are not saving cardholder data. Our acquiring bank saves the cardholder data.
3.7
We are not saving any cardholder data. Our acquiring bank saves the cardholder
data.
4.1.a
We are not saving any cardholder data. Our acquiring bank saves the cardholder
data.
4.1.e
We are not saving any cardholder data. Our acquiring bank saves the cardholder
data.
4.2.a
We are not saving any cardholder data. Our acquiring bank saves the cardholder
data.
4.2.b
We are not saving any cardholder data. Our acquiring bank saves the cardholder
data.
4.3
We are not saving any cardholder data. Our acquiring bank saves the cardholder
data.
6.4.3
We are not saving any cardholder data. Our acquiring bank saves the cardholder
data.
6.4.4
We are not saving any cardholder data. Our acquiring bank saves the cardholder
data.
7.1
We do not save any cardholder data. Our acquiring bank saves data.
7.3
We do not save any cardholder data. Our acquiring bank saves data.
8.1.1
We do not save any cardholder data. Our acquiring bank saves data.
8.1.2
We do not save any cardholder data. Our acquiring bank saves data. We aim for
SAQ-D level 2 service provider status.
9.1
We do not save any cardholder data. Our acquiring bank saves data and is
responsible for cardholder data. We are aiming for SAQ-D level 2 service provider.
9.1.3
9.4.2.b
9.4.4.a
We do not save any cardholder data. Our acquiring bank saves data and is
responsible for cardholder data. We are aiming for SAQ-D level 2 service provider.
9.5
We do not save any cardholder data. Our acquiring bank saves data and is
responsible for cardholder data. We are aiming for SAQ-D level 2 service provider.
9.5.1.a
We do not save any cardholder data. Our acquiring bank saves data and is
responsible for cardholder data. We are aiming for SAQ-D level 2 service provider.
9.5.1.b
We do not save any cardholder data. Our acquiring bank saves data and is
responsible for cardholder data. We are aiming for SAQ-D level 2 service provider.
9.6.a
We do not save any cardholder data. Our acquiring bank saves data and is
responsible for cardholder data. We are aiming for SAQ-D level 2 service provider.
9.6.1
We do not save any cardholder data. Our acquiring bank saves data and is
responsible for cardholder data. We are aiming for SAQ-D level 2 service provider.
9.6.2
We do not save any cardholder data. Our acquiring bank saves data and is
responsible for cardholder data. We are aiming for SAQ-D level 2 service provider.
9.6.3
We do not save any cardholder data. Our acquiring bank saves data and is
responsible for cardholder data. We are aiming for SAQ-D level 2 service provider.
9.7
We do not save any cardholder data. Our acquiring bank saves data and is
responsible for cardholder data. We are aiming for SAQ-D level 2 service provider.
9.7.1.a
We do not save any cardholder data. Our acquiring bank saves data and is
responsible for cardholder data. We are aiming for SAQ-D level 2 service provider.
9.7.1.b
We do not save any cardholder data. Our acquiring bank saves data and is
responsible for cardholder data. We are aiming for SAQ-D level 2 service provider.
9.8.a
We do not save any cardholder data. Our acquiring bank saves data and is
responsible for cardholder data. We are aiming for SAQ-D level 2 service provider.
9.8.b
We do not save any cardholder data. Our acquiring bank saves data and is
responsible for cardholder data. We are aiming for SAQ-D level 2 service provider.
9.8.1.a
We do not save any cardholder data. Our acquiring bank saves data and is
responsible for cardholder data. We are aiming for SAQ-D level 2 service provider.
9.8.1.b
We do not save any cardholder data. Our acquiring bank saves data and is
responsible for cardholder data. We are aiming for SAQ-D level 2 service provider.
9.8.2
We do not save any cardholder data. Our acquiring bank saves data and is
responsible for cardholder data. We are aiming for SAQ-D level 2 service provider.
9.9.a
We do not save any cardholder data. Our acquiring bank saves data and is
responsible for cardholder data. We are aiming for SAQ-D level 2 service provider.
9.9.b
We do not save any cardholder data. Our acquiring bank saves data and is
responsible for cardholder data. We are aiming for SAQ-D level 2 service provider.
9.9.c
We do not save any cardholder data. Our acquiring bank saves data and is
9.9.1.a
We do not save any cardholder data. Our acquiring bank saves data and is
responsible for cardholder data. We are aiming for SAQ-D level 2 service provider.
9.9.1.b
We do not save any cardholder data. Our acquiring bank saves data and is
responsible for cardholder data. We are aiming for SAQ-D level 2 service provider.
9.9.1.c
We do not save any cardholder data. Our acquiring bank saves data and is
responsible for cardholder data. We are aiming for SAQ-D level 2 service provider.
9.9.2.a
We do not save any cardholder data. Our acquiring bank saves data and is
responsible for cardholder data. We are aiming for SAQ-D level 2 service provider.
9.9.2.b
We do not save any cardholder data. Our acquiring bank saves data and is
responsible for cardholder data. We are aiming for SAQ-D level 2 service provider.
9.9.3.a
We do not save any cardholder data. Our acquiring bank saves data and is
responsible for cardholder data. We are aiming for SAQ-D level 2 service provider.
9.9.3.b
We do not save any cardholder data. Our acquiring bank saves data and is
responsible for cardholder data. We are aiming for SAQ-D level 2 service provider.
We are licensed. E-money institution.
9.10
We do not save any cardholder data. Our acquiring bank saves data and is
responsible for cardholder data. We are aiming for SAQ-D level 2 service provider.
We are licensed. E-money institution.
10.1.a
We do not save any cardholder data. Our acquiring bank saves data and is
responsible for cardholder data. We are aiming for SAQ-D level 2 service provider.
We are licensed. E-money institution.
10.1.b
We do not save any cardholder data. Our acquiring bank saves data and is
responsible for cardholder data. We are aiming for SAQ-D level 2 service provider.
We are licensed. E-money institution.
10.2.1
We do not save any cardholder data. Our acquiring bank saves data and is
responsible for cardholder data. We are aiming for SAQ-D level 2 service provider.
We are licensed. E-money institution.
10.2.2
We do not save any cardholder data. Our acquiring bank saves data and is
responsible for cardholder data. We are aiming for SAQ-D level 2 service provider.
We are licensed. E-money institution.
10.2.3
We do not save any cardholder data. Our acquiring bank saves data and is
responsible for cardholder data. We are aiming for SAQ-D level 2 service provider.
We are licensed. E-money institution.
10.2.4
We do not save any cardholder data. Our acquiring bank saves data and is
responsible for cardholder data. We are aiming for SAQ-D level 2 service provider.
We are licensed. E-money institution.
10.2.5
We do not save any cardholder data. Our acquiring bank saves data and is
responsible for cardholder data. We are aiming for SAQ-D level 2 service provider.
10.2.6
We do not save any cardholder data. Our acquiring bank saves data and is
responsible for cardholder data. We are aiming for SAQ-D level 2 service provider.
We are licensed. E-money institution.
10.2.7
We do not save any cardholder data. Our acquiring bank saves data and is
responsible for cardholder data. We are aiming for SAQ-D level 2 service provider.
We are licensed. E-money institution.
10.3.1
We do not save any cardholder data. Our acquiring bank saves data and is
responsible for cardholder data. We are aiming for SAQ-D level 2 service provider.
We are licensed. E-money institution.
10.3.2
We do not save any cardholder data. Our acquiring bank saves data and is
responsible for cardholder data. We are aiming for SAQ-D level 2 service provider.
We are licensed. E-money institution.
10.3.3
We do not save any cardholder data. Our acquiring bank saves data and is
responsible for cardholder data. We are aiming for SAQ-D level 2 service provider.
We are licensed. E-money institution.
10.3.4
We do not save any cardholder data. Our acquiring bank saves data and is
responsible for cardholder data. We are aiming for SAQ-D level 2 service provider.
We are licensed. E-money institution.
10.3.5
We do not save any cardholder data. Our acquiring bank saves data and is
responsible for cardholder data. We are aiming for SAQ-D level 2 service provider.
We are licensed. E-money institution.
10.3.6
We do not save any cardholder data. Our acquiring bank saves data and is
responsible for cardholder data. We are aiming for SAQ-D level 2 service provider.
We are licensed. E-money institution.
10.4
We do not save any cardholder data. Our acquiring bank saves data and is
responsible for cardholder data. We are aiming for SAQ-D level 2 service provider.
We are licensed. E-money institution.
10.4.1.a
We do not save any cardholder data. Our acquiring bank saves data and is
responsible for cardholder data. We are aiming for SAQ-D level 2 service provider.
We are licensed. E-money institution.
10.4.1.b
We do not save any cardholder data. Our acquiring bank saves data and is
responsible for cardholder data. We are aiming for SAQ-D level 2 service provider.
We are licensed. E-money institution.
10.4.1.c
We do not save any cardholder data. Our acquiring bank saves data and is
responsible for cardholder data. We are aiming for SAQ-D level 2 service provider.
We are licensed. E-money institution.
10.4.2.a
We do not save any cardholder data. Our acquiring bank saves data and is
responsible for cardholder data. We are aiming for SAQ-D level 2 service provider.
We are licensed. E-money institution.
10.4.2.b
We do not save any cardholder data. Our acquiring bank saves data and is
responsible for cardholder data. We are aiming for SAQ-D level 2 service provider.
We are licensed. E-money institution.
10.4.3
We do not save any cardholder data. Our acquiring bank saves data and is
responsible for cardholder data. We are aiming for SAQ-D level 2 service provider.
We are licensed. E-money institution.
10.5.1
We do not save any cardholder data. Our acquiring bank saves data and is
responsible for cardholder data. We are aiming for SAQ-D level 2 service provider.
We are licensed. E-money institution.
10.5.2
We do not save any cardholder data. Our acquiring bank saves data and is
responsible for cardholder data. We are aiming for SAQ-D level 2 service provider.
We are licensed. E-money institution.
10.5.3
We do not save any cardholder data. Our acquiring bank saves data and is
responsible for cardholder data. We are aiming for SAQ-D level 2 service provider.
We are licensed. E-money institution.
10.5.4
We do not save any cardholder data. Our acquiring bank saves data and is
responsible for cardholder data. We are aiming for SAQ-D level 2 service provider.
We are licensed. E-money institution.
10.5.5
We do not save any cardholder data. Our acquiring bank saves data and is
responsible for cardholder data. We are aiming for SAQ-D level 2 service provider.
We are licensed. E-money institution.
10.6.1.a
We do not save any cardholder data. Our acquiring bank saves data and is
responsible for cardholder data. We are aiming for SAQ-D level 2 service provider.
We are licensed. E-money institution.
10.7.a
We do not save any cardholder data. Our acquiring bank saves data and is
responsible for cardholder data. We are aiming for SAQ-D level 2 service provider.
We are licensed. E-money institution.
10.7.b
We do not save any cardholder data. Our acquiring bank saves data and is
responsible for cardholder data. We are aiming for SAQ-D level 2 service provider.
We are licensed. E-money institution.
10.7.c
We do not save any cardholder data. Our acquiring bank saves data and is
responsible for cardholder data. We are aiming for SAQ-D level 2 service provider.
We are licensed. E-money institution.
10.8
We do not save any cardholder data. Our acquiring bank saves data and is
responsible for cardholder data. We are aiming for SAQ-D level 2 service provider.
We are licensed. E-money institution.
11.1.a
11.1.b
11.1.c
We do not provide/use wireless network. We do not save any cardholder data. Our
acquiring bank saves data and is responsible for cardholder data. We are aiming for
11.1.d
We do not provide/use Wireless network. We do not save any cardholder data. Our
acquiring bank saves data and is responsible for cardholder data. We are aiming for
SAQ-D level 2 service provider. We are licensed. E-money institution.
11.1.1
We do not provide/use wireless network. We do not save any cardholder data. Our
acquiring bank saves data and is responsible for cardholder data. We are aiming for
SAQ-D level 2 service provider. We are licensed. E-money institution.
11.1.2.a
We do not provide/use wireless network. We do not save any cardholder data. Our
acquiring bank saves data and is responsible for cardholder data. We are aiming for
SAQ-D level 2 service provider. We are licensed. E-money institution.
11.1.2.b
We do not provide/use wireless network. We do not save any cardholder data. Our
acquiring bank saves data and is responsible for cardholder data. We are aiming for
SAQ-D level 2 service provider. We are licensed. E-money institution.
11.3
We are not saving any cardholder data. Our acquiring bank will be responsible for
saving data. We aim for SAQ-D level 2 service provider. We are licensed E-money
payment institution.
11.3.1.a
We are not saving any cardholder data. Our acquiring bank will be responsible for
saving data. We aim for SAQ-D level 2 service provider. We are licensed E-money
payment institution.
11.3.2.a
We are not saving any cardholder data. Our acquiring bank will be responsible for
saving data. We aim for SAQ-D level 2 service provider. We are licensed E-money
payment institution.
11.3.3
We are not saving any cardholder data. Our acquiring bank will be responsible for
saving data. We aim for SAQ-D level 2 service provider. We are licensed E-money
payment institution.
11.3.4.a
We are not saving any cardholder data. Our acquiring bank will be responsible for
saving data. We aim for SAQ-D level 2 service provider. We are licensed E-money
payment institution.
11.3.4.b
We are not saving any cardholder data. Our acquiring bank will be responsible for
saving data. We aim for SAQ-D level 2 service provider. We are licensed E-money
payment institution.
11.4.a
We are not saving any cardholder data. Our acquiring bank will be responsible for
saving data. We aim for SAQ-D level 2 service provider. We are licensed E-money
payment institution.
11.4.b
We are not saving any cardholder data. Our acquiring bank will be responsible for
saving data. We aim for SAQ-D level 2 service provider. We are licensed E-money
payment institution.
11.4.c
We are not saving any cardholder data. Our acquiring bank will be responsible for
saving data. We aim for SAQ-D level 2 service provider. We are licensed E-money
payment institution.
11.5.a
We are not saving any cardholder data. Our acquiring bank will be responsible for
saving data. We aim for SAQ-D level 2 service provider. We are licensed E-money
payment institution.
11.5.b
We are not saving any cardholder data. Our acquiring bank will be responsible for
saving data. We aim for SAQ-D level 2 service provider. We are licensed E-money
payment institution.
11.5.1
We are not saving any cardholder data. Our acquiring bank will be responsible for
saving data. We aim for SAQ-D level 2 service provider. We are licensed E-money
payment institution.
12.1
We are not saving any cardholder data. Our acquiring bank responsible for saving
cardholder data. We are aiming for SAQ-D level 2 service provider. We are licensed
E-money payments institution.
12.1.1
We are not saving any cardholder data. Our acquiring bank responsible for saving
cardholder data. We are aiming for SAQ-D level 2 service provider. We are licensed
E-money payments institution.
12.2.a
We are not saving any cardholder data. Our acquiring bank responsible for saving
cardholder data. We are aiming for SAQ-D level 2 service provider. We are licensed
E-money payments institution.
12.2.b
We are not saving any cardholder data. Our acquiring bank responsible for saving
cardholder data. We are aiming for SAQ-D level 2 service provider. We are licensed
E-money payments institution.
12.3.1
We are not saving any cardholder data. Our acquiring bank responsible for saving
cardholder data. We are aiming for SAQ-D level 2 service provider. We are licensed
E-money payments institution.
12.3.2
We are not saving any cardholder data. Our acquiring bank responsible for saving
cardholder data. We are aiming for SAQ-D level 2 service provider. We are licensed
E-money payments institution.
12.3.3
We are not saving any cardholder data. Our acquiring bank responsible for saving
cardholder data. We are aiming for SAQ-D level 2 service provider. We are licensed
E-money payments institution.
12.3.4
We are not saving any cardholder data. Our acquiring bank responsible for saving
cardholder data. We are aiming for SAQ-D level 2 service provider. We are licensed
E-money payments institution.
12.3.5
We are not saving any cardholder data. Our acquiring bank responsible for saving
cardholder data. We are aiming for SAQ-D level 2 service provider. We are licensed
E-money payments institution.
12.3.6
We are not saving any cardholder data. Our acquiring bank responsible for saving
cardholder data. We are aiming for SAQ-D level 2 service provider. We are licensed
E-money payments institution.
12.3.7
We are not saving any cardholder data. Our acquiring bank responsible for saving
cardholder data. We are aiming for SAQ-D level 2 service provider. We are licensed
12.3.8
We are not saving any cardholder data. Our acquiring bank responsible for saving
cardholder data. We are aiming for SAQ-D level 2 service provider. We are licensed
E-money payments institution.
12.3.9
We are not saving any cardholder data. Our acquiring bank responsible for saving
cardholder data. We are aiming for SAQ-D level 2 service provider. We are licensed
E-money payments institution.
12.3.10.a
We are not saving any cardholder data. Our acquiring bank responsible for saving
cardholder data. We are aiming for SAQ-D level 2 service provider. We are licensed
E-money payments institution.
12.3.10.b
We are not saving any cardholder data. Our acquiring bank responsible for saving
cardholder data. We are aiming for SAQ-D level 2 service provider. We are licensed
E-money payments institution.
12.4
We are not saving any cardholder data. Our acquiring bank responsible for saving
cardholder data. We are aiming for SAQ-D level 2 service provider. We are licensed
E-money payments institution.
12.5.a
We are not saving any cardholder data. Our acquiring bank responsible for saving
cardholder data. We are aiming for SAQ-D level 2 service provider. We are licensed
E-money payments institution.
12.5.1
We are not saving any cardholder data. Our acquiring bank responsible for saving
cardholder data. We are aiming for SAQ-D level 2 service provider. We are licensed
E-money payments institution.
12.5.2
We are not saving any cardholder data. Our acquiring bank responsible for saving
cardholder data. We are aiming for SAQ-D level 2 service provider. We are licensed
E-money payments institution.
12.5.3
We are not saving any cardholder data. Our acquiring bank responsible for saving
cardholder data. We are aiming for SAQ-D level 2 service provider. We are licensed
E-money payments institution.
12.5.4
We are not saving any cardholder data. Our acquiring bank responsible for saving
cardholder data. We are aiming for SAQ-D level 2 service provider. We are licensed
E-money payments institution.
12.5.5
We are not saving any cardholder data. Our acquiring bank responsible for saving
cardholder data. We are aiming for SAQ-D level 2 service provider. We are licensed
E-money payments institution.
12.6.a
We are not saving any cardholder data. Our acquiring bank responsible for saving
cardholder data. We are aiming for SAQ-D level 2 service provider. We are licensed
E-money payments institution.
12.6.1.a
We are not saving any cardholder data. Our acquiring bank responsible for saving
cardholder data. We are aiming for SAQ-D level 2 service provider. We are licensed
E-money payments institution.
12.6.1.b
We are not saving any cardholder data. Our acquiring bank is responsible for saving
cardholder data. We are aiming for SAQ-D level 2 service provider. We are a licensed
E-money payments institution.
12.6.1.c
We are not saving any cardholder data. Our acquiring bank is responsible for saving
cardholder data. We are aiming for SAQ-D level 2 service provider. We are a licensed
E-money payments institution.
12.6.2
We are not saving any cardholder data. Our acquiring bank is responsible for saving
cardholder data. We are aiming for SAQ-D level 2 service provider. We are a licensed
E-money payments institution.
12.7
We are not saving any cardholder data. Our acquiring bank is responsible for saving
cardholder data. We are aiming for SAQ-D level 2 service provider. We are a licensed
E-money payments institution.
12.8.1
We are not saving any cardholder data. Our acquiring bank is responsible for saving
cardholder data. We are aiming for SAQ-D level 2 service provider. We are a licensed
E-money payments institution.
12.8.2
We are not saving any cardholder data. Our acquiring bank is responsible for saving
cardholder data. We are aiming for SAQ-D level 2 service provider. We are a licensed
E-money payments institution.
12.8.3
We are not saving any cardholder data. Our acquiring bank is responsible for saving
cardholder data. We are aiming for SAQ-D level 2 service provider. We are a licensed
E-money payments institution. Payment service provider.
12.8.4
We are not saving any cardholder data. Our acquiring bank is responsible for saving
cardholder data. We are aiming for SAQ-D level 2 service provider. We are a licensed
E-money payments institution. Payment service provider.
12.8.5
We are not saving any cardholder data. Our acquiring bank is responsible for saving
cardholder data. We are aiming for SAQ-D level 2 service provider. We are a licensed
E-money payments institution. Payment service provider.
12.9
We are not saving any cardholder data. Our acquiring bank is responsible for saving
cardholder data. We are aiming for SAQ-D level 2 service provider. We are a licensed
E-money payments institution. Payment service provider.
12.10.1.a
We are not saving any cardholder data. Our acquiring bank is responsible for saving
cardholder data. We are aiming for SAQ-D level 2 service provider. We are a licensed
E-money payments institution. Payment service provider.
12.10.1.b__1
We are not saving any cardholder data. Our acquiring bank is responsible for saving
cardholder data. We are aiming for SAQ-D level 2 service provider. We are a licensed
E-money payments institution. Payment service provider.
12.10.1.b__2
We are not saving any cardholder data. Our acquiring bank is responsible for saving
cardholder data. We are aiming for SAQ-D level 2 service provider. We are a licensed
E-money payments institution. Payment service provider.
12.10.1.b__3
We are not saving any cardholder data. Our acquiring bank is responsible for saving
cardholder data. We are aiming for SAQ-D level 2 service provider. We are licensed
12.10.1.b__4
We are not saving any cardholder data. Our acquiring bank is responsible for saving
cardholder data. We are aiming for SAQ-D level 2 service provider. We are a licensed
E-money payments institution. Payment service provider.
12.10.1.b__5
We are not saving any cardholder data. Our acquiring bank is responsible for saving
cardholder data. We are aiming for SAQ-D level 2 service provider. We are a licensed
E-money payments institution. Payment service provider.
12.10.1.b__6
We are not saving any cardholder data. Our acquiring bank is responsible for saving
cardholder data. We are aiming for SAQ-D level 2 service provider. We are a licensed
E-money payments institution. Payment service provider.
12.10.1.b__7
We are not saving any cardholder data. Our acquiring bank is responsible for saving
cardholder data. We are aiming for SAQ-D level 2 service provider. We are a licensed
E-money payments institution. Payment service provider.
12.10.2
We are not saving any cardholder data. Our acquiring bank is responsible for saving
cardholder data. We are aiming for SAQ-D level 2 service provider. We are a licensed
E-money payments institution. Payment service provider.
12.10.4
We are not saving any cardholder data. Our acquiring bank is responsible for saving
cardholder data. We are aiming for SAQ-D level 2 service provider. We are a licensed
E-money payments institution. Payment service provider.
12.10.5
We are not saving any cardholder data. Our acquiring bank is responsible for saving
cardholder data. We are aiming for SAQ-D level 2 service provider. We are a licensed
E-money payments institution. Payment service provider.
12.10.6
We are not saving any cardholder data. Our acquiring bank is responsible for saving
cardholder data. We are aiming for SAQ-D level 2 service provider. We are a licensed
E-money payments institution. Payment service provider.
Examples:
Requirement 12
Requirements 1-8, 10-12
Company is a physical hosting provider (COLO), and only physical security controls were
considered for this assessment.
Compliant: All sections of the PCI DSS SAQ are complete, all questions answered affirmatively,
resulting in an overall COMPLIANT rating; thereby UAB Mistertango has demonstrated full compliance
with the PCI DSS.
Non-Compliant: Not all sections of the PCI DSS SAQ are complete, or not all questions are answered
affirmatively, resulting in an overall NON-COMPLIANT rating, thereby UAB Mistertango has not
demonstrated full compliance with the PCI DSS.
Target Date for Compliance:
An entity submitting this form with a status of Non-Compliant may be required to complete the Action
Plan in Part 4 of this document. Check with the payment brand(s) before completing Part 4.
Compliant but with Legal exception: One or more requirements are marked No due to a legal
restriction that prevents the requirement from being met. This option requires additional review from
acquirer or payment brand.
If checked, complete the following:
Affected Requirement
PCI DSS Self-Assessment Questionnaire D, Version 3.1, was completed according to the instructions
therein.
All information within the above-referenced SAQ and in this attestation fairly
represents the results of my assessment in all material respects.
I have confirmed with my payment application vendor that my payment system does not
store sensitive authentication data after authorization.
I have read the PCI DSS and I recognize that I must maintain PCI DSS compliance, as applicable to
my environment, at all times.
If my environment changes, I recognize I must reassess my environment and implement any additional
PCI DSS requirements that apply.
PCI DSS v3.1 SAQ D for Service Providers, Rev. 1.1 Section 3: Validation and Attestation Details
2006-2015 PCI Security Standards Council, LLC. All Rights Reserved.
July 2015
Page 96
No evidence of full track data¹, CAV2, CVC2, CID, or CVV2 data², or PIN data³ storage after
transaction authorization was found on ANY system reviewed during this assessment.
ASV scans are being completed by the PCI SSC Approved Scanning Vendor Comodo CA Limited
Date: 08/04/16
Date:
QSA Company:
Signature of ISA
Date:
ISA Name:
Title:
¹ Data encoded in the magnetic stripe or equivalent data on a chip used for authorization during a card-present transaction. Entities
may not retain full track data after transaction authorization. The only elements of track data that may be retained are primary
account number (PAN), expiration date, and cardholder name.
² The three- or four-digit value printed by the signature panel or on the face of a payment card used to verify card-not-present
transactions.
³ Personal identification number entered by cardholder during a card-present transaction, and/or encrypted PIN block present
within the transaction message.
PCI DSS
Requirement
Description of
Requirement
(Select One)
YES
NO
security parameters
A.1
Encrypt transmission of
cardholder data across
open, public networks
software or
programs
6
Restrict access to
cardholder data by
business need to know
10
11
12
Povilas iba