SAQ C is a PCI compliance questionnaire designed for merchants with point-of-sale (POS) systems that connect to the internet and do not store cardholder data electronically.
How do I start?
Paystri has partnered with SecureTrust to provide you with the tools to complete the SAQ online, as well as schedule any necessary scans. You should receive an email when it's time to attest to your annual compliance. You will need to log in to the SecureTrust Portal.
If this is your first time completing your PCI SAQ, you will need to complete your business profile. You will only need to do this once, the information will be saved for you next year, and you can simply update it if something has changed.
Select Manage on the business profile section to begin.
You will be taken to a page detailing the next steps. Click Next until you are asked to pick an assessment method. Choose Expert then click Next.
You will need to select your PCI DSS compliance assessment type. For CCI merchants, choose type C for card-present using card readers that fully outsource all cardholder data functions to a PCI DSS validated third-party service.
When asked if your compliance assessment requires scanning, answer by choosing "No."
Third Party payment service providers
When asked if your company shares cardholder data with third-party providers or uses more than one acquirer, answer "No."
Next, it will ask if you enforce a minimum password length of seven characters. Answer "Yes," and make sure it is true on your systems: PCI DSS v4.0 (Requirement 8.3.6) raises the minimum to 12 characters (8 where a system cannot support 12), so enforcing the longer minimum now is the safer policy.
Third Party Managed System Service Providers
When asked if your company has relationships with one or more third-party service providers that manage system components, answer "No."
Other Third Party Service Providers that may impact card data security.
When asked if your company has relationships with other third-party service providers, answer "No."
When you arrive at the summary page, hover over the orange question marks for additional details on each description box. See below for some examples of what information to include.
Your next steps
Once you've completed the above steps, your next step is to complete your PCI compliance questionnaire.
Completing your Security Assessment Questionnaire
The answers you provide on the business profile will determine which Self Assessment Questionnaire (SAQ) you need to complete. The answers you have already provided are used to fill out the SAQ as thoroughly as possible, though there are likely to still be a handful of questions you will need to answer.
On your dashboard, under the Complete security assessment section, select Manage, then choose Answer Now.
The rest of the questions will be about your specific business practices, computer use and security, and physical security. If you need clarification on a question, there will be a blue information box with additional details. You can also call SecureTrust at 1-800-363-1621 for assistance.
What to Expect When Completing PCI SAQ C
Questions are divided into seven sections. The SAQ C is designed for merchants who have outsourced all cardholder data functions to third-party service providers. You should be answering "yes," to most if not all questions indicating compliance with the PCI DSS requirements. Below is a guide on how to approach the questions, and why you should answer yes to each question.
This is what the opening dashboard looks like, and you will notice it lists the number of questions in each section. As you go through, it is good practice to check that every question in a section has been answered before moving to the next section.
Question 2.1.1
Why You Should Answer "Yes"
- Documented: Ensures all staff are aware of operational procedures.
- Kept up to Date: Since requirements change over time they need to be kept up to date.
- In Use: Knowing the operational requirements and procedures and following them at all times.
- Known to All Affected Parties: Making sure all affected parties are aware of, and following operational procedures.
Keeping these policies documented, current, and followed is the foundation for the hardening controls that follow, and supports PCI DSS compliance.
Question 2.2.1
Why You Should Answer "Yes"
- Cover All System Components: Every system component is potential attack surface, so the configuration standard must apply to all of them, not only the obvious ones.
- Address All Known Security Vulnerabilities: Regularly update all systems to protect against vulnerabilities.
- Be Consistent with Industry-Accepted System Hardening Standards or Vendor Hardening Recommendations: Follow all system hardening recommendations.
- Be Updated as New Vulnerability Issues are Identified, as Defined in Requirement 6.3.1: Keeping systems updated to protect against known weaknesses.
- Be Applied When new Systems are Configured and Verified as In Place Before or Immediately After a System Component is Connected to a Production Environment: To ensure any new components are hardened and secure.
These practices maintain security and ensure PCI DSS compliance by promptly addressing vulnerabilities.
Question 2.2.2
Why You Should Answer "Yes"
- If the Vendor Default Account(s) will be used, the Default Password is changed as per Requirement 8.3.6: Ensures nobody can gain access with the default password.
- If the Vendor Default Account(s) will not be used, the account is removed or disabled: Helps control access, enhancing security.
These practices maintain secure access and comply with PCI DSS requirements.
Question 2.2.3
Why You Should Answer "Yes"
- Only one primary function exists on a system component: Separating functions means a compromise of one (for example a web server) does not hand the attacker a database on the same host.
- Primary functions with differing security levels that exist on the same system component are isolated from each other: Isolation (for example through containers or virtualization) limits how far a compromise of the lower-security function can spread.
- Primary functions with differing security levels on the same system component are all secured to the level required by the function with the highest security need: Otherwise the weakest function sets the security level of the whole host.
These practices keep one compromised function from exposing the CDE and ensure PCI DSS compliance.
Question 2.2.4
Why You Should Answer "Yes"
- Only necessary services, protocols, daemons, and functions are enabled, and all unnecessary functionality is removed or disabled: Every listening service is a potential entry point, so removing what is not needed shrinks the attack surface an intruder can probe.
These practices reduce exposure and ensure PCI DSS compliance.
Question 2.2.5
Why You Should Answer "Yes"
- Business justification is documented: This shows the business need for using them.
- Additional security features are documented and implemented that reduce the risk of using insecure services, protocols, or daemons: Ensures secure access and protects system components.
Documenting the justification and the compensating controls keeps the risk of any insecure service understood and managed, and ensures PCI DSS compliance.
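Questions 2.2.4 and 2.2.5 are easiest to answer honestly if you periodically compare what is actually listening on each POS host with your documented standard. The script below is an added example, not code from the Paystri page or the SecureTrust portal: SS_OUTPUT is a constructed snapshot in the format of Linux `ss -tlnp` output, and the ALLOWED and INSECURE_PORTS tables are a hypothetical configuration standard. Each listener is classified as allowed, insecure but justified (2.2.5), or something to remove (2.2.4).

```python
import re

# Added example for PCI DSS Requirements 2.2.4 and 2.2.5; not the page's or
# the portal's code. SS_OUTPUT is a constructed snapshot shaped like the output
# of `ss -tlnp` on a Linux POS host. ALLOWED and INSECURE_PORTS are a
# hypothetical configuration standard, an assumption made for this example.

SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=811,fd=3))
LISTEN  0       128     0.0.0.0:23           0.0.0.0:*          users:(("telnetd",pid=902,fd=4))
LISTEN  0       511     127.0.0.1:8443       0.0.0.0:*          users:(("pos-agent",pid=1203,fd=7))
LISTEN  0       128     0.0.0.0:21           0.0.0.0:*          users:(("vsftpd",pid=1311,fd=5))
"""

# Cleartext or weakly authenticated protocols that 2.2.5 expects to be justified
# and compensated for if they are kept at all.
INSECURE_PORTS = {21: "ftp", 23: "telnet", 69: "tftp", 161: "snmp", 513: "rlogin"}

# The hardening standard: port -> the process expected to own it.
ALLOWED = {22: "sshd", 8443: "pos-agent"}


def parse_ss(output: str):
    """Yield (port, process) for each LISTEN line of `ss -tlnp` output."""
    for line in output.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        port = int(fields[3].rsplit(":", 1)[1])    # works for "0.0.0.0:22" and "[::]:22"
        m = re.search(r'\(\("([^"]+)"', line)      # process name inside users:(("name",...))
        yield port, (m.group(1) if m else "?")


def audit_services(output: str, allowed: dict, justified: dict) -> list:
    """Return (port, process, verdict) for every listener, sorted by port.

    `justified` maps an insecure port to its documented business justification
    and compensating control, which is what 2.2.5 requires before such a
    service may stay enabled.
    """
    findings = []
    for port, proc in parse_ss(output):
        if allowed.get(port) == proc:
            verdict = "allowed"
        elif port in INSECURE_PORTS and port in justified:
            verdict = "insecure-justified"
        elif port in INSECURE_PORTS:
            verdict = "insecure-remove-or-justify"
        else:
            verdict = "unexpected-remove"
        findings.append((port, proc, verdict))
    return sorted(findings)


if __name__ == "__main__":
    for port, proc, verdict in audit_services(SS_OUTPUT, ALLOWED, {}):
        print(f"{port:>5}  {proc:<10} {verdict}")
```

Run it against a real `ss -tlnp` capture from each POS host and keep the ALLOWED table with your configuration standard; anything that comes back as "remove" is either a hardening gap for 2.2.4 or needs a written justification and compensating control for 2.2.5.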
Question 2.2.6
Why You Should Answer "Yes"
- System security parameters are configured to prevent misuse: Secure settings keep the system hardened at all times, not only when it was first built.
These practices enhance security and ensure PCI DSS compliance.
Question 2.2.7
Why You Should Answer "Yes"
- All non-console administrative access is encrypted using strong cryptography: This keeps access from outside the console secure.
Implementing this policy strengthens security and ensures PCI DSS compliance.
Question 2.3.1
Why You Should Answer "Yes"
- Default wireless encryption keys: Default keys are published or easily guessed, so a network still using them is effectively unprotected.
- Passwords on wireless access points: Default administrator passwords must be changed so that only authorized staff can reconfigure the access point.
- SNMP defaults: Default community strings (typically "public" and "private") let anyone read or change device configuration, so they must be changed or SNMP disabled.
- Any other security-related wireless vendor defaults: Vendor defaults are easy to find online, so all of them must be changed before the device goes into production.
Changing every vendor default closes the easiest route into a wireless network and ensures PCI DSS compliance.
Question 2.3.2
Why You Should Answer "Yes"
- Whenever personnel with knowledge of the keys leave the company or the role where the knowledge was necessary: Only people whose job function requires knowledge of the keys should have that access.
- Whenever a key is suspected of or known to be compromised: If a key is suspected of or known to be compromised it must be changed immediately.
These practices ensure security, accountability, and compliance with PCI DSS.
Question 3.1.1
Why You Should Answer "Yes"
- Documented: To ensure everyone understands what the policies and procedures are.
- Kept up to date: Policies and procedures change over time so they must be kept up to date.
- In use: The required policies and procedures must be followed at all times.
- Known to all affected parties: This is to ensure everyone is on the same page so to speak.
Keeping these policies current and followed underpins the data-retention controls that follow and supports PCI DSS compliance.
Question 3.3.1
Why You Should Answer "Yes"
- SAD is not retained after authorization: Sensitive authentication data (full track data, card verification code, PIN) is needed only to obtain the authorization, so there is no business reason to keep it afterwards, and PCI DSS forbids storing it.
Never retaining SAD means a breach cannot expose the data needed to counterfeit cards, and ensures PCI DSS compliance.
Question 3.3.1.2
Why You Should Answer "Yes"
- The card verification code is not retained after the authorization process: The card verification code is part of the SAD so it is never retained.
Not retaining the verification code keeps it out of reach of attackers and ensures PCI DSS compliance.
Question 3.3.1.3
Why You Should Answer "Yes"
- The personal identification number (PIN) and PIN block are not retained after authorization: The PIN and PIN block are also parts of the SAD and are never retained.
Never storing PIN data removes the most sensitive authentication element from your environment and ensures PCI DSS compliance.
Question 3.4.1
Why You Should Answer "Yes"
- PAN is masked when displayed (the BIN and last four digits are the most that may be shown) so that only personnel with a legitimate business need can see more than the BIN and last four: Limiting who can see full PANs shrinks the number of people and screens through which card numbers could leak.
Masking PAN on every display, receipt, and log reduces the impact of a breach and maintains PCI DSS compliance.
Question 4.2.1.a
Why You Should Answer "Yes"
**This is managed by the Gateway and requires no action on your part. Please answer yes.**
- Strong cryptography and security protocols are implemented as follows to safeguard PAN during transmission over open, public networks: Only trusted keys and certificates are accepted, so PAN cannot be intercepted by an impostor endpoint.
These practices protect PAN in transit and support PCI DSS compliance.
Question 4.2.1,c
Why You Should Answer "Yes"
**This is managed by the Gateway and requires no action on your part. Please answer yes.**
- Strong cryptography and security protocols are implemented as follows to safeguard PAN during transmission over open, public networks: Only secure versions and configurations of the protocol are used, so known-weak versions and cipher settings cannot be exploited to expose PAN.
Using only current protocol versions removes well-known downgrade and decryption attacks and supports PCI DSS compliance.
Question 4.2.1.d
Why You Should Answer "Yes"
**This is managed by the Gateway and requires no action on your part. Please answer yes.**
- Strong cryptography and security protocols are implemented as follows to safeguard PAN during transmission over open, public networks: The encryption strength is appropriate for the encryption methodology in use, so weak key lengths cannot undermine an otherwise secure protocol.
Appropriate key strength completes the protection of PAN in transit and supports PCI DSS compliance.
Question 4.2.1.2
Why You Should Answer "Yes"
**This is managed by the Gateway and requires no action on your part. Please answer yes.**
- Wireless networks transmitting PAN or connected to the CDE use industry best practices to implement strong cryptography for authentication and transmission: Wireless traffic can be captured by anyone in range, so any wireless network that carries PAN or touches the CDE must use strong, current encryption at all times.
Securing wireless networks this way keeps PAN from being sniffed over the air and ensures PCI DSS compliance.
Question 4.2.2
Why You Should Answer "Yes"
**This is managed by the Gateway and requires no action on your part. Please answer yes.**
- PAN is secured with strong cryptography whenever it is sent via end-user messaging technologies: Email, chat, and SMS are not secure channels, so PAN must never be sent over them unless it is encrypted with strong cryptography.
Encrypting (or, better, never sending) PAN over messaging keeps it out of mailboxes and chat logs and ensures PCI DSS compliance.
Question 5.1.1
Why You Should Answer "Yes"
**This is managed by the Gateway and requires no action on your part. Please answer yes.**
- Documented: To ensure everyone understands what the policies and procedures are.
- Kept up to date: Policies and procedures change over time so they must be kept up to date.
- In use: The required policies and procedures must be followed at all times.
- Known to all affected parties: This is to ensure everyone is on the same page so to speak.
Keeping these policies current and followed underpins the anti-malware controls that follow and supports PCI DSS compliance.
Question 5.2.1
Why You Should Answer "Yes"
- An anti-malware solution(s) is deployed on all system components, except for those system components identified in periodic evaluations per Requirement 5.2.3 that conclude the system components are not at risk from malware: Anti-malware must be in place because attackers continually target vulnerabilities in any system, and an unprotected component is an easy foothold.
Deploying anti-malware everywhere it is needed keeps malware from gaining a foothold and ensures PCI DSS compliance.
Question 5.2.2
Why You Should Answer "Yes"
- Detects all known types of malware: Detection is the first step; a solution that cannot recognize a class of malware cannot stop it.
- Removes, blocks, or contains all known types of malware: Detected malware must be blocked or removed so that it cannot run and compromise the system.
These capabilities stop known malware before it can reach cardholder data and ensure PCI DSS compliance.
Question 5.2.3
Why You Should Answer "Yes"
- A documented list of all system components not at risk for malware: The list records which components have been evaluated and why they are considered not at risk, so each exclusion is deliberate rather than an oversight.
- Identification and evaluation of evolving malware threats for those system components: Review of industry vulnerability alerts and notices to determine if new threats exist for any identified system.
- Confirmation whether such system components continue to not require anti-malware protection: A documented conclusion about whether the system types remain not susceptible to malware.
Periodically re-evaluating excluded components keeps the exclusions justified and ensures PCI DSS compliance.
Question 5.3.1
Why You Should Answer "Yes"
- The anti-malware solution(s) is kept current via automatic updates: Having an automated update process avoids burdening end users with responsibility for manually installing updates and provides greater assurance that anti-malware protection mechanisms are updated as quickly as possible after an update is released.
Automatic updates keep protection current against new malware and ensure PCI DSS compliance.
Question 5.3.2
Why You Should Answer "Yes"
- Performs periodic scans and active or real-time scans: Using a combination of periodic scans (scheduled and on-demand) and active, real-time (on-access) scanning helps ensure that malware residing in both static and dynamic elements of the CDE is addressed. Scans should cover the entire file system, including all disks, memory, start-up files, and boot records (at system restart), so that malware resident on a system but not currently active is still detected.
- Performs continuous behavioral analysis of systems or processes: As an alternative to scanning, behavioral analysis watches what processes actually do and flags malicious activity, which can catch malware that has no known signature yet.
Either approach gives ongoing coverage against active and dormant malware and ensures PCI DSS compliance.
Question 5.3.4
Why You Should Answer "Yes"
- Audit logs for the anti-malware solution(s) are enabled and retained in accordance with Requirement 10.5.1: Audit logs allow an entity to determine how malware entered the environment and track its activity when inside the entity’s network.
Retained anti-malware logs support incident investigation and ensure PCI DSS compliance.
Question 5.3.5
Why You Should Answer "Yes"
- Anti-malware mechanisms cannot be disabled or altered by users, unless specifically documented, and authorized by management on a case-by-case basis for a limited time period: Where there is a legitimate need to temporarily disable a system’s anti-malware protection—for example, to support a specific maintenance activity or investigation of a technical problem— the reason for taking such action should be understood and approved by an appropriate management representative.
Controlling who can disable protection, and for how long, prevents malware from slipping in through a silently switched-off agent and ensures PCI DSS compliance.
Question 6.2.1
Why You Should Answer "Yes"
- Based on industry standards and/or best practices for secure development: Understanding how sensitive data is handled by the application, including when stored, transmitted, and in memory, helps identify where data needs to be protected.
- In accordance with PCI DSS: PCI DSS requirements must be considered when developing software so that the software meets them by design, rather than trying to retrofit the software later.
Building security into the development process prevents vulnerabilities rather than patching them afterwards, and ensures PCI DSS compliance.
Question 6.2.2
Why You Should Answer "Yes"
- On software security relevant to their job functions and development languages: As industry-accepted secure coding practices change, organizational coding practices and developer training may need to be updated to address new threats.
- Including secure software design and secure coding techniques: Having staff knowledgeable in secure coding methods, including techniques defined in Requirement 6.2.4, will help minimize the number of security vulnerabilities introduced through poor coding practices.
- Including, if security testing tools are used, how to use the tools for detecting vulnerabilities in software: Training should cover, but is not limited to, the development languages in use, secure software design, secure coding techniques, techniques for finding vulnerabilities in code, processes to prevent reintroducing previously resolved vulnerabilities, and how to use any automated security testing tools.
Trained developers introduce fewer vulnerabilities, which reduces the risk to cardholder data and ensures PCI DSS compliance.
You will be asked to document when you last completed this training, as shown in the screenshot below. Click on the calendar, select the date the training was actually last completed, then select Finish.
Question 6.2.3.1
Why You Should Answer "Yes"
- Reviewed by individuals other than the originating code author, and who are knowledgeable about code-review techniques and secure coding practices: Having code reviewed by someone other than the original author, who is both experienced in code reviews and knowledgeable about secure coding practices, minimizes the possibility that code containing security or logic errors that could affect the security of cardholder data is released into a production environment.
- Reviewed and approved by management prior to release: Requiring management approval that the code was reviewed limits the ability for the process to be bypassed.
Independent review plus management sign-off keeps insecure code out of production and ensures PCI DSS compliance.
Question 6.2.4.a
Why You Should Answer "Yes"
- Software engineering techniques or other methods are defined and in use by software development personnel to prevent or mitigate common software attacks and related vulnerabilities in bespoke and custom software, including but not limited to the following: Injection attacks, including SQL, LDAP, XPath, or other command, parameter, object, fault, or injection-type flaws: Injection happens when untrusted input is mixed into a query or command and parsed as code. Parameterized queries, prepared statements, and strict input validation prevent it. Detecting or preventing such errors as early as possible in the development process, with formal techniques and tools embedded in it, lowers the probability that they reach production and lead to a compromise; this philosophy is sometimes called "shifting security left."
Preventing injection flaws protects the databases and directories that hold or reference cardholder data and ensures PCI DSS compliance.
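The injection bullet above is the one most merchants with any custom code will meet first. The following is an added example, not code from the Paystri page or the SecureTrust portal: the same transaction lookup written twice, once by splicing the input into the SQL text (the pattern 6.2.4 exists to prevent) and once with a bound parameter. The table, rows, and merchant reference format are constructed for the example; SQLite is used only because it runs with nothing but the Python standard library.

```python
import sqlite3

# Added example for the injection item in PCI DSS Requirement 6.2.4; not the
# page's or the portal's code. The transactions table, its rows, and the
# "REF-nnnn" reference format are constructed for this example.


def build_db() -> sqlite3.Connection:
    """Create an in-memory table with three constructed transaction rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE transactions ("
        "id INTEGER PRIMARY KEY, merchant_ref TEXT, last4 TEXT, amount_cents INTEGER)"
    )
    conn.executemany(
        "INSERT INTO transactions (merchant_ref, last4, amount_cents) VALUES (?, ?, ?)",
        [("REF-1001", "1111", 1999), ("REF-1002", "4242", 2500), ("REF-1003", "0005", 999)],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, merchant_ref: str) -> list:
    """Vulnerable pattern: untrusted input is spliced into the SQL text.

    A quote in the input ends the string literal and whatever follows is
    parsed as SQL, so an attacker can change what the query returns.
    """
    sql = (
        "SELECT merchant_ref, last4, amount_cents FROM transactions "
        f"WHERE merchant_ref = '{merchant_ref}'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, merchant_ref: str) -> list:
    """Hardened pattern: the value is bound as a parameter.

    The driver sends the SQL and the value separately, so the value is never
    interpreted as SQL no matter what characters it contains.
    """
    sql = (
        "SELECT merchant_ref, last4, amount_cents FROM transactions "
        "WHERE merchant_ref = ?"
    )
    return conn.execute(sql, (merchant_ref,)).fetchall()


# A classic tautology payload: closes the literal, then makes WHERE always true.
INJECTION = "x' OR '1'='1"


if __name__ == "__main__":
    conn = build_db()
    print("vulnerable:   ", lookup_vulnerable(conn, INJECTION))     # every row
    print("parameterized:", lookup_parameterized(conn, INJECTION))  # no rows
```

Binding is what stops the injection; an allow-list check on the input format (for example, rejecting anything that is not "REF-" followed by four digits before the query is even built) is worth adding as defence in depth, but it is not a substitute for parameterization.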
Question 6.2.4.b
Why You Should Answer "Yes"
- Software engineering techniques or other methods are defined and in use by software development personnel to prevent or mitigate common software attacks and related vulnerabilities in bespoke and custom software, including but not limited to the following: Attacks on data and data structures, including attempts to manipulate buffers, pointers, input data, or shared data: Bounds checking, memory-safe languages or libraries, and validation of every input's length and type stop attackers from corrupting memory or shared state. Catching these errors during development, rather than after release, lowers the probability that they reach production.
Guarding data structures prevents memory-corruption and tampering attacks and ensures PCI DSS compliance.
Question 6.2.4.c
Why You Should Answer "Yes"
- Software engineering techniques or other methods are defined and in use by software development personnel to prevent or mitigate common software attacks and related vulnerabilities in bespoke and custom software, including but not limited to the following: Attacks on cryptography usage, including attempts to exploit weak, insecure, or inappropriate cryptographic implementations, algorithms, cipher suites, or modes of operation: Use vetted cryptographic libraries rather than home-grown implementations, choose current algorithms, cipher suites, modes of operation, and key lengths, and retire anything deprecated. Reviewing cryptographic choices during design and code review catches weak usage before it ships.
Correct use of cryptography keeps encrypted cardholder data actually protected and ensures PCI DSS compliance.
Question 6.2.4.d
Why You Should Answer "Yes"
- Software engineering techniques or other methods are defined and in use by software development personnel to prevent or mitigate common software attacks and related vulnerabilities in bespoke and custom software, including but not limited to the following: Attacks on business logic, including attempts to abuse or bypass application features and functionalities through the manipulation of APIs, communication protocols and channels, client-side functionality, or other system/application functions and resources. This includes cross-site scripting (XSS) and cross-site request forgery (CSRF): Enforce application rules on the server rather than trusting the client, encode output to prevent cross-site scripting, and use anti-CSRF tokens so that requests cannot be forged from another site. Threat modeling and abuse-case testing during development surface these flaws before production.
Protecting business logic and web sessions stops attackers from abusing legitimate features and ensures PCI DSS compliance.
Question 6.2.4.e
Why You Should Answer "Yes"
- Software engineering techniques or other methods are defined and in use by software development personnel to prevent or mitigate common software attacks and related vulnerabilities in bespoke and custom software, including but not limited to the following: Attacks on access control mechanisms, including attempts to bypass or abuse identification, authentication, or authorization mechanisms, or attempts to exploit weaknesses in the implementation of such mechanisms: Check identification, authentication, and authorization on the server for every request, deny by default, and never rely on hidden fields or client-side checks. Testing these paths during development keeps privilege bypasses out of production.
Robust access control keeps cardholder data reachable only by authorized users and supports PCI DSS compliance.
Question 6.2.4.f
Why You Should Answer "Yes"
- Software engineering techniques or other methods are defined and in use by software development personnel to prevent or mitigate common software attacks and related vulnerabilities in bespoke and custom software, including but not limited to the following: Attacks via any "high-risk" vulnerabilities identified in the vulnerability identification process, as defined in Requirement 6.3.1: Vulnerabilities ranked high or critical under 6.3.1 should feed back into coding standards, code review checklists, and developer training so that the same class of flaw is not reintroduced.
Closing the loop between vulnerability identification and development keeps known high-risk flaws out of new code and ensures PCI DSS compliance.
Question 6.3.1
Why You Should Answer "Yes"
- New security vulnerabilities are identified using industry-recognized sources for security vulnerability information, including alerts from international and national computer emergency response teams (CERTs): Monitoring recognized sources such as vendor advisories and national CERTs ensures you learn of vulnerabilities affecting your software as soon as they are announced.
- Vulnerabilities are assigned a risk ranking based on industry best practices and consideration of potential impact: Classifying the risks (for example, as critical, high, medium, or low) allows organizations to identify, prioritize, and address the highest-risk items more quickly and reduces the likelihood that vulnerabilities posing the greatest risk will be exploited. When assigning its risk rankings, an entity should use a formal, objective, justifiable methodology that accurately portrays the risks of the vulnerabilities pertinent to the organization and translates to an appropriate priority for resolution.
- Risk rankings identify, at a minimum, all vulnerabilities considered to be a high risk or critical to the environment: These are the vulnerabilities that drive the patching deadlines in Requirement 6.3.3, so they must never be left unranked.
- Vulnerabilities for bespoke and custom, and third-party software (for example operating systems and databases) are covered: If software is developed in-house, the internal development team should also consider sources of information about new vulnerabilities that may affect internally developed applications.
A structured vulnerability identification and ranking process ensures the most dangerous issues are fixed first and supports PCI DSS compliance.
Question 6.3.3
Why You Should Answer "Yes"
- Critical or high security patches/updates (identified according to the risk ranking process at Requirement 6.3.1) are installed within one month of release: Prioritizing security patches/updates for the highest-risk issues ensures that systems and devices are protected from vulnerabilities as soon as possible after a patch is released.
Patching on a fixed timeline shortens the window in which a known vulnerability can be exploited and ensures PCI DSS compliance.
Question 6.5.1
Why You Should Answer "Yes"
- Reason for, and description of, the change: It is important to document the reason for a change and the change description so that relevant parties understand and agree the change is needed.
- Documentation of the security impact: Likewise, documenting the impacts of the change allows all affected parties to plan appropriately for any processing changes.
- Testing to verify that the change does not adversely impact system security: Thorough testing by the entity confirms that the security of the environment is not reduced by implementing a change and that all existing security controls either remain in place or are replaced with equal or stronger security controls after the change.
- For bespoke and custom software changes, all updates are tested for compliance with Requirement 6.2.4 before being deployed into production: The specific testing to be performed will vary according to the type of change and system component(s) affected.
- Procedures to address failures and return to a secure state: For each change, it is important to have documented procedures that address any failures and provide instructions on how to return to a secure state in case the change fails or adversely affects the security of an application or system.
Controlled change management keeps changes from silently weakening security and ensures PCI DSS compliance.
Question 6.5.2
Why You Should Answer "Yes"
- Upon completion of a significant change, all applicable PCI DSS requirements are confirmed to be in place on all new and changed systems and networks, and documentation is updated as applicable.: Building this validation into change management processes helps ensure that device inventories and configuration standards are kept up to date and security controls are applied where needed.
Validating after significant changes keeps inventories, standards, and controls accurate and ensures PCI DSS compliance.
Question 7.2.2
Why You Should Answer "Yes"
- Job classification and function: Once needs are defined for user functions (per PCI DSS requirement 7.2.1), it is easy to grant individuals access according to their job classification and function by using the already created roles.
- Least privileges necessary to perform job responsibilities: When assigning privileged access, it is important to assign individuals only the privileges they need to perform their job (the “least privileges”). For example, the database administrator or backup administrator should not be assigned the same privileges as the overall systems administrator.
Role-based, least-privilege access limits what any one account can reach and ensures PCI DSS compliance.
Question 7.2.3
Why You Should Answer "Yes"
- Required privileges are approved by authorized personnel.: Documented approval (for example, in writing or electronically) assures that those with access and privileges are known and authorized by management, and that their access is necessary for their job function.
Documented approval makes every privilege traceable to a decision and ensures PCI DSS compliance.
Question 8.1.1
Why You Should Answer "Yes"
**This is managed by the Gateway and requires no action on your part. Please answer yes.**
- Documented: To ensure everyone understands what the policies and procedures are.
- Kept up to date: Policies and procedures change over time so they must be kept up to date.
- In use: The required policies and procedures must be followed at all times.
- Known to all affected parties: This is to ensure everyone is on the same page so to speak.
Keeping these policies current and followed underpins the identity and authentication controls that follow and supports PCI DSS compliance.
Question 8.2.1
Why You Should Answer "Yes"
- All users are assigned a unique ID before access to system components or cardholder data is allowed: By ensuring each user is uniquely identified, instead of using one ID for several employees, an organization can maintain individual responsibility for actions and an effective record in the audit log per employee.
Unique IDs make every action attributable to one person and ensure PCI DSS compliance.
Question 8.2.2
Why You Should Answer "Yes"
**This is managed by the Gateway and requires no action on your part. Please answer yes.**
- Account use is prevented unless needed for an exceptional circumstance: An example of an exceptional circumstance is where all other authentication methods have failed, and a shared account is needed for emergency use or “break the glass” administrator access.
- Use is limited to the time needed for the exceptional circumstance: Limiting how long anyone has access through a shared account keeps the window of unattributed access as short as possible.
- Business justification for use is documented: The documentation of the business justification is essential for future reference if any issues arise from resolving the exceptional circumstance.
- Use is explicitly approved by management: If shared accounts are used for any reason, strong management controls need to be established to maintain individual accountability and traceability.
- Individual user identity is confirmed before access to an account is granted: Tools and techniques can facilitate both management and security of these types of accounts and confirm individual user identity before access to an account is granted.
- Every action taken is attributable to an individual user: The ability to associate individuals to the actions performed with an account is essential to provide individual accountability and traceability regarding who performed an action, what action was performed, and when that action occurred.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
Question 8.2.4
Why You Should Answer "Yes"
- Authorized with the appropriate approval: The approval to add, modify, or delete a user ID has to come from management to ensure security.
- Implemented with only the privileges specified on the documented approval: If a user ID is created it should only have the specific privileges specified on the approval document.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
Question 8.2.5
Why You Should Answer "Yes"
- Access for terminated users is immediately revoked: Revoking access as soon as users are terminated ensures they are not able to access cardholder data.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
Question 8.2.6
Why You Should Answer "Yes"
- Inactive user accounts are removed or disabled within 90 days of inactivity: If a user account will not be used for an extended period, such as an extended leave, it is a good practice to remove or disable the user when the leave begins.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
Question 8.2.7
Why You Should Answer "Yes"
- Enabled only during the time period needed and disabled when not in use: Enabling access only for the time periods needed and disabling it as soon as it is no longer required helps prevent misuse of these connections.
- Use is monitored for unexpected activity: Monitoring third-party access helps ensure that third parties are accessing only the systems necessary and only during approved time frames. Any unusual activity using third-party accounts should be followed up and resolved.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
Question 8.2.8
Why You Should Answer "Yes"
- If a user session has been idle for more than 15 minutes, the user is required to re-authenticate or reactivate the terminal or session: When users walk away from an open machine with access to system components or cardholder data, there is a risk that the machine may be used by others in the user’s absence, resulting in unauthorized account access and/or misuse.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
Question 8.3.1
Why You Should Answer "Yes"
- Something you know, such as a password or passphrase: Passwords or passphrases should be secure (i.e., something difficult for others to guess).
- Something you have, such as a token device or smart card: Examples would be Google Authenticator or a smart card provided by your employer.
- Something you are, such as a biometric element: Your fingerprint or facial recognition would be examples of biometric elements.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
Question 8.3.2
Why You Should Answer "Yes"
- Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components: To ensure authentication factors can't be used to gain unauthorized access, they must remain unreadable at all times.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
Question 8.3.3
Why You Should Answer "Yes"
- User identity is verified before modifying any authentication factor: Methods to verify a user’s identity include a secret question/answer, knowledge-based information, and calling the user back at a known and previously established phone number.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
Question 8.3.4
Why You Should Answer "Yes"
- Locking out the user ID after not more than 10 attempts: Without account-lockout mechanisms in place, an attacker can continually try to guess a password through manual or automated tools (for example, password cracking) until the attacker succeeds and gains access to a user’s account.
- Setting the lockout duration to a minimum of 30 minutes, or until the user's identity is confirmed: Before reactivating a locked account, the user’s identity should be confirmed.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
Question 8.3.5
Why You Should Answer "Yes"
- Set to a unique value for first-time use and upon reset: Setting the value to something unique prevents a malicious individual from being able to guess the value based on information related to the user.
- Forced to be changed after the first use: Forcing the password to be changed after the first use ensures only the user knows what the password is.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
Question 8.3.7
Why You Should Answer "Yes"
- Individuals are not allowed to submit a new password/passphrase that is the same as any of the last 4 passwords/passphrases used: By requiring a unique password outside the last 4 used, it is less likely a malicious individual can guess the password.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
Question 8.3.8
Why You Should Answer "Yes"
- Guidance on selecting strong authentication factors: Guidance on selecting strong passwords may include suggestions to help personnel select hard-to-guess passwords that do not contain dictionary words or information about the user, such as the user ID, names of family members, date of birth, etc.
- Guidance on how users should protect their authentication factors: Guidance for protecting authentication factors may include not writing down passwords or not saving them in insecure files, and being alert to malicious individuals who may try to exploit their passwords (for example, by calling an employee and asking for their password so the caller can “troubleshoot a problem”).
- Instructions not to reuse previously used passwords/passphrases: Using a previous password could compromise its security if someone knew you had used it in the past.
- Instructions to change passwords/passphrases if there is any suspicion or knowledge that the password/passphrases have been compromised and how to report the incident: If there is any suspicion that a password has been compromised, it is always prudent to change it to something completely different and report the matter to management.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
Question 8.3.9
Why You Should Answer "Yes"
- Passwords/passphrases are changed at least once every 90 days: Periodically changing passwords offers less time for a malicious individual to crack a password/passphrase and less time to use a compromised password.
- The security posture of accounts is dynamically analyzed, and real-time access to resources is automatically determined accordingly: Dynamically analyzing an account’s security posture is another option that allows for more rapid detection and response to address potentially compromised credentials. Such analysis takes a number of data points, which may include device integrity, location, access times, and the resources accessed to determine in real time whether an account can be granted access to a requested resource.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
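The account rules in Questions 8.2.5, 8.2.6, 8.3.7 and 8.3.9 above are easy to state and easy to let slip, so here is an added example (not part of the SAQ, the Paystri guidance or the SecureTrust portal) that reviews a constructed user inventory against exactly those thresholds: terminated users still enabled, accounts idle for more than 90 days, passwords older than 90 days, and a new password that matches any of the last 4. The user names, dates and `Account` structure are assumptions made for the demonstration.

```python
"""Account hygiene checks for Questions 8.2.5, 8.2.6, 8.3.7 and 8.3.9.

Added example; it is not part of the SAQ or of the SecureTrust portal.
It reviews a constructed user inventory against the thresholds the
questionnaire cites: terminated users still enabled (8.2.5), accounts
idle for more than 90 days (8.2.6), a new password equal to any of the
last 4 (8.3.7) and passwords older than 90 days (8.3.9). The history
keeps salted PBKDF2 digests, never plaintext, so old passwords stay
unreadable in storage as 8.3.2 asks.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
import hashlib
import hmac
import os

INACTIVE_DAYS = 90      # 8.2.6
PASSWORD_MAX_AGE = 90   # 8.3.9
HISTORY_DEPTH = 4       # 8.3.7
MIN_LENGTH = 7          # minimum length the questionnaire asks about
PBKDF2_ROUNDS = 100_000


@dataclass
class Account:
    user_id: str
    enabled: bool
    terminated: bool
    last_login: date
    password_set: date
    history: list = field(default_factory=list)  # (salt, digest), newest last


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def password_reused(acct: Account, candidate: str) -> bool:
    """True when candidate equals one of the last HISTORY_DEPTH passwords."""
    return any(hmac.compare_digest(hash_password(candidate, salt), digest)
               for salt, digest in acct.history[-HISTORY_DEPTH:])


def set_password(acct: Account, new_password: str, today: date) -> None:
    """Enforce the length and 8.3.7 history rules before accepting a change."""
    if len(new_password) < MIN_LENGTH:
        raise ValueError("shorter than %d characters" % MIN_LENGTH)
    if password_reused(acct, new_password):
        raise ValueError("matches one of the last %d passwords" % HISTORY_DEPTH)
    salt = os.urandom(16)
    acct.history.append((salt, hash_password(new_password, salt)))
    acct.password_set = today


def review_accounts(accounts, today: date) -> dict:
    """Map user_id -> list of findings for accounts that need action."""
    findings = {}
    for a in accounts:
        issues = []
        if a.terminated and a.enabled:
            issues.append("8.2.5: terminated user still enabled, revoke access now")
        if a.enabled and (today - a.last_login).days > INACTIVE_DAYS:
            issues.append("8.2.6: no login for over 90 days, disable or remove")
        if a.enabled and (today - a.password_set).days > PASSWORD_MAX_AGE:
            issues.append("8.3.9: password older than 90 days, force a change")
        if issues:
            findings[a.user_id] = issues
    return findings


def sample_accounts(today: date) -> list:
    """Constructed inventory; dates are relative to the review date."""
    def ago(days):
        return today - timedelta(days=days)
    return [
        Account("alice", True, False, ago(2), ago(60)),
        Account("bob", True, True, ago(29), ago(107)),     # left the company, still enabled
        Account("carol", True, False, ago(140), ago(29)),  # dormant account
        Account("dave", False, True, ago(200), ago(200)),  # already disabled, nothing to do
    ]


def demo_findings() -> dict:
    today = date(2024, 6, 30)
    return review_accounts(sample_accounts(today), today)


def demo_password_history() -> dict:
    """Walk one account through five changes and report what the rule did."""
    today = date(2024, 6, 30)
    acct = Account("erin", True, False, today, today)
    result = {}
    set_password(acct, "first-pass-1", today)
    try:
        set_password(acct, "first-pass-1", today)
        result["reuse_blocked"] = False
    except ValueError:
        result["reuse_blocked"] = True
    try:
        set_password(acct, "tiny", today)
        result["short_blocked"] = False
    except ValueError:
        result["short_blocked"] = True
    for pw in ("pass-two-2", "pass-three-3", "pass-four-4", "pass-five-5"):
        set_password(acct, pw, today)
    # the first password is now outside the last four and may be chosen again
    result["first_allowed_again"] = not password_reused(acct, "first-pass-1")
    return result


if __name__ == "__main__":
    for user, issues in demo_findings().items():
        print(user, issues)
    print(demo_password_history())
```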
Question 8.4.1
Why You Should Answer "Yes"
- MFA is implemented for all non-console access into the CDE for personnel with administrative access: Requiring more than one type of authentication factor reduces the probability that an attacker can gain access to a system by masquerading as a legitimate user, because the attacker would need to compromise multiple authentication factors.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
Question 8.4.3
Why You Should Answer "Yes"
- All remote access by all personnel, both users and administrators, originating from outside the entity's network: By using MFA for all users outside the network it is more difficult for a malicious individual to gain access to the CDE.
- All remote access by third parties and vendors: By using MFA for all users outside the network it is more difficult for a malicious individual to gain access to the CDE.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
Question 9.1.1
Why You Should Answer "Yes"
**This is managed by the Gateway and requires no action on your part. Please answer yes.**
- Documented: To ensure everyone understands what the policies and procedures are.
- Kept up to date: Policies and procedures change over time so they must be kept up to date.
- In use: The required policies and procedures must be followed at all times.
- Known to all affected parties: This is to ensure everyone is on the same page, so to speak.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
Question 9.2.1
Why You Should Answer "Yes"
- Appropriate facility entry controls are in place to restrict physical access to systems in the CDE: Facility entry controls include physical security controls at each computer room, data center, and other physical areas with systems in the CDE. It can also include badge readers or other devices that manage physical access controls, such as lock and key with a current list of all individuals holding the keys.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
Question 9.2.1.1
Why You Should Answer "Yes"
**This is managed by the Gateway and requires no action on your part. Please answer yes.**
- Entry and exit points to/from sensitive areas within the CDE are monitored: Maintaining details of individuals entering and exiting the sensitive areas can help with investigations of physical breaches by identifying individuals that physically accessed the sensitive areas, as well as when they entered and exited.
- Monitoring devices or mechanisms are protected from tampering or disabling: Criminals attempting to gain physical access to sensitive areas will often try to disable or bypass the monitoring controls. To protect these controls from tampering, video cameras could be positioned so they are out of reach and/or be monitored to detect tampering.
- Collected data is reviewed and correlated with other entries: Keeping records of this data helps with any investigations should there be a breach of the CDE.
- Collected data is stored for at least three months, unless otherwise restricted by law: Keeping these records for at least 3 months ensures if something went undetected for a short period, the data collected can be used to determine how the system was compromised.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
Question 9.2.2
Why You Should Answer "Yes"
- Physical and/or logical controls are implemented to restrict use of publicly accessible network jacks within the facility: Whether logical or physical controls, or a combination of both, are used, they should prevent an individual or device that is not explicitly authorized from being able to connect to the network.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
Question 9.4.1
Why You Should Answer "Yes"
- All media with cardholder data is physically secured: Controls for physically securing media are intended to prevent unauthorized persons from gaining access to cardholder data on any media. Cardholder data is susceptible to unauthorized viewing, copying, or scanning if it is unprotected while it is on removable or portable media, printed out, or left on someone’s desk.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
Question 9.4.1.1
Why You Should Answer "Yes"
- Offline media backups with cardholder data are stored in a secure location: For secure storage of backup media, a good practice is to store media in an off-site facility, such as an alternate or backup site or commercial storage facility.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
Question 9.4.2
Why You Should Answer "Yes"
- All media with cardholder data is classified in accordance with the sensitivity of the data: Media not identified as confidential may not be adequately protected or may be lost or stolen.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
Question 9.4.3
Why You Should Answer "Yes"
- Media is sent by secured courier or other delivery method that can be accurately tracked: The use of secure couriers to deliver any media that contains cardholder data allows organizations to use their tracking systems to maintain inventory and location of shipments.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
Question 9.4.4
Why You Should Answer "Yes"
- Management approves all media with cardholder data that is moved outside the facility (including when media is distributed to individuals): Without a firm process for ensuring that all media movements are approved before the media is removed from secure areas, the media would not be tracked or appropriately protected, and its location would be unknown, leading to lost or stolen media.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
Question 9.4.6
Why You Should Answer "Yes"
- Materials are cross-cut shredded, incinerated, or pulped so cardholder data cannot be reconstructed: If steps are not taken to destroy information contained on hard-copy media before disposal, malicious individuals may retrieve information from the disposed media, leading to a data compromise.
- Materials are stored in secure storage containers prior to destruction: Securing storage containers used for materials that are going to be destroyed prevents sensitive information from being captured while the materials are being collected.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
Question 9.5.1
Why You Should Answer "Yes"
- Maintaining a list of POI devices: By maintaining a list of POI devices, you can clearly see if an unauthorized POI has been placed.
- Periodically inspecting POI devices to look for tampering or unauthorized substitution: Inspecting the POI devices can detect whether they have been tampered with, rendering them insecure.
- Training personnel to be aware of suspicious behavior and to report tampering or unauthorized substitution of devices: By training personnel to be aware of suspicious behavior, it is harder for malicious individuals to tamper with POI devices.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
Question 9.5.1.1
Why You Should Answer "Yes"
- Make and model of the device: The method for maintaining a list of devices may be automated (for example, a device management system) or manual (for example, documented in electronic or paper records).
- Location of the device: Methods to maintain device locations include identifying the address of the site or facility where the device is located.
- Device serial number or other methods of unique identification: Keeping a list of the device serial number and other unique identifiers allows you to determine if a device was switched out or has gone missing.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
Question 9.5.1.2
Why You Should Answer "Yes"
- POI device surfaces are periodically inspected to detect tampering or unauthorized substitution: Methods for periodic inspection include checking the serial number or other device characteristics and comparing the information to the list of POI devices to verify the device has not been swapped with a fraudulent device.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
Question 9.5.1.3
Why You Should Answer "Yes"
- Verifying the identity of any third-party persons claiming to be repair or maintenance personnel, before granting them access to modify or troubleshoot devices: All third parties requesting access to devices should always be verified before being provided access—for example, by checking with management or phoning the POI maintenance company, such as the vendor or acquirer, for verification.
- Procedures to ensure devices are not installed, replaced, or returned without verification: Inspecting the POI devices can detect whether they have been tampered with, rendering them insecure.
- Being aware of suspicious behavior around devices: Suspicious behavior that personnel should be aware of includes attempts by unknown persons to unplug or open devices.
- Reporting suspicious behavior and indications of tampering or substitution to appropriate personnel: Another trick that criminals use is to send a “new” POI device with instructions for swapping it with a legitimate device and “returning” the legitimate device. The criminals may even provide return postage to their specified address. Therefore, personnel should always verify with their manager or supplier that the device is legitimate and came from a trusted source before installing it or using it for business.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
Question 10.1.1
Why You Should Answer "Yes"
**This is managed by the Gateway and requires no action on your part. Please answer yes.**
- Documented: To ensure everyone understands what the policies and procedures are.
- Kept up to date: Policies and procedures change over time so they must be kept up to date.
- In use: The required policies and procedures must be followed at all times.
- Known to all affected parties: This is to ensure everyone is on the same page, so to speak.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
Question 10.2.1.2
Why You Should Answer "Yes"
- Audit logs capture all actions taken by any individual with administrative access, including any interactive use of application or system accounts: Accounts with increased access privileges, such as the “administrator” or “root” account, have the potential to significantly impact the security or operational functionality of a system. Without a log of the activities performed, an organization cannot trace any issues resulting from an administrative mistake or misuse of privilege back to the specific action and account.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
Question 10.2.1.4
Why You Should Answer "Yes"
- Audit logs capture all invalid logical access attempts: Malicious individuals will often perform multiple access attempts on targeted systems. Multiple invalid login attempts may be an indication of an unauthorized user’s attempts to “brute force” or guess a password.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
Question 10.2.1.5
Why You Should Answer "Yes"
**This is managed by the Gateway and requires no action on your part. Please answer yes.**
- Creation of new accounts: Logging the creation of new accounts allows you to keep track of who has access to the system.
- Elevation of privileges: Logging elevation of privileges keeps track of who has access to what parts of the system.
- All changes, additions, or deletions to accounts with administrative access: Logging changes, additions, and deletions of accounts with administrative access keeps track of users in the system, and what access they have.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
Question 10.2.2
Why You Should Answer "Yes"
**This is managed by the Gateway and requires no action on your part. Please answer yes.**
- User identification: Who is logged into the system.
- Type of event: What is being done to the system.
- Date and time: The date and time at which the user's action occurred.
- Success and failure indication: Whether the user succeeded or failed in the procedure being performed.
- Origination of event: What was the reason the user logged into the account.
- Identity or name of affected data, system component, resource, or service (for example name and protocol): Identifying the data, system component, resource, or service that was affected prompting the login.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
Question 10.3.1
Why You Should Answer "Yes"
- Read access to audit log files is limited to those with a job-related need: Audit log files contain sensitive information, and read access to the log files must be limited only to those with a valid business need.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
Question 10.3.2
Why You Should Answer "Yes"
- Audit log files are protected to prevent modifications by individuals: Often a malicious individual who has entered the network will try to edit the audit logs to hide their activity. Without adequate protection of audit logs, their completeness, accuracy, and integrity cannot be guaranteed, and the audit logs can be rendered useless as an investigation tool after a compromise.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
Question 10.3.3
Why You Should Answer "Yes"
- Audit log files, including those for external facing technologies, are promptly backed up to a secure, central, internal log server(s) or other media that is difficult to modify: Promptly backing up the logs to a centralized log server or media that is difficult to alter keeps the logs protected, even if the system generating the logs becomes compromised.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
Question 10.3.4
Why You Should Answer "Yes"
- File integrity monitoring or change-detection mechanisms are used on audit logs to ensure that existing log data cannot be changed without generating alerts: Software used to monitor changes to audit logs should be configured to provide alerts when existing log data or files are changed or deleted. However, new log data being added to an audit log should not generate an alert.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
Question 10.4.1
Why You Should Answer "Yes"
**This is managed by the Gateway and requires no action on your part. Please answer yes.**
- All security events: Checking logs daily (7 days a week, 365 days a year, including holidays) minimizes the amount of time and exposure of a potential breach.
- Logs of all system components that store, process, or transmit CHD and/or SAD: Logs of all system components that store, process, or transmit sensitive information are critical knowledge if there is ever a breach of the system.
- Logs of all critical system components: Logs of all critical system components are also critical knowledge if there is ever a breach of the system.
- Logs of all servers and system components that perform security functions (for example network security controls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers): Daily review of security events—for example, notifications or alerts that identify suspicious or anomalous activities—as well as logs from critical system components, and logs from systems that perform security functions, such as firewalls, IDS/IPS, file integrity monitoring (FIM) systems, etc., is necessary to identify potential issues.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
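Questions 10.2.1.4, 10.2.1.5, 10.2.2 and 10.4.1 describe what the logs must contain and what a daily reviewer should be looking for; the added example below (not from the SAQ, the gateway or SecureTrust) runs that review over a constructed key=value log: it reports records missing any of the six 10.2.2 elements, users whose invalid login attempts reach the 8.3.4 lockout threshold within its 30 minute window, and the account creations and privilege changes 10.2.1.5 says must be logged. The log format, field names, users, hostnames and addresses are assumptions made for the demonstration.

```python
"""Daily audit-log review for Questions 8.3.4, 10.2.1.4, 10.2.1.5, 10.2.2, 10.4.1.

Added example; it is not part of the SAQ or of any gateway or SecureTrust
tooling. It reads a constructed key=value log format and reports:
  * records missing any of the six elements 10.2.2 lists,
  * users whose invalid login attempts reach the 8.3.4 lockout threshold
    (10 in a 30 minute window), the pattern 10.2.1.4 warns about, and
  * account creations and privilege changes (10.2.1.5) for the reviewer.
The log lines, user names, hostnames and addresses are all constructed;
203.0.113.7 is from a documentation address range.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# the six elements of 10.2.2, with the names the constructed log uses for them:
# user identification, type of event, date and time, success or failure,
# origination of the event, and the affected component or resource
REQUIRED_FIELDS = ("user", "event", "ts", "result", "src", "target")
PRIVILEGED_EVENTS = {"account_create", "privilege_elevate",
                     "admin_account_modify", "admin_account_delete"}
LOCKOUT_THRESHOLD = 10                  # 8.3.4: lock out after not more than 10 attempts
LOCKOUT_WINDOW = timedelta(minutes=30)  # 8.3.4: minimum lockout duration


def parse_record(line: str) -> dict:
    """Turn 'k=v k=v ...' into a dict; anything else yields an empty dict."""
    rec = {}
    for token in line.split():
        if "=" not in token:
            return {}
        key, value = token.split("=", 1)
        rec[key] = value
    return rec


def missing_fields(rec: dict) -> list:
    return [f for f in REQUIRED_FIELDS if not rec.get(f)]


def max_failures_in_window(times: list) -> int:
    """Largest number of failures falling inside any LOCKOUT_WINDOW span."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > LOCKOUT_WINDOW:
            start += 1
        best = max(best, end - start + 1)
    return best


def review(lines: list) -> dict:
    """Produce the findings a daily (10.4.1) reviewer needs to follow up."""
    incomplete, failures, privileged = [], defaultdict(list), []
    for n, line in enumerate(lines, 1):
        rec = parse_record(line)
        gaps = missing_fields(rec)
        if gaps:                          # cannot be attributed or correlated
            incomplete.append((n, gaps))
            continue
        ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        if rec["event"] == "login" and rec["result"] == "failure":
            failures[rec["user"]].append(ts)
        if rec["event"] in PRIVILEGED_EVENTS:
            privileged.append((rec["ts"], rec["user"], rec["event"], rec["target"]))
    # A system enforcing 8.3.4 should never show more than 10 failures in the
    # window, so reaching the threshold is itself something to investigate.
    brute_force = {}
    for user, times in failures.items():
        peak = max_failures_in_window(times)
        if peak >= LOCKOUT_THRESHOLD:
            brute_force[user] = peak
    return {"incomplete": incomplete, "brute_force": brute_force,
            "privileged": privileged}


def sample_lines() -> list:
    """Constructed log for one morning on a POS gateway host."""
    lines = [
        "ts=2024-06-30T08:59:10Z user=alice event=login result=failure src=10.0.0.21 target=pos-gw",
        "ts=2024-06-30T08:59:40Z user=alice event=login result=success src=10.0.0.21 target=pos-gw",
    ]
    # twelve invalid attempts a minute apart, then a success: 10.2.1.4's pattern
    lines += ["ts=2024-06-30T09:%02d:00Z user=svc-admin event=login result=failure "
              "src=203.0.113.7 target=pos-gw" % m for m in range(12)]
    lines += [
        "ts=2024-06-30T09:12:00Z user=svc-admin event=login result=success src=203.0.113.7 target=pos-gw",
        "ts=2024-06-30T09:13:05Z user=svc-admin event=account_create result=success src=203.0.113.7 target=user:temp9",
        "ts=2024-06-30T09:14:00Z user=bob event=login result=success target=pos-gw",  # no origination
    ]
    return lines


if __name__ == "__main__":
    for key, value in review(sample_lines()).items():
        print(key, value)
```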
Question 10.4.2
Why You Should Answer "Yes"
- Logs of all system components (those not specified in Requirement 10.4.1) are reviewed periodically: Periodic review of logs for all other system components (not specified in Requirement 10.4.1) helps to identify indications of potential issues or attempts to access critical systems via less-critical systems.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
Question 10.4.3
Why You Should Answer "Yes"
- Exceptions and anomalies identified during the review process are addressed: If exceptions and anomalies identified during the log-review process are not investigated, the entity may be unaware of unauthorized and potentially malicious activities occurring within their network.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
Question 10.5.1
Why You Should Answer "Yes"
- Retain audit log history for at least 12 months, with at least the most recent three months immediately available for analysis: Retaining historical audit logs for at least 12 months is necessary because compromises often go unnoticed for significant lengths of time.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
Question 10.6.1
Why You Should Answer "Yes"
- System clocks and time are synchronized using time-synchronization technology: Time synchronization technology is used to synchronize clocks on multiple systems.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
Question 10.6.2
Why You Should Answer "Yes"
**This is managed by the Gateway and requires no action on your part. Please answer yes.**
- One or more designated time servers are in use: Using reputable time servers is a critical component of the time synchronization process.
- Only the designated central time server(s) receives time from external sources: Maintaining the integrity of the time on the time servers is critical in the event of a breach.
- Time received from external sources is based on International Atomic Time or Coordinated Universal Time (UTC): Keeping the time to a recognized standard maintains the accuracy of any time stamps.
- The designated time server(s) accept time updates only from specific industry-accepted external sources: Accepting time updates from specific, industry-accepted external sources helps prevent a malicious individual from changing time settings on systems.
- Where there is more than one designated time server, the time servers peer with one another to keep accurate time: A good practice is to prevent unauthorized use of internal time servers by encrypting updates with a symmetric key and creating access control lists that specify the IP addresses of client machines that will be provided with the time updates.
- Internal servers receive time information only from designated central time server(s): By using designated central time servers the integrity of the time accuracy is ensured.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
Question 10.6.3
Why You Should Answer "Yes"
- Access to time data is restricted to only personnel with a business need: Restricting access to only personnel with a business need lessens the chances of changes being made by malicious individuals.
- Any changes to time settings on critical systems are logged, monitored, and reviewed: Attackers will try to change time configurations to hide their activity. Therefore, restricting the ability to change or modify time synchronization configurations or the system time to administrators will lessen the probability of an attacker successfully changing time configurations.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
Question 11.2.1
You will need to indicate when these tasks were last completed, as shown in the screenshot below. Select the beginning of the current month and select Finish to move to the next question.
Why You Should Answer "Yes"
**This is managed by the Gateway and requires no action on your part. Please answer yes.**
- The presence of wireless (Wi-Fi) access points is checked for: By performing physical system inspections in conjunction with the results of a wireless analyzer, you can identify the wireless access points.
- All authorized and unauthorized access points are detected and identified: Logs of all system components that store, process, or transmit sensitive information are critical knowledge if there is ever a breach of the system.
- Testing, detection, and identification occurs at least every three months: Performing these tasks quarterly makes it difficult for malicious individuals to find weaknesses in the system.
- If automated monitoring is used, personnel are notified via generated alerts: NAC and wireless IDS/IPS are examples of automated monitoring tools.
Question 11.2.2
Why You Should Answer "Yes"
- An inventory of authorized wireless access points is maintained, including a documented business justification: An inventory of authorized wireless access points can help administrators quickly respond when unauthorized wireless access points are detected. This helps to proactively minimize the exposure of CDE to malicious individuals.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
Question 11.3.1.3
Why You Should Answer "Yes"
- High-risk and critical vulnerabilities (per the entity's vulnerability risk rankings defined at Requirement 6.3.1) are resolved: By following the risk rankings of Requirement 6.3.1, the company will determine its high-risk and critical vulnerabilities and resolve them.
- Rescans are conducted as needed: Scanning an environment after any significant changes ensures that changes were completed appropriately, such that the security of the environment was not compromised because of the change.
- Scans are performed by qualified personnel and organizational independence of the tester exists (Not required to be a QSA or ASV): The individuals performing the scans should not be from within the organization. This ensures the integrity of the scans' accuracy.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
Question 11.4.5
Why You Should Answer "Yes"
**This is managed by the Gateway and requires no action on your part. Please answer yes.**
- At least once every 12 months and after any changes to segmentation controls/methods: Performing penetration testing at regular intervals and after any changes to segmentation controls/methods keeps the systems secure.
- Covering all segmentation controls/methods in use: If any of the segmentation controls/methods are not covered they become a weakness in the system.
- Confirming that the segmentation controls/methods are operational and effective, and isolate the CDE from all out-of-scope systems: Techniques such as host discovery and port scanning can be used to verify out-of-scope segments have no access to the CDE.
- Confirming effectiveness of any use of isolation to separate systems with differing security levels (see Requirement 2.2.3): By following Requirement 2.2.3 you can confirm the effectiveness of the isolation to separate systems with differing security levels.
- Performed by a qualified internal resource or qualified external third party: A good practice is to utilize a qualified external third party for penetration testing to ensure organizational independence.
- Organizational independence of the tester exists (not required to be a QSA or ASV): Use of qualified third-party testers accomplishes that.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
You will need to indicate when these tasks were last completed, as shown in the screenshot below. Select the beginning of the current month and select finish to move to the next question.
Question 11.5.2
Why You Should Answer "Yes"
- To alert personnel to unauthorized modification (including changes, additions, and deletions) of critical files: A change detection mechanism will detect and evaluate such changes to critical files and generate alerts that can be responded to following defined processes so that personnel can take appropriate actions.
- To perform critical file comparisons at least once weekly: Attackers will try to find a way into systems and exploit any weaknesses at any time, so weekly critical file comparisons are a must.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
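As an added illustration (not code from Paystri, SecureTrust, or the PCI SSC), here is a minimal file-comparison check in Python that does what the two bullets above describe: take a baseline of critical files, compare a later snapshot against it, and report every change, addition, and deletion so an alert can be raised. The file names and contents are constructed for the demo; a real deployment would store the baseline somewhere the monitored hosts cannot alter it and run the comparison at least weekly.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root: str) -> dict:
    """Return {relative_path: sha256 hex digest} for every regular file under root."""
    digests = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            digests[str(path.relative_to(root))] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences into the three cases Requirement 11.5.2 names:
    modified (same path, different hash), added (not in baseline), deleted (gone)."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "deleted": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Constructed walk-through: baseline a small tree, simulate a week of drift, compare.
    Any non-empty list in the result is what the change-detection alert would carry."""
    with tempfile.TemporaryDirectory() as root:
        base = Path(root)
        (base / "pos.conf").write_text("terminal_id=1234\n")       # constructed config file
        (base / "pos.bin").write_bytes(b"\x7fELF constructed")     # constructed binary
        (base / "hosts").write_text("127.0.0.1 localhost\n")       # constructed hosts file
        baseline = snapshot(root)

        # Simulated drift before the next weekly comparison:
        (base / "pos.conf").write_text("terminal_id=1234\ndebug=1\n")  # modified
        (base / "unexpected.so").write_bytes(b"constructed")           # added
        (base / "hosts").unlink()                                      # deleted

        return compare(baseline, snapshot(root))
```

`pos.bin` is untouched, so it appears in none of the three lists; only the drifted paths are reported.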
Question 12.1.1
Why You Should Answer "Yes"
**This is managed by the Gateway and requires no action on your part. Please answer yes.**
- Established: The security policy for the organization identifies the purpose, scope, accountability, and information that clearly defines the organization’s position regarding information security.
- Published: The organization's security policies must be kept published to all affected parties, both internally and externally.
- Maintained: The security policy for the organization may change over time and must be updated in all published forms.
- Disseminated to all relevant personnel, as well as to relevant vendors and business partners: It is important that all relevant personnel within the organization, as well as relevant third parties, vendors, and business partners are aware of the organization’s information security policy and their responsibilities for protecting information assets.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
Question 12.1.2
Why You Should Answer "Yes"
**This is managed by the Gateway and requires no action on your part. Please answer yes.**
- Reviewed at least once every 12 months: The information security policy for the organization should be reviewed annually at a minimum.
- Updated as needed to reflect changes to business objectives or risks to the environment: The organization's security policies must be updated to reflect changes in business objectives or risks to the environment.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
You will be asked to document when you last completed this task as noted in the screenshot below. Click on the calendar and select the 1st of the current month. Then select finish.
Question 12.1.3
Why You Should Answer "Yes"
**This is managed by the Gateway and requires no action on your part. Please answer yes.**
- The security policy clearly defines information security roles and responsibilities for all personnel, and all personnel are aware of and acknowledge their information security responsibilities: Without clearly defined security roles and responsibilities assigned, there could be misuse of the organization’s information assets or inconsistent interaction with information security personnel, leading to insecure implementation of technologies or use of outdated or insecure technologies.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
Question 12.2.1
Why You Should Answer "Yes"
**This is managed by the Gateway and requires no action on your part. Please answer yes.**
- Explicit approval by authorized parties: Acceptable use policies outline the expected behavior from personnel when using the organization’s information technology and reflect the organization’s risk tolerance.
- Acceptable uses of technology: These policies instruct personnel on what they can and cannot do with company equipment and instruct personnel on correct and incorrect uses of company Internet and email resources.
- List of products approved by the company for employee use, including hardware and software: This list must be disseminated to all employees so they are aware of what can and cannot be used in their job function.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
Question 12.6.1
Why You Should Answer "Yes"
**This is managed by the Gateway and requires no action on your part. Please answer yes.**
- A formal security awareness program is implemented to make all personnel aware of the entity's information security policy and procedures, and their role in protecting the cardholder data: If personnel are not educated about their company’s information security policies and procedures and their own security responsibilities, security safeguards and processes that have been implemented may become ineffective through unintentional errors or intentional actions.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
Question 12.8.1
Why You Should Answer "Yes"
**This is managed by the Gateway and requires no action on your part. Please answer yes.**
- A list of all third-party service providers (TPSPs) with which account data is shared or that could affect the security of account data is maintained, including a description for each of the services provided: Maintaining a list of all TPSPs identifies where potential risk extends outside the organization and defines the organization’s extended attack surface.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
Question 12.8.2
Why You Should Answer "Yes"
**This is managed by the Gateway and requires no action on your part. Please answer yes.**
- Written agreements are maintained with all TPSPs with which account data is shared or that could affect the security of the CDE: The written acknowledgment from a TPSP demonstrates its commitment to maintaining proper security of account data that it obtains from its customers and that the TPSP is fully aware of the assets that could be affected during the provisioning of the TPSP’s service.
- Written agreements include acknowledgments from TPSPs that they are responsible for the security of account data the TPSPs possess or otherwise store, process, or transmit on behalf of the entity, or to the extent that they could impact the security of the entity’s CDE: The extent to which a specific TPSP is responsible for the security of account data will depend on the service provided and the agreement between the provider and assessed entity (the customer). In conjunction with Requirement 12.9.1, this requirement is intended to promote a consistent level of understanding between parties about their applicable PCI DSS responsibilities.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
Question 12.8.3
Why You Should Answer "Yes"
**This is managed by the Gateway and requires no action on your part. Please answer yes.**
- An established process is implemented for engaging TPSPs, including proper due diligence prior to engagement: Specific due-diligence processes and goals will vary for each organization. Elements that should be considered include the provider’s reporting practices, breach-notification and incident response procedures, details of how PCI DSS responsibilities are assigned between each party, how the TPSP validates their PCI DSS compliance and what evidence they provide.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
Question 12.8.4
Why You Should Answer "Yes"
**This is managed by the Gateway and requires no action on your part. Please answer yes.**
- A program is implemented to monitor TPSPs’ PCI DSS compliance status at least once every 12 months: All merchants need to confirm their PCI DSS compliance every 12 months to ensure the security of cardholder data.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
You will be asked to document when you last completed this task as noted in the screenshot below. Click on the calendar and select the 1st of the current month. Then select finish.
Question 12.8.5
Why You Should Answer "Yes"
**This is managed by the Gateway and requires no action on your part. Please answer yes.**
- Information is maintained about which PCI DSS requirements are managed by each TPSP, which are managed by the entity, and any that are shared between the TPSP and the entity: Entities can document these responsibilities via a matrix that identifies all applicable PCI DSS requirements and indicates for each requirement whether the entity or TPSP is responsible for meeting that requirement or whether it is a shared responsibility.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
Question 12.10.1
Why You Should Answer "Yes"
**This is managed by the Gateway and requires no action on your part. Please answer yes.**
- Roles, responsibilities, and communication and contact strategies in the event of a suspected or confirmed security incident, including notification of payment brands and acquirers, at a minimum: It is important to keep the plan up to date with current contact information for all individuals designated as having a role in incident response.
- Incident response procedures with specific containment and mitigation activities for different types of incidents: Entities should consider how to address all compromises of data within the CDE in their incident response plans, including compromises of account data, wireless encryption keys, encryption keys used for transmission and storage of account data or cardholder data, etc.
- Business recovery and continuity procedures: The incident response plan should be thorough and contain all the key elements for stakeholders (for example, legal, communications) to allow the entity to respond effectively in the event of a breach that could impact account data.
- Data backup processes: A formal data backup process approved by management should be in place at all times.
- Analysis of legal requirements for reporting compromises: Entities should consider how to address all compromises of data within the CDE in their incident response plans, including compromises of account data, wireless encryption keys, encryption keys used for transmission and storage of account data or cardholder data, etc.
- Coverage and responses of all critical system components: It is important to keep the plan up to date with current contact information of all individuals designated as having a role in incident response. Other relevant parties for notifications may include customers, financial institutions (acquirers and issuers), and business partners.
- Reference or inclusion of incident response procedures from the payment brands: A good practice is to always include incident response procedures from V/MC/Disc/Amex.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
Question 12.10.3
Why You Should Answer "Yes"
**This is managed by the Gateway and requires no action on your part. Please answer yes.**
- Specific personnel are designated to be available on a 24/7 basis to respond to suspected or confirmed security incidents: An incident could occur at any time; therefore, if a person who is trained in incident response and familiar with the entity’s plan is available when an incident is detected, the entity’s ability to respond correctly to the incident is increased.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
Question A2.1.1
Why You Should Answer "Yes"
**This is managed by the Gateway and requires no action on your part. Please answer yes.**
- Where POS POI terminals at the merchant or payment acceptance location use SSL and/or early TLS, the entity confirms the devices are not susceptible to any known exploits for those protocols: POS POI terminals used in card-present environments can continue using SSL/early TLS when it can be shown that the POS POI terminal is not susceptible to the currently known exploits.
These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
Now that you have answered all of the questions, you will see the screen below. Select next to move to the page where you confirm your compliance.
On this page you will fill in the areas you see highlighted and then scroll to the bottom of the page and select confirm your attestation.
You will then see the screen below showing you are now PCI compliant for the next 12 months. Congratulations!!!