Title Page
-
Conducted on
-
Prepared by
-
Location
Common PCI DSS Control Failures
-
Storage of sensitive authentication data (SAD), such as track data, after authorization. Is your system storing this data? If so, are you aware of it?
-
Did you check for inadequate access controls due to improperly installed point-of-sale (POS) systems, which allow malicious users in via paths intended for POS vendors?
-
Were default system settings and passwords changed when the system was installed?
-
Were unnecessary and insecure services removed or secured when the system was installed?
-
Checked for poorly coded web applications that could result in SQL injection and other vulnerabilities, which allow access to the database storing cardholder data directly from the website?
-
Checked for missing and outdated security patches?
-
Checked for adequate logging protocols?
-
Checked for adequate monitoring (via log reviews, intrusion detection/prevention, quarterly vulnerability scans, and file integrity monitoring systems)?
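To answer the first failure above ("is your system storing SAD, and are you aware of it?"), a practical check is to scan application logs, databases and files written by the POS for track data and bare PANs. The following scanner is an added example, not part of this checklist or any vendor's tooling; it uses simplified track-1/track-2 framing, a Luhn check to drop ordinary digit runs, and constructed sample log lines built from public test card numbers.

```python
import re

# Track 2: ';' PAN '=' YYMM service-code discretionary '?' (simplified framing).
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})\d*\?")
# Track 1 format B: '%B' PAN '^' name '^' YYMM service-code discretionary '?' (simplified).
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^(\d{4})(\d{3})[^?]*\?")
# Bare PAN: 13-19 digits, optionally split by spaces or hyphens, not inside a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn check: rejects most non-PAN digit runs (order ids, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """Report only first six and last four digits, the PCI DSS display allowance."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_text(text: str) -> list:
    """Return (line_no, kind, masked_pan). Track data is SAD (never storable); a bare PAN is cardholder data."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for rx, kind in ((TRACK1_RE, "SAD:TRACK1"), (TRACK2_RE, "SAD:TRACK2")):
            for m in rx.finditer(line):
                hits.append((n, kind, mask(m.group(1))))
            line = rx.sub(" ", line)  # blank the track so its PAN is not reported twice
        for m in PAN_RE.finditer(line):
            pan = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(pan):
                hits.append((n, "PAN", mask(pan)))
    return hits

# Constructed sample log lines using public test card numbers; not from any real system.
SAMPLE_LOG = "\n".join([
    "2024-05-01 12:00:01 auth ok txn=8812 track2=;4111111111111111=25121010000000000000?",
    "2024-05-01 12:00:02 receipt pan=4111-1111-1111-1111 amount=19.99",
    "2024-05-01 12:00:03 order id=1234567890123 status=shipped",
    "2024-05-01 12:00:04 debug track1=%B5555555555554444^DOE/JANE^25121010000000000?",
])

if __name__ == "__main__":
    for line_no, kind, masked in scan_text(SAMPLE_LOG):
        print(f"line {line_no}: {kind} {masked}")
```

Any "SAD:" hit is a prohibited-storage finding to remediate with the vendor; "PAN" hits show where cardholder data lands and therefore where the additional PCI DSS controls apply.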
POS Vendor System's Security (Ask POS Vendor)
-
Have default settings and passwords been changed on the systems and databases that are part of the POS system?
-
Do you access my POS system remotely?
-
If so, have you implemented appropriate controls to prevent others from accessing my POS system, such as using secure remote access methods and not using common or default passwords?
-
How often do you access my POS device remotely and why?
-
Who is authorized to access my POS remotely?
-
Have all unnecessary and insecure services been removed from the systems and databases that are part of the POS system?
-
Is my POS software validated to the Payment Application Data Security Standard (PA-DSS)?
-
Does my POS software store sensitive authentication data, such as track data or PIN blocks?
-
If so, this storage is prohibited: how quickly can you help me remove it?
-
Does my POS software store primary account numbers (PANs)?
-
If so, this storage must be protected: how is the POS protecting this data?
-
Will you document the list of files written by the application, with a summary of each file's contents, to verify that the prohibited data mentioned above is not stored?
-
Does my POS software enforce complex and unique passwords for all user access?
-
Can you confirm that you do not use common or default passwords for access to my system and other merchant systems you support?
-
Have all the systems and databases that are part of the POS system been patched with all applicable security updates?
-
Is the logging capability turned on for the systems and databases that are part of the POS system?
-
If prior versions of my POS software stored sensitive authentication data, has this feature been removed during current updates to the POS software? Was a secure wipe utility used to remove this data?
Cardholder Data
-
Payment brand rules allow for the storage of primary account number (PAN), expiration date, cardholder name, and service code.
-
Is the storage of this data absolutely necessary for the business and its purpose? State why the data should be stored or eliminated.
-
Is the risk of having the data compromised worth the effort to store it?
-
Are the additional PCI DSS controls that need to be applied to protect the data worth the continued storage of this data?
-
Are the ongoing maintenance efforts to remain PCI DSS compliant over time worth the continued storage of this data?
-
Is the cardholder data that NEEDS to be stored properly consolidated and isolated through proper network segmentation?
Compliance Officer Sign-off
-
Full name and signature of the Compliance Officer in charge