1. PCI SSC Validated (IP-Connected) PTS Devices SAQ B-IP (49 Assessment Requirements)
   Eligibility criteria:
   - The merchant uses only standalone, PCI-listed approved PTS POI devices (excludes SCRs and SCRPs) connected via IP to the merchant's payment processor to take customers' payment card information;
   - The standalone, IP-connected POI devices are validated to the PTS POI program as listed on the PCI SSC website (excludes SCRs and SCRPs);
   - The standalone, IP-connected PTS POI devices are not connected to any other systems within the merchant environment (this can be achieved via network segmentation to isolate PTS POI devices from other systems);
   - The only transmission of account data is from the approved PTS POI devices to the payment processor;
   - The PTS POI device does not rely on any other device (e.g., computer, mobile phone, tablet, etc.) to connect to the payment processor;
   - The merchant does not store account data in electronic format; and
   - Any account data the merchant might retain is on paper (for example, printed reports or receipts), and these documents are not received electronically.
    1. Goal 1: Build and Maintain a Secure Network and Systems
      1. Requirement 1: Install and Maintain Network Security Controls
        1. 1.2 Network security controls (NSCs) are configured and maintained.
          1. 1.2.3 Network Diagram
          2. 1.2.5 Documented allowed Services, Ports & Protocols
          3. 1.2.6 Documented, risk-managed, insecure features.
        2. 1.3 Network access to and from the cardholder data environment is restricted.
          1. 1.3.1 Inbound network is strictly controlled.
          2. 1.3.2 Outbound network traffic is strictly controlled.
          3. 1.3.3 All wireless networks are isolated from the CDE.
        3. 1.4 Network connections between trusted and untrusted networks are controlled.
          1. 1.4.3 Anti-Spoofing measures are in place and managed.
      2. Requirement 2: Apply Secure Configurations to All System Components
        1. 2.2 System components are configured and managed securely.
          1. 2.2.2 Vendor defaults are changed. Note: For SAQ B-IP, this requirement applies to firewall/router devices on the merchant’s network that connect its PTS POI devices to the payment processor.
          2. 2.2.7 Encrypted non-console admin access
        2. 2.3 Wireless environments are configured and managed securely.
          1. 2.3.1 Defaults on connected wireless environments are changed.
          2. 2.3.2 Wireless environment encryption keys are changed.
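The Requirement 1 and 2 items above describe the network posture a SAQ B-IP merchant must document (1.2.5), enforce (1.3.1, 1.3.2, 1.3.3, 1.4.3) and administer securely (2.2.7). The following nftables ruleset is an added illustration of that posture for the merchant's firewall/router; it is not part of the PCI SSC SAQ and is not vendor code. The interface names, the POI VLAN subnet, the administrative host address and the processor endpoints (taken from the TEST-NET-3 documentation range) are assumptions and must be replaced with the merchant's own documented values.

```nftables
# Added example (not from the SAQ): firewall/router ruleset for the segment that
# carries standalone PTS POI devices. The only flow permitted out of that segment
# is POI -> payment processor; nothing may reach the segment from the store LAN,
# wireless, or the Internet. All names and addresses below are assumptions.
flush ruleset

define POI_IF     = "vlan10"                      # assumed: VLAN holding only PTS POI devices
define LAN_IF     = "vlan20"                      # assumed: store LAN (back office, Wi-Fi)
define WAN_IF     = "eth0"
define POI_NET    = 10.10.10.0/24                 # assumed POI subnet
define ADMIN_HOST = 10.10.20.5                    # assumed management workstation
define PROCESSOR  = { 203.0.113.10, 203.0.113.11 } # assumed processor endpoints (TEST-NET-3)
define PROC_PORTS = { 443 }                        # the documented allowed service (Req. 1.2.5)

table inet pci_b_ip {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # Req. 2.2.7: non-console admin access only over SSH, only from the admin host
        iif $LAN_IF ip saddr $ADMIN_HOST tcp dport 22 accept
        # POI devices may use this router for DHCP and DNS only
        iif $POI_IF udp dport { 53, 67 } accept
        log prefix "pci-input-drop " drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Req. 1.4.3 anti-spoofing: frames arriving on the POI VLAN must carry a POI
        # source address, and every source must be routable back via the ingress interface.
        iif $POI_IF ip saddr != $POI_NET log prefix "pci-spoof " drop
        fib saddr . iif oif missing log prefix "pci-spoof-fib " drop

        # Req. 1.3.2 / eligibility: the ONLY outbound flow from POI devices is to the
        # processor on the documented port.
        iif $POI_IF oif $WAN_IF ip saddr $POI_NET ip daddr $PROCESSOR tcp dport $PROC_PORTS ct state new accept

        # Req. 1.3.1 / 1.3.3: no new connections into the POI VLAN from LAN, wireless or Internet.
        oif $POI_IF log prefix "pci-to-poi-drop " drop

        # Store LAN keeps ordinary Internet access; it never meets the POI segment above.
        iif $LAN_IF oif $WAN_IF accept

        log prefix "pci-forward-drop " drop
    }

    chain postrouting {
        type nat hook postrouting priority 100;
        oif $WAN_IF masquerade
    }
}
```

Load with `nft -f` and keep the file under change control: the `define` lines are the documented list of allowed services, ports and protocols that 1.2.5 asks for, and the logged drop rules give the evidence for 1.3.1 and 1.3.2 that an assessor will ask to see. Any additional rule (for example a vendor remote-support path) is a documented, risk-managed exception under 1.2.6, not a silent edit.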
    2. Goal 2: Protect Account Data
      1. Requirement 3: Protect Stored Account Data Note: For SAQ B-IP, Requirement 3 applies only to merchants with paper records that include account data (for example, receipts or printed reports).
        1. 3.1 Processes and mechanisms for protecting stored account data are defined and understood.
          1. 3.1.1 Data Lifecycle Management policies & procedures.
        2. 3.3 Sensitive authentication data (SAD) is not stored after authorization.
          1. 3.3.1 SAD retention limitation.
          2. 3.3.1.1 Track data retention limitation.
          3. 3.3.1.2 CVV data retention limitation.
          4. 3.3.1.3 PIN data retention limitation.
        3. 3.4 Access to displays of full PAN and ability to copy PAN is restricted.
          1. 3.4.1 PAN display restriction.
    3. Goal 3: Maintain a Vulnerability Management Program
      1. Requirement 6: Develop and Maintain Secure Systems and Software
        1. 6.3 Security vulnerabilities are identified and addressed. Note: For SAQ B-IP, this requirement applies to the merchant’s firewall/router devices that connect PTS POI devices to the payment processor. Identification and management of security vulnerabilities for PTS POI devices are often handled by the merchant’s terminal provider or processor. The merchant should contact the entity managing its terminals to understand how this requirement is met and the responsibilities of the merchant and of the entity managing the terminals.
          1. 6.3.1 Vulnerability lifecycle management.
          2. 6.3.3 Patch & Vulnerability management.
    4. Goal 4: Implement Strong Access Control Measures
      1. Requirement 7: Restrict Access to System Components and Cardholder Data by Business Need to Know
        1. 7.2 Access to system components and data is appropriately defined and assigned.
          1. 7.2.2 Least Privilege principle
      2. Requirement 8: Identify Users and Authenticate Access to System Components
        1. 8.1 Processes and mechanisms for identifying users and authenticating access to system components are defined and understood.
          1. 8.1.1 Logical Access Management policies & procedures. SAQ Completion Guidance: Selection of any of the In Place responses for Requirement 8.1.1 means that the merchant has policies and procedures in place that govern merchant activities for Requirement 8.
        2. 8.2 User identification and related accounts for users and administrators are strictly managed throughout an account’s lifecycle.
          1. 8.2.2 Group, Shared or Generic user accounts are strictly managed.
          2. 8.2.7 Third-Party Access Management.
        3. 8.4 Multi-factor authentication (MFA) is implemented to secure access into the CDE.
          1. 8.4.3 Access from outside the corporate network is protected by MFA.
      3. Requirement 9: Restrict Physical Access to Cardholder Data
        1. 9.1 Processes and mechanisms for restricting physical access to cardholder data are defined and understood.
          1. 9.1.1 Physical Security & Access Management policies & procedures. SAQ Completion Guidance: Selection of any of the In Place responses for Requirement 9.1.1 means that the merchant has policies and procedures in place that govern merchant activities for Requirement 9, including how any paper media with cardholder data is secured, and how POI devices are protected.
        2. 9.2 Physical access controls manage entry into facilities and systems containing cardholder data.
          1. 9.2.2 Protection of publicly-accessible network jacks
        3. 9.4 Media with cardholder data is securely stored, accessed, distributed, and destroyed. Note: For SAQ B-IP, Requirements at 9.4 only apply to merchants with paper records (for example, receipts or printed reports) with account data, including primary account numbers (PANs). SAQ Completion Guidance: Selection of any of the In Place responses for Requirements at 9.4 means that the merchant securely stores any paper media with account data, for example by storing the paper in a locked drawer, cabinet, or safe, and that the merchant destroys such paper when no longer needed for business purposes. This includes a written document or policy for employees, so they know how to secure paper with account data and how to destroy the paper when no longer needed. If the merchant never stores any paper with account data, mark this requirement as Not Applicable and complete Appendix C: Explanation of Requirements Noted as Not Applicable.
          1. 9.4.1 Physically secure media
          2. 9.4.1.1 Secure offline media backups
          3. 9.4.2 Data classification
          4. 9.4.3 Secure media distribution
          5. 9.4.4 Management approval
          6. 9.4.6 Hardcopy secure destruction
        4. 9.5 Point-of-interaction (POI) devices are protected from tampering and unauthorized substitution.
          1. 9.5.1 Measures to protect POI devices
          2. 9.5.1.1 Maintain asset inventory
          3. 9.5.1.2 Maintain physical inspection schedule
          4. 9.5.1.3 Staff POI physical security training
    5. Goal 5: Regularly Monitor and Test Networks
      1. Requirement 11: Test Security of Systems and Networks Regularly
        1. 11.3 External and internal vulnerabilities are regularly identified, prioritized, and addressed.
          1. 11.3.2 Quarterly Internal Vulnerability Management
    6. Goal 6: Maintain an Information Security Policy
      1. Requirement 12: Support Information Security with Organizational Policies and Programs
        1. 12.1 A comprehensive information security policy that governs and provides direction for protection of the entity’s information assets is known and current. SAQ Completion Guidance: Selection of any of the In Place responses for Requirements 12.1.1 and 12.1.2 means that the merchant has a security policy that is reasonable for the size and complexity of the merchant’s operations, and that the policy is reviewed at least once every 12 months and updated if needed. For example, such a policy could be a simple document that covers how to protect the store and payment devices in accordance with the solution provider’s guidance/instruction manual, and who to call in an emergency.
          1. 12.1.1 Implement an Information Security Policy
          2. 12.1.2 Maintain an Information Security Policy
          3. 12.1.3 Information Security roles & responsibilities are clearly defined SAQ Completion Guidance: Selection of any of the In Place responses for Requirement 12.1.3 means that the merchant’s security policy defines basic security responsibilities for all personnel, consistent with the size and complexity of the merchant’s operations. For example, security responsibilities could be defined according to basic responsibilities by employee levels, such as the responsibilities expected of a manager/owner and those expected of clerks.
        2. 12.6 Security awareness education is an ongoing activity.
          1. 12.6.1 Formal Information Security awareness program SAQ Completion Guidance: Selection of any of the In Place responses for Requirement 12.6.1 means that the merchant has a security awareness program in place, consistent with the size and complexity of the merchant’s business operations. For example, a simple awareness program could be a flyer posted in the back office, or a periodic e-mail sent to all employees. Examples of awareness program messaging include descriptions of security tips all employees should follow, such as how to lock doors and storage containers, how to determine whether a payment terminal has been tampered with, and processes to confirm the identity and verify there is a legitimate business reason for any service workers when they arrive to service payment terminals.
        3. 12.8 Risk to information assets associated with third-party service provider (TPSP) relationships is managed.
          1. 12.8.1 Maintain a list of TPSP
          2. 12.8.2 Manage TPSP written agreements
          3. 12.8.3 TPSP due diligence
          4. 12.8.4 TPSP PCI DSS compliance status management
          5. 12.8.5 Understand outsourced responsibilities.
        4. 12.10 Suspected and confirmed security incidents that could impact the CDE are responded to immediately.
          1. 12.10.1 Implement an effective Incident Response Plan SAQ Completion Guidance: Selection of any of the In Place responses for Requirement 12.10.1 means that the merchant has documented an incident response and escalation plan to be used for emergencies, consistent with the size and complexity of the merchant’s operations. For example, such a plan could be a simple document posted in the back office that lists who to call in the event of various situations with an annual review to confirm it is still accurate, but could extend all the way to a full incident response plan including backup “hotsite” facilities and thorough annual testing. This plan should be readily available to all personnel as a resource in an emergency.
    7. Appendix A2: Additional PCI DSS Requirements for Entities using SSL/Early TLS for Card-Present POS POI Terminal Connections
      1. A2.1 POI terminals using SSL and/or early TLS are not susceptible to known SSL/TLS exploits.
        1. A2.1.1 The risk from POI terminals vulnerable to SSL or early TLS exploits is managed.
  2. PCI SSC Validated (Non-IP) PTS Devices SAQ B (27 Assessment Requirements)
     Eligibility criteria:
     - The merchant uses only an imprint machine and/or uses only standalone, dial-out terminals (connected via a phone line to the merchant processor) to take customers' payment card information;
     - The standalone, dial-out terminals are not connected to any other systems within the merchant environment;
     - The standalone, dial-out terminals are not connected to the Internet;
     - The merchant does not store account data in electronic format; and
     - Any account data the merchant might retain is on paper (for example, printed reports or receipts), and these documents are not received electronically.
    1. Goal 2: Protect Account Data
      1. Requirement 3: Protect Stored Account Data SAQ Completion Guidance: Selection of any of the In Place responses for Requirement 3.1.1 means that, if the merchant has paper storage of account data, the merchant has policies and procedures in place that govern merchant activities for Requirement 3. This helps to ensure personnel are aware of and following security policies and documented operational procedures for managing the secure storage of any paper records with account data. If merchant does not store paper records with account data, mark this requirement as Not Applicable and complete Appendix C: Explanation of Requirements Noted as Not Applicable.
        1. 3.1 Processes and mechanisms for protecting stored account data are defined and understood.
          1. 3.1.1 Data Lifecycle Management policies & procedures.
        2. 3.3 Sensitive authentication data (SAD) is not stored after authorization. SAQ Completion Guidance: Selection of any of the In Place responses for Requirement 3.3.1.2 means that if the merchant writes down the card verification code while a transaction is being conducted, the merchant either securely destroys the paper (for example, with a shredder) immediately after the transaction is complete, or obscures the code (for example, by “blacking it out” with a marker) before the paper is stored. If the merchant never requests the three-digit or four-digit number printed on the front or back of a payment card (“card verification code”), mark this requirement as Not Applicable and complete Appendix C: Explanation of Requirements Noted as Not Applicable.
          1. 3.3.1 SAD retention limitation.
          2. 3.3.1.1 Track data retention limitation.
          3. 3.3.1.2 CVV data retention limitation.
          4. 3.3.1.3 PIN data retention limitation.
        3. 3.4 Access to displays of full PAN and ability to copy PAN is restricted.
          1. 3.4.1 PAN display restriction.
    2. Goal 4: Implement Strong Access Control Measures
      1. Requirement 7: Restrict Access to System Components and Cardholder Data by Business Need to Know
        1. 7.2 Access to system components and data is appropriately defined and assigned.
          1. 7.2.2 Least Privilege principle
      2. Requirement 9: Restrict Physical Access to Cardholder Data
        1. 9.4 Media with cardholder data is securely stored, accessed, distributed, and destroyed. SAQ Completion Guidance: Selection of any of the In Place responses for Requirements at 9.4 means that the merchant securely stores any paper media with account data, for example by storing the paper in a locked drawer, cabinet, or safe, and that the merchant destroys such paper when no longer needed for business purposes. This includes a written document or policy for employees, so they know how to secure paper with account data and how to destroy the paper when no longer needed. If the merchant never stores any paper with account data, mark this requirement as Not Applicable and complete Appendix C: Explanation of Requirements Noted as Not Applicable.
          1. 9.4.1 Physically secure media
          2. 9.4.1.1 Secure offline media backups
          3. 9.4.2 Data classification
          4. 9.4.3 Secure media distribution
          5. 9.4.4 Management approval
          6. 9.4.6 Hardcopy secure destruction
        2. 9.5 Point-of-interaction (POI) devices are protected from tampering and unauthorized substitution. SAQ Completion Guidance: Selection of any of the In Place responses for Requirements at 9.5 means that the merchant has policies and procedures in place for Requirements 9.5.1, 9.5.1.1, 9.5.1.2, and 9.5.1.3, and that they maintain a current list of devices, conduct periodic device inspections, and train employees about what to look for to detect tampered or substituted devices.
          1. 9.5.1 Measures to protect POI devices
          2. 9.5.1.1 Maintain asset inventory
          3. 9.5.1.2 Maintain physical inspection schedule
          4. 9.5.1.3 Staff POI physical security training
    3. Goal 6: Maintain an Information Security Policy
      1. Requirement 12: Support Information Security with Organizational Policies and Programs
        1. 12.1 A comprehensive information security policy that governs and provides direction for protection of the entity’s information assets is known and current. SAQ Completion Guidance: Selection of any of the In Place responses for Requirements 12.1.1 and 12.1.2 means that the merchant has a security policy that is reasonable for the size and complexity of the merchant’s operations, and that the policy is reviewed at least once every 12 months and updated if needed. For example, such a policy could be a simple document that covers how to protect the store and payment devices in accordance with the solution provider’s guidance/instruction manual, and who to call in an emergency.
          1. 12.1.1 Implement an Information Security Policy
          2. 12.1.2 Maintain an Information Security Policy
          3. 12.1.3 Information Security roles & responsibilities are clearly defined SAQ Completion Guidance: Selection of any of the In Place responses for Requirement 12.1.3 means that the merchant’s security policy defines basic security responsibilities for all personnel, consistent with the size and complexity of the merchant’s operations. For example, security responsibilities could be defined according to basic responsibilities by employee levels, such as the responsibilities expected of a manager/owner and those expected of clerks.
        2. 12.6 Security awareness education is an ongoing activity.
          1. 12.6.1 Formal Information Security awareness program SAQ Completion Guidance: Selection of any of the In Place responses for Requirement 12.6.1 means that the merchant has a security awareness program in place, consistent with the size and complexity of the merchant’s business operations. For example, a simple awareness program could be a flyer posted in the back office, or a periodic e-mail sent to all employees. Examples of awareness program messaging include descriptions of security tips all employees should follow, such as how to lock doors and storage containers, how to determine whether a payment terminal has been tampered with, and processes to confirm the identity and verify there is a legitimate business reason for any service workers when they arrive to service payment terminals.
        3. 12.8 Risk to information assets associated with third-party service provider (TPSP) relationships is managed. SAQ Completion Guidance: Selection of any of the In Place responses for requirements at 12.8.1 through 12.8.5 means that the merchant has a list of, and agreements with, service providers it shares account data with or that could impact the security of the merchant’s cardholder data environment. For example, such agreements would be applicable if a merchant uses a document-retention company to store paper documents that include account data or if a merchant’s vendor accesses merchant systems remotely to perform maintenance.
          1. 12.8.1 Maintain a list of TPSP
          2. 12.8.2 Manage TPSP written agreements
          3. 12.8.3 TPSP due diligence
          4. 12.8.4 TPSP PCI DSS compliance status management
          5. 12.8.5 Understand outsourced responsibilities.
        4. 12.10 Suspected and confirmed security incidents that could impact the CDE are responded to immediately.
          1. 12.10.1 Implement an effective Incident Response Plan SAQ Completion Guidance: Selection of any of the In Place responses for Requirement 12.10.1 means that the merchant has documented an incident response and escalation plan to be used for emergencies, consistent with the size and complexity of the merchant's operations. For example, such a plan could be a simple document posted in the back office that lists who to call in the event of various situations with an annual review to confirm it is still accurate, but could extend all the way to a full incident response plan including backup "hotsite" facilities and thorough annual testing. This plan should be readily available to all personnel as a resource in an emergency.
  3. PCI SSC Validated Point To Point Encryption (P2PE) Solution (21 Assessment Requirements)
     Eligibility criteria:
     - All payment processing is via a validated, PCI-listed P2PE solution;
     - The only systems in the merchant environment that store, process or transmit account data are the payment terminals from a validated, PCI-listed P2PE solution;
     - The merchant does not otherwise receive, transmit, or store account data electronically;
     - Any account data the merchant might retain is on paper (for example, printed reports or receipts), and these documents are not received electronically; and
     - The merchant has implemented all controls in the P2PE Instruction Manual (PIM) provided by the P2PE Solution Provider.
    1. Goal 2: Protect Account Data
      1. Requirement 3: Protect Stored Account Data SAQ Completion Guidance: Selection of any of the In Place responses for Requirement 3.1.1 means that, if the merchant has paper storage of account data, the merchant has policies and procedures in place that govern merchant activities for Requirement 3. This helps to ensure personnel are aware of and following security policies and documented operational procedures for managing the secure storage of any paper records with account data. If merchant does not store paper records with account data, mark this requirement as Not Applicable and complete Appendix C: Explanation of Requirements Noted as Not Applicable.
        1. 3.1 Processes and mechanisms for protecting stored account data are defined and understood. Note: For SAQ P2PE, Requirement 3 applies only to merchants with paper records that include account data (for example, receipts or printed reports).
          1. 3.1.1 Data Lifecycle Management policies & procedures.
        2. 3.2 Storage of account data is kept to a minimum.
          1. 3.2.1 Storage of account data is minimized. SAQ Completion Guidance: Selection of any of the In Place responses for Requirement 3.2.1 means that the merchant has data disposal policies that govern account data storage and, if the merchant stores any paper (for example, receipts or paper reports) that contains account data, the merchant stores the paper per that policy (for example, only as long as it is needed for business, legal, and/or regulatory reasons) and destroys the paper once it is no longer needed. If a merchant never prints or stores any paper containing account data, mark this requirement as Not Applicable and complete Appendix C: Explanation of Requirements Noted as Not Applicable.
        3. 3.3 Sensitive authentication data (SAD) is not stored after authorization. SAQ Completion Guidance: Selection of any of the In Place responses for Requirement 3.3.1.2 means that if the merchant writes down the card verification code while a transaction is being conducted, the merchant either securely destroys the paper (for example, with a shredder) immediately after the transaction is complete, or obscures the code (for example, by “blacking it out” with a marker) before the paper is stored. If the merchant never requests the three-digit or four-digit number printed on the front or back of a payment card (“card verification code”), mark this requirement as Not Applicable and complete Appendix C: Explanation of Requirements Noted as Not Applicable.
          1. 3.3.1 SAD retention limitation.
          2. 3.3.1.2 CVV data retention limitation.
        4. 3.4 Access to displays of full PAN and ability to copy PAN is restricted.
          1. 3.4.1 PAN display restriction.
    2. Goal 4: Implement Strong Access Control Measures
      1. Requirement 7: Restrict Access to System Components and Cardholder Data by Business Need to Know
        1. 7.2 Access to system components and data is appropriately defined and assigned.
          1. 7.2.2 Least Privilege principle
      2. Requirement 9: Restrict Physical Access to Cardholder Data
        1. 9.1 Processes and mechanisms for restricting physical access to cardholder data are defined and understood.
          1. 9.1.1 Physical Security & Access Management policies & procedures. SAQ Completion Guidance: Selection of any of the In Place responses for Requirement 9.1.1 means that the merchant has policies and procedures in place that govern merchant activities for Requirement 9, including how any paper media with cardholder data is secured, and how POI devices are protected.
        2. 9.4 Media with cardholder data is securely stored, accessed, distributed, and destroyed. Note: For SAQ P2PE, Requirements at 9.4 only apply to merchants with paper records (for example, receipts or printed reports) with account data, including primary account numbers (PANs). SAQ Completion Guidance: Selection of any of the In Place responses for Requirements at 9.4 means that the merchant securely stores any paper media with account data, for example by storing the paper in a locked drawer, cabinet, or safe, and that the merchant destroys such paper when no longer needed for business purposes. This includes a written document or policy for employees, so they know how to secure paper with account data and how to destroy the paper when no longer needed. If the merchant never stores any paper with account data, mark this requirement as Not Applicable and complete Appendix C: Explanation of Requirements Noted as Not Applicable.
          1. 9.4.1 Physically secure media
          2. 9.4.1.1 Secure offline media backups
          3. 9.4.2 Data classification
          4. 9.4.3 Secure media distribution
          5. 9.4.4 Management approval
          6. 9.4.6 Hardcopy secure destruction
        3. 9.5 Point-of-interaction (POI) devices are protected from tampering and unauthorized substitution. Note: For SAQ P2PE, these requirements apply to the POI devices used by the merchant as part of the P2PE solution. SAQ Completion Guidance: Selection of any of the In Place responses for Requirements at 9.5 means that the merchant has policies and procedures in place for Requirements 9.5.1, 9.5.1.1, 9.5.1.2, and 9.5.1.3, and that they maintain a current list of devices, conduct periodic device inspections, and train employees about what to look for to detect tampered or substituted devices.
          1. 9.5.1 Measures to protect POI devices
          2. 9.5.1.1 Maintain asset inventory
          3. 9.5.1.2 Maintain physical inspection schedule
          4. 9.5.1.3 Staff POI physical security training
    3. Goal 6: Maintain an Information Security Policy
      1. Requirement 12: Support Information Security with Organizational Policies and Programs
        1. 12.1 A comprehensive information security policy that governs and provides direction for protection of the entity’s information assets is known and current. SAQ Completion Guidance: Selection of any of the In Place responses for Requirements 12.1.1 and 12.1.2 means that the merchant has a security policy that is reasonable for the size and complexity of the merchant’s operations, and that the policy is reviewed at least once every 12 months and updated if needed. For example, such a policy could be a simple document that covers how to protect the store and payment devices in accordance with the solution provider’s guidance/instruction manual, and who to call in an emergency.
          1. 12.1.1 Implement an Information Security Policy
          2. 12.1.2 Maintain an Information Security Policy
          3. 12.1.3 Information Security roles & responsibilities are clearly defined SAQ Completion Guidance: Selection of any of the In Place responses for Requirement 12.1.3 means that the merchant’s security policy defines basic security responsibilities for all personnel, consistent with the size and complexity of the merchant’s operations. For example, security responsibilities could be defined according to basic responsibilities by employee levels, such as the responsibilities expected of a manager/owner and those expected of clerks.
        2. 12.6 Security awareness education is an ongoing activity.
          1. 12.6.1 Formal Information Security awareness program SAQ Completion Guidance: Selection of any of the In Place responses for Requirement 12.6.1 means that the merchant has a security awareness program in place, consistent with the size and complexity of the merchant’s operations. For example, a simple awareness program could be a flyer posted in the back office, or a periodic e-mail sent to all employees. Examples of awareness program messaging include descriptions of security tips all employees should follow, such as how to lock doors and storage containers, how to determine whether a payment terminal has been tampered with, and processes to confirm the identity and verify there is a legitimate business reason for any service workers when they arrive to service payment terminals.
        3. 12.8 Risk to information assets associated with third-party service provider (TPSP) relationships is managed. SAQ Completion Guidance: Selection of any of the In Place responses for Requirements 12.8.1 through 12.8.5 means that the merchant has a list of, and agreements with, service providers they share account data with or that could impact the security of the merchant’s cardholder data environment. For example, such agreements would be applicable if a merchant uses a document-retention company to store paper documents that include account data or if a merchant’s vendor accesses merchant systems remotely to perform maintenance.
          1. 12.8.1 Maintain a list of TPSP
          2. 12.8.2 Manage TPSP written agreements
          3. 12.8.3 TPSP due diligence
          4. 12.8.4 TPSP PCI DSS compliance status management
          5. 12.8.5 Understand outsourced responsibilities.
        4. 12.10 Suspected and confirmed security incidents that could impact the CDE are responded to immediately.
          1. 12.10.1 Implement an effective Incident Response Plan SAQ Completion Guidance: Selection of any of the In Place responses for Requirement 12.10.1 means that the merchant has documented an incident response and escalation plan to be used for emergencies, consistent with the size and complexity of the merchant’s operations. For example, such a plan could be a simple document posted in the back office that lists who to call in the event of various situations with an annual review to confirm it is still accurate, but could extend all the way to a full incident response plan including backup “hotsite” facilities and thorough annual testing. This plan should be readily available to all personnel as a resource in an emergency.
  4. PCI Point to Point Encryption Solutions
    1. Vendor's P2PE Implementation Manual (PIM)
  5. PCI Approved PIN Transaction Security (PTS) Devices