PCI Compliance Check List

Overview

The Payment Card Industry Security Standards Council (PCI SSC), founded by Visa®, MasterCard®, Discover®, American Express®, and JCB®, maintains the PCI Data Security Standard (PCI DSS), a periodically revised set of requirements that help merchants and service providers keep card data secure.  You committed to abide by these standards in the agreement with your merchant services provider.

If you have not already, you may receive a letter from your merchant account provider / acquirer stating that you must attest to your compliance.  MyFBO.com Subscribers using the AHT Gateway can self-certify using the PCI Data Security Standard (DSS) Self-Assessment Questionnaire (SAQ) C.

Many of the requirements in the PCI standard are "check offs" as a result of the work done by MyFBO.com and AHT Gateway.  However there are requirements where you must take action or verify compliance as outlined in this document. 

Documents You Will Need

PCI DSS Compliance - Completion Steps 

  1. Get an AHT Gateway account, if you don't already have one. General information as well as information for initial contact with AHT Gateway is available in our Online Credit Card Processing document.
  2. Once you obtain an AHT Gateway account, we'll set up the gateway in your MyFBO system. 
  3. Complete the Self-Assessment Questionnaire (SAQ C) according to the instructions in the Self-Assessment Questionnaire Instructions and Guidelines.  (Steps for completing SAQ C are outlined below.)

    Complete the Attestation of Compliance in its entirety.  For Part 2c of the Attestation, please list the AHT Transaction Manager, version 2.0.2.1.  For Part 3a of the Attestation, please refer to the following documents:
  4. Complete a passing vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV), and obtain evidence of a passing scan from the ASV.  (See PCI Network Requirements.)
  5. Submit supporting documentation to your merchant account provider if it is ever requested. Supporting documentation is:

    1. Completed Self-Assessment Questionnaire (SAQ)
    2. Attestation of Compliance, including the MyFBO.com and AHT Services letters
    3. Passing results of the vulnerability scan

Attestation of Compliance, SAQ C

Part 1 - Qualified Security Assessor Company Information (if applicable)

You can leave Part 1 blank.

Part 2. Merchant Organization Information

Part 2 is your name and address.

Part 2a. Type of merchant business (check all that apply):

Check "Others" and then type your business type (e.g., Flight School). Also, list your facilities.

Part 2b. Relationships

This section states:

Does your company have a relationship with one or more third-party service providers (for example, gateways, web-hosting companies, airline booking agents, loyalty program agents, etc)?

Answer "Yes" and then list MyFBO.com and AHT Services.

Does your company have a relationship with more than one acquirer?

If this is your only merchant account then check "No". If you have others then check "Yes" and list them. An example may be "Phillips 66" (a fuel-card program with its own merchant account).

Part 2c. Transaction Processing

Payment Application in use: AHT Services

Payment Application Version: AHT Transaction Manager, version 2.0.2.1. 

Part 2d. Eligibility to Complete SAQ C

You will check all 5 boxes in this section. Here is the breakdown:

Merchant has a payment application system and an Internet or public network connection on the same device; 

This is true because you are using the Internet to process payments.  This is why you are using SAQ C rather than SAQ B or SAQ D.

The payment application system/Internet device is not connected to any other system within the merchant environment; 

The payment application itself runs at AHT Services, not on your network or systems, so this is true.

Merchant does not store cardholder data in electronic format; 

Assuming you do not maintain any electronic files of consumer cardholder data outside of your MyFBO.com database / AHT card vault, this is true.

If Merchant does store cardholder data, such data is only in paper reports or copies of paper receipts and is not received electronically; and 

Again, assuming you do not maintain any electronic files of consumer cardholder data outside of your MyFBO.com database / AHT card vault, this is true.

Merchant's payment application software vendor uses secure techniques to provide remote support to merchant's payment application system.

Neither MyFBO.com nor AHT Services provides remote support, as the payment application does not reside on your computers.  Because there is no remote support, this is true.

Part 3. PCI DSS Validation

After you have reviewed and completed the requirements below, check "Compliant".

Part 3a. Confirmation of Compliant Status

After you have reviewed and completed the requirements, check all of the boxes.

Part 3b. Merchant Acknowledgement

Sign the questionnaire.


Self-Assessment Questionnaire C

Note: If you answer any of the questions on this form with "Not Applicable" (N/A), you'll also need to fill out Appendix D: Explanation of Non-Applicability to explain why the related requirement is not applicable to your organization.

Requirement 1 - Install and maintain a firewall configuration to protect data

This requirement states:

1.2 Does the firewall configuration restrict connections between untrusted networks and any system in the cardholder data environment as follows: Note: An "untrusted network" is any network that is external to the networks belonging to the entity under review, and/or which is out of the entity's ability to control or manage. 

1.3 Does the firewall configuration prohibit direct public access between the Internet and any system component in the cardholder data environment?

Ensure that your network has a firewall between it and the Internet, and internally between the computers that process cards and the other workstations and public computers (for example, a pilot-lounge or student machine).  The firewall can be software or hardware and may be built into another device.  The broadband router already in place usually provides the boundary firewall (NAT plus a default-deny inbound policy); confirm that no port-forwarding or remote-management feature on it exposes an internal computer to the Internet.  The internal separation usually does not exist by default: put public and guest computers on their own subnet or VLAN with rules between it and the card-processing computers, or at minimum use the host firewall on each card-processing computer.  More information about network security is available in the PCI Network Requirements document and from your local network professional.
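The host-firewall part of that separation, as an added example that is not part of this document or of MyFBO.com / AHT Services: a PowerShell script for one Windows computer that processes cards. It assumes the NetSecurity module (Windows 8 / Server 2012 and later), an elevated PowerShell session, English Windows rule-group names, and a placeholder guest subnet of 192.168.50.0/24 that you must replace with your own addressing.

```powershell
# Added example (not from MyFBO.com or AHT Services): host firewall on a computer that
# processes cards, so it stays separated from public or guest computers even when the
# router does not segment them. Needs the NetSecurity module (Windows 8 / Server 2012
# and later) and an elevated PowerShell. The subnet below is a placeholder (assumption).
$GuestSubnet = '192.168.50.0/24'   # public / student / guest network in your building
$Tag         = 'PCI-CDE'           # rule group, so the rules can be listed or removed together

# Repeatable: drop rules from an earlier run before creating them again.
Get-NetFirewallRule -Group $Tag -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# 1.3: firewall on for every profile, with inbound traffic denied unless a rule allows it.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block

# Built-in inbound exceptions that expose this computer to the rest of the LAN.
# (Group names are those of English Windows; adjust for other languages.)
Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue

# 1.2: no traffic in either direction between this computer and the guest network.
# Block rules win over allow rules in Windows Firewall, so these override any exception.
New-NetFirewallRule -Group $Tag -DisplayName 'CDE: block guest subnet (in)' `
    -Direction Inbound  -Action Block -RemoteAddress $GuestSubnet | Out-Null
New-NetFirewallRule -Group $Tag -DisplayName 'CDE: block guest subnet (out)' `
    -Direction Outbound -Action Block -RemoteAddress $GuestSubnet | Out-Null

# Evidence for the SAQ: profile state and the rules just created.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
Get-NetFirewallRule -Group $Tag | Select-Object DisplayName, Direction, Action, Enabled
```

Address-based rules only work if the guest and public computers are actually on a different subnet or VLAN from the office; if everything shares one subnet, separate them at the router or switch first. The boundary firewall toward the Internet remains the router's job; this script only keeps the card-processing computer from talking to, or being reached by, the public side of your own network.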

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

This requirement states:

2.1 Are vendor-supplied defaults always changed before installing a system on the network? Examples include passwords, simple network management protocol (SNMP) community strings, and elimination of unnecessary accounts. 

2.1.1 (a) Are defaults* for wireless environments connected to the cardholder data environment or transmitting cardholder data changed before installing a wireless system? * Such wireless environment defaults include but are not limited to default wireless encryption keys, passwords, and SNMP community strings.
(b) Are wireless device security settings enabled for strong encryption technology for authentication and transmissions? 

2.3 Is all non-console administrative access encrypted? Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.

Make sure your hardware and software do not use vendor-supplied passwords.  Examples include the administrator passwords on your routers, switches, wireless access points and other network equipment, and any SNMP community strings still set to "public" or "private".  Also verify that any wireless access within your protected network uses WPA2 encryption with AES (CCMP); WEP, and WPA with TKIP, do not count as strong encryption and must not be used.  Finally, for 2.3, manage routers and other equipment only over HTTPS or SSH and disable plain HTTP and Telnet management wherever the device allows it.

Requirement 3: Protect stored cardholder data

Provided you do not store cardholder data outside of the MyFBO.com / AHT environment, these requirements are met by the online system and the AHT gateway.

Requirement 4: Encrypt transmission of cardholder data across open, public networks

This requirement states:

4.1 Are strong cryptography and security protocols, such as SSL/TLS or IPSEC, used to safeguard sensitive cardholder data during transmission over open, public networks?

Provided you do not otherwise transmit cardholder data, and that any wireless access within your protected network uses WPA2 encryption, this requirement is handled by MyFBO.com and AHT Services.

4.2 Are policies, procedures, and practices in place to preclude the sending of unencrypted PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat)?

This requirement is addressed by the Information Security Policy in Requirement 12.

Requirement 5: Use and regularly update anti-virus software or programs

This requirement states:

5.1 Is anti-virus software deployed on all systems, particularly personal computers and servers, commonly affected by malicious software? 

5.1.1 Are all anti-virus programs capable of detecting, removing, and protecting against all known types of malicious software? 

5.2 Are all anti-virus mechanisms current, actively running, and capable of generating audit logs?

You should be doing this religiously already.  It is also addressed by the Information Security Policy in Requirement 12.  Verify that anti-virus software is installed on every computer, that its subscription is current, that real-time protection is running, and that definitions update automatically.

Requirement 6: Develop and maintain secure systems and applications

This requirement states:

6.1 (a) Do all system components and software have the latest vendor supplied security patches installed? (b) Are critical security patches installed within one month of release?

If you operate in a Windows® environment, verify that all computers are configured to automatically download and install Windows® Updates.  Note that 6.1 covers all software, not just Windows: the web browser used for MyFBO.com, its plug-ins, and any other software on the card-processing computers also need security patches applied within a month of release, so either turn on their automatic updaters or put them on the same monthly checklist.
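A self-check for one card-processing Windows computer, covering the items you must verify yourself under Requirement 2 (wireless encryption, 2.1.1(b)), Requirement 5 (anti-virus) and Requirement 6 (automatic updates), as an added example that is not part of this document or of MyFBO.com / AHT Services. It assumes an elevated Windows PowerShell session on the computer itself, a client edition of Windows (the Security Center namespace it reads is not present on Windows Server), and the commonly observed but undocumented decoding of the Security Center productState field noted in the comments. Requirement 2.1 (vendor default passwords on routers and other equipment) cannot be checked from a workstation and stays a manual item.

```powershell
# Added example (not from MyFBO.com or AHT Services): self-check for one Windows computer
# used to process cards. Run in an elevated Windows PowerShell on the computer itself.

function Test-WirelessEncryption {
    # 2.1.1(b): WPA2 (or WPA3) with AES/CCMP passes; Open, WEP and WPA/TKIP fail.
    # A wired-only computer, or one whose Wi-Fi is disconnected, reports n/a.
    $text = (netsh wlan show interfaces) -join "`n"
    if ($text -match 'Authentication\s*:\s*(.+)') { $auth = $Matches[1].Trim() }
    else { return [pscustomobject]@{ Check='Wireless'; Result='n/a'; Detail='no connected wireless interface' } }
    $cipher = if ($text -match 'Cipher\s*:\s*(.+)') { $Matches[1].Trim() } else { '' }
    $pass = ($auth -match 'WPA2|WPA3') -and ($cipher -match 'CCMP|AES|GCMP')
    [pscustomobject]@{ Check='Wireless'; Result=$(if ($pass) {'PASS'} else {'FAIL'}); Detail="$auth / $cipher" }
}

function Test-AntiVirus {
    # 5.1/5.2: reads Windows Security Center (client editions of Windows only).
    # productState is an undocumented bit field; the decoding below is the commonly
    # observed one (assumption): hex digits 3-4 are '10' or '11' when real-time
    # protection is on, and digits 5-6 are '00' when definitions are current.
    $products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
    if (-not $products) { return [pscustomobject]@{ Check='Anti-virus'; Result='FAIL'; Detail='no anti-virus product registered' } }
    foreach ($p in $products) {
        $hex     = '{0:x6}' -f [uint32]$p.productState
        $on      = '10','11' -contains $hex.Substring(2,2)
        $current = $hex.Substring(4,2) -eq '00'
        [pscustomobject]@{
            Check  = 'Anti-virus'
            Result = $(if ($on -and $current) {'PASS'} else {'FAIL'})
            Detail = "$($p.displayName): running=$on, definitions current=$current"
        }
    }
}

function Test-WindowsUpdate {
    # 6.1(a): automatic updates must be on. NotificationLevel 4 = download and install
    # on a schedule (what this document asks for); 1 = disabled; 0 = not configured.
    # 6.1(b): critical patches within one month. As a proxy, the newest installed update
    # must be no older than 30 days; a computer that is only waiting for a reboot still
    # shows the old date, so confirm pending restarts by hand.
    $level = (New-Object -ComObject 'Microsoft.Update.AutoUpdate').Settings.NotificationLevel
    $last  = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $age   = if ($last) { (New-TimeSpan -Start $last.InstalledOn -End (Get-Date)).Days } else { [int]::MaxValue }
    $pass  = ($level -eq 4) -and ($age -le 30)
    [pscustomobject]@{
        Check  = 'Windows Update'
        Result = $(if ($pass) {'PASS'} else {'FAIL'})
        Detail = "notification level $level, last update $($last.HotFixID) installed $age days ago"
    }
}

function Invoke-CdeWorkstationCheck {
    # One row per check; keep the output with the SAQ as evidence for the computer.
    @(Test-WirelessEncryption; Test-AntiVirus; Test-WindowsUpdate)
}

Invoke-CdeWorkstationCheck | Format-Table -AutoSize
```

Run it on every computer that touches card data and keep the output with the completed SAQ. A FAIL row is a work item, not a verdict: anti-virus that reports stale definitions usually means a lapsed subscription, and a Windows Update failure on a newer Windows release can simply mean the setting is controlled from Settings or Group Policy, which the COM object reports as read-only; check there before changing anything.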

Requirement 7: Restrict access to cardholder data by business need-to-know

This requirement states:

7.1 (a) Is access to system components and cardholder data limited to only those individuals whose jobs require such access?

Access to system components is addressed by the Information Security Policy in Requirement 12.  Access to cardholder data is restricted by the MyFBO.com / AHT environment.

Requirement 8: Assign a unique ID to each person with computer access

This requirement states:

8.5.6 Are accounts used by vendors for remote maintenance enabled only during the time period needed?

Neither MyFBO.com nor AHT Services requires access for remote maintenance.  Provided you have no other vendors who perform remote maintenance, answer "N/A" and explain this in Appendix D (see the note at the top of this section).

Requirement 9: Restrict physical access to cardholder data

This requirement states:

9.6 Are all paper and electronic media that contain cardholder data physically secure? (a) Is strict control maintained over the internal or external distribution of any kind of media that contains cardholder data? 

9.7 (b) Do controls include the following: 

9.7.1 Is the media classified so it can be identified as confidential? 

9.7.2 Is the media sent by secured courier or other delivery method that can be accurately tracked? 

9.8 Are processes and procedures in place to ensure management approval is obtained prior to moving any and all media containing cardholder data from a secured area (especially when media is distributed to individuals)? 

9.9 Is strict control maintained over the storage and accessibility of media that contains cardholder data? 

9.10 Is media containing cardholder data destroyed when it is no longer needed for business or legal reasons? Destruction should be as follows: 

9.10.1 Are hardcopy materials shredded, incinerated, or pulped so that cardholder data cannot be reconstructed?

Please verify the above requirements.  The simplest way to meet them is not to keep card numbers on paper at all.  If you do keep paper with card data (receipts, forms, notes taken over the phone), you must comply with the procedures above: keep it locked up, label it confidential, control who moves it and where, and shred it as soon as it is no longer needed for business or legal reasons.

Requirement 10: Track and monitor all access to network resources and cardholder data

No questions applicable to SAQ C.

Requirement 11: Regularly test security systems and processes

This requirement states:

11.1 Is the presence of wireless access points tested for by using a wireless analyzer at least quarterly or by deploying a wireless IDS/IPS to identify all wireless devices in use? 

11.2 Are internal and external network vulnerability scans run at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades)?

Verification of wireless access points and an external scan of your network are required.  The passing ASV scan from step 4 of the Completion Steps covers the external scan; the quarterly wireless check is done by you or your local network professional, who should also advise you on the internal scan that 11.2 asks about.  Repeat both after any significant change to the network.  Please see the PCI Network Requirements for more information.
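A quarterly wireless survey for 11.1, as an added example that is not part of this document or of MyFBO.com / AHT Services: walk the building with a Windows laptop, run this in PowerShell, and keep the dated CSV with your compliance paperwork. It parses the output of `netsh wlan show networks mode=bssid`, compares each access point's radio address (BSSID) against a list of the ones you own, and flags strong unknown signals for investigation. The authorized BSSIDs, the SSID names and the constructed sample output are placeholders (assumptions) to be replaced with your own; the sample is used only when the computer has no wireless adapter, so the parser can be tried out offline.

```powershell
# Added example (not from MyFBO.com or AHT Services): 11.1 wireless survey.
# Authorized access points: every BSSID (radio MAC) you own, one per band per AP.
# Assumption: placeholder values; take the real ones from your AP's admin page.
$Authorized = @{
    '00:11:22:33:44:55' = 'Office AP 2.4 GHz'
    '00:11:22:33:44:56' = 'Office AP 5 GHz'
}

function ConvertFrom-NetshNetworks {
    # Turns the text of 'netsh wlan show networks mode=bssid' into one object per BSSID.
    param([Parameter(Mandatory)][string[]]$Lines)
    $out = New-Object System.Collections.Generic.List[object]
    $ssid = $null; $auth = $null; $enc = $null; $cur = $null
    foreach ($line in $Lines) {
        switch -Regex ($line) {
            '^SSID \d+\s*:\s*(.*)$'          { $ssid = $Matches[1].Trim(); if (-not $ssid) { $ssid = '<hidden>' } }
            '^\s+Authentication\s*:\s*(.+)$' { $auth = $Matches[1].Trim() }
            '^\s+Encryption\s*:\s*(.+)$'     { $enc  = $Matches[1].Trim() }
            '^\s+BSSID \d+\s*:\s*([0-9a-fA-F:]{17})' {
                $cur = [pscustomobject]@{ SSID=$ssid; BSSID=$Matches[1].ToLower(); Auth=$auth
                                          Encryption=$enc; Signal=$null; Channel=$null }
                $out.Add($cur)
            }
            '^\s+Signal\s*:\s*(\d+)%'        { if ($cur) { $cur.Signal  = [int]$Matches[1] } }
            '^\s+Channel\s*:\s*(\d+)'        { if ($cur) { $cur.Channel = [int]$Matches[1] } }
        }
    }
    $out
}

# Constructed sample output (assumption), used only when no wireless adapter is present.
$sample = @'
SSID 1 : FlightSchool
    Network type            : Infrastructure
    Authentication          : WPA2-Personal
    Encryption              : CCMP
    BSSID 1                 : 00:11:22:33:44:55
         Signal             : 88%
         Radio type         : 802.11n
         Channel            : 6
    BSSID 2                 : 00:11:22:33:44:56
         Signal             : 70%
         Radio type         : 802.11ac
         Channel            : 36

SSID 2 : linksys
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None
    BSSID 1                 : de:ad:be:ef:00:01
         Signal             : 75%
         Radio type         : 802.11n
         Channel            : 11
'@ -split "`r?`n"

$live = netsh wlan show networks mode=bssid
$raw  = if (@($live) -match 'BSSID') { $live } else { Write-Warning 'no wireless adapter; using sample'; $sample }

# Classify: yours, yours-but-weak (2.1.1(b)), strong unknown (probably inside the building), or a neighbor.
$survey = ConvertFrom-NetshNetworks -Lines $raw | ForEach-Object {
    $status = if ($Authorized.ContainsKey($_.BSSID)) {
                  if ($_.Auth -match 'WPA2|WPA3' -and $_.Encryption -match 'CCMP|AES|GCMP') { 'authorized' }
                  else { 'AUTHORIZED BUT WEAK ENCRYPTION' }
              } elseif ($_.Signal -ge 60) { 'INVESTIGATE: strong unknown AP' }
              else { 'neighbor' }
    $_ | Add-Member -NotePropertyName Status -NotePropertyValue $status -PassThru
}

$survey | Sort-Object Status, Signal -Descending |
    Format-Table SSID, BSSID, Auth, Encryption, Channel, Signal, Status -AutoSize
$survey | Export-Csv -NoTypeInformation -Path ("wireless-survey-{0}.csv" -f (Get-Date -Format 'yyyy-MM-dd'))
```

The 60% signal threshold is a rule of thumb for "close enough to be inside our walls"; adjust it after your first walk-through, when you know what the neighbors look like. A strong unknown access point is only a finding, not proof of a rogue device: check whether it is plugged into your wired network (follow the cable, or look for its MAC on your switch) before escalating. A full-strength survey tool or a wireless IDS sees more than Windows's last scan does, but for a single building this walk-through, done each quarter and filed, is what 11.1 asks for.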

Requirement 12: Maintain a policy that addresses information security for employees and contractors

This requirement states:

12.1 Is a security policy established, published, maintained, and disseminated, and does it accomplish the following: 

12.1.3 Includes a review at least once a year and updates when the environment changes? 

12.3 (a) Are usage policies for critical employee-facing technologies (for example, remote-access technologies, wireless technologies, removable electronic media, laptops, personal data/digital assistants [PDAs], e-mail, and Internet usage) developed to define proper use of these technologies for all employees and contractors? 

12.4 Do the security policy and procedures clearly define information security responsibilities for all employees and contractors? 

12.5 Are the following information security management responsibilities assigned to an individual or team? 

12.5.3 Establishing, documenting, and distributing security incident response and escalation procedures to ensure timely and effective handling of all situations? 

12.6 Is a formal security awareness program in place to make all employees aware of the importance of cardholder data security? 

12.8 If cardholder data is shared with service providers, are policies and procedures maintained and implemented to manage service providers, and do the policies and procedures include the following? 

12.8.1 A list of service providers is maintained. 

12.8.2 A written agreement is maintained that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possesses 

12.8.3 There is an established process for engaging service providers, including proper due diligence prior to engagement. 

12.8.4 A program is maintained to monitor service providers' PCI DSS compliance status.

MyFBO.com has prepared a draft Information Security Policy that you may download and modify to fit the needs of your company.   Word | PDF

Once your policy is in place, verify that it conforms to the requirements above.

 
 
Copyright © MyFBO.com                   [email protected]

01/27/11 cli