AQSA
AQSA Responsibilities - - Gathering and maintaining evidence
- Documenting reporting sections of the executive summary
- Preparing draft sections of a ROC related to requirements for which the AQSA has gathered the
evidence
- Under QSA supervision or specific criteria provided by a QSA, conducting interviews, reviewing
documented evidence, following up on remediated findings, and conducting data center and site visits
for non-primary locations.
Additional PCI DSS Requirements for Multi-Tenant Service Providers (Appendix A1) - - Must logically separate each customer's environment and data from every other customer and from the provider's own environment
- Each customer can access only its own environment and account data
- The effectiveness of the logical separation controls is confirmed by penetration testing at least once every six months
- Customers are able to report suspected security incidents and vulnerabilities to the provider, and the provider has a process to address them
12.10 - Suspected and confirmed security incidents that could impact the CDE are responded to
immediately
3DS Core - Organizations that support 3DS authentication use a 3DS ROC (Report on Compliance) to show their compliance with the PCI 3DS Core Security Standard
Account Configurations - - User accounts inactive for more than 90 days are removed or disabled
- Sessions idle for more than 15 minutes require the user to re-authenticate
- After no more than 10 invalid login attempts the account is locked for at least 30 minutes, or until the user's identity is confirmed
- Passwords must be at least 12 characters (8 only where the system cannot support 12), contain both letters and numbers, and differ from the last 4 passwords used
- MFA is required for all access into the CDE
- Passwords must be changed at least every 90 days when a password is the only authentication factor
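The thresholds above are the kind of thing an assessor checks against an identity-provider export rather than by reading policy. The following is an added example (not from this guide or any PCI SSC material) that audits a constructed list of accounts against those numbers; the `Account` fields, the fixed clock `NOW` and the sample users are assumptions made to keep it self-contained.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Thresholds taken from the PCI DSS account requirements summarised above.
INACTIVE_DAYS = 90          # remove/disable accounts idle longer than this
PASSWORD_MAX_AGE_DAYS = 90  # enforced only where a password is the sole factor
LOCKOUT_THRESHOLD = 10      # invalid attempts before the account is locked
LOCKOUT_MINUTES = 30        # minimum lockout duration
MIN_PASSWORD_LEN = 12
PASSWORD_HISTORY = 4


@dataclass
class Account:
    """Hypothetical shape of one row of an IdP export (assumption, not a real schema)."""
    username: str
    last_login: Optional[datetime]   # None: never logged in since creation
    created: datetime
    password_changed: datetime
    mfa_enabled: bool
    cde_access: bool
    failed_attempts: int


def audit_account(acct: Account, now: datetime) -> List[str]:
    """Return findings for one account; an empty list means no gap against the thresholds."""
    findings: List[str] = []
    last_activity = acct.last_login or acct.created
    if (now - last_activity).days > INACTIVE_DAYS:
        findings.append("inactive: remove or disable")
    if acct.cde_access and not acct.mfa_enabled:
        findings.append("CDE access without MFA")
    if not acct.mfa_enabled and (now - acct.password_changed).days > PASSWORD_MAX_AGE_DAYS:
        findings.append("password older than 90 days with no MFA")
    if acct.failed_attempts >= LOCKOUT_THRESHOLD:
        until = now + timedelta(minutes=LOCKOUT_MINUTES)
        findings.append(f"lock until {until.isoformat(timespec='minutes')} or until identity is confirmed")
    return findings


def password_acceptable(candidate: str, previous: List[str]) -> bool:
    """Length, letters-and-digits, and not one of the last four passwords.
    Real systems compare against stored hashes; plaintext history is used here
    only to keep the example self-contained."""
    has_alpha = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    return (len(candidate) >= MIN_PASSWORD_LEN and has_alpha and has_digit
            and candidate not in previous[-PASSWORD_HISTORY:])


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed clock so the sample is reproducible


def days_ago(n: int) -> datetime:
    return NOW - timedelta(days=n)


# Constructed sample export (not taken from any real system).
SAMPLE_ACCOUNTS = [
    Account("alice", days_ago(5), days_ago(400), days_ago(30), True, True, 0),
    Account("bob", days_ago(120), days_ago(400), days_ago(200), False, True, 2),
    Account("carol", days_ago(1), days_ago(400), days_ago(10), False, False, 12),
    Account("dave", None, days_ago(95), days_ago(95), True, False, 0),
]


def audit_all(accounts: List[Account], now: datetime = NOW) -> Dict[str, List[str]]:
    return {a.username: audit_account(a, now) for a in accounts}


if __name__ == "__main__":
    for user, findings in audit_all(SAMPLE_ACCOUNTS).items():
        print(user, findings or ["ok"])
```

For a real review, replace `NOW` with `datetime.now(timezone.utc)` and build the `Account` list from the IdP's export; the findings map directly onto the evidence an AQSA would gather for Requirement 8.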
Account Data That May Be Stored After Authorization - - Primary Account Number (PAN), which must be rendered unreadable wherever it is stored
- Cardholder Name
- Expiration Date
- Service Code
Account Data That May NOT Be Stored After Authorization (Sensitive Authentication Data) - - Full track data (magnetic stripe or chip equivalent)
- Card verification code (CAV2/CVC2/CVV2/CID)
- PIN / PIN block
Sensitive authentication data may not be retained after authorization even if it is encrypted.
Acquirer - The merchant's bank; receives payment transaction data from the merchant and sends it through the payment brand network to the issuer
Acquirer Role - - Responsible for ensuring their merchants are compliant and following the
compliance programs set forth by the participating payment brands
- Responsible for determining the merchant's reporting method and accepting compensating controls
- Responsible for any necessary actions resulting from merchant data breaches such as passing on
penalties and supporting forensic investigations
- Familiar with each payment brand's compliance validation programs
Appendix A (P2) - Findings and Observations: Additional PCI DSS Requirements
- Appendix A1: Additional PCI DSS Requirements for Multi-Tenant Service Providers
- Appendix A2: Additional PCI DSS Requirements for Entities Using SSL/Early TLS for Card-Present POS POI Terminal Connections
Appendix A2 - Entities using SSL and early TLS must work toward upgrading to a strong cryptographic protocol. No new systems can contain SSL or early TLS. An entity is required to undergo an assessment according to this Appendix ONLY if instructed to do so by an acquirer or a payment brand.
Appendix C (P2) - Compensating Controls Worksheet
- Use this worksheet to document any instance where a compensating control is used to meet a PCI DSS
defined requirement. Note that compensating controls must also be documented at the corresponding
PCI DSS requirement in Part 2 findings and observations
Approved Scanning Vendor (ASV) - A company approved by the PCI SSC to perform the external vulnerability scans required at least once every three months (Requirement 11.3.2). The ASV delivers the scan report and the ASV attestation to its scan customer, who then provides them to the assessor, acquirer or payment brand as required
AQSA DON'Ts - - Leading a PCI DSS Assessment
- Confirming PCI DSS compliance to customers
- Signing the Attestation of Compliance
- Validating the scope of a PCI DSS Assessment
- Selection of systems and systems components where sampling is used
- Evaluating compensating controls
- Evaluating customized controls
- Initiating or leading compliance discussions with payment brands or acquirers
Assessment Planning - - Determine the time and resources needed to complete the assessment
- Decide whether assessment activities will be on-site, remote, or a combination
- Reviewing documentation in advance helps prepare for on-site activities
Assessment Process - 1. Assessor
2. Scope
3. Assess
4. Report