AQSA Responsibilities -
- Gathering and maintaining evidence
- Documenting reporting sections of the executive summary
- Preparing draft sections of a ROC related to requirements for which the AQSA has gathered the evidence
- Under QSA supervision or specific criteria provided by a QSA, conducting interviews, reviewing documented evidence, following up on remediated findings, and conducting data center and site visits for non-primary locations
Additional PCI DSS Requirements for Multi-Tenant Service Providers -
- Must separate customer data
- Customers only have access to their own environment
- Penetration test must be conducted every 6 months
- Customers are able to report security incidents and vulnerabilities to the provider
12.10 - Suspected and confirmed security incidents that could impact the CDE are responded to immediately
3DS Core - Organizations that support 3DS authentication use a 3DS ROC to show their compliance with this standard
Account Configurations -
- Idle accounts inactive for 90 days are to be removed
- Idle sessions over 15 minutes must be locked
- User logins must be locked for 30 minutes after 10 failed attempts
- Password length must be 12 characters (letters and numbers), and the password must differ from the last 4 passwords used
- MFA is required if the user is accessing the CDE
- Passwords must be changed every 90 days if MFA is not used
Account Data That May Be Stored After Authorization -
- Primary Account Number (PAN)
- Cardholder Name
- Expiration Date
- Service Code
Account Data That May NOT Be Stored After Authorization -
- Full Track Data
- Card Verification Code
- PIN / PIN Block
Acquirer - Sends payment transaction data through the payment network to the issuer
Acquirer Role -
- Responsible for ensuring their merchants are compliant and following the compliance programs set forth by the participating payment brands
- Responsible for determining the merchant's reporting method and accepting compensating controls
- Responsible for any necessary actions resulting from merchant data breaches, such as passing on penalties and supporting forensic investigations
- Familiar with each payment brand's compliance validation programs
Appendix A (P2) - Findings and Observations: Additional PCI DSS Requirements
- Appendix A1: Additional PCI DSS Requirements for Multi-Tenant Service Providers
- Appendix A2: Additional PCI DSS Requirements for Entities Using SSL/Early TLS for Card-Present POS POI Terminal Connections
Appendix A2 - Entities using SSL and early TLS must work toward upgrading to a strong cryptographic protocol. No new systems can contain SSL or early TLS. An entity is required to undergo an assessment according to this Appendix ONLY if instructed to do so by an acquirer or a payment brand.
Appendix C (P2) - Compensating Controls Worksheet
- Use this worksheet to document any instance where a compensating control is used to meet a PCI DSS defined requirement. Note that compensating controls must also be documented at the corresponding PCI DSS requirement in Part 2 findings and observations.
Approved Scanning Vendor (ASV) - Scan reports and attestations are usually sent by an Approved Scanning Vendor (ASV) to their client
AQSA DON'Ts -
- Leading a PCI DSS Assessment
- Confirming PCI DSS compliance to customers
- Signing an Attestation of Compliance
- Validating the scope of a PCI DSS Assessment
- Selecting systems and system components where sampling is used
- Evaluating compensating controls
- Evaluating customized controls
- Initiating or leading compliance discussions with payment brands or acquirers
Assessment Planning -
- Determine the time and resources needed to complete the assessment
- Decide whether assessment activities will be on-site, remote, or a combination
- Reviewing documentation can help prepare for on-site activities
Assessment Process -
1. Assessor
2. Scope
3. Assess
4. Report