Completing Self Assessment Questionnaire B


1 Completing Self Assessment Questionnaire B
Short course for POS Terminal merchants
This presentation will cover:
- News since January affecting POS merchants
- PCI DSS Requirements and Reporting Compliance
- How NCSU POS merchants should complete their Self Assessment Questionnaire (SAQ) B
- PCI DSS definitions and vocabulary

2 Self Assessment Questionnaire B
Short course for POS Terminal merchants
PCI DSS Version 3.0 is coming soon:
- Preview version available in September 2013
- Final version and new SAQ documents released on November 7, 2013
- Merchants will be required to meet the new standard starting January 2015

3 The Push for EMV
Visa and MasterCard are taking different approaches to mandating EMV use.
Visa:
- Expand its Technology Innovation Program to allow merchants to forgo the need to undergo PCI compliance if at least 75% of transactions come from chip-enabled terminals.
- Require U.S. acquiring banks and sub-processor service providers to support merchant acceptance of chip transactions.
- Institute a U.S. liability shift for domestic and cross-border counterfeit card-present point-of-sale (POS) transactions.
MasterCard:
- Extend its existing EMV liability shift program for inter-regional Maestro ATM transactions.

4 EMV Timeline
- APRIL 1, 2013 - ACQUIRER AND SUB-PROCESSORS SUPPORT EMV: Visa and MasterCard acquirer processors must support EMV transactions.
- OCTOBER 2013 - ADC RELIEF FOR MERCHANTS (50%): MasterCard EMV-ready merchants (75% of POS transactions) receive 50% Account Data Compromise relief.
- OCTOBER 1, 2015 - FRAUD LIABILITY SHIFT: Visa and MasterCard shift fraud liability to the least secure entity.

5 EMV Timeline
- OCTOBER 2015 - ADC RELIEF FOR MERCHANTS (100%): MasterCard EMV-ready merchants (95% of POS transactions) receive 100% Account Data Compromise relief.
- OCTOBER 2016 - FRAUD LIABILITY SHIFT FOR ATMS: MasterCard shifts EMV liability to ATM hosts for inter-regional Maestro ATM transactions.
- OCTOBER 2017 - FRAUD LIABILITY SHIFT FOR AUTOMATED FUEL DISPENSERS: Extended liability deadline ends for fuel dispensers.
More Details:

6 Self Assessment Questionnaire B
Review from Merchant Training
Merchant responsibility:
-> Complete a Self Assessment Questionnaire for each merchant account
Cardholder Data - At a minimum, cardholder data consists of the full 16 digit credit card number. Cardholder data may also appear in the form of the full CCN plus any of the following: cardholder name, expiration date and/or CVV number.
Service Provider - any organization that stores, transmits or processes cardholder data on behalf of merchants or other service providers. Also other organizations that could impact merchant security (even if they don't have direct access to cardholder data). Examples include web hosting providers, Nelnet, Yahoo Storefront, Paypal, Intelipay.

7 What is a SAQ?
The PCI DSS Self-Assessment Questionnaire (SAQ) is a validation tool to allow merchants to self-evaluate compliance with the Payment Card Industry Data Security Standard (PCI DSS).
The SAQ consists of two primary components:
1. Questions about your account that correlate with the 12 PCI DSS requirements.
2. An Attestation of Compliance: your self-certification that you have assessed your unit's compliance as required in your SAQ form and identified action plans to address areas of non-compliance.
SAQs come in several forms based on how a merchant processes, transmits and stores cardholder data. Most University accounts use an SAQ-A, B or D.
SAQ completion is required annually by our acquiring bank and card brands.

8 PCI Data Security Standard v2.0: 6 Sections; 12 Main Requirements
Build and Maintain a Secure Network
1: Install and maintain a firewall
2: Do not use vendor defaults
Protect Cardholder Data
3: Protect stored data
4: Encrypt transmission of data
Maintain a Vulnerability Management Program
5: Use anti-virus software
6: Secure systems and applications
Implement Strong Access Control Measures
7: Business need-to-know
8: Assign a unique ID to each person
9: Restrict physical access
Regularly Monitor & Test Networks
10: Track and monitor access
11: Regularly test security
Information Security Policy
12: Maintain a policy
The SAQ-A addresses Requirements 9 & 12
The SAQ-B addresses Requirements 3, 4, 7, 9 & 12
The SAQ-D addresses all 12 Requirements

9 Annual SAQ Process
Most merchants have already started.
1. Determine the scope of the review. Go over your department operations and systems with regard to accepting payment cards. This assessment of your cardholder data environment helps you to accurately identify the appropriate scope for your review. Document your process to determine scope. Consider, for example:
- Where do you take cards? (e.g., multiple locations, front desk, internet)
- How do you take cards? (e.g., swipe terminal, Nelnet, fax, phone, in-person)
- Who touches cards and cardholder data?
- Is the data recorded anywhere? Where does it go?
2. Review unit payment card policy & procedures: take a look at your business process involving payment cards. Has your business process changed in the last year? Are your policies in agreement with PCI DSS and/or University policy?
3. Complete your SAQ B and Attestation.

10 Self Assessment Questionnaire B
Short course for POS Terminal merchants
Part 1: Merchant Information
- Department/College Name:
- Contact Name:
- Title:
- Telephone:
- Business Address:
- Merchant Account Name:

11 How to Complete Self Assessment Questionnaire B
Part 2: Type of Merchant Business
- Mail order / Telephone Order:
- Event Registration:
- Retail:
- Fund Raising:
- Other:
List facilities and locations included in PCI DSS review:
Short description of business:
Part 2a: Does your company have a relationship with one or more third-party agents (for example web hosting companies, or card gateways like Nelnet, Cybersource or Authorize.net)?
Name of Credit Card Processor (example: First Data):

12 How to Complete Self Assessment Questionnaire B
Part 2: Type of Merchant Business
2b. Eligibility to Complete SAQ B
Note: You must be able to answer Yes to all of the questions below to be eligible for SAQ B. If you no longer qualify for SAQ B, send a note explaining that to: merchantservices@ncsu.edu
- Merchant uses only an imprint machine to imprint customers' payment card information and does not transmit cardholder data over either a phone line or the internet; OR
- Merchant uses only standalone, dial-out terminals; and the standalone, dial-out terminals are not connected to the internet or any other systems within the merchant environment
- Merchant does not store cardholder data in electronic format; and
- If Merchant does store cardholder data, such data is only in paper reports or copies of receipts and is not received electronically.

13 How to Complete Self Assessment Questionnaire B
A standalone, dial-out terminal needs to be connected to a POTS analog phone line (not to a VoIP telephone system).
The NCSU campus VoIP system connects to a digital data network that is not PCI compliant.

14 How to Complete Self Assessment Questionnaire B
Part 3: Type of Merchant Business
3a: Eligibility to Complete SAQ B
- PCI DSS Self Assessment Questionnaire B, Version 2.0, was completed according to the instructions therein.
- All information within the above referenced SAQ and in this attestation fairly represents the results of my assessment.
- I have confirmed with my payment application vendor that my payment system does not store authentication data after authorization.
- I have read the PCI DSS and I recognize that I must maintain full PCI DSS compliance at all times.
- No evidence of magnetic stripe (i.e. track) data, CAV2, CVC2, CID or CVV2 data, or PIN data storage after transaction authorization was found on ANY systems reviewed during this assessment.

15 How to Complete Self Assessment Questionnaire B
Part 3: Type of Merchant Business
3a: Eligibility to Complete SAQ B
No evidence of magnetic stripe (i.e. track) data, CAV2, CVC2, CID or CVV2 data, or PIN data storage after transaction authorization was found on ANY systems reviewed during this assessment.
To meet this requirement, most merchants will need to contact First Data on their support line and ask if their device is running the latest PCI compliant firmware.
If your POS runs an application that is the PA-DSS listed version and you follow the implementation guide for setting up the application, then you have met this requirement.
The list of PA-DSS (Payment Application Data Security Standard) validated software is at: s.php

16 How to Complete Self Assessment Questionnaire B
Part 3: Type of Merchant Business
3a: Eligibility to Complete SAQ B
No evidence of magnetic stripe (i.e. track) data, CAV2, CVC2, CID or CVV2 data, or PIN data storage after transaction authorization was found on ANY systems reviewed during this assessment.
If your device uses chip and PIN technology, check that it is PA-PTS approved. It will be listed at: d_pin_transaction_security.php

17 Requirement 3: Protect cardholder data
Cardholder Data vs. Sensitive Authentication Data
Cardholder Data (Front of Card):
- PAN (Primary Account Number)
- Cardholder Name
- Expiration Date
Sensitive Authentication Data (Back of Card):
- CVC or CVV (Back of Card, except AMEX on Front)
- Full Magnetic Stripe or Equivalent on a chip
- PIN or PIN block
This data is very valuable to malicious individuals as it allows them to generate counterfeit payment cards and create fraudulent transactions.

18 Requirement 3: Protect cardholder data
(b) If sensitive authentication data is received and deleted, are processes in place to securely delete the data to verify that the data is unrecoverable?
Merchants can meet this requirement by checking with First Data or your vendor and verifying you have the latest PCI compliant firmware version installed in your device(s).
Configure your device NOT to use offline mode, in which it stores card numbers when the telephone line is not working.

19 Requirement 3: Protect cardholder data
(b) If sensitive authentication data is received and deleted, are processes in place to securely delete the data to verify that the data is unrecoverable?
How to tell if you receive sensitive authentication data? Testing procedures: check, at least, the following for Sensitive Authentication Data:
- Incoming transaction data
- All logs (for example, transaction, history, debugging, error)
- History files
- Trace files
- Several database schemas
- Database contents
Most NCSU POS device merchants will NOT have any of the above data and thus would NOT be receiving sensitive authentication data. If there is no S.A.D., then mark this question Special*.

20 Requirement 3: Protect cardholder data
3.2.c: Do all systems adhere to the following requirements regarding non-storage of sensitive authentication data AFTER authorization (even if encrypted)?
3.2.1: The full contents of any track from the magnetic stripe (located on the back of a card, equivalent data contained on a chip, or elsewhere) are not stored under any circumstance? Yes / No / Special
This data is alternatively called full track, track, track 1, track 2, and magnetic-stripe data.
Merchants can answer Yes here once they verify with First Data that their POS device has the latest PCI compliant firmware installed.

21 Requirement 3: Protect cardholder data
3.2.c: Do all systems adhere to the following requirements regarding non-storage of sensitive authentication data AFTER authorization (even if encrypted)?
- The card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) is not stored under any circumstance? Yes / No / Special
- The personal identification number (PIN) or the encrypted PIN block are not stored under any circumstance? Yes / No / Special

22 Requirement 3: Protect Cardholder Data
3.3 Is the credit card number masked when displayed or printed on a receipt? Yes / No / Special
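As an added example (not part of the presentation, and not NCSU or First Data code), the review described in the 3.2 testing procedures above (check incoming transaction data, logs, history and trace files for track data, card verification values and PINs) and the 3.3 masking check can be scripted. The Python below goes a little beyond the slides: it scans constructed sample log lines for ISO/IEC 7813 track 1 and track 2 data, Luhn-valid bare card numbers and labelled CVV fields, and masks every number it reports. The regular expressions, field names and sample lines are assumptions, not anything taken from the SAQ.

```python
"""Scan POS/terminal logs for sensitive authentication data (SAD) and
unmasked PANs (SAQ B requirements 3.2 and 3.3).

Constructed example for this page, not NCSU's or First Data's code.
The sample log lines are made up; the card number in them is the
public Visa test PAN 4111 1111 1111 1111.
"""
import re

# A bare PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not adjacent to other digits. Candidates are confirmed with the Luhn check.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# ISO/IEC 7813 magnetic-stripe formats (the "full track" data of 3.2.1):
#   track 1:  %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
#   track 2:  ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]*\^\d{4}[^?]*\?")
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}[^?]*\?")

# Card verification values next to their usual field names (3.2.2).
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid|cav2)\b\D{0,5}(\d{3,4})\b", re.I)


def luhn_ok(digits):
    """True if the digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Requirement 3.3: mask a PAN for display or a printed receipt.

    Keeps only the last four digits, the usual receipt format and within the
    first-six/last-four maximum that PCI DSS allows to be shown.
    """
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_line(line):
    """Return the SAD and unmasked-PAN findings in one log or receipt line."""
    findings = []
    # Full track data is the most serious finding; record it, then blank it
    # out so the PAN embedded in it is not reported a second time below.
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(line):
            findings.append({"kind": kind, "pan": mask_pan(m.group(1))})
        line = rx.sub("[%s]" % kind.upper(), line)
    for m in PAN_RE.finditer(line):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):             # drops order ids and other long numbers
            findings.append({"kind": "pan", "pan": mask_pan(digits)})
    for _ in CVV_RE.finditer(line):
        findings.append({"kind": "cvv", "pan": None})
    return findings


def scan_log(lines):
    """Scan every line; each finding carries its 1-based line number."""
    results = []
    for n, line in enumerate(lines, start=1):
        for f in scan_line(line):
            results.append(dict(line=n, **f))
    return results


# Constructed sample log lines (not real transaction data).
SAMPLE_LOG = [
    # Properly masked authorization record: no finding expected.
    "2013-09-12 10:01:03 AUTH ok amount=42.10 pan=411111******1111 auth=123456",
    # Debug trace that dumped both tracks of the magnetic stripe.
    "2013-09-12 10:02:17 DEBUG raw=%B4111111111111111^DOE/JANE^25121011000000?"
    ";4111111111111111=25121011000000?",
    # Offline (store-and-forward) record holding a clear PAN and CVV2.
    "2013-09-12 10:03:45 OFFLINE stored pan=4111 1111 1111 1111 exp=1225 cvv2=123",
    # A 16-digit order id that fails Luhn: must not be reported.
    "2013-09-12 10:04:00 INFO order id=1234567890123456 batch=17",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Any finding of kind track1, track2 or cvv means the device is retaining SAD after authorization and the 3.2 questions cannot honestly be answered Yes; a pan finding on receipt text is a 3.3 failure.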

23 Requirement 4: Encrypt transmission of cardholder data across open, public networks
- Open, public network - networks that are easily accessed: cell phone data networks, satellite data networks, WiFi hot spots
- Unprotected PANs = unencrypted PANs
- End-user messaging - email, instant message, text message, Skype, Facebook chat, Twitter, Google chat, iChat/FaceTime, ooVoo, etc.
4.2 Are policies in place that state unencrypted credit card numbers are not to be sent via end-user messaging technologies (this includes things like: email, instant message, text message, Skype, Facebook chat, Twitter, Google chat, iChat/FaceTime, ooVoo, etc.)? Y / N / Special

24 Req. 4 University Merchant Policy on Requirement 4: Encrypt transmission of cardholder data across open, public networks
From PCI DSS Standards Part 2c: End-user policy on the use of encryption for the transmission of PANs over open, public networks
Do not use email or other end-user messaging (EUM) technologies to transmit customer cardholder data. These EUM technologies include:
- Email: do not include cardholder data in the message or in attachments.
- Instant messaging, or other forms of electronic chat (e.g. Google chat, Facebook, Twitter, iChat/FaceTime, Skype, ooVoo)
- Text messaging (e.g. Short Message Service - SMS on mobile phones)
- Voicemail
Never send cardholder Personal Account Numbers (PANs) by end-user messaging technologies, neither encrypted nor unprotected (requirement 4.2). Do not encourage customers to use EUM technologies to leave their cardholder PANs. Never process any orders to be charged to PANs received by these technologies.
If you receive an instance of customer cardholder data via EUM, follow the procedure below:
- Do not, under any circumstances, process transactions associated with credit card numbers received in EUM. Doing so even once could make the whole email system or other messaging application subject to penalty for non-compliance with PCI DSS.
- If you receive a credit card number via EUM, respond to the sender with a standard template advising that the EUM transaction request cannot be processed. Either delete or redact the credit card number from the original message in your response (in other words, do not send the credit card number supplied back to the sender).
- In your response, if possible refer the sender either to a secure university credit card processing web page, or to another means for secure credit card processing for their transaction need.

25 Requirement 7: Restrict access to cardholder data by business need to know
7.1 Is access to system components and cardholder data limited to only those individuals whose jobs require such access, as follows:
- Are access rights for privileged user IDs restricted to the least privileges necessary to perform job responsibilities? Y / N / Special
Privileges to change settings in the POS (like debug mode) are restricted to as few people as possible.
Most standalone POS terminals don't have user IDs, passwords or access rights functions. If this is the case, answer Special* to this question and explain that the simple POS device doesn't have privileged user IDs.

26 Requirement 7: Restrict access to cardholder data by business need to know
7.1 Is access to system components and cardholder data limited to only those individuals whose jobs require such access, as follows:
Privileges to change settings in the POS (like debug mode) should be restricted to as few people as possible.
- Are privileges assigned to individuals based on job description and function? Y / N / Special
Most standalone POS terminals don't have privileged IDs or modes. In this case, answer Special* to this question and explain that the simple POS device doesn't have privileged user IDs.

27 Requirement 9.6: Physically secure all media
Req. 9.6: Are all paper documents with credit card numbers on them physically secured in a locked room or enclosure where there are a limited number of people with keys?
- Locked?
- Not a mixed-use enclosure/room (completed order forms and 10 other things)
- Limited number of keys, given only to full-time University employees using the payment application
- Document processes for the handling of keys: issuing new keys, returning keys, procedure for handling lost keys
- Create a PCI Procedures document if needed

28 Requirement 9.7: Maintain strict control of the distribution of cardholder data
Req. 9.7(a): Do you have rules and/or procedures that are followed when forms with card numbers on them are moved from your office to another location, department or company? Yes / No
- Distribution means cardholder data leaves your office (premises) and goes to another location, department or company.
- Strict means you have rules or specific procedures that are followed for controlling distribution of media containing card numbers.

29 Requirement 9.7: Maintain strict control of the distribution of cardholder data
Req. 9.7(b): Do you have a method for labeling paper documents with credit card numbers on them? Yes / No
- Do you have a specific label for forms or reports containing cardholder data?
- Do you keep all forms or reports containing cardholder data in a specific location?
You must have a method for labeling sensitive credit card data.

30 Requirement 9.7.2: Track all media when cardholder data is distributed
Req. 9.7.2: When paper forms with credit card numbers on them are moved/sent to another location, do you use a secured courier OR do you keep a log recording how many were moved/sent, when, and who moved it or picked it up?
Tracking:
- If you have an internal office gopher, keep a log of how many forms, who picked them up and when; OR use a secure courier service.
- If just moving a box to storage, count how many forms are put in the box before you move it and verify you have the same number when you get to the destination.

31 Req. 9.8:
(1) When media is moved from a secured area, is management approval obtained prior to moving the media (this is especially important when media is distributed to individuals)? Yes / No
(2) When media is moved from a secured area, are logs recorded (what was moved, who and when)? Yes / No
- Paper log of what was moved (how many forms, boxes, etc.), where, approval with reason, when moved
- Not stated, but the move should be to another secure location locked with limited keys and access by current employees only

32 Req. 9.9: Is strict control maintained over the stored media? Is access to media with credit card numbers restricted to university employees with a business need?
Guidelines for access to cardholder data:
- Have written procedures for issuing keys, returning keys, dealing with lost keys
- Lock the secure enclosure when not open for business
- Only open the lock when removing or returning an item
- Try to minimize the amount of cardholder data removed at a time
Strict: rules or specific procedures for controlling access to stored media containing credit card numbers

33 Req. 9.9:
(1) Is strict control maintained over the stored media? Yes / No / Special
(2) Is access to media with credit card numbers restricted to university employees with a business need? Y / N / S
Guidelines for access to cardholder data (continued):
- Keys are given only to people with a business need to have one
- Keys are turned in when no longer needed
- Locked when not open for business
- Enclosure locked except when taking something out or putting it back
Related requirement not in the SAQ report: conduct periodic media inventory checking to see that it is up to date and accurate; the check must be done at least annually.

34 Req. 9.10: Is media destroyed when no longer needed for business or legal reasons? Yes / No
- Use a cross-cut shredder (use micro-cut if possible: smaller pieces). 1/8 square is good, less than inch long chads
- Have a card number retention policy; shred at least once a year
- Destroy paper forms that are older than your retention policy
University Record Retention and Disposition policy:

35 Req.:
(a) Are hardcopy materials cross-cut shredded, incinerated or pulped so that cardholder data cannot be reconstructed?
(b) Are containers of paper to be destroyed secured to prevent access to the contents?

36 Requirement 12: Maintain a policy that addresses information security for all personnel
Requirement 12.1
NCSU PCI policies are at:
- University credit card policy:
- Controller's office policies
Req.: Is a security policy established, published, maintained and disseminated to all relevant personnel? Yes / No
Personnel - full-time, part-time, temporary employees and personnel, and contractors and consultants who are resident on the entity's site OR otherwise have access to the company's site cardholder data environment.
- Security policy ties everything together.
- Technically, policy may need to go to some vendors providing services as well.
- Policy is not a single document.
- Policy must be published and distributed to count.

37 Requirement 12.1
Has this policy been disseminated to all relevant personnel working on your POS devices? Yes / No
Requirement: Is the information security policy reviewed at least once a year and updated as needed to reflect changes to business objectives or the risk environment? Yes / No
Merchants can check Yes and plan to review any merchant-specific policies annually. Reviewing University policies annually is a responsibility assigned to OIT (see Security Responsibilities policy).

38 Requirement 12.3
Are usage policies for critical technologies (for example, remote-access technologies, wireless technologies, removable electronic media, laptops, tablets, personal data/digital assistants [PDAs], email, and Internet usage) developed to define proper use of these technologies for all personnel, and require the following:
- Explicit approval by authorized parties to use technologies? Y / N / Special
- A list of all such devices and personnel with access? Y / N / Special
- Acceptable uses of the technology? Y / N / Special
These usage policies are at:

39 Requirement 12.4: Do the security policy and procedures clearly define information security responsibilities for all personnel?
POS merchant security responsibilities are listed at:
Have you read and acknowledged these security responsibilities?
- Keep POS device up to date
- Check POS devices for tampering and skimmers
- Label devices with merchant name, contact information and function
- Secure storage and processing of forms containing credit card numbers
- Document and distribute merchant-specific security policies and procedures for handling credit card data
- Monitor and control access to paper forms that contain credit card numbers
- Update device inventory when it changes
- Attend PCI security awareness training annually

40 Requirement 12.4
- Check POS for tampering and skimmers: pdf White/
- Label device with merchant name, contact information and function
- Use tamper evident labels

41 Requirement 12.5
Are the following information security management responsibilities formally assigned to an individual or team?
- Establishing, documenting, and distributing security incident response and escalation procedures to ensure timely and effective handling of all situations
The security management responsibilities are assigned in this policy:

42 Requirement 12.5
Are the following information security management responsibilities formally assigned to an individual or team:
Establishing, documenting, and distributing security incident response and escalation procedures is assigned to OIT-ISS.
All security incidents should be reported to OIT-ISS using one of the following methods:
- During business hours, call 515-HELP and ask to speak with security
- At other times, send a page with your phone number and the phrase 'PCI security incident' to the OIT Security Group at:
- Send an email description to:
OIT-ISS is responsible for managing the response to reported security incidents involving payment applications.

43 Example security incidents:
- Lost or stolen device
- Skimmer found on device
- Employee skimming cards
- Device output noticed to include full credit card #
Merchants may be asked to collect evidence: take a picture of the skimmer and cables.

44 Requirement 12.6
Is a formal security awareness program in place to make all personnel aware of the importance of cardholder data security? Y / N / Special
The policy for this requirement is listed at:

45 Req.: Is your list of service providers up to date? Yes / No
Providing and maintaining a list was part of the assignment after the Demystifying PCI DSS Compliance merchant training.

46 Req.: In the contract with your service provider, does the service provider specifically accept responsibility for the security of cardholder data that the service provider possesses or collects? Yes / No / N/A
If you use a standalone dial-up terminal, it is unlikely that you are sharing data with a service provider. If that is the case for you, the appropriate response is Special (be sure to add an explanation in Appendix D: Explanation of Non-Applicability).

47 Adding/changing service providers requires prior approval by the NCSU Controller's Office
Req.: Are you aware of the NCSU process for using new service providers?
- When merchants want to add a service provider, they should consult with OIT-ISS and get approval from the Controller's office.
- OIT-ISS must assess the security and PCI compliance of the service provider prior to engaging the service provider.

48 The security and PCI DSS compliance of service providers must be checked at least annually.
Req.: Are you aware of the NCSU process to monitor compliance of your service providers?
Merchants will need to work with OIT-ISS to obtain documentation from the service provider, including:
- Executive summary of Report on Compliance (ROC)
- Certificate of PCI compliance
- Other documentation of PCI compliance
The process is for merchants to work with OIT to get the required documentation.

49 How to Complete Self Assessment Questionnaire B
Part 3: PCI DSS Validation
Based on the results noted in the SAQ B dated (completion date), (Merchant company name) asserts the following compliance status:
- Compliant: All sections of the PCI SAQ are complete, and all questions are answered Yes or Special*, resulting in an overall compliant rating, thereby demonstrating full compliance with the PCI DSS.
- Non-compliant: Not all sections of the PCI SAQ are complete, or some questions are answered No, resulting in an overall non-compliant rating, thereby not demonstrating full compliance with the PCI DSS. Target date for compliance: An entity submitting this form with a status of Non-Compliant is required to complete the Action Plan in Part 4 of this document.

50 How to Complete Self Assessment Questionnaire B
What is an Attestation?
An attestation clause is frequently found in legal documents that must be witnessed to be valid, such as signatures by those who bear witness to the authenticity of a will or a deed.
When a merchant makes an Attestation of Compliance they are, in essence, "bearing witness to the authenticity" of the SAQ. In other words, the merchant is affirming the SAQ was completed to the best of the merchant's ability, or in collaboration with colleagues who the merchant reasonably believes responded to the best of their ability. It means the merchant thought through each requirement, when needed sought assistance to understand and accurately respond, and believes the SAQ accurately reflects their account. The merchant didn't just check the boxes.

51 How to Complete Self Assessment Questionnaire B
Part 3a: Confirmation of Compliant Status
Merchant confirms:
- PCI DSS Self-Assessment Questionnaire B, Version 2.0, was completed according to the instructions given.
- All information within the above referenced SAQ and in this attestation fairly represents the results of my assessment.
- I have read the PCI DSS and I recognize that I must maintain full PCI DSS compliance at all times.

52 How to Complete Self Assessment Questionnaire B
Part 3b: Merchant Acknowledgement
Signature of Merchant Executive Officer / Date / Title

53 How to Complete Self Assessment Questionnaire B
Appendix D: Explain N/A and Special
For each N/A or Special response you mark in your SAQ, you MUST provide a descriptive reason why the requirement does not apply to your account. The description may be as simple as:
- Data is not shared with service providers.
- Containers are not used to temporarily store paper to be shredded. A cross-cut shredder is used to immediately shred documents no longer needed.
- No media is sent via courier.
For example: if you marked Special for Requirement 9, then state: Merchant has no order forms or reports that contain credit card data.

54 How to Complete Self Assessment Questionnaire B
Part 4: Action Plan for Non-Compliant Status
If you cannot meet a requirement:
- Indicate which requirement is not in place
- Indicate a date when requirement 3, 4, 7, 9 or 12 will be in place
Examples:
- We do not have a cross-cut shredder but will use the one in the office down the hall until we buy our own. We will purchase and install a cross-cut shredder, and train staff on use and handling of payment cards and disposal of sensitive information by September 30,
- Compliance remediation is in process; expect completion by July 31, 2013
- Will review current practices to identify & address gaps; will design and deliver training on new procedures by October 31, 2013

55 How to Complete Self Assessment Questionnaire B
Glossary
Authorization - occurs when a merchant receives transaction approval after the acquirer validates the transaction with the issuer/processor.
Cardholder Data - At a minimum, cardholder data consists of the full 16 digit credit card number. Cardholder data may also appear in the form of the full CCN plus any of the following: cardholder name, expiration date and/or CVV number.
Dial-out Terminal - credit card reader that communicates using the plain old telephone system (POTS) with the credit card processor for payment authorization and approval.
Distribution - cardholder data leaves your office (premises) and goes to another location, department or company.
Media - Paper documents with full 16 digit credit card numbers on them along with the cardholder name and expiration date. Media can also be electronic storage of full 16 digit credit card numbers, cardholder name and expiration date.

56 How to Complete Self Assessment Questionnaire B
Glossary
Merchant Environment - The merchant environment is the hardware, communication networks and software at the merchant location/store.
Open, Public Network - networks that are easily accessed: cell phone data networks, satellite data networks, WiFi hot spots.
Personnel - full-time, part-time, temporary employees and personnel, and contractors and consultants who are resident on the entity's site OR otherwise have access to the company's site cardholder data environment.
Policy - Organization-wide rules governing acceptable use of computing resources, security practices, and guiding development of operational procedures for all NCSU merchants.
POTS - plain old telephone system. An all-analog telephone connection using copper wires and an RJ-11 phone jack.

57 How to Complete Self Assessment Questionnaire B
Glossary
Procedure - Descriptive narrative for a policy. A procedure is the how-to for a policy and describes how the policy is to be implemented.
Sensitive Authentication Data (SAD) - Data found on the back of a credit/debit card: CVC or CVV (Back of Card, except AMEX on Front), Full Magnetic Stripe or Equivalent data on a chip, PIN / PIN block.
Service Provider - any organization that stores, transmits or processes cardholder data on behalf of merchants or other service providers. Also other organizations that could impact merchant security (even if they don't have direct access to cardholder data). Examples include web hosting providers, Nelnet, Yahoo Storefront, Paypal, Intelipay.
Standalone - operates independently and does not connect to any other POS or digital device.

58 How to Complete Self Assessment Questionnaire B
Merchant Assignment
Using the instructions given in this presentation, complete a SAQ B form for each merchant account in the next 2 weeks.
Send the completed SAQ B PDF file to: pciservices@ncsu.edu
If keeping card numbers on paper forms:
- Complete your key management document
- Document your distribution rules/policies
- Create a method for labeling sensitive credit card data
- Track when, where, what and who moves credit card data forms in a log
- Document your rules/policies for accessing stored forms containing credit card data
- Decide on a data retention policy for paper forms containing credit card data
- Review PCI Policies in Moodle
- Check your contracts with service providers that you share card data with to see if they meet Requirement 12.8
- If not done already, submit your list of service providers to OIT-ISS
- Label your POS devices and take photographs for tamper detection
