PCI DSS V3.0 SAQs Overview
This mind map is about PCI DSS V3.0 SAQs Overview (including Prioritised Approach).
Edited at 2020-09-29 03:18:27
PCI DSS V3.0 SAQs Overview (including Prioritised Approach)
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
SAQ A (14 Controls)
Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced
SAQ P2PE-HW (35 Controls)
Hardware Payment Terminals in a PCI-Listed P2PE Solution Only – No Electronic Cardholder Data Storage
SAQ B (41 Controls)
Merchants with Only Imprint Machines or Only Standalone, Dial-out Terminals— No Electronic Cardholder Data Storage
SAQ C-VT (74 Controls)
Merchants with Web-Based Virtual Payment Terminals—No Electronic Cardholder Data Storage
1.2
1.2.1 (a)(b)
1.2.3
1.3
1.3.4
1.3.5
1.3.6
1.4
1.4 (a)(b)
SAQ B-IP (83 Controls)
Merchants with Standalone, IP-Connected PTS Point-of-Interaction (POI) Terminals – No Electronic Cardholder Data Storage
1.1
1.1.1 (a)(b)
1.1.4 (a)(b)
1.1.6 (a)(b)
1.2
1.2.1 (a)(b)
1.2.3
1.3
1.3.4
1.3.5
1.3.6
SAQ A-EP (139 Controls)
Partially Outsourced E-commerce Merchants Using a Third-Party Website for Payment Processing
1.1
1.1.4 (a)(b)
1.1.6 (a)(b)
1.2
1.2.1 (a)(b)
1.3
1.3.4
1.3.5
1.3.6
1.3.8 (a)(b)
SAQ C (139 Controls)
Merchants with Payment Application Systems Connected to the Internet— No Electronic Cardholder Data Storage
1.2
1.2.1 (a)(b)
1.2.3
1.3
1.3.3
1.3.5
1.3.6
SAQ D-M (330 Controls)
All other SAQ-Eligible Merchants
1.1
1.1.1
1.1.2 (a)(b)
1.1.3 (a)(b)
1.1.4 (a)(b)
1.1.5
1.1.6 (a)(b)
1.1.7 (a)(b)
1.2
1.2.1 (a)(b)
1.2.2
1.2.3
1.3
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
1.3.7
1.3.8 (a)(b)
1.4
1.4 (a)(b)
1.5
SAQ D-SP (349 Controls)
SAQ-Eligible Service Providers
1.1
1.1.1
1.1.2 (a)(b)
1.1.3 (a)(b)
1.1.4 (a)(b)
1.1.5
1.1.6 (a)(b)
1.1.7 (a)(b)
1.2
1.2.1 (a)(b)
1.2.2
1.2.3
1.3
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
1.3.7
1.3.8 (a)(b)
1.4
1.4 (a)(b)
1.5
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
SAQ A (14 Controls)
Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced
SAQ P2PE-HW (35 Controls)
Hardware Payment Terminals in a PCI-Listed P2PE Solution Only – No Electronic Cardholder Data Storage
SAQ B (41 Controls)
Merchants with Only Imprint Machines or Only Standalone, Dial-out Terminals— No Electronic Cardholder Data Storage
SAQ C-VT (74 Controls)
Merchants with Web-Based Virtual Payment Terminals—No Electronic Cardholder Data Storage
2.1
2.1 (a)(b)
2.1.1 (a)(b)(c)(d)(e)
2.2
2.2.2 (a)(b)
2.2.3
2.2.4 (a)(b)(c)
2.2.5 (a)(b)(c)
2.3
2.3 (a)(b)(c)(d)(e)
SAQ B-IP (83 Controls)
Merchants with Standalone, IP-Connected PTS Point-of-Interaction (POI) Terminals – No Electronic Cardholder Data Storage
2.1
2.1 (a)(b)
2.1.1 (a)(b)(c)(d)(e)
2.3
2.3 (a)(b)(c)(d)(e)
SAQ A-EP (139 Controls)
Partially Outsourced E-commerce Merchants Using a Third-Party Website for Payment Processing
2.1
2.1 (a)(b)
2.2
2.2 (a)(b)(c)(d)
2.2.1 (a)(b)
2.2.2 (a)(b)
2.2.3
2.2.4 (a)(b)(c)
2.2.5 (a)(b)(c)
2.3
2.3 (a)(b)(c)(d)
SAQ C (139 Controls)
Merchants with Payment Application Systems Connected to the Internet— No Electronic Cardholder Data Storage
2.1
2.1 (a)(b)
2.1.1 (a)(b)(c)(d)(e)
2.2
2.2 (a)(b)(c)(d)
2.2.1 (a)(b)
2.2.2 (a)(b)
2.2.3
2.2.4 (a)(b)(c)
2.2.5 (a)(b)(c)
2.3
2.3 (a)(b)(c)(d)
2.5
SAQ D-M (330 Controls)
All other SAQ-Eligible Merchants
2.1
2.1 (a)(b)
2.1.1 (a)(b)(c)(d)(e)
2.2
2.2 (a)(b)(c)(d)
2.2.1 (a)(b)
2.2.2 (a)(b)
2.2.3
2.2.4 (a)(b)(c)
2.2.5 (a)(b)(c)
2.3
2.3 (a)(b)(c)(d)
2.4
2.4 (a)(b)
2.5
SAQ D-SP (349 Controls)
SAQ-Eligible Service Providers
2.1
2.1 (a)(b)
2.1.1 (a)(b)(c)(d)(e)
2.2
2.2 (a)(b)(c)(d)
2.2.1 (a)(b)
2.2.2 (a)(b)
2.2.3
2.2.4 (a)(b)(c)
2.2.5 (a)(b)(c)
2.3
2.3 (a)(b)(c)(d)
2.4
2.4 (a)(b)
2.5
2.6
Requirement 3: Protect stored cardholder data
SAQ A (14 Controls)
Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced
SAQ P2PE-HW (35 Controls)
Hardware Payment Terminals in a PCI-Listed P2PE Solution Only – No Electronic Cardholder Data Storage
3.3
3.7
3.1
3.1 (a)(b)(c)(d)(e)
3.2
3.2.2
3.3
SAQ B (41 Controls)
Merchants with Only Imprint Machines or Only Standalone, Dial-out Terminals— No Electronic Cardholder Data Storage
3.2
3.2 (c)(d)
3.2.1
3.2.2
3.2.3
3.3
SAQ C-VT (74 Controls)
Merchants with Web-Based Virtual Payment Terminals—No Electronic Cardholder Data Storage
3.2
3.2 (c)(d)
3.2.2
3.2.3
SAQ B-IP (83 Controls)
Merchants with Standalone, IP-Connected PTS Point-of-Interaction (POI) Terminals – No Electronic Cardholder Data Storage
3.2
3.2 (c)(d)
3.2.1
3.2.2
3.2.3
SAQ A-EP (139 Controls)
Partially Outsourced E-commerce Merchants Using a Third-Party Website for Payment Processing
3.2
3.2 (c)(d)
3.2.2
3.2.3
SAQ C (139 Controls)
Merchants with Payment Application Systems Connected to the Internet— No Electronic Cardholder Data Storage
3.2
3.2 (c)(d)
3.2.1
3.2.2
3.2.3
3.3
SAQ D-M (330 Controls)
All other SAQ-Eligible Merchants
3.1
3.1 (a)(b)(c)(d)(e)
3.2
3.2 (a)(b)(c)(d)
3.2.1
3.2.2
3.2.3
3.3
3.4
3.4.1 (a)(b)(c)
3.5
3.5.1
3.5.2
3.5.3
3.6
3.6 (a)(b)(c)
3.6.1
3.6.2
3.6.3
3.6.4
3.6.5 (a)(b)(c)
3.6.6
3.6.7
3.6.8
3.7
SAQ D-SP (349 Controls)
SAQ-Eligible Service Providers
3.1
3.1 (a)(b)(c)(d)(e)
3.2
3.2 (a)(b)(c)(d)
3.2.1
3.2.2
3.2.3
3.3
3.4
3.4.1 (a)(b)(c)
3.5
3.5.1
3.5.2
3.5.3
3.6
3.6 (a)(b)(c)
3.6.1
3.6.2
3.6.3
3.6.4
3.6.5 (a)(b)(c)
3.6.6
3.6.7
3.6.8
3.7
Requirement 4: Encrypt transmission of cardholder data across open, public networks
SAQ A (14 Controls)
Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced
SAQ P2PE-HW (35 Controls)
Hardware Payment Terminals in a PCI-Listed P2PE Solution Only – No Electronic Cardholder Data Storage
4.2
4.2 (b)
SAQ B (41 Controls)
Merchants with Only Imprint Machines or Only Standalone, Dial-out Terminals— No Electronic Cardholder Data Storage
4.2
4.2 (b)
SAQ C-VT (74 Controls)
Merchants with Web-Based Virtual Payment Terminals—No Electronic Cardholder Data Storage
4.1
4.1 (a)(b)(c)(d)(e)
4.1.1
4.2
4.2 (b)
SAQ B-IP (83 Controls)
Merchants with Standalone, IP-Connected PTS Point-of-Interaction (POI) Terminals – No Electronic Cardholder Data Storage
4.1
4.1 (a)(b)(c)(d)(e)
4.1.1
4.2
4.2 (b)
SAQ A-EP (139 Controls)
Partially Outsourced E-commerce Merchants Using a Third-Party Website for Payment Processing
4.1
4.1 (a)(b)(c)(d)(e)
4.2
4.2 (b)
SAQ C (139 Controls)
Merchants with Payment Application Systems Connected to the Internet— No Electronic Cardholder Data Storage
4.1
4.1 (a)(b)(c)(d)(e)
4.1.1
4.2
4.2 (b)
SAQ D-M (330 Controls)
All other SAQ-Eligible Merchants
4.1
4.1 (a)(b)(c)(d)(e)
4.1.1
4.2
4.2 (a)(b)
4.3
SAQ D-SP (349 Controls)
SAQ-Eligible Service Providers
4.1
4.1 (a)(b)(c)(d)(e)
4.1.1
4.2
4.2 (a)(b)
4.3
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
SAQ A (14 Controls)
Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced
SAQ P2PE-HW (35 Controls)
Hardware Payment Terminals in a PCI-Listed P2PE Solution Only – No Electronic Cardholder Data Storage
SAQ B (41 Controls)
Merchants with Only Imprint Machines or Only Standalone, Dial-out Terminals— No Electronic Cardholder Data Storage
SAQ C-VT (74 Controls)
Merchants with Web-Based Virtual Payment Terminals—No Electronic Cardholder Data Storage
5.1
5.1.1
5.1.2
5.2
5.2 (a)(b)(c)
5.3
SAQ B-IP (83 Controls)
Merchants with Standalone, IP-Connected PTS Point-of-Interaction (POI) Terminals – No Electronic Cardholder Data Storage
SAQ A-EP (139 Controls)
Partially Outsourced E-commerce Merchants Using a Third-Party Website for Payment Processing
5.1
5.1.1
5.1.2
5.2
5.2 (a)(b)(c)
5.3
SAQ C (139 Controls)
Merchants with Payment Application Systems Connected to the Internet— No Electronic Cardholder Data Storage
5.1
5.1.1
5.1.2
5.2
5.2 (a)(b)(c)
5.3
SAQ D-M (330 Controls)
All other SAQ-Eligible Merchants
5.1
5.1.1
5.1.2
5.2
5.2 (a)(b)(c)
5.3
5.4
SAQ D-SP (349 Controls)
SAQ-Eligible Service Providers
5.1
5.1.1
5.1.2
5.2
5.2 (a)(b)(c)
5.3
5.4
Requirement 6: Develop and maintain secure systems and applications
SAQ A (14 Controls)
Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced
SAQ P2PE-HW (35 Controls)
Hardware Payment Terminals in a PCI-Listed P2PE Solution Only – No Electronic Cardholder Data Storage
SAQ B (41 Controls)
Merchants with Only Imprint Machines or Only Standalone, Dial-out Terminals— No Electronic Cardholder Data Storage
SAQ C-VT (74 Controls)
Merchants with Web-Based Virtual Payment Terminals—No Electronic Cardholder Data Storage
6.1
6.2
6.2 (a)(c)
SAQ B-IP (83 Controls)
Merchants with Standalone, IP-Connected PTS Point-of-Interaction (POI) Terminals – No Electronic Cardholder Data Storage
6.1
6.2
6.2 (a)(b)
SAQ A-EP (139 Controls)
Partially Outsourced E-commerce Merchants Using a Third-Party Website for Payment Processing
6.1
6.2
6.2 (a)(b)
6.4
6.4.5 (a)
6.4.5.1
6.4.5.2
6.4.5.3 (a)(b)
6.4.5.4
6.5
6.5 (c)
6.5.1
6.5.2
6.5.7
6.5.8
6.5.9
6.5.10
6.6
SAQ C (139 Controls)
Merchants with Payment Application Systems Connected to the Internet— No Electronic Cardholder Data Storage
6.1
6.2
6.2 (a)(b)
SAQ D-M (330 Controls)
All other SAQ-Eligible Merchants
6.1
6.2
6.2 (a)(b)
6.3
6.3 (a)(b)(c)(d)
6.3.1
6.3.2
6.4
6.4.1 (a)(b)
6.4.2
6.4.3
6.4.4
6.4.5 (a)(b)
6.4.5.1
6.4.5.2
6.4.5.3 (a)(b)
6.4.5.4
6.5
6.5 (a)(b)(c)
6.5.1
6.5.2
6.5.3
6.5.4
6.5.5
6.5.6
6.5.7
6.5.8
6.5.9
6.5.10
6.6
6.7
SAQ D-SP (349 Controls)
SAQ-Eligible Service Providers
6.1
6.2
6.2 (a)(b)
6.3
6.3 (a)(b)(c)(d)
6.3.1
6.3.2
6.4
6.4.1 (a)(b)
6.4.2
6.4.3
6.4.4
6.4.5 (a)(b)
6.4.5.1
6.4.5.2
6.4.5.3 (a)(b)
6.4.5.4
6.5
6.5 (a)(b)(c)
6.5.1
6.5.2
6.5.3
6.5.4
6.5.5
6.5.6
6.5.7
6.5.8
6.5.9
6.5.10
6.6
6.7
Requirement 7: Restrict access to cardholder data by business need to know
SAQ A (14 Controls)
Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced
SAQ P2PE-HW (35 Controls)
Hardware Payment Terminals in a PCI-Listed P2PE Solution Only – No Electronic Cardholder Data Storage
SAQ B (41 Controls)
Merchants with Only Imprint Machines or Only Standalone, Dial-out Terminals— No Electronic Cardholder Data Storage
7.1
7.1.2
7.1.3
SAQ C-VT (74 Controls)
Merchants with Web-Based Virtual Payment Terminals—No Electronic Cardholder Data Storage
7.1
7.1.2
7.1.3
SAQ B-IP (83 Controls)
Merchants with Standalone, IP-Connected PTS Point-of-Interaction (POI) Terminals – No Electronic Cardholder Data Storage
7.1
7.1.2
7.1.3
SAQ A-EP (139 Controls)
Partially Outsourced E-commerce Merchants Using a Third-Party Website for Payment Processing
7.1
7.1.2
7.1.3
SAQ C (139 Controls)
Merchants with Payment Application Systems Connected to the Internet— No Electronic Cardholder Data Storage
7.1
7.1.2
7.1.3
SAQ D-M (330 Controls)
All other SAQ-Eligible Merchants
7.1
7.1.1
7.1.2
7.1.3
7.1.4
7.2
7.2.1
7.2.2
7.2.3
7.3
SAQ D-SP (349 Controls)
SAQ-Eligible Service Providers
7.1
7.1.1
7.1.2
7.1.3
7.1.4
7.2
7.2.1
7.2.2
7.2.3
7.3
Requirement 8: Identify and authenticate access to system components
SAQ A (14 Controls)
Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced
SAQ P2PE-HW (35 Controls)
Hardware Payment Terminals in a PCI-Listed P2PE Solution Only – No Electronic Cardholder Data Storage
SAQ B (41 Controls)
Merchants with Only Imprint Machines or Only Standalone, Dial-out Terminals— No Electronic Cardholder Data Storage
SAQ C-VT (74 Controls)
Merchants with Web-Based Virtual Payment Terminals—No Electronic Cardholder Data Storage
8.1
8.1.5 (a)(b)
8.3
8.5
SAQ B-IP (83 Controls)
Merchants with Standalone, IP-Connected PTS Point-of-Interaction (POI) Terminals – No Electronic Cardholder Data Storage
SAQ A-EP (139 Controls)
Partially Outsourced E-commerce Merchants Using a Third-Party Website for Payment Processing
8.1
8.1.1
8.1.3
8.1.5
8.1.6
8.1.7
8.2
8.2.1 (a)
8.2.3 (a)
8.2.4 (a)
8.2.5 (a)
8.2.6
8.3
8.5
8.6
SAQ C (139 Controls)
Merchants with Payment Application Systems Connected to the Internet— No Electronic Cardholder Data Storage
8.1
8.1.5 (a)(b)
8.3
SAQ D-M (330 Controls)
All other SAQ-Eligible Merchants
8.1
8.1.1
8.1.2
8.1.3
8.1.4
8.1.5 (a)(b)
8.1.6 (a)(b)
8.1.7
8.1.8
8.2
8.2.1 (a)(b)
8.2.2
8.2.3 (a)(b)
8.2.4 (a)(b)
8.2.5 (a)(b)
8.2.6
8.3
8.4
8.4 (a)(b)
8.5
8.5.1
8.6
8.7
8.7 (a)(b)(c)
8.8
SAQ D-SP (349 Controls)
SAQ-Eligible Service Providers
8.1
8.1.1
8.1.2
8.1.3
8.1.4
8.1.5 (a)(b)
8.1.6 (a)(b)
8.1.7
8.1.8
8.2
8.2.1 (a)(b)
8.2.2
8.2.3 (a)(b)
8.2.4 (a)(b)
8.2.5 (a)(b)
8.2.6
8.3
8.4
8.4 (a)(b)
8.5
8.5.1
8.6
8.7
8.7 (a)(b)(c)
8.8
Requirement 9: Restrict physical access to cardholder data
SAQ A (14 Controls)
Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced
9.6
9.6.1 (a)(b)
9.6.2
9.6.3
9.7
SAQ P2PE-HW (35 Controls)
Hardware Payment Terminals in a PCI-Listed P2PE Solution Only – No Electronic Cardholder Data Storage
9.5
9.8
9.8 (a)(c)
9.8.1 (a)(c)
9.9
9.9 (a)(b)(c)
9.9.1 (a)(b)(c)
9.9.2 (a)(b)(c)
9.9.3 (a)(b)
9.10
SAQ B (41 Controls)
Merchants with Only Imprint Machines or Only Standalone, Dial-out Terminals— No Electronic Cardholder Data Storage
9.5
9.6
9.6.1
9.6.2
9.6.3
9.7
9.8
9.8.1 (a)(b)
9.9
9.9 (a)(b)(c)
9.9.1 (a)(b)(c)
9.9.2 (a)(b)
9.9.3 (a)(b)
SAQ C-VT (74 Controls)
Merchants with Web-Based Virtual Payment Terminals—No Electronic Cardholder Data Storage
9.5
9.6
9.6 (a)(d)
9.6.1
9.6.2
9.6.3
9.7
9.8
9.8 (a)(c)
9.8.1 (a)(b)
SAQ B-IP (83 Controls)
Merchants with Standalone, IP-Connected PTS Point-of-Interaction (POI) Terminals – No Electronic Cardholder Data Storage
9.1
9.1.2
9.5
9.6
9.6 (a)(b)
9.6.1
9.6.2
9.6.3
9.7
9.8
9.8 (a)(c)
9.8.1 (a)(b)
9.9
9.9 (a)(b)(c)
9.9.1 (a)(b)(c)
9.9.2 (a)(b)
9.9.3 (a)(b)
SAQ A-EP (139 Controls)
Partially Outsourced E-commerce Merchants Using a Third-Party Website for Payment Processing
9.1
9.5
9.6
9.6 (a)(b)
9.6.1
9.6.2
9.6.3
9.7
9.8
9.8 (a)(c)
9.8.1 (a)(b)
SAQ C (139 Controls)
Merchants with Payment Application Systems Connected to the Internet— No Electronic Cardholder Data Storage
9.1
9.1.2
9.5
9.6
9.6 (a)(b)
9.6.1
9.6.2
9.6.3
9.7
9.8
9.8 (a)(c)
9.8.1 (a)(b)
9.9
9.9 (a)(b)(c)
9.9.1 (a)(b)(c)
9.9.2 (a)(b)
9.9.3 (a)(b)
SAQ D-M (330 Controls)
All other SAQ-Eligible Merchants
9.1
9.1.1 (a)(b)(c)(d)
9.1.2
9.1.3
9.2
9.2 (a)(b)(c)
9.3
9.4
9.4.1
9.4.2 (a)(b)
9.4.3
9.4.4 (a)(b)(c)
9.5
9.5.1 (a)(b)
9.6
9.6 (a)(b)
9.6.1
9.6.2
9.6.3
9.7
9.7.1 (a)(b)
9.8
9.8 (a)(b)(c)
9.8.1 (a)(b)
9.8.2
9.9
9.9 (a)(b)(c)
9.9.1 (a)(b)(c)
9.9.2 (a)(b)
9.9.3 (a)(b)
9.10
SAQ D-SP (349 Controls)
SAQ-Eligible Service Providers
9.1
9.1.1 (a)(b)(c)(d)
9.1.2
9.1.3
9.2
9.2 (a)(b)(c)
9.3
9.4
9.4.1
9.4.2 (a)(b)
9.4.3
9.4.4 (a)(b)(c)
9.5
9.5.1 (a)(b)
9.6
9.6 (a)(b)
9.6.1
9.6.2
9.6.3
9.7
9.7.1 (a)(b)
9.8
9.8 (a)(b)(c)
9.8.1 (a)(b)
9.8.2
9.9
9.9 (a)(b)(c)
9.9.1 (a)(b)(c)
9.9.2 (a)(b)
9.9.3 (a)(b)
9.10
Requirement 10: Track and monitor all access to network resources and cardholder data
SAQ A (14 Controls)
Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced
SAQ P2PE-HW (35 Controls)
Hardware Payment Terminals in a PCI-Listed P2PE Solution Only – No Electronic Cardholder Data Storage
SAQ B (41 Controls)
Merchants with Only Imprint Machines or Only Standalone, Dial-out Terminals— No Electronic Cardholder Data Storage
SAQ C-VT (74 Controls)
Merchants with Web-Based Virtual Payment Terminals—No Electronic Cardholder Data Storage
SAQ B-IP (83 Controls)
Merchants with Standalone, IP-Connected PTS Point-of-Interaction (POI) Terminals – No Electronic Cardholder Data Storage
SAQ A-EP (139 Controls)
Partially Outsourced E-commerce Merchants Using a Third-Party Website for Payment Processing
10.2
10.2.2
10.2.4
10.2.5
10.3
10.3.1
10.3.2
10.3.3
10.3.4
10.3.5
10.3.6
10.5
10.5.4
10.6
10.6.1 (b)
10.6.2 (b)
10.6.3 (b)
10.7
10.7 (b)(c)
SAQ C (139 Controls)
Merchants with Payment Application Systems Connected to the Internet— No Electronic Cardholder Data Storage
10.2
10.2.2
10.2.4
10.2.5
10.3
10.3.1
10.3.2
10.3.3
10.3.4
10.3.5
10.3.6
10.6
10.6.1 (b)
10.6.2 (b)
10.6.3 (b)
10.7
10.7 (b)(c)
SAQ D-M (330 Controls)
All other SAQ-Eligible Merchants
10.1
10.1 (a)(b)
10.2
10.2.1
10.2.2
10.2.3
10.2.4
10.2.5
10.2.6
10.2.7
10.3
10.3.1
10.3.2
10.3.3
10.3.4
10.3.5
10.3.6
10.4
10.4.1 (a)(b)(c)
10.4.2 (a)(b)
10.4.3
10.5
10.5.1
10.5.2
10.5.3
10.5.4
10.5.5
10.6
10.6.1 (a)(b)
10.6.2 (a)(b)
10.6.3 (a)(b)
10.7
10.7 (a)(b)(c)
10.8
SAQ D-SP (349 Controls)
SAQ-Eligible Service Providers
10.1
10.1 (a)(b)
10.2
10.2.1
10.2.2
10.2.3
10.2.4
10.2.5
10.2.6
10.2.7
10.3
10.3.1
10.3.2
10.3.3
10.3.4
10.3.5
10.3.6
10.4
10.4.1 (a)(b)(c)
10.4.2 (a)(b)
10.4.3
10.5
10.5.1
10.5.2
10.5.3
10.5.4
10.5.5
10.6
10.6.1 (a)(b)
10.6.2 (a)(b)
10.6.3 (a)(b)
10.7
10.7 (a)(b)(c)
10.8
Requirement 11: Regularly test security systems and processes
SAQ A (14 Controls)
Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced
SAQ P2PE-HW (35 Controls)
Hardware Payment Terminals in a PCI-Listed P2PE Solution Only – No Electronic Cardholder Data Storage
SAQ B (41 Controls)
Merchants with Only Imprint Machines or Only Standalone, Dial-out Terminals— No Electronic Cardholder Data Storage
SAQ C-VT (74 Controls)
Merchants with Web-Based Virtual Payment Terminals—No Electronic Cardholder Data Storage
SAQ B-IP (83 Controls)
Merchants with Standalone, IP-Connected PTS Point-of-Interaction (POI) Terminals – No Electronic Cardholder Data Storage
11.2
11.2.2 (a)(b)(c)
SAQ A-EP (139 Controls)
Partially Outsourced E-commerce Merchants Using a Third-Party Website for Payment Processing
11.2
11.2.2 (a)(b)(c)
11.2.3 (a)(b)(c)
11.3
11.3.1 (a)(b)
11.3.3
11.3.4 (a)(b)
11.5
11.5 (a)(b)
11.5.1
SAQ C (139 Controls)
Merchants with Payment Application Systems Connected to the Internet— No Electronic Cardholder Data Storage
11.1
11.1 (a)(b)(c)(d)
11.1.1
11.1.2 (a)(b)
11.2
11.2.1 (a)(b)(c)
11.2.3 (a)(b)(c)
11.3
11.3.4 (a)(b)
11.5
11.5 (a)(b)
11.5.1
SAQ D-M (330 Controls)
All other SAQ-Eligible Merchants
11.1
11.1 (a)(b)(c)(d)
11.1.1
11.1.2 (a)(b)
11.2
11.2.1 (a)(b)(c)
11.2.2 (a)(b)(c)
11.2.3 (a)(b)(c)
11.3
11.3.1 (a)(b)
11.3.2 (a)(b)
11.3.3
11.3.4 (a)(b)
11.4
11.4 (a)(b)(c)
11.5
11.5 (a)(b)
11.5.1
11.6
SAQ D-SP (349 Controls)
SAQ-Eligible Service Providers
11.1
11.1 (a)(b)(c)(d)
11.1.1
11.1.2 (a)(b)
11.2
11.2.1 (a)(b)(c)
11.2.2 (a)(b)(c)
11.2.3 (a)(b)(c)
11.3
11.3.1 (a)(b)
11.3.2 (a)(b)
11.3.3
11.3.4 (a)(b)
11.4
11.4 (a)(b)(c)
11.5
11.5 (a)(b)
11.5.1
11.6
Requirement 12: Maintain a policy that addresses information security for all personnel
SAQ A (14 Controls)
Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced
12.8
12.8.1
12.8.2
12.8.3
12.8.4
12.8.5
SAQ P2PE-HW (35 Controls)
Hardware Payment Terminals in a PCI-Listed P2PE Solution Only – No Electronic Cardholder Data Storage
12.1
12.1.1
12.4
12.5
12.5.3
12.6
12.6 (a)
12.8
12.8.1
12.8.2
12.8.3
12.8.4
12.8.5
12.10
12.10.1
SAQ B (41 Controls)
Merchants with Only Imprint Machines or Only Standalone, Dial-out Terminals— No Electronic Cardholder Data Storage
12.1
12.1.1
12.3
12.3.1
12.3.3
12.3.5
12.4
12.5
12.5 (b)
12.5.3
12.6
12.6 (a)
12.8
12.8.1
12.8.2
12.8.3
12.8.4
12.8.5
12.10
12.10.1
SAQ C-VT (74 Controls)
Merchants with Web-Based Virtual Payment Terminals—No Electronic Cardholder Data Storage
12.1
12.1.1
12.3
12.3.1
12.3.3
12.3.5
12.4
12.5
12.5 (b)
12.5.3
12.6
12.6 (a)
12.8
12.8.1
12.8.2
12.8.3
12.8.4
12.8.5
SAQ B-IP (83 Controls)
Merchants with Standalone, IP-Connected PTS Point-of-Interaction (POI) Terminals – No Electronic Cardholder Data Storage
12.1
12.1.1
12.3
12.3.1
12.3.3
12.3.5
12.3.9
12.4
12.5
12.5 (b)
12.5.3
12.6
12.6 (a)
12.8
12.8.1
12.8.2
12.8.3
12.8.4
12.8.5
SAQ A-EP (139 Controls)
Partially Outsourced E-commerce Merchants Using a Third-Party Website for Payment Processing
12.1
12.1.1
12.4
12.5
12.5 (b)
12.5.3
12.6
12.6 (a)
12.8
12.8.1
12.8.2
12.8.3
12.8.4
12.8.5
12.10
12.10.1 (a)(b)
SAQ C (139 Controls)
Merchants with Payment Application Systems Connected to the Internet— No Electronic Cardholder Data Storage
12.1
12.1.1
12.3
12.3.1
12.3.2
12.3.3
12.3.5
12.3.6
12.3.8
12.3.9
12.4
12.5
12.5 (b)
12.5.3
12.6
12.6 (a)
12.8
12.8.1
12.8.2
12.8.3
12.8.4
12.8.5
12.10
12.10.1 (a)(b)
SAQ D-M (330 Controls)
All other SAQ-Eligible Merchants
12.1
12.1.1
12.2
12.2 (a)(b)(c)
12.3
12.3.1
12.3.2
12.3.3
12.3.4
12.3.5
12.3.6
12.3.7
12.3.8
12.3.9
12.3.10 (a)(b)
12.4
12.5
12.5 (a)(b)
12.5.1
12.5.2
12.5.3
12.5.4
12.5.5
12.6
12.6 (a)(b)
12.6.1 (a)(b)(c)
12.6.2
12.7
12.8
12.8.1
12.8.2
12.8.3
12.8.4
12.8.5
12.10
12.10.1 (a)(b)
12.10.2
12.10.3
12.10.4
12.10.5
12.10.6
SAQ D-SP (349 Controls)
SAQ-Eligible Service Providers
12.1
12.1.1
12.2
12.2 (a)(b)(c)
12.3
12.3.1
12.3.2
12.3.3
12.3.4
12.3.5
12.3.6
12.3.7
12.3.8
12.3.9
12.3.10 (a)(b)
12.4
12.5
12.5 (a)(b)
12.5.1
12.5.2
12.5.3
12.5.4
12.5.5
12.6
12.6 (a)(b)
12.6.1 (a)(b)(c)
12.6.2
12.7
12.8
12.8.1
12.8.2
12.8.3
12.8.4
12.8.5
12.9
12.10
12.10.1 (a)(b)
12.10.2
12.10.3
12.10.4
12.10.5
12.10.6
Appendix A
A.1
A.1.1
A.1.2
A.1.3
A.1.4