Document Comparison

QIR_Implementation_Instructions_September2015.pdf QIR_Implementation_Instuctions_v4.1.1.pdf
27% similar
23 → 19 Pages
8067 → 5525 Words
53 Content Changes

Content Changes

53 content changes. 35 administrative changes (dates, page numbers) hidden.

Added p. 2
March 2018 4.0 Update to reflect QIR Program Expansion

March 2023 4.1 Update PA-DSS references and added applicable Software Security Framework (SSF) references
Added p. 4
The Implementation Statement confirms what the QIR Professional did, what they observed, and what they informed the customer of at the conclusion of the Qualified Installation. The QIR Professional is not performing a PCI DSS assessment. Compliance with PCI DSS remains the responsibility of the customer.

1. If an application being installed or configured is either PCI Validated Software or a PA-DSS Validated Application, Part 2b of the statement should be completed.

2. The customer may request the QIR Professional to complete work beyond the scope of the QIR Program. This work should not be documented as part of the Qualified Installation.

4. This document is written as if Engagements and Qualified Installations are carried out by one QIR Professional. In the event that a larger project involves more than one QIR Professional, one of those individuals should be nominated as the primary or lead.

• Where any new applications being installed claim Payment …
Added p. 6
Item for Completion | Instruction

Customer Details
Customer company and contact details:

QIR Details QIR Professional with their company and contact details:

Provide QIR Professional contact name.

Details of Payment Application Payment Application Vendor:

Payment Application Name: Provide the name of the payment application.

Application Version Number: Provide the specific version number for the payment application.

Details of Qualified Installation Address of impacted customer location(s):

List of all addresses where the QIR Professional performed the services of the Qualified Installation as represented by the QIR Implementation Statement. For example, there may be multiple retail locations, corporate offices, or other types of locations where the application was installed as part of the Qualified Installation.

The location of every installation covered by the QIR Implementation Statement must be included in this table. Where a Qualified Installation involves multiple customer locations, the QIR Professional may choose to prepare a number of QIR Implementation Statements that together represent all locations.

If there are a …
Added p. 7
• The installation was performed in accordance with the requirements defined in the QIR Qualification Requirements, QIR Program Guide, and these QIR Implementation Instructions.

• All information within the QIR Implementation Statement represents the results of the implementation fairly and accurately in all material respects.

• The QIR Professional has advised the customer of any potential security risks observed, or other relevant observations identified during the Qualified Installation, as documented in Part 3 of the QIR Implementation Statement.

QIR Professional Signature: Signature of the QIR Professional for the Qualified Installation

QIR Professional Name: First and last name of the QIR Professional

Date: Date the QIR Implementation Statement was signed

Customer Acknowledgement of Implementation Statement

The customer signs the QIR Implementation Statement to acknowledge the following:

• The QIR Implementation Statement is an accurate record of the work completed by the QIR Professional.

• The customer has read and understands the potential security risks identified in …
Added p. 8
• Provided the customer with the item(s) indicated in the question, typically a list, a form, etc. Any such items should be provided in writing so that the QIR Professional and the customer can retain copies.

• Discussed with the customer or otherwise gained confidence that the customer is aware and has an understanding of a requirement, technical knowledge, or a process that must be in place. QIR Professional confidence can be achieved in a variety of ways including:

• Reviewing customer documentation

• Interviewing appropriate customer employees

• Conducting training/education sessions

• Confirmed through the installation/configuration process that the application and configuration are as expected. Evidence should be captured with a screenshot or documentation as part of the QIR Professional’s work papers.

Part 2 is divided into two sections:
Added p. 9
Item for completion | Instruction | PCI DSS Reference

Remote Access

1. Is the customer aware that any remote access into their network must be configured as follows:

• Remote access to the payment application requires multi-factor authentication? Select “Yes” or “No” from the drop-down menu.

A response of “Yes” indicates that the QIR Professional has confidence that the customer understands that multi-factor authentication is required for any remote access to the payment application or to the customer’s cardholder data environment.

Multi-factor authentication requires that a minimum of two of the three following authentication methods be used for authentication in addition to a unique user ID:

• A password or passphrase (Something you know)

• A token device or smart card (Something you have)

• A biometric (Something you are)

Using one factor twice (for example, using two separate passwords) is not considered multi-factor authentication.

PCI DSS Requirements 8.4.1, 8.4.2 and 8.4.3

• Remote access must be activated only when needed, …
Added p. 10
• Remote access must be implemented securely? Select “Yes” or “No” from the drop-down menu.

A response of “Yes” indicates that the QIR Professional has confidence that the customer understands that any remote access to their network must be implemented in a secure manner, such as:

• Default settings in the remote access software are changed (for example, change default passwords and use unique passwords for each customer).

• Connections are allowed only from specific (known) IP/MAC addresses.

• Strong authentication and complex passwords for logins are used.

• Encrypted data transmission is enabled.

• Account lockout after a certain number of failed login attempts is enabled.

• Virtual Private Network (“VPN”) connections are established via a firewall before access is allowed.

• The logging function is enabled.

• Access to accounts on the customer network is restricted to authorized integrator/reseller personnel.

• Customer passwords are established according to PCI DSS Requirements.

Additionally, any systems used for remote access into the customer …
Added p. 12
3. Have all passwords been changed for all payment application default accounts (including all user and administrative accounts)? Select “Yes” or “No” from the drop-down menu.

• All payment application user default accounts, and

• All payment application administrative default accounts.

Default accounts are accounts or user IDs that are created by the payment application vendor and included in the application when it is delivered to the customer. Some are created for the general user of the application and may not have many privileges or rights; while other default accounts are administrative accounts and may be delivered with all privileges and rights enabled. These default accounts will not be unique per customer so the passwords must be changed, at a minimum. All default account passwords must be changed, irrespective of the type of account or the level of privilege assigned.

If dependent or underlying software, such as databases or operating systems, is provided as part of …
Added p. 16
PCI SSC Listing Number: Provide the PCI SSC listing number for the specific version of the validated payment software, as listed on the PCI SSC website.

Payment Software Vendor: Provide the name of the payment vendor company that produced the software. This name should match the company name listed on the PCI SSC website for this payment software.

Payment Software Name: Provide the name of the Validated Payment Software. This name should match the name listed on the PCI SSC website.

Software Version Number: Provide the specific version number for the Validated Payment Software. This version number must match the version number listing on the PCI SSC website, in order for the software to be considered Secure Software validated.

The Validated Payment Software was installed in accordance with vendor implementation guidance. (Yes/No) If “No”, please provide a brief explanation:

“Yes” indicates that all applicable instructions in the guidance provided were followed, and that the QIR …
Added p. 17
Note that using these QIR Implementation Instructions with the PA-DSS Implementation Guide during a Qualified Installation provides the foundation for a payment application installation that is configured in a manner that supports compliance with PCI DSS. If the customer does not have access to the PA-DSS Implementation Guide, one can be requested from the payment application vendor.
Added p. 18
Observations included in this section in no way imply that a PCI DSS assessment has been completed.

If the observation relates to a question from Part 2 of the QIR Implementation Statement, record the applicable question number here.

Potential security risks? If the QIR Professional feels that the observation could possibly affect or have an impact on the customer’s security risks, check “Yes.” If the observation is not relevant to any security risk, check “No.”
Added p. 19
Patching

• Question 9, 10

Remote Access

• Question 2
Removed p. 4
Use of these QIR Implementation Instructions with the PA-DSS Implementation Guide during a Qualified Installation provides the foundation for ensuring that the payment application will be installed and configured in a manner that supports compliance with PCI DSS. If the customer does not have access to the PA-DSS Implementation Guide, one can be requested from the payment application vendor.

• Ensuring personnel performing Qualified Installations are properly trained and screened as appropriate

• Confirming that any new applications being installed appear on the List of Validated Payment Applications on the PCI SSC website

• Protecting confidential and sensitive information at all times

• Providing the customer with a completed QIR Implementation Statement for each Qualified Installation

• Encouraging the customer to complete and return the QIR Feedback Form to PCI SSC

• Maintaining records of the Qualified Installation

• Maintaining a quality assurance program

QIR Employees are expected to follow the …
Modified p. 4
Note: By signing the QIR Implementation Statement the QIR Employee indicates and affirms that all instructions within the QIR Program Guide and these QIR Implementation Instructions have been followed.
3. By signing the QIR Implementation Statement, the QIR Professional indicates and affirms that all instructions within the QIR Program Guide and these QIR Implementation Instructions have been followed.
Modified p. 4
QIR Employees must adhere to the QIR Qualification Requirements at all times. Additionally, the QIR Program Guide details the activities that QIR Companies and Employees are required to perform, including those to be performed during Qualified Installations. Examples of these include:
QIR Professionals must adhere to the requirements defined in the QIR Qualification Requirements and QIR Program Guide for all Qualified Installations. Additionally, the QIR Program Guide details the activities that QIR Professionals are required to perform during Qualified Installations. Examples of these include:
Modified p. 4 → 5
Implementation Statement Details Records details about the activities performed by the QIR Employee during the Qualified Installation.
Part 2: Implementation Statement Details Records details about the activities performed by the QIR Professional during the Qualified Installation.
Modified p. 4 → 5
QIR Employee Additional Observations Records observations or details that the customer should be aware of. Includes items identified in the Details section that require explanation.
Part 3: QIR Professional Additional Observations Records observations or details that the customer should be aware of. Includes items identified in the Details section that require explanation.
Modified p. 4 → 5
The QIR Implementation Statement is designed to be completed by the QIR Employee either electronically and then printed for signature capture, or printed out as a hard copy document for manual completion and signature capture. For all Yes/No questions, if Yes is selected, all bulleted questions below the entry must also be answered.
The QIR Implementation Statement is designed to be completed by the QIR Professional, either electronically and then printed for signature by the QIR Professional and Customer Company contact or printed out as a hard-copy document for manual completion and signature by both parties. For all Yes/No questions, if Yes is selected, all bulleted questions below the entry must also be answered.
Removed p. 5
Item for completion in QIR Implementation Statement | Instruction for QIR Employee to complete

Customer Details
Customer Company and Contact Details: Provide customer company and individual contact name. Complete contact and address details as stated.

QIR Details QIR Company and Contact Details: Provide QIR Company and Employee contact names. Complete contact and address details as stated.

Details of Qualified Installation Address of customer location(s) where application was installed:

List of all addresses where the QIR Employee installed the payment application as represented by the Implementation Statement. For example, there may be multiple retail locations, corporate offices, or other types of locations where the application was installed as part of the Qualified Installation.

The location of every installation covered by the Implementation Statement must be included in this table. Where a Qualified Installation involves multiple customer locations, the QIR Employee may choose to prepare a number of Implementation Statements that together represent all locations.

If there are …
Modified p. 5 → 17
Payment Application Vendor: Provide the name of the payment vendor company that produced the application. This name should match the Company name listed on the PCI SSC website for this payment application.
Payment Application Vendor: Provide the name of the payment vendor company that produced the application. This name should match the company name listed on the PCI SSC website for this payment application.
Modified p. 5 → 17
Application Version Number: Provide the specific version number for the validated payment application. This version number must match the application listing on the PCI SSC website in order for the application to be considered PA-DSS validated.
Application Version Number: Provide the specific version number for the validated payment application. This version number must match the application listing on the PCI SSC website, and the application should be approved for pre-existing deployments only, in order for the application to be considered PA-DSS validated.
Removed p. 6
Number of systems installed: Provide the number of systems the application was installed on at each location. For example, a single retail location may have 20 POS systems and one server.

Type of Qualified Installation:

Select from the drop-down menu whether the installation is a New Installation or an Upgrade to an Existing Installation. A New Installation is one where the payment application did not previously exist. An Upgrade to an Existing Application can be an update applied to an application already installed, or a new version of an application already installed.

Date Installed: For each address listed, provide the date(s) the application was installed. If the installation occurred over a number of days, the date may be represented as a range, for example, 10-14 June 2015.

Confirmation of Implementation Approach

This Implementation Statement confirms that:

The validated payment application was installed and configured in a manner that supports compliance with PCI DSS (Yes/No) If …
Modified p. 6 → 17
“Yes” indicates that all applicable instructions in the PA-DSS Implementation Guide were followed, and that the QIR Employee did not install the application contrary to Implementation Guide instructions.
“Yes” indicates that all applicable instructions in the PA-DSS Implementation Guide were followed, and that the QIR Professional installed the application according to PA-DSS Implementation Guide instructions.
Modified p. 6 → 17
“No” indicates that QIR Employee did not follow the PA-DSS Implementation Guide for one or more PCI DSS requirements.
“No” indicates that QIR Professional did not follow the PA-DSS Implementation Guide.
Modified p. 6 → 17
If “No” is selected, the QIR Employee should provide an explanation in the text field provided, of why they could not use the PA-DSS Implementation Guide for the Qualified Installation.
Record the version number and the date of the PA-DSS Implementation Guide that was used during the Qualified Installation.
Modified p. 6 → 17
For example, the QIR Employee may be unable to use the PA-DSS Implementation Guide if it did not contain the level of instruction necessary to configure the application securely, or if following the Implementation Guide would result in an insecure or non-compliant configuration.
If “No” is selected, the QIR Professional should provide an explanation in the text field provided regarding why they could not use the PA-DSS Implementation Guide for the Qualified Installation. For example, the QIR Professional may be unable to use the PA-DSS Implementation Guide if it did not contain the level of instruction necessary to configure the application securely, or if following the PA-DSS Implementation Guide in the customer’s environment would result in an insecure or non-compliant configuration.
Modified p. 6 → 18
If aspects of the installation were performed by parties other than the QIR Employee (for example, by the customer), the QIR Employee should provide details in Part 3 of the Implementation Statement.
Where aspects of the installation were performed by parties other than the QIR Professional (for example, the customer or other third party), the QIR Professional should provide relevant details in this section.
Removed p. 7
• The installation was performed in accordance with the requirements defined in the QIR Qualification Requirements, QIR Program Guide and QIR Implementation Instructions.

• All information within the Implementation Statement represents the results of the implementation fairly and accurately in all material respects.

• The Lead QIR Employee has advised the customer of any potential PCI DSS compliance issues identified during the implementation, as documented in Part 3 of the Implementation Statement.

Lead QIR Employee Signature: Signature of the Lead QIR Employee for the Qualified Installation

Lead QIR Employee Name: First and last name of the Lead QIR Employee

Date: Date the Implementation Statement was signed

Customer Acceptance of Implementation Statement

The customer is required to sign the Implementation Statement confirming that they agree with and accept the findings documented therein. By signing the Implementation Statement, the customer acknowledges the following:

• The customer accepts the information documented within this Implementation Statement.

• The customer …
Removed p. 8
• Provided the customer with the item(s) indicated in the question, typically a list, a form, etc. Any such items should be provided in writing so that copies can be retained by the QIR Company and the customer.

• Discussed with the customer or has otherwise gained confidence that the customer is aware and has an understanding of a requirement, technical knowledge or a process that must be in place. QIR confidence can be achieved in a variety of ways including:

• Reviewing customer documentation

• Interviewing appropriate customer employees

• Conducting training/education sessions

• Confirmed through the installation/configuration process that the application and configuration are as expected. Evidence should be captured with a screenshot or documentation as part of the QIR Employee’s work papers.

Item for completion in QIR Implementation Statement | Instruction for QIR Employee to complete

PA-DSS Implementation Guide and Training Materials Used
Date and version of the PA-DSS Implementation Guide …
Removed p. 9
2. Is the customer aware of all accounts set up by or used for QIR personnel access, and have instructions been provided on how to change the passwords and disable or remove those accounts? Select “Yes” or “No” from the drop-down menu.

A response of “Yes” indicates that the QIR Employee has provided the customer with:

• A list of all accounts that were created by the QIR Employee, including those for the customer’s use

• A list of all accounts used by QIR personnel

This includes all accounts created for the payment application, any dependent software accounts, any operating system accounts, network access accounts, etc. The QIR Employee has confidence that the customer understands how to change the passwords for all accounts created. The customer also understands how to disable or remove those accounts.

PCI DSS Requirement 2.1; PA-DSS Requirement 3.1

Remote Access

3. Is the customer aware that any remote access into …
Removed p. 10
• Remote access must be implemented securely? Select “Yes” or “No” from the drop-down menu.

A response of “Yes” indicates that the QIR Employee has confidence that the customer understands that any remote access to their network must be implemented in a secure manner, such as:

• Default settings in the remote access software are changed (for example, change default passwords and use unique passwords for each customer)

• Connections are allowed only from specific (known) IP/MAC addresses

• Strong authentication and complex passwords for logins are used

• Encrypted data transmission is enabled

• Account lockout after a certain number of failed login attempts is enabled

• Virtual Private Network (“VPN”) connections are established via a firewall before access is allowed

• The logging function is enabled

• Access to accounts on the customer network is restricted to authorized integrator/reseller personnel

• Customer passwords are established according to PCI DSS Requirements …
Removed p. 11
PA-DSS Requirement 10.2.1

• Is remote access to the customer network implemented securely? Select “Yes” or “No” from the drop-down menu.

• Default settings in the remote access software are changed (for example, change default passwords and use unique passwords for each customer)

• Connections are allowed only from specific (known) IP/MAC addresses

• Strong authentication and complex passwords for logins are used

• Encrypted data transmission is enabled

• Account lockout after a certain number of failed login attempts is enabled

• Virtual Private Network (“VPN”) connections are established via a firewall before access is allowed

• The logging function is enabled

• Access to accounts on the customer network is restricted to authorized integrator/reseller personnel

• Customer passwords are established according to PCI DSS Requirements

Additionally, QIR personnel should only connect to their customers from systems that meet applicable PCI DSS requirements. For example, QIR personnel desktops/laptops must have …
Removed p. 12
Yes. The payment application requires external connections: Checking the “Yes” box for question 5 indicates that the QIR Employee is aware that one or more external connections are required by the payment application.

• Is the customer aware of all connections required by the payment application? Select “Yes” or “No” from the drop-down menu.

A response of “Yes” indicates that the QIR Employee has confidence that the customer is aware of all external connections to/from the payment application.

For example, the customer should be aware of the following for each external connection to/from the payment application:

• The purpose of the connection

• The external end-point of the connection (for example, the destination of the connection)

• Whether any cardholder data is being transmitted over the connection

• How the connection is secured to protect sensitive data

PCI DSS Requirement 1.1.2

• Is the customer aware they must use a firewall that allows only …
Removed p. 13
Sensitive Authentication Data (SAD)

6. Is the application configured to ensure that Sensitive Authentication Data (including full track data, card verification codes/values and PIN or PIN block) is not stored after authorization, even if encrypted? Select “Yes” or “No” from the drop-down menu.

A response of “Yes” indicates that the QIR Employee has confirmed that the application is configured in a manner that prevents any SAD from being retained once authorization of a transaction has been completed.

This may be achieved as follows:

• The application does not have any capability to store SAD, and does not provide any configuration option that might result in storage of any SAD post-authorization, or

• If the application does have an option that permits SAD to be stored post-authorization, all such options are disabled.

PCI DSS Requirement 3.2; PA-DSS Requirement 1.1

Troubleshooting and Maintenance

7. Does the QIR provide services to the customer that could potentially result in the …
Removed p. 14
• Is Sensitive Authentication Data stored encrypted in a secure location with limited access? Select “Yes” or “No” from the drop-down menu.

A response of “Yes” indicates that SAD is always handled as follows:

• SAD is stored only in specific, known locations

• Access to the SAD is limited to specific individuals requiring access to solve that specific problem

• SAD is stored encrypted with strong cryptography

PCI DSS Requirement 3.2; PA-DSS Requirement 1.1.5

• Is Sensitive Authentication Data securely deleted immediately after use? Select “Yes” or “No” from the drop-down menu.

A response of “Yes” indicates that SAD is securely deleted immediately once it is no longer needed for that specific problem, and is deleted in accordance with industry-accepted standards for secure deletion. (For example, using a secure wipe program or other method that ensures that the data can never be retrieved.)

PCI DSS Requirement 3.2; PA-DSS Requirement 1.1.5

• Is Primary Account …
Removed p. 15
8. Does the application store cardholder data? Check either the “Yes” or “No” box. If the “Yes” box is checked, the applicable bullet points must also be answered:

Yes. The application does store cardholder data: Checking the “Yes” box for question 8 indicates that the payment application stores cardholder data (CHD). Cardholder data, as defined in the PCI DSS Glossary of Terms, Abbreviations and Acronyms, consists, at a minimum, of the full PAN. Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date and/or service code.

• Is PAN rendered unreadable anywhere it is stored? Select “Yes” or “No” from the drop-down menu.

A response of “Yes” indicates that the QIR Employee has confirmed that the PAN is unreadable anywhere it is stored, including:

• Any data repositories created or generated by the application

• Any files generated by the application for export …
Removed p. 16
• Is the customer aware they must not store cardholder data on Internet-accessible systems? Select “Yes” or “No” from the drop-down menu.

A response of “Yes” indicates that the QIR Employee has confidence that the customer understands that cardholder data should not be stored on Internet-accessible systems and that this understanding includes:

• Configuring the payment application to use a DMZ to separate the Internet from systems storing cardholder data

• Configuring the firewall to open only required ports in order to communicate across two network zones

For example, a database containing cardholder data must not be on a web server. Cardholder data should be stored on an internal segment of the network, segregated from the DMZ and any public networks.

PCI DSS Requirement 1.3.7; PA-DSS Requirement 9.1

No. The application does not store cardholder data. Checking the “No” box for question 8 indicates that the payment application does not store cardholder …
Removed p. 17
10. Is the customer aware that, if available, encryption of cardholder data transmissions from the customer to back-end processors and/or acquirer is recommended, even for private connections? Select “Yes” or “No” from the drop-down menu.

A response of “Yes” indicates that the QIR Employee has confidence that the customer understands that, if encryption is available, cardholder data transmissions from the customer to back-end processors or to the acquirer should be encrypted, even when sent over private connections. An example of a private network connection may be a dedicated T-1 line. Encrypting all transmissions of cardholder data, even when sent over private connections, will help to minimize the risk of a cardholder data compromise while in transit.

11. Is the customer aware that any non-console administrative access to systems in their Cardholder Data Environment (CDE), including the payment application, must be secured? Select “Yes” or “No” from the drop-down menu.

A response of “Yes” …
Removed p. 18
If dependent or underlying software, such as databases or operating systems, is provided as part of the Qualified Installation, passwords for those default accounts must also be changed.

Default accounts that are not needed should be changed (even if they won’t be used), and then disabled or deactivated.

13. Is strong authentication configured for all application administrative accounts and for all application accounts with access to cardholder data? Select “Yes” or “No” from the drop-down menu.

A response of “Yes” indicates that the QIR Employee has confirmed that strong authentication is configured for:

• All application accounts with administrative access, and

• All application accounts with access to cardholder data.

This includes all credentials which are generated or managed by the payment application. Strong authentication is created in accordance with PCI DSS Requirements 8.5.8 through 8.5.15, and includes:

• Not using group, shared, or generic accounts and passwords, or other authentication methods

• Changing user passwords …
Removed p. 19
14. Is the customer aware that all access to systems containing cardholder data (such as PCs, servers, and databases) should use unique user IDs and strong authentication? Select “Yes” or “No” from the drop-down menu.

A response of “Yes” indicates that the QIR Employee has confidence that the customer understands that all access to any system containing cardholder data should use unique accounts and strong authentication. This includes, for example, user and administrative accounts on PCs, servers, databases, and other system components within the CDE. Strong authentication should be implemented in accordance with the instructions provided in Question 13 above (per PCI DSS Requirements 8.5.8 through 8.5.15).

PCI DSS Requirements 8.1 and 8.2; PA-DSS Requirement 3.2

15. Is the customer aware that, for all accounts used by operating systems, security software, applications, systems, POS terminals, etc.: a. All vendor-supplied defaults should be changed, and b. All unnecessary default accounts should be removed or disabled? …
Removed p. 19
16. Is payment application logging enabled? Select “Yes” or “No” from the drop-down menu.

A response of “Yes” indicates that the QIR Employee has confirmed that payment application logging is enabled and active, and that the payment application audit trails are recording the appropriate events and entries.

Events that must be logged are defined in PCI DSS Requirements 10.2 and 10.3, and include:

• All individual accesses to cardholder data from the application
• All actions taken by any individual with administrative privileges as assigned in the application
• Access to application audit trails managed by or within the application
• Invalid logical access attempts
• Use of and changes to the application’s identification and authentication mechanisms (including but not limited to creation of new accounts, elevation of privileges, etc.) and all changes, additions, deletions to application accounts with root or administrative privileges
Removed p. 20
• User identification
• Type of event
• Date and time
• Success or failure indication
• Origination of event
• Identity or name of affected data, system component or resource

If the application is dependent on underlying software, such as databases or operating systems, to perform some or all logging, these logs must also be enabled and configured to record the appropriate events and entries.

All logs should be able to be assimilated into a centralized log server.

17. Is the customer aware that logs should not be disabled and doing so will result in non-compliance with PCI DSS? Select “Yes” or “No” from the drop-down menu.

A response of “Yes” indicates that the QIR Employee has confidence that the customer understands that PCI DSS requires that logs are enabled at all times, and that disabling logs will result in non-compliance.

18. Does the payment application use wireless technology? Check either the …
Removed p. 21
A response of “Yes” indicates that the QIR Employee has confidence that the customer understands they must install and configure a firewall to separate the wireless network from the cardholder environment. The configuration must ensure that traffic between the wireless network and the CDE is limited to that necessary for business purposes.

PCI DSS Requirement 1.2.3 PA-DSS Requirement 6.1

• Is the customer aware they must implement strong encryption for authentication and transmission of cardholder data over wireless networks? Select “Yes” or “No” from the drop-down menu.

A response of “Yes” indicates that the QIR Employee has confidence that the customer understands they must ensure wireless networks transmitting cardholder data or connected to the CDE use industry best practices to implement strong encryption for authentication and transmission. An example of an industry best practice for strong encryption is IEEE 802.11i.

PCI DSS Requirement 4.1.1 PA-DSS Requirement 6.2

No. The payment application does not …
Removed p. 22
If aspects of the installation were performed by parties other than the QIR (for example, the customer or other third party), the QIR Employee should provide relevant details in this section.

Potential PCI DSS compliance issue: If the QIR Employee feels that the observation could possibly affect or have an impact on the customer’s PCI DSS compliance, check “Yes.” If the observation is not relevant to any PCI DSS requirement, check “No.”
Modified p. 22 → 18
Observation Details: Record any observations that the QIR Employee wishes to bring to a customer’s attention, including any potential PCI DSS compliance issues, and any items from Part 2 with a response of “No – Details provided in Part 3.” Applicable Subject and Question Number from Part 2: If the observation relates to a question from Part 2 of the Implementation Statement, record the applicable question number here.
Observation Details: Record any observations that the QIR Professional wishes to bring to a customer’s attention, including any potential security risks and any items from Part 2 with a response of “No – Details provided in Part 3.” Applicable Subject and Question Number from Part 2:
Modified p. 22 → 18
Note: It is not the QIR’s responsibility to determine PCI DSS compliance for their customer. Potential compliance issues may or may not be an indication of an actual compliance issue; however, this is for the customer to determine.
Note: It is not the QIR Professional’s responsibility to determine PCI DSS compliance for their customer. Potential compliance issues may or may not be an indication of an actual compliance issue; however, this is for the customer to determine.
Modified p. 22 → 18
PCI DSS reference (if applicable): If the observation has potential relevance to a PCI DSS requirement, identify the specific PCI DSS requirement.
If the observation has potential relevance to a PCI DSS Requirement, identify the specific PCI DSS Requirement here. Version of PCI DSS referenced must be included.
Modified p. 23 → 19
Note: The QIR Employee may adjust column width and add/remove rows as needed to record all their observations. However, the QIR Employee must not remove any columns or change column headings.
Note: The QIR Professional may adjust column width and add/remove rows as needed to record all their observations. However, the QIR Professional must not remove any columns or change column headings.
Modified p. 23 → 19
Observation # | Observation Details | Applicable subject and question number from Part 2 | Potential PCI DSS compliance issue? | PCI DSS reference (if applicable) | 1 | The customer has delayed installation of a recent vendor-supplied security patch for the payment application.
Observation # | Observation | Applicable subject and question number from Part 2 | Potential security risks? (Yes / No) | PCI DSS reference (if applicable) | 1 | The customer has delayed installation of a recent vendor-supplied security patch for the payment application.
Modified p. 23 → 19
Patching – Question 18 | PCI DSS Requirements 6.1 and 6.2 | 2 | There does not appear to be a firewall installed to control traffic from the wireless network to the cardholder data environment.
PCI DSS Requirements v4.0 6.3.3 | 2 | There does not appear to be a process in place to ensure that remote access to the customer’s network is activated only when needed.
Modified p. 23 → 19
Wireless – Question 17 | PCI DSS Requirement 1.2.3 | 3 | The underlying operating system has insecure services running and the anti-virus software is out of date.
PCI DSS Requirements v4.0 | 3 | The underlying operating system has insecure services running and the anti-virus software is out of date.
Modified p. 23 → 19
N/A | PCI DSS Requirements 2 and 5 | 4 | The underlying system contains old stores of cardholder data that are not encrypted.
N/A | PCI DSS Requirements v4.0 2 and 5 | 4 | The underlying system contains old stores of cardholder data that are not encrypted.
Modified p. 23 → 19
N/A | PCI DSS Requirements 3.1 and 3.4
N/A | PCI DSS Requirements v4.0 3.2.1 and 3.5.1