Contact Information and Report Date

Contact Information

Client

Company Name
Company Address
Company URL
Company contact name
Company phone number
Company email address

Assessor Company

Company Name
Company Address
Company website

Assessor

Lead Assessor Name
Assessor PCI credentials
Assessor phone number
Assessor email address
List all other assessors involved
Assessor Name
Assessor credentials
List all Associate QSAs involved in the assessment.
Assessor QSA name
Assessor QSA mentor name

Assessor Quality Assurance (QA) Primary Reviewer for this specific report

QA Reviewer Name
QA Reviewer Phone
QA Reviewer Email

Date and timeframe of assessment

Date of Report
Timeframe of assessment (start date to completion date)
Identify dates spent onsite at the entity
Describe the time spent onsite at the entity, time spent performing remote assessment activities and time spent on validation of remediation activities

PCI DSS version

Version of the PCI Data Security Standard used for the assessment (should be 3.2.1)

Additional services provided by QSA company

The PCI SSC Qualification Requirements for Qualified Security Assessors (QSA) v3.0 includes content on “Independence,” which specifies requirements for assessor disclosure of services and/or offerings that could reasonably be viewed to affect independence of assessment. Complete the below after review of relevant portions of the Qualification Requirements document(s) to ensure responses are consistent with documented obligations.

Disclose all services offered to the assessed entity by the QSAC, including but not limited to whether the assessed entity uses any security-related devices or security-related applications that have been developed or manufactured by the QSA, or to which the QSA owns the rights or that the QSA has configured or manages:
Describe efforts made to ensure no conflict of interest resulted from the above mentioned services provided by the QSAC:

Summary of findings

PCI DSS Requirement | Summary of Findings (check one: Compliant / Non-Compliant / N/A / Not Tested)
1. Install and maintain a firewall configuration to protect card holder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored card holder data
4. Encrypt transmission of cardholder data across open, public networks
5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for all personnel
Appendix A1: Additional PCI DSS Requirements for Shared Hosting Providers
Appendix A2: Additional PCI DSS Requirements for Entities Using SSL/Early TLS for Card-Present POS POI Terminal Connections
Appendix A3: Designated Entities Supplemental Validation

Summary Overview

Description of the entity’s payment card business

Provide an overview of the entity’s payment card business, including:

Describe the nature of the entity’s business (what kind of work they do, etc.)
Note: This is not intended to be a cut-and-paste from the entity’s website, but should be a tailored description that shows the assessor understands the business of the entity being assessed.
Describe how the entity stores, processes, and/or transmits cardholder data.
Note: This is not intended to be a cut-and-paste from above, but should build on the understanding of the business and the impact this can have upon the security of cardholder data.
Describe why the entity stores, processes, and/or transmits cardholder data.
Note: This is not intended to be a cut-and-paste from above, but should build on the understanding of the business and the impact this can have upon the security of cardholder data.
Identify the types of payment channels the entity serves, such as card-present and card-not-present (for example, mail order/telephone order (MOTO), e-commerce).
Other details, if applicable:

High-level network diagram(s)

Provide a high-level network diagram (either obtained from the entity or created by assessor) of the entity’s networking topography, showing the overall architecture of the environment being assessed. This high-level diagram should summarize all locations and key systems, and the boundaries between them and should include the following:
  • Connections into and out of the network including demarcation points between the cardholder data environment (CDE) and other networks/zones
  • Critical components within the cardholder data environment, including POS devices, systems, databases, and web servers, as applicable
  • Other necessary payment components, as applicable

Description of Scope of Work and Approach Taken

Assessor’s validation of defined cardholder data environment and scope accuracy

Document how the assessor validated the accuracy of the defined CDE/PCI DSS scope for the assessment, including:
As noted in PCI DSS, v3.2.1 – “At least annually and prior to the annual assessment, the assessed entity should confirm the accuracy of their PCI DSS scope by identifying all locations and flows of cardholder data, and identify all systems that are connected to or if compromised could impact the CDE (e.g. authentication servers) to ensure they are included in the PCI DSS scope.”
Note – additional reporting has been added below to emphasize systems that are connected to or if compromised could impact the CDE.
Describe the methods or processes (for example, the specific types of tools, observations, feedback, scans, data flow analysis) used to identify and document all existences of cardholder data (as executed by the assessed entity, assessor or a combination):
Describe the methods or processes (for example, the specific types of tools, observations, feedback, scans, data flow analysis) used to verify that no cardholder data exists outside of the defined CDE (as executed by the assessed entity, assessor or a combination):
Describe how the results of the methods/processes were documented (for example, the results may be a diagram or an inventory of cardholder data locations):
Describe how the results of the methods/processes were evaluated by the assessor to verify that the PCI DSS scope of review is appropriate:
Note – the response must go beyond listing the activities that the assessor performed to evaluate the results of the methods/processes; the assessor must also include details regarding the results of the outcome of those activities that gave the assessor the level of assurance that the scope is appropriate.
Describe why the methods (for example, tools, observations, feedback, scans, data flow analysis, or any environment design decisions that were made to help limit the scope of the environment) used for scope verification are considered by the assessor to be effective and accurate:
Provide the name of the assessor who attests that the defined CDE and scope of the assessment has been verified to be accurate, to the best of the assessor’s ability and with all due diligence:
Other details, if applicable:

Cardholder Data Environment (CDE) overview

Provide an overview of the cardholder data environment encompassing the people, processes, technologies, and locations (for example, client’s Internet access points, internal corporate network, processing connections).
People – such as technical support, management, administrators, operations teams, cashiers, telephone operators, physical security, etc.:
Note – this is not intended to be a list of individuals interviewed, but instead a list of the types of people, teams, etc. who were included in the scope.
Processes – such as payment channels, business functions, etc.:
Technologies – such as e-commerce systems, internal network segments, DMZ segments, processor connections, POS systems, encryption mechanisms, etc.:
Note – this is not intended to be a list of devices but instead a list of the types of technologies, purposes, functions, etc. included in the scope.
Locations/sites/stores – such as retail outlets, data centers, corporate office locations, call centers, etc.:
Other details, if applicable:

Network segmentation