Pci Evidence Reference v1

This document provides a reference for evidence required to demonstrate compliance with PCI-DSS requirements for firewalls and routers. It includes sample questions that assessors may ask and notes on the expected types of evidence needed to satisfy each question. The document was created by PKF Avant Edge for internal use as a guideline, as actual evidence requirements may vary between organizations and assessors. It includes version history and notes that the samples should not be considered a definitive reference for any given PCI assessment.


PCI-DSS EVIDENCE REFERENCE

Version   Reviewed/Changed By   Date            Comments
1.0       Stevie Heong          5 May 2016      First Draft Review
1.1       Anna Shah             2 August 2016   Update

Note:

This is a document for internal distribution within PKF Avant Edge Sdn. Bhd. Reproduction and distribution of this document outside of PKF Avant Edge Sdn. Bhd. is prohibited.

This document is not endorsed by any QSA, and all evidence items are based only on the experiences of our consultants in PCI-DSS. The evidence required by a QSA for an organisation may change from time to time and from business to business; therefore these samples should be used as guidelines only and not as a reference for what is actually required for an organisation to certify for PCI-DSS.

EXECUTIVE SUMMARY & REQUIREMENT 1


QUESTION 1

Please provide the list of office locations, cloud environments and data centres that store, process or transmit information covered under this
certification.

NOTES

1. Expected Evidence: a complete list, with the detailed address, of all in-scope locations, whether physical or in the cloud, the related business tied to each location, and whether the process is card-present or card-not-present

REFERENCE

QUESTION 2

Please provide a list of applications that are involved in storing, processing or transmitting information covered under this certification

NOTES

1. Expected Evidence: a complete list of all the payment applications that are in scope
2. Payment applications are applications storing and processing card information, located in the CDE
3. Off-the-shelf systems such as databases and operating systems are excluded
4. Applications are generally divided as follows:
5. If an application has different URLs and a different authentication system, they are treated as separate applications. If one application has different roles but the login page is the same, it is one application. If an application has different modules, e.g. admin, supervisor and analyst, where these modules have their own independent login pages, they are considered 3 applications.

REFERENCE

QUESTION 3

Please provide a high-level network diagram for in-scope environment (See attached templates).

NOTES

Expected Evidence: a high-level network diagram that covers the following:

- All connections into and out of the network, including demarcation points between the cardholder data environment (CDE) and other networks/zones
- Connectivity type used for data transmission (IPsec tunnel, SSL, SFTP etc.)
- Internal, External and DMZ network zones with the cardholder application and database systems in their respective network zone, OR PCI-scope-specific VLANs (as well as their locations and the boundaries between them)
- All network devices (firewall, IPS, router, VPN devices, switches) as applicable
- Third-party connections with which cardholder data is shared

REFERENCE

QUESTION 4

Please provide your asset list, databases, data storage locations etc.

NOTES

Expected Evidence: an inventory list of servers, network devices, software and applications.
CaaS customers: ensure that for Linux servers the hostname and IP are unique to that project and that the same IP is not used in a different project sending to CaaS, as the keys cannot be synchronised correctly when Linux hosts share an IP.
Includes all network and server systems in the CDE and the non-CDE in scope.

REFERENCE

QUESTION 5

Provide a list of all your external IP addresses and their function

NOTES

Expected Evidence: the complete list of ALL external IPs that will be scanned under the ASV scan, i.e. in scope. If the company has only one set of external IP addresses for PCI and non-PCI, these need to be provided to the ASV for scanning.

Ensure that the list of external IPs in Q5 is the same as in Q4.

REFERENCE

QUESTION 6

Provide 3 sample firewall and router change forms or tickets.

NOTES

Expected Evidence: a change request form specific to the firewall and/or router change, which should include sign-off from the head of IT

In the form please include the following:

1. Firewall name, brand and IP
2. Reason/description for the change
3. Requestor name, sign-off, date
4. Approver name, sign-off, date
5. Testing after the change

Forms can be tickets as well, or in electronic form, as long as they fulfil the relevant criteria

REFERENCE

QUESTION 7

Provide detailed network diagram(s)

NOTES

Expected Evidence: ensure that the detailed network diagram covers the following

- All boundaries of the in-scope environment
- Any network segmentation point
- Boundaries between trusted and untrusted networks
- Wireless (if available) and wired networks
- All other connection points applicable to the assessment
- Ensure the diagram(s) include enough detail to clearly understand how each communication point functions and is secured
  o The firewall and server interfaces that the traffic passes through
  o The traffic flow of cardholder data

REFERENCE

QUESTION 8

Provide data flow diagrams that explain storage, processing and transmission of covered information

NOTES

Expected Evidence: please identify the business processes of the entity that use card data; some of the processes that may involve CHD are:

- Card capturing
- Card acquiring and authorization
- Card issuing
- Chargeback
- Settlement
- Fraud management
- Reconciliation
- Recurring
- etc.

REFERENCE

QUESTION 9

Provide roles and responsibilities for management of firewall and routers.

NOTES

Expected Evidence: an access matrix that specifies the UID and the user given permission to access the firewall and/or router, and their permissions

REFERENCE

QUESTION 10

Provide business justification for use of all services, protocols, and ports allowed through firewall and router.

NOTES

Expected Evidence: a document that contains the justification for ALL open ports and services running on the firewall or router. The QSA can also accept a form that justifies only the insecure services; however, this will depend on the number of rules the company has. These can either be in a separate document or merged into the firewall hardening / firewall policy document

REFERENCE

QUESTION 11

Provide two compliant semi-annual firewall and router rule set review reports along with evidence that the team performing the review has the necessary
credentials and knowledge to perform the review.

NOTES

Expected Evidence: a report that outlines the review of ALL the firewall rules in scope of PCI. The report needs to contain the changes made to the firewall that have been noted in the change request forms as well.

The firewall review is intended to ensure that all rules are aligned with PCI DSS compliance, such as:

1. Only specific destinations, sources, ports and services are allowed
2. Any-to-any deny
3. There is no direct communication between the CDE zone and the Internet
4. All rules must be properly described or tagged with a description
REFERENCE
QUESTION 12

Provide system generated configuration showing inbound and outbound access list for all firewall(s)/router(s) in scope.

NOTES

Expected Evidence:

1. A raw system-generated configuration file from the firewall that outlines the full configuration of the firewall/router devices
2. A screenshot of every interface of the firewall/router showing all inbound and outbound rules

REFERENCE

QUESTION 13

Provide a written explanation of how a firewall/router full configuration backup is done and how are the backups secured.

NOTES

Expected Evidence:

1. A document outlining the process for backing up the firewall configuration, which should contain the following
  a. The frequency of backup
  b. The destination of the backup
  c. A screenshot showing that the backup is stored in the designated place
  d. A test report on performing a recovery from the backup to show that the backup works correctly

REFERENCE


QUESTION 14

For in-scope wireless networks, provide system generated configuration showing inbound and outbound access list between wireless and wired network.

NOTES

Expected Evidence:

1. If wireless is in scope, show a screenshot of the firewall ACL between the wired and wireless networks
2. If wireless is not in scope, this is considered Not Applicable; however, a wireless scan is needed to ensure no wireless access is present

REFERENCE

QUESTION 15

Provide explanation/justification for any scenarios where there is a direct connection from Internet to internal network or vice versa.

NOTES

Expected Evidence:

1. Provide a justification for why the internal network needs to go directly out to the Internet.
2. Only non-CDE in-scope systems are allowed; the CDE cannot go directly out to or in from the Internet
3. The DMZ must be traversed

REFERENCE

QUESTION 16

Provide screenshot for anti-spoofing access list or equivalent settings on external firewall and/or router.

NOTES

Expected Evidence:

1. Provide a screenshot from the firewall showing that anti-spoofing is enabled to detect traffic arriving on the external-facing interface with a forged source IP
2. Show that all traffic from internal IPs to the Internet is NATed

REFERENCE

QUESTION 17

Provide screenshot to show stateful inspection has been enabled on external firewalls in scope.

NOTES

Expected Evidence:

1. Provide a screenshot from the firewall showing that it maintains state and permits only "established" connections into the network.
2. In certain cases the firewall is already a stateful inspection firewall by default; in that case please obtain a newsletter or whitepaper from the firewall vendor showing that the firewall is stateful by default

REFERENCE

QUESTION 18

For a sample of 5 laptops provide the following:

- Evidence of a personal firewall running appropriately
- Evidence that the personal firewall cannot be disabled by the user.

NOTES

Expected Evidence:

1. Provide a screenshot from each laptop connecting to the PCI environment showing that it is protected with a personal firewall that cannot be disabled except by an admin

REFERENCE

QUESTION 19

If a wireless access point is used, provide screenshots that show the following
- the firmware version is the latest
- strong encryption has been implemented
- vendor defaults have been changed

NOTES

Expected Evidence:

1. If the wireless AP is in scope: show screenshots from the wireless AP of the firmware version, the encryption (WPA2), and that the password has been changed
2. If the wireless AP is not in scope then this is not applicable; however, a wireless scan needs to be conducted

REFERENCE

REQUIREMENT 2
QUESTION 20

Provide hardening (secure configuration) documents for all system components identified in the asset inventory

NOTES

Expected Evidence:

1. A document that contains AT LEAST the basic hardening configuration for all components in scope, especially
  a. Servers
  b. Firewalls
  c. Routers/switches
  d. Databases
  e. Applications
2. The basic hardening may contain the following
  a. Removal of default usernames and passwords supplied by vendors
  b. Password policy
  c. Audit log policy
  d. Removal of unused and insecure services, with justification for needed services
  e. Etc.

REFERENCE

QUESTION 21

Provide configuration scan (i.e. authenticated vulnerability scan) results that evidence the list of ports/services running on in-scope systems (servers and network devices)
OR
In the absence of a configuration scan, you may provide the results of running ControlCase scripts on in-scope systems.

NOTES

Expected Evidence:

1. Internal Vulnerability Scan Report (IVA).

REFERENCE

QUESTION 22

For insecure services (such as HTTP, FTP, Telnet, SSL) provide details on what additional controls have been implemented to mitigate the risk of having that
insecure service

NOTES

Expected Evidence:

1. Provide a list of justifications for the services running on the servers, especially insecure services such as HTTP, FTP, Telnet, etc.

REFERENCE

QUESTION 23

Provide configuration scan (i.e. authenticated vulnerability scan) results that evidence the list of ports/services running on in-scope systems (servers and network devices)
OR
In the absence of a configuration scan, you may provide the results of running ControlCase scripts on in-scope systems.

NOTES

Expected Evidence:

1. Internal Vulnerability Scan Report (IVA).

REFERENCE

QUESTION 24

For POS devices, provide evidence of strong cryptography being implemented. You must use the attached template to provide us the data.

NOTES

Expected Evidence:

1. If the POS is in scope: provide a screenshot showing that the POS uses strong cryptography
2. If the POS is already PCI PIN PTS certified, provide a screenshot showing that the model is certified.

REFERENCE


REQUIREMENT 3
QUESTION 25

Provide the following for covered information,

- defined retention period
- process for secure data deletion based on the retention period
- records that evidence the process was followed.

NOTES

Expected Evidence:

1. Data retention & deletion policy document
2. CHD matrix

REFERENCE

QUESTION 26

Provide results that show card data was searched in all applicable assets. These could be a combination of process interviews, manual reviews of
logs/transaction files and automated scans as long as they cover PAN, Track, CVV and PIN in all locations within cardholder data environment (CDE) and
outside the CDE.

NOTES

Expected Evidence:

1. Clean Card Data Discovery Scan results

REFERENCE
QUESTION 27

Provide the following for all physical media and applications

- All screenshots where cardholder data is displayed
- Business justification where full PAN is displayed

NOTES

Expected Evidence:

1. Screenshots where card data is displayed in clear text
2. Justification for the display of card data

REFERENCE

QUESTION 28

Provide the following for all filesystems, databases and any backup media
- Details on method (encryption, hashing, truncation, tokenization) being used to protect covered information in storage
- Evidence (screenshots or settings) showing covered information is protected

NOTES

Expected Evidence:

1. The methodology for how the client implements encryption, truncation or tokenization
2. Screenshots showing that the number has been encrypted, truncated or tokenized.
3. Screenshots showing the algorithm in use (e.g. AES, 3DES, RSA etc.) and the key strength (e.g. 128/256/2048 bits). Also describe the process (e.g. program/HSM etc.) used to generate the key.
4. If keys are distributed, describe how key distribution is done.
5. Describe how secure cryptographic key storage is done and provide screenshots of the locations where the key-encrypting key (KEK) and data-encrypting key (DEK) are stored.
6. Show using screenshots who has access to the data-encrypting key (DEK) and the key-encrypting key (KEK).

REFERENCE


REQUIREMENT 4
QUESTION 29

Provide evidence of encryption being used for transmission of in-scope data over any open or public communication channel (i.e. Internet, wireless network, GSM, GPRS, VSAT technology etc.). Encryption must conform to strong industry standards.

NOTES

Expected Evidence:

1. If data is sent via the Internet: show that it uses strong cryptography such as HTTPS, SSL VPN, etc.
2. If no data is sent via the Internet: Not Applicable

REFERENCE

QUESTION 30

Provide evidence of encryption being used for transmission of in-scope data over messaging technologies such as email, chat and SMS. Encryption must conform to strong industry standards.

NOTES

Expected Evidence:

1. If data is sent via SMS or a social app: show that a secure connection method such as secure email is used
2. If no data is sent via SMS: Not Applicable

REFERENCE

(No client has this at the moment)


REQUIREMENT 5
QUESTION 31

For the selected sample, provide evidence of antivirus software. Provide the following,
- Running in active mode
- Antivirus version and
- Signature version.
- Evidence that user cannot disable or alter the antivirus settings
NOTES

Expected Evidence:

1. Screenshots from the antivirus agent on ALL servers that satisfy the requirements above

REFERENCE

QUESTION 32

Provide Antivirus Server Management Console screenshot that shows the following
- Signature update frequency
- Periodic scan frequency
- Signature version
- Log storage for 3 months online and further 9 months offline
- Three summary scan run reports from the year

NOTES

Expected Evidence:

1. Screenshots from the Antivirus Server console that satisfy the requirements above

REFERENCE


REQUIREMENT 6
QUESTION 33

Provide evidence that any security alerts or threat notifications are analysed against the asset/application inventory and that a risk ranking process is applied to the alerts.

NOTES

Expected Evidence:

1. A documented risk methodology that outlines how ANY incident or alert found is mapped to a risk ranking based on industry practices

REFERENCE

QUESTION 34

Provide evidence of,


- Current patch levels
- Patches being deployed in a timely manner

NOTES

Expected Evidence:

1. Screenshots from the firewall, IDS, switches, servers, AV, DB and applications showing that patches are kept current and updated to the latest patch level
2. A process describing how patching is done, such as the schedule, frequency, etc.

REFERENCE


QUESTION 35

Provide secure software development process document in accordance with industry best practices

NOTES

Expected Evidence:

1. A document on how the client performs their SDLC procedures

REFERENCE

QUESTION 36

Provide system generated list of users on all applications that store, process or transmit covered information.

NOTES

Expected Evidence:

1. A screenshot showing the application user IDs in the application.

REFERENCE

QUESTION 37

Provide a recent secure code review report for an application that stores, processes, or transmits covered information.

NOTES

Expected Evidence:

1. A yearly code review report to ensure that the application is free from web application vulnerabilities, especially the OWASP Top 10

REFERENCE

QUESTION 38

Provide evidence showing that higher environments (i.e. production) are logically separated from lower environments (such as test/development)

NOTES

Expected Evidence:

1. A document/screenshot showing that developers and testers are logically separated from operations

REFERENCE

QUESTION 39

Provide evidence that there is segregation of duties between users having access to higher (production) and lower (test/development) environments.

NOTES

Expected Evidence:

1. A document/screenshot showing that developers and testers have segregation of duties
2. If a user has both roles, ensure that the usernames used to access development and production are unique to the respective environment, e.g. teo_Dev is only used in the development environment and teo_prod or teo_DBA is only used in production

REFERENCE

QUESTION 40

Provide a document that outlines

- the process for generating test data to be used in lower (test/development) environments

- the process for removing test data and test accounts prior to moving the system to the higher (production) environment.

NOTES

Expected Evidence:

1. A process document outlining how the client generates test cards and how the test cards are removed before going to production

REFERENCE

QUESTION 41

Provide 4 sample change request (2 for software modification and 2 for security patch implementation) from the last 6 months.

NOTES

Expected Evidence:

1. Sample change request forms for the following
  a. Software modification (2x)
  b. Patch implementation, changes to the servers (2x)

REFERENCE

QUESTION 42

Provide the following from a secure code training perspective,

- Material used for training
- Attendee list showing that all developers are covered

NOTES

Expected Evidence:

1. A secure code training module that was attended recently
2. The secure code training attendance list.

REFERENCE

QUESTION 43

(Optional) Provide evidence that a web application firewall is in place to protect against well-known web-based vulnerabilities (such as OWASP).

NOTES

Expected Evidence:

1. A screenshot showing that a Web Application Firewall (WAF) is implemented to protect the web application
2. A web application penetration test report

If a WAF is already in place, a web application PT still needs to be conducted to verify that the WAF is effective in protecting the application from external attacks

REFERENCE


REQUIREMENT 7 & 8
QUESTION 44

Provide the organizational access control policy.

NOTES

Expected Evidence:

1. A document that outlines the policy for user access and privileges. The document must be signed off by management

REFERENCE

(Access Control Policy)

QUESTION 45

Please provide,

- List of users
- Access permission for those users
- Business justification for the level of access permission


NOTES

Expected Evidence:

1. A list of users from the servers/Active Directory and the privileges given to the users.
2. Ensure that user privileges are granted on a need-to-know basis with least privilege, unless there is a business justification for why higher privileges are needed

REFERENCE


QUESTION 46

Provide two forms/tickets per platform (one for general user and one for administrative user) from the last 6 months for,
- User access creation
- User access deletion
- User access modification
NOTES

Expected Evidence:

1. Sample user forms for user creation, deletion and modification. Each scenario needs around 2-3 samples. If there are no deletions or modifications, then 5 samples of creation are needed

REFERENCE

QUESTION 47

Provide three sample user termination forms/tickets that evidence timely removal of logical and physical access upon termination of an employee or
contractor
NOTES

Expected Evidence:

1. A sample user termination form and a screenshot showing that the user has been removed from the environment

REFERENCE

QUESTION 48

Provide procedures that outline the process for monitoring inactive users for 90 days for all platforms in scope. In addition, provide reports showing
inactive users either disabled or removed.
NOTES

Expected Evidence:

1. Based on the last active login of each UID, show that users inactive for more than 90 days are removed from the system.
2. In Windows, AD stores a user's last logon time in the Last-Logon attribute of the AD user object
3. In Linux, run the command lastb, which shows the last log file from /var/log/btmp, which contains all the bad login attempts
4. If AD is present, capture users from AD and also any local users present on each server
5. If there is no AD, then all users allowed to access each server need to be captured
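A worked check for the 90-day criterion, as an added example that is not part of the PKF Avant Edge document. It assumes a constructed CSV export with one row per account (the column names are assumptions) in which AD accounts carry the raw Last-Logon value as a FILETIME integer (100-nanosecond intervals since 1 January 1601 UTC) and local Linux accounts carry an ISO-8601 timestamp; an empty value means the account has never logged on, which is treated as inactive only once the account itself is older than 90 days, so freshly created accounts are not flagged. One caveat for the AD side: the lastLogon attribute is held per domain controller and is not replicated, so an export must be taken from every DC (or the replicated lastLogonTimestamp attribute used instead) before an account is declared inactive.

```python
"""Flag accounts with no successful logon in the last 90 days.

Added example (not from the PKF Avant Edge document). The CSV layout,
column names and every account below are constructed for illustration.
"""
import csv
import io
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

INACTIVE_AFTER = timedelta(days=90)
# Active Directory FILETIME: 100-nanosecond intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed export. "source" is AD or local:<hostname>; an empty
# last_logon means the account has never logged on.
SAMPLE_EXPORT = """\
account,source,last_logon,created
alice,AD,132970000000000000,2022-01-10
bob,AD,,2021-06-01
svc_backup,local:db01,2023-03-01T02:00:00,2020-01-01
carol,local:db01,2023-08-20T09:15:00,2023-01-01
dave,AD,,2023-08-25
"""

# Review date for the sample run (constructed).
AS_OF = datetime(2023, 9, 1, tzinfo=timezone.utc)


def filetime_to_datetime(value: int) -> datetime:
    """Convert an AD lastLogon FILETIME integer to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def parse_last_logon(source: str, raw: str) -> Optional[datetime]:
    """Return the last logon as UTC, or None if the account never logged on."""
    if not raw.strip():
        return None
    if source == "AD":
        return filetime_to_datetime(int(raw))
    # Local accounts are exported with ISO-8601 timestamps (assumed UTC).
    return datetime.fromisoformat(raw).replace(tzinfo=timezone.utc)


def find_inactive(export_text: str, as_of: datetime) -> List[Tuple[str, str]]:
    """Return (account, reason) for every account inactive for more than 90 days.

    Never-logged-on accounts count as inactive only once the account itself is
    older than the threshold, so freshly created accounts are not flagged.
    """
    inactive: List[Tuple[str, str]] = []
    for row in csv.DictReader(io.StringIO(export_text)):
        last = parse_last_logon(row["source"], row["last_logon"])
        created = datetime.fromisoformat(row["created"]).replace(tzinfo=timezone.utc)
        if last is None:
            if as_of - created > INACTIVE_AFTER:
                inactive.append((row["account"], f"never logged on, created {created.date()}"))
        elif as_of - last > INACTIVE_AFTER:
            inactive.append((row["account"], f"last logon {last.date()}"))
    return inactive


if __name__ == "__main__":
    for account, reason in find_inactive(SAMPLE_EXPORT, AS_OF):
        print(f"{account}: {reason} -> disable or remove, and keep the ticket as evidence")
```

The list this produces is the input to the evidence item in point 1: each flagged account should be matched to a disable/removal ticket, and any account kept active needs a written exception.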

REFERENCE
QUESTION 49

Provide an inventory of vendors that are provided remote access to your organization. For each vendor please provide
- Procedure for providing access only when needed
- Access activity monitoring reports
NOTES

Expected Evidence:

1. An inventory list of all third parties involved in the PCI environment

REFERENCE

QUESTION 50

For all assets identified in the sample provide evidence of logical access account and password features to include,
- Account lockout policy
- Account lockout duration
- Session timeout policy
- Password length
- Password complexity
- Password history
- Password expiry

NOTES

Expected Evidence:

1. If AD is present: screenshots from the GPO, screenshots showing that all servers follow the GPO, and that all network devices integrate with AD via RADIUS
2. If no AD: screenshots of the password policy from ALL servers and network devices

REFERENCE

QUESTION 51

Provide evidence that passwords (for platform and/or consumer applications) are encrypted during transmission and storage.

NOTES

Expected Evidence:

1. Screenshots showing that the passwords for all components are encrypted during storage and transmission

REFERENCE

QUESTION 52

Provide one sample per platform of recent password reset requests/forms for users.

NOTES

Expected Evidence:

1. Sample password reset forms for user access to:
  a. Server (1x)
  b. DB (1x)
  c. Firewall (1x)

REFERENCE

QUESTION 53

Provide documented procedures for password change during new user creation or for a password reset for all platforms in scope.

NOTES

Expected Evidence:

1. Documentation on how the password change is done
2. Screenshots showing that the password must be changed at first login and after a password reset

REFERENCE

QUESTION 54

Provide the following related to remote access,

- Procedure that outlines the process of granting remote access as well as the description of the two-factor authentication technology used
- List of internal and external users with remote access

NOTES

Expected Evidence:

1. A process describing how users are granted remote access, and
2. how two-factor authentication is provisioned for them
3. The list of users granted remote access

REFERENCE

QUESTION 55

This is applicable only to service providers with remote access to multiple customers. Provide user list for up to (but not exceeding) 3 customers to prove
unique credentials are being used per customer.

NOTES

Expected Evidence:

1. If customers have access to merchants, then we need the list of merchants connecting to the client, showing that every customer has a unique ID

REFERENCE

(We have never encountered a case where a service provider accesses the environment)

QUESTION 56

If other authentication mechanisms are used apart from normal passwords (for example, physical or logical security tokens, smart cards, certificates, etc.), then provide the list of users and the authentication method assigned to each individual account.

NOTES

Expected Evidence:

1. Show screenshots or evidence for the users having more than one authentication mechanism, such as OTP for MFA

REFERENCE

QUESTION 57

Provide the output screenshot of current active connections.

NOTES

Expected Evidence:

For each sampled database, provide screenshots of the following (please make sure that the screenshots clearly show the IP address/hostname and the command used to display the current sessions):

- On an Oracle database, from the SQL*Plus command prompt, execute the query "select * from gv$session"
- On a SQL Server database, use SQL Query Analyzer and execute the query "sp_who 'active'"
- On a Sybase database, from the SQL command prompt, execute the query "sp_who"
- For any other type of database, please check the vendor documentation to provide the screenshot

REFERENCE


REQUIREMENT 9
QUESTION 58

Provide the following for all physical locations in scope:

- Sample records from physical access control system (such as a badge system) and /or video cameras showing 90 days of retention
- List of users created on access control system (such as a badge system) for administrative access

NOTES

1. Provide the access card badge log for the latest 3 months
2. CCTV log screenshots at the DC; make sure each row in the DC has CCTV monitoring it
3. Screenshot of the users in the access badge control system, and the system version
4. Make sure there is no username ADMIN or ADMINISTRATOR. Usernames must be unique

REFERENCE


QUESTION 59

Please provide two samples of user access creation and deletion forms/tickets from the last 6 months that evidence,

- physical access allocation to the sensitive area is authorized and as per individual’s job function.
- timely removal of physical access upon termination of user

NOTES

1. 3-5 samples of user access creation for physical access
2. 3-5 samples of user deletion

REFERENCE


QUESTION 60

Provide sample records or scanned copies of visitor log (for a 90 day period) for the facility /network rooms / data centers that contains:
- The visitor’s name
- The date and time
- The firm represented, and
- The onsite personnel authorizing physical access.

NOTES

1 either hardcopy/softcopy
2 Make sure latest 3 month

REFERENCE

QUESTION 61

Provide a policy that outlines the following,

- visitors can be distinguished from onsite personnel (employees)
- visitors are escorted during access to sensitive areas
- visitor badges are returned upon departure

NOTES

Physical access control policy or physical security policy; make sure the points below are included in the document:

- visitors can be distinguished from onsite personnel (employees)
- visitors are escorted during access to sensitive areas
- visitor badges are returned upon departure

QUESTION 62

This question is applicable only if physical media is used for backups of covered information and stored offsite. Provide evidence that a physical security review
has been performed of the backup facility.

NOTES

1. Please provide the backup log
2. Annual physical review of the backup media

REFERENCE
-Sample report-
QUESTION 63

This question is applicable only if physical media is used to store covered information. Provide the following,
- Full media inventory
- sample of 5 inbound and outbound media movement records (including information such as date/time of movement, approver name, delivery method)
from last 6 months

NOTES

1. Please provide the tape movement records (in and out)


Sample template
QUESTION 64

Provide the physical media destruction procedure and a sample of media destruction records from within the last year.

NOTES

1. Please provide the data retention and disposal policy

REFERENCE

- Full report can be reviewed from the shared folder -
QUESTION 65

Provide up-to-date list of point of sale devices (card-reading devices and terminals) with information that includes:
- Make, model of device.
- Location of device (for example, the address of the site or facility where the device is located).
- Device serial number or other method of unique identification

NOTES

REFERENCE

QUESTION 66

Provide for POS devices,

- documented procedures that outline the process for inspection for tampering.
- material used for training personnel for inspection
- records showing that personnel have been trained
- sample of 3 records from different retail locations showing the schedule of inspection

NOTES

1. Q66.Sample_POS_inspection_training_material

REFERENCE

REQUIREMENT 10
QUESTION 67

Please wait on providing this information until assessor provides you with a sample after phase I. For the sample, provide the audit log policy settings.
You may use the attached template or provide the required information in an alternative format.

NOTES

Please ensure that audit logging is configured to send all logs as per the PCI requirement for all servers, network devices, applications and databases

For Linux

REFERENCE

Windows
Sample 1: AIX
Sample 2: Checkpoint firewall
Sample 3: Cisco ACS
Sample 4: Cisco devices
Sample 5: FortiGate firewall
Sample 6: Juniper firewall
Sample 7: Linux - Red Hat
Sample 8: Oracle
Sample 9: Sophos firewall
Sample 10: Windows
QUESTION 68

Please wait on providing this information until assessor provides you with a sample after phase I. Provide actual event logs for each of the platforms
identified in the sample.

NOTES

All of these scenarios will require a screenshot:

- All individual access to cardholder data.
- All actions taken by any individual with root or administrative privileges.
- Access to all audit trails.
- Use of identification and authentication mechanisms.
- All elevation of privileges.
- All changes, additions, or deletions to any account with root or administrative privileges.
- Initialization of audit logs.
- Stopping or pausing of audit logs.
- Creation and deletion of system level objects.

Note: The above sample audit logs should show information such as user ID, date & time, type of event, success or failure indication of the event, and source and
target system IP & hostname.
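As an added example that is not part of this reference, the following Python check runs exported audit records through the field and event-type requirements listed above before they are submitted as evidence, and reports which event categories no acceptable record covers. The key=value line format, the event names and the sample records are constructed assumptions, not any vendor's export format.

```python
# Added example (not from the PKF Avant Edge reference): check that exported
# audit records carry the fields Question 68 asks for. The key=value line
# format, event names and sample records below are constructed.
import re
from datetime import datetime

REQUIRED = ("user", "ts", "event", "result", "src", "src_host", "dst", "dst_host")

# Constructed event names, one per category in the Question 68 list (PCI DSS 10.2).
PCI_EVENTS = {
    "chd_access", "admin_action", "audit_trail_access", "auth",
    "priv_escalation", "admin_account_change", "audit_init", "audit_stop",
    "sysobj_change",
}
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Parse one key=value audit line into a dict (surrounding quotes stripped)."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def check_record(rec):
    """Return the deficiencies of one parsed record; an empty list is acceptable."""
    problems = ["missing " + f for f in REQUIRED if not rec.get(f)]
    if rec.get("ts"):
        try:  # a zone-qualified timestamp is what lets records be correlated
            datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S%z")
        except ValueError:
            problems.append("ts not ISO-8601 with zone")
    if rec.get("event") and rec["event"] not in PCI_EVENTS:
        problems.append("event %r not a 10.2 category" % rec["event"])
    if rec.get("result") and rec["result"] not in ("success", "failure"):
        problems.append("result must be success or failure")
    return problems


def audit_evidence(lines):
    """Return ({line_no: problems} for failing lines, categories no good line covers)."""
    failures, covered = {}, set()
    for n, line in enumerate(lines, 1):
        rec = parse_record(line)
        probs = check_record(rec)
        if probs:
            failures[n] = probs
        else:
            covered.add(rec["event"])
    return failures, PCI_EVENTS - covered


# Constructed sample export; the second record lacks a result and a time zone.
SAMPLE = [
    'ts=2016-08-01T09:15:02+0000 user=dba01 event=chd_access result=success '
    'src=10.1.1.15 src_host=jump01 dst=10.1.2.20 dst_host=pandb01',
    'ts=2016-08-01T09:20:11 user=root event=admin_action '
    'src=10.1.1.15 src_host=jump01 dst=10.1.2.20 dst_host=pandb01',
    'ts=2016-08-01T09:25:40+0000 user=secadm event=audit_stop result=failure '
    'src=10.1.1.15 src_host=jump01 dst=10.1.2.21 dst_host=syslog01',
]
```

Running `audit_evidence(SAMPLE)` flags the second record and lists the seven categories for which no acceptable record has yet been collected.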

REFERENCE
QUESTION 69

Provide the following NTP evidence to show that all devices have a common timestamp within logs,
- Device being used as the central NTP server along with the NTP version number
- Setting/Screenshot showing synch between NTP server and external time source
- Access control list for NTP server - You must use the attached template to provide us the data.

NOTES

1. The version of NTP used (use the current version, which is version 4)

2. The setup of the primary NTP server

3. The setup of the secondary NTP server

4. Ensure that all servers take their time from the secondary NTP server

5. Ensure that the time is kept in a standard time reference, either GMT or UTC

Central NTP:
1. Central NTP configuration.
<Paste screenshot here>
2. Central NTP Version.
<Paste screenshot here>
3. List of users Created on Central NTP server.
<Paste screenshot here>

Provide NTP Configuration for all flavor of following servers or network device:
1. Firewall (CISCO, Juniper, Nokia, Checkpoint, SonicWALL, Fsecure etc.)
2. Server (Linux, Windows, Solaris, AIX, Redhat etc.)
3. Switch
4. Router
5. IDS/IPS
6. Load Balancer
7. Desktops (if applicable)
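As an added example that is not part of this reference, the following Python script parses `ntpq -p` output collected from an in-scope host and checks the points in the notes above: the host has a selected system peer, that peer is one of the organisation's own NTP servers rather than an external source, and the peer is reachable with a small offset. The server names, the allowed-source list and the sample output are constructed assumptions.

```python
# Added example (not from the PKF Avant Edge reference): parse `ntpq -p`
# output from an in-scope host and check the points in the Question 69 notes:
# the host is synchronised, and to one of the organisation's own NTP servers
# rather than an arbitrary external source. Host names and output are constructed.

# Internal time sources an in-scope host is allowed to follow (constructed names).
ALLOWED_SOURCES = {"ntp1.corp.example", "ntp2.corp.example"}


def parse_ntpq(text):
    """Turn `ntpq -p` peer lines into dicts: tally, remote, refid, stratum, reach, offset."""
    peers = []
    for line in text.splitlines()[2:]:          # skip the two header lines
        if not line.strip():
            continue
        tally, rest = line[0], line[1:].split()
        peers.append({
            "tally": tally,                      # '*' = system peer, '+' = candidate
            "remote": rest[0],
            "refid": rest[1],
            "stratum": int(rest[2]),
            "reach": int(rest[6], 8),            # octal shift register of the last 8 polls
            "offset_ms": float(rest[8]),
        })
    return peers


def check_ntp(text, allowed=ALLOWED_SOURCES, max_offset_ms=128.0):
    """Return a list of findings for one host; an empty list means the host passes."""
    peers = parse_ntpq(text)
    findings = []
    system = [p for p in peers if p["tally"] == "*"]
    if not system:
        return ["no selected system peer: host is not synchronised"]
    sp = system[0]
    if sp["stratum"] >= 16:
        findings.append("system peer is stratum 16 (unsynchronised)")
    if sp["remote"] not in allowed:
        findings.append("system peer %s is not an approved internal NTP server" % sp["remote"])
    if sp["reach"] != 0o377:
        findings.append("system peer reach %o: recent polls failed" % sp["reach"])
    if abs(sp["offset_ms"]) > max_offset_ms:
        findings.append("offset %.1f ms exceeds %.0f ms" % (sp["offset_ms"], max_offset_ms))
    return findings


# Constructed output for a compliant host and for one following an external source.
GOOD = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp1.corp.example .GPS.           1 u   45   64  377    0.512   -0.034   0.012
+ntp2.corp.example 10.0.0.5        2 u   50   64  377    0.623    0.101   0.020
"""
BAD = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*time.example.net  192.0.2.10      2 u   45   64  377   20.512    1.034   0.512
 ntp1.corp.example .GPS.           1 u    -   64    0    0.512    0.000   0.012
"""
```

Paste each host's `ntpq -p` output into `check_ntp`; hosts returning an empty list are the ones whose screenshots satisfy note 4.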

REFERENCE
QUESTION 70

Provide evidence of the following on the central syslog server:

- Access list of users with permission type (i.e. read only/modify) and business justification
- Evidence of archived logs being protected by FIM

NOTES

CAAS

REFERENCE

RSA:
QUESTION 71

Provide
- One daily log review report/email for every sample.
- Evidence of follow up to the event
- Evidence of log retention for 12 months

You must use the attached template to provide us the data.

NOTES

1. At least 3 sample reports/emails of the daily log review
2. Email/follow up to events
3. Screenshot showing logs stored for 12 months with the DATE clearly visible.

REFERENCE
- Full report can be reviewed in the shared folder -



REQUIREMENT 11
QUESTION 72

Provide quarterly wireless analyzer reports along with details for authorized/unauthorized nature of the access point.
The attached template is provided as a sample.

NOTES

Wireless scan report every quarter

REFERENCE
QUESTION 73

Provide one sample incident response report in response to a rogue access point detection.

REFERENCE
QUESTION 74

Provide quarterly internal vulnerability/configuration assessment reports for 4 last quarters.

NOTES

Each quarterly report should contain at least the following:

1. List of IPs scanned in that quarter's scan.
2. Date the scan started.
3. Tester's name.
4. Methodology used for testing.

REFERENCE

Internal vulnerability scan report

QUESTION 75

Provide quarterly external vulnerability/ASV scan reports for the last 4 quarters.

You must use the attached template to provide us the data.

NOTES

Reports should contain at least the following:

1. List of IPs scanned in each quarterly scan.
2. Date the scan started.
3. Tester's name.
4. Methodology used for testing.

REFERENCE

ASV report
QUESTION 76

Provide the documented methodology being used for penetration testing.

You must use the attached template to provide us the data.

REFERENCE

QUESTION 77

Provide external penetration test report. You must use the attached template to provide us the data.
NOTES

Reports should contain at least the following:

1. List of IPs scanned.
2. Date the scan started.
3. Tester's name.
4. Methodology used for testing.

REFERENCE

External PT report
QUESTION 78

Provide internal penetration test report. You must use the attached template to provide us the data.
NOTES

Reports should contain at least the following:

1. List of IPs scanned.
2. Date the scan started.
3. Tester's name.
4. Methodology used for testing.

REFERENCE

Internal PT report

QUESTION 79

Provide segmentation test results

NOTES

Reports should contain at least the following:

1. List of IPs/VLANs that are not in scope.
2. List of IPs/VLANs in scope and scanned.
3. Date the scan started.
4. Tester's name.
5. Methodology used for testing.

REFERENCE

Refer to the segmentation PT report

QUESTION 80

Provide evidence of the following from all IDS/IPS implemented,

- Location on network
- Version number
- Signatures
- Alerting emails
- Follow up to alerts

NOTES

Provide evidence of the following from all IDS/IPS implemented,

- Location on network (must monitor the external as well as the internal network)
- Version number
- Signatures
- Alerting emails (at least 3 samples)
- Follow up to alerts (at least 3 samples)

REFERENCE
QUESTION 81

Provide the following evidence for the sample,

- FIM version installed
- Files being monitored by FIM
- Alerting emails
- Follow up to alerts
You must use the attached template to provide us the data.

NOTES

- FIM version installed
- Files being monitored by FIM
- Alerting emails (at least 3 sample emails/reports)
- Follow up to alerts (at least 3 sample emails/reports)

REFERENCE

REQUIREMENT 12
QUESTION 82

Provide annual user information security policy acknowledgement records for:

- Existing employees (5 sample records)
- Recent new joiners (5 sample records)
- Vendors, contractors (at least 1 sample record)

NOTES

1. Make sure it is signed by existing employees and new joiners, annually

REFERENCE
QUESTION 83

Provide
- All organizational information security policies and procedures
- Evidence showing those are reviewed and updated on annual basis.

The attached template is provided as a sample.

NOTES

1. Policy must be updated
2. Approval/sign-off

REFERENCE

Information security policy

QUESTION 84

Provide your risk assessment methodology, risk acceptance criteria, formalized risk assessment report, risk treatment plan and a statement of applicability
(these can be based on OCTAVE, ISO 27005 and NIST SP 800-30 guidelines).

REFERENCE

Risk management policy

Risk report details


QUESTION 85

If remote access to organization's network is allowed, provide configuration screenshot for remote access technology (such as Remote VPN) showing
session time-out defined after specific period of inactivity

REFERENCE

Palo alto

Juniper

Cisco ASDM

QUESTION 86

Provide a policy which requires the following for users who access covered information remotely:
- Prohibit copying, moving, or storing of covered information onto local hard drives and removable electronic media unless a valid business justification
exists
- In case of a business justification, provide evidence that the target hard drives or electronic media are adequately protected

NOTES

1. Remote access policy

QUESTION 87

Provide an organization chart (or equivalent documentation) which clearly outlines the information security roles and responsibilities for all personnel. In
addition, provide the following records in support of the assigned security responsibilities:

- recent information security policy review / approval record
- information security policy communication to all users
- any security alert email communication to affected parties

REFERENCE
QUESTION 88

Provide the information security awareness material used for user training. In addition, provide 5 sample training attendance records from the last one year period
for:
- existing employees
- recent hires
- contractors

The attached template is provided as a sample.

NOTES

1. Security awareness training, e.g. PCI training, ISO training
2. Attendance list for new joiners and existing staff - must be signed
3. Conducted yearly

REFERENCE

PPT slide

Awareness Received status



QUESTION 89

Provide a sample of 10 employee background check records from the last year.

The attached template is provided as a sample.

NOTES

1. Background check must be conducted, e.g. check with previous employer

REFERENCE
QUESTION 90

Provide the list of third party service providers as per the following criterion,

- All third party service providers used by assessed entity to store, process, or transmit covered information on their behalf for business purpose
- All third party service providers used by assessed entity to manage the components such as routers, firewalls, databases, physical security, and/or servers.

NOTES

REFERENCE

Non-Disclosure Agreement
PCIDSS COC expiry 20160924
Declaration-Third Party Management
QUESTION 91

For all identified in-scope third party service providers provide following:
- Current service agreement which covers third party's security responsibilities for handling covered information
- Current compliance status against applicable regulations / data security standards
- List of security requirements which are managed by each third party service provider on your behalf

REFERENCE

Service Agreement and Certificate of Compliance


QUESTION 92

Provide documented process followed to perform due diligence before a new third party service provider engagement. In addition provide sample due
diligence report for any recently contracted third party service provider

REFERENCE

Declaration-Third Party Management


Non-Disclosure Agreement
Q92.Sample Due diligence for Service Providers
Q92.Sample Third Part Management Policy

QUESTION 93

This question applies only to service providers. Provide a sample written acknowledgement that outlines that you are responsible for the security of your
customers' data.

REFERENCE

Non-Disclosure Agreement
PCI DSS compliance
Declaration-Third Party Management

QUESTION 94

Provide the organization's Incident Response Plan. In addition, provide one of the following as evidence to confirm that the documented incident response
procedure was followed:
1. Annual Incident Response plan test report, OR
2. Sample report for one recently reported security incident

NOTES

1. Training agenda
2. Incident response plan
3. Incident response test plan
4. Incident plan training attendance list

REFERENCE

IncidentResponse

InfoSecurity_incident_rpt

Security Incident Report Form


Ticket Number
Date of Report
Incident Detector's Information
- Date and Time Detected
- Employee ID
- Employee Name
- Business unit
- Phone number
Involved staff's Information
- Involved staff Name 1
- Involved staff Name 2
Security Incident Information
- Security Incident Description
- Security Incident Detail
- Impact Assessment
- Type of Incident
Security Impact Information
- Identify the corrective action, action owner, and next action
Resolution Information
- Resolution By
- Resolution Date
- Resolution Detail
Root Cause and Lessons Learnt
- Root Cause
- Lessons learnt / Preventive Actions
Manager's signature with date
CISO signature with date
QUESTION 95

Provide Incident handling training records for team with security breach response responsibilities

REFERENCE

Sample Training Records:

Incident Handling Training Records


Sr No.  Name Of The Employee  Date Of Training  Signature    Comment
1       Ram                   March 31st 2016   <Signature>
2       Shyam                 March 31st 2016   <Signature>
3       Krishna               March 31st 2016   <Signature>
4