SAQ A Reporting Template - WorldPay

RBS WorldPay Merchant Reporting Tool

This document has been created so that we can easily track your journey to compliance.

We are required to send quarterly reports to both Visa and MasterCard on our merchants' progression towards full PCI DSS compliance. Going forward, these reports will also include progression against the Prioritised Approach.

Below is a simple guide on how to fill out this report. If you have any questions, please don't hesitate to contact your dedicated PCI manager or email the team at .


There are two other tabs contained within this document:

1. PCI DSS requirements: This tab lists every requirement contained in the full PCI DSS. Work your way through these, using the drop-down menus to choose the right answer from the following: "compliant", "in progress", "non-compliant", "not applicable". If you mark a requirement as not applicable, you should include the reason why.

2. Summary: The summary page contains fields for you to complete about your organisation and gives you an overview of your current status against the Prioritised Approach. For example, if you answer that you are compliant with half of the requirements, the summary page will show you as 50% compliant and advise you how this fits against the approach.

This reporting tool should be used by all non-compliant merchants to send us monthly updates on the progress made towards PCI DSS compliance.

Merchant Responsibilities

We require merchants to update this tool and send it to us on a monthly basis until compliance has been achieved. Once fully compliant, a merchant can confirm this to us in one of several ways:

1. A compliant ROC (Report on Compliance from a QSA)
2. A compliant SAQ (only if level 2-4)
3. A compliant RBS WorldPay Merchant Reporting Tool and a separate Attestation of Compliance (only if level 2-4)

For all of the above options we will also require passing quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) if your business has any external-facing IP addresses in scope.
Requirement                                                                                        Milestone

Requirement 9: Restrict physical access to cardholder data.
9.6    Physically secure all paper and electronic media that contain cardholder data.              5
9.7    Maintain strict control over the internal or external distribution of any kind of media     5
       that contains cardholder data, including the following:
9.7.1  Classify the media so it can be identified as confidential.                                 5
9.7.2  Send the media by secured courier or other delivery method that can be accurately           5
9.8    Ensure management approves any and all media containing cardholder data that is moved       5
       from a secured area (especially when media is distributed to individuals).
9.9    Maintain strict control over the storage and accessibility of media that contains           5
       cardholder data.
9.9.1  Properly maintain inventory logs of all media and conduct media inventories at least        5
9.10   Destroy media containing cardholder data when it is no longer needed for business or        1
       legal reasons as follows:
9.10.1 Shred, incinerate, or pulp hardcopy materials so that cardholder data cannot be

Requirement 12: Maintain a policy that addresses information security for employees and contractors.
12.1   Establish, publish, maintain, and disseminate a security policy that accomplishes the       6
       following:
12.1.1 Addresses all PCI DSS requirements that sit within milestone 1                              1
12.1.1 Addresses all PCI DSS requirements that sit within milestone 2                              2
12.1.1 Addresses all PCI DSS requirements that sit within milestone 5                              5
12.1.1 Addresses all PCI DSS requirements that sit within milestone 6                              6
12.8   If cardholder data is shared with service providers, maintain and implement policies        2
       and procedures to manage service providers, to include the following:
12.8.1 Maintain a list of service providers.
12.8.2 Maintain a written agreement that includes an acknowledgement that the service              2
       providers are responsible for the security of cardholder data the service providers
12.8.3 Ensure there is an established process for engaging service providers including             2
       proper due diligence prior to engagement.
12.8.4 Maintain a program to monitor service providers' PCI DSS compliance status.                 2
Name of organisation:
Contact within organisation:                 Phone number:

Compliance Validation
  Current QSA (if applicable):
  External validation via:                   <---- please choose from drop down menu.
  Vulnerability scans:   ASV:
                         Date of last scan:
                         Result of last scan:

Payment Application
  Payment application vendor:
  Application name and version:
  PA-DSS compliant?                          <---- please choose from drop down menu.

Payment Acceptance Methods
  Face to face?
  Mail order / telephone order?              <---- please choose from drop down menu.

Milestone   Goals                                                                    Percent Compliant   Percent In Progress   Target Date for

1   Remove sensitive authentication data and limit data retention. This
    milestone targets a key area of risk for entities that have been
    compromised. Remember: if sensitive authentication data and other
    cardholder data are not stored, the effects of a compromise will be
    greatly reduced. If you don't need it, don't store it.                             0.0%                0.0%

2   Protect the perimeter, internal, and wireless networks. This milestone
    targets controls for the points of access used in most compromises:
    the network or a wireless access point.                                            0.0%                0.0%

3   Secure payment card applications. This milestone targets controls for
    applications, application processes, and application servers.
    Weaknesses in these areas offer easy prey for compromising systems
    and obtaining access to cardholder data.                                           N/A                 N/A                   N/A

4   Monitor and control access to your systems. Controls for this milestone
    allow you to detect the who, what, when, and how concerning who is
    accessing your network and cardholder data.                                        N/A                 N/A                   N/A

5   Protect stored cardholder data. For those organisations that have
    analysed their business processes and determined that they must store
    Primary Account Numbers, Milestone Five targets key protection
    mechanisms for that stored data.                                                   0.0%                0.0%

6   Finalise remaining compliance efforts, and ensure all controls are in
    place. The intent of Milestone Six is to complete PCI DSS requirements,
    and to finalise all remaining related policies, procedures, and
    processes needed to protect the cardholder data.                                   0.0%                0.0%

Overall                                                                                0.0%                0.0%
