About this program
A quick check of CHD scope, network segmentation, vendor (PSP) responsibilities and key PCI DSS controls. Worth running even if you qualify as an SAQ A merchant: outsourcing the payment page does not remove the obligation to confirm that no cardholder data lands in your own environment.
Risks addressed
- Critical: Cardholder data stored where you did not expect it (for example in logs, backups or exports)
- Critical: Untested segmentation cannot be relied on, so the whole network stays in scope
- High: Third-party payment page provider not validated as PCI DSS compliant
Controls (7)
- Critical: Documented scope + data-flow diagram
  Testing procedure: Current network and CHD data-flow diagram showing every system that stores, processes or transmits CHD and every system connected to those, reviewed and dated within the last 12 months.
  Evidence to collect: Dated CHD data-flow diagram.
- Critical: No storage of full PAN / SAD beyond what is allowed
  Testing procedure: Run a PAN discovery scan (pattern match plus Luhn check) across databases, file shares, logs, backups and exports. Any PAN that is stored must be rendered unreadable (truncation, tokenization or strong encryption), and sensitive authentication data (full track data, card verification code, PIN / PIN block) must never be stored after authorization, even encrypted.
  Evidence to collect: Discovery scan report with findings and remediation status.
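The PAN discovery step above is the one control on this list that is a technique rather than a document check, so here is a worked example of it. This is an added example, not part of the checklist program; it scans a set of constructed text sources (an application log, a CSV export and an invoice) for candidate PANs, keeps only those that pass a Luhn check and fall in a known card-brand IIN range and length, and separately flags stored track-2 data and labelled card verification codes. The card numbers in the sample data are the publicly documented test numbers used by payment gateways, not real cardholder data; file names and log formats are invented for the illustration. Findings carry only a masked PAN so the scan report itself does not become a new store of CHD.

```python
"""PAN / SAD discovery over text sources (added example with constructed sample data)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# 13-19 digits, optionally separated by single spaces or dashes, not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# ISO/IEC 7813 track 2: ';' PAN '=' expiry(YYMM) service-code(3) discretionary data '?'
TRACK2 = re.compile(r";(\d{13,19})=\d{4}\d{3}[^?]{0,30}\?")
# A card-verification-code label followed by 3-4 digits (CVV2/CVC2/CID/CAV2).
CVV_LABELLED = re.compile(r"\b(?:cvv2?|cvc2?|cid|cav2)\b\s*[:=]\s*(\d{3,4})\b", re.IGNORECASE)

# brand -> (inclusive prefix ranges on the leading digits, allowed PAN lengths)
BRANDS = {
    "visa": ([(4, 4)], {13, 16, 19}),
    "mastercard": ([(51, 55), (2221, 2720)], {16}),
    "amex": ([(34, 34), (37, 37)], {15}),
    "discover": ([(6011, 6011), (644, 649), (65, 65)], {16, 17, 18, 19}),
    "jcb": ([(3528, 3589)], {16, 17, 18, 19}),
}


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: doubling every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand_of(digits: str) -> str | None:
    """Return the card brand whose IIN range and length match, or None."""
    for brand, (ranges, lengths) in BRANDS.items():
        if len(digits) not in lengths:
            continue
        for low, high in ranges:
            width = len(str(high))
            if low <= int(digits[:width]) <= high:
                return brand
    return None


def is_pan(digits: str) -> bool:
    # Luhn alone passes about one in ten random digit strings; the brand filter cuts most of that noise.
    return luhn_ok(digits) and brand_of(digits) is not None


def mask(digits: str) -> str:
    """First six and last four digits only, the maximum PCI DSS allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass(frozen=True)
class Finding:
    source: str
    line_no: int
    kind: str    # "PAN", "TRACK2" or "CVV"
    detail: str  # masked PAN or a label; never the cleartext value


def scan_text(source: str, text: str) -> list[Finding]:
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if is_pan(digits):
                findings.append(Finding(source, line_no, "PAN", f"{brand_of(digits)} {mask(digits)}"))
        for m in TRACK2.finditer(line):
            findings.append(Finding(source, line_no, "TRACK2", mask(m.group(1))))
        for _ in CVV_LABELLED.finditer(line):
            findings.append(Finding(source, line_no, "CVV", "labelled card verification code"))
    return findings


def scan_sources(sources: dict[str, str]) -> list[Finding]:
    out: list[Finding] = []
    for name, text in sources.items():
        out.extend(scan_text(name, text))
    return out


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample sources. Card numbers are public gateway test numbers, not real CHD.
# 1234567890123452 is Luhn-valid but has no card-brand prefix; 4000000000000000 fails Luhn.
SAMPLE_SOURCES = {
    "app/payments.log": (
        "2024-03-01 auth ok card=411111******1111 amount=19.99\n"
        "2024-03-01 DEBUG raw=;4111111111111111=2512101123456? cvv=123\n"
    ),
    "exports/orders.csv": (
        "order_id,pan,amount\n"
        "1234567890123452,4111 1111 1111 1111,19.99\n"
        "1234567890123453,5555-5555-5555-4444,5.00\n"
    ),
    "docs/invoice.txt": "Invoice 4000000000000000 ref 378282246310005\n",
}

if __name__ == "__main__":
    results = scan_sources(SAMPLE_SOURCES)
    for f in results:
        print(f"{f.source}:{f.line_no} {f.kind} {f.detail}")
    print(summarize(results))
```

On the sample data the scan reports four PANs (the masked value in the first log line is correctly ignored, as are the Luhn-valid order ID and the Luhn-invalid invoice number), one track-2 record and one labelled CVV, both from the debug log line; the SAD findings are the ones that fail the control outright regardless of encryption. In a real engagement the same logic runs over database dumps, object storage and backup media, and the regex set should be extended for whatever separators and encodings the environment actually uses.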
- High: Segmentation tested at least annually
  Testing procedure: Segmentation penetration test confirms that out-of-scope networks cannot reach the CDE, performed at least every 12 months and after any change to segmentation controls (every six months for service providers).
  Evidence to collect: Segmentation pen-test report.
- High: Payment provider attestation on file
  Testing procedure: Current Attestation of Compliance (AoC) from the PSP, dated within the last 12 months and covering the services you actually use (e.g. the hosted payment page), plus a written statement of which PCI DSS requirements the PSP handles and which remain yours.
  Evidence to collect: PSP AoC and responsibility matrix.
- Critical: MFA on all CDE access
  Testing procedure: MFA is enforced for all administrative access into the CDE and for all remote network access originating from outside the network, with no exempt user accounts.
  Evidence to collect: MFA configuration and a sample login showing the second factor being required.
- High: Critical patches within 30 days for CDE
  Testing procedure: Critical and high-risk security patches are installed on every CDE system within 30 days of release; verify against the full CDE inventory rather than a sample.
  Evidence to collect: Patch compliance report reconciled to the CDE inventory.
- High: Quarterly external + internal scans
  Testing procedure: External scans by an Approved Scanning Vendor (ASV) and internal vulnerability scans both run at least quarterly and after significant changes, with rescans until the ASV scan passes and internal high/critical findings are resolved.
  Evidence to collect: Four passing quarterly ASV reports and the internal scan reports for the same period.