Q&A Assessment

Audit Question (Select Y/N)
Do you use vendor-supplied defaults for system passwords and other security parameters?
Do you install and maintain a firewall configuration to protect cardholder data?
Do you protect stored cardholder data?
If your organization stores PAN, do you render it unreadable?
Do you encrypt transmission of cardholder data across open, public networks?
Do you fully document and implement key management processes and procedures for cryptographic keys used for encryption of cardholder data?
Do you develop and maintain secure systems and applications?
Do you develop internal and external software applications including web-based administrative access to applications in accordance with PCI DSS and based on industry best practices?
Do you protect all your systems against malware?
Do you implement strong access control measures?
Do you establish an access control system(s) for systems components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed?
Do you restrict physical access to cardholder data?
Do you track and monitor all access to network resources and cardholder data?
Do you implement a process for timely detection and reporting of failures of critical security control systems?
Do you regularly test security systems and processes?
Do you examine the compliance of system components in scope following the testing procedures for each PCI DSS requirement?
Do you engage a Qualified Security Assessor (QSA), a data security firm qualified by the PCI Security Standards Council to perform on-site PCI DSS assessments?
Do you identify and authenticate access to system components?
Do you use a third-party service to store, process, or transmit cardholder data on your behalf, or to manage CDE components?
Do you maintain a policy that addresses information security for all personnel?