PCI Security Standards Council
Payment Card Industry (PCI) Data Security Standard
Attestation of Compliance for Onsite Assessments - Service Providers
Version 3.2
April 2016
Section 1: Assessment Information
Instructions for Submission
This Attestation of Compliance must be completed as a declaration of the results of the service provider's assessment with the Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures (PCI DSS). Complete all sections: the service provider is responsible for ensuring that each section is completed by the relevant parties, as applicable. Contact the requesting payment brand for reporting and submission procedures.
Part 1. Service Provider and Qualified Security Assessor Information
Part 1a. Service Provider Organization Information
Company Name: International Card Systems AD CaSys International
DBA (doing business as):
Contact Name: Lidija Vucidolova-Bogoevska
Title: Internal Auditor
Telephone: +389 2 3293 879    E-mail: [email protected]
Business Address: Kuzman Josifovski Pitu No. 1
City: Skopje
State/Province: Skopje    Country: Macedonia    Zip: 1000
URL: http://www.casys.com.mk
Part 1b. Qualified Security Assessor Company Information (if applicable)
Company Name: Compliance Control Ltd.
Lead QSA Contact Name: Evgeny Babitsky    Title: Deputy CEO
Telephone: +7 499 136-27-66    E-mail: [email protected]
Business Address: Revolyutcionnaya str., d. 3    City: Volokolamsk
State/Province: Moscow region    Country: Russia    Zip: 143600
URL: http://www.compliance-control.ru
PCI DSS v3.2 Attestation of Compliance for Onsite Assessments - Service Providers, Rev. 1.0, April 2016. © 2006-2016 PCI Security Standards Council, LLC. All Rights Reserved.
Part 2. Executive Summary
Part 2a. Scope Verification
Services that were INCLUDED in the scope of the PCI DSS Assessment (check all that apply):
Name of service(s) assessed: Processing services for banks
Type of service(s) assessed:
Hosting Provider:
[ ] Applications / software
[ ] Hardware
[ ] Infrastructure / Network
[ ] Physical space (co-location)
[ ] Storage
[ ] Web
[ ] Security services
[ ] 3-D Secure Hosting Provider
[ ] Shared Hosting Provider
[ ] Other Hosting (specify):
Managed Services (specify):
[ ] Systems security services
[ ] IT support
[ ] Physical security
[ ] Terminal Management System
[ ] Other services (specify):
Payment Processing:
[X] POS / card present
[X] Internet / e-commerce
[X] MOTO / Call Center
[ ] ATM
[ ] Other processing (specify):
[ ] Account Management
[X] Fraud and Chargeback
[X] Payment Gateway/Switch
[ ] Back-Office Services
[ ] Issuer Processing
[ ] Prepaid Services
[ ] Billing Management
[ ] Loyalty Programs
[ ] Records Management
[X] Clearing and Settlement
[ ] Merchant Services
[ ] Tax/Government Payments
[ ] Network Provider
[ ] Others (specify):
Note: These categories are provided for assistance only, and are not intended to limit or predetermine an entity's service description. If you feel these categories don't apply to your service, complete "Others." If you're unsure whether a category could apply to your service, consult with the applicable payment brand.
Part 2a. Scope Verification (continued)
Services that are provided by the service provider but were NOT INCLUDED in the scope of the PCI DSS Assessment (check all that apply):
Name of service(s) not assessed:
Type of service(s) not assessed:
Hosting Provider:
[ ] Applications / software
[ ] Hardware
[ ] Infrastructure / Network
[ ] Physical space (co-location)
[ ] Storage
[ ] Web
[ ] Security services
[ ] 3-D Secure Hosting Provider
[ ] Shared Hosting Provider
[ ] Other Hosting (specify):
Managed Services (specify):
[ ] Systems security services
[ ] IT support
[ ] Physical security
[ ] Terminal Management System
[ ] Other services (specify):
Payment Processing:
[ ] POS / card present
[ ] Internet / e-commerce
[ ] MOTO / Call Center
[ ] ATM
[ ] Other processing (specify):
[ ] Account Management
[ ] Fraud and Chargeback
[ ] Payment Gateway/Switch
[ ] Back-Office Services
[ ] Prepaid Services
[ ] Billing Management
[ ] Records Management
[ ] Clearing and Settlement
[ ] Tax/Government Payments
[ ] Network Provider
[ ] Others (specify):
Provide a brief explanation why any checked services were not included in the assessment:
Part 2b. Description of Payment Card Business
Describe how and in what capacity your business stores, processes, and/or transmits cardholder data.
Casys provides different processing services for several banks within the country. In providing these services the entity deals with CHD storage, transmission and processing. The number of transactions for either VISA or Mastercard is much more than 300,000 each, which corresponds to a Level 1 service provider.
Describe how and in what capacity your business is otherwise involved in or has the ability to impact the security of cardholder data.
No other way of being involved in or having the ability to impact the security of CHD exists except the above.
Part 2c. Locations
List types of facilities (for example, retail outlets, corporate offices, data centers, call centers, etc.) and a summary of locations included in the PCI DSS review.
Type of facility | Number of facilities of this type | Location(s) of facility (city, country)
Example: Retail outlets | | Boston, MA, USA
Head office and primary DC | | Skopje, Macedonia
Part 2d. Payment Applications
Does the organization use one or more Payment Applications? [X] Yes [ ] No
Provide the following information regarding the Payment Applications your organization uses:
Payment Application Name | Version Number | Application Vendor | Is application PA-DSS Listed? | PA-DSS Listing Expiry date (if applicable)
cpay | | Dais Software | [ ] Yes [X] No |
CMS | | Comsoft | [ ] Yes [X] No |
Base24 | | ACI | [X] Yes [ ] No |
Part 2e. Description of Environment
Provide a high-level description of the environment covered by this assessment. For example:
- Connections into and out of the cardholder data environment (CDE).
- Critical system components within the CDE such as POS devices, databases, web servers, etc., and any other necessary payment components, as applicable.
The internal network is properly segmented and the CDE consists of:
- Shared segment for users-to-CDE access
- Perso segment
- Several server segments based on the service provided
- DMZ for external-facing services
- Connections to external parties
Does your business use network segmentation to affect the scope of your PCI DSS environment? (Refer to the "Network Segmentation" section of PCI DSS for guidance on network segmentation) [X] Yes [ ] No
Part 2f. Third-Party Service Providers
Does your company have a relationship with a Qualified Integrator & Reseller (QIR) for the purpose of the services being validated? [ ] Yes [X] No
If Yes:
Name of QIR Company:
QIR Individual Name:
Description of services provided by QIR:
Does your company have a relationship with one or more third-party service providers (for example, Qualified Integrator Resellers (QIR), gateways, payment processors, payment service providers (PSP), web-hosting companies, airline booking agents, loyalty program agents, etc.) for the purpose of the services being validated? [X] Yes [ ] No
If Yes:
Name of service provider | Description of services provided
DAIS Software | Software development
Note: Requirement 12.8 applies to all entities in this list.
Part 2g. Summary of Requirements Tested
For each PCI DSS Requirement, select one of the following:
- Full - The requirement and all sub-requirements of that requirement were assessed, and no sub-requirements were marked as "Not Tested" or "Not Applicable" in the ROC.
- Partial - One or more sub-requirements of that requirement were marked as "Not Tested" or "Not Applicable" in the ROC.
- None - All sub-requirements of that requirement were marked as "Not Tested" and/or "Not Applicable" in the ROC.
For all requirements identified as either "Partial" or "None," provide details in the "Justification for Approach" column, including:
- Details of specific sub-requirements that were marked as either "Not Tested" and/or "Not Applicable" in the ROC
- Reason why sub-requirement(s) were not tested or not applicable
Note: One table to be completed for each service covered by this AOC. Additional copies of this section are available on the PCI SSC website.
Name of Service Assessed: Processing services for banks
Details of Requirements Assessed
PCI DSS Requirement | Full / Partial / None | Justification for Approach (Required for all "Partial" and "None" responses. Identify which sub-requirements were not tested and the reason.)
Requirement 1 | Partial | 1.2.3 - No wireless networks are used. 1.4 - No employee-owned PCs are in use.
Requirement 2 | Partial | 2.1.1 - No wireless networks are used. 2.2.3 - No insecure protocols are in use. 2.6 - Bank is not a shared hosting provider.
Requirement 3 | Partial | 3.4.1 - No full-disk encryption is used.
Requirement 4 | Partial | 4.1.1 - No wireless networks are used. 4.2 - PANs are not sent via end-user messaging services.
Requirement 5 | Full |
Requirement 6 | Full |
Requirement 7 | Full |
Requirement 8 | Partial | 8.5.1 - No remote access to customers is used.
Requirement 9 | Partial | 9.6.2 and 9.6.3 - No media with CHD are sent outside the facility. 9.9 - No POS terminal management services are provided to clients.
Requirement 10 | Full |
Requirement 11 | Full |
Requirement 12 | Full |
Appendix A1 | None | The entity is not a shared hosting provider.
Appendix A2 | None | No insecure protocols are in use.
Section 2: Report on Compliance
This Attestation of Compliance reflects the results of an onsite assessment, which is documented in an accompanying Report on Compliance (ROC).
The assessment documented in this attestation and in the ROC was completed on: 27 June 2018
Have compensating controls been used to meet any requirement in the ROC? [ ] Yes [ ] No
Were any requirements in the ROC identified as being not applicable (N/A)? [X] Yes [ ] No
Were any requirements not tested? [ ] Yes [X] No
Were any requirements in the ROC unable to be met due to a legal constraint? [ ] Yes [X] No
Section 3: Validation and Attestation Details
Part 3. PCI DSS Validation
This AOC is based on results noted in the ROC dated 27 June 2018.
Based on the results documented in the ROC noted above, the signatories identified in Parts 3b-3d, as applicable, assert(s) the following compliance status for the entity identified in Part 2 of this document (check one):
[X] Compliant: All sections of the PCI DSS ROC are complete, all questions answered affirmatively, resulting in an overall COMPLIANT rating; thereby International Card Systems AD Casys International has demonstrated full compliance with the PCI DSS.
[ ] Non-Compliant: Not all sections of the PCI DSS ROC are complete, or not all questions are answered affirmatively, resulting in an overall NON-COMPLIANT rating; thereby ________ has not demonstrated full compliance with the PCI DSS.
Target Date for Compliance:
An entity submitting this form with a status of Non-Compliant may be required to complete the Action Plan in Part 4 of this document. Check with the payment brand(s) before completing Part 4.
[ ] Compliant but with Legal exception: One or more requirements are marked "Not in Place" due to a legal restriction that prevents the requirement from being met. This option requires additional review from acquirer or payment brand.
If checked, complete the following:
Details of how legal constraint prevents requirement being met:
Part 3a. Acknowledgement of Status
Signatory(s) confirms (check all that apply):
[X] The ROC was completed according to the PCI DSS Requirements and Security Assessment Procedures, Version 3.2, and was completed according to the instructions therein.
[X] All information within the above-referenced ROC and in this attestation fairly represents the results of my assessment in all material respects.
[X] I have confirmed with my payment application vendor that my payment system does not store sensitive authentication data after authorization.
[X] I have read the PCI DSS and I recognize that I must maintain PCI DSS compliance, as applicable to my environment, at all times.
[X] If my environment changes, I recognize I must reassess my environment and implement any additional PCI DSS requirements that apply.
Part 3a. Acknowledgement of Status (continued)
[X] No evidence of full track data [1], CAV2, CVC2, CID, or CVV2 data [2], or PIN data [3] storage after transaction authorization was found on ANY system reviewed during this assessment.
[X] ASV scans are being completed by Approved Scanning Vendor Qualys.
Part 3b. Service Provider Attestation
Signature of Service Provider Executive Officer    Date: 27 June 2018
Service Provider Executive Officer Name: Biljana Donovska Gecheva
Title: Board of Directors President and Executive Director
Part 3c. Qualified Security Assessor (QSA) Acknowledgement (if applicable)
If a QSA was involved or assisted with this assessment, describe the role performed: The QSA was performing the assessment.
Signature of Duly Authorized Officer of QSA Company    Date: 27 June 2018
Duly Authorized Officer Name: Evgeny Babitsky    QSA Company: Compliance Control Ltd.
Part 3d. Internal Security Assessor (ISA) Involvement (if applicable)
If an ISA(s) was involved or assisted with this assessment, identify the ISA personnel and describe the role performed:
[1] Data encoded in the magnetic stripe or equivalent data on a chip used for authorization during a card-present transaction. Entities may not retain full track data after transaction authorization. The only elements of track data that may be retained are primary account number (PAN), expiration date, and cardholder name.
[2] The three- or four-digit value printed by the signature panel or on the face of a payment card used to verify card-not-present transactions.
[3] Personal identification number entered by cardholder during a card-present transaction, and/or encrypted PIN block present within the transaction message.
Part 4. Action Plan for Non-Compliant Requirements
Select the appropriate response for "Compliant to PCI DSS Requirements" for each requirement. If you answer "No" to any of the requirements, you may be required to provide the date your Company expects to be compliant with the requirement and a brief description of the actions being taken to meet the requirement.
Check with the applicable payment brand(s) before completing Part 4.
PCI DSS Requirement | Description of Requirement | Compliant to PCI DSS Requirements (Select One: Yes / No) | Remediation Date and Actions (If "NO" selected for any Requirement)
1 | Install and maintain a firewall configuration to protect cardholder data | Yes |
2 | Do not use vendor-supplied defaults for system passwords and other security parameters | Yes |
3 | Protect stored cardholder data | Yes |
4 | Encrypt transmission of cardholder data across open, public networks | Yes |
5 | Protect all systems against malware and regularly update anti-virus software or programs | Yes |
6 | Develop and maintain secure systems and applications | Yes |
7 | Restrict access to cardholder data by business need to know | Yes |
8 | Identify and authenticate access to system components | Yes |
9 | Restrict physical access to cardholder data | Yes |
10 | Track and monitor all access to network resources and cardholder data | Yes |
11 | Regularly test security systems and processes | Yes |
12 | Maintain a policy that addresses information security for all personnel | Yes |
Appendix A1 | Additional PCI DSS Requirements for Shared Hosting Providers | |
Appendix A2 | Additional PCI DSS Requirements for Entities using SSL/early TLS | |