
Payment Card Industry (PCI)
Data Security Standard

Self Assessment Questionnaire

All merchants at levels 2-4 are required to fill out a self assessment questionnaire annually. Which questionnaire is used is determined by the merchant's validation type.

This basic questionnaire is provided to help merchants identify typical problem areas. It is oriented towards ecommerce merchants with a validation type of "C".

Note: This is not an official PCI DSS Questionnaire. It is extracted from the self assessment "C" questionnaire. Passing this questionnaire does not mean that you are PCI DSS compliant. It is used to identify typical problem areas.

PCI DSS #   Requirement   (mark each item True or False)
02.03 Encrypt all administrative access
03.02 The CCVC or PIN is only kept to process the transaction.
03.03 The Credit Card Number is masked when displayed (allow first 6 or last 4 (not both) digits of card), except when processing the transaction or otherwise conducting specific business.
04.01 Use SSL/TLS to encrypt all Internet communications involving cardholder data
04.02 Do not use email for CC numbers
05.01 Deploy anti-virus software on all non-Unix (or non-Linux) systems with access to cardholder data
07.01 Limit access to cardholder information to those individuals whose job requires access
08.05 Maintain secure and proper user authentication (including password management) for all non-consumer accounts.
09.06 Physically secure all paper and electronic media that contain cardholder data
09.07 Maintain strict control over distribution of any media that contains cardholder data
09.08 Management approves all media transfers out of a secure area
09.09 Maintain strict control over the storage and accessibility of media containing cardholder data
09.10 Destroy media that contains cardholder data when it is no longer needed
10.01 Establish a process for unambiguously determining who accessed system components
12.01 Establish, publish, maintain, and disseminate a security policy
12.08 Include these requirements in contracts with other service providers if they have access to cardholder data
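Two of the items above (03.02, keep the card verification code only while the transaction is processed; 03.03, display either the first 6 or the last 4 digits of the card number but not both) translate directly into code. The following is an added example written for this page, not code from Daly Realism or from the PCI DSS: a masking helper, a check that a string is safe to put on a screen or in a log, and an after-authorization record that deliberately omits the verification code. The sample card number is a constructed test value, and the choice to store only the masked number is an assumption (a merchant that never needs the full number after authorization).

```python
"""Display masking (03.03) and no-CVC storage (03.02) helpers.
Added example for this checklist; not part of the original page."""
import re
from dataclasses import dataclass
from typing import Literal

MaskMode = Literal["first6", "last4"]

# A display-safe value shows at most the leading 6 OR the trailing 4 digits,
# never both, with every other digit replaced by '*' (13-19 digit PANs).
_MASKED_RE = re.compile(r"^(?:\d{1,6}\*{7,}|\*{9,}\d{1,4})$")


def mask_pan(pan: str, mode: MaskMode = "last4") -> str:
    """Mask a primary account number for display, keeping one end only."""
    digits = re.sub(r"\D", "", pan)          # tolerate spaces and dashes in input
    if not 13 <= len(digits) <= 19:
        raise ValueError("a PAN has 13 to 19 digits")
    if mode == "first6":
        return digits[:6] + "*" * (len(digits) - 6)
    if mode == "last4":
        return "*" * (len(digits) - 4) + digits[-4:]
    raise ValueError(f"unknown mask mode {mode!r}")


def is_display_safe(value: str) -> bool:
    """True if the value exposes only the first 6 or only the last 4 digits."""
    return _MASKED_RE.fullmatch(value) is not None


@dataclass
class AuthorizationRequest:
    """Fields needed while an authorization is in flight. The cvc field lives
    only in this object and is never copied into anything that is persisted."""
    pan: str
    expiry: str
    cvc: str
    amount_cents: int


def record_for_storage(req: AuthorizationRequest, auth_code: str) -> dict:
    """Build the record kept after authorization. The CVC is absent by
    construction, and the PAN is stored already masked (assumed design:
    this merchant has no post-transaction need for the full number)."""
    return {
        "pan_masked": mask_pan(req.pan, "last4"),
        "expiry": req.expiry,
        "amount_cents": req.amount_cents,
        "auth_code": auth_code,
    }


if __name__ == "__main__":
    # Constructed test card number; not a real account.
    req = AuthorizationRequest("4111 1111 1111 1111", "12/29", "123", 1999)
    print(mask_pan(req.pan, "last4"))    # ************1111
    print(mask_pan(req.pan, "first6"))   # 411111**********
    print(is_display_safe("411111******1111"))  # False: both ends shown
    print(record_for_storage(req, "A1B2C3"))
```

The regex in `is_display_safe` is the useful part for a review: run it over anything about to be rendered or logged (receipts, order screens, support tooling) and treat a failure as a 03.03 finding. The dataclass pattern makes 03.02 a structural property rather than a coding convention: there is no field in the stored record where the verification code could end up.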

Daly Realism can help you fill out your self-validation form and design and implement your remediation efforts. Please contact us for assistance.

© 1996-2008, Daly Realism, Inc.