Payment Card Industry (PCI) Data Security Standard
Self-Assessment Questionnaire A and Attestation of Compliance
Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced
For use with PCI DSS Version 3.2.1
June 2018

Document Changes

Date | PCI DSS Version | SAQ Revision | Description
October 2008 | 1.2 | | To align content with new PCI DSS v1.2 and to implement minor changes noted since original v1.1.
October 2010 | 2.0 | | To align content with new PCI DSS v2.0 requirements and testing procedures.
February 2014 | 3.0 | | To align content with PCI DSS v3.0 requirements and testing procedures and incorporate additional response options.
April 2015 | 3.1 | | Updated to align with PCI DSS v3.1. For details of PCI DSS changes, see PCI DSS - Summary of Changes from PCI DSS Version 3.0 to 3.1.
July 2015 | 3.1 | 1.1 | Updated version numbering to align with other SAQs.
April 2016 | 3.2 | 1.0 | Updated to align with PCI DSS v3.2. For details of PCI DSS changes, see PCI DSS - Summary of Changes from PCI DSS Version 3.1 to 3.2. Requirements added from PCI DSS v3.2 Requirements 2, 8, and 12.
January 2017 | 3.2 | 1.1 | Updated Document Changes to clarify requirements added in the April 2016 update. Added note to Before You Begin section to clarify intent of inclusion of PCI DSS Requirements 2 and 8.
June 2018 | 3.2.1 | 1.0 | Updated to align with PCI DSS v3.2.1. For details of PCI DSS changes, see PCI DSS - Summary of Changes from PCI DSS Version 3.2 to 3.2.1. Added Requirement 6 from PCI DSS v3.2.1.

PCI DSS v3.2.1 SAQ A, Rev. 1.0 - June 2018
© 2006-2018 PCI Security Standards Council, LLC. All Rights Reserved.

Table of Contents

Document Changes
Before You Begin
PCI DSS Self-Assessment Completion Steps
Understanding the Self-Assessment Questionnaire
Expected Testing
Completing the Self-Assessment Questionnaire
Guidance for Non-Applicability of Certain, Specific Requirements
Legal Exception
Section 1: Assessment Information
Section 2: Self-Assessment Questionnaire A
Build and Maintain a Secure Network and Systems
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Maintain a Vulnerability Management Program
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 8: Identify and authenticate access to system components
Requirement 9: Restrict physical access to cardholder data
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security for all personnel
Appendix A: Additional PCI DSS Requirements
Appendix A1: Additional PCI DSS Requirements for Shared Hosting Providers
Appendix A2: Additional PCI DSS Requirements for Entities using SSL/early TLS for Card-Present POS POI Terminal Connections
Appendix A3: Designated Entities Supplemental Validation (DESV)
Appendix B: Compensating Controls Worksheet
Appendix C: Explanation of Non-Applicability
Section 3: Validation and Attestation Details

Before You Begin

SAQ A has been developed to address requirements applicable to merchants whose cardholder data functions are completely outsourced to validated third parties, where the merchant retains only paper reports or receipts with cardholder data.

SAQ A merchants may be either e-commerce or mail/telephone-order merchants (card-not-present), and do not store, process, or transmit any cardholder data in electronic format on their systems or premises.

SAQ A merchants confirm that, for this payment channel:
• Your company accepts only card-not-present (e-commerce or mail/telephone-order) transactions;
• All processing of cardholder data is entirely outsourced to PCI DSS validated third-party service providers;
• Your company does not electronically store, process, or transmit any cardholder data on your systems or premises, but relies entirely on a third party(s) to handle all these functions;
• Your company has confirmed that all third party(s) handling storage, processing, and/or transmission of cardholder data are PCI DSS compliant; and
• Any cardholder data your company retains is on paper (for example, printed reports or receipts), and these documents are not received electronically.

Additionally, for e-commerce channels:
• All elements of the payment page(s) delivered to the consumer's browser originate only and directly from a PCI DSS validated third-party service provider(s).

This SAQ is not applicable to face-to-face channels.

This shortened version of the SAQ includes questions that apply to a specific type of small merchant environment, as defined in the above eligibility criteria. If there are PCI DSS requirements applicable to your environment that are not covered in this SAQ, it may be an indication that this SAQ is not suitable for your environment. Additionally, you must still comply with all applicable PCI DSS requirements in order to be PCI DSS compliant.

Note: For this SAQ, PCI DSS Requirements that address the protection of computer systems (for example, Requirements 2, 6, and 8) apply to e-commerce merchants that redirect customers from their website to a third party for payment processing, and specifically to the merchant web server upon which the redirection mechanism is located. Mail order/telephone order (MOTO) or e-commerce merchants that have completely outsourced all operations (where there is no redirection mechanism from the merchant to the third party) and therefore do not have any systems in scope for this SAQ, would consider these requirements to be "not applicable." Refer to guidance on the following page for how to report requirements that are not applicable.

PCI DSS Self-Assessment Completion Steps

1. Identify the applicable SAQ for your environment; refer to the Self-Assessment Questionnaire Instructions and Guidelines document on the PCI SSC website for information.
2. Confirm that your environment is properly scoped and meets the eligibility criteria for the SAQ you are using (as defined in Part 2g of the Attestation of Compliance).
3. Assess your environment for compliance with applicable PCI DSS requirements.
4. Complete all sections of this document:
• Section 1 (Parts 1 & 2 of the AOC): Assessment Information and Executive Summary.
• Section 2: PCI DSS Self-Assessment Questionnaire (SAQ A)
• Section 3 (Parts 3 & 4 of the AOC): Validation and Attestation Details and Action Plan for Non-Compliant Requirements (if applicable)
5. Submit the SAQ and Attestation of Compliance (AOC), along with any other requested documentation, such as ASV scan reports, to your acquirer, payment brand or other requester.

Understanding the Self-Assessment Questionnaire

The questions contained in the "PCI DSS Question" column in this self-assessment questionnaire are based on the requirements in the PCI DSS.

Additional resources that provide guidance on PCI DSS requirements and how to complete the self-assessment questionnaire have been provided to assist with the assessment process. An overview of some of these resources is provided below:

Document | Includes:
PCI DSS (PCI Data Security Standard Requirements and Security Assessment Procedures) | Guidance on Scoping; Guidance on the intent of all PCI DSS Requirements; Details of testing procedures; Guidance on Compensating Controls
SAQ Instructions and Guidelines documents | Information about all SAQs and their eligibility criteria; How to determine which SAQ is right for your organization
PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms | Descriptions and definitions of terms used in the PCI DSS and self-assessment questionnaires

These and other resources can be found on the PCI SSC website (www.pcisecuritystandards.org). Organizations are encouraged to review the PCI DSS and other supporting documents before beginning an assessment.

Expected Testing

The instructions provided in the "Expected Testing" column are based on the testing procedures in the PCI DSS, and provide a high-level description of the types of testing activities that should be performed in order to verify that a requirement has been met. Full details of testing procedures for each requirement can be found in the PCI DSS.

Completing the Self-Assessment Questionnaire

For each question, there is a choice of responses to indicate your company's status regarding that requirement. Only one response should be selected for each question. A description of the meaning for each response is provided in the table below:

Response | When to use this response:
Yes | The expected testing has been performed, and all elements of the requirement have been met as stated.
Yes with CCW (Compensating Control Worksheet) | The expected testing has been performed, and the requirement has been met with the assistance of a compensating control. All responses in this column require completion of a Compensating Control Worksheet (CCW) in Appendix B of the SAQ. Information on the use of compensating controls and guidance on how to complete the worksheet is provided in the PCI DSS.
No | Some or all elements of the requirement have not been met, or are in the process of being implemented, or require further testing before it will be known if they are in place.
N/A (Not Applicable) | The requirement does not apply to the organization's environment. (See Guidance for Non-Applicability of Certain, Specific Requirements below for examples.) All responses in this column require a supporting explanation in Appendix C of the SAQ.

Guidance for Non-Applicability of Certain, Specific Requirements

If any requirements are deemed not applicable to your environment, select the "N/A" option for that specific requirement, and complete the "Explanation of Non-Applicability" worksheet in Appendix C for each "N/A" entry.

Legal Exception

If your organization is subject to a legal restriction that prevents the organization from meeting a PCI DSS requirement, check the "No" column for that requirement and complete the relevant attestation in Part 3.
Section 1: Assessment Information

Instructions for Submission

This document must be completed as a declaration of the results of the merchant's self-assessment with the Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures (PCI DSS). Complete all sections. The merchant is responsible for ensuring that each section is completed by the relevant parties, as applicable. Contact acquirer (merchant bank) or the payment brands to determine reporting and submission procedures.

Part 1a. Merchant Organization Information

Company Name: Atlassian Corporation PLC
DBA (doing business as): Atlassian
Contact Name:
Title:
Telephone:
Email:
Business Address:
City: San Francisco
State/Province: CA
Country: USA
Zip:
URL: https://atlassian.com/software/confluence, https://atlassian.com/software/bitbucket (a third product URL is not legible in the scan)

Part 1b. Qualified Security Assessor Company Information (if applicable)

Company Name: Hivint Pty Ltd
Lead QSA Contact Name: Craig Searle
Title: Chief Apiarist
Telephone:
Email:
Business Address: Level 1, 196 Little Collins St
City: Melbourne
State/Province: VIC
Country: Australia
Zip: 3000
URL: www.hivint.com

Part 2a. Type of Merchant Business (check all that apply)

[ ] Retailer
[ ] Telecommunication
[ ] Grocery and Supermarkets
[ ] Petroleum
[x] E-Commerce
[ ] Mail order/telephone order (MOTO)
[ ] Others (please specify):

What types of payment channels does your business serve?
[ ] Mail order/telephone order (MOTO)
[x] E-Commerce
[ ] Card-present (face-to-face)

Which payment channels are covered by this SAQ?
[ ] Mail order/telephone order (MOTO)
[x] E-Commerce
[ ] Card-present (face-to-face)

Note: If your organization has a payment channel or process that is not covered by this SAQ, consult your acquirer or payment brand about validation for the other channels.

Part 2b. Description of Payment Card Business

How and in what capacity does your business store, process and/or transmit cardholder data?
None. Atlassian accepts credit card payments via a third-party provider, TNS. Payments are submitted via an iFrame. No credit card data are stored, processed or transmitted by Atlassian.

Part 2c. Locations

List types of facilities (for example, retail outlets, corporate offices, data centers, call centers, etc.) and a summary of locations included in the PCI DSS review.

Type of facility | Number of facilities of this type | Location(s) of facility (city, country)
Example: Retail outlets | 3 | Boston, MA, USA
(The merchant's facility rows are not legible in this scan.)

Part 2d. Payment Application

Does the organization use one or more Payment Applications? [ ] Yes [x] No

Provide the following information regarding the Payment Applications your organization uses:
Payment Application Name | Version Number | Application Vendor | Is application PA-DSS Listed? | PA-DSS Listing Expiry date (if applicable)

Part 2e. Description of Environment

Provide a high-level description of the environment covered by this assessment. For example:
• Connections into and out of the cardholder data environment (CDE).
• Critical system components within the CDE, such as POS devices, databases, web servers, etc., and any other necessary payment components, as applicable.

Atlassian takes customer payments online (including in-application purchases). All credit card payments are processed by a third-party processor (TNS) via an iFrame. No credit card data is stored, processed or transmitted by Atlassian. All payment pages delivered to the consumer's browser originate directly from the third party.

Does your business use network segmentation to affect the scope of your PCI DSS environment? (Refer to "Network Segmentation" section of PCI DSS for guidance on network segmentation.) [ ] Yes [ ] No

Part 2f. Third-Party Service Providers

Does your company use a Qualified Integrator & Reseller (QIR)? [ ] Yes [ ] No
If Yes:
Name of QIR Company:
QIR Individual Name:
Description of services provided by QIR:

Does your company share cardholder data with any third-party service providers (for example, Qualified Integrator & Resellers (QIR), gateways, payment processors, payment service providers (PSP), web-hosting companies, airline booking agents, loyalty program agents, etc.)? [x] Yes [ ] No
If Yes:
Name of service provider | Description of services provided
TNS | Credit card processed via an iFrame

Note: Requirement 12.8 applies to all entities in this list.

Part 2g. Eligibility to Complete SAQ A

Merchant certifies eligibility to complete this shortened version of the Self-Assessment Questionnaire because, for this payment channel:
[x] Merchant accepts only card-not-present (e-commerce or mail/telephone-order) transactions;
[x] All processing of cardholder data is entirely outsourced to PCI DSS validated third-party service providers;
[x] Merchant does not electronically store, process, or transmit any cardholder data on merchant systems or premises, but relies entirely on a third party(s) to handle all these functions;
[x] Merchant has confirmed that all third party(s) handling storage, processing, and/or transmission of cardholder data are PCI DSS compliant; and
[x] Any cardholder data the merchant retains is on paper (for example, printed reports or receipts), and these documents are not received electronically.
[x] Additionally, for e-commerce channels: All elements of the payment page(s) delivered to the consumer's browser originate only and directly from a PCI DSS validated third-party service provider(s).

Section 2: Self-Assessment Questionnaire A

Note: The following questions are numbered according to PCI DSS requirements and testing procedures, as defined in the PCI DSS Requirements and Security Assessment Procedures document.

Self-assessment completion date: 28/09/2018

Build and Maintain a Secure Network and Systems

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
(The questionnaire table for Requirement 2, with its PCI DSS Question, Expected Testing and Response columns, is printed in landscape and is not legible in this scan; only the heading survives.)
Maintain a Vulnerability Management Program

Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

Requirement 8: Identify and authenticate access to system components

Requirement 9: Restrict physical access to cardholder data

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security for all personnel
(The questionnaire tables for Requirements 6, 8, 9 and 12, with their PCI DSS Question, Expected Testing and Response columns, are printed in landscape and are not legible in this scan; only the headings survive.)

Appendix A: Additional PCI DSS Requirements

Appendix A1: Additional PCI DSS Requirements for Shared Hosting Providers
This appendix is not used for SAQ A merchant assessments.

Appendix A2: Additional PCI DSS Requirements for Entities using SSL/early TLS for Card-Present POS POI Terminal Connections
This appendix is not used for SAQ A merchant assessments.

Appendix A3: Designated Entities Supplemental Validation (DESV)
This Appendix applies only to entities designated by a payment brand(s) or acquirer as requiring additional validation of existing PCI DSS requirements. Entities required to validate to this Appendix should use the DESV Supplemental Reporting Template and Supplemental Attestation of Compliance for reporting, and consult with the applicable payment brand and/or acquirer for submission procedures.
Appendix B: Compensating Controls Worksheet

Use this worksheet to define compensating controls for any requirement where "YES with CCW" was checked.

Note: Only companies that have undertaken a risk analysis and have legitimate technological or documented business constraints can consider the use of compensating controls to achieve compliance.

Refer to Appendices B, C, and D of PCI DSS for information about compensating controls and guidance on how to complete this worksheet.

Requirement Number and Definition:

Information Required | Explanation
1. Constraints | List constraints precluding compliance with the original requirement.
2. Objective | Define the objective of the original control; identify the objective met by the compensating control.
3. Identified Risk | Identify any additional risk posed by the lack of the original control.
4. Definition of Compensating Controls | Define the compensating controls and explain how they address the objectives of the original control and the increased risk, if any.
5. Validation of Compensating Controls | Define how the compensating controls were validated and tested.
6. Maintenance | Define process and controls in place to maintain compensating controls.

Appendix C: Explanation of Non-Applicability

If the "N/A" (Not Applicable) column was checked in the questionnaire, use this worksheet to explain why the related requirement is not applicable to your organization.

Requirement | Reason Requirement is Not Applicable
Example: 3.4 | Cardholder data is never stored electronically.

Section 3: Validation and Attestation Details

Part 3. PCI DSS Validation

This AOC is based on results noted in SAQ A (Section 2), dated 28/09/2018.

Based on the results documented in the SAQ A noted above, the signatories identified in Parts 3b-3d, as applicable, assert(s) the following compliance status for the entity identified in Part 2 of this document (check one):

[x] Compliant: All sections of the PCI DSS SAQ are complete, all questions answered affirmatively, resulting in an overall COMPLIANT rating; thereby Atlassian Corporation PLC has demonstrated full compliance with the PCI DSS.

[ ] Non-Compliant: Not all sections of the PCI DSS SAQ are complete, or not all questions are answered affirmatively, resulting in an overall NON-COMPLIANT rating, thereby (Merchant Company Name) has not demonstrated full compliance with the PCI DSS.
Target Date for Compliance:
An entity submitting this form with a status of Non-Compliant may be required to complete the Action Plan in Part 4 of this document. Check with your acquirer or the payment brand(s) before completing Part 4.

[ ] Compliant but with Legal exception: One or more requirements are marked "No" due to a legal restriction that prevents the requirement from being met. This option requires additional review from acquirer or payment brand.
If checked, complete the following:
Affected Requirement | Details of how legal constraint prevents requirement being met

Part 3a. Acknowledgement of Status

Signatory(s) confirms: (Check all that apply)
[ ] PCI DSS Self-Assessment Questionnaire A, Version 3.2.1, was completed according to the instructions therein.
[ ] All information within the above-referenced SAQ and in this attestation fairly represents the results of my assessment in all material respects.
[ ] I have confirmed with my payment application vendor that my payment system does not store sensitive authentication data after authorization.
[ ] I have read the PCI DSS and I recognize that I must maintain PCI DSS compliance, as applicable to my environment, at all times.
[ ] If my environment changes, I recognize I must reassess my environment and implement any additional PCI DSS requirements that apply.
[ ] No evidence of full track data, CAV2, CVC2, CID, or CVV2 data, or PIN data storage after transaction authorization was found on ANY system reviewed during this assessment.

Part 3b. Merchant Attestation

Signature of Merchant Executive Officer:
Date: October 4, 2018
Merchant Executive Officer Name:
Title:

Part 3c. Qualified Security Assessor (QSA) Acknowledgement (if applicable)

If a QSA was involved or assisted with this assessment, describe the role performed:
Review PCI environment and alignment with PCI DSS SAQ A requirements.

Signature of Duly Authorized Officer of QSA Company:
Date: 28/09/2018
Duly Authorized Officer Name: Craig Searle
QSA Company: Hivint Pty Ltd

Part 3d. Internal Security Assessor (ISA) Involvement (if applicable)

If an ISA(s) was involved or assisted with this assessment, identify the ISA personnel and describe the role performed:

Part 4. Action Plan for Non-Compliant Requirements

Select the appropriate response for "Compliant to PCI DSS Requirements" for each requirement. If you answer "No" to any of the requirements, you may be required to provide the date your Company expects to be compliant with the requirement and a brief description of the actions being taken to meet the requirement.

Check with your acquirer or the payment brand(s) before completing Part 4.

PCI DSS Requirement* | Description of Requirement | Compliant to PCI DSS Requirements (Select One): YES / NO | Remediation Date and Actions (If "NO" selected for any Requirement)
2 | Do not use vendor-supplied defaults for system passwords and other security parameters | |
6 | Develop and maintain secure systems and applications | |
8 | Identify and authenticate access to system components | |
9 | Restrict physical access to cardholder data | |
12 | Maintain a policy that addresses information security for all personnel | |

* PCI DSS Requirements indicated here refer to the questions in Section 2 of the SAQ.
