Moneris Standalone PCI DSS Checklist

This guide provides an easy-to-follow checklist that helps ensure you are meeting Payment Card
Industry Data Security Standard (PCI DSS) requirements. PCI DSS compliance helps limit your
business’s risk of potential card data compromises.

This reference guide covers the PCI requirements that apply to merchants using standalone devices
provided directly by Moneris only. This guide will assist you in completing your PCI Self-
Assessment Questionnaires (SAQs). Moneris’ devices cover all other PCI requirements not listed in
this guide, but all other requirements in the SAQs should still be marked as Yes (and not as Not
Applicable). Please note that this guide is for reference purposes only and does not guarantee PCI
DSS compliance.

This document does not amend your obligations in your Moneris merchant agreements, including,
but not limited to adherence to the Card Brand Rules and Regulations, Data Security Standards, the
Operating Manual and all applicable laws.

Applicable Standalone Payment Terminals

DSS Requirements   Dial Up                Wireless               IP
                   SAQ B                  SAQ B-IP               SAQ B-IP

Terminal Models    Ingenico iCT250        Ingenico iWL255        Ingenico iCT250
                   Ingenico iWL220        Ingenico iWL220        Verifone VX820 Duet
                   Verifone VX820 Duet                           Verifone VX520
                   Verifone VX520

Standalone Device PCI DSS Checklist


#          Requirement                                                                                          Completed?

Requirement 1 – Install and maintain a firewall configuration to protect data
1.1.2a*    Is there a current network diagram that documents all connections between the cardholder data environment & other networks, including any wireless network?
1.1.2b*    Is there a process to ensure the diagram is kept current?

*Requirements 1.1.2a and 1.1.2b are not required for Dial-Up terminals. For IP terminals, firewall requirements are not measured
against PCI DSS requirements; however, Moneris recommends that Merchants still meet these requirements as a best practice.

Requirement 4 – Encrypt transmission of cardholder data across open, public networks
4.2b       Are policies in place that state that unprotected PANs are not to be sent via end-user messaging technologies?

Requirement 9 – Restrict physical access to cardholder data
9.1.2      Are physical and/or logical controls in place to restrict access to publicly accessible network jacks?
9.5        Are all media physically secured?
9.6a       Is strict control maintained over the internal or external distribution of any kind of media?
9.6.1      Is media classified so the sensitivity of the data can be determined?
9.6.2      Is media sent by secured courier or other delivery method that can be accurately tracked?
9.6.3      Is management approval obtained prior to moving the media?
9.7        Is strict control maintained over the storage and accessibility of media?
9.8a       Is all media destroyed when it is no longer needed for business or legal reasons?
9.8.1a     Are all hardcopy materials cross-cut shredded, incinerated or pulped so that cardholder data cannot be reconstructed?
9.8.1b     Are storage containers used for materials that contain information to be destroyed secured to prevent access to content?
9.9a       Do policies and procedures require that a list of such devices be maintained?
9.9b       Do policies and procedures require that devices are periodically inspected to look for tampering or substitution?
9.9c       Do policies and procedures require that personnel are trained to be aware of suspicious behaviour and to report tampering or substitution?
9.9.1a     Does the list of devices include the following?
           - Make, model of device
           - Location of device
           - Device serial number or other method of unique identification
9.9.1b     Is the list accurate and up to date?
9.9.1c     Is the list of devices updated when devices are added, relocated, decommissioned?
9.9.2a     Are device surfaces periodically inspected to detect tampering or substitution as follows?
9.9.2b     Are personnel aware of procedures for inspecting devices?
9.9.3a     Do training materials for personnel at point-of-sale locations include the following?
           - Verify the identity of any third-party person claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices
           - Do not install, replace, or return devices without verification
           - Be aware of suspicious behavior around devices
           - Report suspicious behavior and indications of device tampering or substitution to appropriate personnel
9.9.3b     Have personnel at point-of-sale locations received training and are they aware of procedures to detect and report attempted tampering or replacement of devices?

Requirement 12 – Maintain a policy that addresses information security for all personnel
12.1       Is a security policy established, published, maintained and disseminated to all relevant personnel?
12.1.1     Is the security policy reviewed at least annually and updated when the environment changes?
12.3.1     Explicit approval by authorized parties to use the technologies?
12.3.3     A list of all such devices and personnel with access?
12.3.5     Acceptable uses of the technologies?
12.4       Do security policy and procedures clearly define information security responsibilities for all personnel?
12.5.3     Establishing, documenting and distributing security incident response and escalation procedures to ensure timely and effective handling of all situations?
12.6a      Is a formal security awareness program in place to make all personnel aware of the importance of cardholder security?
12.8.1     Is a list of service providers maintained?
12.8.2     Is a written agreement maintained that includes an acknowledgment that the service providers are responsible for security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment?
12.8.3     Is there an established process for engaging service providers, including proper due diligence prior to engagement?
12.8.4     Is there a program maintained to monitor service providers’ PCI DSS compliance status at least annually?
12.8.5     Is there information maintained about which PCI DSS requirements are managed by each service provider and which are managed by the entity?
12.10.1a   Has an incident response plan been created to be implemented in the event of a system breach?
