Moneris PCI DSS Checklist 100716
This guide provides an easy-to-follow checklist that helps ensure you are meeting Payment Card
Industry Data Security Standard (PCI DSS) requirements. PCI DSS compliance helps limit your
business's risk of a card data compromise.
This reference guide covers only the PCI requirements that apply to merchants using standalone
devices provided directly by Moneris. It will help you complete your PCI Self-Assessment
Questionnaires (SAQs). Moneris' devices cover all other PCI requirements not listed in this guide,
but all other requirements in the SAQs should still be marked as Yes (and not as Not Applicable).
Please note that this guide is for reference purposes only and does not guarantee PCI DSS
compliance.
This document does not amend your obligations under your Moneris merchant agreements, including,
but not limited to, adherence to the Card Brand Rules and Regulations, Data Security Standards, the
Operating Manual and all applicable laws.
*Requirements 1.1.2a and 1.1.2b are not required for dial-up terminals. For IP terminals, firewall requirements are not measured
against PCI DSS requirements; however, Moneris recommends that merchants still meet these requirements as a best practice.
Requirement 4 – Encrypt transmission of cardholder data across open, public networks
4.2b    Are policies in place that state that unprotected PANs are not to be sent via end-user messaging technologies?
Requirement 9 – Restrict physical access to cardholder data
9.1.2   Are physical and/or logical controls in place to restrict access to publicly accessible network jacks?
9.6a    Is strict control maintained over the internal or external distribution of any kind of media?
9.6.2   Is media sent by secured courier or other delivery method that can be accurately tracked?
9.7     Is strict control maintained over the storage and accessibility of media?
9.8a    Is all media destroyed when it is no longer needed for business or legal reasons?
9.8.1a  Are all hardcopy materials cross-cut shredded, incinerated or pulped so that cardholder data cannot be reconstructed?
9.8.1b  Are storage containers used for materials that contain information to be destroyed secured to prevent access to content?
9.9a    Do policies and procedures require that a list of such devices be maintained?
9.9b    Do policies and procedures require that devices are periodically inspected to look for tampering or substitution?
9.9c    Do policies and procedures require that personnel are trained to be aware of suspicious behaviour and to report tampering or substitution?
9.9.1a  Does the list of devices include the following?
        - Make and model of device
        - Location of device
        - Device serial number or other method of unique identification
9.9.1c  Is the list of devices updated when devices are added, relocated or decommissioned?
9.9.3a  Do training materials for personnel at point-of-sale locations include the following?
        - Verify the identity of any third-party person claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices
        - Do not install, replace, or return devices without verification
        - Be aware of suspicious behaviour around devices
        - Report suspicious behaviour and indications of device tampering or substitution to appropriate personnel
9.9.3b  Have personnel at point-of-sale locations received training, and are they aware of procedures to detect and report attempted tampering or replacement of devices?
Requirement 12 – Maintain a policy that addresses information security for all personnel
12.1    Is a security policy established, published, maintained and disseminated to all relevant personnel?
12.1.1  Is the security policy reviewed at least annually and updated when the environment changes?
12.4    Do the security policy and procedures clearly define information security responsibilities for all personnel?
12.5.3  Is responsibility formally assigned for establishing, documenting and distributing security incident response and escalation procedures to ensure timely and effective handling of all situations?
12.6a   Is a formal security awareness program in place to make all personnel aware of the importance of cardholder data security?