*PCI QSA Request for Information*
This form guides you in gathering the basic information that we need in order to provide you with information about PCI QSA services.
Please complete this form and submit it via email or fax. If you have concerns about sharing proprietary information, please contact us to set up an NDA and appropriate transmission security measures before submitting the form to us.
For more information on PCI QSA and the brands and terminology used in this form, see https://www.pcisecuritystandards.org/ and the websites of the various card brands.
*Contact Information*
Company name:
Contact name:
Address:
City:
State/Province:
Country:
Zip/Postal code:
Email:
Phone:
*General Considerations*
When do you want the assessment to be completed?
Have you had an independent assessment before?
Yes
No
If yes, who was the QSA?
Have you completed a PCI self-assessment?
Yes
No
Which card brands do you work with?
Visa
MasterCard
Discover
American Express
JCB
What is your role in the industry?
Merchant
Service Provider
VisaNet processor
Issuing Bank
Acquiring Institution
Don't know / Not sure
How many transactions do you process each year?
Visa:
MasterCard:
Discover:
American Express:
JCB:
Don't know / Not sure
Why are you considering a PCI assessment?
We are a merchant in the level 1 or level 2 categories
We are a service provider
One of the card brands has required us to have a PCI assessment
We are not required to have a PCI assessment, but we want to be sure that we comply
We need some support in getting ready for the assessment
We had a data breach
*Scope*
If you are a payment service provider, which services do you provide (check all that apply)?
| *Hosting Provider* | *Managed Services (specify)* | *Payment Processing* |
|---|---|---|
| Applications / software | Systems security services | POS / card present |
| Hardware | IT support | Internet / e-commerce |
| Infrastructure / Network | Physical security | MOTO / Call Center |
| Physical space (co-location) | Terminal Management System | ATM |
| Storage | Other services (specify): | Other processing (specify): |
| Web | | |
| Security services | | |
| 3-D Secure Hosting Provider | | |
| Shared Hosting Provider | | |
| Other Hosting (specify): | | |

| *Other services* | | |
|---|---|---|
| Account Management | Fraud and Chargeback | Payment Gateway/Switch |
| Back-Office Services | Issuer Processing | Prepaid Services |
| Billing Management | Loyalty Programs | Records Management |
| Clearing and Settlement | Merchant Services | Tax/Government Payments |
| Network Provider | Others (specify): | |
If you are a merchant in the payment industry, what types of business do you operate (check all that apply)?
| Retailer | Telecommunication | Grocery and Supermarkets |
|---|---|---|
| Petroleum | E-Commerce | Mail order/telephone order (MOTO) |
| Others (please specify): | | |

| What types of payment channels does your business serve? | Which payment channels are covered by this assessment? |
|---|---|
| Mail order/telephone order (MOTO) | Mail order/telephone order (MOTO) |
| E-Commerce | E-Commerce |
| Card-present (face-to-face) | Card-present (face-to-face) |
Please briefly describe your payment business:
How many system components (including but not limited to network devices, security devices, servers, etc.) are involved in storing, processing and/or transmitting credit card data?
Network devices (e.g. routers, switches):
Security devices (e.g. firewalls, IDS/IPS):
Servers (e.g. application, database, log servers):
Other system components:
*Locations*
How many business locations (including offices and data centers) are involved in holding cardholder data?
Number of offices:
Number of data centers:
Where are they located?
Office addresses:
Addresses of data centers:
To help us understand the current state of PCI across your company, roughly how many personnel are involved (for example, IT, physical security, information security, legal, HR)?
*Relationships*
Does your company have a relationship with one or more third-party providers (for example, payment gateways, web-hosting companies, airline booking agents, loyalty program agents)?
Yes
No
Briefly describe the different PCI processes and data flows that involve cardholder data:
*Transaction Processing*
Describe the payment card transaction flow within your company, both electronic and paper.
Was the payment application developed in-house by your organization?
Yes
No
If no, please list the payment application(s) in use and their version numbers:
1. Third-party application (not in-house), name: , version number:
2. Third-party application (not in-house), name: , version number:
3. Third-party application (not in-house), name: , version number:
Are any of these applications either sold by you to others or used in an Application Service Provider (ASP) context?
Yes
No
Which database systems are used for either permanent or temporary storage of credit card data?
How many systems/applications are involved in storing, processing and/or transmitting credit card data?
Do you use a standard build for these systems?
Yes
No
*Network*
Are the systems that store, process and/or transmit cardholder data segregated from the rest of the network?
Yes
No
If yes, please explain the method used (for example, stateful inspection firewall, router):
Are there other systems on the same physically connected network as the systems that store, process and/or transmit cardholder data?
Yes
No
If yes, please describe their number, operating system, and platform type:
Approximately how many rules are in the rule base for the Internet and segmentation firewalls/routers?
How many public-facing IP addresses are involved in this scope?
Is any wireless technology in use that is either part of the cardholder data transaction flow or connected to the cardholder data network?
Describe any Point of Sale (POS) environment(s) (do not include dial-up-only terminals):
*Documentation*
Is there a current, detailed network diagram showing the systems and applications in scope for the cardholder data environment?
Yes
No
Is there a current cardholder data process flow diagram?
Yes
No
Are there documented policies, procedures and standards?
Yes
No
*Miscellaneous*
Do you require quarterly scanning by an Approved Scanning Vendor (ASV)?
Yes
No
Do you require services in regard to Requirement 11.3 (penetration testing)?
Yes
No
Do you require support in producing the required documentation?
Yes
No
*Comments*
Additional comments:
If you have any questions, please contact us at abc@abc.com or by telephone on +86 12345678.