bmad-plus 0.7.4 → 0.8.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +450 -407
- package/LICENSE +21 -0
- package/README.md +555 -446
- package/osint-agent-package/README.md +88 -88
- package/osint-agent-package/SETUP_KEYS.md +108 -108
- package/osint-agent-package/agents/osint-investigator.md +80 -80
- package/osint-agent-package/install.ps1 +87 -87
- package/osint-agent-package/install.sh +76 -76
- package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
- package/osint-agent-package/skills/bmad-osint-investigate/osint/SKILL.md +452 -452
- package/osint-agent-package/skills/bmad-osint-investigate/osint/assets/dossier-template.md +116 -116
- package/osint-agent-package/skills/bmad-osint-investigate/osint/references/content-extraction.md +100 -100
- package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
- package/osint-agent-package/skills/bmad-osint-investigate/osint/references/platforms.md +130 -130
- package/osint-agent-package/skills/bmad-osint-investigate/osint/references/psychoprofile.md +69 -69
- package/osint-agent-package/skills/bmad-osint-investigate/osint/references/tools.md +281 -281
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -260
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/mcp-client.py +136 -136
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
- package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
- package/package.json +62 -57
- package/readme-international/README.de.md +576 -426
- package/readme-international/README.es.md +578 -518
- package/readme-international/README.fr.md +576 -516
- package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
- package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
- package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
- package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
- package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
- package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
- package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/pack-animated/animated-website-agent.md +325 -325
- package/src/bmad-plus/agents/pack-animated/templates/animated-website-workflow.md +55 -55
- package/src/bmad-plus/agents/pack-backup/backup-agent.md +71 -71
- package/src/bmad-plus/agents/pack-backup/templates/backup-workflow.md +51 -51
- package/src/bmad-plus/agents/pack-seo/SKILL.md +171 -171
- package/src/bmad-plus/agents/pack-seo/checklist.md +140 -140
- package/src/bmad-plus/agents/pack-seo/pagespeed-playbook.md +320 -320
- package/src/bmad-plus/agents/pack-seo/ref/audit-schema.json +187 -187
- package/src/bmad-plus/agents/pack-seo/ref/cwv-thresholds.md +87 -87
- package/src/bmad-plus/agents/pack-seo/ref/eeat-criteria.md +123 -123
- package/src/bmad-plus/agents/pack-seo/ref/geo-signals.md +167 -167
- package/src/bmad-plus/agents/pack-seo/ref/hreflang-rules.md +153 -153
- package/src/bmad-plus/agents/pack-seo/ref/quality-gates.md +133 -133
- package/src/bmad-plus/agents/pack-seo/ref/schema-catalog.md +91 -91
- package/src/bmad-plus/agents/pack-seo/ref/schema-templates.json +356 -356
- package/src/bmad-plus/agents/pack-seo/seo-chief.md +294 -294
- package/src/bmad-plus/agents/pack-seo/seo-judge.md +241 -241
- package/src/bmad-plus/agents/pack-seo/seo-scout.md +171 -171
- package/src/bmad-plus/agents/pack-seo/templates/seo-audit-workflow.md +241 -241
- package/src/bmad-plus/data/role-triggers.yaml +209 -209
- package/src/bmad-plus/module-help.csv +10 -10
- package/src/bmad-plus/module.yaml +283 -280
- package/src/bmad-plus/packs/pack-animated/animated-website-agent.md +325 -0
- package/src/bmad-plus/packs/pack-animated/templates/animated-website-workflow.md +55 -0
- package/src/bmad-plus/packs/pack-backup/backup-agent.md +71 -0
- package/src/bmad-plus/packs/pack-backup/templates/backup-workflow.md +51 -0
- package/src/bmad-plus/packs/pack-dev-studio/README.md +162 -162
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/analyst-agent.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/document-project.md +61 -61
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/domain-research.md +95 -95
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/market-research.md +95 -95
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/prfaq.md +134 -134
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/product-brief.md +80 -80
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/tech-writer-agent.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/technical-research.md +95 -95
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/architect-agent.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-architecture.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-epics-stories.md +92 -92
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/generate-project-context.md +80 -80
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/implementation-readiness.md +90 -90
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01-init.md +153 -153
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01b-continue.md +173 -173
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-02-context.md +224 -224
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-03-starter.md +329 -329
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-04-decisions.md +318 -318
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-05-patterns.md +359 -359
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-06-structure.md +379 -379
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-07-validation.md +361 -361
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-08-complete.md +81 -81
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/checkpoint-preview.md +67 -67
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-01-gather-context.md +85 -85
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-02-review.md +35 -35
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-03-triage.md +49 -49
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-04-present.md +131 -131
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review.md +89 -89
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/correct-course.md +300 -300
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/create-story.md +428 -428
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-agent.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story-checklist.md +80 -80
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story.md +484 -484
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/investigate.md +193 -193
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/qa-e2e-tests.md +175 -175
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/quick-dev.md +110 -110
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/retrospective.md +1511 -1511
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-planning.md +298 -298
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-status.md +296 -296
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-prd.md +29 -29
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-ux-design.md +74 -74
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/edit-prd.md +29 -29
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/pm-agent.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/prd.md +89 -89
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/ux-designer-agent.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/validate-prd.md +29 -29
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/advanced-elicitation.md +141 -141
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/adversarial-review.md +37 -37
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/bmad-help.md +75 -75
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/brainstorming.md +6 -6
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/customize.md +110 -110
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/distillator.md +176 -176
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/edge-case-hunter.md +67 -67
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-prose.md +86 -86
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-structure.md +179 -179
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/index-docs.md +66 -66
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/party-mode.md +127 -127
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/shard-doc.md +105 -105
- package/src/bmad-plus/packs/pack-dev-studio/dev-studio-orchestrator.md +120 -120
- package/src/bmad-plus/packs/pack-dev-studio/shared/architecture-decision-template.md +12 -12
- package/src/bmad-plus/packs/pack-dev-studio/shared/bwml-spec.md +328 -328
- package/src/bmad-plus/packs/pack-dev-studio/shared/module-help.csv +32 -32
- package/src/bmad-plus/packs/pack-dev-studio/upstream-sync.yaml +81 -81
- package/src/bmad-plus/packs/pack-memory/README.md +106 -106
- package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
- package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
- package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
- package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
- package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
- package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
- package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
- package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
- package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
- package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
- package/src/bmad-plus/packs/pack-seo/SKILL.md +171 -0
- package/src/bmad-plus/packs/pack-seo/checklist.md +140 -0
- package/src/bmad-plus/packs/pack-seo/pagespeed-playbook.md +320 -0
- package/src/bmad-plus/packs/pack-seo/ref/audit-schema.json +187 -0
- package/src/bmad-plus/packs/pack-seo/ref/cwv-thresholds.md +87 -0
- package/src/bmad-plus/packs/pack-seo/ref/eeat-criteria.md +123 -0
- package/src/bmad-plus/packs/pack-seo/ref/geo-signals.md +167 -0
- package/src/bmad-plus/packs/pack-seo/ref/hreflang-rules.md +153 -0
- package/src/bmad-plus/packs/pack-seo/ref/quality-gates.md +133 -0
- package/src/bmad-plus/packs/pack-seo/ref/schema-catalog.md +91 -0
- package/src/bmad-plus/packs/pack-seo/ref/schema-templates.json +356 -0
- package/src/bmad-plus/packs/pack-seo/seo-chief.md +294 -0
- package/src/bmad-plus/packs/pack-seo/seo-judge.md +241 -0
- package/src/bmad-plus/packs/pack-seo/seo-scout.md +171 -0
- package/src/bmad-plus/packs/pack-seo/templates/seo-audit-workflow.md +241 -0
- package/src/bmad-plus/packs/pack-shield/README.md +110 -110
- package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +262 -262
- package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +179 -179
- package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +201 -201
- package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +97 -97
- package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +251 -251
- package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +133 -133
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +221 -221
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +150 -150
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +167 -167
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +83 -83
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +250 -250
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +218 -218
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +127 -127
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +272 -272
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +202 -202
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +367 -367
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +510 -510
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +247 -247
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +173 -173
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +239 -239
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +266 -266
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +164 -164
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
- package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
- package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
- package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
- package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
- package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
- package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
- package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
- package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
- package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
- package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
- package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
- package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
- package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
- package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
- package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
- package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
- package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
- package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
- package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
- package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
- package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
- package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
- package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
- package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
- package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
- package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
- package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
- package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
- package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
- package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
- package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
- package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
- package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
- package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
- package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
- package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
- package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
- package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
- package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
- package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
- package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
- package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
- package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
- package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
- package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
- package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
- package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
- package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
- package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
- package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
- package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
- package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
- package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
- package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
- package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
- package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
- package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
- package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
- package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
- package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
- package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
- package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
- package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
- package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
- package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
- package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
- package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
- package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
- package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
- package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
- package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
- package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
- package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
- package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
- package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
- package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
- package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
- package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
- package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
- package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
- package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
- package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
- package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
- package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
- package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
- package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
- package/tools/cli/commands/autoconfig.js +498 -489
- package/tools/cli/commands/doctor.js +222 -175
- package/tools/cli/commands/install.js +739 -739
- package/tools/cli/commands/memory.js +194 -194
- package/tools/cli/commands/scan.js +360 -350
- package/tools/cli/commands/uninstall.js +96 -96
- package/tools/cli/commands/update.js +174 -174
- package/tools/cli/i18n.js +763 -763
@@ -1,217 +1,217 @@
-# PCI DSS v4.0.1 — SAQ Selection Guide
-
-Source: PCI DSS v4.0 SAQ documents (PCI Security Standards Council)
-https://www.pcisecuritystandards.org/document_library/
-
----
-
-## What is a Self-Assessment Questionnaire (SAQ)?
-
-An SAQ is a validation tool intended to assist merchants and service providers in self-evaluating their compliance with PCI DSS. There are multiple SAQ types — each designed for a specific payment channel and cardholder data environment profile. The correct SAQ type depends on **how** your organisation accepts payments and **who** handles cardholder data.
-
-Level 1 merchants and Level 1 service providers are **not eligible** for SAQs — they require an on-site Report on Compliance (ROC) completed by a Qualified Security Assessor (QSA).
-
----
-
-## SAQ Selection Decision Tree
-
-**Step 1: Are you a Level 1 Merchant or Level 1 Service Provider?**
-- Yes → ROC required (not an SAQ). Stop here.
-- No → Continue to Step 2.
-
-**Step 2: Are you a Service Provider (not a merchant)?**
-- Yes → **SAQ D for Service Providers** (unless Level 1)
-- No (Merchant) → Continue to Step 3.
-
-**Step 3: Do you accept card-present (face-to-face) transactions?**
-- Yes, using ONLY imprint machines (no electronic transactions) → **SAQ B**
-- Yes, using ONLY standalone dial-out terminals (no IP connectivity) → **SAQ B**
-- Yes, using standalone IP-connected PTS POI devices only → **SAQ B-IP**
-- Yes, using a validated P2PE solution only (PCI-listed) → **SAQ P2PE**
-- Yes, using virtual payment terminals (isolated device, web-based) → **SAQ C-VT**
-- Yes, using payment application systems connected to internet → **SAQ C**
-- Yes, with any other scenario → **SAQ D for Merchants**
-
-**Step 4: Do you accept card-not-present (CNP) — e-commerce or MOTO — only?**
-- Yes, and ALL cardholder data functions fully outsourced, no redirect control → **SAQ A**
-- Yes, e-commerce only, but you control the customer redirect to the payment page → **SAQ A-EP**
-- Yes, MOTO only with virtual payment terminals (web-based, isolated device) → **SAQ C-VT**
-- Any other CNP scenario → **SAQ D for Merchants**
-
----
-
-## SAQ Types — Full Reference
-
-### SAQ A — Fully Outsourced Card-Not-Present
-**Applies to**: E-commerce and/or MOTO (mail order/telephone order) merchants only. No card-present transactions. All cardholder data functions (storage, processing, transmission) fully outsourced to PCI DSS-compliant third-party service providers. Merchant retains no electronic cardholder data.
-
-**Requirements covered**: Subset of Req 2, 6, 8, 9, 10, 11, 12 (~22 controls)
-
-**Eligibility criteria**:
-- Cards not present at any time during the transaction
-- All payment processing delegated to a PCI-compliant third party
-- Merchant website does not directly receive cardholder data
-- No cardholder data stored, processed, or transmitted by merchant systems or premises
-
-**Examples**: Merchant uses a payment link or hosted payment page (Stripe, PayPal, Square Checkout). Customer is redirected completely to the provider's hosted page.
-
----
-
-### SAQ A-EP — E-commerce with Partial Outsourcing
-**Applies to**: E-commerce merchants ONLY. Merchant outsources payment processing but controls/influences how the customer is directed to the payment service. No card-present transactions.
-
-**Requirements covered**: Subset of Req 2, 6, 8, 9, 10, 11, 12 (~191 controls)
-
-**Eligibility criteria**:
-- E-commerce only; no card-present
-- Merchant's website includes payment page elements or partially controls redirect
-- All cardholder data capture outsourced to compliant third party
-- Merchant systems do not receive, store, process, or transmit CHD
-
-**Examples**: Merchant website uses JavaScript-based payment widgets or iFrames that embed third-party payment capture within the merchant's own page.
-
-**Key distinction from SAQ A**: SAQ A-EP requires script integrity controls (Req 6.4.3, 11.6.1) because the merchant controls the page hosting the widget.
-
----
-
-### SAQ B — Imprint Machines or Standalone Dial-Out Terminals
-**Applies to**: Merchants using ONLY imprint machines (knuckle-busters) OR standalone, dial-out (non-IP) terminals. No e-commerce.
-
-**Requirements covered**: Subset of Req 2, 8, 9, 10, 11, 12 (~41 controls)
-
-**Eligibility criteria**:
-- Transactions processed only via imprint machines or dial-out (telephone-line) terminals
-- Terminals not IP-connected and not connected to any other system in the environment
-- No electronic cardholder data stored on any computer system
-- No e-commerce
-
-**Examples**: Small retail using a standalone Dial-Up terminal or old knuckle-buster imprinter.
-
----
-
-### SAQ B-IP — Standalone IP-Connected PTS POI Devices
-**Applies to**: Merchants using ONLY standalone PTS (PIN Transaction Security) POI devices with IP connectivity. Devices must be PCI-listed PTS POI devices. No e-commerce.
-
-**Requirements covered**: Subset of Req 1, 2, 6, 8, 9, 10, 11, 12 (~83 controls)
-
-**Eligibility criteria**:
-- ONLY standalone PCI-listed PTS POI devices with IP connection used
-- Devices not connected to any other system in the merchant environment
-- No e-commerce
-
-**Examples**: Merchant using a certified IP-connected payment terminal (e.g., Ingenico, Verifone) with an IP connection but isolated from other systems.
-
----
-
-### SAQ C-VT — Virtual Payment Terminals (Web-Based)
-**Applies to**: Merchants using only web-based virtual payment terminal solutions accessed via a web browser on an isolated computing device. No e-commerce; no cardholder data electronically stored.
-
-**Requirements covered**: Subset of Req 1, 2, 6, 8, 9, 10, 11, 12 (~90 controls)
-
-**Eligibility criteria**:
-- Payment processing via web-browser virtual terminal only
-- Device used for virtual terminal is isolated and dedicated to payment processing
-- No cardholder data storage on any system
-- No card-present (physical card swiped) via this method
-- Device not connected to other systems in the environment
-
-**Examples**: MOTO merchant logs into a hosted virtual terminal (e.g., PayPal Virtual Terminal, Authorize.Net) on a dedicated PC to key-enter card details.
-
----
-
-### SAQ C — Payment Application Systems Connected to Internet
-**Applies to**: Merchants with payment application systems connected to the internet. No e-commerce. Device/application(s) not connected to other systems in the environment.
-
-**Requirements covered**: Subset of Req 1, 2, 5, 6, 8, 9, 10, 11, 12 (~160 controls)
-
-**Eligibility criteria**:
-- Payment application connected to internet (e.g., point-of-sale system with internet connectivity)
-- Not an e-commerce channel
-- Payment application not connected to other systems within the facility (segmented)
-- No electronic storage of CHD after authorisation
-
-**Examples**: Retail merchant using an internet-connected POS application (e.g., Square POS, Lightspeed) on a device isolated from other business systems.
-
----
-
-### SAQ P2PE — Validated P2PE Solution
-**Applies to**: Merchants using ONLY hardware payment terminals in a PCI-validated, PCI-listed P2PE solution. No e-commerce.
-
-**Requirements covered**: Very small subset of Req 9, 12 (~33 controls)
-
-**Eligibility criteria**:
|
143
|
-
- ALL cardholder data captured via terminals included in a PCI-validated P2PE solution
|
|
144
|
-
- P2PE solution is on the PCI SSC list of validated P2PE solutions
|
|
145
|
-
- No e-commerce
|
|
146
|
-
- Merchant has no access to clear-text CHD
|
|
147
|
-
|
|
148
|
-
**Examples**: Merchant using a Verifone or Ingenico terminal within a certified P2PE solution (e.g., Bluefin PayConex P2PE, Worldpay Total P2PE).
|
|
149
|
-
|
|
150
|
-
**Key benefit**: Dramatically reduces PCI DSS scope — merchants only attest to physical security of terminals and selecting a compliant P2PE provider.
|
|
151
|
-
|
|
152
|
-
---
|
|
153
|
-
|
|
154
|
-
### SAQ D — All Other Merchants and Service Providers
|
|
155
|
-
|
|
156
|
-
**SAQ D for Merchants**
|
|
157
|
-
**Applies to**: All merchants who do not meet criteria for SAQ A, A-EP, B, B-IP, C, C-VT, or P2PE. Covers all 12 PCI DSS requirements.
|
|
158
|
-
|
|
159
|
-
**Requirements covered**: All 12 requirements (~340+ controls)
|
|
160
|
-
|
|
161
|
-
**Examples**: Merchants that store CHD, have complex multi-channel environments, or don't qualify for a simpler SAQ.
|
|
162
|
-
|
|
163
|
-
---
|
|
164
|
-
|
|
165
|
-
**SAQ D for Service Providers**
|
|
166
|
-
**Applies to**: All service providers eligible for SAQ validation (Level 2 service providers). Covers all 12 PCI DSS requirements.
|
|
167
|
-
|
|
168
|
-
**Requirements covered**: All 12 requirements (~340+ controls, service-provider-specific questions)
|
|
169
|
-
|
|
170
|
-
**Note**: Service providers have additional requirements vs merchants, particularly around Req 12.8 (TPSP management), Req 12.9 (TPSP acknowledgement), and Req 3.3.2 (SAD protection).
|
|
171
|
-
|
|
172
|
-
---
|
|
173
|
-
|
|
174
|
-
## Report on Compliance (ROC)
|
|
175
|
-
|
|
176
|
-
An ROC is required for:
|
|
177
|
-
- **Level 1 Merchants**: >6 million Visa/MC transactions per year, OR any merchant that has suffered a breach that resulted in account data compromise
|
|
178
|
-
- **Level 1 Service Providers**: >300,000 transactions per year OR designated by a card brand
|
|
179
|
-
|
|
180
|
-
**ROC process**:
|
|
181
|
-
1. Engage a Qualified Security Assessor (QSA) from the PCI SSC's list
|
|
182
|
-
2. QSA performs on-site assessment against all applicable PCI DSS controls
|
|
183
|
-
3. QSA completes the ROC Template (v4.0.1 template released 2024)
|
|
184
|
-
4. Organisation completes the Attestation of Compliance (AOC) signed by QSA and officer
|
|
185
|
-
5. Submit ROC + AOC to acquiring bank or card brand
|
|
186
|
-
|
|
187
|
-
---
|
|
188
|
-
|
|
189
|
-
## Attestation of Compliance (AOC)
|
|
190
|
-
|
|
191
|
-
The AOC is a declaration of the organisation's PCI DSS compliance status. It is:
|
|
192
|
-
- Completed alongside the ROC (Level 1) or SAQ (Levels 2–4)
|
|
193
|
-
- Signed by both the organisation's officer and the QSA (for ROC) or responsible officer (for SAQ)
|
|
194
|
-
- Submitted annually to the acquiring bank or card brand
|
|
195
|
-
- A merchant-specific or service provider-specific version exists
|
|
196
|
-
|
|
197
|
-
---
|
|
198
|
-
|
|
199
|
-
## Approved Scanning Vendor (ASV) Scans
|
|
200
|
-
|
|
201
|
-
Quarterly external vulnerability scans by an ASV are required for all merchants and service providers. An ASV is a company approved by PCI SSC to perform external network vulnerability scanning services.
|
|
202
|
-
|
|
203
|
-
- Scans must result in a **passing scan** (no unresolved high-severity vulnerabilities)
|
|
204
|
-
- If a scan fails, remediate and re-scan until a passing result is achieved
|
|
205
|
-
- Passing scan reports must be retained for compliance evidence
|
|
206
|
-
- Internal scans (Req 11.3.1) may be performed by internal staff
|
|
207
|
-
|
|
208
|
-
---
|
|
209
|
-
|
|
210
|
-
## Qualified Security Assessor (QSA) vs Internal Security Assessor (ISA)
|
|
211
|
-
|
|
212
|
-
| Role | Who | Used For |
|
|
213
|
-
|------|-----|---------|
|
|
214
|
-
| **QSA** | External PCI SSC-approved company | Required for ROC (Level 1); optional for SAQs to guide/verify |
|
|
215
|
-
| **ISA** | Internal employee trained and certified by PCI SSC | Can perform internal assessments; cannot sign ROC for Level 1 |
|
|
216
|
-
|
|
217
|
-
ISAs are useful for ongoing internal compliance monitoring and SAQ validation for Levels 2–4.
|
|
1
|
+
# PCI DSS v4.0.1 — SAQ Selection Guide
|
|
2
|
+
|
|
3
|
+
Source: PCI DSS v4.0 SAQ documents (PCI Security Standards Council)
|
|
4
|
+
https://www.pcisecuritystandards.org/document_library/
|
|
5
|
+
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
## What is a Self-Assessment Questionnaire (SAQ)?
|
|
9
|
+
|
|
10
|
+
An SAQ is a validation tool intended to assist merchants and service providers in self-evaluating their compliance with PCI DSS. There are multiple SAQ types — each designed for a specific payment channel and cardholder data environment profile. The correct SAQ type depends on **how** your organisation accepts payments and **who** handles cardholder data.
|
|
11
|
+
|
|
12
|
+
Level 1 merchants and Level 1 service providers are **not eligible** for SAQs — they require an on-site Report on Compliance (ROC) completed by a Qualified Security Assessor (QSA).
|
|
13
|
+
|
|
14
|
+
---
|
|
15
|
+
|
|
16
|
+
## SAQ Selection Decision Tree
|
|
17
|
+
|
|
18
|
+
**Step 1: Are you a Level 1 Merchant or Level 1 Service Provider?**
|
|
19
|
+
- Yes → ROC required (not an SAQ). Stop here.
|
|
20
|
+
- No → Continue to Step 2.
|
|
21
|
+
|
|
22
|
+
**Step 2: Are you a Service Provider (not a merchant)?**
|
|
23
|
+
- Yes → **SAQ D for Service Providers** (unless Level 1)
|
|
24
|
+
- No (Merchant) → Continue to Step 3.
|
|
25
|
+
|
|
26
|
+
**Step 3: Do you accept card-present (face-to-face) transactions?**
|
|
27
|
+
- Yes, using ONLY imprint machines (no electronic transactions) → **SAQ B**
|
|
28
|
+
- Yes, using ONLY standalone dial-out terminals (no IP connectivity) → **SAQ B**
|
|
29
|
+
- Yes, using standalone IP-connected PTS POI devices only → **SAQ B-IP**
|
|
30
|
+
- Yes, using a validated P2PE solution only (PCI-listed) → **SAQ P2PE**
|
|
31
|
+
- Yes, using virtual payment terminals (isolated device, web-based) → **SAQ C-VT**
|
|
32
|
+
- Yes, using payment application systems connected to internet → **SAQ C**
|
|
33
|
+
- Yes, with any other scenario → **SAQ D for Merchants**
|
|
34
|
+
|
|
35
|
+
**Step 4: Do you accept card-not-present (CNP) — e-commerce or MOTO — only?**
|
|
36
|
+
- Yes, and ALL cardholder data functions fully outsourced, no redirect control → **SAQ A**
|
|
37
|
+
- Yes, e-commerce only, but you control the customer redirect to the payment page → **SAQ A-EP**
|
|
38
|
+
- Yes, MOTO only with virtual payment terminals (web-based, isolated device) → **SAQ C-VT**
|
|
39
|
+
- Any other CNP scenario → **SAQ D for Merchants**
|
|
40
|
+
|
|
41
|
+
---
|
|
42
|
+
|
|
43
|
+
## SAQ Types — Full Reference
|
|
44
|
+
|
|
45
|
+
### SAQ A — Fully Outsourced Card-Not-Present
|
|
46
|
+
**Applies to**: E-commerce and/or MOTO (mail order/telephone order) merchants only. No card-present transactions. All cardholder data functions (storage, processing, transmission) fully outsourced to PCI DSS-compliant third-party service providers. Merchant retains no electronic cardholder data.
|
|
47
|
+
|
|
48
|
+
**Requirements covered**: Subset of Req 2, 6, 8, 9, 10, 11, 12 (~22 controls)
|
|
49
|
+
|
|
50
|
+
**Eligibility criteria**:
|
|
51
|
+
- Cards not present at any time during the transaction
|
|
52
|
+
- All payment processing delegated to a PCI-compliant third party
|
|
53
|
+
- Merchant website does not directly receive cardholder data
|
|
54
|
+
- No cardholder data stored, processed, or transmitted by merchant systems or premises
|
|
55
|
+
|
|
56
|
+
**Examples**: Merchant uses a payment link or hosted payment page (Stripe, PayPal, Square Checkout). Customer is redirected completely to the provider's hosted page.
|
|
57
|
+
|
|
58
|
+
---
|
|
59
|
+
|
|
60
|
+
### SAQ A-EP — E-commerce with Partial Outsourcing
|
|
61
|
+
**Applies to**: E-commerce merchants ONLY. Merchant outsources payment processing but controls/influences how the customer is directed to the payment service. No card-present transactions.
|
|
62
|
+
|
|
63
|
+
**Requirements covered**: Subset of Req 2, 6, 8, 9, 10, 11, 12 (~191 controls)
|
|
64
|
+
|
|
65
|
+
**Eligibility criteria**:
|
|
66
|
+
- E-commerce only; no card-present
|
|
67
|
+
- Merchant's website includes payment page elements or partially controls redirect
|
|
68
|
+
- All cardholder data capture outsourced to compliant third party
|
|
69
|
+
- Merchant systems do not receive, store, process, or transmit CHD
|
|
70
|
+
|
|
71
|
+
**Examples**: Merchant website uses JavaScript-based payment widgets or iFrames that embed third-party payment capture within the merchant's own page.
|
|
72
|
+
|
|
73
|
+
**Key distinction from SAQ A**: SAQ A-EP requires script integrity controls (Req 6.4.3, 11.6.1) because the merchant controls the page hosting the widget.
|
|
74
|
+
|
|
75
|
+
---
|
|
76
|
+
|
|
77
|
+
### SAQ B — Imprint Machines or Standalone Dial-Out Terminals
|
|
78
|
+
**Applies to**: Merchants using ONLY imprint machines (knuckle-busters) OR standalone, dial-out (non-IP) terminals. No e-commerce.
|
|
79
|
+
|
|
80
|
+
**Requirements covered**: Subset of Req 2, 8, 9, 10, 11, 12 (~41 controls)
|
|
81
|
+
|
|
82
|
+
**Eligibility criteria**:
|
|
83
|
+
- Transactions processed only via imprint machines or dial-out (telephone-line) terminals
|
|
84
|
+
- Terminals not IP-connected and not connected to any other system in the environment
|
|
85
|
+
- No electronic cardholder data stored on any computer system
|
|
86
|
+
- No e-commerce
|
|
87
|
+
|
|
88
|
+
**Examples**: Small retail using a standalone Dial-Up terminal or old knuckle-buster imprinter.
|
|
89
|
+
|
|
90
|
+
---
|
|
91
|
+
|
|
92
|
+
### SAQ B-IP — Standalone IP-Connected PTS POI Devices
|
|
93
|
+
**Applies to**: Merchants using ONLY standalone PTS (PIN Transaction Security) POI devices with IP connectivity. Devices must be PCI-listed PTS POI devices. No e-commerce.
|
|
94
|
+
|
|
95
|
+
**Requirements covered**: Subset of Req 1, 2, 6, 8, 9, 10, 11, 12 (~83 controls)
|
|
96
|
+
|
|
97
|
+
**Eligibility criteria**:
|
|
98
|
+
- ONLY standalone PCI-listed PTS POI devices with IP connection used
|
|
99
|
+
- Devices not connected to any other system in the merchant environment
|
|
100
|
+
- No e-commerce
|
|
101
|
+
|
|
102
|
+
**Examples**: Merchant using a certified IP-connected payment terminal (e.g., Ingenico, Verifone) with an IP connection but isolated from other systems.
|
|
103
|
+
|
|
104
|
+
---
|
|
105
|
+
|
|
106
|
+
### SAQ C-VT — Virtual Payment Terminals (Web-Based)
|
|
107
|
+
**Applies to**: Merchants using only web-based virtual payment terminal solutions accessed via a web browser on an isolated computing device. No e-commerce; no cardholder data electronically stored.
|
|
108
|
+
|
|
109
|
+
**Requirements covered**: Subset of Req 1, 2, 6, 8, 9, 10, 11, 12 (~90 controls)
|
|
110
|
+
|
|
111
|
+
**Eligibility criteria**:
|
|
112
|
+
- Payment processing via web-browser virtual terminal only
|
|
113
|
+
- Device used for virtual terminal is isolated and dedicated to payment processing
|
|
114
|
+
- No cardholder data storage on any system
|
|
115
|
+
- No card-present (physical card swiped) via this method
|
|
116
|
+
- Device not connected to other systems in the environment
|
|
117
|
+
|
|
118
|
+
**Examples**: MOTO merchant logs into a hosted virtual terminal (e.g., PayPal Virtual Terminal, Authorize.Net) on a dedicated PC to key-enter card details.
|
|
119
|
+
|
|
120
|
+
---
|
|
121
|
+
|
|
122
|
+
### SAQ C — Payment Application Systems Connected to Internet
|
|
123
|
+
**Applies to**: Merchants with payment application systems connected to the internet. No e-commerce. Device/application(s) not connected to other systems in the environment.
|
|
124
|
+
|
|
125
|
+
**Requirements covered**: Subset of Req 1, 2, 5, 6, 8, 9, 10, 11, 12 (~160 controls)
|
|
126
|
+
|
|
127
|
+
**Eligibility criteria**:
|
|
128
|
+
- Payment application connected to internet (e.g., point-of-sale system with internet connectivity)
|
|
129
|
+
- Not an e-commerce channel
|
|
130
|
+
- Payment application not connected to other systems within the facility (segmented)
|
|
131
|
+
- No electronic storage of CHD after authorisation
|
|
132
|
+
|
|
133
|
+
**Examples**: Retail merchant using an internet-connected POS application (e.g., Square POS, Lightspeed) on a device isolated from other business systems.
|
|
134
|
+
|
|
135
|
+
---
|
|
136
|
+
|
|
137
|
+
### SAQ P2PE — Validated P2PE Solution
|
|
138
|
+
**Applies to**: Merchants using ONLY hardware payment terminals in a PCI-validated, PCI-listed P2PE solution. No e-commerce.
|
|
139
|
+
|
|
140
|
+
**Requirements covered**: Very small subset of Req 9, 12 (~33 controls)
|
|
141
|
+
|
|
142
|
+
**Eligibility criteria**:
|
|
143
|
+
- ALL cardholder data captured via terminals included in a PCI-validated P2PE solution
|
|
144
|
+
- P2PE solution is on the PCI SSC list of validated P2PE solutions
|
|
145
|
+
- No e-commerce
|
|
146
|
+
- Merchant has no access to clear-text CHD
|
|
147
|
+
|
|
148
|
+
**Examples**: Merchant using a Verifone or Ingenico terminal within a certified P2PE solution (e.g., Bluefin PayConex P2PE, Worldpay Total P2PE).
|
|
149
|
+
|
|
150
|
+
**Key benefit**: Dramatically reduces PCI DSS scope — merchants only attest to physical security of terminals and selecting a compliant P2PE provider.
|
|
151
|
+
|
|
152
|
+
---
|
|
153
|
+
|
|
154
|
+
### SAQ D — All Other Merchants and Service Providers
|
|
155
|
+
|
|
156
|
+
**SAQ D for Merchants**
|
|
157
|
+
**Applies to**: All merchants who do not meet criteria for SAQ A, A-EP, B, B-IP, C, C-VT, or P2PE. Covers all 12 PCI DSS requirements.
|
|
158
|
+
|
|
159
|
+
**Requirements covered**: All 12 requirements (~340+ controls)
|
|
160
|
+
|
|
161
|
+
**Examples**: Merchants that store CHD, have complex multi-channel environments, or don't qualify for a simpler SAQ.
|
|
162
|
+
|
|
163
|
+
---
|
|
164
|
+
|
|
165
|
+
**SAQ D for Service Providers**
|
|
166
|
+
**Applies to**: All service providers eligible for SAQ validation (Level 2 service providers). Covers all 12 PCI DSS requirements.
|
|
167
|
+
|
|
168
|
+
**Requirements covered**: All 12 requirements (~340+ controls, service-provider-specific questions)
|
|
169
|
+
|
|
170
|
+
**Note**: Service providers have additional requirements vs merchants, particularly around Req 12.8 (TPSP management), Req 12.9 (TPSP acknowledgement), and Req 3.3.2 (SAD protection).
|
|
171
|
+
|
|
172
|
+
---
|
|
173
|
+
|
|
174
|
+
## Report on Compliance (ROC)
|
|
175
|
+
|
|
176
|
+
An ROC is required for:
|
|
177
|
+
- **Level 1 Merchants**: >6 million Visa/MC transactions per year, OR any merchant that has suffered a breach that resulted in account data compromise
|
|
178
|
+
- **Level 1 Service Providers**: >300,000 transactions per year OR designated by a card brand
|
|
179
|
+
|
|
180
|
+
**ROC process**:
|
|
181
|
+
1. Engage a Qualified Security Assessor (QSA) from the PCI SSC's list
|
|
182
|
+
2. QSA performs on-site assessment against all applicable PCI DSS controls
|
|
183
|
+
3. QSA completes the ROC Template (v4.0.1 template released 2024)
|
|
184
|
+
4. Organisation completes the Attestation of Compliance (AOC) signed by QSA and officer
|
|
185
|
+
5. Submit ROC + AOC to acquiring bank or card brand
|
|
186
|
+
|
|
187
|
+
---
|
|
188
|
+
|
|
189
|
+
## Attestation of Compliance (AOC)
|
|
190
|
+
|
|
191
|
+
The AOC is a declaration of the organisation's PCI DSS compliance status. It is:
|
|
192
|
+
- Completed alongside the ROC (Level 1) or SAQ (Levels 2–4)
|
|
193
|
+
- Signed by both the organisation's officer and the QSA (for ROC) or responsible officer (for SAQ)
|
|
194
|
+
- Submitted annually to the acquiring bank or card brand
|
|
195
|
+
- A merchant-specific or service provider-specific version exists
|
|
196
|
+
|
|
197
|
+
---
|
|
198
|
+
|
|
199
|
+
## Approved Scanning Vendor (ASV) Scans
|
|
200
|
+
|
|
201
|
+
Quarterly external vulnerability scans by an ASV are required for all merchants and service providers. An ASV is a company approved by PCI SSC to perform external network vulnerability scanning services.
|
|
202
|
+
|
|
203
|
+
- Scans must result in a **passing scan** (no unresolved high-severity vulnerabilities)
|
|
204
|
+
- If a scan fails, remediate and re-scan until a passing result is achieved
|
|
205
|
+
- Passing scan reports must be retained for compliance evidence
|
|
206
|
+
- Internal scans (Req 11.3.1) may be performed by internal staff
|
|
207
|
+
|
|
208
|
+
---
|
|
209
|
+
|
|
210
|
+
## Qualified Security Assessor (QSA) vs Internal Security Assessor (ISA)
|
|
211
|
+
|
|
212
|
+
| Role | Who | Used For |
|
|
213
|
+
|------|-----|---------|
|
|
214
|
+
| **QSA** | External PCI SSC-approved company | Required for ROC (Level 1); optional for SAQs to guide/verify |
|
|
215
|
+
| **ISA** | Internal employee trained and certified by PCI SSC | Can perform internal assessments; cannot sign ROC for Level 1 |
|
|
216
|
+
|
|
217
|
+
ISAs are useful for ongoing internal compliance monitoring and SAQ validation for Levels 2–4.
|
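Review bot: Step 3 of the added "SAQ Selection Decision Tree" has no "No → Continue to Step 4." branch, unlike Steps 1 and 2, so a merchant that accepts no card-present transactions is never told to proceed to Step 4; add a closing bullet `- No → Continue to Step 4.` to match the earlier steps. In the same tree, the Step 3 (card-present) bullet "Yes, using virtual payment terminals (isolated device, web-based) → SAQ C-VT" conflicts with the SAQ C-VT eligibility criteria further down, which state "No card-present (physical card swiped) via this method"; that route already appears under Step 4 (MOTO) and should be dropped from Step 3. The "Source" line cites "PCI DSS v4.0 SAQ documents" while the title and the ROC section refer to v4.0.1; align the version. Separately, every removed line visible in this file is re-added with identical content, so the change looks whitespace- or line-ending-only; confirm with a whitespace-ignoring diff (`git diff -w`) and consider a `.gitattributes` line-ending policy so that real content changes in this and the other rewritten files stay reviewable.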