New PCI Self-Assessment Questionnaire – What Has Changed?

Published on March 28, 2014

Author: Protiviti

Source: slideshare.net

Description

On March 10, 2014, the Payment Card Industry Security Standards Council (PCI SSC) released new PCI Self-Assessment Questionnaires (SAQs). These new SAQs are designed to align with the PCI Data Security Standards, version 3.0 (PCI DSS 3.0), released last November. The PCI DSS is the widely accepted set of policies and procedures used to optimize security of credit, debit and cash card transactions and protect cardholders from misuse of their personal information.

This release of new SAQs follows PCI SSC practice. Previous versions of the PCI DSS also were accompanied by a set of SAQs to assist companies in satisfying the PCI DSS requirements under the guidance of the payment brands (Visa, MasterCard, American Express, Discover and JCB). The new SAQs reflect some important changes specific to version 3.0 compliance.

INFORMATION TECHNOLOGY FLASH REPORT

SAQs A, B, C, AND D – EXPANDED REQUIREMENTS

These four SAQs that existed under version 2.0 have migrated to 3.0 without major changes. The difference is an expansion in the requirements for each updated SAQ, similar to the expansion of PCI DSS version 3.0 over version 2.0. In addition, the PCI SSC has created two new SAQs that did not exist previously, SAQ A-EP and SAQ B-IP.

SAQ A-EP – Expanded Requirements for E-commerce Merchants

The most significant change from the earlier set of SAQs is the addition of SAQ A-EP. For merchants who use hosted payment pages, iFrames, or other technologies to outsource their e-commerce payment pages, this SAQ introduces dramatic new requirements.

“SAQ A-EP has been developed to address requirements applicable to e-commerce merchants with a website(s) that does not itself receive cardholder data but which does affect the security of the payment transaction and/or the integrity of the page that accepts the consumer’s cardholder data.”[1] While e-commerce merchants who completely outsource their website(s) to a third-party service provider can still complete the SAQ A for PCI DSS compliance, e-commerce merchants that partially outsource their website(s) will now have to complete the new SAQ A-EP.

SAQ A-EP’s Impact on E-Commerce Merchants

Under PCI DSS 2.0, it was possible for online merchants to de-scope their Internet-facing web systems from PCI DSS validation if they outsourced the online payment processing to a third party. This followed the logic that the presence of cardholder data establishes the scope for PCI obligations. However, PCI DSS 3.0 offers a new definition of system components going forward, which brings Internet-facing e-commerce systems back into scope for compliance. Under the new standard, web servers that use these hosted payment page technologies and the systems connected to them fall in scope. Additionally, new rules for system isolation (rather than segmentation) likely bring the rest of a company’s network into scope as well. The only “out” for companies that lack the ability to ensure the security of web servers is to fully outsource the web infrastructure to a third party.

SAQ A-EP expands SAQ A from 14 requirements in two sections (8 and 12) to 139 requirements covering all 12 sections. This will significantly increase the level of effort merchants will have to go through to complete their assessment.

Some of the major changes, and the ones that may take the most effort to implement, include the following:

• Firewalls restricting inbound/outbound traffic have to be in place, along with a process for reviewing the rules on a semi-annual basis (Requirements 1.1.x, 1.2.x and 1.3.x)
• System configuration standards have to be in place for all in-scope systems (Requirement 2.2.x)
• Vulnerability management and patch management have to be in place for all in-scope systems (Requirements 6.1 and 6.2)
• Change management and software development processes have to be in place for all in-scope systems (Requirements 6.4.x and 6.5.x)
• System audit trails along with a central log server have to be in place for all in-scope systems (Requirement 10.2.x)
• External vulnerability scans must be completed (a passing scan must be achieved) quarterly by a PCI Approved Scanning Vendor (Requirement 11.2.2)
• Internal vulnerability scans must be completed (a passing scan must be achieved) quarterly and after any significant changes in the cardholder data environment (Requirement 11.2.3)
• An external penetration test must be completed at least annually (Requirement 11.3)

Additionally, merchants need to remember that any system that can influence the security of an in-scope system is also in scope. This will expand the scope of SAQ A-EP beyond just the web server to other systems that connect to or administer the web server.

SAQ B-IP – Good News for PTS Device Processing

Prior to PCI DSS 3.0, merchants who processed payment cards through a stand-alone PIN Transaction Security (PTS) device were required to complete and submit the SAQ C for PCI DSS validation. With PCI DSS 3.0, these merchants are now able to complete the new SAQ B-IP and benefit from the reduction in requirements – 83, instead of 134. It is important to note that this new SAQ only applies to stand-alone devices. PTS-validated devices that connect to the POS system or to other computers most likely will still require use of SAQ C or SAQ D.

The reduction in requirements in SAQ B-IP helps align the requirements to the risks of the technical environment. The greatest reductions are in the following major areas:

• Anti-virus (Requirement 5)
• System audit trails with a central log server (Requirement 10)
• Internal vulnerability scans (Requirement 11)

SUMMARY

Companies still working to gain compliance with PCI DSS 2.0 should realign their efforts to PCI DSS 3.0 as soon as possible. For companies making use of third-party-hosted payment pages, the realignment is even more urgent. Such companies must consider steps to enhance security controls on their e-commerce web servers to align to PCI DSS 3.0 requirements as soon as possible. The simplest approach would be to outsource the full e-commerce environment to a PCI-validated hosting and management provider. If this approach doesn’t work, isolation of the web infrastructure is the most likely approach. Without making these improvements, merchants will find themselves non-compliant and without enough time to remediate.

ABOUT PROTIVITI

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 35 percent of FORTUNE 1000® and FORTUNE Global 500® companies. Protiviti and its independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. The firm also works with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

Contacts

Rocco Grillo, Managing Director, +1.212.603.8381, rocco.grillo@protiviti.com
Scott Laliberte, Managing Director, +1.267.256.8825, scott.laliberte@protiviti.com
Mark Lippman, Managing Director, +1.571.382.7807, mark.lippman@protiviti.com
Ryan Rubin, Managing Director, +44.207.389.0436, ryan.rubin@protiviti.co.uk
Jeff Sanchez, Managing Director, +1.213.327.1433, jeffrey.sanchez@protiviti.com
Cal Slemp, Managing Director, +1.203.905.2926, cal.slemp@protiviti.com
Michael Walter, Managing Director, +1.404.926.4301, michael.walter@protiviti.com
Jeff Weber, Managing Director, +1.412.402.1712, jeffrey.weber@protiviti.com

[1] www.pcisecuritystandards.org/documents/SAQ_A-EP_v3.docx

© 2014 Protiviti Inc. An Equal Opportunity Employer M/F/D/V. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.
