New PCI Self-Assessment Questionnaire – What Has Changed?

On March 10, 2014, the Payment Card Industry Security Standards Council (PCI SSC) released new PCI Self-Assessment Questionnaires (SAQs). These new SAQs are designed to align with the PCI Data Security Standards, version 3.0 (PCI DSS 3.0), released last November. The PCI DSS is the widely accepted set of policies and procedures used to optimize security of credit, debit and cash card transactions and protect cardholders from misuse of their personal information.

This release of new SAQs follows PCI SSC practice. Previous versions of the PCI DSS also were accompanied by a set of SAQs to assist companies in satisfying the PCI DSS requirements under the guidance of the payment brands (Visa, MasterCard, American Express, Discover and JCB). The new SAQs reflect some important changes specific to version 3.0 compliance.


Protiviti Information Technology Flash Report, March 28, 2014

SAQs A, B, C, AND D – EXPANDED REQUIREMENTS

These four SAQs that existed under version 2.0 have migrated to 3.0 without major changes. The difference is an expansion in the requirements for each updated SAQ, similar to the expansion of PCI DSS version 3.0 over version 2.0. In addition, the PCI SSC has created two new SAQs that did not exist previously, SAQ A-EP and SAQ B-IP.

SAQ A-EP – Expanded Requirements for E-commerce Merchants

The most significant change from the earlier set of SAQs is the addition of SAQ A-EP. For merchants who use hosted payment pages, iFrames, or other technologies to outsource their e-commerce payment pages, this SAQ introduces dramatic new requirements.

“SAQ A-EP has been developed to address requirements applicable to e-commerce merchants with a website(s) that does not itself receive cardholder data but which does affect the security of the payment transaction and/or the integrity of the page that accepts the consumer’s cardholder data.”[1]

While e-commerce merchants who completely outsource their website(s) to a third-party service provider can still complete the SAQ A for PCI DSS compliance, e-commerce merchants that partially outsource their website(s) will now have to complete the new SAQ A-EP.

[1] www.pcisecuritystandards.org/documents/SAQ_A-EP_v3.docx

SAQ A-EP’s Impact on E-Commerce Merchants

Under PCI DSS 2.0, it was possible for online merchants to de-scope their Internet-facing web systems from PCI DSS validation if they outsourced the online payment processing to a third party. This followed the logic that the presence of cardholder data establishes the scope for PCI obligations. However, PCI DSS 3.0 offers a new definition of system components going forward, which brings Internet-facing e-commerce systems back into scope for compliance. Under the new standard, web servers that use these hosted payment page technologies and the systems connected to them fall in scope. Additionally, new rules for system isolation (rather than segmentation) likely bring the rest of a company’s network into scope as well. The only “out” for companies that lack the ability to ensure the security of web servers is to fully outsource the web infrastructure to a third party.

SAQ A-EP expands SAQ A from 14 requirements in two sections (8 and 12) to 139 requirements covering all 12 sections. This will significantly impact the level of effort merchants will have to go through to complete their assessment.

Some of the major changes, and the ones that may take the most effort to implement, include the following:

• Firewalls restricting inbound/outbound traffic have to be in place, along with a process for reviewing the rules on a semi-annual basis (Requirements 1.1.x, 1.2.x and 1.3.x)
• System configuration standards have to be in place for all in-scope systems (Requirement 2.2.x)
• Vulnerability management and patch management have to be in place for all in-scope systems (Requirements 6.1 and 6.2)
• Change management and software development processes have to be in place for all in-scope systems (Requirements 6.4.x and 6.5.x)
• System audit trails along with a central log server have to be in place for all in-scope systems (Requirement 10.2.x)
• External vulnerability scans must be completed (passing scan must be achieved) quarterly by a PCI Approved Scanning Vendor (Requirement 11.2.2)
• Internal vulnerability scans must be completed (passing scan must be achieved) quarterly and after any significant changes in the cardholder data environment (Requirement 11.2.3)
• An external penetration test must be completed at least annually (Requirement 11.3)

Additionally, merchants need to remember that any system that can influence the security of the in-scope system is also in scope. This will expand the scope of SAQ A-EP beyond just the web server to other systems that connect to or administer the web server.

SAQ B-IP – Good News for PTS Device Processing

Prior to PCI DSS 3.0, merchants who processed payment cards through a stand-alone PIN Transaction Security (PTS) device were required to complete and submit the SAQ C for PCI DSS validation. With PCI DSS 3.0, these merchants are now able to complete the new SAQ B-IP and benefit from the reduction in requirements – 83, instead of 134. It is important to note that this new SAQ only applies to stand-alone devices. PTS-validated devices that connect to the POS system or to other computers most likely will still require use of SAQ C or SAQ D.

The reduction in requirements in SAQ B-IP helps align the requirements to the risks of the technical environment. The greatest reductions are in the following major areas:

• Anti-virus (Requirement 5)
• System audit trails with a central log server (Requirement 10)
• Internal vulnerability scans (Requirement 11)

SUMMARY

Companies still working to gain compliance with PCI DSS 2.0 should realign their efforts to PCI DSS 3.0 as soon as possible. For companies making use of third-party-hosted payment pages, the realignment is even more urgent. Such companies must consider steps to enhance security controls on their e-commerce web servers to align to PCI DSS 3.0 requirements as soon as possible. The simplest approach would be to outsource the full e-commerce environment to a PCI-validated hosting and management provider. If this approach doesn’t work, isolation of the web infrastructure is the most likely approach. Without making these improvements, merchants will find themselves non-compliant and without enough time to remediate.

ABOUT PROTIVITI

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 35 percent of FORTUNE 1000® and FORTUNE Global 500® companies. Protiviti and its independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. The firm also works with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

CONTACTS

Rocco Grillo, Managing Director, +1.212.603.8381, rocco.grillo@protiviti.com
Scott Laliberte, Managing Director, +1.267.256.8825, scott.laliberte@protiviti.com
Mark Lippman, Managing Director, +1.571.382.7807, mark.lippman@protiviti.com
Ryan Rubin, Managing Director, +44.207.389.0436, ryan.rubin@protiviti.co.uk
Jeff Sanchez, Managing Director, +1.213.327.1433, jeffrey.sanchez@protiviti.com
Cal Slemp, Managing Director, +1.203.905.2926, cal.slemp@protiviti.com
Michael Walter, Managing Director, +1.404.926.4301, michael.walter@protiviti.com
Jeff Weber, Managing Director, +1.412.402.1712, jeffrey.weber@protiviti.com

© 2014 Protiviti Inc. An Equal Opportunity Employer M/F/D/V. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.
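The SAQ A-EP scoping rule above (any system that can influence the security of an in-scope system is itself in scope, so scope spreads from the web server to whatever connects to or administers it, unless an isolation boundary stops it) is easiest to reason about as a walk over an asset inventory. The following Python script is an added illustration of that walk and is not from the Protiviti report or the PCI SSC; the asset names, relationships and the "isolated" set are constructed sample data, and the influence model (administration is one-directional, a network path counts in both directions) is an assumption for the example, not PCI SSC's official scoping guidance.

```python
"""Illustrative PCI scope propagation over an asset graph (added example).

Models the rule summarised in the report: once the e-commerce web server is
in scope, any system that connects to it or administers it is also in scope,
and the walk continues from those systems. Asset names, relationships and
the SAMPLE_ISOLATED set are constructed sample data, not from the report.
"""
from collections import deque

# Constructed sample inventory: (source, relation, target).
# "connects_to" : a network path exists between the two systems
# "administers" : the source manages the target (jump host, config management)
SAMPLE_EDGES = [
    ("web-01", "connects_to", "app-db"),            # web server talks to a DB
    ("jump-host", "administers", "web-01"),         # admins reach web-01 via jump host
    ("cfg-mgmt", "administers", "web-01"),          # config management pushes to web-01
    ("cfg-mgmt", "administers", "hr-fileserver"),   # ... and to an unrelated HR box
    ("corp-laptop-07", "connects_to", "jump-host"), # a workstation reaches the jump host
    ("log-collector", "connects_to", "web-01"),     # central log server (Req. 10)
    ("marketing-site", "connects_to", "web-01"),    # reachable, but isolated below
]

# Constructed: systems behind a validated isolation boundary. The report notes
# that isolation (not mere segmentation) is what keeps systems out of scope.
SAMPLE_ISOLATED = {"marketing-site"}


def build_influence_graph(edges):
    """Map each system to the set of systems that can influence its security.

    Assumption for this example: a system influences X if it administers X
    (one-directional) or shares a network path with X (both directions).
    """
    influencers = {}
    for src, rel, dst in edges:
        if rel == "administers":
            influencers.setdefault(dst, set()).add(src)
        elif rel == "connects_to":
            influencers.setdefault(dst, set()).add(src)
            influencers.setdefault(src, set()).add(dst)
        else:
            raise ValueError(f"unknown relation {rel!r}")
    return influencers


def compute_scope(seed_systems, edges, isolated=frozenset()):
    """Breadth-first walk: whatever can influence an in-scope system is in
    scope, transitively, unless it sits behind an isolation boundary.

    Returns a dict of system -> the in-scope system that pulled it in
    (None for seeds), which doubles as evidence for the scoping decision.
    """
    influencers = build_influence_graph(edges)
    reason = {s: None for s in seed_systems}
    queue = deque(seed_systems)
    while queue:
        current = queue.popleft()
        for other in sorted(influencers.get(current, ())):
            if other in isolated or other in reason:
                continue
            reason[other] = current
            queue.append(other)
    return reason


def explain_scope(reason):
    """Render one line per in-scope system saying why it is in scope."""
    lines = []
    for system in sorted(reason):
        via = reason[system]
        lines.append(f"{system}: seed" if via is None else f"{system}: influences {via}")
    return lines


if __name__ == "__main__":
    scope = compute_scope(["web-01"], SAMPLE_EDGES, SAMPLE_ISOLATED)
    print("\n".join(explain_scope(scope)))
```

Run against the sample inventory, the walk pulls in the database, the jump host, the configuration management server and the log collector because each connects to or administers web-01, and then the workstation that reaches the jump host; the HR file server stays out because being administered by an in-scope system does not let it influence that system, and the marketing site stays out only because it is behind the isolation boundary. Removing that boundary (calling compute_scope without the isolated set) brings it into scope, which is the point the report makes about segmentation versus isolation.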
