Upload
tamia-caples
View
224
Download
1
Tags:
Embed Size (px)
Citation preview
Navigating the New SAQs(Helping the 99% validate PCI compliance)
Agenda• Introduction• Presenter Background• The New Self-Assessment Questionnaires
o New Categorieso Selection Criteriao New Expectationso New Requirements
• The Biggest Impacto SAQ-EPo Implications
• Tenable Solutions• Questions
Introduction• 99% of merchants do not retain a QSA for PCI DSS compliance validation – they self assess
• Self-Assessment Questionnaires are the ticket• Any guidance is provided by vendors (easy, simple)• Overview of new SAQ options• Highlighting the Changes• How do you know which one to use?• What other activities (like ASV scanning) are required?
Presenter
Jeffrey Man
PCI SME/Product Manager
(former QSA)
T: 443-545-2102 ext. 366
Straight Talk about PCI (Moderator):
https://discussions.nessus.org/community/pci
Background
30+ years experience in Information Securityo 13 years with the Department of Defense
• Certified Cryptanalyst• Designed Cryptosystems and Cryptologic Aids• Founding Member of Systems & Network Attack Center
o 17 years in commercial Professional Services• Penetration Testing• Vulnerability Assessments• Security Architecture
o 10 years as a QSA• Lead Assessor/Assessment Team Member• Trusted Advisor
Self-Assessment QuestionnairesPCI DSS Version 3
The New PCI DSS V3 SAQ OptionsSAQ Version Qualification Criteria
SAQ AMerchants that entirely outsource their e-commerce websites (including the payment processing) and only paper copy of cardholder data is retained from mail/telephone orders; no electronic storage of cardholder data
SAQ A-EP (NEW)Merchants with e-commerce websites that redirect the payment processing to a third party and the website is segmented from the rest of the corporate network; no electronic storage of cardholder data
SAQ BFace-to-face merchants with only imprint machines (knuckle busters) or standalone, dial-out payment terminals; no electronic storage of cardholder data
SAQ B-IP (NEW)Face-to-face merchants with only standalone payment terminals IP-connected to the payment processor; no electronic storage of cardholder data
The New SAQ Options - continuedSAQ Version Qualification Criteria
SAQ C Merchants with payment application systems connected to the Internet; no electronic storage of cardholder data
SAQ C-VT Merchants with Web-based virtual payment terminals (not eCommerce though); no electronic storage of cardholder data
SAQ D-Merchant (NEW) Every other merchant (if you don't fit in one of the previous categories - this is what you fill out)
SAQ D-Service Provider (NEW)
Service Providers stop here. Period. This is the one you fill out. (Don't bother filling out another version
SAQ-P2PE-HWHardware payment terminals using a PCI-approved P2PE solution Only (did I mention it needs to be a hardware solution) ; no electronic storage of cardholder data
Expected Testing (more than a checkbox)
Which SAQs Require ASV ScanningSAQ Version ASV Scanning Required
SAQ-A: Card-not present; all cardholder functions outsourced NO
SAQ-A-EP: Partially outsourced e-commerce; payment processing by third party YES
SAQ-B: Imprint or Stand-alone or dial-out terminals NO
SAQ-B-IP: Stand-alone, IP-connected PTS POI terminals YES
SAQ-C: Payment application systems connected to the Internet YES
SAQ-C-VT: Web-based virtual payment terminals NO
SAQ-D (Merchant/Service Provider): YES
SAQ-P2PE-HW: HW-based PCI-listed P2PE solution NO
Validate Compliance with an ASV•External Vulnerability Scanning
o Must be performed by ASVo Quarterly Scan Reports that show “PASS”o Entire Internet presence – not just the ecommerce
app or payment/checkout page
•Provide Attestation signed by an Officer of the company
New SAQ CategoriesHighlighting the SAQs with the biggest impact
The New SAQ D – Service Providers
Biggest Impact
Merchants that have been completing SAQ A because they redirect the payment processing from their e-commerce site to a PCI compliant third party are now going to have to determine which of the new SAQs applies to them.
The goal is to bring PCI DSS requirements to the e-commerce site that controls the redirection of the consumer to the payment processor.
E-commerce w/Payment Processor
CONSUMER
E-COMMERCE SITE
SHOPPING CART CHECKOUT (REDIRECT)
PAYMENT PROCESSOR
CONSUMER BANK
SAQ A-EP Applicability
SAQ A-EP has been developed to address requirements applicable to e-commerce merchants with a website(s) that does not itself receive cardholder data but which does affect the security of the payment transaction and/or the integrity of the page that accepts the consumer’s cardholder data.
SAQ A-EP merchants are e-commerce merchants who partially outsource their e-commerce payment channel to PCI DSS validated third parties and do not electronically store, process, or transmit any cardholder data on their systems or premises
Leading Payment Gateways
SAQ A-EP Qualifications
Validating PCI DSS ComplianceTenable can help you validate PCI DSS
Tenable Solutions• Nessus Vulnerability Scanner (Nessus)
o Internal (CDE) vulnerability scanning solutiono Configuration and compliance auditing (Credentialed)o Monitor and maintain numerous technical PCI controls
• Nessus Perimeter Service (PS)o ASV-certified External vulnerability scanning solutiono Multi-Scanner feature allows management of all internal and external PCI scans
• Passive Vulnerability Scanner (PVS)o Identify/confirm data flows; maintain integrity of CDEo Detect unintentional/unknown data flows
• SecurityCenter Continuous View (SC CV)o Provides real-time compliance monitoring to maintain a compliant state.o Identifies problems with sustaining secure business processes
• Log Correlation Engine (LCE)o Centralized event logging, analysis, and correlationo File integrity monitoring capabilities
Have More Questions about PCI? Tenable hosts a PCI Discussion Forum where anyone can ask questions related to all aspects of PCI. If your question is a little too sensitive for a public forum, feel free to contact me directly.
Jeff Man
T: 443-545-2102 ext. 366
Straight Talk about PCI (Moderator):
https://discussions.nessus.org/community/pci
Questions?