Navigating the New SAQs (Helping the 99% validate PCI compliance)

Agenda
• Introduction
• Presenter Background
• The New Self-Assessment Questionnaires
o New Categories
o Selection Criteria
o New Expectations
o New Requirements
• The Biggest Impact
o SAQ-EP
o Implications
• Tenable Solutions
• Questions

Introduction
• 99% of merchants do not retain a QSA for PCI DSS compliance validation – they self-assess
• Self-Assessment Questionnaires are the ticket
• Any guidance is provided by vendors (easy, simple)
• Overview of new SAQ options
• Highlighting the changes
• How do you know which one to use?
• What other activities (like ASV scanning) are required?

Presenter
Jeffrey Man, PCI SME/Product Manager (former QSA)
T: 443-545-2102 ext. 366
[email protected]
Straight Talk about PCI (Moderator): https://discussions.nessus.org/community/pci

Background
30+ years experience in Information Security
o 13 years with the Department of Defense
• Certified Cryptanalyst
• Designed Cryptosystems and Cryptologic Aids
• Founding Member of Systems & Network Attack Center
o 17 years in commercial Professional Services
• Penetration Testing
• Vulnerability Assessments
• Security Architecture
o 10 years as a QSA
• Lead Assessor/Assessment Team Member
• Trusted Advisor

Self-Assessment Questionnaires – PCI DSS Version 3

The New PCI DSS V3 SAQ Options (SAQ version: qualification criteria)
• SAQ A: Merchants that entirely outsource their e-commerce websites (including the payment processing) and retain only paper copies of cardholder data from mail/telephone orders; no electronic storage of cardholder data
• SAQ A-EP (NEW): Merchants with e-commerce websites that redirect the payment processing to a third party, where the website is segmented from the rest of the corporate network; no electronic storage of cardholder data
• SAQ B: Face-to-face merchants with only imprint machines (knuckle busters) or standalone, dial-out payment terminals; no electronic storage of cardholder data
• SAQ B-IP (NEW): Face-to-face merchants with only standalone payment terminals IP-connected to the payment processor; no electronic storage of cardholder data

The New SAQ Options – continued (SAQ version: qualification criteria)
• SAQ C: Merchants with payment application systems connected to the Internet; no electronic storage of cardholder data
• SAQ C-VT: Merchants with Web-based virtual payment terminals (not e-commerce though); no electronic storage of cardholder data
• SAQ D-Merchant (NEW): Every other merchant (if you don't fit in one of the previous categories, this is what you fill out)
• SAQ D-Service Provider (NEW): Service Providers stop here. Period. This is the one you fill out. (Don't bother filling out another version.)
• SAQ-P2PE-HW: Hardware payment terminals using a PCI-approved P2PE solution only (did I mention it needs to be a hardware solution); no electronic storage of cardholder data

Expected Testing (more than a checkbox)

Which SAQs Require ASV Scanning (SAQ version: ASV scanning required)
• SAQ-A (card-not-present; all cardholder functions outsourced): NO
• SAQ-A-EP (partially outsourced e-commerce; payment processing by third party): YES
• SAQ-B (imprint or stand-alone or dial-out terminals): NO
• SAQ-B-IP (stand-alone, IP-connected PTS POI terminals): YES
• SAQ-C (payment application systems connected to the Internet): YES
• SAQ-C-VT (Web-based virtual payment terminals): NO
• SAQ-D (Merchant/Service Provider): YES
• SAQ-P2PE-HW (HW-based PCI-listed P2PE solution): NO

Validate Compliance with an ASV
• External vulnerability scanning must be performed by an ASV
o Quarterly scan reports that show "PASS"
o Entire Internet presence – not just the e-commerce app or payment/checkout page
• Provide attestation signed by an officer of the company

New SAQ Categories: Highlighting the SAQs with the biggest impact

The New SAQ D – Service Providers

Biggest Impact
Merchants that have been completing SAQ A because they redirect the payment processing from their e-commerce site to a PCI compliant third party are now going to have to determine which of the new SAQs applies to them. The goal is to bring PCI DSS requirements to the e-commerce site that controls the redirection of the consumer to the payment processor.

E-commerce w/Payment Processor (diagram; elements shown: Consumer, E-commerce Site with Shopping Cart and Checkout (Redirect), Payment Processor, Consumer Bank)

SAQ A-EP Applicability
SAQ A-EP has been developed to address requirements applicable to e-commerce merchants with a website(s) that does not itself receive cardholder data but which does affect the security of the payment transaction and/or the integrity of the page that accepts the consumer's cardholder data.
SAQ A-EP merchants are e-commerce merchants who partially outsource their e-commerce payment channel to PCI DSS validated third parties and do not electronically store, process, or transmit any cardholder data on their systems or premises.

Leading Payment Gateways

SAQ A-EP Qualifications

Validating PCI DSS Compliance: Tenable can help you validate PCI DSS

Tenable Solutions
• Nessus Vulnerability Scanner (Nessus)
o Internal (CDE) vulnerability scanning solution
o Configuration and compliance auditing (credentialed)
o Monitor and maintain numerous technical PCI controls
• Nessus Perimeter Service (PS)
o ASV-certified external vulnerability scanning solution
o Multi-Scanner feature allows management of all internal and external PCI scans
• Passive Vulnerability Scanner (PVS)
o Identify/confirm data flows; maintain integrity of CDE
o Detect unintentional/unknown data flows
• SecurityCenter Continuous View (SC CV)
o Provides real-time compliance monitoring to maintain a compliant state
o Identifies problems with sustaining secure business processes
• Log Correlation Engine (LCE)
o Centralized event logging, analysis, and correlation
o File integrity monitoring capabilities

Have More Questions about PCI?
Tenable hosts a PCI Discussion Forum where anyone can ask questions related to all aspects of PCI.
If your question is a little too sensitive for a public forum, feel free to contact me directly.
Jeff Man
T: 443-545-2102 ext. 366
[email protected]
Straight Talk about PCI (Moderator): https://discussions.nessus.org/community/pci

Questions?
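A decision helper that encodes the SAQ qualification criteria and the ASV-scanning table from the deck, answering the two questions the introduction poses (which SAQ applies, and whether quarterly ASV scans are required). This is an added illustration, not Tenable's tooling or an official PCI SSC artifact; the Entity attributes and their vocabulary are constructed assumptions, and the full eligibility criteria in each SAQ document govern the real decision.

```python
from dataclasses import dataclass

# ASV scanning requirement per SAQ version, as tabulated in the deck.
ASV_SCAN_REQUIRED = {
    "A": False, "A-EP": True, "B": False, "B-IP": True, "C": True,
    "C-VT": False, "D-Merchant": True, "D-Service Provider": True,
    "P2PE-HW": False,
}

@dataclass
class Entity:  # constructed, hypothetical attribute set for one payment channel
    service_provider: bool = False
    stores_chd_electronically: bool = False
    channel: str = "other"  # ecommerce | face_to_face | internet_payment_app | virtual_terminal
    ecommerce_fully_outsourced: bool = False  # SAQ A: third party hosts site and payment
    ecommerce_redirect: bool = False          # SAQ A-EP: merchant site redirects to processor
    site_segmented: bool = False              # SAQ A-EP: site segmented from corporate network
    terminal_type: str = "none"               # imprint | dial_out | ip_connected
    p2pe_hw_listed: bool = False              # PCI-listed hardware P2PE solution

def select_saq(e: Entity) -> str:
    """Apply the deck's qualification criteria in precedence order."""
    if e.service_provider:
        return "D-Service Provider"  # service providers stop here, period
    if e.stores_chd_electronically:
        return "D-Merchant"          # every reduced-scope SAQ forbids electronic CHD storage
    if e.channel == "ecommerce":
        if e.ecommerce_fully_outsourced:
            return "A"
        if e.ecommerce_redirect and e.site_segmented:
            return "A-EP"
        return "D-Merchant"          # redirect without segmentation falls through to D
    if e.channel == "face_to_face":
        if e.p2pe_hw_listed:
            return "P2PE-HW"
        if e.terminal_type in ("imprint", "dial_out"):
            return "B"
        if e.terminal_type == "ip_connected":
            return "B-IP"
        return "D-Merchant"
    if e.channel == "internet_payment_app":
        return "C"
    if e.channel == "virtual_terminal":
        return "C-VT"
    return "D-Merchant"              # every other merchant

def validation_plan(e: Entity) -> tuple:
    """Return (SAQ version, whether quarterly ASV scans of the entire Internet presence are required)."""
    saq = select_saq(e)
    return saq, ASV_SCAN_REQUIRED[saq]
```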