View - Tenable Discussions Forum

Report
Navigating the New SAQs
(Helping the 99% validate PCI compliance)
Agenda
• Introduction
• Presenter Background
• The New Self-Assessment Questionnaires
o
o
o
o
New Categories
Selection Criteria
New Expectations
New Requirements
• The Biggest Impact
o
o
SAQ-EP
Implications
• Tenable Solutions
• Questions
Introduction
• 99% of merchants do not retain a QSA for PCI DSS
compliance validation – they self assess
• Self-Assessment Questionnaires are the ticket
• Any guidance is provided by vendors (easy, simple)
• Overview of new SAQ options
• Highlighting the Changes
• How do you know which one to use?
• What other activities (like ASV scanning) are
required?
Presenter
Jeffrey Man
PCI SME/Product Manager
(former QSA)
T: 443-545-2102 ext. 366
[email protected]
Straight Talk about PCI (Moderator):
https://discussions.nessus.org/community/pci
Background
30+ years experience in Information Security
o
13 years with the Department of Defense
• Certified Cryptanalyst
• Designed Cryptosystems and Cryptologic Aids
• Founding Member of Systems & Network Attack Center
o
17 years in commercial Professional Services
• Penetration Testing
• Vulnerability Assessments
• Security Architecture
o
10 years as a QSA
• Lead Assessor/Assessment Team Member
• Trusted Advisor
Self-Assessment Questionnaires
PCI DSS Version 3
The New PCI DSS V3 SAQ Options
SAQ Version
Qualification Criteria
SAQ A
Merchants that entirely outsource their e-commerce websites (including
the payment processing) and only paper copy of cardholder data is
retained from mail/telephone orders; no electronic storage of cardholder
data
SAQ A-EP (NEW)
Merchants with e-commerce websites that redirect the payment
processing to a third party and the website is segmented from the rest of
the corporate network; no electronic storage of cardholder data
SAQ B
SAQ B-IP (NEW)
Face-to-face merchants with only imprint machines (knuckle busters) or
standalone, dial-out payment terminals; no electronic storage of
cardholder data
Face-to-face merchants with only standalone payment terminals IPconnected to the payment processor; no electronic storage of cardholder
data
The New SAQ Options - continued
SAQ Version
Qualification Criteria
SAQ C
Merchants with payment application systems connected to the
Internet; no electronic storage of cardholder data
SAQ C-VT
Merchants with Web-based virtual payment terminals (not
eCommerce though); no electronic storage of cardholder data
SAQ D-Merchant
(NEW)
Every other merchant (if you don't fit in one of the previous categories
- this is what you fill out)
SAQ D-Service Provider
(NEW)
Service Providers stop here. Period. This is the one you fill out. (Don't
bother filling out another version
SAQ-P2PE-HW
Hardware payment terminals using a PCI-approved P2PE solution Only
(did I mention it needs to be a hardware solution) ; no electronic
storage of cardholder data
Expected Testing (more than a checkbox)
Which SAQs Require ASV Scanning
SAQ Version
ASV Scanning Required
SAQ-A: Card-not present; all cardholder functions outsourced
NO
SAQ-A-EP: Partially outsourced e-commerce; payment processing by
third party
YES
SAQ-B: Imprint or Stand-alone or dial-out terminals
NO
SAQ-B-IP: Stand-alone, IP-connected PTS POI terminals
YES
SAQ-C: Payment application systems connected to the Internet
YES
SAQ-C-VT: Web-based virtual payment terminals
NO
SAQ-D (Merchant/Service Provider):
YES
SAQ-P2PE-HW: HW-based PCI-listed P2PE solution
NO
Validate Compliance with an ASV
• External Vulnerability Scanning
Must be performed by ASV
o Quarterly Scan Reports that show “PASS”
o Entire Internet presence – not just the ecommerce
app or payment/checkout page
o
• Provide Attestation signed by an Officer of the
company
New SAQ Categories
Highlighting the SAQs with the biggest impact
The New SAQ D – Service Providers
Biggest Impact
Merchants that have been completing SAQ A
because they redirect the payment processing
from their e-commerce site to a PCI compliant
third party are now going to have to determine
which of the new SAQs applies to them.
The goal is to bring PCI DSS requirements to the
e-commerce site that controls the redirection of
the consumer to the payment processor.
E-commerce w/Payment Processor
SHOPPING CART
CHECKOUT (REDIRECT)
E-COMMERCE SITE
PAYMENT PROCESSOR
CONSUMER
CONSUMER BANK
SAQ A-EP Applicability
SAQ A-EP has been developed to address requirements
applicable to e-commerce merchants with a website(s)
that does not itself receive cardholder data but which
does affect the security of the payment transaction and/or
the integrity of the page that accepts the consumer’s
cardholder data.
SAQ A-EP merchants are e-commerce merchants who
partially outsource their e-commerce payment channel to
PCI DSS validated third parties and do not electronically
store, process, or transmit any cardholder data on their
systems or premises
Leading Payment Gateways
SAQ A-EP Qualifications
Validating PCI DSS Compliance
Tenable can help you validate PCI DSS
Tenable Solutions
• Nessus Vulnerability Scanner (Nessus)
o
o
o
Internal (CDE) vulnerability scanning solution
Configuration and compliance auditing (Credentialed)
Monitor and maintain numerous technical PCI controls
• Nessus Perimeter Service (PS)
o
o
ASV-certified External vulnerability scanning solution
Multi-Scanner feature allows management of all internal and external PCI scans
• Passive Vulnerability Scanner (PVS)
o
o
Identify/confirm data flows; maintain integrity of CDE
Detect unintentional/unknown data flows
• SecurityCenter Continuous View (SC CV)
o
o
Provides real-time compliance monitoring to maintain a compliant state.
Identifies problems with sustaining secure business processes
• Log Correlation Engine (LCE)
o
o
Centralized event logging, analysis, and correlation
File integrity monitoring capabilities
Have More Questions about PCI?
Tenable hosts a PCI Discussion Forum where anyone can ask
questions related to all aspects of PCI. If your question is a little
too sensitive for a public forum, feel free to contact me directly.
Jeff Man
T: 443-545-2102 ext. 366
[email protected]
Straight Talk about PCI (Moderator):
https://discussions.nessus.org/community/pci
Questions?

similar documents