Presentation is loading. Please wait.

Presentation is loading. Please wait.

Navigating the New SAQs (Helping the 99% validate PCI compliance)

Published byTamia Caples Modified over 9 years ago

Similar presentations

Presentation on theme: "Navigating the New SAQs (Helping the 99% validate PCI compliance)"— Presentation transcript:

1 Navigating the New SAQs (Helping the 99% validate PCI compliance)

2 Agenda Introduction Presenter Background The New Self-Assessment Questionnaires o New Categories o Selection Criteria o New Expectations o New Requirements The Biggest Impact o SAQ-EP o Implications Tenable Solutions Questions

3 Introduction 99% of merchants do not retain a QSA for PCI DSS compliance validation – they self assess Self-Assessment Questionnaires are the ticket Any guidance is provided by vendors (easy, simple) Overview of new SAQ options Highlighting the Changes How do you know which one to use? What other activities (like ASV scanning) are required?

4 Presenter Jeffrey Man PCI SME/Product Manager (former QSA) T: 443-545-2102 ext. 366 jman@tenable.com Straight Talk about PCI (Moderator): https://discussions.nessus.org/community/pci

5 Background 30+ years experience in Information Security o 13 years with the Department of Defense Certified Cryptanalyst Designed Cryptosystems and Cryptologic Aids Founding Member of Systems & Network Attack Center o 17 years in commercial Professional Services Penetration Testing Vulnerability Assessments Security Architecture o 10 years as a QSA Lead Assessor/Assessment Team Member Trusted Advisor

6 Self-Assessment Questionnaires PCI DSS Version 3

7 The New PCI DSS V3 SAQ Options SAQ VersionQualification Criteria SAQ A Merchants that entirely outsource their e-commerce websites (including the payment processing) and only paper copy of cardholder data is retained from mail/telephone orders; no electronic storage of cardholder data SAQ A-EP (NEW) Merchants with e-commerce websites that redirect the payment processing to a third party and the website is segmented from the rest of the corporate network; no electronic storage of cardholder data SAQ B Face-to-face merchants with only imprint machines (knuckle busters) or standalone, dial-out payment terminals; no electronic storage of cardholder data SAQ B-IP (NEW) Face-to-face merchants with only standalone payment terminals IP- connected to the payment processor; no electronic storage of cardholder data

8 The New SAQ Options - continued SAQ VersionQualification Criteria SAQ C Merchants with payment application systems connected to the Internet; no electronic storage of cardholder data SAQ C-VT Merchants with Web-based virtual payment terminals (not eCommerce though); no electronic storage of cardholder data SAQ D-Merchant (NEW) Every other merchant (if you don't fit in one of the previous categories - this is what you fill out) SAQ D-Service Provider (NEW) Service Providers stop here. Period. This is the one you fill out. (Don't bother filling out another version SAQ-P2PE-HW Hardware payment terminals using a PCI-approved P2PE solution Only (did I mention it needs to be a hardware solution) ; no electronic storage of cardholder data

9 Expected Testing (more than a checkbox)

10 Which SAQs Require ASV Scanning SAQ VersionASV Scanning Required SAQ-A: Card-not present; all cardholder functions outsourcedNO SAQ-A-EP: Partially outsourced e-commerce; payment processing by third party YES SAQ-B: Imprint or Stand-alone or dial-out terminalsNO SAQ-B-IP: Stand-alone, IP-connected PTS POI terminalsYES SAQ-C: Payment application systems connected to the InternetYES SAQ-C-VT: Web-based virtual payment terminalsNO SAQ-D (Merchant/Service Provider):YES SAQ-P2PE-HW: HW-based PCI-listed P2PE solutionNO

11 Validate Compliance with an ASV External Vulnerability Scanning o Must be performed by ASV o Quarterly Scan Reports that show “PASS” o Entire Internet presence – not just the ecommerce app or payment/checkout page Provide Attestation signed by an Officer of the company

12 New SAQ Categories Highlighting the SAQs with the biggest impact

13 The New SAQ D – Service Providers

14 Biggest Impact Merchants that have been completing SAQ A because they redirect the payment processing from their e-commerce site to a PCI compliant third party are now going to have to determine which of the new SAQs applies to them. The goal is to bring PCI DSS requirements to the e-commerce site that controls the redirection of the consumer to the payment processor.

15 E-commerce w/Payment Processor CONSUMER E-COMMERCE SITE SHOPPING CART CHECKOUT (REDIRECT) PAYMENT PROCESSOR CONSUMER BANK

16 SAQ A-EP Applicability SAQ A-EP has been developed to address requirements applicable to e-commerce merchants with a website(s) that does not itself receive cardholder data but which does affect the security of the payment transaction and/or the integrity of the page that accepts the consumer’s cardholder data. SAQ A-EP merchants are e-commerce merchants who partially outsource their e-commerce payment channel to PCI DSS validated third parties and do not electronically store, process, or transmit any cardholder data on their systems or premises

17 Leading Payment Gateways

18 SAQ A-EP Qualifications

19 Validating PCI DSS Compliance Tenable can help you validate PCI DSS

20 Tenable Solutions Nessus Vulnerability Scanner (Nessus) o Internal (CDE) vulnerability scanning solution o Configuration and compliance auditing (Credentialed) o Monitor and maintain numerous technical PCI controls Nessus Perimeter Service (PS) o ASV-certified External vulnerability scanning solution o Multi-Scanner feature allows management of all internal and external PCI scans Passive Vulnerability Scanner (PVS) o Identify/confirm data flows; maintain integrity of CDE o Detect unintentional/unknown data flows SecurityCenter Continuous View (SC CV) o Provides real-time compliance monitoring to maintain a compliant state. o Identifies problems with sustaining secure business processes Log Correlation Engine (LCE) o Centralized event logging, analysis, and correlation o File integrity monitoring capabilities

21 Have More Questions about PCI? Tenable hosts a PCI Discussion Forum where anyone can ask questions related to all aspects of PCI. If your question is a little too sensitive for a public forum, feel free to contact me directly. Jeff Man T: 443-545-2102 ext. 366 jman@tenable.com Straight Talk about PCI (Moderator): https://discussions.nessus.org/community/pci

22 Questions?

Download ppt "Navigating the New SAQs (Helping the 99% validate PCI compliance)"

Similar presentations

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.
CONFIDENTIAL 1 Preparing for & Maintaining PCI Compliance.

CONFIDENTIAL 1 Preparing for & Maintaining PCI Compliance.
Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.

Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.
Evolving Challenges of PCI Compliance Charlie Wood, PCI QSA, CRISC, CISA Principal, The Bonadio Group January 10, 2014.

Evolving Challenges of PCI Compliance Charlie Wood, PCI QSA, CRISC, CISA Principal, The Bonadio Group January 10, 2014.
.. PCI Payment Card Industry Compliance October 2012 Presented By: Jason P. Rusch.

.. PCI Payment Card Industry Compliance October 2012 Presented By: Jason P. Rusch.
PCI DSS for Retail Industry

PCI DSS for Retail Industry
Payment Card Industry Data Security Standard Tom Davis and Chad Marcum Indiana University.

Payment Card Industry Data Security Standard Tom Davis and Chad Marcum Indiana University.
UCSB Credit Card Processing and PCI Compliance

UCSB Credit Card Processing and PCI Compliance
PCI Compliance: The Gateway to Paradise PCI Compliance: The Gateway to Paradise.

PCI Compliance: The Gateway to Paradise PCI Compliance: The Gateway to Paradise.
MARTAs Road to PCI Compliance 1 Presenter: Yolanda Curtis, PMP AFC Project Manager.

MARTAs Road to PCI Compliance 1 Presenter: Yolanda Curtis, PMP AFC Project Manager.
Complying With Payment Card Industry Data Security Standards (PCI DSS)

Complying With Payment Card Industry Data Security Standards (PCI DSS)
2014 PCI DSS Meeting OSU Business Affairs Process Improvement Team (PIT) Robin Whitlock & Dan Hough 10/28/2014.

2014 PCI DSS Meeting OSU Business Affairs Process Improvement Team (PIT) Robin Whitlock & Dan Hough 10/28/2014.
JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.

JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.
Property of CampusGuard Compliance With The PCI DSS.

Property of CampusGuard Compliance With The PCI DSS.
Credit Card Compliance Regulations Mandated by the Payment Card Industry Standards Council Accounting and Financial Services.

Credit Card Compliance Regulations Mandated by the Payment Card Industry Standards Council Accounting and Financial Services.
Payment Card PCI DSS Compliance SAQ-D Training Accounts Receivable Services, Controller’s Office 7/1/2012.

Payment Card PCI DSS Compliance SAQ-D Training Accounts Receivable Services, Controller’s Office 7/1/2012.
PCI DSS Version 3.0 For Controllers and Business Users Luke Harris, Office of State the Controller David Reavis, UNC General Administration November 10,

PCI DSS Version 3.0 For Controllers and Business Users Luke Harris, Office of State the Controller David Reavis, UNC General Administration November 10,
Presented by : Vivian Eberhardt, Supervisor Cash and Credit Operations

Presented by : Vivian Eberhardt, Supervisor Cash and Credit Operations
PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.

PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.
Data Security Standard. What Is PCI ? Who Does It Apply To ? Who Is Involved With the Compliance Process ? How We Can Stay Compliant ?

Data Security Standard. What Is PCI ? Who Does It Apply To ? Who Is Involved With the Compliance Process ? How We Can Stay Compliant ?

Similar presentations

Ads by Google