This questionnaire was created for smaller merchants who are not required to comply through an on-site data security assessment with a Qualified Security Assessor
2. Agenda
• Introduction
• Presenter Background
• The New Self-Assessment Questionnaires
o New Categories
o Selection Criteria
o New Expectations
o New Requirements
• The Biggest Impact
o SAQ-EP
o Implications
• Tenable Solutions
• Questions
3. Introduction
• 99% of merchants do not retain a QSA for PCI DSS compliance validation – they self-assess
• Self-Assessment Questionnaires are the ticket
• Any guidance is provided by vendors (easy, simple)
• Overview of new SAQ options
• Highlighting the Changes
• How do you know which one to use?
• What other activities (like ASV scanning) are required?
4. Presenter
Jeffrey Man
PCI SME/Product Manager
(former QSA)
T: 443-545-2102 ext. 366
jman@tenable.com
Straight Talk about PCI (Moderator):
https://discussions.nessus.org/community/pci
5. Background
30+ years' experience in Information Security
o 13 years with the Department of Defense
• Certified Cryptanalyst
• Designed Cryptosystems and Cryptologic Aids
• Founding Member of Systems & Network Attack Center
o 17 years in commercial Professional Services
• Penetration Testing
• Vulnerability Assessments
• Security Architecture
o 10 years as a QSA
• Lead Assessor/Assessment Team Member
• Trusted Advisor
7. The New PCI DSS V3 SAQ Options
SAQ Version: Qualification Criteria
SAQ A: Merchants that entirely outsource their e-commerce websites (including the payment processing) and retain only paper copies of cardholder data from mail/telephone orders; no electronic storage of cardholder data
SAQ A-EP (NEW): Merchants with e-commerce websites that redirect the payment processing to a third party, where the website is segmented from the rest of the corporate network; no electronic storage of cardholder data
SAQ B: Face-to-face merchants with only imprint machines (knuckle busters) or standalone, dial-out payment terminals; no electronic storage of cardholder data
SAQ B-IP (NEW): Face-to-face merchants with only standalone payment terminals IP-connected to the payment processor; no electronic storage of cardholder data
8. The New SAQ Options - continued
SAQ Version: Qualification Criteria
SAQ C: Merchants with payment application systems connected to the Internet; no electronic storage of cardholder data
SAQ C-VT: Merchants with Web-based virtual payment terminals (not eCommerce though); no electronic storage of cardholder data
SAQ D-Merchant (NEW): Every other merchant (if you don't fit in one of the previous categories - this is what you fill out)
SAQ D-Service Provider (NEW): Service Providers stop here. Period. This is the one you fill out. (Don't bother filling out another version.)
SAQ-P2PE-HW: Hardware payment terminals using a PCI-approved P2PE solution only (did I mention it needs to be a hardware solution); no electronic storage of cardholder data
10. Which SAQs Require ASV Scanning
SAQ Version: ASV Scanning Required
SAQ-A (Card-not-present; all cardholder functions outsourced): NO
SAQ-A-EP (Partially outsourced e-commerce; payment processing by third party): YES
SAQ-B (Imprint or stand-alone, dial-out terminals): NO
SAQ-B-IP (Stand-alone, IP-connected PTS POI terminals): YES
SAQ-C (Payment application systems connected to the Internet): YES
SAQ-C-VT (Web-based virtual payment terminals): NO
SAQ-D (Merchant/Service Provider): YES
SAQ-P2PE-HW (HW-based PCI-listed P2PE solution): NO
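The two tables above (SAQ qualification criteria on slides 7 and 8, and the ASV-scanning column on slide 10) amount to a small decision procedure: service providers and anyone with electronic cardholder-data storage fall through to SAQ D, and only then does the payment channel pick a reduced-scope SAQ. The following Python is an added example, not code from the deck, from Tenable or from the PCI SSC. It encodes only the criteria shown on these slides, in the order the gates have to be applied; the channel labels and the `Entity` profile are constructed for the example, and the official SAQ instructions carry more eligibility conditions than this summary table does.

```python
from dataclasses import dataclass

# Payment-channel descriptors: constructed labels for this example, not PCI SSC terms.
ECOM_OUTSOURCED = "ecommerce_fully_outsourced"   # third party hosts payment page and processing
ECOM_REDIRECT = "ecommerce_redirect"             # merchant site redirects consumer to the processor
MOTO_PAPER = "mail_telephone_paper_only"         # mail/telephone orders, paper records only
IMPRINT = "imprint_machine"
DIAL_OUT_TERMINAL = "standalone_dial_out_terminal"
IP_TERMINAL = "standalone_ip_connected_terminal"
PAYMENT_APP_INTERNET = "payment_application_internet_connected"
WEB_VIRTUAL_TERMINAL = "web_based_virtual_terminal"
P2PE_HW_TERMINAL = "pci_listed_p2pe_hardware_terminal"

# SAQs whose row in the slide-10 table says quarterly ASV scanning is required.
ASV_REQUIRED = frozenset(
    {"SAQ A-EP", "SAQ B-IP", "SAQ C", "SAQ D-Merchant", "SAQ D-Service Provider"}
)


@dataclass(frozen=True)
class Entity:
    """Constructed profile of the merchant or service provider being classified."""
    is_service_provider: bool
    stores_chd_electronically: bool  # any electronic storage of cardholder data
    channel: str                     # one of the channel descriptors above
    site_segmented: bool = False     # only meaningful for ECOM_REDIRECT (SAQ A-EP)


def select_saq(e: Entity) -> str:
    """Pick the SAQ from the slide-7/8 criteria, applying the gates in order."""
    # Service providers stop at SAQ D-Service Provider regardless of channel.
    if e.is_service_provider:
        return "SAQ D-Service Provider"
    # Every reduced-scope SAQ in the deck says "no electronic storage of
    # cardholder data", so any electronic storage falls through to SAQ D.
    if e.stores_chd_electronically:
        return "SAQ D-Merchant"
    if e.channel in (ECOM_OUTSOURCED, MOTO_PAPER):
        return "SAQ A"
    if e.channel == ECOM_REDIRECT:
        # A-EP additionally requires the website to be segmented from the corporate network.
        return "SAQ A-EP" if e.site_segmented else "SAQ D-Merchant"
    by_channel = {
        IMPRINT: "SAQ B",
        DIAL_OUT_TERMINAL: "SAQ B",
        IP_TERMINAL: "SAQ B-IP",
        PAYMENT_APP_INTERNET: "SAQ C",
        WEB_VIRTUAL_TERMINAL: "SAQ C-VT",
        P2PE_HW_TERMINAL: "SAQ P2PE-HW",
    }
    # "Every other merchant" fills out SAQ D-Merchant.
    return by_channel.get(e.channel, "SAQ D-Merchant")


def asv_scan_required(saq: str) -> bool:
    """True when the slide-10 table marks quarterly ASV scanning as required."""
    return saq in ASV_REQUIRED


def classify(e: Entity) -> tuple[str, bool]:
    """Return (applicable SAQ, whether ASV scanning is required)."""
    saq = select_saq(e)
    return saq, asv_scan_required(saq)


if __name__ == "__main__":
    # Constructed sample profiles; the redirecting e-commerce merchant without
    # segmentation is the slide-14 case that can no longer use SAQ A.
    samples = {
        "redirect, segmented": Entity(False, False, ECOM_REDIRECT, site_segmented=True),
        "redirect, flat network": Entity(False, False, ECOM_REDIRECT, site_segmented=False),
        "fully outsourced": Entity(False, False, ECOM_OUTSOURCED),
        "imprint but stores CHD": Entity(False, True, IMPRINT),
        "service provider": Entity(True, False, P2PE_HW_TERMINAL),
    }
    for name, entity in samples.items():
        saq, asv = classify(entity)
        print(f"{name:24s} -> {saq:24s} ASV scan required: {asv}")
```

The ordering is the point: checking the channel first would wrongly hand a merchant that stores cardholder data electronically a reduced-scope SAQ, and a redirecting e-commerce site on a flat corporate network lands in SAQ D rather than A-EP.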
11. Validate Compliance with an ASV
• External Vulnerability Scanning
o Must be performed by an ASV
o Quarterly scan reports that show “PASS”
o Entire Internet presence – not just the e-commerce app or payment/checkout page
• Provide an Attestation signed by an Officer of the company
14. Biggest Impact
Merchants that have been completing SAQ A because they redirect the payment processing from their e-commerce site to a PCI compliant third party are now going to have to determine which of the new SAQs applies to them.
The goal is to bring PCI DSS requirements to the e-commerce site that controls the redirection of the consumer to the payment processor.
16. SAQ A-EP Applicability
SAQ A-EP has been developed to address requirements applicable to e-commerce merchants with a website(s) that does not itself receive cardholder data but which does affect the security of the payment transaction and/or the integrity of the page that accepts the consumer’s cardholder data.
SAQ A-EP merchants are e-commerce merchants who partially outsource their e-commerce payment channel to PCI DSS validated third parties and do not electronically store, process, or transmit any cardholder data on their systems or premises.
20. Tenable Solutions
• Nessus Vulnerability Scanner (Nessus)
o Internal (CDE) vulnerability scanning solution
o Configuration and compliance auditing (Credentialed)
o Monitor and maintain numerous technical PCI controls
• Nessus Perimeter Service (PS)
o ASV-certified External vulnerability scanning solution
o Multi-Scanner feature allows management of all internal and external PCI scans
• Passive Vulnerability Scanner (PVS)
o Identify/confirm data flows; maintain integrity of CDE
o Detect unintentional/unknown data flows
• SecurityCenter Continuous View (SC CV)
o Provides real-time compliance monitoring to maintain a compliant state.
o Identifies problems with sustaining secure business processes
• Log Correlation Engine (LCE)
o Centralized event logging, analysis, and correlation
o File integrity monitoring capabilities
21. Have More Questions about PCI?
Tenable hosts a PCI Discussion Forum where anyone can ask
questions related to all aspects of PCI. If your question is a little
too sensitive for a public forum, feel free to contact me directly.
Jeff Man
T: 443-545-2102 ext. 366
jman@tenable.com
Straight Talk about PCI (Moderator):
https://discussions.nessus.org/community/pci
• Intro/Background
• Learning to speak “PCI”
• The Compliance Process
• Classification (Who are you?)
• Data Flows/Process Flows/Data Discovery (What [data] are you trying to protect?)
• Scoping the Environment (Where is the data?)
• Validation of controls (where the rubber hits the road)
• Tenable – how we can help throughout the process
• Questions?
“It’s Complicated!”
Many vendors who claim “PCI made simple” are not making you compliant; they are shifting responsibility for compliance away from you or claiming to assume responsibility. There are NO “silver bullet” single solutions that satisfy all facets of the PCI DSS. Technology is not the solution – it’s the problem.
13 years with the Department of Defense
o Cryptanalyst
“In 1991, while on a trip to the CIA, a group of NSA cryptanalysis “interns” diligently scribbled all the letters from the sculpture onto sheets of paper and brought them back to the NSA so curious analysts there could take a crack at it. In December 1991 a group of NSA analysts met in a conference room at the NSA to discuss the sculpture and what methods of decryption they might apply, including classified methods used internally by the NSA.” – “Documents Reveal How the NSA Cracked the Kryptos Sculpture Years Before the CIA”, Wired, July 2013
o Project Manager
• Fielded the first software-based encryption system ever produced by NSA
• Designed, produced, and provided a cryptographic aid that has been used by U.S. Special Forces and Foreign Service for over 20 years
o Information Security Analyst
• Developed penetration testing and vulnerability assessment methodologies for review of DoD Classified systems and networks
• At the request of the Attorney General, and with the cooperation of the National Institute of Standards & Technology (NIST), began to develop a program for conducting Vulnerability Assessments of Unclassified systems and networks in the DoD and Civilian government agencies
• Participated in a program to train other Gov’t agencies in penetration testing, ethical hacking, and vulnerability assessment techniques
17 years in commercial professional services
o Penetration Testing/Vulnerability Assessments
o Project Manager
o Practice Director/Lead
10 years as a QSA
o Assessor
o Trusted Advisor
o Remediation of breached merchants and service providers
The instructions provided in the “Expected Testing” column are based on the testing procedures in the PCI DSS, and provide a high-level description of the types of testing activities that should be performed in order to verify that a requirement has been met. Full details of testing procedures for each requirement can be found in the PCI DSS.
Validate Compliance with the PCI DSS
• Twelve major requirements cover ALL systems in your cardholder data environment
• External Vulnerability Scanning
o One common requirement no matter the size/type of company
o Must be performed by an ASV
o Quarterly scan reports that show “PASS”
o Entire Internet presence – not just the e-commerce app or payment/checkout page
PVS - what you know and what you DON’T KNOW
Add summary discussion here:
• Adhering to PCI compliance requirements is complicated
• Properly scoping your cardholder data environment is the first step – and where most companies miss the mark
• Technology tools are a great help – but not a solution
• Understanding PCI DSS and interpreting the requirements for your environment are key
• We can help!