Navigating the New SAQs
(Helping the 99% validate PCI compliance)
Agenda
• Introduction
• Presenter Background
• The New Self-Assessment Questionnaires
o New Categories
o Selection Criteria
o New Expectations
o New Requirements
• The Biggest Impact
o SAQ A-EP
o Implications
• Tenable Solutions
• Questions
Introduction
• 99% of merchants do not retain a QSA for PCI DSS compliance validation – they self-assess
• Self-Assessment Questionnaires are the ticket
• Any guidance is provided by vendors (easy, simple)
• Overview of new SAQ options
• Highlighting the changes
• How do you know which one to use?
• What other activities (like ASV scanning) are required?
Presenter
Jeffrey Man
PCI SME/Product Manager
(former QSA)
T: 443-545-2102 ext. 366
jman@tenable.com
Straight Talk about PCI (Moderator):
https://discussions.nessus.org/community/pci
Background
30+ years experience in Information Security
o 13 years with the Department of Defense
• Certified Cryptanalyst
• Designed Cryptosystems and Cryptologic Aids
• Founding Member of Systems & Network Attack Center
o 17 years in commercial Professional Services
• Penetration Testing
• Vulnerability Assessments
• Security Architecture
o 10 years as a QSA
• Lead Assessor/Assessment Team Member
• Trusted Advisor
Self-Assessment Questionnaires
PCI DSS Version 3
The New PCI DSS V3 SAQ Options
SAQ Version: Qualification Criteria
SAQ A: Merchants that entirely outsource their e-commerce websites (including the payment processing) and retain only paper copies of cardholder data from mail/telephone orders; no electronic storage of cardholder data
SAQ A-EP (NEW): Merchants with e-commerce websites that redirect the payment processing to a third party, where the website is segmented from the rest of the corporate network; no electronic storage of cardholder data
SAQ B: Face-to-face merchants with only imprint machines (knuckle busters) or standalone, dial-out payment terminals; no electronic storage of cardholder data
SAQ B-IP (NEW): Face-to-face merchants with only standalone payment terminals IP-connected to the payment processor; no electronic storage of cardholder data
The New SAQ Options - continued
SAQ Version: Qualification Criteria
SAQ C: Merchants with payment application systems connected to the Internet; no electronic storage of cardholder data
SAQ C-VT: Merchants with web-based virtual payment terminals (not e-commerce, though); no electronic storage of cardholder data
SAQ D-Merchant (NEW): Every other merchant (if you don't fit in one of the previous categories, this is what you fill out)
SAQ D-Service Provider (NEW): Service providers stop here. Period. This is the one you fill out. (Don't bother filling out another version.)
SAQ P2PE-HW: Hardware payment terminals using a PCI-approved P2PE solution only (did I mention it needs to be a hardware solution?); no electronic storage of cardholder data
Expected Testing (more than a checkbox)
Which SAQs Require ASV Scanning
SAQ Version ASV Scanning Required
SAQ-A: Card-not present; all cardholder functions outsourced NO
SAQ-A-EP: Partially outsourced e-commerce; payment processing by third party YES
SAQ-B: Imprint or Stand-alone or dial-out terminals NO
SAQ-B-IP: Stand-alone, IP-connected PTS POI terminals YES
SAQ-C: Payment application systems connected to the Internet YES
SAQ-C-VT: Web-based virtual payment terminals NO
SAQ-D (Merchant/Service Provider): YES
SAQ-P2PE-HW: HW-based PCI-listed P2PE solution NO
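The two tables above (qualification criteria and ASV-scanning requirement) written as one decision routine, as an added example that is not part of the slides or of any Tenable tool. It assumes a simplified model: a merchant is described by the set of card-acceptance methods it uses plus two overriding facts (service provider, electronic storage of cardholder data), and the "only ..." wording is read to mean that a merchant mixing methods from different categories falls through to SAQ D-Merchant; that reading is my assumption, not something the slides state.

```python
"""Encode the SAQ selection criteria and the ASV-scanning table as a decision routine.

Assumed, simplified model (not from the PCI SSC or the slides): a merchant is the set of
card-acceptance methods it uses, plus two overriding facts.  Any merchant whose methods
do not ALL fit a single SAQ's "only ..." criterion falls through to SAQ D-Merchant.
"""
from dataclasses import dataclass
from enum import Enum, auto


class Method(Enum):
    """Card-acceptance methods named in the SAQ qualification criteria."""
    ECOM_FULLY_OUTSOURCED = auto()      # website and payment processing both outsourced
    MOTO_PAPER_ONLY = auto()            # mail/telephone orders, paper records only
    ECOM_REDIRECT_SEGMENTED = auto()    # own site redirects to a third party; site is segmented
    ECOM_REDIRECT_UNSEGMENTED = auto()  # same redirect, but site not segmented from corp network
    IMPRINT = auto()                    # imprint machine ("knuckle buster")
    DIAL_OUT_TERMINAL = auto()          # standalone dial-out payment terminal
    IP_TERMINAL = auto()                # standalone IP-connected PTS POI terminal
    PAYMENT_APP_INTERNET = auto()       # payment application system connected to the Internet
    VIRTUAL_TERMINAL = auto()           # web-based virtual payment terminal (not e-commerce)
    P2PE_HW_TERMINAL = auto()           # hardware terminal in a PCI-listed P2PE solution


@dataclass(frozen=True)
class Merchant:
    methods: frozenset
    stores_chd_electronically: bool = False
    is_service_provider: bool = False


@dataclass(frozen=True)
class Determination:
    saq: str
    asv_scan_required: bool
    reason: str


# (SAQ, methods a merchant may use and still qualify, quarterly ASV scanning required)
# Order matters: the first SAQ whose method set covers ALL of the merchant's methods
# wins.  The subset test is how the "only ..." wording of the criteria is enforced.
_SAQ_TABLE = (
    ("SAQ A", {Method.ECOM_FULLY_OUTSOURCED, Method.MOTO_PAPER_ONLY}, False),
    ("SAQ A-EP", {Method.ECOM_REDIRECT_SEGMENTED}, True),
    ("SAQ B", {Method.IMPRINT, Method.DIAL_OUT_TERMINAL}, False),
    ("SAQ B-IP", {Method.IP_TERMINAL}, True),
    ("SAQ C", {Method.PAYMENT_APP_INTERNET}, True),
    ("SAQ C-VT", {Method.VIRTUAL_TERMINAL}, False),
    ("SAQ P2PE-HW", {Method.P2PE_HW_TERMINAL}, False),
)


def select_saq(m: Merchant) -> Determination:
    """Return the SAQ a merchant or service provider should complete, and whether
    the ASV-scanning column says external scans are required for it."""
    # Overrides come first: service providers and anyone storing cardholder data
    # electronically never qualify for one of the reduced questionnaires.
    if m.is_service_provider:
        return Determination("SAQ D-Service Provider", True,
                             "service providers always complete SAQ D-Service Provider")
    if m.stores_chd_electronically:
        return Determination("SAQ D-Merchant", True,
                             "electronic storage of cardholder data rules out every other SAQ")
    if not m.methods:
        raise ValueError("a merchant must accept cards through at least one method")
    for saq, allowed, asv in _SAQ_TABLE:
        if m.methods <= allowed:
            return Determination(saq, asv, f"all acceptance methods fit the {saq} criteria")
    # Mixed channels, or a method no reduced SAQ covers (e.g. an unsegmented redirect site).
    return Determination("SAQ D-Merchant", True,
                         "acceptance methods do not all fit a single reduced SAQ")


if __name__ == "__main__":
    # Constructed sample merchants, including the A-EP case the slides call the biggest impact.
    samples = {
        "segmented web shop that redirects to a gateway":
            Merchant(frozenset({Method.ECOM_REDIRECT_SEGMENTED})),
        "same web shop, but not segmented from the corporate network":
            Merchant(frozenset({Method.ECOM_REDIRECT_UNSEGMENTED})),
        "web shop plus dial-out terminals in the store":
            Merchant(frozenset({Method.ECOM_REDIRECT_SEGMENTED, Method.DIAL_OUT_TERMINAL})),
        "P2PE hardware terminals but a database of card numbers":
            Merchant(frozenset({Method.P2PE_HW_TERMINAL}), stores_chd_electronically=True),
    }
    for label, merchant in samples.items():
        d = select_saq(merchant)
        print(f"{label}: {d.saq}; ASV scans required: {d.asv_scan_required} ({d.reason})")
```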
Validate Compliance with an ASV
• External vulnerability scanning
o Must be performed by an ASV
o Quarterly scan reports that show “PASS”
o Entire Internet presence – not just the e-commerce app or payment/checkout page
• Provide an attestation signed by an officer of the company
New SAQ Categories
Highlighting the SAQs with the biggest impact
The New SAQ D – Service Providers
Biggest Impact
Merchants that have been completing SAQ A because they redirect the payment processing from their e-commerce site to a PCI compliant third party are now going to have to determine which of the new SAQs applies to them.
The goal is to bring PCI DSS requirements to the e-commerce site that controls the redirection of the consumer to the payment processor.
E-commerce w/Payment Processor (diagram): Consumer → E-commerce site → Shopping cart checkout (redirect) → Payment processor → Consumer bank
SAQ A-EP Applicability
SAQ A-EP has been developed to address requirements applicable to e-commerce merchants with a website(s) that does not itself receive cardholder data but which does affect the security of the payment transaction and/or the integrity of the page that accepts the consumer’s cardholder data.
SAQ A-EP merchants are e-commerce merchants who partially outsource their e-commerce payment channel to PCI DSS validated third parties and do not electronically store, process, or transmit any cardholder data on their systems or premises.
Leading Payment Gateways
SAQ A-EP Qualifications
Validating PCI DSS Compliance
Tenable can help you validate PCI DSS
Tenable Solutions
• Nessus Vulnerability Scanner (Nessus)
o Internal (CDE) vulnerability scanning solution
o Configuration and compliance auditing (Credentialed)
o Monitor and maintain numerous technical PCI controls
• Nessus Perimeter Service (PS)
o ASV-certified External vulnerability scanning solution
o Multi-Scanner feature allows management of all internal and external PCI scans
• Passive Vulnerability Scanner (PVS)
o Identify/confirm data flows; maintain integrity of CDE
o Detect unintentional/unknown data flows
• SecurityCenter Continuous View (SC CV)
o Provides real-time compliance monitoring to maintain a compliant state.
o Identifies problems with sustaining secure business processes
• Log Correlation Engine (LCE)
o Centralized event logging, analysis, and correlation
o File integrity monitoring capabilities
Have More Questions about PCI?
Tenable hosts a PCI Discussion Forum where anyone can ask
questions related to all aspects of PCI. If your question is a little
too sensitive for a public forum, feel free to contact me directly.
Jeff Man
T: 443-545-2102 ext. 366
jman@tenable.com
Straight Talk about PCI (Moderator):
https://discussions.nessus.org/community/pci
Questions?
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity Webinar
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptx
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 

Navigating the PCI Self-Assessment Questionnaire (slide transcript)

  • 7. The New PCI DSS V3 SAQ Options (SAQ Version / Qualification Criteria)
    SAQ A: Merchants that entirely outsource their e-commerce websites (including the payment processing) and retain only paper copies of cardholder data from mail/telephone orders; no electronic storage of cardholder data.
    SAQ A-EP (NEW): Merchants with e-commerce websites that redirect the payment processing to a third party, where the website is segmented from the rest of the corporate network; no electronic storage of cardholder data.
    SAQ B: Face-to-face merchants with only imprint machines (knuckle busters) or standalone, dial-out payment terminals; no electronic storage of cardholder data.
    SAQ B-IP (NEW): Face-to-face merchants with only standalone payment terminals IP-connected to the payment processor; no electronic storage of cardholder data.
  • 8. The New SAQ Options - continued (SAQ Version / Qualification Criteria)
    SAQ C: Merchants with payment application systems connected to the Internet; no electronic storage of cardholder data.
    SAQ C-VT: Merchants with web-based virtual payment terminals (not e-commerce, though); no electronic storage of cardholder data.
    SAQ D-Merchant (NEW): Every other merchant (if you don't fit in one of the previous categories, this is what you fill out).
    SAQ D-Service Provider (NEW): Service providers stop here. Period. This is the one you fill out (don't bother filling out another version).
    SAQ P2PE-HW: Hardware payment terminals using a PCI-approved P2PE solution only (did I mention it needs to be a hardware solution?); no electronic storage of cardholder data.
  • 9. Expected Testing (more than a checkbox)
  • 10. Which SAQs Require ASV Scanning (SAQ Version / ASV Scanning Required)
    SAQ A (card-not-present; all cardholder data functions outsourced): NO
    SAQ A-EP (partially outsourced e-commerce; payment processing by third party): YES
    SAQ B (imprint, or standalone dial-out terminals): NO
    SAQ B-IP (standalone, IP-connected PTS POI terminals): YES
    SAQ C (payment application systems connected to the Internet): YES
    SAQ C-VT (web-based virtual payment terminals): NO
    SAQ D (Merchant / Service Provider): YES
    SAQ P2PE-HW (hardware-based, PCI-listed P2PE solution): NO
  • 11. Validate Compliance with an ASV
    • External vulnerability scanning
      o Must be performed by an ASV (Approved Scanning Vendor)
      o Quarterly scan reports that show “PASS”
      o Covers the entire Internet presence, not just the e-commerce app or payment/checkout page
    • Provide an attestation signed by an officer of the company
  • 12. New SAQ Categories Highlighting the SAQs with the biggest impact
  • 13. The New SAQ D – Service Providers
  • 14. Biggest Impact Merchants that have been completing SAQ A because they redirect payment processing from their e-commerce site to a PCI DSS compliant third party now have to determine which of the new SAQs applies to them. The goal is to bring PCI DSS requirements to the e-commerce site that controls the redirection of the consumer to the payment processor.
  • 15. E-commerce w/Payment Processor (flow diagram): CONSUMER -> E-COMMERCE SITE (SHOPPING CART, CHECKOUT) -> (REDIRECT) -> PAYMENT PROCESSOR -> CONSUMER BANK
  • 16. SAQ A-EP Applicability SAQ A-EP has been developed to address requirements applicable to e-commerce merchants with one or more websites that do not themselves receive cardholder data but which do affect the security of the payment transaction and/or the integrity of the page that accepts the consumer’s cardholder data. SAQ A-EP merchants are e-commerce merchants who partially outsource their e-commerce payment channel to PCI DSS validated third parties and do not electronically store, process, or transmit any cardholder data on their systems or premises.
  • 19. Validating PCI DSS Compliance Tenable can help you validate PCI DSS
  • 20. Tenable Solutions
    • Nessus Vulnerability Scanner (Nessus)
      o Internal (CDE) vulnerability scanning solution
      o Configuration and compliance auditing (credentialed)
      o Monitor and maintain numerous technical PCI controls
    • Nessus Perimeter Service (PS)
      o ASV-certified external vulnerability scanning solution
      o Multi-Scanner feature allows management of all internal and external PCI scans
    • Passive Vulnerability Scanner (PVS)
      o Identify/confirm data flows; maintain integrity of the CDE
      o Detect unintentional/unknown data flows
    • SecurityCenter Continuous View (SC CV)
      o Provides real-time compliance monitoring to maintain a compliant state
      o Identifies problems with sustaining secure business processes
    • Log Correlation Engine (LCE)
      o Centralized event logging, analysis, and correlation
      o File integrity monitoring capabilities
  • 21. Have More Questions about PCI? Tenable hosts a PCI Discussion Forum where anyone can ask questions related to all aspects of PCI. If your question is a little too sensitive for a public forum, feel free to contact me directly. Jeff Man T: 443-545-2102 ext. 366 jman@tenable.com Straight Talk about PCI (Moderator): https://discussions.nessus.org/community/pci

Speaker notes

  1. Intro/Background
     Learning to speak “PCI”
     The Compliance Process
     Classification (Who are you?)
     Data Flows/Process Flows/Data Discovery (What [data] are you trying to protect?)
     Scoping the Environment (Where is the data?)
     Validation of controls (where the rubber hits the road)
     Tenable – how we can help throughout the process
     Questions?
  2. “It’s Complicated!”
     Many vendors who claim “PCI made simple” are not making you compliant; they are shifting responsibility for compliance away from you or claiming to assume responsibility.
     There are NO “silver bullet” single solutions that satisfy all facets of the PCI DSS.
     Technology is not the solution – it’s the problem.
  3. 13 years with the Department of Defense
     Cryptanalyst
       “In 1991, while on a trip to the CIA, a group of NSA cryptanalysis “interns” diligently scribbled all the letters from the sculpture onto sheets of paper and brought them back to the NSA so curious analysts there could take a crack at it. In December 1991 a group of NSA analysts met in a conference room at the NSA to discuss the sculpture and what methods of decryption they might apply, including classified methods used internally by the NSA.” – “Documents Reveal How the NSA Cracked the Kryptos Sculpture Years Before the CIA”, Wired, July 2013
     Project Manager
       Fielded the first software-based encryption system ever produced by NSA
       Designed, produced, and provided a cryptographic aid that has been used by U.S. Special Forces and Foreign Service for over 20 years
     Information Security Analyst
       Developed penetration testing and vulnerability assessment methodologies for review of DoD classified systems and networks
       At the request of the Attorney General, and with the cooperation of the National Institute of Standards & Technology (NIST), began to develop a program for conducting vulnerability assessments of unclassified systems and networks in the DoD and civilian government agencies
       Participated in a program to train other Gov’t agencies in penetration testing, ethical hacking, and vulnerability assessment techniques
     17 years in commercial professional services
       Penetration Testing/Vulnerability Assessments
       Project Manager
       Practice Director/Lead
     10 years as a QSA
       Assessor
       Trusted Advisor
       Remediation of breached merchants and service providers
  4. The instructions provided in the “Expected Testing” column are based on the testing procedures in the PCI DSS, and provide a high-level description of the types of testing activities that should be performed in order to verify that a requirement has been met. Full details of testing procedures for each requirement can be found in the PCI DSS.
  5. Validate Compliance with the PCI DSS
     Twelve major requirements cover ALL systems in your cardholder data environment
     External Vulnerability Scanning
       One common requirement no matter the size/type of company
       Must be performed by an ASV
       Quarterly scan reports that show “PASS”
       Entire Internet presence – not just the e-commerce app or payment/checkout page
  6. PVS – what you know and what you DON’T KNOW
     Add summary discussion here:
       Adhering to PCI compliance requirements is complicated
       Properly scoping your cardholder data environment is the first step – and where most companies miss the mark
       Technology tools are a great help – but not a solution
       Understanding PCI DSS and interpreting the requirements for your environment are key
       We can help!