INFORMATION TECHNOLOGY FLASH REPORT
New PCI Self-Assessment Questionnaire – What Has Changed?
Updated as of July 22, 2014
On March 10, 2014, the Payment Card Industry Security Standards Council (PCI SSC) released
new PCI Self-Assessment Questionnaires (SAQs). These new SAQs are designed to align with
the PCI Data Security Standards, version 3.0 (PCI DSS 3.0), released last November. The PCI
DSS is the widely accepted set of policies and procedures used to optimize security of credit,
debit and cash card transactions and protect cardholders from misuse of their personal
information.
This release of new SAQs follows PCI SSC practice. Previous versions of the PCI DSS also
were accompanied by a set of SAQs to assist companies in satisfying the PCI DSS
requirements under the guidance of the payment brands (Visa, MasterCard, American Express,
Discover and JCB). The new SAQs reflect some important changes specific to version 3.0
compliance.
SAQs A, B, C, AND D – EXPANDED REQUIREMENTS
These four SAQs that existed under version 2.0 have migrated to 3.0 without major changes.
The difference is an expansion in the requirements for each updated SAQ, similar to the
expansion of PCI DSS version 3.0 over version 2.0.
In addition, the PCI SSC has created two new SAQs that did not exist previously, SAQ A-EP
and SAQ B-IP.
SAQ A-EP – Expanded Requirements for E-commerce Merchants
The most significant change from the earlier set of SAQs is the addition of SAQ A-EP. For
merchants who use some types of hosted payment pages, this SAQ introduces dramatic new
requirements.
“SAQ A-EP has been developed to address requirements applicable to e-commerce
merchants with a website(s) that does not itself receive cardholder data but which does
affect the security of the payment transaction and/or the integrity of the page that
accepts the consumer’s cardholder data.” 1
While e-commerce merchants who completely outsource their website(s) to a third-party service
provider can still complete the SAQ A for PCI DSS compliance, e-commerce merchants that
partially outsource their website(s) may now have to complete the new SAQ A-EP.
In May 2014, the PCI SSC released “Understanding SAQs for PCI DSS v3.” In this document,
the council distinguished between different technologies that can be used to create hosted
payment pages. Specifically, the use of iFrames does not require SAQ A-EP and can still use
SAQ A, while Direct Post and JavaScript-based technologies do require use of SAQ A-EP. The
council further describes the rationale for this distinction in FAQ 1292: Why is there a different
approach for Direct Post implementations than for iFrame and URL redirect – what are the
technical differences and how do they impact the security of e-commerce transactions?
1. www.pcisecuritystandards.org/documents/SAQ_A-EP_v3.docx
SAQ A-EP’s Impact on E-Commerce Merchants
Under PCI DSS 2.0, it was possible for online merchants to de-scope their Internet-facing web
systems from PCI DSS validation if they outsourced the online payment processing to a third
party. This followed the logic that the presence of cardholder data establishes the scope for PCI
obligations. However, PCI DSS 3.0 offers a new definition of system components going forward,
which brings Internet-facing e-commerce systems back into scope for compliance.
Under the new standard, web servers that use these hosted payment page technologies and
the systems connected to them fall in scope. Additionally, new rules for system isolation (rather
than segmentation) likely bring the rest of a company’s network into scope as well. The only
“out” for companies that lack the ability to ensure the security of web servers is to fully
outsource the web infrastructure to a third party.
SAQ A-EP expands SAQ A from 14 requirements in two sections (8 and 12) to 139
requirements covering all 12 sections. This will significantly impact the level of effort merchants
will have to go through to complete their assessment. Some of the major changes, and the ones
that may take the most amount of effort to implement, include the following:
• Firewalls restricting inbound/outbound traffic have to be in place, along with a
process for reviewing the rules on a semi-annual basis (Requirements 1.1.x, 1.2.x
and 1.3.x)
• System configuration standards have to be in place for all in-scope systems
(Requirement 2.2.x)
• Vulnerability management and patch management have to be in place for all in-scope
systems (Requirements 6.1 and 6.2)
• Change management and software development processes have to be in place for
all in-scope systems (Requirements 6.4.x and 6.5.x)
• System audit trails along with a central log server have to be in place for all in-scope
systems (Requirement 10.2.x)
• External vulnerability scans must be completed (a passing scan must be achieved)
quarterly by a PCI Approved Scanning Vendor (Requirement 11.2.2)
• Internal vulnerability scans must be completed (a passing scan must be achieved)
quarterly and after any significant changes in the cardholder data environment
(Requirement 11.2.3)
• An external penetration test must be completed at least annually (Requirement 11.3)
Additionally, merchants need to remember that any system that can influence the security of the
in-scope system is also in-scope. This will expand the scope of SAQ A-EP beyond just the web
server and to other systems that connect to or administer the web server.
SAQ B-IP – Good News for PTS Device Processing
Prior to PCI DSS 3.0, merchants who processed payment cards through a stand-alone PIN
Transaction Security (PTS) device were required to complete and submit the SAQ C for PCI
DSS validation. With PCI DSS 3.0, these merchants are now able to complete the new SAQ B-IP
and benefit from the reduction in requirements – 83, instead of 134. It is important to note
that this new SAQ only applies to stand-alone devices. PTS-validated devices that connect to
the POS system or to other computers most likely will still require use of SAQ C or SAQ D.
The reduction in requirements in SAQ B-IP helps align the requirements to the risks of the
technical environment. The greatest reductions are in the following major areas:
• Anti-virus (Requirement 5)
• System audit trails with a central log server (Requirement 10)
• Internal vulnerability scans (Requirement 11)
SUMMARY
Companies still working to gain compliance with PCI DSS 2.0 should realign their efforts to PCI
DSS 3.0 as soon as possible. For companies making use of third-party-hosted payment pages,
the realignment is even more urgent. Such companies must consider steps to enhance security
controls on their e-commerce web servers to align to PCI DSS 3.0 requirements as soon as
possible. The simplest approach would be to outsource the full e-commerce environment to a
PCI-validated hosting and management provider. If this approach doesn’t work, isolation of the
web infrastructure is the most likely approach. Without making these improvements, merchants
will find themselves non-compliant and without enough time to remediate.
ABOUT PROTIVITI
Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in
finance, technology, operations, governance, risk and internal audit, and has served more than
35 percent of FORTUNE 1000® and FORTUNE Global 500® companies. Protiviti and its
independently owned Member Firms serve clients through a network of more than 70 locations
in over 20 countries. The firm also works with smaller, growing companies, including those
looking to go public, as well as with government agencies.
Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half
is a member of the S&P 500 index.
Contacts
Rocco Grillo, Managing Director, +1.212.603.8381
Scott Laliberte, Managing Director, +1.267.256.8825
Mark Lippman, Managing Director, +1.571.382.7807
Ryan Rubin, Managing Director, +44.207.389.0436
Jeff Sanchez, Managing Director, +1.213.327.1433
Cal Slemp, Managing Director, +1.203.905.2926
Michael Walter, Managing Director, +1.404.926.4301
Jeff Weber, Managing Director, +1.412.402.1712
© 2014 Protiviti Inc. An Equal Opportunity Employer M/F/D/V.
Protiviti is not licensed or registered as a public accounting firm and
does not issue opinions on financial statements or offer attestation services.