
Navigating the New SAQs

(Helping the 99% validate PCI compliance). Navigating the New SAQs. Agenda. Introduction Presenter Background The New Self-Assessment Questionnaires New Categories Selection Criteria New Expectations New Requirements The Biggest Impact SAQ-EP Implications Tenable Solutions Questions.


Presentation Transcript


  1. (Helping the 99% validate PCI compliance) Navigating the New SAQs

  2. Agenda
     • Introduction
     • Presenter Background
     • The New Self-Assessment Questionnaires
     • New Categories
     • Selection Criteria
     • New Expectations
     • New Requirements
     • The Biggest Impact
     • SAQ-EP
     • Implications
     • Tenable Solutions
     • Questions

  3. Introduction
     • 99% of merchants do not retain a QSA for PCI DSS compliance validation – they self-assess
     • Self-Assessment Questionnaires are the ticket
     • Any guidance is provided by vendors (easy, simple)
     • Overview of new SAQ options
     • Highlighting the changes
     • How do you know which one to use?
     • What other activities (like ASV scanning) are required?

  4. Presenter
     Jeffrey Man, PCI SME/Product Manager (former QSA)
     T: 443-545-2102 ext. 366
     jman@tenable.com
     Straight Talk about PCI (Moderator): https://discussions.nessus.org/community/pci

  5. Background
     30+ years of experience in Information Security
     • 13 years with the Department of Defense
       • Certified Cryptanalyst
       • Designed cryptosystems and cryptologic aids
       • Founding member of the Systems & Network Attack Center
     • 17 years in commercial Professional Services
       • Penetration testing
       • Vulnerability assessments
       • Security architecture
     • 10 years as a QSA
       • Lead Assessor/Assessment Team Member
       • Trusted Advisor

  6. Self-Assessment Questionnaires PCI DSS Version 3

  7. The New PCI DSS V3 SAQ Options

  8. The New SAQ Options - continued

  9. Expected Testing (more than a checkbox)

  10. Which SAQs Require ASV Scanning

  11. Validate Compliance with an ASV
     • External vulnerability scanning
     • Must be performed by an ASV
     • Quarterly scan reports that show “PASS”
     • Entire Internet presence – not just the ecommerce app or payment/checkout page
     • Provide attestation signed by an Officer of the company

  12. New SAQ Categories Highlighting the SAQs with the biggest impact

  13. The New SAQ D – Service Providers

  14. Biggest Impact Merchants that have been completing SAQ A because they redirect the payment processing from their e-commerce site to a PCI compliant third party are now going to have to determine which of the new SAQs applies to them. The goal is to bring PCI DSS requirements to the e-commerce site that controls the redirection of the consumer to the payment processor.

  15. E-commerce w/Payment Processor
     [Diagram: Consumer → E-commerce site (shopping cart) → Checkout (redirect) → Payment processor → Consumer bank]

  16. SAQ A-EP Applicability
     SAQ A-EP has been developed to address requirements applicable to e-commerce merchants with a website (or websites) that does not itself receive cardholder data but which does affect the security of the payment transaction and/or the integrity of the page that accepts the consumer’s cardholder data. SAQ A-EP merchants are e-commerce merchants who partially outsource their e-commerce payment channel to PCI DSS validated third parties and do not electronically store, process, or transmit any cardholder data on their systems or premises.

  17. Leading Payment Gateways

  18. SAQ A-EP Qualifications

  19. Validating PCI DSS Compliance Tenable can help you validate PCI DSS

  20. Tenable Solutions
     • Nessus Vulnerability Scanner (Nessus)
       • Internal (CDE) vulnerability scanning solution
       • Configuration and compliance auditing (credentialed)
       • Monitor and maintain numerous technical PCI controls
     • Nessus Perimeter Service (PS)
       • ASV-certified external vulnerability scanning solution
       • Multi-Scanner feature allows management of all internal and external PCI scans
     • Passive Vulnerability Scanner (PVS)
       • Identify/confirm data flows; maintain integrity of the CDE
       • Detect unintentional/unknown data flows
     • SecurityCenter Continuous View (SC CV)
       • Provides real-time compliance monitoring to maintain a compliant state
       • Identifies problems with sustaining secure business processes
     • Log Correlation Engine (LCE)
       • Centralized event logging, analysis, and correlation
       • File integrity monitoring capabilities

  21. Have More Questions about PCI?
     Tenable hosts a PCI Discussion Forum where anyone can ask questions related to all aspects of PCI. If your question is a little too sensitive for a public forum, feel free to contact me directly.
     Jeff Man
     T: 443-545-2102 ext. 366
     jman@tenable.com
     Straight Talk about PCI (Moderator): https://discussions.nessus.org/community/pci

  22. Questions?
