
Two new PCI DSS requirements in SAQs B-IP and C-VT

With Revision 1.1 of the PCI DSS standard 3.2, which is mandatory from 1 October 2017, changes apply to merchants with the following payment processes:

1) Merchants with web-based virtual payment terminals, no electronic cardholder data storage (SAQ C-VT)

2) Merchants with standalone, IP-connected PTS point-of-interaction (POI) terminals, no electronic cardholder data storage (SAQ B-IP)

Two requirements have been newly added: 8.3.1 (multi-factor authentication) and 11.3.4 (testing of segmentation methods). They are now part of SAQs B-IP and C-VT. Requirement 8.3.1 is treated as a best practice until 31 January 2018; after that it becomes a mandatory requirement.

Below in the original wording:

Added Requirement 8.3.1

Is multi-factor authentication incorporated for all nonconsole access into the CDE for personnel with administrative access? Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement.

The added requirement 11.3.4 has an immediate effect. If the cardholder data environment, i.e. the payment terminal (SAQ B-IP) or the computer from which the virtual terminal is accessed (SAQ C-VT), is isolated from the rest of the infrastructure at the network level, these logical segmentation measures must be tested for effectiveness by a penetration test at least annually and after any changes.

Below in the original wording:

Added Requirement 11.3.4
If segmentation is used to isolate the CDE (Cardholder Data Environment) from other networks:

(a) Are penetration-testing procedures defined to test all segmentation methods, to confirm they are operational and effective, and isolate all out-of-scope systems from systems in the CDE?

(b) Does penetration testing to verify segmentation controls meet the following?
• Performed at least annually and after any change to segmentation controls/methods
• Covers all segmentation controls/methods in use
• Verifies that segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.
• Examine results from the most recent penetration test

(c) Are tests performed by a qualified internal resource or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)?

Do you have questions? Our colleagues will be happy to help you. Simply call +49 6102 8631-90 or e-mail pci@usd.de.
