Within Revision 1.1 of the PCI DSS 3.2 (obligatory 01st October 2017) some requirements have been added for Merchants with the following payment processes:
1) Merchants with Web-Based Virtual Payment Terminals – No Electronic Cardholder Data Storage (SAQ C-VT)
2) Merchants with Standalone, IP-Connected PTS Point-of-Interaction (POI) Terminals – No Electronic Cardholder Data (SAQ B-IP)
The two added requirements are 8.3.1 multi-factor authentication and 11.3.4 test of segmentation methods. There are now part of the SAQs B-IP and C-VT. Requirement 8.3.1 is handled as Best Practice till January the 31th, after that it is going to be obligatory.
In the original text:
Added Requirement 8.3.1
Is multi-factor authentication incorporated for all nonconsole access into the CDE for personnel with administrative access? Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement.
In the original text:
Added Requirement 11.3.4
If segmentation is used to isolate the CDE (Cardholder Data Environment) from other networks:
(a) Are penetration-testing procedures defined to test all segmentation methods, to confirm they are operational and effective, and isolate all out-of-scope systems from systems in the CDE?
(b) Does penetration testing to verify segmentation controls meet the following?
• Performed at least annually and after any change to segmentation controls/methods
• Covers all segmentation controls/methods in use
• Verifies that segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.
• Examine results from the most recent penetration test
(c) Are tests performed by a qualified internal resource or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)?
Any questions? Talk to us. We‘ll be happy to help you. +49 6102 8631-90. E-mail: pci@usd.de.
Regulations as a Booster for Transformation: usd on Stage at ISF World Congress 2024 in Orlando
The ISF World Congress is one of the leading events for information security and risk management. With this annual event, the ISF offers its members an opportunity to share solutions, best practices and advice with leading industry experts from around the world. This...