Two added Requirements for SAQ B-IP and C-VT

6 February 2017

With Revision 1.1 of PCI DSS 3.2 (mandatory from 1 October 2017), requirements have been added for merchants with the following payment channels:
1) Merchants with Web-Based Virtual Payment Terminals – No Electronic Cardholder Data Storage (SAQ C-VT)
2) Merchants with Standalone, IP-Connected PTS Point-of-Interaction (POI) Terminals – No Electronic Cardholder Data (SAQ B-IP)
The two added requirements are 8.3.1 (multi-factor authentication) and 11.3.4 (penetration testing of segmentation methods). They are now part of SAQs B-IP and C-VT. Requirement 8.3.1 is treated as a best practice until 31 January 2018; after that it is mandatory.
In the original text:
Added Requirement 8.3.1
Is multi-factor authentication incorporated for all nonconsole access into the CDE for personnel with administrative access? Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement.
In the original text:
Added Requirement 11.3.4
If segmentation is used to isolate the CDE (Cardholder Data Environment) from other networks:
(a) Are penetration-testing procedures defined to test all segmentation methods, to confirm they are operational and effective, and isolate all out-of-scope systems from systems in the CDE?
(b) Does penetration testing to verify segmentation controls meet the following?
• Performed at least annually and after any change to segmentation controls/methods
• Covers all segmentation controls/methods in use
• Verifies that segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.
• Examine results from the most recent penetration test
(c) Are tests performed by a qualified internal resource or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)?
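What a segmentation test in the sense of 11.3.4 actually checks is that no system on an out-of-scope network can reach a system in the CDE. The following script is an added illustration of that check, not text from the SAQ and not a usd tool: run from a host on an out-of-scope segment, it attempts a TCP connection to every CDE host and port and treats any completed handshake as a segmentation failure. The CDE addresses (RFC 5737 documentation range) and ports are constructed placeholders and must be replaced by the real CDE inventory; the `fake_probe_factory` helper only exists so the logic can be exercised offline.

```python
"""Minimal segmentation-test harness (added example, not from the SAQ or from usd).

Run from a host on an out-of-scope segment. Any CDE service that answers a TCP
handshake from here means the segmentation control is not effective and the
out-of-scope system is in fact in scope. The targets below are constructed.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Iterable, List


@dataclass(frozen=True)
class ProbeResult:
    target: str
    port: int
    reachable: bool


def tcp_probe(target: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to target:port completes within timeout."""
    try:
        with socket.create_connection((target, port), timeout=timeout):
            return True
    except OSError:
        # refused, filtered (timeout) or unreachable: all count as "not reachable"
        return False


def run_segmentation_test(
    cde_targets: Iterable[str],
    ports: Iterable[int],
    probe: Callable[[str, int], bool] = tcp_probe,
) -> List[ProbeResult]:
    """Probe every CDE target on every port from the current (out-of-scope) host."""
    ports = list(ports)
    return [ProbeResult(t, p, probe(t, p)) for t in cde_targets for p in ports]


def evaluate(results: Iterable[ProbeResult]) -> dict:
    """The test passes only if nothing in the CDE was reachable from this segment."""
    violations = [r for r in results if r.reachable]
    return {"passed": not violations, "violations": violations}


# Constructed placeholders: CDE hosts (RFC 5737 documentation addresses) and the
# management/payment ports a POS or terminal network typically exposes.
CDE_TARGETS = ["192.0.2.10", "192.0.2.11"]
CDE_PORTS = [22, 443, 3389, 8443]


def fake_probe_factory(open_services: set) -> Callable[[str, int], bool]:
    """Offline stand-in for tcp_probe: open_services is a set of (host, port)
    pairs that should be reported as reachable. For demonstration only."""
    def probe(target: str, port: int) -> bool:
        return (target, port) in open_services
    return probe


if __name__ == "__main__":
    results = run_segmentation_test(CDE_TARGETS, CDE_PORTS)
    verdict = evaluate(results)
    for v in verdict["violations"]:
        print(f"VIOLATION: {v.target}:{v.port} reachable from out-of-scope segment")
    print("segmentation test", "PASSED" if verdict["passed"] else "FAILED")
```

A TCP connect scan is the minimum; a test that satisfies 11.3.4 (b) has to be run from every out-of-scope segment, cover every segmentation control in use (including UDP and ICMP paths, and the full port range where the firewall policy is "deny by default"), and be repeated after any change to the segmentation controls. The script records only reachable/not reachable, which is exactly the evidence a QSA or internal reviewer will ask for under (b) "examine results from the most recent penetration test".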
Any questions? Talk to us. We'll be happy to help you. +49 6102 8631-90. E-mail: pci@usd.de.
