Mit der ab dem 01.Oktober 2017 verpflichtenden Revision 1.1 des PCI DSS Standards 3.2, haben sich Änderungen für Händler mit folgenden Zahlungsprozessen ergeben:
1) Händler mit Web-Based Virtual Payment Terminals – Keine elektronische Kartendatenspeicherung (SAQ C-VT)
2) Händler mit Standalone, IP-Connected PTS Point-of-Interaction (POI) Terminals – Keine elektronische Kartendatenspeicherung (SAQ B-IP)
Neu hinzugeführt wurden die beiden Anforderungen 8.3.1 Multi-Faktor-Authentifizierung und 11.3.4 Prüfung der Segmentierungsmaßnahmen. Sie sind nun Bestandteil der SAQs B-IP und C-VT. Die Anforderung 8.3.1 wird bis zum 31. Januar 2018 als Best Practice gehandhabt. Danach wird sie eine verpflichtende Anforderung.
Nachfolgend im Original Wortlaut:
Added Requirement 8.3.1
Is multi-factor authentication incorporated for all nonconsole access into the CDE for personnel with administrative access? Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement.
Eine sofortige Auswirkung stellt die hinzugekommene Anforderung 11.3.4 dar. Ist die Kreditkartendatenumgebung, d.h. das Bezahlterminal (SAQ B-IP) oder der Computer, von dem aus das virtuelle Terminal aufgerufen wird (SAQ C-VT), von der restlichen Infrastruktur netzwerkseitig isoliert, sind diese logischen Segmentierungsmaßnahmen mindestens jährlich oder nach Änderungen durch einen Penetrationstest auf ihre Wirksamkeit zu prüfen.
Nachfolgend im Original Wortlaut:
Added Requirement 11.3.4
If segmentation is used to isolate the CDE (Cardholder Data Environment) from other networks:
(a) Are penetration-testing procedures defined to test all segmentation methods, to confirm they are operational and effective, and isolate all out-of-scope systems from systems in the CDE?
(b) Does penetration testing to verify segmentation controls meet the following?
• Performed at least annually and after any change to segmentation controls/methods
• Covers all segmentation controls/methods in use
• Verifies that segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.
• Examine results from the most recent penetration test
(c) Are tests performed by a qualified internal resource or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)?
Sie haben Fragen dazu? Unsere Kolleginnen und Kollegen helfen Ihnen gerne weiter. Melden Sie sich einfach unter +49 6102 8631-90. E-Mail: pci@usd.de
————–
Two added Requirements for SAQ B-IP and C-VT
Within Revision 1.1 of the PCI DSS 3.2 (obligatory 01st October 2017) some requirements have been added for Merchants with the following payment processes:
1) Merchants with Web-Based Virtual Payment Terminals – No Electronic Cardholder Data Storage (SAQ C-VT)
2) Merchants with Standalone, IP-Connected PTS Point-of-Interaction (POI) Terminals – No Electronic Cardholder Data (SAQ B-IP)
The two added requirements are 8.3.1 multi-factor authentication and 11.3.4 test of segmentation methods. There are now part of the SAQs B-IP and C-VT. Requirement 8.3.1 is handled as Best Practice till January the 31th, after that it is going to be obligatory.
In the original text:
Added Requirement 8.3.1
Is multi-factor authentication incorporated for all nonconsole access into the CDE for personnel with administrative access? Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement.
In the original text:
Added Requirement 11.3.4
If segmentation is used to isolate the CDE (Cardholder Data Environment) from other networks:
(a) Are penetration-testing procedures defined to test all segmentation methods, to confirm they are operational and effective, and isolate all out-of-scope systems from systems in the CDE?
(b) Does penetration testing to verify segmentation controls meet the following?
• Performed at least annually and after any change to segmentation controls/methods
• Covers all segmentation controls/methods in use
• Verifies that segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.
• Examine results from the most recent penetration test
(c) Are tests performed by a qualified internal resource or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)?
Any questions? Talk to us. We‘ll be happy to help you. +49 6102 8631-90. E-mail: pci@usd.de.
