Two added Requirements for SAQ B-IP and C-VT

6. February 2017

Within Revision 1.1 of the PCI DSS 3.2 (obligatory 01st October 2017) some requirements have been added for Merchants with the following payment processes:
1) Merchants with Web-Based Virtual Payment Terminals – No Electronic Cardholder Data Storage (SAQ C-VT)
2) Merchants with Standalone, IP-Connected PTS Point-of-Interaction (POI) Terminals – No Electronic Cardholder Data (SAQ B-IP)
The two added requirements are 8.3.1 multi-factor authentication and 11.3.4 test of segmentation methods. There are now part of the SAQs B-IP and C-VT. Requirement 8.3.1 is handled as Best Practice till January the 31th, after that it is going to be obligatory.
In the original text:
Added Requirement 8.3.1
Is multi-factor authentication incorporated for all nonconsole access into the CDE for personnel with administrative access? Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement.
In the original text:
Added Requirement 11.3.4
If segmentation is used to isolate the CDE (Cardholder Data Environment) from other networks:
(a) Are penetration-testing procedures defined to test all segmentation methods, to confirm they are operational and effective, and isolate all out-of-scope systems from systems in the CDE?
(b) Does penetration testing to verify segmentation controls meet the following?
• Performed at least annually and after any change to segmentation controls/methods
• Covers all segmentation controls/methods in use
• Verifies that segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.
• Examine results from the most recent penetration test
(c) Are tests performed by a qualified internal resource or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)?
Any questions? Talk to us. We‘ll be happy to help you. +49 6102 8631-90. E-mail: pci@usd.de.

Also interesting:

SWIFT CSCFv2025 - The Three Most Important Questions About the Update

SWIFT CSCFv2025 - The Three Most Important Questions About the Update

Users of the SWIFT network are required to demonstrate compliance with the mandatory security controls through an annual independent audit in accordance with the Customer Security Control Framework (CSCF). As part of this SWIFT Assessment, the security of an...

From Unicode to Exploit: The Security Risks of Overlong UTF-8 Encodings

From Unicode to Exploit: The Security Risks of Overlong UTF-8 Encodings

In the dynamic field of cybersecurity, it is often the obscure and long-forgotten vulnerabilities that pose a hidden threat to otherwise hardened systems. One such vulnerability lies in invalid character encodings that violate the UTF-8 standard. While overlong UTF-8...

Categories

Categories