Two added Requirements for SAQ B-IP and C-VT

Within Revision 1.1 of the PCI DSS 3.2 (obligatory 01st October 2017) some requirements have been added for Merchants with the following payment processes:
1) Merchants with Web-Based Virtual Payment Terminals – No Electronic Cardholder Data Storage (SAQ C-VT)
2) Merchants with Standalone, IP-Connected PTS Point-of-Interaction (POI) Terminals – No Electronic Cardholder Data (SAQ B-IP)
The two added requirements are 8.3.1 multi-factor authentication and 11.3.4 test of segmentation methods. There are now part of the SAQs B-IP and C-VT. Requirement 8.3.1 is handled as Best Practice till January the 31th, after that it is going to be obligatory.
In the original text:
Added Requirement 8.3.1
Is multi-factor authentication incorporated for all nonconsole access into the CDE for personnel with administrative access? Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement.
In the original text:
Added Requirement 11.3.4
If segmentation is used to isolate the CDE (Cardholder Data Environment) from other networks:
(a) Are penetration-testing procedures defined to test all segmentation methods, to confirm they are operational and effective, and isolate all out-of-scope systems from systems in the CDE?
(b) Does penetration testing to verify segmentation controls meet the following?
• Performed at least annually and after any change to segmentation controls/methods
• Covers all segmentation controls/methods in use
• Verifies that segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.
• Examine results from the most recent penetration test
(c) Are tests performed by a qualified internal resource or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)?
Any questions? Talk to us. We‘ll be happy to help you. +49 6102 8631-90. E-mail: pci@usd.de.