
Are You Ready for Next March’s New Merchant PCI Requirements

The simplest form of PCI compliance is a self-assessment, and most companies qualify. The simplest form of a self-assessment is a SAQ-A or -A-EP. This assessment form is for merchants that do not collect or store payment card information and outsource the payment process pretty much completely. If you capture the card info and then send it to the processor, you don’t qualify for this form; you need to complete a much more complicated version.

Assuming you are doing this right, here are some of the requirements that come into play in March and will be part of your next assessment.

Requirement 3.2.1 – Storage of account data is kept to a minimum and there are processes and procedures for protecting account data stored prior to the completion of a transaction. There SHOULD be zero sensitive account data (SAD) ever stored, so this should be a check.

Requirement 4.2.1 – Strong encryption is in place during transmission of card data and insecure methods (like general email) are blocked from receiving card data.

Requirement 5.2.3.1 – The frequency of periodic evaluations of system components identified as not at risk for malware is defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1. This is part of your risk assessment.

Requirement 5.3.3 – Anti-malware software scans devices for malware when plugged in. This should be a no brainer.

Requirement 5.4.1 – Processes and automated mechanisms are in place to detect and protect personnel against phishing attacks. This should be in place from your endpoint protection software, but may not be.

Requirement 6.3.2 – An inventory of bespoke and custom software, and third-party software components incorporated into bespoke and custom software is maintained to facilitate vulnerability and patch management.

Requirement 6.4.2 – For public-facing web applications, an automated technical solution is deployed that continually detects and prevents web-based attacks. This requirement is a heavy lift and is designed to protect in real time.

Requirement 6.4.3 – All payment page scripts that are loaded and executed in the consumer’s browser are managed as follows: a method is implemented to confirm that each script is authorized; a method is implemented to assure the integrity of each script; and an inventory of all scripts is maintained with written justification as to why each is necessary. This one also is a big challenge.

Requirement 7.2.5 – All application and system accounts and related access privileges are assigned and managed as follows: Access is limited to the systems, applications, or processes that specifically require their use and based on the least privileges necessary for the operability of the system or application.

Requirement 8.3.6 – If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they meet the following minimum level of complexity: Contain both numeric and alphabetic characters and a minimum length of 12 characters (or IF the system does not support 12 characters, a minimum length of eight characters).

Requirement 8.4.2 – MFA is implemented for ALL access into the card data environment.

Requirement 8.5.1 – MFA solutions are implemented securely (no replay allowed, cannot be bypassed, are actually MFA, and must be enforced).

Requirement 8.6.1 – If accounts used by applications can also be used to interactively log in, that is explicitly controlled, documented and approved.

Requirement 8.6.2 – Passwords/passphrases for any application and system accounts that can be used for interactive login are not hard coded in scripts, configuration/ property files, or bespoke and custom source code.

Requirement 8.6.3 – Passwords/passphrases for any application and system accounts are protected against misuse.

Requirement 10.4.1.1 – Automated mechanisms are used to perform audit log reviews. If you are not using an automated tool, you fail this control.

Requirement 10.4.2.1 – The frequency of periodic log reviews for all other system components (not defined in Requirement 10.4.1) is defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1.

Requirement 11.6.1 – A change and tamper detection mechanism is deployed to detect unauthorized modifications to the host’s payment page. This is also a complex requirement.
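A small check of the kind Requirements 6.4.3 and 11.6.1 call for, added here as an illustration and not part of the original post or any PCI SSC tooling: it parses a payment page, confirms every script tag is in a written inventory, and compares each script’s integrity attribute against the approved hash. The inventory, justifications, script contents and sample pages are all constructed for the example.

```python
import base64
import hashlib
from html.parser import HTMLParser


def sri_hash(content: bytes) -> str:
    """Subresource Integrity digest in the form browsers accept in `integrity`."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()


# Constructed inventory (6.4.3): src -> (written justification, approved SRI hash).
APPROVED_CHECKOUT_JS = b"/* approved checkout.js content, constructed */"
CHECKOUT_HASH = sri_hash(APPROVED_CHECKOUT_JS)
INVENTORY = {
    "/static/checkout.js": ("Tokenizes card fields via processor iframe", CHECKOUT_HASH),
    "https://cdn.example.com/consent.js": ("Cookie consent banner, no card data", "sha384-PLACEHOLDER"),
}


class ScriptCollector(HTMLParser):
    """Collects the attributes of every <script> tag in the page."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs))


def audit_payment_page(html: str, inventory=INVENTORY) -> list:
    """Return findings; an empty list means every script is inventoried,
    authorized, and carries an integrity hash equal to the approved one (11.6.1)."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.scripts:
        src = attrs.get("src")
        if src is None:
            findings.append("inline script: not inventoried, cannot be integrity-checked")
        elif src not in inventory:
            findings.append(f"{src}: not in inventory (unauthorized script)")
        elif "integrity" not in attrs:
            findings.append(f"{src}: missing integrity attribute")
        elif attrs["integrity"] != inventory[src][1]:
            findings.append(f"{src}: integrity mismatch (possible tampering)")
    return findings


# Constructed sample pages: one as approved, one with a changed hash and an extra script.
GOOD_PAGE = (f'<script src="/static/checkout.js" integrity="{CHECKOUT_HASH}"></script>'
             '<script src="https://cdn.example.com/consent.js" integrity="sha384-PLACEHOLDER"></script>')
TAMPERED_PAGE = ('<script src="/static/checkout.js" integrity="sha384-CHANGED"></script>'
                 '<script src="https://unknown.example/extra.js"></script>')
```

In practice the audit would fetch the live payment page on a schedule and alert on any non-empty result, which is the tamper-detection part of 11.6.1.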

Requirement 12.3.1 – Each PCI DSS requirement that provides flexibility for how frequently it is performed (for example, requirements to be performed periodically) is supported by a targeted risk analysis that is documented.

Requirement 12.6.3.1 – Security awareness training includes awareness of threats and vulnerabilities that could impact the security of the CDE.

As I said above, this is for one specific self-assessment form, the SAQ-A-EP, which is a little more restrictive than the SAQ-A.

If you need help determining your compliance or assessing your compliance – or getting into compliance – please contact us for assistance. Compliance is not easy, but your liability (and possibly your insurance coverage) hangs in the balance.
