The PCI Security Standards Council today released several important documents today. Every Merchant, Service Provider, and risk manager should review these publications. The official Press Release “PCI Security Standards Council Issues Updated Self Assessment Questionnaire“. A quick overview of each:
A Guidance document – “Understanding the Intent of the Requirements, v1.1“
- This document provides much needed elaboration in the form of “Guidance” for every PCI DSS control requirement. For instance, the standard requires a quarterly review of the firewall and router rule sets (1.1.8), and the new guidance now expands on what this opportunity allows – clean up, removal of incorrect rules, sufficient time to balance rules with business.
- The guidance document is 45 pages in length and available at the PCI site
An updated SAQ Package has been released. The Self Assessment Questionnaire originally was a single questionnaire list where companies of all types (Merchants, Service Providers, etc…) were required to complete. The new release of documents today provides greater explanation of how SAQ is part of the PCI DSS, and provides unique SAQs depending on the organizations business structure. There are now five types of questionnaires that may be completed:
- SAQ Validation Type 1 Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.
- SAQ Validation Type 2 Imprint-only merchants with no electronic cardholder data storage
- SAQ Validation Type 3 Stand-alone terminal merchants, no electronic cardholder data storage
- SAQ Validation Type 4 Merchants with POS systems connected to the Internet, no electronic cardholder data storage
- SAQ Validation Type 5 All other merchants (not included in Types 1-4 above) and all service providers defined by a payment brand as eligible to complete an SAQ.
In the SAQ Instruction Guide pages 6-7 provide a nice common-sense approach to minimizing the impact of credit card processing and simple means of reducing the risks.
As in all new releases, read each document yourself and then prepare a distilled version for internal parties and your business partners. In addition, all SLA and contractual agreements should be reviewed and any necessary communications should occur to update the business operation thresholds. These documents contain important clarification and have been tuned to be more reflective of the business itself, so it is important to leverage these improvements and provide feedback to the Council.
Michael and others have some good tid bits posted about the new standard. Definitely check them out (Especially check out pcianswers to find out a good nugget on Compensating controls) Thanks to everyone out there making a better transaction environment!
Update: Book Release is now March 19th 2008!! Pre-Order Today