New changes to the PCI DSS Self-Assessment Questionnaire

Every organization should also complete and follow the PCI DSS Self-Assessment Questionnaire, both to help spot breaches and to serve as a guideline and checklist of everything that should be covered before or after a data breach.

The PCI Security Standards Council has just released an updated questionnaire that splits the original requirements among the following organization types:

  • SAQ Validation Type 1: Card-not-present (e-commerce or mail/telephone-order) merchants with all cardholder data functions outsourced. This would never apply to face-to-face merchants.

  • SAQ Validation Type 2: Imprint-only merchants with no electronic cardholder data storage.

  • SAQ Validation Type 3: Stand-alone terminal merchants with no electronic cardholder data storage.

  • SAQ Validation Type 4: Merchants with POS systems connected to the Internet and no electronic cardholder data storage.

  • SAQ Validation Type 5: All other merchants (not included in Types 1-4 above) and all service providers defined by a payment brand as eligible to complete an SAQ.
Here is a brief recap of the original PCI DSS Self-Assessment Questionnaire:

Build and Maintain a Secure Network
  • Requirement 1: Install and maintain a firewall configuration to protect data.
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
  • Requirement 3: Protect stored data.
  • Requirement 4: Encrypt transmission of cardholder data and sensitive information across public networks.
Maintain a Vulnerability Management Program
  • Requirement 5: Use and regularly update anti-virus software.
  • Requirement 6: Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
  • Requirement 7: Restrict access to data by business need-to-know.
  • Requirement 8: Assign a unique ID to each person with computer access.
  • Requirement 9: Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
  • Requirement 10: Track and monitor all access to network resources and cardholder data.
  • Requirement 11: Regularly test security systems and processes.
Maintain a Policy that Addresses Information Security
  • Requirement 12: Maintain a policy that addresses information security.
After the data breach: PCI DSS and data breaches
If your organization processes payment card transactions, then the term PCI DSS is no stranger to you.
Following the 12 requirements is no longer considered merely a "best practice"; it is now mandatory, and an organization that fails to comply could face millions in fines. Whether you are classified as a Level 1, Level 2, Level 3 or Level 4 organization determines your deadline for becoming PCI compliant.

If you have been certified as PCI compliant and a breach occurs, Visa and MasterCard require a forensic investigation into the breach before fines are levied.

For a 2007 article written for SearchSecurity.com, entitled "PCI DSS auditors see lessons in TJX breach," Senior News Writer Bill Brenner interviewed several PCI DSS auditors concerning the status of their clients.

He found that most PCI DSS auditors report their clients are achieving PCI compliance, but that there are significant problems along the way.

The auditors he interviewed reported the following:
  • Unpredictable encryption - Data is encrypted and protected in some instances, but in others no encryption is present.

  • Unnecessary data storage - Organizations store data that they do not need to store, and then allow that data to be reachable from unsecured parts of their network.

  • Failure to log activity - Some IT departments fail to keep a log of network activity, which makes it impossible to detect a breach or identify who is attempting to access systems.

  • Failure to scan software - Some organizations do not conduct regular scans for software vulnerabilities and abnormal activity.

  • Controls are not PCI compliant - Many organizations assumed that controls put in place for regulations such as Sarbanes-Oxley and HIPAA also satisfied PCI DSS. They are quickly finding out that even with those controls in place, they are not PCI compliant.
By addressing the areas listed above, working with a certified PCI auditor, and taking the following steps, the aftermath of a data breach need not be as devastating as in previously reported breaches.

© 2008 PCI Compliance Guide.org