NOTE: There have been updates to the PCI DSS 3.0 standard since this post was published. The current revision is 3.2r1.1; however, the only significant changes to the SAQ B-IP have been the additions of segmentation testing and multifactor authentication for all remote access.
The new PCI DSS version 3.0 Self Assessment Questionnaires (SAQs) are out, and after our initial look, there are some notable differences. This article focuses on the brand new “SAQ B-IP” for “Merchants with Standalone, IP-Connected PTS Point-of-Interaction (POI) Terminals – No Electronic Cardholder Data Storage.”
To translate, the SAQ B-IP is a more specific set of PCI DSS questions for merchants that process through a standalone terminal (typically about the size of a brick and equipped with a card reader, display and keypad) that is connected to the Internet. Because the terminal accesses the Internet (as opposed to terminals that dial into a bank of modems at the processor), it is more vulnerable to hackers that are out trolling cyberspace for poorly protected payment applications. Therefore, it must be better protected.
Under PCI DSS version 2.0, merchants fitting the above criteria were required to complete an SAQ C. While the 3.0 SAQ B-IP has three more requirements than the version 2.0 SAQ C, the good news is it has 59 fewer requirements than the brand new version 3.0 SAQ C.
Why the new SAQ B-IP?
IP terminals are typically standalone units and are built for one purpose: processing card payments. As a result, they tend to be less vulnerable than multi-function POS systems that are the more typical target for SAQ Cs. Because of the embedded operating system in these devices, you also cannot implement many of the SAQ C-required controls on an IP terminal, such as maintaining anti-virus software (requirement 5.1 in the PCI DSS). The fact is, if the payment terminals are operating in a locked down network segment (i.e., communications can only take place with the payment processor), the merchant simply doesn’t have access to the devices at a level where anti-virus software can be maintained.
IP terminals are deployed broadly in large numbers out in the market, so it makes sense to target them with a more specific SAQ that includes appropriate questions and controls that can be clearly implemented. Kudos to the PCI Security Standards Council (SSC) for recognizing that payment applications that make up large segments of the market deserve their own focused SAQ.
Who has to use the new SAQ B-IP?
Again, the new SAQ B-IP is specifically designed for merchants who use a standalone payment terminal (not a POS system) that is Internet-connected to the payment processor. It is an extension of the version 3.0 SAQ B, which contains 12 new controls (10 of which focus on physical tampering).
The version 3.0 SAQ B-IP goes well beyond the SAQ B to add requirements for the following controls:
- Quarterly external vulnerability scans must be conducted by a qualified ASV;
- Anti-skimming policies and procedures must be in place and communicated;
- Incident response policies must be developed and in place;
- A firewall must be maintained with the network segmented to isolate the payment acceptance terminals and limit their access to only the card processor;
- Strong passwords and security parameters must be utilized; NEVER use default or weak credentials;
- All systems associated with the terminal must be kept up to date (patched) to eliminate known vulnerabilities; and
- Any access to system components in the card data environment must be fully authenticated.
Incidentally, merchants who use the new SAQ B and SAQ B-IP will find that they are required to implement some new processes and training.
SAQ B Changes
In addition to the new SAQ B-IP, version 3.0 of SAQ B contains 12 new controls:
- 10 focus on preventing the possibility of someone physically tampering with the terminal;
- 1 ensures that information is maintained regarding which PCI DSS requirements are managed by each service provider and which are managed by the merchant; and
- 1 requires that an incident response plan (IRP) be in place that can be implemented in the event of a suspected system breach.
The changes to SAQ B are primarily administrative and require additional process and training. For example, in the case of physical tampering, merchants are now required to maintain a list of the make, model and location of all card-reading devices, to inspect those devices regularly for tampering, and to train personnel to be vigilant.
Of course change is never easy, but the PCI SSC continues to refine the PCI DSS and its accompanying SAQs in order to make requirements crystal clear for the millions of merchants out there that use thousands of different methods and applications to take payments every day. The PCI SSC has published their process for reviewing and updating the PCI DSS on a three year cycle, and invites feedback from everyone in the market. Become part of the process to make the payments industry a safer place to do business by visiting www.pcisecuritystandards.org.
Want more info on the PCI DSS 3.0 and its related SAQs? Check out our related articles here.