PCI SAQ 3.2 Revisions: Is Your Business Affected?

February 3, 2017 • Category: Industry Topics
PCI SAQ 3.2 Revisions - Learn the impact Rev. 1.1 could have on your business.

This week, the PCI Security Standards Council (SSC) announced the release of Revision 1.1 to SAQ 3.2.

The SSC characterizes this revision as “errata,” and after careful examination, that description is mostly accurate: there are small language changes, some corrected misspellings and a few instances of clarified wording.

While the SSC notes that four SAQs have been impacted by the SAQ 3.2 revisions, two SAQs in particular have undergone a couple of what I’d call “non-trivial” changes. In some cases these changes could have expensive implications.

SAQ 3.2 Revisions Include New Requirements for SAQ B-IP and SAQ C-VT

If your business validates its PCI compliance using SAQ B-IP or SAQ C-VT, then you should note the following:

  • Requirement 8.3.1 requires multi-factor authentication for remote access into the cardholder data environment (CDE). This has been a requirement for other SAQ types since the introduction of version 3.2, but is being added for merchants who have standalone, IP-connected payment terminals (SAQ B-IP) or virtual terminals (SAQ C-VT).
  • Requirement 11.3.4 requires you to complete at least annual penetration testing to validate network segmentation, if network segmentation is utilized to isolate the CDE.

Insecure Remote Access Continues As Leading Cause of Breach

Cyber criminals have been capitalizing on insecure remote access practices for years, and the SSC has been addressing the problem with systematic updates to the PCI DSS and its corresponding SAQs. They are now catching up with SAQ B-IP and SAQ C-VT merchants.

In an environment where there are only IP-connected payment terminals, merchants often allow remote access, especially for outside vendors to maintain and support their terminals. Adding this layer of protection is something that most vendors should already be familiar with, since it’s been a requirement for all other card data environments since the introduction of SAQ 3.2 in April of 2016.

For businesses utilizing only a virtual terminal, the remote access requirement may seem odd. The fact is, remote access is becoming increasingly common, even if it is only conducted by your own IT resources. Securing this remote access is essential to the security of your cardholder data environment.

Network Segmentation is Also Critical

Isolating your cardholder data environment is a must, so if your business has something else connected to the Internet other than the payment terminals or computers used to access virtual terminals, then you must segment your CDE into its own network. In other words, guest WiFi, Internet-connected security cameras, IP phones, and any of the many other devices that can now be connected to the Internet, should not be connected to the network your payment processes run through.

SAQ version 3.2, rev 1.1 ensures that wherever network segmentation is used, it is validated through penetration testing at least annually and whenever any changes are made to the network.

The documents reflecting the SAQ 3.2 revisions are now available on the PCI SSC website. And while the changes are not mandatory until October 1, 2017, it’s always a best practice to begin reviewing and implementing the new requirements early.