Educause Security Discussion mailing list archives

Re: Budget for PCI DSS SAQ D for Bookstore Operations


From: "Carson, Larry" <larry.carson () UBC CA>
Date: Mon, 8 Aug 2011 13:03:07 -0700

The de-scoping exercise starts with a review of your business processes to
determine if you truly need to store PAN data. Should you determine that
it's not necessary, then you need to redesign your business processes and
then sanitize your DBs, systems and backups of all stored PAN data.

We started with 15 merchants all certain that they needed to store PAN data
and all categorised as SAQ-D; when we discussed costs of compliance as a
SAQ-D merchant, and what each would be responsible for, 13 of the merchants
found ways to de-scope (with assistance from our QSA) to SAQ-C or lower. In
the end we had only two merchants that had a strong business case to be
SAQ-D and those 2 went through major architectural redesigns of their
business processes and technological solutions, in order to further limit
which components would be in-scope for their SAQ-D process. By doing that
they were able to segment sections of their processes to SAQ-C, with the
approval of the QSA and the acquirer. At the end of the day you will always
need sign-off from your acquirer on these scope-reduction and/or limitation
exercises and it is in this capacity that your QSA should help you craft the
email request to the acquirer (as well as the underlying process) in order
to give you the highest chance of obtaining their approval in writing. 


Regards,
Larry Carson
Associate Director, Information Security Management, UBC

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of John Ladwig
Sent: August-08-11 12:50 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Budget for PCI DSS SAQ D for Bookstore Operations

A good point.  Perhaps an example would be helpful.

We've had a number of campus bookstore merchants move from val-type-5
(SAQ-D) to val-type-3 (SAQ-B) by changing operational practice from swiping
cards through a bookstore POS which would otherwise store PANs after
authorization, and instead install and use dialout POTS terminals (on
Centrex lines, not internal PBX lines), changing the bookstore's PCI
compliance obligations.

It seems like (and several QSAs have opined that) tokenization-enabled POS
systems should qualify for val-type 4, SAQ-C, notably less onerous than
SAQ-D, as they do not store PANs after authorization.  

Larry Carson's recommendations about sanitization of PANs in your
cardholder data environment (CDE) would be good practice post-conversion,
but not sufficient unless the behavior or use of the POS system was *also*
changed.

   -jml

Blake Penn <BPenn () TRUSTWAVE COM> 2011-08-08 13:06 >>>
It is important to keep in mind that the different SAQs correspond to
different levels of VALIDATION (as opposed to compliance).  Your advice
sounds reasonable, but some in this audience might mis-interpret
"de-scoping" as applying to compliance rather than validation.  De-scoping
compliance requirements and de-scoping validation requirements are two
completely different things.


Blake Penn
CISSP, MCSE, MCSD, MCDBA, QSA
Principal Consultant
Trustwave
bpenn () trustwave com 
+1 (678) 685-1277
http://www.trustwave.com 

DISCLAIMER: The views represented in this message reflect the personal
opinions of the author alone and do not necessarily reflect the opinions of
Trustwave.


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Carson, Larry
Sent: Friday, August 05, 2011 10:52 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Budget for PCI DSS SAQ D for Bookstore Operations

I would recommend descoping to SAQ C, if at all possible. This may mean
updating data stores in a DB, sanitising (possibly even destroying) backups
and logs, sanitising email stores, etc. Just keep a record of all items
sanitised, as it is a good record of your descoping exercise.

WRT tracking compliance: spreadsheets, lots of them but we're considering a
GRC solution to keep our sanity.


Larry

---
Larry Carson
Associate Director, Information Security Management
Information Technology | Engage. Envision. Enable.
The University of British Columbia
Tel: 604.822.0773 | Twitter: @L4rryC4rson


----- Original Message -----
From: The EDUCAUSE Security Constituent Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Fri Aug 05 05:18:21 2011
Subject: Re: [SECURITY] Budget for PCI DSS SAQ D for Bookstore Operations

A 340 row Lovecraftian spreadsheet which causes those who stare into its
depths to gibber in unholy madness.  We call it The Beast.

The 40+ columns track a lot of things, none of which are on any SAQ;
vendors, manufacturers, contract language status, versions, validation
types, concessionaires, CDE segmentation status, SAQ completion dates...
About row 200 I realized this was a database problem, but our development
staff is limited.

    -jml


-----Original Message-----
From: Doug Markiewicz - EDUCAUSE
Sent: 2011-08-05 06:48:02
To: Doug Markiewicz - EDUCAUSE;The EDUCAUSE Security Constituent Group
Listserv
Cc:
Subject: Re: [SECURITY] Budget for PCI DSS SAQ D for Bookstore Operations


We are working with Trustwave to provide an online portal to track all 
information, scans, provide and track training, do external scans, fill
out SAQs, etc.

I'm curious how others are organizing all their PCI compliance data,
tracking training, etc. Manually?  Through a software package or service
provider?



