Educause Security Discussion mailing list archives

Re: PCI 3.0 compliance - resources


From: David Schreiber <dschreiber () TENABLE COM>
Date: Tue, 10 Feb 2015 23:19:07 +0000

Howdy, noticed this thread on PCI 3.0 compliance and have some input you all may find useful:

Webcast, “Navigating the New PCI 3 Self-Assessment Questionnaires (SAQs)”
https://discussions.nessus.org/docs/DOC-1124

Jeff Man, a former QSA who's focused on PCI issues, moderates "Straight Talk about PCI", a forum open to anyone with PCI 
questions: https://discussions.nessus.org/community/pci

Regarding this ListServ’s recent PCI queries, Jeff offered the following input:

Using a cloud solution or not has no bearing on which SAQ to use – the selection of SAQ is determined by the method of 
payment acceptance.

IF you are eCommerce ONLY – you use either SAQ A or SAQ A-EP. This is also referred to as CARD NOT PRESENT.

IF you are a face-to-face (brick and mortar) type merchant and you have a POS (separate device or web-based 
application) that directly contacts the payment processor (dialup or Internet), then you might use SAQ B/SAQ B-IP/SAQ 
C/SAQ C-VT. This is also referred to as CARD PRESENT.

Every other payment acceptance method (like having your own networked payment systems that include routing the 
electronic payment traffic out to a payment processor) requires the use of SAQ D-Merchant.

If your business is providing services/support/solutions to a merchant, that makes you a SERVICE PROVIDER – which means 
SAQ D-Service Provider.

Finally, if you have a fully-qualified and certified P2PE solution you may use SAQ P2PE.


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Chris Green
Sent: Monday, February 09, 2015 1:03 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI 3.0 compliance

Has anyone looked into or implemented a PCI compliant cloud infrastructure as a solution? I have a call tomorrow with 
someone from FireHost to get more information on their service. Given the extreme cost and man hours it will take to 
get us up from SAQ B to SAQ C, I’m hoping they can provide a much more cost effective solution that will be infinitely 
easier for us to implement.

Thanks,

-C.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ben Marsden
Sent: Friday, February 06, 2015 1:54 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI 3.0 compliance

Alex,  We're (slowly) starting a project as well, so I'd welcome any insights you might glean from your query.

We're (only) a level 3 merchant institutionally; picking the right SAQ(s) is befuddling...

Under v.2.x we'd point everyone at TouchNet and kind of ostriched any business process details.  I got buy-in from the 
Controller's office to use v.3 as a reason to take a better look at some of our on-campus merchants, at least to get 
and keep them aware of risks and best practices.  (The Controller's office are the "we" in this project -- small school 
tribulations.)

-- Ben

On Thu, Feb 5, 2015 at 3:01 PM, Alex Jalso <ACJalso () mail wvu edu> wrote:
Hello Everyone,

Has anyone started or completed a project regarding PCI 3.0 compliance?  If so, would you be willing to answer a few 
questions and / or have a conversation about it?  Thanks.

Alex

Alex Jalso, PMP, CISM
Director Information Security Services
West Virginia University
p: 304-293-4457




--
============================================
Ben Marsden : Information Security Director, CISSP/GISP
ITS, Stoddard Hall, Smith College, Northampton, MA 01063
bmarsden [at] smith [.] edu     413 [.] 585 [.] 4479
---------------------------------------------------------------------
=--> Any request to reveal your Smith password via email is fraudulent!
