Navigating PCI DSS 3 - macmember.org Presentation - Navigating... · Summary of Changes in PCI DSS...

Date post: 08-Nov-2018
Transcript

Navigating PCI DSS 3.0

MAC is an organization comprised of members from Banks, Acquirers, ISOs, Card Associations, Law Enforcement and others involved in risk management and compliance of the electronic payment processing industry. The purpose of MAC is to educate members in the electronic payment industries regarding compliance with electronic payments regulations, along with the detection, prevention and prosecution of those involved in electronic payment fraud. In the context of fulfilling MAC's ongoing educational obligations to its members, this webinar is being presented by the MAC Education Committee in support of the MAC mission regarding the exchange of information and continuous education of its members.

AGENDA
• Panel Introduction
• Why PCI DSS 3.0
• Summary of Changes in PCI 3.0
• Things that will cause merchants problems
• How Will Changes Impact Merchant Compliance
• Portfolio Risk Mitigation Strategies

Meet the Panel
Deana Rich (Moderator) - Rich Consulting
Gary Glover - Security Metrics
Greg Rosenberg - Trustwave
Jim Bibles - Aperia Solutions

Why PCI DSS 3.0?
• Allows for a smooth transition from one version to the next
• Provides a feedback process for the existing standard
• Ensures that new threats and technologies are addressed
• No mix and match

PCI DSS and PA DSS Lifecycle

Summary of Changes in PCI DSS 3.0

Summary of changes to the PCI DSS:

5 Areas of Additional Guidance - Explanation, definition and/or instruction to increase understanding or provide further information or guidance on a particular topic.

74 Clarifications - Clarifies the intent of a requirement. Ensures that concise wording in the standard portrays the desired intent of requirements.

14 Evolving Requirements (Immediate Impact) - Changes to ensure that the standards are up to date with emerging threats and changes in the market.

5 Evolving Requirements (Phased in) - These requirements are considered "best practices only" until June 30, 2015, at which time they become mandatory for all 3.0 assessments.

Things That Will Cause Merchants Problems

Requirement 11.3.4
• Requires penetration tests to verify that the segmentation methods are operational and effective.
• Shows up now in SAQ C

Requirements 12.8.5 and 12.9
• 12.8.5 - Requires merchants to document the PCI DSS requirements that are managed by their service providers
• 12.9 - Requires merchants to get written agreement/acknowledgment from their service providers (as specified in requirement 12.8.5) **Effective July 1, 2015**

Changes to SAQs
• Qualification for the new SAQ A-EP is not clearly defined
• eCommerce merchants may no longer use SAQ C
• No clear direction for merchants that use mobile solutions

How Will Changes Impact Merchant Compliance?

Will I see a decrease in my portfolio compliance rate?
• Enhanced validation requirements for merchants using the same SAQs
• Increase in merchants changing SAQs
• New "vendor management" requirements
• Better understanding of testing requirements

Increase in Portfolio Risk?
• Merchant security practices did not change
• The threat environment has evolved
• New technologies will impact risk

Portfolio Risk Mitigation Strategies

How do I manage my risk?
• Educate all merchants
• Provide secure processing solutions
• Concentrate on "high risk" merchants

Risk Drivers
• Transaction type (CP vs. CNP, i.e. card-present vs. card-not-present)
• POS (point-of-sale) type
• MCC (merchant category code)
• Volume

Know your card brands' qualification thresholds!

About Merchant Acquirers' Committee

MAC is an organization of Bankcard professionals involved in the risk management side of Card Processing. We have members from Banks, ISOs, Card Associations and others related to the risk management side of the industry. MAC is dedicated to providing universal risk management solutions through ongoing communication and cooperation among acquirers and card associations.

Who we serve:
• Acquiring Bank
• Acquiring Savings & Loan
• Acquiring Credit Union
• Gateway Provider
• Internet Service Provider
• ISO/MSP
• Merchant Acquirer
• Processor
• Risk Management Professional

Your membership in MAC is an investment that should not be overlooked.

If you are not a member of MAC… JOIN TODAY!

https://www.macmember.org/
