Archive for December, 2015


This Just In – SSL Conversion Deadline Has Changed

This is hot off the presses from the PCI SSC.

I’m not sure I necessarily like this decision, but I can appreciate what is driving it.  That said, I think the better approach would have been to have organizations do compensating controls for keeping SSL around.

Read the update for yourself.


Have You Noticed?

I was on a call with our person who coordinates and does most of our quality assurance (QA) reviews for the firm. They were asked if they had any updates to provide the team regarding PCI. They took over the meeting and had us go to Part 2g of the Service Provider Attestation Of Compliance (AOC). The topic of the discussion was that we needed to make sure that we followed the Note in that section that states:

“Note: One table to be completed for each service covered by this AOC. Additional copies of this section are available on the PCI SSC website.”

[Image: PCI SP AOC Part 2g]

They said that in conversations with other QA people in the PCI arena, this had come up in the discussions as to how they were dealing with the requirement. They said that, until it had been pointed out, they really had not thought about it until just recently, when one of our Service Provider clients needed their AOC created and their multiple services necessitated multiple 2g tables.

But that brought up the concern as to how many QSAs and their QA people have noticed this requirement, let alone are doing it correctly? Likely only a few.

However, it is important that the Service Provider AOC gets properly filled out as the service providers’ customers are relying on the AOC to fill out their own matrices based on the service provided by the service provider.

As a result, for every check box checked below in Part 2a, there needs to be a corresponding table filled out in Part 2g.

[Image: PCI SP AOC Part 2a]

If you are doing service provider assessments and are not following that process, expect a big black checkmark in your next PCI SSC AQM review. The question is, will it cause any QSACs to go into remediation?

Happy holidays.


Using SAQ C

There seems to be a lot of confusion over SAQ C and when it can and should be used. SAQ C was developed for the franchise industry, particularly fast food and small retailers. The idea was that the franchisee would implement the franchise’s preferred point of sale (POS) solution, connect that POS solution to the Internet and start processing transactions.

Before going any further I must add the following caveat to this post. While I have based this post on all of the training and discussion over the years with the PCI SSC regarding SAQ C, this post is only my opinion and does not mean I am correct. The only official answer is the one you get from your acquiring bank. It is up to your acquiring bank to determine what SAQ your organization should use for your PCI assessment.

To refresh everyone’s memory about SAQ C, the criteria for using SAQ C are as follows.

  • “Your company has a payment application system and an Internet connection on the same device and/or same local area network (LAN);

  • The payment application system/Internet device is not connected to any other systems within your environment (this can be achieved via network segmentation to isolate payment application system/Internet device from all other systems);

  • The physical location of the POS environment is not connected to other premises or locations, and any LAN is for a single location only;

  • Your company retains only paper reports or paper copies of receipts, and these documents are not received electronically; and

  • Your company does not store cardholder data in electronic format.”

The key to understanding SAQ C is the second and third bullets. The third bullet indicates that the POS application cannot be connected to any other locations. The second bullet indicates that the payment application cannot be connected to any other systems within the organization’s processing environment. The bottom line is that the solution must be stand-alone and fully segmented away from any other applications and systems.

These criteria can be easily met by solutions such as the MICROS e7 POS solution but can run afoul of integrated systems such as the MICROS RES or other similar fully integrated solutions that offer accounting, timekeeping, order management, inventory and other applications in addition to POS.

The MICROS RES solution can use SAQ C if and only if the POS application can be logically or physically segmented from the rest of the MICROS RES applications. However, in my experience, the MICROS RES and similar applications must operate as a single, integrated solution and segmentation is not possible and therefore SAQ C cannot be used.

Another place where SAQ C cannot be used is where the franchisee is linking all of their locations together back to a corporate office. I encounter this a lot where the franchisee has multiple locations and all of those locations are on a wide area network (WAN) connected to their corporate office. Transactions may be flowing directly out from the retail locations or funneled back to corporate and then out to the transaction processor. Corporate may also be monitoring the local location networks and managing the local locations’ systems and applications.

I also encounter situations where the franchisee is connected to the franchise corporate office for the ordering of inventory and the collection of sales information. The most common occurrences of this situation are with fast food franchise operations and in the lodging industry, where locations are connected to the franchise corporate networks for passing information to/from the local systems. The corporate franchise may also be managing and maintaining the franchisee systems as part of the franchise agreement. All of these situations also preclude the use of SAQ C.

The bottom line is that SAQ C can only be used in situations where you have a LAN-based POS and no other applications or network connectivity other than to the Internet for the sole purpose of processing transactions.

So what does a merchant do when SAQ C is not an option? Sorry, but in my humble opinion, the merchant version of SAQ D is your only option when you have an integrated POS solution on a network.

Again, as a final reminder, it really does not matter what I think as all of this is up to your acquiring bank to officially approve. I am just giving my thoughts as to how I think things should work based on my training.
