FFIEC News
New PCI Self Assessment Questionnaire 1.2 Brings More Clarity for Level 4 Merchants
(Oct 31, 2008)-- ControlScan, a full-service PCI compliance and security solutions provider, focused exclusively on small- to medium-sized merchants, announces its support of the PCI Security Standards Council's October 27, 2008 release of the Self Assessment Questionnaire (SAQ) version 1.2.
"We are very encouraged by the PCI Council's release of SAQ version 1.2," said Joan Herbig, chief executive officer, ControlScan. "Because our business has always been focused on Level 4 merchants, we are pleased that the latest version of the SAQ provides more clarity and flexibility in its questioning. While making the SAQ more suitable for the smaller merchants is still a work in progress, this is a great step."
Through careful analysis of the SAQ version 1.2, ControlScan finds that the following updates, by SAQ form type, will help provide clarity for smaller merchants as they complete their questionnaires:
SAQ Forms A-C:
-- Merchants now have the ability to answer a question with "N/A," but must complete Appendix D, "Explanation of Non-Applicability," if this option is selected.
-- "Compensating Control Used" can now be considered for most PCI DSS requirements when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other, or compensating, controls. Merchants must also complete Appendix C, "Compensating Controls Worksheet," if this option is selected.
SAQ Form B:
-- Requirement 4 (Encrypt transmissions of cardholder data across open, public networks) - Expands the scope of sending sensitive data via encrypted emails to include all end-user messaging technologies such as email, instant messenger and chat.
-- Requirement 9 (Restrict physical access to cardholder data) - Qualifies that destruction of cardholder data must ensure that the information cannot be reconstructed.
-- Requirement 12 (Maintain a policy that addresses information security for employees and contractors) - Changed the list of critical employee media to include email and Internet usage, laptops and personal data/digital assistants (e.g., PDAs).
SAQ Form C:
-- Requirement 1 (Install and maintain a firewall configuration to protect data) - Provides clarification around firewall requirements.
-- Requirement 2 (Do not use vendor-supplied defaults for system passwords and other security parameters) - Modifies setting requirements around wireless devices.
-- Requirement 5 (Use and regularly update anti-virus software or programs) - Clarifies that anti-virus software must be capable of detecting, removing and protecting against all known forms of malicious software.
-- Requirement 6 (Develop and maintain secure systems and applications) - Changes patching requirement from 30 days to one month and now allows for a risk-based patching approach.
-- Requirement 11 (Regularly test security systems and processes) - Allows for the use of wireless IDS/IPS to identify wireless devices in use.
SAQ Form D:
-- SAQ Form D is the most affected variant in version 1.2. While there are no sea changes, version 1.2 refines and clarifies many of the questions from the D form.
Several years ago when the PCI Data Security Standards (PCI DSS) launched, the main focus was to drive PCI compliance among the large merchant community (typically Level 1 as specified by VISA). Now that approximately 80% of these large merchants are in or nearing compliance, the focus has shifted to smaller merchants, which represent 98% of all merchants (Level 4 as specified by VISA).
"We understand the challenges smaller merchants face every day when it comes to PCI compliance and security -- we're the only company that has been on their side from the beginning," said Herbig. "Smaller merchants often lack the understanding and technical resources to comply with the standard, which is why the PCI compliance solutions we've built anticipated the specific needs of the small merchant, and we provide one-on-one support (essentially holding their hands) throughout the entire process."
For more information about ControlScan, visit www.controlscan.com.