 In this issue: 30 November 2016
  • P2PE: Understanding new guidance on assessing non-listed encryption solutions
  • 2017 SIG: Vote by 1 December
  • Tell us how Singapore went
  • 2017 training schedule now available
  • QIRs help reduce risk

As always, if you have questions, concerns, or suggestions on how to improve this weekly communication for POs, please email us at: pcimonitor@pcissc.org.


PCI News & Program Updates

P2PE: Understanding new guidance on assessing non-listed encryption solutions
Point-to-Point Encryption (P2PE) technology makes data unreadable so it has no value to criminals even if stolen in a breach. Merchants can take advantage of this technology with a P2PE solution, a combination of secure devices, applications, and processes that encrypt payment card data from the point where a merchant accepts the payment card to the secure point of decryption. Only PCI P2PE Solutions are validated by a specially-trained P2PE QSA as meeting the rigorous security requirements of the PCI P2PE Standard and are listed on the PCI Security Standards Council (PCI SSC) website. These solutions can greatly simplify merchant efforts to comply with the PCI Data Security Standard (PCI DSS), by reducing where and how PCI DSS requirements apply. 

The Council continues to encourage merchants and acquirers to use the PCI SSC listing in selecting a PCI P2PE Solution. At the same time, it’s recognized that many solutions currently being used by merchants are not PCI-listed, which creates a challenge for assessors in how to complete PCI DSS assessments for these merchants. To help with this challenge, the Council recently issued Assessment Guidance for Non-listed Encryption Solutions to assist security assessors in evaluating non-listed encryption solutions and their impact on merchants’ PCI DSS compliance. The guidance is not meant to encourage the use of non-listed solutions. Instead, it’s meant to inform all parties involved in a merchant PCI DSS assessment how the use of a non-listed encryption solution impacts the merchant’s PCI DSS compliance responsibilities, compared to the use of a PCI P2PE Solution. It underscores the security and PCI DSS compliance benefits that PCI P2PE Solutions ensure and the assurance that comes with knowing these solutions are independently tested and validated as meeting the requirements of the PCI P2PE Standard.

Point-to-point encryption is a critical technology for devaluing payment data. With this guidance and our growing PCI P2PE Solution listing, we hope to encourage merchant adoption of P2PE for the strongest protection for payment card data.

For more information on this guidance, please read the PCI Perspectives blog post, “P2PE: Assessing Non-Listed Encryption Solutions”.

 > Read the blog

 


2017 SIG: Vote by 1 December
This is your last chance to choose next year’s Special Interest Group (SIG) project!

SIG initiatives focus on specific payment security challenges that the PCI community wants guidance on addressing.

For 2017, instead of choosing new Special Interest Group topics, we’re asking you to vote on which existing SIG guidance you’d like the PCI community to update:

  • Please log in to the Participating Organization portal today to review your choices and take a few minutes to cast your vote.
  • Note: The voting period closes on 1 December, and we’ll announce the results in early January with information on how you can join the Special Interest Group.

Involvement in Special Interest Groups is a great way to provide your expertise to the Council and develop practical payment security resources for the industry.

 > Vote now

 

SMB security tips for the holiday shopping season
Just in time for the holiday shopping season, the Council created a new resource to provide small and mid-sized businesses quick tips to protect their online business. The one-page visual resource outlines three ways to protect payment card data. Additionally, take a look at the latest post on the PCI Perspectives blog with more payment security insights for small and mid-sized merchants.

Before the holiday break, Council General Manager Stephen Orfei authored a post with Ann Beauchesne of the National Security & Emergency Preparedness Department for the National Chamber of Commerce blog, "Above the Fold". The post, entitled "Cyber Monday and How to Protect Your Business", aims to help small and mid-sized businesses protect cardholder data during the busy holiday season. Finally, to help small businesses prior to Small Business Saturday, the Council authored a guest post on the National Cyber Security Alliance blog entitled "Security Checklist for Small Business Saturday".

 > View the blog series


Participation Opportunities

Feedback Requested
A big thanks to all of you who attended the 2016 Asia-Pacific Community Meeting in Singapore. We hope you found the sessions, speakers and networking opportunities to be of great value to you and your organization. Please take just five minutes to complete this short survey about your experience.

You have the option of completing the survey directly from the mobile app or by clicking this link – you do NOT need to do both! If you’ve already completed the survey on the mobile app, thank you. If you haven’t, please take a moment to complete whichever format is most convenient for you. We appreciate your input.

 > Take the survey


Training

2017 training schedule posted
Have you seen the instructor-led training schedule? Mark your calendars. Below are dates and locations for instructor-led ISA classes worldwide. For other courses, please consult the website.

Dates             ISA Locations
23-24 January     Miami, FL
6-7 February      Amsterdam
27-28 March       Austin, TX
27-28 March       Cape Town
18-19 April       London
15-16 May         Denver, CO
15-16 May         Bangkok
12-13 June        Toronto
3-4 July          Nice
17-18 July        Boston, MA
7-8 August        Seattle, WA
9-10 September    Orlando, FL
19-20 October     Barcelona
6-7 November      Washington, DC
6-7 November      Melbourne

Please plan to attend one of these sessions led by PCI expert trainers – and encourage merchants, members, and others in your network to enroll and learn how to play a role in securing payment card data globally.  

 > Check out ISA training


QIRs help merchants reduce risk
Attacks on merchant payment systems take advantage of improper network configuration, inadequate remote access security, and use of easily guessed or default passwords. Qualified Integrators and Resellers (QIRs) are professionals trained in secure installation and maintenance of Point-of-Sale (POS) systems and are available to help merchants address these security weaknesses. The PCI Council has now trained close to 700 QIRs representing 300 companies. Read this infographic for more on the QIR program.

To find a QIR, click here.
To apply to become a QIR, click here.
 

 

Events

 Waterloo Security and Compliance Event
Presenter: John Markh
6-8 December – Waterloo, Ontario

 US Payments Forum
Presenter: Elizabeth Terryo
8 December – Miami, FL

 HPE 4º Financial Security Summit – Brazil
Presenter: Carlos Caetano
14 December – Sao Paulo, Brazil

Stay up to date with PCI Security Standards Council! Follow us today.
