Not rendering correctly? View this email as a web page here.
 In This Issue: 1 February 2017
  • New SAQ updates
  • Defend against ransomware with new PCI resource guide
  • Version 3 ASV program documentation now available
  • Provide feedback on P2PE standard
  • New Best Practices for Securing E-commerce
  • Board of Advisors nomination period open through 27 February
  • Middle East and Africa Forum agenda available
  • Registration open for Asia-Pacific Community Meeting
  • Welcome new POs
  • Fulfill your 2017 educational goals

As always, if you have questions, concerns, or suggestions on how to improve this weekly communication for POs, please email us at:


New SAQ Updates
The PCI SSC has published minor updates to Self-Assessment Questionnaires (SAQs), the validation tools that eligible merchants and service providers use to report the results of their PCI Data Security Standard (PCI DSS) self-assessment. The changes clarify points of confusion we have heard from industry stakeholders since the SAQs were updated to align with PCI DSS version 3.2 in April 2016.

There is a transition period to allow merchants time to review changes to applicable SAQs and prepare to adopt them. Merchants may continue to use the SAQs published in April 2016 until 30 September 2017. Starting on 1 October 2017, merchants will need to use the updated SAQs. Prior to 1 October 2017, merchants can use either the April 2016 or the January 2017 version of the SAQs.

The PCI Council encourages you to review the key changes to these SAQs to understand and prepare for how you and/or your merchant customers may be impacted by these.

 > Review the SAQ changes


Defend Against Ransomware with New PCI Resource Guide
Help your customers and partners reduce the risk of data theft with new Defending Against Ransomware Resource Guide.

Ransomware costs SMBs an average of $2500 per attack. According to a recent survey, more than 50 percent of small and midsized businesses (SMB) have been victims of ransomware. Cybercriminals use this nasty type of malware to hold business-critical systems and data hostage until a sum of money is received.

Businesses using outdated software are just one click away from being infected by ransomware. 99% of computers use software that is vulnerable to ransomware attacks if not updated. Criminals bank on the fact that users are not regularly updating their software with patches they receive from vendors. They plant ransomware on websites and take advantage of software vulnerabilities to launch attacks on visitors using outdated software.

 > Download Defending Against Ransomware Resource Guide


Updated ASV Program Documentation Now Available
Version 3.0 of the Approved Scanning Vendor (ASV) Program Guide and Qualification Requirements documents are now available. The updates are in response to feedback from the ASV, merchant/service provider and acquirer communities and focus on clarifying points of confusion in the ASV program documentation and aligning it more closely with PCI DSS v3.2 and other PCI SSC programs.

The ASV Program Guide describes the details and requirements for the ASV program, and applies to all Approved Scanning Vendors as well as all merchants/service providers obligated to comply with PCI DSS Requirement 11.2.2.

The ASV Qualification Requirements define the requirements and agreement to which all scanning companies must meet and adhere to in order to qualify (and remain in good standing) as Approved Scanning Vendors and to perform ASV scans for PCI Program purposes.

 > Download Version 3.0 of the ASV Program Guide and Qualification Requirements


Feedback Requested on PCI P2PE Standard
PCI Standards are updated based on industry feedback.

The PCI Council is evaluating a potential update to the PCI Point-to-Point Encryption (P2PE) Standard in 2018, or sooner if necessary.

As a Participating Organization, your company has the opportunity to provide comments on changes you’d like to see made to the PCI P2PE standard and supporting program in the next revision.

Based on market response to PCI P2PE version 2.0, the PCI Council is exploring minor modifications to make the standard more flexible and easier to use, such as adding more flexibility for component providers (e.g., Domains 1 and 6), and fine-tuning the listing process.

The 60-day PCI Point-to-Point Encryption version 2.0 comment period begins on 3 February 2017. Please visit the PO Portal to provide specific feedback on PCI Point-to-Point Encryption (P2PE) Standard version 2.0 and the supporting PCI P2PE Program.



New Best Practices for Securing E-commerce
Exponential online sales growth paired with the EMV chip migration in the US makes e-commerce payment security for merchants more important than ever before. Yesterday, the Council published Best Practices for Securing E-commerce which educates merchants on accepting payments securely through online platforms. This Special Interest Group guidance is an update to existing guidance originally published in 2013.

The Best Practices for Securing E-commerce information supplement includes practical recommendations and case studies to help merchants identify the best solution for their specific cardholder data environment. In addition to educating merchants, this latest resource from the Council also provides guidance for third party e-commerce service providers and assessors that support the ongoing security of e-commerce environments.

Read a Q&A with CTO Troy Leach on the guidance on the PCI Perspectives blog.

Visit the Special Interest Group page to learn how your organization can provide expertise and develop practical payment security resources for the industry.

 > Download Best Practices for Securing E-commerce



Ready to Run for the Board of Advisors?
You have 27 days left to nominate your organization for a seat on the Board of Advisors. So if you believe the best way to thwart cyber threats and improve payment security worldwide is to collaborate, share information and let industry drive solutions – submit your nomination.

If your company is tackling payment security in a new or innovative way; if your company sees payment security as a business project, not just an IT project – submit your nomination.

The Nomination period is open through 27 February 2017.

 > More information


Looking for a Reason to go to Cape Town?
Join us for the PCI Middle East and Africa Forum - a day focused on making payments safer. Engaging presentations will arm you with practical strategies for securing payment data. Networking opportunities will allow you to connect with industry leaders in the region. Mark your calendar for 29 March.

> Check out the agenda
> Register here
> Book your hotel room




Registration Open for the Asia-Pacific Community Meeting
This year the regional conference will be held 17-18 May in Bangkok, Thailand. We are building an exciting agenda and if you’d like to be considered for speaking role, please submit your topic and outline here. If you’re looking to reach decision makers in the region, consider a sponsorship or a booth space in the Vendor Showcase.

 > Register here
 > Call for Speakers


Welcome These New POs
In the past month, seven new companies have joined forces with the Council to secure payments. We hope to see you at an upcoming Community Meeting!

Direct Line Insurance Group  UK
Dreamlab Technologies  Chile
Innervation Value Added Services South Africa
Iraq Electronic Gate for Financial Services  Iraq
TwistLock  California, USA
Western Washington University    Washington, USA


Do You Have Educational Goals for 2017?
Corporate Group Training helps you equip your team to build a more secure payment environment. Whether you have a group of industry veterans or are looking for basic awareness education, we can offer you a variety of classes to choose from:

  • One-day Awareness or PCI Professional training
  • Two-day Internal Security Assessor training

With Corporate Group Training, your organization gets a volume discount plus all the benefits of an instructor-led training class – at a time and place most convenient for you and your staff or customers.

But don’t take our word for it. Take a moment to read this case study featuring a former PCI Board member on the benefits of hosting an on-site training for your employees or your clients. 

 > More information



Merchant Payments Ecosystem 2017
16 Feb – Berlin, Germany
Presenter: Jeremy King

Travel Technology Europe Show
22 Feb – Olympia, London
Presenter: Jeremy King

14 March – Buenos Aires, Argentina
Presenter: Carlos Caetano

MAC Conference
22 March – Las Vegas, NV
Presenter: Troy Leach

PCI Middle East & Africa Forum
29 March – Cape Town, South Africa

Stay up to date with PCI Security Standards Council! Follow us today.

linkedin-rounded.png twitter-rounded.png blog-rounded.png