Defend against ransomware with new PCI resource guide
Version 3 ASV program documentation now available
Provide feedback on P2PE standard
New Best Practices for Securing E-commerce
Board of Advisors nomination period open through 27 February
Middle East and Africa Forum agenda available
Registration open for Asia-Pacific Community Meeting
Welcome new POs
Fulfill your 2017 educational goals
As always, if you have questions, concerns, or suggestions on how to improve this weekly communication for POs, please email us at: pcimonitor@pcissc.org.
PCI NEWS & PROGRAM UPDATES
New SAQ Updates
The PCI SSC has published minor updates to Self-Assessment Questionnaires (SAQs), the validation tools that eligible merchants and service providers use to report the results of their PCI Data Security Standard (PCI DSS) self-assessment. The changes clarify points of confusion we have heard from industry stakeholders since the SAQs were updated to align with PCI DSS version 3.2 in April 2016.
There is a transition period to allow merchants time to review changes to applicable SAQs and prepare to adopt them. Merchants may continue to use the SAQs published in April 2016 until 30 September 2017. Starting on 1 October 2017, merchants will need to use the updated SAQs. Prior to 1 October 2017, merchants can use either the April 2016 or the January 2017 version of the SAQs.
The PCI Council encourages you to review the key changes to these SAQs to understand and prepare for how you and/or your merchant customers may be impacted by these.
Ransomware costs SMBs an average of $2500 per attack. According to a recent survey, more than 50 percent of small and midsized businesses (SMB) have been victims of ransomware. Cybercriminals use this nasty type of malware to hold business-critical systems and data hostage until a sum of money is received.
Businesses using outdated software are just one click away from being infected by ransomware. 99% of computers use software that is vulnerable to ransomware attacks if not updated. Criminals bank on the fact that users are not regularly updating their software with patches they receive from vendors. They plant ransomware on websites and take advantage of software vulnerabilities to launch attacks on visitors using outdated software.
Updated ASV Program Documentation Now Available
Version 3.0 of the Approved Scanning Vendor (ASV) Program Guide and Qualification Requirements documents are now available. The updates are in response to feedback from the ASV, merchant/service provider and acquirer communities and focus on clarifying points of confusion in the ASV program documentation and aligning it more closely with PCI DSS v3.2 and other PCI SSC programs.
The ASV Program Guide describes the details and requirements for the ASV program, and applies to all Approved Scanning Vendors as well as all merchants/service providers obligated to comply with PCI DSS Requirement 11.2.2.
The ASV Qualification Requirements define the requirements and the agreement that all scanning companies must meet and adhere to in order to qualify (and remain in good standing) as Approved Scanning Vendors and to perform ASV scans for PCI Program purposes.
Feedback Requested on PCI P2PE Standard
PCI Standards are updated based on industry feedback.
The PCI Council is evaluating a potential update to the PCI Point-to-Point Encryption (P2PE) Standard in 2018, or sooner if necessary.
As a Participating Organization, your company has the opportunity to provide comments on changes you’d like to see made to the PCI P2PE standard and supporting program in the next revision.
Based on market response to PCI P2PE version 2.0, the PCI Council is exploring minor modifications to make the standard more flexible and easier to use, such as adding more flexibility for component providers (e.g., Domains 1 and 6), and fine-tuning the listing process.
The 60-day PCI Point-to-Point Encryption version 2.0 comment period begins on 3 February 2017. Please visit the PO Portal to provide specific feedback on PCI Point-to-Point Encryption (P2PE) Standard version 2.0 and the supporting PCI P2PE Program.
New Best Practices for Securing E-commerce
Exponential online sales growth paired with the EMV chip migration in the US makes e-commerce payment security for merchants more important than ever before. Yesterday, the Council published Best Practices for Securing E-commerce, which educates merchants on accepting payments securely through online platforms. This Special Interest Group guidance is an update to existing guidance originally published in 2013.
The Best Practices for Securing E-commerce information supplement includes practical recommendations and case studies to help merchants identify the best solution for their specific cardholder data environment. In addition to educating merchants, this latest resource from the Council also provides guidance for third party e-commerce service providers and assessors that support the ongoing security of e-commerce environments.
Visit the Special Interest Group page to learn how your organization can provide expertise and develop practical payment security resources for the industry.
Ready to Run for the Board of Advisors?
You have 27 days left to nominate your organization for a seat on the Board of Advisors. So if you believe the best way to thwart cyber threats and improve payment security worldwide is to collaborate, share information and let industry drive solutions – submit your nomination.
If your company is tackling payment security in a new or innovative way; if your company sees payment security as a business project, not just an IT project – submit your nomination.
The Nomination period is open through 27 February 2017.
Looking for a Reason to go to Cape Town?
Join us for the PCI Middle East and Africa Forum - a day focused on making payments safer. Engaging presentations will arm you with practical strategies for securing payment data. Networking opportunities will allow you to connect with industry leaders in the region. Mark your calendar for 29 March.
Registration Open for the Asia-Pacific Community Meeting
This year the regional conference will be held 17-18 May in Bangkok, Thailand. We are building an exciting agenda, and if you’d like to be considered for a speaking role, please submit your topic and outline here. If you’re looking to reach decision makers in the region, consider a sponsorship or a booth space in the Vendor Showcase.
Welcome These New POs
In the past month, seven new companies have joined forces with the Council to secure payments. We hope to see you at an upcoming Community Meeting!
Direct Line Insurance Group – UK
Dreamlab Technologies – Chile
Innervation Value Added Services – South Africa
Iraq Electronic Gate for Financial Services – Iraq
THECLOUD LIMITED – UK
TwistLock – California, USA
Western Washington University – Washington, USA
TRAINING
Do You Have Educational Goals for 2017?
Corporate Group Training helps you equip your team to build a more secure payment environment. Whether you have a group of industry veterans or are looking for basic awareness education, we can offer you a variety of classes to choose from:
One-day Awareness or PCI Professional training
Two-day Internal Security Assessor training
With Corporate Group Training, your organization gets a volume discount plus all the benefits of an instructor-led training class – at a time and place most convenient for you and your staff or customers.
But don’t take our word for it. Take a moment to read this case study featuring a former PCI Board member on the benefits of hosting an on-site training for your employees or your clients.