Security Metrics Flashcards
(18 cards)
What does PCI mean?
Payment Card Industry
What does DSS mean?
Data Security Standard
SSC
Security Standards Council
System components that are likely in scope for your environment.
- Networking devices
- Servers
- Switches
- Routers
- Computing devices
- Applications
CDE
Cardholder Data Environment
SAQ
Self Assessment Questionnaire
How many different SAQ Types are there and what is the overriding distinction between them?
Nine.
It’s determined by the methods you use to accept, process, and store payments and card data.
What are some reasons I can use for the increase in PCI fee?
PCI DSS 4.0
- Enhanced to meet the security needs of the payments industry
- As technology progresses we reap benefits, but this is one of the drawbacks amongst all the benefits
- Enhance validation measures and procedures
- Authentication info is now required to be encrypted (pre-authorization); before, it was merely recommended
PAN
Primary Account Number
SAQ-A
- Card not present only
- Entirely outsourced
- No storage on site
- All handled by PCI DSS compliant 3rd party
- Card payments are via a re-direct to 3rd-party
SAQ A-EP
- Merchant only accepts e-commerce transactions
- All cardholder data, except the payment page, is outsourced to a 3rd party
- Your e-commerce website does not receive cardholder data but does redirect customers to the 3rd party
- Your company does not store, process, or transmit cardholder data on your systems or premises
- Any cardholder data your company retains is on paper, and not received electronically
SAQ B
- Company only uses a knucklebuster (manual imprint machine) or standalone dial-out terminals to take payment information
- The standalone, dial-out terminals are not connected to any other systems
- The standalone, dial-out terminals are not connected to the Internet
- CHD is stored on paper, not electronically
SAQ B-IP
- Standalone IP devices
- Standalone IP devices are not connected to any other systems in your environment
- Standalone IP device does not rely on any other device to connect to payment processor
- Your company does not store cardholder data electronically
- Paper receipts, no electronic receipts
SAQ C
- Your business has a payment app system and an internet connection on the same device
- The payment application isn’t connected to any other systems in your environment
- Paper-only cardholder data storage, not electronic storage
SAQ C-VT
- Your company only processes payments through a virtual payment terminal accessed by an internet-connected web browser
- Your company’s virtual terminal is hosted by a PCI DSS 3rd-party service provider
- Your computer is not connected to other locations or systems within your environment
- Your computer does not store cardholder data
- There is no attached hardware that captures or stores CHD
- Paper-only storage; CHD is not received electronically
- Your company does not store cardholder data in electronic format
SAQ P2PE
- All payments processed through a PCI P2PE solution approved and listed by the PCI SSC
- The POI (Point of Interaction) is the only device in the environment that holds electronic CHD
- No other device can hold cardholder data (paper storage okay)
- Receipts held are paper only, not electronic
- Your business has implemented all controls in P2PE Instruction Manual provided by P2PE Solution Provider
SAQ D (Merchants - there is also a “Service Providers” version)
- This is for merchants who don’t meet the criteria for any other SAQ type
- For merchants who store card info electronically and don’t use a P2PE-certified POS system
- May have elements of other SAQ types but also store data
PCI DSS 4.0
Upgraded from PCI DSS 3.2 to ensure the standard continues to meet the security needs of the payment industry, to promote security as a continuous process, and to enhance validation methods and procedures.