The PCI Council held the first of two “open mic” webinars today (Wednesday) for Participating Organizations. Since NACUBO is a Participating Organization, I was able to listen. There were a number of interesting questions (and answers) which I’ll try and summarize.
SAQ C-VT
The first question concerned the new SAQ C-VT for virtual terminals. It was noted that this SAQ is intended for merchants with a single laptop key-entering one transaction at a time. The Council reiterated that these merchants do not need external vulnerability scanning since their laptop is likely to move around and there would not be a static IP address. Also, these merchants are perceived as low risk. What was news was that if a merchant uses a stationary workstation, they would need vulnerability scanning.
A follow-up question picked up on this point, asking whether a merchant using a stationary terminal (not a portable, movable laptop) should instead use the regular SAQ C. Unfortunately the only answer we got was that the merchant needs to “ask your acquirer.” Since most acquirers (even when you find the right person) won’t be very familiar with the new SAQ C-VT, merchants will likely end up using their best judgment or ask their QSA (who quite possibly will be equally baffled). My recommendation for any campus in this situation is to use SAQ C or if you use C-VT get quarterly scanning, too.
Training
There will be a new “PCI Awareness Training” program providing a high level introduction to PCI. This program is in addition to the current ISA and QSA training offered currently. This is a good idea, and reinforces the Treasury Institute’s own program to provide PCI training to a wide audience.
The Council has posted the schedule for the first part of 2011 on its website. If you want to know about future dates, the only advice offered (unfortunately) was to keep checking the PCI COuncil website for updates.
PA-DSS
The Council reinforced that PA-DSS only applies to applications that meet all of the following: (1) store, process, or transmit cardholder data; (2) are used to perform authorization or settlement; and (3) are sold to third parties. That is, back office and other applications are not eligible for PA-DSS validation and should be included in your PCI assessment.
Bob Russo addressed the current backlog of PA-DSS approvals and promised that the turnaround time for approving new applications will be 3-4 weeks in 2011.
Miscellaneous
Bob and his colleagues addressed a number of other topics including:
· The Council has no plans to test or qualify Penetration Testers
· All PCI v2.0 documents are online and available for download
· Special Interest Groups (SIGs) are still looking for members to join
· Yes, Issuers are subject to PCI DSS, and the clarification mainly dealt with their need to retain sensitive authentication data such as security codes and PIN data
· If you use a QSA for an assessment, be sure to complete a QSA feedback form
· The Council will continue to update its Frequently Asked Questions (FAQ) list
There will be a recording of the session on the Council’s website soon. You might want to have a listen.