

October 2023
In this Issue:

PCI News & Program Updates

• Join Us at the Upcoming 2023 PCI SSC Asia-Pacific Community Meeting
• Connect on the PCI Community Job Board
• Help Improve the PCI SSC Mobile App by Taking a Quick Survey!
• Paving the Way: Inspiring Women in Payments Featuring Ruth Barra
• Coffee with the Council Podcast: A Panel Discussion from India featuring Nitin Bhatnagar
• PFI Appendix A Submission to Payment Brands
• Secure Software Lifecycle Standard RFC
• Europe Community Meeting SSF Assessor Roundtable Recap
• PCI DSS v4.0: Document Updates
• Common Misses Detected During Pre-Screening
• Eligibility Criteria for Self-Assessment Questionnaires

FAQ of the Month

• FAQ #1331: Can SAQ eligibility criteria be used for determining applicability of PCI DSS requirements for assessments documented in a Report on Compliance?

Participation Opportunities

• Upcoming Nomination Period - PCI SSC Brazil Regional Engagement Board
• 5 Great Reasons to Attend a 2023 PCI SSC Community Meeting
• Limited Space Left to Sponsor or Exhibit at the 2023 PCI SSC Community Meetings

Training

• Upcoming In-Person Training Opportunities in the Asia-Pacific Region
• Register for PCI SSC Knowledge Training
• Take Work From Home Security Awareness Training
• Instructor-led Corporate Group Training Available for Your Team

This newsletter is an estimated 17 minute read.

A Message from Wen Free, VP, North America

Hello, Assessors!
The Assessors and the Participants of the PCI community are among the finest people in the world. They truly are genuine, concerned, wise, and kind. What an honor to be a part of such a longstanding organization whose mission is to keep information true and secure.

In a discussion recently, the comment “What do you do?” was asked. Putting the standard answer aside I said, “my goal is to be the best representative of the payments data security community.”

When I ask those in the data security community, “what do you see that can be improved in your focus for keeping data secure?”, I get all kinds of comments and suggestions but the one that sits with me longest is “how can we make MULTI-FACTOR AUTHENTICATION as common as username/password?”

Indeed, MFA won’t solve all of the world’s problems, but it seems to be a powerful step for the masses. If a vast number of users would adopt MFA there would be a noticeable change in the security of payment data. Keeping data protected is easy, keeping data secure is altogether a different challenge. Think about it and please accept the challenge.

Wen Free

VP, North America

PCI News & Program Updates

Join Us at the Upcoming 2023 PCI SSC Asia-Pacific Community Meeting

We invite you and your colleagues to attend the 2023 PCI SSC Asia-Pacific Community Meeting! Learn more about the latest updates and technologies in the payment card industry, network with industry colleagues, and connect with the vendors and sponsors.

You won't want to miss our inspiring keynote speaker Khoo Swee Chiow and other great sessions including:

• Asia-Pacific Regional Update
• PCI SSC - Where We Are Going And How We Are Getting There
• PCI SSC Mobile Security and Solutions Standards Update
• Our “Key” Experience in PIN Security / P2PE / FIPS 140-3
• Compliance is a Program, Not a Project
• Evolution of Payment Landscape In Asia and Its Implication Globally

While in Kuala Lumpur, take advantage of in-person training opportunities, reserve a booth in the vendor showcase or become an exhibitor. Be sure to book your hotel soon as rooms are filling quickly.

Did you know this event is open to the entire payment card industry? Let your payments industry colleagues know they are welcome to attend, even if they are not a PCI SSC stakeholder.

> Register for the Asia-Pacific Community Meeting

Connect on the PCI Community Job Board

In an effort to help connect the industry, the PCI SSC has launched a new PCI Community Job Board. Designed to be a centralized resource, the new website makes it easier for the payment industry to advertise its available jobs, while also giving payment security professionals an easy-to-use platform for finding those jobs.

The PCI Community Job Board is open to all companies and professionals involved in all sectors of global payment security, including merchants, service providers, developers, financial institutions, processors, assessors, and others who protect payment data.

> Read more on the blog

Help Improve the PCI SSC Mobile App by Taking a Quick Survey!

Did you know that PCI SSC has a mobile app? Whether you’ve used it yet or not, we want to hear from you so that we can continue to make the mobile app a valuable resource. We invite you to take a brief survey about your current mobile application usage and preferences. We value your feedback and are always seeking ways to improve the user experience.

> Take the survey


Paving the Way: Inspiring Women in Payments Featuring Ruth Barra

Ruth Barra knows that when you enter a career in technology, you will never know everything. You are, in fact, signing up for a lifetime of learning. However, one of the most important aspects of lifelong learning is having the benefit of mentorships. In this edition of our blog, Ruth explains how the sharing of knowledge and lessons learned can have a significant impact on both the mentor and the mentee.

> Read more on the blog

Coffee with the Council Podcast: A Panel Discussion from India featuring Nitin Bhatnagar

In this episode of Coffee with the Council, PCI SSC Regional Director of India and South Asia Nitin Bhatnagar hosts a panel discussion about the latest trends and challenges in India’s payment landscape with two prominent leaders from the payment industry, Ms. Anuprita Daga, CISO, YES BANK and Mr. Avs Prabhakar, Chief Risk and Compliance Officer, Zeta.

> Read the blog or listen to the podcast

PFI Appendix A Submission to Payment Brands

Please note that while the PCI SSC portal does require the completed Appendix A to be submitted with fields unlocked, that rule does not apply to the copies you may send to the Payment Brands along with your final report. In fact, in most cases, it is preferred to completely lock down the version sent to the Payment Brands so that no fields are editable. Please contact the affected payment brand(s) for their specific requirements.

Should you have any questions related to this request, please do not hesitate to reach out to the respective payment brand, and/or the PFI Program Manager at PFI@pcisecuritystandards.org.

> Visit the PCI SSC Portal


Secure Software Lifecycle Standard RFC

PCI SSC would like to thank everyone who participated in the Secure Software Lifecycle (Secure SLC) v1.1 RFC. The RFC, which ran from 15 August to 15 October, produced over 125 individual comments from 12 different organizations. Each feedback item will be evaluated and considered as part of the next revision of the Secure SLC Standard.

An RFC on the currently published version of the Secure Software Standard (version 1.2.1) is also planned and is expected to take place in Q1 or Q2 2024.

> Visit the RFC page

Europe Community Meeting SSF Assessor Roundtable Recap

PCI SSC recently held its second of two planned SSF Assessor Roundtable sessions at the Community Meeting in Dublin. Like the first SSF Assessor Roundtable session at the NACM in Portland, the EUCM session was well attended and represented. PCI SSC plans to present a summary of the discussion and feedback received during both sessions at the Q4 2023 SSF Assessor community call planned for mid-November.

PCI DSS v4.0: Document Updates

SAQ A-EP has been updated to remove the erroneous SAQ Completion Guidance at Requirement 11.6.1, as it is not applicable to SAQ A-EP merchants. The updated document, PCI DSS v4.0 SAQ A-EP Revision 2, can be found in the Document Library.

The following FAQs were published this month:

New:

• FAQ 1574 – If an organization provides software or functionality that runs on a consumer’s device (for example, a smartphone, tablet, or laptop) and is used to accept payment account data, can the organization store card verification codes for those consumers?

Updated:

• FAQ 1280 – Can card verification codes be stored for card-on-file or recurring transactions?
• FAQ 1283 – How do PCI standards apply to organizations that develop software that runs on a consumer’s device (for example, a smartphone, tablet, or laptop) and is used to accept payment card data?
• FAQ 1089 – How can hashing be used to protect Primary Account Numbers (PAN) and in what circumstances can hashed PANs be considered out of scope for PCI DSS?

> Visit the FAQ page

Common Misses Detected During Pre-Screening

What is pre-screening? Program Managers perform an initial quality check of the submission for consistency, completeness, and accuracy prior to sending the listing on to AQM for review. The pre-screening process helps ensure that all required documentation has been included and the submission requirements have been satisfied. More information about pre-screening can be found in each of the respective Program Guide(s).

Vendor Listing Submission reviews could be expedited by reducing errors in the initial submissions. Please review and consider the following common misses or errors identified during the pre-screening process. Be sure to incorporate a check for these into your internal QA processes:

• Consistency between the Portal and the listing documentation, e.g., ROV, ROC, P-ROV, AOV, VRA, and Remote Assessment Addendum:
  o Date of Report in the ROC, ROV, or P-ROV should match the Report of Completion Date in the Portal and the Report date in the AOV
  o POI devices and Validated Payment Applications
  o Dependencies
  o Tested operating systems including build/version
• The version of the applicable Standard must be consistent in the Portal and the assessment
• Signatures, signatures, signatures! Per FAQ 1481, Attestation documents, including AOCs, AOVs, and program-related attestations that are provided by the PCI SSC, require an assessor’s signature

Note: Acceptable forms of signature currently are wet signature (performed with ink) or PCI SSC-accepted electronic/digital signature (cryptographically protected, such as under the US Federal ESIGN Act, the Uniform Electronic Transactions Act (UETA), or European Union Regulation No 910/2014 on Electronic Identification, Authentication and Trust Services (eIDAS)).

With your help, submissions can complete the pre-screen process more expeditiously.

> Visit the PCI SSC Portal

Eligibility Criteria for Self-Assessment Questionnaires

Each Self-Assessment Questionnaire (SAQ) was created to support the assessment of a specific type of environment, depending on how the entity stores, processes, and/or transmits payment account data. The Self-Assessment Questionnaire Instructions and Guidelines v4.0 has recently been updated and published in the Document Library on the PCI SSC website.

With PCI DSS v4.0, there is a new SAQ as well as clarified eligibility criteria for existing SAQs. Organizations will need to review the eligibility criteria to understand which SAQ is right for them. For example, the new SAQ may be better aligned with an organization’s particular environment than the SAQ used previously. Similarly, an organization that previously completed one type of SAQ under PCI DSS v3.2.1 will need to review the updated eligibility criteria for that SAQ to determine whether it is still appropriate for their environment.

The intent of the eligibility criteria is to ensure that the environment is properly scoped and is suitable for validation against the subset of PCI DSS requirements contained in the SAQ. Environments not meeting the criteria will not be eligible for assessment against the particular SAQ, as they will likely be subject to additional or all PCI DSS requirements.

Please ensure Merchants consult with their acquirer (merchant bank) or the payment brands directly to determine which SAQ is appropriate for their environment.

Also remember, when documenting a PCI DSS assessment based on an SAQ, the assessor MUST include details in ROC Section 3.1 documenting how it was determined the assessed merchant meets ALL eligibility criteria for the applicable SAQ. Please refer to the recently updated FAQ 1331 for additional details regarding using SAQ eligibility criteria for determining applicability of PCI DSS requirements for assessments documented in a Report on Compliance.

For additional information regarding SAQ eligibility criteria, please refer to the following PCI SSC published guidance:

• FAQ 1443: What is the intent of the SAQ eligibility criteria?
• FAQ 1331 (recently updated): Can SAQ eligibility criteria be used for determining applicability of PCI DSS requirements for assessments documented in a Report on Compliance?
• SAQ Instructions and Guidelines (recently updated) available in the Document Library on the PCI SSC Website

The following diagram is from the PCI DSS Self-Assessment Questionnaire Instructions and Guidelines, v4.0 published September 2023, available in the Document Library on the PCI SSC website.

Please note: SAQ D for Service Providers is the ONLY SAQ option for SAQ eligible service providers. A service provider undergoing assessment for services it offers cannot “meet the eligibility criteria” of any SAQ except for SAQ D for Service Providers because that service provider is not a merchant.

Merchants may use any SAQ, including SAQ D. Each SAQ defines specific criteria that must be met in order to be eligible to use that SAQ.


> Visit the Document Library

FAQ of the Month


FAQ #1331: Can SAQ eligibility criteria be used for determining applicability of PCI DSS requirements for assessments documented in a Report on Compliance?

Service providers cannot use SAQ eligibility criteria to determine applicability of PCI DSS requirements for assessments documented in a Report on Compliance. The only acceptable SAQ for service providers is SAQ D for Service Providers. All other SAQs are intended for merchant use only.

Merchants with environments that fully meet all the eligibility criteria defined in a particular SAQ may use that SAQ as a reference to identify the applicable PCI DSS requirements for that environment. This approach must be clearly documented in the “Description of Scope of Work and Approach Taken” section of the ROC.

For PCI DSS v3.2.1, this includes the following:

• Identify the eligibility criteria for the applicable SAQ,
• For each criterion, document how the assessor verified that the merchant environment meets the criterion.

For PCI DSS v4.0, this approach is documented as specified in ROC Section 3.1.

The assessor will need to perform appropriate testing and validation to verify the non-applicability of any PCI DSS requirements. As an example: If an e-commerce merchant has a webserver using a URL redirect to a PCI DSS compliant third-party payment processor, the assessor will need to verify that the merchant environment, including the redirection method and the configuration of the webserver, meets all the eligibility criteria for SAQ A before they can consider using that SAQ for guidance. This would include verifying that the merchant accepts only card-not-present transactions, does not electronically store, process, or transmit any account data on its systems or premises, that all processing of account data is entirely outsourced to PCI DSS validated third-party service providers, and that all the other eligibility criteria for SAQ A are met.

Any PCI DSS requirements verified by the assessor to be not applicable should be reported as “Not Applicable” in accordance with instructions in the Report on Compliance (ROC) Template. Assessors should refer to the ROC Template and ROC Template FAQs for the version of the standard being used for relevant guidance.

If an environment meets some but not all eligibility criteria for a particular SAQ, then the SAQ should not be considered a relevant guide for applicability of requirements.

Merchants and service providers should always consult with their compliance accepting entity—such as their acquirer (merchant bank), payment brand, or other entity—to confirm their PCI DSS validation and reporting method. If a detailed assessment and ROC is the appropriate method, merchants meeting the eligibility criteria from an SAQ should also confirm that the approach outlined above is acceptable. Contact information for the payment brands can be found in FAQ #1142 How do I contact the payment card brands?

> View the FAQ

Participation Opportunities

Upcoming Nomination Period - PCI SSC Brazil Regional Engagement Board

Participating Organizations (which includes Affiliate Members) and Qualified Security Assessor Companies with a significant presence* in Brazil that are in good standing** have an opportunity to provide regional and industry expertise to the PCI SSC as a member of the Brazil Regional Engagement Board. Brazil Regional Engagement Board members will serve as advisors to the PCI SSC on payment data security issues in Brazil and represent the perspectives of PCI SSC and industry stakeholders in your region. Consider nominating yourself or someone from your organization for the PCI SSC Brazil Regional Engagement Board. The nomination period opens on 1 November 2023.

* For international companies to participate, nominees must be based in Brazil.

** Good standing means, with respect to a given PCI Program, being in compliance with the applicable rules and requirements of that PCI Program.

> More information


5 Great Reasons to Attend a 2023 PCI SSC Community Meeting

PCI SSC Community Meetings bring together the brightest minds in payment security. Don’t miss your opportunity to collaborate and learn about the latest developments in global payment security and in the PCI Security Standards this year in Kuala Lumpur, Malaysia.

The PCI SSC Community Meetings are open to all in the payments industry. We invite you to register to attend today!

5 Great Reasons to Attend a 2023 PCI SSC Community Meeting:

1. Grow Your Connections: These events are a perfect place to network with colleagues face-to-face, meet new industry members, and chat with members of the Council!
2. Gain Valuable Industry Insights: This year’s packed agendas offer terrific opportunities to gain knowledge on industry updates, trends, and standards. Your attendance allows you to bring meaningful solutions and ideas back to your own organization!
3. Attend a Training: Make the most of your experience and attend one of our several training courses offered onsite in Kuala Lumpur.
4. Get Your Unique Questions Answered: A prime benefit of attending the Community Meetings is having one-on-one access to PCI SSC executives and card brands. Ask questions about your unique environment in one-on-one conversations with the experts who know the standards best.
5. Generate Leads and Boost Brand Visibility: Face-to-face interaction cannot be beat when it comes to networking! Whether you are staffing a booth, or just visiting, the Vendor Showcase is a great way to build lasting business relationships and view product demonstrations, services and solutions!

> Read the blog post

> Register for the Asia-Pacific Community Meeting


Limited Space Left to Sponsor or Exhibit at the 2023 PCI SSC Community Meetings

There are only 3 spaces left in the Asia-Pacific Community Meeting Vendor Showcase! Exhibitors select their booth location in the order in which they sign up. Be sure to visit our website to reserve your spot in the Vendor Showcase. Limited space is available, so be sure to secure your booth space soon!

Sponsor the Community Meeting today:

• Networking Break - Provide a raffle prize and supply attendees with branded gifts during the sponsored break. The raffled prize is announced through the mobile app.
• Wellness Sponsor - Give attendees the opportunity to step away to relax and unwind with comfortable seating, low lighting, and relaxing music right in the Vendor Showcase Hall. - NEW

Download our 2023 PCI SSC Sponsorship Prospectus to review all of the sponsorship opportunities.

> Download the Sponsorship Prospectus

> Reserve your spot in the Vendor Showcase

Training

Upcoming In-Person Training Opportunities in the Asia-Pacific Region


Registration is open for in-person Qualified Security Assessor (QSA) and Internal Security Assessor (ISA) training in the Asia-Pacific region. These trainings will be delivered by a PCI SSC industry expert, and you will have the opportunity to interact with other industry experts as well as ask questions related to the content being delivered.

Kuala Lumpur Training Opportunities:

Maximize your training and travel budgets when you take training in Malaysia and attend the 2023 PCI SSC Asia-Pacific Community Meeting!

ISA Training:
Date: 9 - 10 November
Time: 9:00 - 17:30 GMT

> Enroll here

QSA Training:
Date: 13 - 14 November
Time: 9:00 - 17:30 GMT

> Enroll here

Melbourne Training Opportunities:

QSA Training:
Date: 27 - 28 November
Time: 9:00 - 17:30 AEDT

> Enroll here

ISA Training:
Date: 29 - 30 November
Time: 9:00 - 17:30 AEDT

> Enroll here

For more information, please contact administration@pcisecuritystandards.org.

> More information

Register for PCI SSC Knowledge Training


The PCI Security Standards Council is pleased to announce that registration is open for Knowledge Training. These training courses are designed to bridge the knowledge gap between organizations and assessors by helping learners speak the same language as the Assessor. In doing so, learners will be able to guide their organization through an assessment and any pre-work and work alongside the Assessor during an engagement, making for a much smoother, more efficient process for all involved. All P2PE, SSF, Card Production, 3DS and PIN assessor training classes are eligible for Knowledge Training.

Learn more by watching a video interview with Tracey Long, VP of Programs, or by visiting the Knowledge Training webpage.


> More information

Take Work From Home Security Awareness Training

The PCI SSC Working from Home Security Awareness Training course outlines many of the threats and challenges of handling and securing payment account data within home offices and remote working environments. This training also reinforces how following a PCI DSS compliant organization’s information security policies and requirements can help ensure that payment account data remains safe.

Geared to all audiences, including executives, managers, and staff who are affected by PCI DSS compliance requirements, this course is for anyone working from a home office or remote office environment who may handle payment account data or could affect the security of those individuals or environments that do.

> More information

Instructor-led Corporate Group Training Available for Your Team

Get your team trained together! We are pleased to offer all our PCI training programs in-person or via eLearning with remote exam for organizations wishing to train their teams remotely. Corporate Group Training offered as eLearning incorporates a combination of computer-based training as well as remote instructor-led training sessions with online exam.

> More information

Subscribe to the Blog

Keep up to date with PCI SSC blog notifications delivered straight to your email inbox. Subscribe here.

> Subscribe to the blog

Events

Informa Payments International 2023
15 November
Presenter: Jeremy King

PCI SSC Asia-Pacific Community Meeting
15 - 16 November

Australian Payments Network Summit
12 December
Presenter: Andrew Jamieson

> View all upcoming events

FAQ of the Month Archives

September 2023: FAQ 1573
August 2023: FAQ 1301
July 2023: FAQ 1572
June 2023: FAQ 1356
May 2023: FAQ 1569
April 2023: FAQ 1568
March 2023: FAQ 1564
February 2023: FAQ 1354
January 2023: FAQ 1562
November 2022: FAQ 1220
October 2022: FAQ 1561
September 2022: FAQ 1444

> View all FAQs

PCI Security Standards Council, LLC 401 Edgewater Place Suite 600 Wakefield, MA 01880