Understanding SAQ types for PCI DSS

The PCI DSS self-assessment questionnaires (SAQs) are validation tools intended to assist merchants and service providers to report the results of their PCI DSS self-assessment. The different SAQ types are shown in the table below to help you identify which SAQ best applies to your organization. Detailed descriptions for each SAQ are provided within the applicable SAQ.

Type Description
SAQ A Card-not-present merchants. For merchants that outsource their entire card data processing to validated third parties. This includes e-commerce merchants and mail/telephone order merchants. Nearly all online merchants aim for SAQ A, because it is the simplest, least time-consuming assessment.
SAQ A-EP E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Applicable only to e-commerce channels.
SAQ B Merchants using only:
• Imprint machines with no electronic cardholder data storage; and/or
• Standalone, dial-out terminals with no electronic cardholder data storage.
Not applicable to e-commerce channels.
SAQ B-IP Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage.
Not applicable to e-commerce channels.
SAQ C-VT Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. Not applicable to e-commerce channels.
SAQ C Merchants with payment application systems connected to the Internet, no electronic cardholder data storage.
Not applicable to e-commerce channels.
SAQ P2PE-HW Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage.
Not applicable to e-commerce channels.
SAQ D SAQ D for Merchants: All merchants not included in the descriptions for the above SAQ types.
SAQ D SAQ D for Service Providers: All service providers defined by a payment brand as eligible to complete a SAQ.

[source: pcisecuritystandards.org]

How to disable SSL and TLSv1&1.1 on F5 LTM for VMware iApp

Due to cybersecurity compliance requirements, we had to disable insecure SSL and TLS protocol versions. Our infrastructure consists of VMware multi-tenants and F5 LTM as the ADC (Application Delivery Controller). Since the UAGs (Unified Access Gateway) sit behind the F5 LTM, the configuration changes need to be done on the F5 ADC.

There was no proper article written specifically for this purpose. So, I thought of sharing this with the community. Let’s look at the steps involved in the configuration change. 

  • From the configuration utility, navigate to Local Traffic > Profiles > SSL > Client
  • Select the Client SSL profile used by the virtual server, then switch the view to Advanced

  • We need to change 2 fields (Ciphers and Enabled Options)
  • Under the Ciphers, select Cipher Suites
  • In Cipher Suites, you need to change the value to DEFAULT:!RC4:!MEDIUM:@STRENGTH
  • Then, under the Enabled Options select only No TLSv1.3, No TLSv1.1, and No TLSv1 (refer to the below image)

  • Once you confirm the values, you may save the changes and test the access. 
  • If you need to confirm the security settings and collect evidence, you can simply test the URL with SSL Labs
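For hosts that SSL Labs cannot reach (an internal virtual server, for example), here is an added Python check that is not part of the original post: it pins a handshake to each protocol version in turn and compares the result with the intended policy. Because the steps above also select No TLSv1.3, only TLS 1.2 should remain, which is what the policy below assumes; the host name in the usage section is a placeholder.

```python
import socket
import ssl

# Versions the ssl module can pin a handshake to (SSLv3 cannot be pinned on
# modern OpenSSL builds, so it is not probed here).
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
# With No TLSv1, No TLSv1.1 and No TLSv1.3 selected, only TLS 1.2 should remain.
ALLOWED = {"TLSv1.2"}


def probe_version(host, port, version, timeout=5.0):
    """True if the server completes a handshake pinned to `version`,
    False if it refuses, None if this client itself cannot speak it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # we test protocol support, not the certificate
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        if version < ssl.TLSVersion.TLSv1_2:
            # Modern OpenSSL rejects TLS 1.0/1.1 at its default security level;
            # lower it so a refusal comes from the server, not from our client.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except OSError:  # ssl.SSLError, refused connections and timeouts
        return False


def assess(results, allowed=ALLOWED):
    """Compare probe results with the policy; an empty list means compliant."""
    findings = []
    for name, accepted in results.items():
        if accepted and name not in allowed:
            findings.append(f"{name} is still accepted but should be disabled")
        elif accepted is False and name in allowed:
            findings.append(f"{name} is refused but is expected to be enabled")
    return findings


if __name__ == "__main__":
    host = "uag.example.internal"  # placeholder: your virtual server's FQDN
    results = {n: probe_version(host, 443, v) for n, v in VERSIONS.items()}
    print(results, "findings:", assess(results) or "none")
```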