Comsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar

Page 1: PCI DSS v3.2 - Overview and Summary of Changes

Welcome

Page 2: Your Hosts

PCI DSS v3.2 - Overview and Summary of Changes

Nadav Shatz, QSA - Managing Director, Comsec UK

• Cyber Security professional with more than 15 years of experience

• Led complex Cyber and PCI Security engagements with high profile clients across the globe

Ariel Ben Harosh, QSA - PCI Program Manager, Comsec UK

• Performed more than 100 PCI assessments

• 8 years of PCI experience across a broad spectrum of industries

• One of the first QSAs to hold the P2PE standard accreditation

• 30 years: Established in 1987, Comsec has nearly three decades of experience in all aspects of information security.

• 150 consultants: Allows us to deliver a broad spectrum of services and to provide a uniquely flexible service level.

• 600 clients: From blue chip companies to start-ups, Comsec has deep sector expertise in most verticals and an unparalleled understanding of our clients' business environment.

• 22 countries: With offices in London and Rotterdam and an excellence centre in Tel Aviv, Comsec is able to deliver global impact through local presence spanning 22 countries and five continents.

Page 3: What we are going to cover

PCI 2016 Timeline

• Timeline and Effective Dates

• Coming soon in 2016

DSS v3.2 Detailed Changes Overview

• Detailed overview of new and updated requirements in PCI DSS v3.2

v3.2 Special Focus Areas

• Change highlights and new requirements

• Special focus: Multi-Factor Authentication and Service Providers

Why change, why now?

• PCI DSS update process

• Background for updating to v3.2

Page 4: PCI DSS Update Process

Page 5: PCI DSS v3.2 - Why Now?

• Changing payment and threat environment

• General improvement of requirements through clarifications and guidelines

• Feedback from industry

• Address trends in breach reports

Page 6: Three Types of Changes

New Requirements

• Multi-Factor Authentication

• Service Provider Requirements

• PAN Display

• Change Control Process

Incorporated Guidance

• Incorporate DESV (Designated Entities Supplemental Validation) requirements

• Additional requirements for entities using SSL/Early TLS

Clarifications

• Added clarifications to specific requirements, provide additional guidance, general polishing.

Page 7: PCI DSS v3.2 - New requirements

At a glance

1. Expanded Multi-Factor Authentication requirements

2. Additional requirements for Service Providers

3. Updated PAN Display requirement

4. New Change Control requirement

Page 8: Multi-Factor Authentication

Requirement 8.3 – Multi-Factor Authentication

• Now required for personnel with administrative access to the CDE (internal and external)

• “Multi-factor” instead of “two-factor”

o Clarified correct terminology

o Does not change the intent of the original requirement - two or more factors may be used

• Still required for all remote access to the CDE

63% of confirmed data breaches involved leveraging weak/default/stolen passwords (Verizon DBIR 2016)

Page 9: Service Provider Requirements

5 New Requirements

• Requirement 3.5.1 - Documented description of the cryptographic architecture

• Requirement 12.4 - Establish a PCI DSS compliance program

• Requirement 10.8 - Detect and report on failures of critical security control systems

• Requirement 11.3.4.1 - Semi-annual penetration testing on segmentation controls

• Requirement 12.11 - Quarterly reviews to confirm personnel are following security policies

Page 10: Updated Requirement - PAN Display

Requirement 3.3 - PAN display

• Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see more than the first six/last four digits of the PAN.
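The masking rule in code, as an added example that is not part of the webinar or Comsec's material: a masking function that can never expose more than the first six and last four digits, and a constructed role table (an assumption for illustration, not something the standard defines) standing in for the "legitimate business need" decision.

```python
import re

# PCI DSS 3.3 ceiling: at most the first six and last four digits of a PAN
# may ever be displayed; everything in between must be masked.
MAX_LEADING = 6
MAX_TRAILING = 4

# PANs issued by the card brands are 13 to 19 digits long.
_PAN_RE = re.compile(r"\d{13,19}")


def exposure_allowed(leading: int, trailing: int) -> bool:
    """True if showing `leading` first and `trailing` last digits stays within 3.3."""
    return 0 <= leading <= MAX_LEADING and 0 <= trailing <= MAX_TRAILING


def mask_pan(pan: str, leading: int = MAX_LEADING,
             trailing: int = MAX_TRAILING, fill: str = "X") -> str:
    """Return `pan` with only the permitted leading/trailing digits visible.

    Spaces and dashes used for on-screen formatting are stripped first so the
    mask covers the digits, not the separators.
    """
    digits = re.sub(r"[ -]", "", pan)
    if not _PAN_RE.fullmatch(digits):
        raise ValueError("input is not a 13-19 digit PAN")
    if not exposure_allowed(leading, trailing):
        raise ValueError("requested exposure exceeds the PCI DSS 3.3 maximum")
    hidden = len(digits) - leading - trailing
    return digits[:leading] + fill * hidden + digits[len(digits) - trailing:]


# Constructed role policy (an assumption for this example, not part of the
# standard): how many digits each role has a documented business need to see.
# Unknown roles fall back to the most restrictive view.
ROLE_EXPOSURE = {
    "fraud-analyst": (6, 4),   # BIN plus last four, the most 3.3 permits
    "call-centre": (0, 4),     # last four only, enough to confirm a card
    "default": (0, 4),
}


def display_pan(pan: str, role: str) -> str:
    """Mask `pan` according to the viewer's role."""
    leading, trailing = ROLE_EXPOSURE.get(role, ROLE_EXPOSURE["default"])
    return mask_pan(pan, leading, trailing)


if __name__ == "__main__":
    # Constructed test PAN; "4111 1111 1111 1111" is not a live card number.
    for role in ("fraud-analyst", "call-centre", "intern"):
        print(f"{role:>14}: {display_pan('4111 1111 1111 1111', role)}")
```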

Page 11: New Requirement - Change Control Process

Requirement 6.4.6 – Change Control

• Upon completion of a significant change, all relevant PCI DSS requirements must be implemented on all new or changed systems and networks, and documentation updated as applicable.

Page 12: Incorporating Recent Guidance (as new Appendices)

1. Additional requirements for entities using SSL/Early TLS (June 30, 2018)

2. DESV (Designated Entities Supplemental Validation) requirements

Page 13: PCI DSS v3.2 Timeline and Effective Dates

April 2016

• PCI DSS v3.2 published

• Both PCI DSS versions 3.1 and 3.2 are effective

31st Oct 2016

• PCI DSS 3.1 is retired (6 months after 3.2 release)

• PCI DSS assessments must use v3.2

1st February 2018

• New requirements effective

• New requirements are considered best practice until this date

Page 14: PCI DSS Coming Soon in 2016

• Effective Daily Log Monitoring SIG Information Supplement

• PA-DSS v3.2 – May 2016

• Payment security guidance for SMBs – Summer 2016

Page 15: Questions

Page 16: Stay in Touch

[email protected]

www.comsecglobal.com

Join us at PCI London 2016! 28th June 2016

Page 17: PCI Compliance - Innovation, Knowledge & Experience to Keep You Ahead of the Curve

Through our engagements with leading financial sector organisations we have seen directly the impact of the evolving cyber-threat landscape and witnessed a sharp increase in the sophistication and extent of attacks on financial institutions.

True Partnership

Comsec adopts a partnership approach to PCI. Our unique advantage stems from our ability to provide the end-to-end support and guidance you require to achieve PCI compliance.

Unrivalled Experience

Our approach to PCI compliance leverages years of experience and successful collaboration with over 100 PCI clients across the globe. Our QSA flexibility and consistency are two of the fundamental principles for any PCI engagement Comsec performs.

[email protected]