Click here to load reader

Thoughts on PCI DSS 3 - isaca.org IT... · Thoughts on PCI DSS 3.0 D. Timothy Hartzell CISSP, CISM, QSA, PA-QSA Associate Director

  • View
    216

  • Download
    0

Embed Size (px)

Text of Thoughts on PCI DSS 3 - isaca.org IT... · Thoughts on PCI DSS 3.0 D. Timothy Hartzell CISSP, CISM,...

  • Thoughts on PCI DSS 3.0

    D. Timothy Hartzell CISSP, CISM, QSA, PA-QSAAssociate Director

  • 2013 Protiviti Inc. CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.

    2

    Agenda

    4 PCI DSS Version 3.0: ChangesPCI DSS Version 3.0: Changes

    PCI DSS OverviewPCI DSS Overview2

    Global Payment Card Statistics and TrendsGlobal Payment Card Statistics and Trends1

    PCI DSS Version 3.0: Important TimelinesPCI DSS Version 3.0: Important Timelines3

    5 Next Steps & QuestionsNext Steps & Questions

  • 2013 Protiviti Inc. CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.

    3

    Global Payment Card Statistics

    Issuers, merchants, and acquirers of credit, debit, and prepaid general purpose and private label payment cards worldwide experienced gross fraud losses of $11.27 billion in 2012, up 14.6% over the prior year, according to The Nilson Report, a leading payment industry newsletter. Of that $11.27 billion, card issuers lost 63% and merchants and acquirers lost the other 37%.

    Fraud as percentage of total volume was lowest for PIN-based debit networks worldwide at 1.10 per $100 in total volume. The global brand cards Visa, MasterCard, American Express, UnionPay, Diners Club, and JCB averaged fraud losses of 6.13 for every $100 in total volume.

    Card issuer losses occur mainly at the point of sale from counterfeit cards. Issuers bear the fraud loss if they give merchants authorization to accept the payment.

    Merchant and acquirer losses occur mainly on card-not-present (CNP) transactions on the Web, at a call center, or through mail order because issuers can chargeback fraudulent transactions.

    Source: http://www.nilsonreport.com/publication_chart_and_graphs_archive.php

    Need for the Payment Card Industry Data Security Standard (PCI DSS)

  • 2013 Protiviti Inc. CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.

    4

    PCI DSS Overview

    The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that store , process or transmit credit card information maintain a secure environment.

    The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that store , process or transmit credit card information maintain a secure environment.

    The Payment Card Industry Data Security Standard (PCI DSS)

    About PCI DSS

    The PCI DSS is administered and managed by the PCI Security Standards Council (SSC), an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB.).

    PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accept, transmit or store any cardholder data. Said another way, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply.

    Source: http://www.pcicomplianceguide.org/pcifaqs.php#2

    U.S. Purchase Volume - Consumer vs. Commercial Cards

  • 2013 Protiviti Inc. CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.

    5

    PCI DSS Version 3.0 Aims and Objectives

    Address emerging and evolving

    threats to cardholder data

    security by clarifying existing

    requirements;

    Provide additional guidance on how

    to comply with the standard;

    Introduce new requirements to

    bring the standard in line with

    emerging threats and changes in the

    market

    Aims and Objectives

    PCI DSS Version 3.0

    Source: INFORMATION TECHNOLOGY FLASH REPORT-Understanding PCI DSS Version 3.0 Key Changes and New Requirements

    Earlier this year, the PCI Security Standards Council (PCI SSC) announced the release of a new version of the PCI Data Security Standard (PCI DSS) Version 3.0. The new version aims to do the three things:

  • 2013 Protiviti Inc. CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.

    6

    PCI DSS Version 3.0: Important Timelines

    Sep, 2013

    The detailed Summary of Changes and draft

    versions of the Standards was shared

    with Participating Organizations and the

    assessment community

    Sept, 2013

    Discussion at the North American

    Community Meeting in Las Vegas on 24-

    26 September. Jan 1, 2014

    Effective date of version 3.0

    of the Standard

    Nov, 2013

    Introduction of PCI DSS

    Version 3.0

    Source: Data Security Standard and Payment Application Data Security Standard: Version 3.0 Change Highlights

    Recognizing that additional time may be necessary to implement some of these sub-requirements, the Council has given companies that process payment cards a full year to comply with the new standard. During 2014, both versions 2.0 and version 3.0 are available and companies can validate to either version.

    June 30, 2015

    Some of the Sub-requirements for 12 core security areas

    will remain best practices

    Dec 31, 2014Version 2.0 will sunset and only version 3.0 will

    be valid for validations in

    2015

  • 2013 Protiviti Inc. CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.

    7

    PCI DSS Version 3.0: Changes Overview

    The core 12 security areas remain the same, but the updates include several new sub-requirements that did not exist previously.

    The updated standards will help organizations not by making the requirements more prescriptive, but by adding more flexibility and guidance for integrating card security into their business-as-usual activities.

    The changes will provide increased stringency for validating that these controls have been implemented properly, with more rigorous and specific testing procedures that clarify the level of validation the assessor is expected to perform.

    Overall, the changes are designed to give organizations a strong but flexible security architecture with principles that can be applied to their unique technology, payment, and business environments.

    Source: Data Security Standard and Payment Application Data Security Standard: Version 3.0 Change Highlights

    The new standard Version 3 has brought with it policy and procedural changes that will impact the security of the entire electronic payment ecosystem.

  • 2013 Protiviti Inc. CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.

    8

    ChallengeAreas

    1Lack of education and awareness around payment security

    2 Weak passwords, authentication

    3 Third-party security challenges

    4 Slow self-detection, malware

    PCI DSS Version 3.0: Change Drivers

    5 Inconsistency in assessments

    Common challenge areas and drivers for change include:

    Source: Data Security Standard and Payment Application Data Security Standard: Version 3.0 Change Highlights

  • 2013 Protiviti Inc. CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.

    9

    Updated Versions Of PCI DSS: Focus Areas

    Provide stronger focus on some of the greater risk areas in the threat environment

    Provide increased clarity on PCI DSS requirements

    Build greater understanding on the intent of the requirements and how to apply them

    Improve flexibility for all entities implementing, assessing, and building to the standard

    Drive more consistency among assessors

    Help manage evolving risks / threats

    Align with changes in industry best practices

    Clarify scoping and reporting

    Eliminate redundant sub-requirements and consolidate documentation

    Source: https://www.pcisecuritystandards.org/documents/DSS_and_PA-DSS_Change_Highlights.pdf

  • 2013 Protiviti Inc. CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.

    10

    PCI DSS 3.0 Compliance Changes

    The 5 New Requirements

    8.5.1 Unique authentication credentials for service providers with access to customer environments

    6.5.10 Broken authentication and session management

    12.9 Additional requirement for service providers on data security

    11.3 Developing and implementing a methodology for penetration testing

    9.9 Protection of point-of-sale (POS) devices from tampering

    Version 3 of the PCI DSS includes five new requirements that are to be considered best practices until they officially become compliance requirements in mid-2015.

    Source: http://www.tripwire.com/state-of-security/regulatory-compliance/will-pci-dss-v3-0-affects-organization/

  • 2013 Protiviti Inc. CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.

    11

    Notable Most Notable

    Specifically, scoping has been clarified to indicate that system components include, Any component or device located within or connected to the [cardholder data environment].

    The new language also states that the PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment

    Additionally, a new requirement has been added requiring that if segmentation is used, penetration testing procedures are designed to test all segmentation methods to confirm they are operational and effective, and isolate all out-of-scope systems from in-scope systems.

    As further clarity, the standard states that, To be considered out of scope for PCI DSS, a system component must be properly isolated (segmented) from the CDE such that even if the out-of-scope system component was compromised it could not impact the security of the CDE.

    The additional focus on connected systems likely expands (potentially greatly) the number of systems considered in-scope for many organizations. For example, in most networks using Windows Activity Directory security, a compromise of systems outside the CDE could impact the CDE and then could be considered in-scope for the PCI assessment.

    PCI DSS Version 3.0: Most Notable Changes (1/3)

    A Higher Bar to Achieve Segmentation

    Source: INFORMATION TECHNOLOGY FLASH REPORT-Understanding PCI DSS Version 3.0 Key Changes and New Requirements

  • 2013 Protiviti Inc. CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.

    12

    Notable Most NotablePCI DSS Version 3.0: Most Notable Changes (2/3)

    PCI DSS 3.0 offers a new definition of system components: System components include systems that may impact the security of the CDE (for example web redirection servers).

    Up until now, web servers had been considered out-of-scope if they used iFrames, hosted payment pages or other redirection technologies to prevent cardholder data from touching the merchants systems.

    Under the new standard, all of these servers fall in-scope and, due to the new segmentation requirement, likely bring the rest of a companys network into scope as well.

    The only out for companies that lack the ability to ensure the security of web servers internally remains fully outsourcing the web infrastructure.

    Hosted Payment Pages Are No Longer A silver bullet

    The new standard requires larger samples. Specifically, Samples of system components must include every type and combination that is in use. For example, where applications are sampled, the sample must include all versions and platforms for each type of application.

    Larger Samples

    Source: INFORMATION TECHNOLOGY FLASH REPORT-Understanding PCI DSS Version 3.0 Key Changes and New Requirements

  • 2013 Protiviti Inc. CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.

    13

    Notable Most NotablePCI DSS Version 3.0: Most Notable Changes (3/3)

    For merchants undergoing a third party assessment or Level 1 merchants that self assess, the level of effort in the validation process is likely to increase.

    Larger Samples

    POS Physical Controls

    In response to recent attacks in which POS devices have been physically modified to capture card holder data, there is a new set of control requirements around physical security for POS devices.

    First, merchants must maintain an inventory of POS devices, which must be identified in detail, including the location and serial number of each device.

    Additionally, POS devices must be inspected periodically for tampering, and employees at POS locations must be trained in how to detect and prevent device tampering.

    Source: INFORMATION TECHNOLOGY FLASH REPORT-Understanding PCI DSS Version 3.0 Key Changes and New Requirements

  • 2013 Protiviti Inc. CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.

    14

    PCI DSS Version 3.0: Other Changes (1/3)

    Default accounts The previous requirement stated only that default passwords should not be used.

    Default accounts The previous requirement stated only that default passwords should not be used.

    Default accounts have to be disabled or removed whenever possible

    Default accounts have to be disabled or removed whenever possible

    Inventory of system components Companies must maintain an inventory of system components that are in-

    scope for PCI DSS

    Inventory of system components Companies must maintain an inventory of system components that are in-

    scope for PCI DSSThis will support effective scoping practices This will support effective scoping practices

    Disk encryption Logical access must be managed separately and independently of native operating system

    authentication and access control mechanisms

    Disk encryption Logical access must be managed separately and independently of native operating system

    authentication and access control mechanisms

    Active Directory credentials may no longer be acceptable to manage disk encryption

    Active Directory credentials may no longer be acceptable to manage disk encryption

    Split knowledge/dual control For manual clear-text operations, two people are required to perform any key-

    management operations (such as rotating keys).

    Split knowledge/dual control For manual clear-text operations, two people are required to perform any key-

    management operations (such as rotating keys).

    This would mean not only that knowledge of the key must be split, but also that the account that provides access to

    any key management functionality must also be split

    This would mean not only that knowledge of the key must be split, but also that the account that provides access to

    any key management functionality must also be split

    PCI DSS Update Implications

    1

    4

    3

    2

    Source: INFORMATION TECHNOLOGY FLASH REPORT-Understanding PCI DSS Version 3.0 Key Changes and New Requirements

    In PCI DSS 3.0, there are updates that, while less likely to impact the payment processing structure significantly within organizations, are still noteworthy:

    Notable Most Notable

  • 2013 Protiviti Inc. CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.

    15

    Notable Most Notable

    PCI DSS Update Implications

    5

    8

    7

    6

    Custom developers Procedures for secure development and code review now applies to all software developed internally as well as custom

    software developed by a third party.

    Custom developers Procedures for secure development and code review now applies to all software developed internally as well as custom

    software developed by a third party.

    This means that any developers with whom a company works will need to be required contractually to comply

    with the updated PCI standard

    This means that any developers with whom a company works will need to be required contractually to comply

    with the updated PCI standard

    Vulnerability scans dont meet requirements for web application security

    Vulnerability scans dont meet requirements for web application security

    PCI DSS 3.0 makes this clear vulnerability scans are not sufficient

    PCI DSS 3.0 makes this clear vulnerability scans are not sufficient

    Service providers must use a unique password for each customer This applies only to Service Providers

    Service providers must use a unique password for each customer This applies only to Service Providers

    Many of Service provider still use the same password for the service account for every customer. This is not

    permitted after June 30, 2015

    Many of Service provider still use the same password for the service account for every customer. This is not

    permitted after June 30, 2015

    Unique certificates Merchants who use certificates, smart cards or tokens must ensure these security items

    are unique and tie to an individual account

    Unique certificates Merchants who use certificates, smart cards or tokens must ensure these security items

    are unique and tie to an individual account

    If employees were to swap tokens, they would not be able to log on

    If employees were to swap tokens, they would not be able to log on

    Inventory of wireless access points Inventory of wireless access points Merchants and SPs must maintain an inventory of

    authorized wireless access pointsalong with a business justification for each

    Merchants and SPs must maintain an inventory of authorized wireless access points

    along with a business justification for each9

    PCI DSS Version 3.0: Other Changes (2/3)

    Source: INFORMATION TECHNOLOGY FLASH REPORT-Understanding PCI DSS Version 3.0 Key Changes and New Requirements

  • 2013 Protiviti Inc. CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.

    16

    More frequent risk assessmentsMore frequent risk assessments Now be performed upon any significant changes to the environment, as well as annuallyNow be performed upon any significant changes to the

    environment, as well as annually

    Expansion of service providers required to be in compliance The new standard expands this

    requirement to include all Service Providers that could affect the security of the cardholder data.

    Additionally, companies must maintain information on which PCI DSS requirements are managed by each SP

    and which are managed by the company.

    Expansion of service providers required to be in compliance The new standard expands this

    requirement to include all Service Providers that could affect the security of the cardholder data.

    Additionally, companies must maintain information on which PCI DSS requirements are managed by each SP

    and which are managed by the company.

    This expansion adds many more Service Providers to the list, including custom developers, hosting providers and

    managed security service providers

    This expansion adds many more Service Providers to the list, including custom developers, hosting providers and

    managed security service providers

    PCI DSS Update Implications

    10

    11

    PCI DSS Version 3.0: Other Changes (3/3)

    Source: INFORMATION TECHNOLOGY FLASH REPORT-Understanding PCI DSS Version 3.0 Key Changes and New Requirements

    Notable Most Notable

  • 2013 Protiviti Inc. CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.

    17

    Key Takeaways

    The bar for Segmentation is

    raised

    Point-to-pointencryption as a more valuable

    scope reduction strategy

    This technology encrypts card data at the point of swipe and maintains that encryption all the way to the processor such that the merchant cannot ever decrypt the data.

    Use of point-to-point encryption remains one of the most effective ways to reduce PCI scope.

    Merchants and service providers alike will require time to address these new requirements and expanded scoping.Merchants and service providers alike will require time to address these new requirements and expanded scoping.

    1

    Nevertheless, those entities that are able to implement the new rules effectively can gain competitive advantage and ensure better protection of personal payment information, as well as avoid serious reputational harm caused by unauthorized exposure of customers credit card data..

    Nevertheless, those entities that are able to implement the new rules effectively can gain competitive advantage and ensure better protection of personal payment information, as well as avoid serious reputational harm caused by unauthorized exposure of customers credit card data..

    2

    3

    The changes in PCI DSS 3.0 are likely to result in significant additional effort for companies processing credit card payments

    Source: INFORMATION TECHNOLOGY FLASH REPORT-Understanding PCI DSS Version 3.0 Key Changes and New Requirements

  • 2013 Protiviti Inc. CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.

    18

    Next Steps

    Be aware, changes are here

    Gap assess against new requirements Especially around scope!

    Continue to monitor the PCI SSC website for updates and clarification

    Look for reporting templates and information supplements

    Ask your QSA for their interpretation of each new information supplement as it relates to your environment -remember these are immediately effective

  • 2013 Protiviti Inc. CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.

    19

    Questions

  • 2013 Protiviti Inc. CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.

    20

    Confidentiality Statement and Restriction for Use

    This document contains confidential material proprietary to Protiviti Inc. ("Protiviti"), a wholly-owned subsidiary of Robert Half ("RHI"). RHI is a publicly-traded company and as such, the materials, information, ideas, and concepts contained herein are non-public, should be used solely and exclusively to evaluate the capabilities of Protiviti to provide assistance to your Company, and should not be used in any inappropriate manner or in violation of applicable securities laws. The contents are intended for the use of your Company and may not

    be distributed to third parties.