Thoughts on PCI DSS 3 - isaca.org IT... · Thoughts on PCI DSS 3.0 D. Timothy Hartzell CISSP, CISM, QSA, PA-QSA Associate Director

Thoughts on PCI DSS 3.0

D. Timothy Hartzell CISSP, CISM, QSA, PA-QSAAssociate Director

© 2013 Protiviti Inc. CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.

2

Agenda

4 PCI DSS Version 3.0: ChangesPCI DSS Version 3.0: Changes

PCI DSS OverviewPCI DSS Overview2

Global Payment Card Statistics and TrendsGlobal Payment Card Statistics and Trends1

PCI DSS Version 3.0: Important TimelinesPCI DSS Version 3.0: Important Timelines3

5 Next Steps & QuestionsNext Steps & Questions


3

Global Payment Card Statistics

• Issuers, merchants, and acquirers of credit, debit, and prepaid general purpose and private label payment cards worldwide experienced gross fraud losses of $11.27 billion in 2012, up 14.6% over the prior year, according to The Nilson Report, a leading payment industry newsletter. Of that $11.27 billion, card issuers lost 63% and merchants and acquirers lost the other 37%.

• Fraud as percentage of total volume was lowest for PIN-based debit networks worldwide at 1.10¢ per $100 in total volume. The global brand cards —Visa, MasterCard, American Express, UnionPay, Diners Club, and JCB — averaged fraud losses of 6.13¢ for every $100 in total volume.

• Card issuer losses occur mainly at the point of sale from counterfeit cards. Issuers bear the fraud loss if they give merchants authorization to accept the payment.

• Merchant and acquirer losses occur mainly on card-not-present (CNP) transactions on the Web, at a call center, or through mail order because issuers can chargeback fraudulent transactions.

Source: http://www.nilsonreport.com/publication_chart_and_graphs_archive.php

Need for the Payment Card Industry Data Security Standard (PCI DSS)


4

PCI DSS Overview

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that store , process or transmit credit card information maintain a secure environment.

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that store , process or transmit credit card information maintain a secure environment.

The Payment Card Industry Data Security Standard (PCI DSS)

About PCI DSS

The PCI DSS is administered and managed by the PCI Security Standards Council (SSC), an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB.).

PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accept, transmit or store any cardholder data. Said another way, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply.

Source: http://www.pcicomplianceguide.org/pcifaqs.php#2

U.S. Purchase Volume - Consumer vs. Commercial Cards


5

PCI DSS Version 3.0 Aims and Objectives

Address emerging and evolving

threats to cardholder data

security by clarifying existing

requirements;

Provide additional guidance on how

to comply with the standard;

Introduce new requirements to

bring the standard in line with

emerging threats and changes in the

market

Aims and Objectives

PCI DSS Version 3.0

Source: INFORMATION TECHNOLOGY FLASH REPORT-Understanding PCI DSS Version 3.0 – Key Changes and New Requirements

Earlier this year, the PCI Security Standards Council (PCI SSC) announced the release of a new version of the PCI Data Security Standard (PCI DSS) Version 3.0. The new version aims to do the three things:


6

PCI DSS Version 3.0: Important Timelines

Sep, 2013

The detailed Summary of Changes and draft

versions of the Standards was shared

with Participating Organizations and the

assessment community

Sept, 2013

Discussion at the North American

Community Meeting in Las Vegas on 24-

26 September. Jan 1, 2014

Effective date of version 3.0

of the Standard

Nov, 2013

Introduction of PCI DSS

Version 3.0

Source: Data Security Standard and Payment Application Data Security Standard: Version 3.0 Change Highlights

Recognizing that additional time may be necessary to implement some of these sub-requirements, the Council has given companies that process payment cards a full year to comply with the new standard. During 2014, both versions 2.0 and version 3.0 are available and companies can validate to either version.

June 30, 2015

Some of the Sub-requirements for 12 core security areas

will remain best practices

Dec 31, 2014Version 2.0 will sunset and only version 3.0 will

be valid for validations in

2015


7

PCI DSS Version 3.0: Changes Overview

The core 12 security areas remain the same, but the updates include several new sub-requirements that did not exist previously.

The updated standards will help organizations not by making the requirements more prescriptive, but by adding more flexibility and guidance for integrating card security into their business-as-usual activities.

The changes will provide increased stringency for validating that these controls have been implemented properly, with more rigorous and specific testing procedures that clarify the level of validation the assessor is expected to perform.

Overall, the changes are designed to give organizations a strong but flexible security architecture with principles that can be applied to their unique technology, payment, and business environments.


The new standard Version 3 has brought with it policy and procedural changes that will impact the security of the entire electronic payment ecosystem.


8

ChallengeAreas

1Lack of education and awareness around payment security

2 Weak passwords, authentication

3 Third-party security challenges

4 Slow self-detection, malware

PCI DSS Version 3.0: Change Drivers

5 Inconsistency in assessments

Common challenge areas and drivers for change include:



9

Updated Versions Of PCI DSS: Focus Areas

Provide stronger focus on some of the greater risk areas in the threat environment

Provide increased clarity on PCI DSS requirements

Build greater understanding on the intent of the requirements and how to apply them

Improve flexibility for all entities implementing, assessing, and building to the standard

Drive more consistency among assessors

Help manage evolving risks / threats

Align with changes in industry best practices

Clarify scoping and reporting

Eliminate redundant sub-requirements and consolidate documentation

Source: https://www.pcisecuritystandards.org/documents/DSS_and_PA-DSS_Change_Highlights.pdf


10

PCI DSS 3.0 Compliance Changes

The 5 New Requirements

8.5.1 – Unique authentication credentials for service providers with access to customer environments

6.5.10 – Broken authentication and session management

12.9 – Additional requirement for service providers on data security

11.3 – Developing and implementing a methodology for penetration testing

9.9 – Protection of point-of-sale (POS) devices from tampering

Version 3 of the PCI DSS includes five new requirements that are to be considered best practices until they officially become compliance requirements in mid-2015.

Source: http://www.tripwire.com/state-of-security/regulatory-compliance/will-pci-dss-v3-0-affects-organization/


11

Notable Most Notable

• Specifically, scoping has been clarified to indicate that system components include, “Any component or device located within or connected to the [cardholder data environment].”

• The new language also states that the “PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment

• Additionally, a new requirement has been added requiring that if segmentation is used, “penetration testing procedures are designed to test all segmentation methods to confirm they are operational and effective, and isolate all out-of-scope systems from in-scope systems.”

• As further clarity, the standard states that, “To be considered out of scope for PCI DSS, a system component must be properly isolated (segmented) from the CDE such that even if the out-of-scope system component was compromised it could not impact the security of the CDE.”

• The additional focus on connected systems likely expands (potentially greatly) the number of systems considered in-scope for many organizations. For example, in most networks using Windows Activity Directory security, a compromise of systems outside the CDE could impact the CDE and then could be considered in-scope for the PCI assessment.

PCI DSS Version 3.0: Most Notable Changes (1/3)

A Higher Bar to Achieve “Segmentation”



12

Notable Most NotablePCI DSS Version 3.0: Most Notable Changes (2/3)

• PCI DSS 3.0 offers a new definition of system components: “System components include systems that may impact the security of the CDE (for example web redirection servers).”

• Up until now, web servers had been considered out-of-scope if they used iFrames, hosted payment pages or other redirection technologies to prevent cardholder data from touching the merchant’s systems.

• Under the new standard, all of these servers fall in-scope and, due to the new segmentation requirement, likely bring the rest of a company’s network into scope as well.

• The only “out” for companies that lack the ability to ensure the security of web servers internally remains fully outsourcing the web infrastructure.

Hosted Payment Pages Are No Longer A “silver bullet”

• The new standard requires larger samples. Specifically, “Samples of system components must include every type and combination that is in use. For example, where applications are sampled, the sample must include all versions and platforms for each type of application.”

Larger Samples



13

Notable Most NotablePCI DSS Version 3.0: Most Notable Changes (3/3)

• For merchants undergoing a third party assessment or Level 1 merchants that self assess, the level of effort in the validation process is likely to increase.

Larger Samples

POS Physical Controls

• In response to recent attacks in which POS devices have been physically modified to capture card holder data, there is a new set of control requirements around physical security for POS devices.

• First, merchants must maintain an inventory of POS devices, which must be identified in detail, including the location and serial number of each device.

• Additionally, POS devices must be inspected periodically for tampering, and employees at POS locations must be trained in how to detect and prevent device tampering.



14

PCI DSS Version 3.0: Other Changes (1/3)

Default accounts – The previous requirement stated only that default passwords should not be used.

Default accounts – The previous requirement stated only that default passwords should not be used.

Default accounts have to be disabled or removed whenever possible

Default accounts have to be disabled or removed whenever possible

Inventory of system components – Companies must maintain an inventory of system components that are in-

scope for PCI DSS

Inventory of system components – Companies must maintain an inventory of system components that are in-

scope for PCI DSSThis will support effective scoping practices This will support effective scoping practices

Disk encryption – Logical access must be managed separately and independently of native operating system

authentication and access control mechanisms

Disk encryption – Logical access must be managed separately and independently of native operating system

authentication and access control mechanisms

Active Directory credentials may no longer be acceptable to manage disk encryption

Active Directory credentials may no longer be acceptable to manage disk encryption

Split knowledge/dual control – For manual clear-text operations, two people are required to perform any key-

management operations (such as rotating keys).

Split knowledge/dual control – For manual clear-text operations, two people are required to perform any key-

management operations (such as rotating keys).

This would mean not only that knowledge of the key must be split, but also that the account that provides access to

any key management functionality must also be split

This would mean not only that knowledge of the key must be split, but also that the account that provides access to

any key management functionality must also be split

PCI DSS Update Implications

1

4

3

2


In PCI DSS 3.0, there are updates that, while less likely to impact the payment processing structure significantly within organizations, are still noteworthy:



15



5

8

7

6

Custom developers – Procedures for secure development and code review now “applies to all software developed internally as well as custom

software developed by a third party.”

Custom developers – Procedures for secure development and code review now “applies to all software developed internally as well as custom

software developed by a third party.”

This means that any developers with whom a company works will need to be required contractually to comply

with the updated PCI standard

This means that any developers with whom a company works will need to be required contractually to comply

with the updated PCI standard

Vulnerability scans don’t meet requirements for web application security

Vulnerability scans don’t meet requirements for web application security

PCI DSS 3.0 makes this clear – vulnerability scans are not sufficient

PCI DSS 3.0 makes this clear – vulnerability scans are not sufficient

Service providers must use a unique password for each customer – This applies only to Service Providers

Service providers must use a unique password for each customer – This applies only to Service Providers

Many of Service provider still use the same password for the service account for every customer. This is not

permitted after June 30, 2015

Many of Service provider still use the same password for the service account for every customer. This is not

permitted after June 30, 2015

Unique certificates – Merchants who use certificates, smart cards or tokens must ensure these security items

are unique and tie to an individual account

Unique certificates – Merchants who use certificates, smart cards or tokens must ensure these security items

are unique and tie to an individual account

If employees were to swap tokens, they would not be able to log on

If employees were to swap tokens, they would not be able to log on

Inventory of wireless access points Inventory of wireless access points Merchants and SPs must maintain an inventory of

authorized wireless access pointsalong with a business justification for each

Merchants and SPs must maintain an inventory of authorized wireless access points

along with a business justification for each9




16

More frequent risk assessmentsMore frequent risk assessments Now be performed upon any significant changes to the environment, as well as annually

Now be performed upon any significant changes to the environment, as well as annually

Expansion of service providers required to be in compliance – The new standard expands this

requirement to include all Service Providers that could affect the security of the cardholder data.

Additionally, companies must maintain information on which PCI DSS requirements are managed by each SP

and which are managed by the company.

Expansion of service providers required to be in compliance – The new standard expands this

requirement to include all Service Providers that could affect the security of the cardholder data.

Additionally, companies must maintain information on which PCI DSS requirements are managed by each SP

and which are managed by the company.

This expansion adds many more Service Providers to the list, including custom developers, hosting providers and

managed security service providers

This expansion adds many more Service Providers to the list, including custom developers, hosting providers and

managed security service providers


10

11





17

Key Takeaways

The bar for Segmentation is

raised

Point-to-pointencryption as a more valuable

scope reduction strategy

• This technology encrypts card data at the point of swipe and maintains that encryption all the way to the processor such that the merchant cannot ever decrypt the data.

• Use of point-to-point encryption remains one of the most effective ways to reduce PCI scope.

Merchants and service providers alike will require time to address these new requirements and expanded scoping.Merchants and service providers alike will require time to address these new requirements and expanded scoping.

1

Nevertheless, those entities that are able to implement the new rules effectively can gain competitive advantage and ensure better protection of personal payment information, as well as avoid serious reputational harm caused by unauthorized exposure of customers’ credit card data..

Nevertheless, those entities that are able to implement the new rules effectively can gain competitive advantage and ensure better protection of personal payment information, as well as avoid serious reputational harm caused by unauthorized exposure of customers’ credit card data..

2

3

The changes in PCI DSS 3.0 are likely to result in significant additional effort for companies processing credit card payments



18

Next Steps

Be aware, changes are here

Gap assess against new requirements – Especially around scope!

Continue to monitor the PCI SSC website for updates and clarification

Look for reporting templates and information supplements

Ask your QSA for their interpretation of each new information supplement as it relates to your environment -remember these are immediately effective


19

Questions


20

Confidentiality Statement and Restriction for Use

This document contains confidential material proprietary to Protiviti Inc. ("Protiviti"), a wholly-owned subsidiary of Robert Half ("RHI"). RHI is a publicly-traded company and as such, the materials, information, ideas, and concepts contained herein are non-public, should be used solely and exclusively to evaluate the capabilities of Protiviti to provide assistance to your Company, and should not be used in any inappropriate manner or in violation of applicable securities laws. The contents are intended for the use of your Company and may not

be distributed to third parties.

Documents

Thoughts on PCI DSS 3 - isaca.org IT... · Thoughts on PCI DSS 3.0 D. Timothy Hartzell CISSP, CISM, QSA, PA-QSA Associate Director