Page 1: Making Compliance Business as Usual

PCI DSS 3.0 – Making Compliance Business As Usual

By Kishor Vaswani – CEO, ControlCase

Webinar recording

Page 2

Agenda

• About PCI DSS
• Overview of changes
• PCI BAU by requirement number
• Implementation tips
• ControlCase solution
• Q&A

Page 3

About PCI DSS

Page 4

What is PCI DSS?

Payment Card Industry Data Security Standard:

• Security requirements for organizations that process, store, or transmit payment card account data
• Established by the major payment card brands
• Maintained by the PCI Security Standards Council (PCI SSC)

Page 5

PCI DSS Requirements

(Requirement wording below is that of PCI DSS 2.0; version 3.0 keeps the same twelve requirements and six control objectives but reworded Requirements 5 and 8.)

Control objective: Build and maintain a secure network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Control objective: Protect cardholder data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Control objective: Maintain a vulnerability management program
5. Use and regularly update anti-virus software on all systems commonly affected by malware
6. Develop and maintain secure systems and applications

Control objective: Implement strong access control measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Control objective: Regularly monitor and test networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Control objective: Maintain an information security policy
12. Maintain a policy that addresses information security

Page 6

Timeline of PCI DSS 3.0

• PCI DSS 3.0 has been published
• Effective January 1, 2014
• During 2014 an organization may validate against either PCI DSS 2.0 or 3.0
• From January 1, 2015 validation must be against PCI DSS 3.0

Page 7

Overview of changes

Page 8

Overview

Segmentation
• Adequacy of segmentation must be verified
• Penetration testing must confirm that the segmentation actually isolates the CDE

Third parties/service providers
• Must validate their own PCI DSS compliance; OR
• Must participate in the customer's PCI DSS compliance assessment

Page 9

Overview contd…

PCI DSS as business as usual
• Monitoring of security controls
• Review of changes to the environment
• Review of changes to organizational structure
• Periodic review of controls, not only during the audit
• Separation of duties (operational vs. security)

Physical protection of POS devices, ATMs and kiosks
• Maintain an inventory of devices
• Periodic inspection for tampering or substitution
• Train personnel

Page 10

PCI DSS 3.0 Business As Usual by Requirement Number

Page 11

PCI Council Guidance on BAU

Monitoring of security controls
• Firewalls
• IDS/IPS
• File Integrity Monitoring (FIM)
• Anti-virus

Ensuring failures in security controls are detected and responded to
• Restore the security control
• Identify the root cause
• Identify any security issues that arose because of the failure
• Mitigate them
• Resume monitoring of the security control
• Segregation of duties between detective and preventive controls

Page 12

PCI Council Guidance on BAU

Review changes to the environment
• Addition of new systems
• Changes to organizational structure
• Impact of the change on PCI DSS scope
• Requirements applicable to the new scope
• Implement any additional security controls required because of the change
• Confirm that new hardware and software (and existing ones) continue to be supported and do not impact compliance

Periodic reviews
• Configuration
• Physical security
• Patches and anti-virus
• Audit logs
• Access rights

Page 13

Requirement 1: Firewalls

People
• PCI project manager to escalate non-compliance
• Segregation of duties between the operations staff making firewall changes and the compliance personnel reviewing them

Process
• PCI impact analysis as part of the firewall change management process

Technology
• Automated/periodic ruleset reviews
• Weekly port scans from the CDE to the Internet to verify that no outbound connections other than those explicitly authorized are possible
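The weekly egress scan in the Technology column is easy to script and is the check most often dropped once the firewall has passed its audit. What follows is an added example, not code from the ControlCase deck: run from a host inside the CDE, it tries to open TCP connections to a handful of Internet targets and reports any that succeed. The target list, the three-second timeout and the rule that any successful connection is a finding are assumptions for this example; a production run would use targets and ports agreed under the firewall change process.

```python
"""Weekly CDE egress check (added example; not ControlCase code).

Run from a system inside the cardholder data environment. Every TCP
connection that succeeds to an Internet target is a finding: PCI DSS
Requirement 1 expects outbound traffic from the CDE to be limited to what
is explicitly authorized, so the expected result is "no connections".
"""
import socket
from dataclasses import dataclass
from typing import List, Tuple

# Assumed probe list: public hosts and the ports an attacker would most
# likely use to exfiltrate card data or reach command-and-control.
# Replace with targets agreed under the firewall change process.
DEFAULT_TARGETS: List[Tuple[str, int]] = [
    ("example.com", 80),   # plain HTTP
    ("example.com", 443),  # HTTPS
    ("8.8.8.8", 53),       # DNS to an external resolver
    ("example.com", 22),   # SSH
    ("example.com", 25),   # SMTP
]


@dataclass
class EgressResult:
    host: str
    port: int
    connected: bool
    detail: str = ""


def probe(host: str, port: int, timeout: float = 3.0) -> EgressResult:
    """Attempt one TCP connection; never raises, always returns a result."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return EgressResult(host, port, True, "connection established")
    except OSError as exc:
        # Refused, timed out, unreachable and unresolvable all count as
        # "blocked" for this check, but the detail is kept so that a DNS
        # outage is not mistaken for a working egress filter.
        return EgressResult(host, port, False, type(exc).__name__)


def check_egress(targets=DEFAULT_TARGETS, timeout: float = 3.0) -> List[EgressResult]:
    return [probe(h, p, timeout) for h, p in targets]


def findings(results: List[EgressResult]) -> List[EgressResult]:
    """Results showing that the CDE can reach the Internet."""
    return [r for r in results if r.connected]


def summary(results: List[EgressResult]) -> str:
    """One line per probe plus a verdict the compliance reviewer can file."""
    lines = [
        f"{r.host}:{r.port:<5} {'OPEN' if r.connected else 'blocked'} ({r.detail})"
        for r in results
    ]
    bad = findings(results)
    if bad:
        verdict = "FAIL: %d outbound path(s) open from CDE" % len(bad)
    else:
        verdict = "PASS: no outbound connections from CDE"
    return "\n".join(lines + [verdict])


if __name__ == "__main__":
    print(summary(check_egress()))
```

Run it on the CDE host itself rather than from a workstation, and keep the per-probe detail: a name-resolution failure (gaierror) means the host could not even resolve the target, which is the expected state for a well-segmented CDE, whereas a timeout may just be a slow drop rule.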

Page 14

Requirement 2: Configuration Standards

People
• PCI project manager to escalate non-compliance

Process
• Periodic update of configuration standards
• New infrastructure onboarding process to include a PCI configuration standards check

Technology
• Automated/periodic configuration scans
• Reminders to update configuration standards quarterly
• Technology to flag new assets that have not formally undergone the PCI configuration standards check

Page 15

Requirement 3: Protect Stored Cardholder Data

People
• PCI project manager to escalate non-compliance to the highest levels within the organization

Process
• Periodic false positive management
• Search for cardholder data during roll-out tests/quality assurance

Technology
• Automated/periodic cardholder data scans
• Alerts in case new cardholder data is found

Page 16

Requirement 4: Protect Cardholder Data in Transmission

People
• Training to ensure personnel do not email/chat clear-text card data
• Personnel allocated to review outbound data at random

Process
• Periodic review of modes of transmission, i.e. wireless, chat, email, etc.

Technology
• Automated technology to monitor transmission of card data through the perimeter (e.g. email and chat monitoring)
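Requirements 3 and 4 call for the same detector: something that finds primary account numbers in text (stored files for Requirement 3, outbound email and chat for Requirement 4) and keeps false positives under control. The following is an added example, not code from the ControlCase deck, and serves both slides: candidate numbers are matched by pattern, filtered by issuer prefix and Luhn check, allow-listed when they are brand-published test cards, and reported as masked values with a keyed fingerprint so that only new findings raise an alert. The sample text, the test-card allow list, the issuer prefix rules and the fingerprint key are all constructed for this example.

```python
"""Cardholder data discovery with false-positive control
(added example; not ControlCase code).

Requirement 3 BAU: scan storage for primary account numbers (PANs), alert
only on new finds, manage false positives. Requirement 4 BAU: run the same
detector over outbound email/chat text to catch clear-text card data
leaving the perimeter.
"""
import hashlib
import hmac
import re
from typing import List, Optional, Set

# 13-19 digits, optionally separated by single spaces or dashes, and not
# glued to other digits (so a longer reference number is not carved up).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Issuer prefix rules this example recognises (an assumption; a real
# deployment extends them from its acquirer's BIN tables).
IIN_RULES = [
    ("visa", re.compile(r"^4\d{12}(?:\d{3}){0,2}$")),
    ("mastercard", re.compile(r"^(?:5[1-5]\d{14}|2(?:2[2-9]\d|[3-6]\d{2}|7[01]\d|720)\d{12})$")),
    ("amex", re.compile(r"^3[47]\d{13}$")),
    ("discover", re.compile(r"^6(?:011|5\d{2})\d{12}$")),
]

# Brand-published test card numbers: a hit on these in a QA fixture is a
# false positive, not stored cardholder data, so they are allow-listed.
KNOWN_TEST_PANS: Set[str] = {"4111111111111111", "5555555555554444", "378282246310005"}

# Assumed secret for fingerprinting findings. Keyed hashing rather than a
# bare SHA-256, because the 16-digit space is small enough to brute-force
# an unkeyed hash back to the PAN. In production this key lives in the KMS.
FINGERPRINT_KEY = b"example-fingerprint-key-rotate-me"

# Constructed sample: one real-looking PAN, two brand test numbers and one
# 16-digit order number that is not a card number.
SAMPLE_TEXT = """\
2014-03-03 10:14:02 order=1234567890123456 status=ok
customer note: card 5212 3456 7890 1234 exp 03/16
qa fixture: 4111111111111111 (brand test card)
chat: my amex is 3782 822463 10005
"""


def luhn_valid(digits: str) -> bool:
    """Mod-10 check digit used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def brand_of(digits: str) -> Optional[str]:
    for brand, rule in IIN_RULES:
        if rule.match(digits):
            return brand
    return None


def mask(digits: str) -> str:
    """First six and last four: the most PCI DSS permits to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def fingerprint(digits: str) -> str:
    return hmac.new(FINGERPRINT_KEY, digits.encode(), hashlib.sha256).hexdigest()


def find_pans(text: str, allowlist: Set[str] = KNOWN_TEST_PANS) -> List[dict]:
    """Return confirmed PANs found in text, never the PAN itself: masked value + fingerprint."""
    findings = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        brand = brand_of(digits)
        if brand is None or not luhn_valid(digits) or digits in allowlist:
            continue  # wrong prefix/length, failed Luhn, or a known test card
        findings.append({
            "brand": brand,
            "masked": mask(digits),
            "fingerprint": fingerprint(digits),
            "line": text.count("\n", 0, m.start()) + 1,
        })
    return findings


def new_findings(findings: List[dict], baseline: Set[str]) -> List[dict]:
    """Only PANs not already in the accepted/remediated baseline raise an alert."""
    return [f for f in findings if f["fingerprint"] not in baseline]


if __name__ == "__main__":
    found = find_pans(SAMPLE_TEXT)
    for f in new_findings(found, baseline=set()):
        print(f"ALERT line {f['line']}: {f['brand']} {f['masked']}")
```

The baseline of fingerprints is what turns a scan into a BAU control: a finding that was reviewed and remediated (or accepted as a false positive) is recorded once, and the next scan alerts only on what is new.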

Page 17

Requirement 5: Antivirus and Anti-malware

People
• PCI project manager to escalate non-compliance

Process
• Process to ensure all assets are protected by antivirus
• Process to implement antivirus and anti-malware on all new systems being deployed

Technology
• Technology to detect any systems that do not have anti-virus/anti-malware installed

Page 18

Requirement 6: Secure Applications

People
• Segregation of development and security duties
• Periodic training of developers in secure coding standards such as OWASP

Process
• Continuous scanning of applications
• Scanning of applications as part of the SDLC
• Code review as part of the SDLC
• Periodic review of QA/test cases to ensure all of them include a security checkpoint and approval

Technology
• Application scanning software
• Code review software
• Identification of instances where changes have occurred to applications
• Application firewalls

Page 19

Requirements 7 & 8: Access Control and User IDs

People
• Segregation between the personnel provisioning IDs and the personnel reviewing user access

Process
• Periodic review of user access
• Attestation of user access
• Onboarding procedures
• Termination procedures

Technology
• Role-based access control
• Single sign-on
• Use of LDAP/AD/TACACS for centralized password management

Page 20

Requirement 9: Physical Security

People
• Designation of a person at every site as a site coordinator

Process
• Periodic walkthroughs and random audits of physical security
• Weekly review of CCTV and badge logs
• Periodic review of scope

Technology
• Alarms to report malfunction of devices such as cameras and badge access readers

Page 21

Requirement 10: Logging and Monitoring

People
• Personnel to actively monitor logs 24/7/365

Process
• Periodic review of asset inventory
• Periodic review of scope
• Process to ensure logs from all in-scope assets are feeding the SIEM solution
• Weekly or monthly test restoration of logs from up to 12 months back, to prove the retained history is actually recoverable

Technology
• Security Information and Event Management (SIEM)
• Technology to identify new assets not covered by the SIEM

Page 22

Requirement 11: Vulnerability Management

People
• Segregation of personnel responsible for scanning vs. remediation of anomalies
• PCI project manager to escalate non-compliance

Process
• Ongoing review of target assets vs. asset inventory for appropriateness/change
• Periodic testing of IDS/IPS effectiveness through random penetration tests/vulnerability scans

Technology
• Automated scanning technology
• Technology to manage false positives and compensating controls
• Asset management repository
• File Integrity Monitoring (FIM) technology
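Several BAU items on the Requirement 10 and 11 slides, and the asset-flagging items on the Requirement 2 and 5 slides, reduce to one reconciliation: compare the in-scope asset inventory against what a control has actually seen, and raise anything in scope that the control has not. The following is an added example, not code from the ControlCase deck: it loads a constructed inventory export, reports in-scope hosts the SIEM has not heard from within the review window, and reports drift between the inventory and the scanner's target list in both directions. The inventory, the SIEM last-event table, the review window and the target list are all constructed for this example.

```python
"""Asset coverage reconciliation for PCI BAU (added example; not ControlCase code).

One check answers several BAU questions: which in-scope systems are not
feeding the SIEM (Requirement 10), whether the scanner's target list still
matches the inventory (Requirement 11), and which new assets no control has
seen yet (the same logic applies to Requirement 2 configuration checks and
Requirement 5 anti-virus coverage).
"""
import csv
import io
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

IN_SCOPE = {"CDE", "connected"}  # scope classes that PCI controls must cover

# Constructed inventory export (hostname, IP, PCI scope class, owner).
INVENTORY_CSV = """\
hostname,ip,pci_scope,owner
pos-db-01,10.10.1.5,CDE,payments
pos-app-01,10.10.1.10,CDE,payments
pos-app-02,10.10.1.11,CDE,payments
jump-01,10.10.2.3,connected,infra
intranet-wiki,10.20.5.8,out_of_scope,it
"""

# Constructed review time and the SIEM's "last event received" table.
NOW = datetime(2014, 3, 3, 9, 0)
SIEM_LAST_EVENT: Dict[str, datetime] = {
    "pos-db-01": NOW - timedelta(minutes=5),
    "pos-app-01": NOW - timedelta(days=3),   # agent stopped; host has gone silent
    "jump-01": NOW - timedelta(minutes=1),
    "intranet-wiki": NOW - timedelta(minutes=2),
    # pos-app-02 never sent an event: a new build that was not onboarded
}

# Constructed scanner target list; 10.10.9.99 was decommissioned months ago.
SCAN_TARGETS: Set[str] = {"10.10.1.5", "10.10.1.10", "10.10.1.11", "10.10.9.99"}


def load_inventory(csv_text: str) -> List[dict]:
    return list(csv.DictReader(io.StringIO(csv_text)))


def in_scope(assets: List[dict]) -> List[dict]:
    return [a for a in assets if a["pci_scope"] in IN_SCOPE]


def siem_gaps(assets: List[dict], last_event: Dict[str, datetime], now: datetime,
              max_silence: timedelta = timedelta(hours=24)) -> List[Tuple[str, str]]:
    """In-scope hosts the SIEM has never heard from, or not within max_silence."""
    gaps = []
    for a in in_scope(assets):
        seen = last_event.get(a["hostname"])
        if seen is None:
            gaps.append((a["hostname"], "no events"))
        elif now - seen > max_silence:
            gaps.append((a["hostname"], "stale"))
    return gaps


def scan_target_drift(assets: List[dict], targets: Set[str]) -> Tuple[Set[str], Set[str]]:
    """(in-scope IPs missing from the scan list, scan targets unknown to the inventory)."""
    scope_ips = {a["ip"] for a in in_scope(assets)}
    all_ips = {a["ip"] for a in assets}
    return scope_ips - targets, targets - all_ips


def report(assets: List[dict], last_event: Dict[str, datetime], now: datetime,
           targets: Set[str]) -> str:
    lines = []
    for host, reason in siem_gaps(assets, last_event, now):
        lines.append(f"SIEM coverage gap: {host} ({reason})")
    missing, unknown = scan_target_drift(assets, targets)
    for ip in sorted(missing):
        lines.append(f"Scan target missing: {ip} is in scope but not scanned")
    for ip in sorted(unknown):
        lines.append(f"Scan target unknown: {ip} is scanned but not in inventory")
    return "\n".join(lines) if lines else "No anomalies"


if __name__ == "__main__":
    print(report(load_inventory(INVENTORY_CSV), SIEM_LAST_EVENT, NOW, SCAN_TARGETS))
```

The two directions of scan-target drift matter for different reasons: an in-scope host missing from the target list is an unscanned system, while a target that is no longer in the inventory is either a decommissioned address that will eventually be reused by something unknown or a sign that the inventory itself is stale.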

Page 23

Requirement 12: Policies and Procedures

People
• Coordination between procurement and compliance personnel

Process
• PCI DSS requirements tied to the procurement process
• PCI anomalies tracked within the vendor/third-party management solution

Technology
• Vendor management/third-party management solution

Page 24

PCI DSS Requirements (recap of the table on Page 5)

Page 25

Key Implementation Tips

Page 26

Key Themes

• Segregation of duties
• Technology operating effectively
• Automation
• Dedicated PCI project manager
• Repeatability
• Periodic reviews

Page 27

Dashboard for tracking activities

Page 28

Calendar of reminders/tracking back to controls

Page 29

ControlCase Solutions

Page 30

ControlCase Cloud GRC

• Out-of-the-box tracking of PCI controls
• Out-of-the-box reminders for key BAU activities
• Out-of-the-box dashboard for key compliance tasks to be done periodically
• Out-of-the-box tracking of BAU anomalies

Page 31

To Learn More About PCI Compliance…

• Visit www.controlcase.com
• Call +1.703.483.6383 (US)
• Call +91.9820293399 (India)

Page 32

Thank You for Your Time