PCI DSS 3.0 changes By Kishor Vaswani – CEO, ControlCase

PCI DSS & PA DSS Version 3.0 Changes Webinar


Page 1: PCI DSS & PA DSS Version 3.0 Changes Webinar

PCI DSS 3.0 changes

By Kishor Vaswani – CEO, ControlCase

Page 2: PCI DSS & PA DSS Version 3.0 Changes Webinar

Agenda

• About PCI DSS

• Overview of changes

• Changes by requirement number

• Implementation tips

• Q&A


Page 3: PCI DSS & PA DSS Version 3.0 Changes Webinar

About PCI DSS

Page 4: PCI DSS & PA DSS Version 3.0 Changes Webinar

What is PCI DSS?

Payment Card Industry Data Security Standard:

• Guidelines for securely processing, storing, or transmitting payment card account data

• Established by leading payment card issuers

• Maintained by the PCI Security Standards Council (PCI SSC)

Page 5: PCI DSS & PA DSS Version 3.0 Changes Webinar

PCI DSS Requirements

Control Objectives and Requirements

Build and maintain a secure network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

Maintain a vulnerability management program
  5. Use and regularly update anti-virus software on all systems commonly affected by malware
  6. Develop and maintain secure systems and applications

Implement strong access control measures
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data

Regularly monitor and test networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Maintain an information security policy
  12. Maintain a policy that addresses information security

Page 6: PCI DSS & PA DSS Version 3.0 Changes Webinar

Timeline of PCI DSS 3.0

• The new PCI DSS 3.0 has been published
• Effective Jan 1st, 2014
• Can comply with PCI DSS 2.0 or 3.0 in 2014
• Must comply with PCI DSS 3.0 starting 2015

Page 7: PCI DSS & PA DSS Version 3.0 Changes Webinar

Overview of changes

Page 8: PCI DSS & PA DSS Version 3.0 Changes Webinar

Overview

Segmentation
• Adequacy of segmentation
• Penetration test

Third parties/Service providers
• Must validate PCI DSS compliance; OR
• Must participate in the customer's PCI DSS compliance audit

Page 9: PCI DSS & PA DSS Version 3.0 Changes Webinar

Overview contd…

PCI DSS as Business as Usual
• Monitoring of security controls
• Review changes to environment
• Review changes to org structure
• Periodic review of controls vs. during audit
• Separation of duties (operational vs. security)

Physical protection of POS, ATM and Kiosks
• Maintain inventory
• Periodic inspection for tampering
• Train personnel

Page 10: PCI DSS & PA DSS Version 3.0 Changes Webinar

Changes by requirement number

Page 11: PCI DSS & PA DSS Version 3.0 Changes Webinar

Requirement 1: Firewalls

• Network Diagram
  › Must include cardholder data flows
  › Must include a clear boundary showing PCI DSS CDE scope

Page 12: PCI DSS & PA DSS Version 3.0 Changes Webinar

Requirement 2: Configuration Standards

• Maintain an inventory of system components
  › Business as usual function
  › Inventory of hardware and software must be maintained
  › Function of each system must be maintained in the inventory

Page 13: PCI DSS & PA DSS Version 3.0 Changes Webinar

Requirement 3: Protect Stored Cardholder Data

No significant changes


Page 14: PCI DSS & PA DSS Version 3.0 Changes Webinar

Requirement 4: Protect Cardholder Data in Transmission

No significant changes


Page 15: PCI DSS & PA DSS Version 3.0 Changes Webinar

Requirement 5: Antivirus

• Intent is to prevent malware in addition to viruses
  › Evaluate malware threats against systems EVEN if a system is not commonly affected by viruses/malicious software, e.g. AS/400
  › Anti-virus must be running in an active mode AND cannot be disabled by regular users without management approval

Page 16: PCI DSS & PA DSS Version 3.0 Changes Webinar

Requirement 6: Secure Applications


• Test applications for broken authentication and session management flaws

• Renamed “Web Application Firewall” to “Automated Technical Solution” to detect flaws

Page 17: PCI DSS & PA DSS Version 3.0 Changes Webinar

Requirements 7 & 8: Access Control and User IDs

• Provides for flexibility in password controls
  › Minimum of 7 characters
  › Alphanumeric
  › Alternatives are acceptable as long as the objective is met
  › Allows for alternative mechanisms such as tokens and certificates

• Service Providers with access to customer environments MUST ensure a unique password per customer

Page 18: PCI DSS & PA DSS Version 3.0 Changes Webinar

Requirement 9: Physical Security

• Physical access controls for “sensitive areas” must be implemented for onsite personnel
  › Data center
  › Computer room
  › Telecommunications room

• Protect physical devices such as POS
  › Maintain a list
  › Periodically inspect devices for tampering
  › Train personnel to be aware of suspicious behavior

Page 19: PCI DSS & PA DSS Version 3.0 Changes Webinar

Requirement 10: Logging and Monitoring

• Clarified what is meant by identification and authentication logging
  › Elevation of privileges must be logged
  › Changes, additions or deletions to root or admin accounts must be logged

• Logging the audit logs
  › Initialization of audit logs must be captured
  › Stopping or pausing of audit logs must be captured
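As an added example (not from the webinar or from ControlCase), the script below checks a log source against the four Requirement 10 items listed above: privilege elevation, root/admin account changes, audit-log initialization, and audit-log stop. It runs over a constructed sample of syslog-style lines from a hypothetical host named pos-db01; the message formats imitate sudo, shadow-utils and auditd but are assumptions for this example and should be tuned to the real log sources in scope.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class AuditEvent:
    category: str   # which Requirement 10 logging item the line satisfies
    host: str
    detail: str     # the matched fragment, kept for the reviewer


# Constructed sample lines from one hypothetical host. The message formats
# imitate sudo, shadow-utils and auditd but are assumptions for this example,
# not captured production logs.
SAMPLE_LOG = [
    "Jan 15 10:02:11 pos-db01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash",
    "Jan 15 10:03:30 pos-db01 useradd[2211]: new user: name=svc_backup, UID=0, GID=0, home=/root, shell=/bin/bash",
    "Jan 15 10:04:02 pos-db01 useradd[2215]: new user: name=carol, UID=1002, GID=1002, home=/home/carol, shell=/bin/bash",
    "Jan 15 10:05:40 pos-db01 usermod[2290]: add 'bob' to group 'wheel'",
    "Jan 15 10:06:12 pos-db01 sshd[2300]: Accepted publickey for alice from 10.20.0.5 port 51022 ssh2",
    "Jan 15 10:07:02 pos-db01 auditd[812]: The audit daemon is exiting.",
    "Jan 15 10:09:10 pos-db01 auditd[3100]: Init complete, auditd 3.0 listening for events (startup state enable)",
]

# Classic syslog header: "Mon DD HH:MM:SS host message"
SYSLOG_HEAD = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d (?P<host>\S+) (?P<rest>.*)$")

# (category, pattern) pairs; the first match wins. Each category maps to one
# of the Requirement 10 items on the slide.
RULES = [
    # elevation of privileges
    ("privilege-elevation", re.compile(r"\bsudo: +\S+ :.*USER=\S+ ; COMMAND=.+$")),
    # changes, additions or deletions to root/admin accounts
    ("admin-account-change", re.compile(r"\buseradd\[\d+\]: new user: name=[^,]+, UID=0\b")),
    ("admin-account-change", re.compile(r"\busermod\[\d+\]: add '[^']+' to group '(wheel|sudo|admin)'")),
    ("admin-account-change", re.compile(r"\buserdel\[\d+\]: delete user '[^']+'")),
    # initialization and stopping/pausing of the audit logs themselves
    ("audit-log-stopped", re.compile(r"\bauditd\[\d+\]: The audit daemon is exiting")),
    ("audit-log-started", re.compile(r"\bauditd\[\d+\]: Init complete")),
]


def classify(line: str) -> Optional[AuditEvent]:
    """Map one log line to a Requirement 10 category, or None if it is routine."""
    head = SYSLOG_HEAD.match(line)
    if head is None:
        return None
    for category, pattern in RULES:
        hit = pattern.search(head.group("rest"))
        if hit:
            return AuditEvent(category, head.group("host"), hit.group(0))
    return None


def scan(lines: List[str]) -> List[AuditEvent]:
    """All events of interest, in log order."""
    return [ev for ev in (classify(line) for line in lines) if ev is not None]


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count events per category: a quick way to confirm that a log source
    actually produces each kind of record Requirement 10 expects."""
    counts: Dict[str, int] = {}
    for ev in scan(lines):
        counts[ev.category] = counts.get(ev.category, 0) + 1
    return counts


if __name__ == "__main__":
    for ev in scan(SAMPLE_LOG):
        print(f"{ev.host} {ev.category:22s} {ev.detail}")
    print(summarize(SAMPLE_LOG))
```

On the sample, the ordinary user creation (carol, UID 1002) and the SSH login are left alone, while the sudo shell, the UID 0 account, the wheel group change, and both auditd transitions are surfaced. A category that never appears in a summary over a real week of logs is a sign that the source is not emitting the record, which is exactly the evidence an assessor will ask for.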


Page 20: PCI DSS & PA DSS Version 3.0 Changes Webinar

Requirement 11: Vulnerability Management

• Maintain an inventory of authorized wireless access points

• Penetration testing MUST validate segmentation
  › Testing must prove conclusively that a compromise in a non-CDE network will not result in a breach of the CDE network (if segmentation was implemented)

• Critical files must be compared at least weekly AND an individual must evaluate and investigate changes to critical files.
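The weekly critical-file comparison above is a baseline-and-diff exercise. As an added example (not code from the webinar or from ControlCase), the script below builds a SHA-256 baseline of a monitored file set, compares the current state against it, and returns a list of findings for a person to evaluate rather than remediating anything automatically. The demo scenario (file names, contents, and the edit/delete/drop that happen between runs) is constructed inside a temporary directory.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Finding:
    path: str
    status: str                     # "modified", "missing" or "new"
    baseline_digest: Optional[str]
    current_digest: Optional[str]


def hash_file(path: str, chunk_size: int = 65536) -> str:
    """SHA-256 of a file, streamed so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(paths: List[str]) -> Dict[str, str]:
    """Record the known-good digest of every monitored file that exists."""
    return {p: hash_file(p) for p in paths if os.path.isfile(p)}


def compare_to_baseline(baseline: Dict[str, str], paths: List[str]) -> List[Finding]:
    """Every difference between the baseline and the current file set.
    Nothing is auto-remediated: the findings are the work queue for the
    individual who has to evaluate and investigate each change."""
    current = build_baseline(paths)
    findings: List[Finding] = []
    for path, old in baseline.items():
        new = current.get(path)
        if new is None:
            findings.append(Finding(path, "missing", old, None))
        elif new != old:
            findings.append(Finding(path, "modified", old, new))
    for path, new in current.items():
        if path not in baseline:
            findings.append(Finding(path, "new", None, new))
    return findings


def demo() -> List[Tuple[str, str]]:
    """Constructed scenario: three monitored files; then one is edited, one is
    deleted and one unexpected file appears before the next weekly comparison."""
    with tempfile.TemporaryDirectory() as root:
        seed = {
            "sshd_config": b"PermitRootLogin no\n",
            "sudoers": b"root ALL=(ALL) ALL\n",
            "hosts": b"127.0.0.1 localhost\n",
        }
        for name, body in seed.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        monitored = [os.path.join(root, name) for name in seed]
        baseline = build_baseline(monitored)

        # Changes that happen between the baseline and the next weekly run
        with open(os.path.join(root, "sshd_config"), "ab") as fh:
            fh.write(b"PermitRootLogin yes\n")             # a modified critical file
        os.remove(os.path.join(root, "sudoers"))           # a critical file that disappeared
        dropped = os.path.join(root, "new_binary")
        with open(dropped, "wb") as fh:
            fh.write(b"constructed placeholder content\n")  # an unexpected new file

        findings = compare_to_baseline(baseline, monitored + [dropped])
        return sorted((os.path.basename(f.path), f.status) for f in findings)


if __name__ == "__main__":
    for name, status in demo():
        print(f"{status:9s} {name}")
```

The unchanged hosts file produces no finding; the other three changes each produce one. In practice the baseline would be stored outside the monitored host and refreshed only after an investigated change is accepted, so that the comparison itself is not silently re-baselined by whoever altered the file.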


Page 21: PCI DSS & PA DSS Version 3.0 Changes Webinar

Requirement 12: Policies and Procedures

• Third Party/Service provider requirements have been enhanced
  › Must maintain an inventory of which requirements are dependent upon the service provider
  › Written acknowledgement required from service providers attesting to PCI DSS requirements
  › Third parties must provide a PCI DSS certificate OR be willing to be a part of the customer's PCI DSS audit

Page 22: PCI DSS & PA DSS Version 3.0 Changes Webinar

PCI DSS Requirements (recap of the control objectives and requirements table shown on Page 5)

Page 23: PCI DSS & PA DSS Version 3.0 Changes Webinar

Key Implementation Tips

Page 24: PCI DSS & PA DSS Version 3.0 Changes Webinar

Key Takeaways

• Revisit segmentation for adequacy
• Focus on third party compliance
• Identify GRC technology for business as usual implementation
• Revisit penetration testing methodology
• Identify how to secure physical devices such as POS, ATM and Kiosks

Page 25: PCI DSS & PA DSS Version 3.0 Changes Webinar

Available Documents

The following documents are available at https://www.pcisecuritystandards.org/security_standards/documents.php

• PCI DSS ver 3.0
• PCI DSS Summary of Changes v2.0 to v3.0
• ROC reporting template for v3.0
• PCI DSS and PA DSS 3.0 Ver 3.0 change highlights

Page 26: PCI DSS & PA DSS Version 3.0 Changes Webinar

ControlCase Solutions

Page 27: PCI DSS & PA DSS Version 3.0 Changes Webinar

ControlCase PCI 3.0 transition package


PCI DSS 3.0 change assessment

Implement business as usual using ControlCase GRC

Third party PCI DSS data collection program

Review of penetration test methodology

Page 28: PCI DSS & PA DSS Version 3.0 Changes Webinar

To Learn More About PCI Compliance…

• Visit www.controlcase.com

[email protected]


Page 29: PCI DSS & PA DSS Version 3.0 Changes Webinar

Thank You for Your Time