Educate your organization on the practical impacts of performing a PCI assessment under the new standard. This SlideShare will focus on the following learning objectives: • Provide an overview of PCI v3.0 • Discuss the background and the drivers • Identify the immediate updates • Discuss the updates for 2015
CONTENTS
• Overview
• Background & Drivers
• PCI DSS 3.0 Updates
• 3.0 Updates Effective July 1, 2015
• Summary
OVERVIEW

Payment Card Industry Data Security Standards (PCI DSS): a set of requirements designed to ensure that all companies that store, process or transmit credit card information maintain a secure environment.

Payment Card Industry Security Standards Council (PCI SSC): an independent body created by the major payment card brands in 2006 to administer and manage the ongoing evolution of the PCI DSS.

History of PCI DSS Revisions
2004 Version 1.0
2006 Version 1.1
2008 Version 1.2
2009 Version 1.2.1
2010 Version 2.0
2013 Version 3.0
BACKGROUND & DRIVERS
Several standards introduced new versions for 2014 including:
– SOC 2 (Trust Services Principles)
– ISO 27001 (2013)
– FedRAMP / NIST 800-53 Rev 4
– CSA STAR
– PCI DSS 3.0
WHY UPDATE TO 3.0?
• The PCI Security Standards Council’s (“SSC”) three-year update schedule
• Consistency in assessments
• Streamline certain requirements
• Align with technology trends
• Cooperate with “business as usual”
WHEN TO UPDATE?
• January 1, 2014: PCI DSS 3.0 is effective (merchant or service provider’s choice)
• January 1, 2015: required for all assessments
• BrightLine recommends 3.0 for any merchant or service provider preparing for the first time
• BrightLine recommends use of 3.0 for clients performing assessments after August
PCI DSS 3.0 UPDATES

ADDITIONAL DOCUMENTATION REQUIREMENTS
• Breadth and depth of requirements
• Systems inventory
• Dataflow diagrams
• Detailed access needs for each role
• Service provider due diligence

TECHNICAL UPDATES
• Antivirus definition
• Additional application security vectors
  – e.g. memory scraping
• Additional validation testing required for:
  – Access control and authentication
  – More flexibility for ‘daily’ log monitoring

SELF-ASSESSMENT QUESTIONNAIRE & E-COMMERCE IMPLICATIONS
• SAQ A vs. SAQ A-EP
  – SAQ A: 14 questions
  – SAQ A-EP: ~150 questions
• Of note: a properly formed iFrame can use SAQ A
• All e-commerce providers have to meet all applicable requirements regardless of SAQ form
3.0 UPDATES EFFECTIVE JULY 1, 2015

ACCESS CONTROL & TECHNICAL
• In a shared hosting environment, unique authentication credentials for each environment
• Physical protection of payment devices
• Web application vulnerability testing for broken authentication and session management
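The deck lists "broken authentication and session management" as a new web application vulnerability testing item without saying what such a test looks at. The following is an added example, not material from the BrightLine deck: an offline audit of captured Set-Cookie headers that flags the session-management weaknesses an assessor would expect a test to report (missing Secure/HttpOnly/SameSite attributes, short session identifiers, overlong lifetimes, and a session identifier that is not rotated on login). The cookie-name list, the 16-character length threshold and all sample headers are constructed assumptions for illustration.

```python
"""Offline audit of Set-Cookie headers for session-management weaknesses.

Added example, not material from the BrightLine deck. It shows the kind of
check a web application vulnerability test for "broken authentication and
session management" performs against captured HTTP responses. The cookie
names, thresholds and sample headers below are constructed for illustration.
"""
from __future__ import annotations

# Cookie names commonly used for session identifiers (constructed list; extend per application).
SESSION_COOKIE_NAMES = {"sessionid", "jsessionid", "phpsessid", "asp.net_sessionid", "sid"}

MIN_SESSION_ID_LENGTH = 16      # rough proxy for identifier entropy (assumed threshold)
MAX_IDLE_SECONDS = 15 * 60      # PCI DSS 8.1.8: re-authenticate after 15 idle minutes


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_session_cookie(header: str, over_https: bool = True) -> list[str]:
    """Return the findings for a session cookie; an empty list means nothing was flagged."""
    cookie = parse_set_cookie(header)
    if cookie["name"].lower() not in SESSION_COOKIE_NAMES:
        return []  # not a session cookie, out of scope for this check
    attrs = cookie["attrs"]
    findings = []
    if over_https and "secure" not in attrs:
        findings.append("missing Secure: cookie may be sent over cleartext HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie readable by page scripts")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax or Strict: cross-site requests carry the session")
    if len(cookie["value"]) < MIN_SESSION_ID_LENGTH:
        findings.append("session identifier shorter than %d characters" % MIN_SESSION_ID_LENGTH)
    max_age = attrs.get("max-age")
    if max_age is not None and max_age.isdigit() and int(max_age) > MAX_IDLE_SECONDS:
        findings.append("Max-Age exceeds the 15-minute idle timeout")
    return findings


def session_rotated_on_login(pre_login_header: str, post_login_header: str) -> bool:
    """True if the same session cookie carries a new identifier after login (session fixation guard)."""
    before = parse_set_cookie(pre_login_header)
    after = parse_set_cookie(post_login_header)
    return before["name"] == after["name"] and before["value"] != after["value"]


# Constructed sample responses, as a scanner might capture them.
SAMPLE_HEADERS = [
    "JSESSIONID=7F3A9B2C1D4E5F60718293A4B5C6D7E8; Path=/; Secure; HttpOnly; SameSite=Strict",
    "PHPSESSID=abc123; Path=/",
    "theme=dark; Path=/; Max-Age=31536000",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        for finding in audit_session_cookie(h):
            print(parse_set_cookie(h)["name"], "->", finding)
```

Run against real traffic, the headers would come from the responses to the pre-login and post-login requests of the application under assessment; the second sample cookie is flagged on every check, the first on none, and the non-session `theme` cookie is skipped so the report stays focused on the authentication material.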
PENETRATION TESTING
• Pen Testing Special Interest Group (SIG) to release an Information Supplement by the end of 2014
• Implement a methodology
• Emphasis on external AND internal network and application testing
• Validate segmentation and scope-reduction controls

SERVICE PROVIDER MANAGEMENT
• Acknowledgement of responsibility from service providers
• Define which requirements are managed by service providers and which are managed by the entity
SUMMARY
In summary, the PCI DSS is:
• MATURING
• FACILITATING CONSISTENCY
• INSISTING ON CONTINUOUS COMPLIANCE
THANK YOU! www.brightline.com/PCI