PCI DSS 3.0 Overview and Key Updates

Overview……………………………….……3 Background & Drivers……………….……7 PCI DSS 3.0 Updates…………………...…22 3.0 Updates Effective July 1, 2015…......26 Summary………………………………...….30

CONTENTS

OVERVIEW

Payment Card Industry Data Security Standards (PCI DSS) A set of requirements designed to ensure that all companies that store, process or transmit credit card information maintain a secure environment

OVERVIEW

Payment Card Industry Security Standards Council (PCI SSC) An independent body created by the major payment card brands in 2006 to administor and manage the ongoing evolution of the PCI DSS

OVERVIEW

History of PCI DSS Revisions OVERVIEW

2004 Version 1.0

2006 Version 1.1

2008 Version 1.2

2010 Version 2.0

2009 Version 1.2.1

2013 Version 3.0

BACKGROUND & DRIVERS

Several standards introduced new versions for 2014 including:

– SOC 2 (Trust Services Principles)


– SOC 2 (Trust Services Principles) – ISO 27001 (2013)


– SOC 2 (Trust Services Principles) – ISO 27001 (2013) – FedRAMP - NIST 800-53 Rev 4


– SOC 2 (Trust Services Principles) – ISO 27001 (2013) – FedRAMP - NIST 800-53 Rev 4 – CSA STAR


– SOC 2 (Trust Services Principles) – ISO 27001 (2013) – FedRAMP - NIST 800-53 Rev 4 – CSA STAR – PCI DSS 3.0

WHY UPDATE TO 3.0?

The PCI Security Standards Council’s (“SSC”) three year update schedule

WHY UPDATE TO 3.0?


Consistency in assessments

WHY UPDATE TO 3.0?



Streamline certain requirements

WHY UPDATE TO 3.0?




Align with technology trends

WHY UPDATE TO 3.0?




Align with technology trends

Cooperate with “business as usual”

January 1, 2014 PCI DSS 3.0 is effective

(Merchant or service provider’s choice)

WHEN TO UPDATE?

January 1, 2015 (Required for all assessments)

WHEN TO UPDATE?

BrightLine recommends for any merchant or service provider preparing

for the first time

WHEN TO UPDATE?

BrightLine recommends use of 3.0 for clients performing assessments

after August

WHEN TO UPDATE?

PCI DSS 3.0 UPDATES

• Breadth and depth of requirements • Systems inventory • Dataflow diagrams • Detailed access needs for each role • Service provider due diligence

ADDITIONAL DOCUMENTATION REQUIREMENTS

• Antivirus definition • Additional application security vectors

– e.g. memory scraping • Additional validation testing required for:

– Access control and authentication – More flexibility for ‘daily’ log monitoring

TECHNICAL UPDATES

• SAQ A vs. SAQ A-EP – SAQ A: 14 questions – SAQ A-EP: ~ 150 questions

• Of note - a properly formed iFrame can use SAQ-A • All e-commerce providers have to meet all

applicable requirements regardless of SAQ form

SELF ASSESSMENT QUESTIONNAIRE & E-COMMERCE IMPLICATIONS

3.0 UPDATES EFFECTIVE JULY 1, 2015

• In a shared hosting environment, unique authentication credentials to each environment

• Physical protection of payment devices

• Web application vulnerability testing for broken authentication and session management

ACCESS CONTROL & TECHNICAL

Pen Testing Special Interest Group (SIG) to release an Information Supplement by the end of 2014

PENETRATION TESTING

• Implement a methodology • Emphasis on external AND internal network

and application testing • Validate segmentation and scope-reduction

controls

• Acknowledgement of responsibility from service providers

• Define which requirements are managed by service providers and which are managed by the entity

SERVICE PROVIDER MANAGEMENT

SUMMARY

In summary, the PCI DSS is:

MATURING


FACILITATING CONSISTENCY


INSISTING CONTINUOUS COMPLIANCE

THANK YOU! www.brightline.com/PCI

Technology

PCI DSS 3.0 Overview and Key Updates