©2015 RSM US LLP. All Rights Reserved. PCI 3.1 AND 3.2 AND BEYOND Tips and Tricks to Stay PCI Compliant April 14, 2016.

Presentation transcript:


Speaker: Joel Dubin, Manager, Security and Privacy Services; PCI QSA, PA-QSA, CISSP
- Eight years as a QSA and PA-QSA
- Conducted PCI and PA-DSS assessments in the U.S., Latin America, Europe and the Middle East
- Scoped architectures for PCI

Agenda
- What, and who, is PCI and its ecosystem?
- What is new in PCI 3.0, 3.1 and now 3.2?
- Impacts on PCI of new credit card technologies
- Tips and tricks for maintaining PCI compliance

WHAT, AND WHO, IS PCI AND ITS ECOSYSTEM?

PCI Standards Ecosystem and Hierarchy
- PTS – PIN-pad level
- PA-DSS – Application level
- PCI – Network level

Who is the PCI SSC? The Payment Card Industry Security Standards Council: Visa, MasterCard, American Express, Discover and JCB. One standard for merchants – PCI.

PCI DSS Requirements

Differences between PCI DSS 2.0 and 3.1
- Version 3.1 released in April, mandatory for all assessments after June 30, 2015
  − Version 3.0 mandatory since January 2015
  − Version 3.1: SSL to TLS migration now June 2018 (formerly June 2016)
- Total changes – 114 modified requirements
  − Clarifications – 92 changes
  − Additional guidance – 8 changes
  − Evolving requirements – 14 changes
- 16 new requirements – all fit into one of the above categories
- Most of the changes in version 3 were "clarifications" of the version 2 requirements (83%)
  − These were already requirements; the wording just "codifies" the requirement

Key PCI 3.1 requirements
- Requirement 2.1 – Remove default passwords
- Requirement – Disk encryption: BitLocker is NOT approved
- Requirement – Environment separation: production and development
- Requirement – Audit CHD access: user access audited, no shared accounts
- Requirement 10.6 – Log reviews: daily review for anomalies; SIEM solution recommended
- Requirement 12.8 – Vendor management: the service provider agreement/acknowledgement must document the vendor's responsibilities for protecting CHD
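The daily log review that Requirement 10.6 calls for, and the "no shared accounts" point above, are easier to picture with a concrete check. The script below is an added example, not code from the RSM presentation: it parses constructed sshd-style log lines from a CDE host and reports the anomalies a reviewer (or a SIEM correlation rule) would escalate. The log layout, host and account names, the failure threshold and the business-hours window are all assumptions made for this demo.

```python
"""Daily review of CDE authentication logs (PCI DSS Requirement 10.6).

Added example, not code from the RSM presentation. The log format, host
names, account names, thresholds and business hours are assumptions made
for this demo; a SIEM would express the same checks as correlation rules.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (syslog-style sshd output; layout is an assumption).
SAMPLE_LOG = """\
2016-04-14T02:03:11 cde-db01 sshd: Accepted password for root from 10.10.5.7
2016-04-14T09:15:02 cde-db01 sshd: Failed password for jdoe from 10.10.5.22
2016-04-14T09:15:09 cde-db01 sshd: Failed password for jdoe from 10.10.5.22
2016-04-14T09:15:15 cde-db01 sshd: Failed password for jdoe from 10.10.5.22
2016-04-14T09:15:21 cde-db01 sshd: Failed password for jdoe from 10.10.5.22
2016-04-14T09:15:27 cde-db01 sshd: Failed password for jdoe from 10.10.5.22
2016-04-14T09:16:40 cde-db01 sshd: Accepted password for jdoe from 10.10.5.22
2016-04-14T11:40:00 cde-pos02 sshd: Accepted publickey for asmith from 10.10.5.30
2016-04-14T23:58:41 cde-pos02 sshd: Accepted password for posadmin from 10.10.5.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Accepted|Failed) "
    r"(?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+)$"
)

SHARED_ACCOUNTS = {"root", "posadmin", "administrator"}  # generic/shared IDs (assumption)
FAILED_THRESHOLD = 5                   # this many failures inside FAILED_WINDOW is a burst
FAILED_WINDOW = timedelta(minutes=5)
BUSINESS_HOURS = range(7, 20)          # 07:00-19:59 local time (assumption)


def parse(log_text):
    """Parse the lines we understand; lines we cannot parse are counted as a finding."""
    events, unparsed = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events, unparsed


def review(log_text):
    """Return sorted (category, detail) findings a reviewer should look at."""
    events, unparsed = parse(log_text)
    findings = []
    if unparsed:
        findings.append(("unparsed-lines", f"{unparsed} line(s) not understood"))
    failures = defaultdict(list)       # (host, user) -> timestamps of failed logins
    burst_reported = set()
    for ev in events:
        key = (ev["host"], ev["user"])
        who = f"{ev['user']}@{ev['host']}"
        if ev["result"] == "Failed":
            failures[key].append(ev["ts"])
            recent = [t for t in failures[key] if ev["ts"] - t <= FAILED_WINDOW]
            if len(recent) >= FAILED_THRESHOLD and key not in burst_reported:
                burst_reported.add(key)
                findings.append(("failed-burst", f"{who}: {len(recent)} failures within {FAILED_WINDOW}"))
            continue
        # Successful login: check the account type, time of day and preceding failures.
        if ev["user"] in SHARED_ACCOUNTS:
            findings.append(("shared-account", f"{who} from {ev['src']}"))
        if ev["ts"].hour not in BUSINESS_HOURS:
            findings.append(("after-hours", f"{who} at {ev['ts'].isoformat()}"))
        recent = [t for t in failures[key] if ev["ts"] - t <= FAILED_WINDOW]
        if len(recent) >= FAILED_THRESHOLD:
            findings.append(("success-after-failures",
                             f"{who}: {len(recent)} failures then success from {ev['src']}"))
    return sorted(findings)


def summarize(findings):
    """Count findings per category, e.g. for the daily review ticket."""
    counts = defaultdict(int)
    for category, _ in findings:
        counts[category] += 1
    return dict(counts)


if __name__ == "__main__":
    results = review(SAMPLE_LOG)
    for category, detail in results:
        print(f"[{category}] {detail}")
    print(summarize(results))
```

On the constructed sample the review reports six findings: two logins with shared accounts, two after-hours logins, one burst of failed logins for one account and one success right after that burst. The point for 10.6 is not the particular rules but that the review runs every day, produces a record (the ticket), and that each finding is followed up.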

Key PCI 3.1 requirements (continued)
- Requirement 9.9 – Protect capture devices: all devices that capture payment data (PIN pads, card swipes, chip readers, etc.) must have unique tamper-proof stickers
- Requirement 11.3 – Pentesting methodology: the methodology has to be documented, based on an industry standard (such as NIST SP), and include current threats and vulnerabilities
- Requirement – Vendor management: maintain information on which PCI DSS requirements are managed by each service provider/entity
- Requirement 12.9 – Vendor acknowledgement: written acknowledgement of the responsibilities discussed in 12.8

What's new in PCI DSS 3.2?
- Multi-factor authentication now required for admins accessing the CDE.
  − Two-factor expanded to multi-factor.
- Will include the updated migration dates for the SSL/TLS migration.
- Masking of the primary account number (PAN) when displayed beyond "first six, last four".
- Addition of some elements of the Designated Entities Supplemental Validation (DESV) for service providers into the ROC.

PCI DSS – More Points to Keep in Mind
- Sound a bit vague?
  − Still under development; details not yet publicly available.
- So, when will we know?
  − Release expected sometime in April 2016 – this month.
  − Once released, version 3.1 sunsets in six months.
- What happened to the three-year cycle?
  − SSC now considers PCI mature.
  − SSC is replacing it with incremental releases – more nimble in a rapidly changing threat environment.

IMPACTS OF NEW CREDIT CARD TECHNOLOGIES ON PCI DSS

New Credit Card Technologies
- P2PE
- Tokenization
- EMV or Chip & PIN
- Mobile Payments

Point-of-Sale (POS) architecture – Standard
- Cardholder data not encrypted and subject to compromise.
- Includes the network and the POS server.

Point-of-Sale (POS) architecture – P2PE
- P2PE: POS device direct to processor.

Tokenization: the process of replacing a credit card number with a unique set of numbers that have no bearing on the original data.
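The tokenization definition above and the 3.2 display-masking rule ("first six, last four") from the earlier slide both come down to what a system outside the CDE is allowed to see. The code below is an added example, not code from the RSM presentation or any tokenization vendor: a minimal in-memory token vault that swaps a PAN for a random surrogate carrying no information about it, plus the masking function used when a PAN must be shown. The vault design, the token length and the choice to make tokens fail the Luhn check (so a token can never be mistaken for a real card number) are assumptions for this demo; a production vault lives inside the CDE with its own access control and logging.

```python
"""Tokenization vault and PAN display masking.

Added example, not code from the RSM presentation or any vendor product.
The in-memory vault, same-length digit tokens and Luhn-invalid tokens are
assumptions made for this demo.
"""
import secrets


def luhn_valid(digits):
    """True if the digit string passes the Luhn check used for card numbers."""
    if not digits or not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(pan):
    """Strip spaces/dashes and reject anything that is not a plausible PAN (12-19 digits, Luhn-valid)."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 12 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a valid card number")
    return digits


def mask_pan(pan):
    """Masked form for display: at most the first six and last four digits are visible."""
    digits = normalize_pan(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


class TokenVault:
    """Maps random surrogate tokens to PANs. Only the vault ever holds the PAN."""

    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}

    def tokenize(self, pan):
        digits = normalize_pan(pan)
        if digits in self._pan_to_token:     # same PAN -> same token (lets merchants link repeat customers)
            return self._pan_to_token[digits]
        while True:
            # Random digits of the same length: nothing about the PAN is derivable from the token.
            token = "".join(secrets.choice("0123456789") for _ in range(len(digits)))
            # Tokens are kept Luhn-invalid so they can never pass for a real PAN downstream,
            # and we avoid the (astronomically unlikely) collision with an existing token.
            if not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = digits
        self._pan_to_token[digits] = token
        return token

    def detokenize(self, token):
        """Recover the PAN; only CDE components (e.g. the call to the processor) should do this."""
        try:
            return self._token_to_pan[token]
        except KeyError:
            raise KeyError("unknown token") from None


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111 1111 1111 1111"   # well-known test card number, not a real account
    token = vault.tokenize(pan)
    print("token:", token, "masked:", mask_pan(pan))
    print("round trip ok:", vault.detokenize(token) == normalize_pan(pan))
```

Systems that store only the token (order history, CRM, analytics) never hold cardholder data, which is what takes them out of scope for stored-CHD requirements; the vault and anything that calls detokenize stay firmly inside the CDE. Masking is a display control only: the full PAN still exists behind it and still needs Requirement 3 protection.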

EMV (Europay/Mastercard®/Visa®) or Chip & PIN
- October 1, 2015 – EMV implementation date
  − Fraud liability shifts to merchants that do not have certified chip card readers
- More secure for card-present transactions
  − However, consider…
    Cards are not encrypted
    Data transmission across the network
    Implementation costs for new EMV POS terminals
- Doesn't change, or narrow, PCI scope
- Doesn't provide additional security for e-commerce, mail, phone and fax orders

Mobile Payments
- Still evolving with regard to PCI
- Still being reviewed by the SSC
  − Key mobile device issues and risks:
    Loss of the mobile device could mean loss of payment information (physical security)
    Capturing transmission of information
    Securing the OS and checking for malware

TIPS AND TRICKS FOR MAINTAINING PCI COMPLIANCE

Navigating a Changing PCI Landscape: PCI is constantly changing, so what can I do to stay on top of it?

If Last ROC Was Already Compliant – keep doing what you're doing:
- Keep documentation in order and up to date.
- Keep track of the firewalls segmenting the CDE.
- Continue annual internal and external pen tests.
- Continue employee security awareness.
- Keep track of all your vendors accessing the CDE.

Key cybersecurity tasks – Good
- Full disk/file encryption for key systems, including servers (when appropriate)
- Properly trained IT staff
- Inventory of authorized hardware and software on the network
- Testing and production networks are segregated

Key cybersecurity tasks – Better
- Incident Response Plan (IRP) and tabletop exercises
- Quarterly auditing of user accounts for the network and key applications
- Employee onboarding/termination program
- System patch management solution
- Information security officer is not an IT employee
- Security awareness training

Key cybersecurity tasks – Sweet
- Regularly performing network testing, with a program to remediate identified issues
- Security Incident and Event Management (SIEM) solution and daily review
- 24/7 incident response team, not Monday to Friday 9-5
- Third-party solutions
  − FireEye
  − WebSense
  − Carbon Black/Bit9
  − DLP solutions

Key takeaways
- Third-party vendors create the impression that the client's information security responsibilities have been relinquished
- Confusion around information security responsibilities when multiple IT vendors are involved
- Network vulnerability and penetration testing is not properly performed
- PCI Self-Assessment Questionnaires (SAQs) are not being completed, or the answers are inaccurate
- Antivirus programs are a placebo
- Information technology and information security are different
- Organizations need to find alternatives to conduct business without collecting unnecessary PII

Key takeaways (continued)
- PCI DSS version 3.2 is not a sea change. The changes are incremental.
- Just keep doing what you're doing:
  − Keep the controls in place after the QSA leaves. Don't turn them on just to make the QSA happy and then shut them down after the QSA is out the door.
  − Keep segmenting, keep patching, keep pen testing.
  − Keep on top of your vendors.

Final Word of Advice: AND BE ABLE TO DOCUMENT IT!!


This document contains general information, may be based on authorities that are subject to change, and is not a substitute for professional advice or services. This document does not constitute audit, tax, consulting, business, financial, investment, legal or other professional advice, and you should consult a qualified professional advisor before taking any action based on the information herein. RSM US LLP, its affiliates and related entities are not responsible for any loss resulting from or relating to reliance on this document by any person. RSM US LLP is a limited liability partnership and the U.S. member firm of RSM International, a global network of independent audit, tax and consulting firms. The member firms of RSM International collaborate to provide services to global clients, but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party. Visit rsmus.com/aboutus for more information regarding RSM US LLP and RSM International. RSM® and the RSM logo are registered trademarks of RSM International Association. The power of being understood® is a registered trademark of RSM US LLP. © 2015 RSM US LLP. All Rights Reserved. RSM US LLP One South Wacker Drive, Suite 800 Chicago, IL