Summary of Changes PCI DSS V. 3.1 to V. 3.2

Summary of Changes PCI DSS V. 3.1 to V. 3.2
- Version 3.2 voluntary through October 31, 2016
- Mandatory thereafter

Not a Major New Version
- The standard is mature
- Most changes are cosmetic or are clarifications of version 3.1
- Incorporates interim deadlines as final deadlines (SSL/TLS issue)
- Changed terminology from “two-factor” authentication to “multi-factor” authentication
- Clarified that patching all software includes payment applications
- Created new Appendix A2 to address the SSL/Early TLS issue
- Added new Appendix A3 to include the Designated Entity Supplemental Validation requirements

Areas of Emphasis
There are several new areas of emphasis in Version 3.2:
- Change management
- Administrative access
- Incident response
- Ecommerce, particularly A-EP environments

Version 3.2 SAQs
No new SAQ versions, but changes to existing ones:

SAQ           Questions V3.1   Questions V3.2   Difference
SAQ D-SP      347              369              +22
SAQ D-MER     326              331              +5
SAQ C         139              162              +23
SAQ A-EP                       193              +54
SAQ B-IP      83               84               +1
SAQ C-VT      73               80               +7
SAQ B         41
SAQ P2PE-HW   35               33               -2
SAQ A         14               22               +8

SAQ A-EP now defines the merchant web site as the CDE, so there are significantly more controls that must be met within the A-EP environment. Much more emphasis in the A-EP on the firewall (Requirement 1), secure coding (Requirement 6), access to systems (Requirement 8), auditing of access to systems (Requirement 10), and intrusion detection (Requirement 11).

Masking PAN
Displaying the Primary Account Number (PAN)
- Current requirement is that no more than the first six and last four digits of the PAN can be displayed: 123456XXXXXX1234
- Any display of more digits of the PAN requires a legitimate business need
Requirement 3.3
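As an added example (not part of the slide deck), the following Python code applies the Requirement 3.3 display rule in two directions: it masks a full PAN down to first six / last four, and it audits values already shown on a receipt, screen or log line for over-disclosure. The sample values are constructed; the card numbers are the well-known test PANs, not real accounts.

```python
import re

MASK_CHARS = "Xx*#"   # mask characters commonly seen in displays
MAX_LEADING = 6       # Requirement 3.3: at most the first six ...
MAX_TRAILING = 4      # ... and the last four digits may be displayed


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test; used to tell a PAN from other long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Return the PAN masked to first six / last four (separators dropped)."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("value is not PAN-length (13-19 digits)")
    hidden = len(digits) - MAX_LEADING - MAX_TRAILING
    return digits[:MAX_LEADING] + "X" * hidden + digits[-MAX_TRAILING:]


def over_disclosed(display: str) -> bool:
    """True when a displayed value reveals more of a PAN than 3.3 allows."""
    token = re.sub(r"[ \-]", "", display)          # strip grouping separators
    if not re.fullmatch(rf"[0-9{MASK_CHARS}]{{13,19}}", token):
        return False                               # not PAN-shaped; out of scope
    if token.isdigit():
        return luhn_valid(token)                   # full PAN in the clear
    parts = re.fullmatch(rf"(\d*)([{MASK_CHARS}]+)(\d*)", token)
    if parts is None:
        return True                                # digits exposed mid-mask
    leading, _, trailing = parts.groups()
    return len(leading) > MAX_LEADING or len(trailing) > MAX_TRAILING


def audit_displays(values):
    """Return the displayed values that violate the masking rule."""
    return [v for v in values if over_disclosed(v)]


# Constructed sample output as it might appear in an application log.
SAMPLE_DISPLAYS = [
    "123456XXXXXX1234",      # compliant mask from the slide
    "4111111111XX1111",      # too many leading digits shown
    "4111 1111 1111 1111",   # full test PAN in the clear
    "4111-1111-1111-1112",   # fails Luhn: an order number, not a PAN
    "ORDER-2016-0001",       # not PAN-shaped at all
]
```

`audit_displays(SAMPLE_DISPLAYS)` flags the second and third entries only.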

Change Control
Additional change control requirement
- Change control processes must include verification of PCI DSS requirements impacted by a (significant) change
- All relevant controls must be implemented on all new or changed systems
- Documentation must be updated as applicable
Requirement 6.4.6, effective February 1, 2018

Remote Administrative Access to CDE
For any non-console administrative access to the CDE:
- All non-console access into the CDE for personnel with administrative access must use multi-factor authentication (8.3.1)
- Current requirement for multi-factor authentication for remote access to the CDE for personnel with administrative access still applies (8.3.2)
Requirement 8.3.1: best practice until January 31, 2018, then mandatory thereafter

High Risk Vulnerabilities
- Vulnerabilities must be integrated into the risk assessment process
- Clarification that all “high risk” vulnerabilities must be addressed for internal scans, in accordance with the entity’s vulnerability ranking (as per Requirement 6.1)
- Remediation must be verified by rescans
Requirement 11.2.1

Appendix A1 – Shared Hosting Providers
Additional requirements for Service Providers (including Shared Hosting Providers):
- Must maintain a documented description of the cryptographic architecture (Requirement 3.5.1; best practice until January 31, 2018, then mandatory thereafter)
- Detect and report on failures of critical security control systems (Requirement 10.8, effective February 1, 2018)
- Perform penetration testing on segmentation controls at least every six months (Requirement 11.3.4.1, effective February 1, 2018)
- Service Provider Executive Management to establish responsibilities for protection of cardholder data and the PCI DSS compliance program (Requirement 12.4, effective February 1, 2018)
- Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures (Requirement 12.11, effective February 1, 2018)

Appendix A2 – SSL/Early TLS
Incorporates requirements around insecure SSL/Early TLS:
- New system implementations must not use SSL or early TLS (1.0)
- If TLS 1.1 is deprecated by the National Institute of Standards and Technology (NIST), then TLS 1.1 must no longer be used by the deprecation effective date
- All service providers must provide a secure service offering by June 30, 2016
- After June 30, 2018, all entities must have stopped use of SSL/Early TLS
- If SSL/Early TLS is being used, must have BOTH:
  - A mitigation plan to compensate for the risk of SSL/Early TLS
  - A migration plan to get off of SSL/Early TLS no later than June 30, 2018

Appendix A3 – DESV Requirements
Designated Entities Supplemental Validation (DESV) requirements are now officially incorporated into the DSS
- Any entity touching cardholder data can be designated a “Designated Entity” by the payment brand(s) or the Acquirer for:
  - Storing, processing, and/or transmitting large volumes of cardholder data
  - Providing aggregation points for cardholder data
  - Suffering significant or repeated breaches of cardholder data
- Does NOT add any new requirements to the DSS
- Enhances the documentation / processes already required

Resources
Documents available from the PCI Security Council website at: https://www.pcisecuritystandards.org/document_library?category=pcidss
- PCI DSS V3.2
- PCI DSS Summary of Changes, V3.1 to V3.2
- Prioritized Approach for PCI DSS V3.2
- Prioritized Approach Tool V3.2
- Glossary of Terms, Abbreviations, and Acronyms V3.2

For More Information
For additional information or if you have any questions, please contact Coalfire through:
- Joseph D. Tinucci, CTP, QSA, CISSP – Joseph.Tinucci@Coalfire.com
- Jon Bonham, CISA, QSA – Jon.Bonham@Coalfire.com
- Dirk Anderson, CRISC, CISA, QSA, ASV – Dirk.Anderson@Coalfire.com