NUAGA May 22, 2014
IT Specialist, Utah Department of Technology Services (DTS) Assigned to Department of Alcoholic Beverage Control PCI Professional (PCIP) and PCI Internal Security Assessor (ISA) Certification 4/2014 Annual re-certification Currently responsible for PCI security for all 44 of the DABC’s retail stores 18 Years Experience with DTS/DABC
Easton-Bell Sports Bright Horizons Bell-Canada Several major hotel chains ◦ These breaches have all occurred by exploiting weaknesses in the systems and processes of a third-party business partner.
The PCI DSS represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information. The standard provides an actionable framework for developing a robust data security process - including preventing, detecting and reacting to security incidents. Applies to any entity that stores, processes and/or transmits CHD.
PCI Data Security Standard Requirements PCI DSS is the global data security standard that any business of any size must adhere to in order to accept payment cards, and to store, process, and/or transmit cardholder data. It presents common sense steps that mirror best security practices. Goals PCI DSS Requirements – Validated by Self or Outside Assessment Build and Maintain a Secure Network1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 3. Protect stored data 4. Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program5. Use and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications Implement Strong Access Control Measures7. Restrict access to cardholder data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly Monitor and Test Networks10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes Maintain an Information Security Policy12. Maintain a policy that addresses information security for all personnel
Build and Maintain a Secure Network Protect Card Holder Data Maintain a Vulnerability Management Program Implement Strong Access Control Measures Regularly Monitor and Test Networks Maintain an Information Security Policy
The updated versions of PCI DSS and PA-DSS will: Provide stronger focus on some of the greater risk areas in the threat environment Provide increased clarity on PCI DSS & PA-DSS requirements Build greater understanding on the intent of the requirements and how to apply them Improve flexibility for all entities implementing, assessing, and building to the Standards Drive more consistency among assessors Help manage evolving risks / threats Align with changes in industry best practices Clarify scoping and reporting Eliminate redundant sub-requirements and consolidate documentation
The PCI Standards are updated based on feedback from the industry, per the standards development lifecycle as well as in response to current market needs. Common challenge areas and drivers for change include: Lack of education and awareness Weak passwords, authentication Third-party security challenges Slow self-detection, malware Inconsistency in assessments
1.1.x - Clarified that firewall and router standards have to be both documented and implemented. Clarified what the network diagram must include and added a new requirement (1.1.3) for a current diagram that shows cardholder data flows. New requirement to maintain an inventory of system components in scope for PCI DSS New requirement to evaluate malware threats for any systems not considered to be commonly affected by malicious software
New requirement to ensure that anti-virus solutions are actively running and cannot be disabled or altered by users unless specifically authorized by management on a per-case basis 6.1 -Clarified the process for identifying and risk ranking new vulnerabilities and (6.2) patching critical vulnerabilities New requirement for coding practices to protect against broken authentication and session management New requirement to cover definition of access needs for each role Clarified requirements for two-factor authentication applies to users, administrators, and all third parties, including vendor access for support or maintenance
New requirement for service providers with remote access to customer devices, to use unique authentication credentials for each customer 9.9.x - New requirement to protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution – Enhanced requirement to include changes to identification and authentication mechanisms (including creation of new account, elevation of privileges) and all changes, additions and deletions to accounts with root or admin privileges
11.1.x -New requirement to include an inventory of authorized wireless access points and scanning for unauthorized wireless devices New requirement to implement a methodology for penetration testing, to also include verification that segmentation methods are operational and effective (11.3.4) Clarified that the risk assessment should be performed at least annually and after significant changes to the environment Clarified the responsibilities for the service provider’s written agreement/acknowledgement
New requirement to maintain information about which PCI requirements are managed by each service provider, and which are managed by the entity New requirement for service providers to provide a written agreement/acknowledgment to their customers x - Clarified the intent for alerts from security monitoring systems to be included in the incident response plan
Implementing security into business as usual (BAU) activities Audit ready anytime In my opinion, the PCI Data Security Standard is not a policy or procedure. PCI-DSS is a lifestyle!
Kevin Perry DTS/DABC