1
©2015 RSM US LLP. All Rights Reserved. PCI 3.1 AND 3.2 AND BEYOND Tips and Tricks to Stay PCI Compliant April 14, 2016
2
©2015 RSM US LLP. All Rights Reserved. Speaker Joel Dubin Manager, Security and Privacy Services PCI QSA, PA-QSA, CISSP 312-634-3422 joel.dubin@rsmus.com -Eight years as a QSA and PA-QSA -Conducted PCI and PA-DSS assessments in the U.S., Latin America, Europe and Middle East -Scoped architectures for PCI
3
©2015 RSM US LLP. All Rights Reserved. Agenda What, and who, is PCI and its ecosystem? What is new in PCI 3.0, 3.1 and now 3.2? Impacts on PCI of new credit card technologies Tips and tricks for maintaining PCI compliance
4
©2015 RSM US LLP. All Rights Reserved. WHAT, AND WHO, IS PCI AND ITS ECOSYSTEM?
5
©2015 RSM US LLP. All Rights Reserved. PCI Standards Ecosystem and Hierarchy PTS PIN-pad Level PA-DSS Application Level PCI Network Level
6
©2015 RSM US LLP. All Rights Reserved. Who is the PCI SSC? Payment Card Industry Security Standards Council Visa MasterCard American Express Discover JCB One standard for merchants – PCI
7
©2015 RSM US LLP. All Rights Reserved. PCI DSS Requirements
8
©2015 RSM US LLP. All Rights Reserved. Differences between PCI DSS 2.0 vs 3.1 Version 3.1 released in April, mandatory for all assessments after June 30, 2015 − Version 3.0 mandatory since January 2015 − Version 3.1: SSL to TLS migration now June 2018 Formerly June 2016 Total changes – 114 modified requirements − Clarifications – 92 changes − Additional guidance – 8 changes − Evolving requirement – 14 changes 16 new requirements – all fit into one of the above categories Most of the changes in version 3 were “clarifications” of the version 2 requirements (83%) These were already requirements − Wording just “codifies” the requirement
9
©2015 RSM US LLP. All Rights Reserved. Key PCI 3.1 requirements Requirement 2.1 – Remove default passwordsRequirement 3.4.1 – Disk encryption Bitlocker is NOT approved Requirement 6.4.1 – Environment separation Production & Development Requirement 10.2.1 – Audit CHD access User access audited/No shared accounts Requirement 10.6 – Log reviews Daily review for anomalies/SIEM solution recommended Requirement 12.8 – Vendor management Service provider agreement/acknowledgement must document the responsibilities of the vendor protecting CHD
10
©2015 RSM US LLP. All Rights Reserved. Key PCI 3.1 requirements (continued) Requirement 9.9 – Protect capture devices All devices that capture payment data (PIN PADs, card swipes, CHIP readers, etc) must have unique tamper proof stickers Requirement 11.3 – Pentesting methodology Methodology has to be documented and based on industry standard (such as NIST SP800-115) and include current threats and vulnerabilities Requirement 12.8.5 – Vendor management Maintain information of which PCI DSS requirements are managed by each servicer provider/entity Requirement 12.9 – Vendor acknowledgement Written acknowledgement of responsibilities discussed in 12.8
11
©2015 RSM US LLP. All Rights Reserved. What’s new in PCI DSS 3.2? Multi-factor authentication now required for admins accessing CDE. − Two-factor expanded to multi-factor. Will include the updated migration dates for SSL/TLS migration. Masking of primary account number (PAN) when displayed beyond “first six last four”. Addition of some elements of Designated Entities Supplemental Validation (DESV) for service providers into ROC. 11
12
©2015 RSM US LLP. All Rights Reserved. PCI DSS 3.2 -- More Points to Keep in Mind Sound a bit vague? − Still under developments and details not yet publicly available. So, when will we know? − Release expected sometime in April 2016 – this month − Once released, version 3.1 sunset in six months. What happened to the three-year cycle? − SSC now considers PCI mature. − SSC replacing with incremental releases – more nimble in rapidly changing current threat environment. 12
13
©2015 RSM US LLP. All Rights Reserved. IMPACTS OF NEW CREDIT CARD TECHNOLOGIES ON PCI DSS
14
©2015 RSM US LLP. All Rights Reserved. New Credit Card Technologies P2PE Tokenization EMV or Chip & PIN Mobile Payments
15
©2015 RSM US LLP. All Rights Reserved. Point-of-Sale (POS) architecture – Standard Cardholder data not encrypted and subject to compromise. Includes network and POS Server
16
©2015 RSM US LLP. All Rights Reserved. Point-of-Sale (POS) architecture – P2PE P2PE - POS device direct to processor
17
©2015 RSM US LLP. All Rights Reserved. Tokenization The process of replacing a credit card number with a unique set of numbers that have no bearing on the original data.
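The tokenization defined above and the "first six, last four" PAN masking mentioned under 3.2, as an added Python example that is not part of the presentation. The vault design, the 16-digit token format and the rule that tokens must fail the Luhn check are assumptions; the PAN used is a constructed test number.

```python
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn checksum on a digit string; a well-formedness check, not a security control."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(raw: str) -> str:
    """Strip spaces/dashes and validate length and checksum; reject anything else."""
    digits = "".join(ch for ch in raw if ch.isdigit())
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a well-formed PAN")
    return digits


def mask_pan(raw: str) -> str:
    """Display masking: at most the first six and last four digits remain visible."""
    pan = normalize_pan(raw)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Toy tokenization vault (assumed design, not a product). The token is random, so it
    has no mathematical relation to the PAN; the PAN-to-token table lives with the
    tokenization provider inside its own CDE, never on the merchant's systems."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, raw: str) -> str:
        pan = normalize_pan(raw)
        if pan in self._token_by_pan:          # same card -> same token (assumption)
            return self._token_by_pan[pan]
        while True:
            # 16 random digits; candidates that pass Luhn are rejected so a token can
            # never be mistaken for, or accidentally equal, a real card number
            token = "".join(str(secrets.randbelow(10)) for _ in range(16))
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the provider can map back; the merchant never needs this call."""
        return self._pan_by_token[token]
```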
18
©2015 RSM US LLP. All Rights Reserved. EMV (Europay/Mastercard®/Visa®) or Chip & PIN October 1, 2015 – EMV implementation date − Fraud liability shifts to merchants that do not have certified chip card readers More secure for card present transactions − However, consider… Cards are not encrypted Data transmission across network Implementation costs for new EMV POS terminal Doesn’t change, or narrow, PCI scope Doesn't provide additional security for e-commerce, mail, phone and fax orders
19
©2015 RSM US LLP. All Rights Reserved. Mobile Payments Still in evolution in regards to PCI Still being reviewed by SSC − Key mobile device issues and risks Loss of mobile device could mean loss of payment information (physical security) Capturing transmission of information Securing the OS and checking for malware 19
20
©2015 RSM US LLP. All Rights Reserved. TIPS AND TRICKS FOR MAINTAINING PCI COMPLIANCE
21
©2015 RSM US LLP. All Rights Reserved. Navigating a Changing PCI Landscape PCI is constantly changing, so what can I do to stay on top of it? 21
22
©2015 RSM US LLP. All Rights Reserved. If Last ROC Was Already Compliant Keep doing what your doing: Keep documentation in order and up-to-date. Keep track of firewalls segmenting CDE. Continue annual internal and external pen tests. Continue employee security awareness Keep track of all your vendors accessing CDE 22
23
©2015 RSM US LLP. All Rights Reserved. Key cybersecurity tasks – Good Full disk/file encryption for key systems including servers (when appropriate) Properly trained IT staff Inventory of authorized hardware and software on the network Testing and production networks are segregated
24
©2015 RSM US LLP. All Rights Reserved. Key cybersecurity tasks - Better Incident Response Plan (IRP) and table top exercises Quarterly auditing of user accounts for network and key applications Employee onboarding/termination program System patch management solution Information security officer is not an IT employee Security awareness training
25
©2015 RSM US LLP. All Rights Reserved. Key cybersecurity tasks - Sweet Regularly performing network testing and program to remediate identified issues Security Incident and Event Management (SIEM) solution and daily review 24/7 incident response team and not Monday to Friday 9-5 Third party solutions − FireEye − WebSense − Carbon Black/Bit 9 − DLP Solutions
26
©2015 RSM US LLP. All Rights Reserved. Key takeaways Third party vendors cause the impression of information security responsibilities of the client are relinquished Confusion around information security responsibilities when multiple IT vendors involved Network vulnerability and penetration testing is not properly performed PCI Self Assessment Questionnaires (SAQ) are not being completed or answers are inaccurate Antivirus programs are a placebo Information technology and information security are different Organizations need to find alternatives to conduct business w/o collection of unnecessary PII
27
©2015 RSM US LLP. All Rights Reserved. Key takeaways (continued) PCI DSS version 3.2 is not a sea change. The changes are incremental. Just keep doing what you’re doing: − Keep the controls in place after the QSA leaves. Don’t turn them on just to make the QSA happy, And then shut them down after the QSA is out the door. Keep segmenting, keep patching, keep pen testing. Keep on top of your vendors.
28
©2015 RSM US LLP. All Rights Reserved. Final Word of Advice AND BE ABLE TO DOCUMENT IT!!
This document contains general information, may be based on authorities that are subject to change, and is not a substitute for professional advice or services. This document does not constitute audit, tax, consulting, business, financial, investment, legal or other professional advice, and you should consult a qualified professional advisor before taking any action based on the information herein. RSM US LLP, its affiliates and related entities are not responsible for any loss resulting from or relating to reliance on this document by any person. RSM US LLP is a limited liability partnership and the U.S. member firm of RSM International, a global network of independent audit, tax and consulting firms. The member firms of RSM International collaborate to provide services to global clients, but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party. Visit rsmus.com/aboutus for more information regarding RSM US LLP and RSM International. RSM® and the RSM logo are registered trademarks of RSM International Association. The power of being understood® is a registered trademark of RSM US LLP. © 2015 RSM US LLP. All Rights Reserved. RSM US LLP One South Wacker Drive, Suite 800 Chicago, IL 60606 312.634.3400 www.rsmus.com