Presentation is loading. Please wait.

Presentation is loading. Please wait.

Summary of Changes PCI DSS V. 3.1 to V. 3.2

Similar presentations


Presentation on theme: "Summary of Changes PCI DSS V. 3.1 to V. 3.2"— Presentation transcript:

1 Summary of Changes PCI DSS V. 3.1 to V. 3.2
Version 3.2 voluntary through October 31, Mandatory thereafter

2 Not a Major New Version The standard is mature
Most changes are cosmetic or are clarifications of version 3.1 Incorporates interim deadlines as final deadlines (SSL/TLS issue) Changed terminology use from “two-factor” authentication to “multi-factor” authentication Clarified that patching all software includes payment applications Created new Appendix A2 to address SSL/Early TLS issue Added new Appendix A3 to include Designated Entity Supplemental Validation requirements

3 Areas of Emphasis There are several new areas of emphasis in Version 3.2 Change management Administrative access Incident response Ecommerce, particularly A-EP environments

4 Version 3.2 SAQs No new SAQ versions, but changes to existing ones
# Questions V3.1 # Questions V3.2 Difference SAQ D-SP 347 369 +22 SAQ D-MER 326 331 +5 SAQ C 139 162 +23 SAQ A-EP 193 +54 SAQ B-IP 83 84 +1 SAQ C-VT 73 80 +7 SAQ B 41 SAQ P2PE-HW 35 33 -2 SAQ A 14 22 +8 SAQ A-EP now defines the merchant web site as the CDE, so there are significantly more controls that must be met within the A-EP environment. Much more emphasis in the A-EP on the firewall (Requirement 1), secure coding (Requirement 6), access to systems (Requirement 8), auditing of access to system(s) (Requirement 10), intrusion detection (Requirement 11).

5 Masking PAN Displaying the Primary Account Number (PAN)
Current requirement is no more than first six and last four digits of PAN can be displayed 123456XXXXXX1234 Any display of more digits of PAN require a legitimate business need Requirement 3.3

6 Change Control Additional change control requirement
Change control processes must include verification of PCI DSS requirements impacted by a (significant) change All relevant controls must be implemented on all new or changed systems Documentation must be updated as applicable Requirement 6.4.6 Effective February 1, 2018

7 Remote Administrative Access to CDE
For any non-console administrative access to CDE: All non-console access into CDE for personnel with administrative access must use multi-factor authentication (8.3.1) Current requirement for multi-factor authentication for remote access to CDE for personnel with administrative access still applies (8.3.2) Requirement 8.3.1 Best practice until January 31, 2018, then mandatory thereafter

8 High Risk Vulnerabilities
Vulnerabilities must be integrated into the risk assessment process Clarification that all “high risk” vulnerabilities must be addressed for internal scans In accordance with the entity’s vulnerability ranking (as per Requirement 6.1) Remediation must be verified by rescans Requirement

9 Appendix A1 – Shared Hosting Providers
Additional requirements for Service Providers (including Shared Hosting Providers) Must maintain documented description of cryptographic architecture Requirement 3.5.1; best practice until January 31, 2018, then mandatory thereafter Detect and report on failures of critical security control systems Requirement 10.8, effective February 1, 2018 Perform penetration testing on segmentation controls at least every six months Requirement , effective February 1, 2018 Service Provider Executive Management to establish responsibilities for protection of cardholder data and PCI DSS compliance program Requirement 12.4, effective February 1, 2018 Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures Requirement 12.11, effective February 1, 2018

10 Appendix A2– SSL/Early TLS
Incorporate requirements around insecure SSL/Early TLS New system implementations must not use SSL or early TLS (1.0) If TLS 1.1 is deprecated by the National Institutes for Standards and Technology (NIST), then TLS 1.1 must no longer be used by the deprecation effective date All service providers must provide a secure service offering by June 30, 2016 After June 30, 2018, all entities must have stopped use of SSL/Early TLS If SSL/Early TLS is being used, must have BOTH: Mitigation plan to compensate for the risk of SSL/Early TLS Migration plan to get off of SSL/Early TLS no later than June 30, 2018

11 Appendix A3 – DESV Requirements
Designated Entities Supplemental Validation (DESV) requirements are now officially incorporated into the DSS Any entity touching cardholder data can be designated a “Designated Entity” by the payment brand(s) or the Acquirer For storing, processing, and/or transmitting large volumes of cardholder data Providing aggregation points for cardholder data Suffering significant or repeated breaches of cardholder data Does NOT add any new requirements to the DSS Enhances the documentation / processes already required

12 Resources Documents available from the PCI Security Council website at: PCI DSS V3.2 PCI DSS Summary of Changes, V3.1 to V3.2 Prioritized Approach for PCI DSS V3.2 Prioritized Approach Tool V3.2 Glossary of Terms, Abbreviations, and Acronyms V3.2

13 For More Information For additional information or if you have any questions, please contact Coalfire through: Joseph D. Tinucci, CTP, QSA, CISSP Jon Bonham, CISA, QSA Dirk Anderson, CRISC, CISA, QSA, ASV


Download ppt "Summary of Changes PCI DSS V. 3.1 to V. 3.2"

Similar presentations


Ads by Google