Presentation is loading. Please wait.

Presentation is loading. Please wait.

Kevin R Perry August 12, 2014. Part 1: High Level Changes & Clarifications.

Published byRaymond Stone Modified over 9 years ago

Similar presentations

Presentation on theme: "Kevin R Perry August 12, 2014. Part 1: High Level Changes & Clarifications."— Presentation transcript:

1 Kevin R Perry August 12, 2014

2 Part 1: High Level Changes & Clarifications

3  Service Provider: ◦ Any entity which stores, processes, or transmits cardholder data on a merchant’s behalf OR ◦ Any entity which manages components such as routers, firewalls, databases, physical security, and/or servers.  If you use a service provider(s), compliance is a shared responsibility ◦ Clarify roles & responsibilities requirement by requirement ◦ If relying on a service provider Report on Compliance, ensure it covers relevant requirements 3

4 4

5  NOT a change, but a clarification  PCI DSS has always been about continuous compliance  Business objective should be liability mitigation, not passing an assessment ◦ Breach Prevention ◦ Early Detection and Containment ◦ ‘Safe Harbor ’ “…enables an entity to monitor the effectiveness of their security controls on an ongoing basis, and maintain their … compliance … between assessments.” 5

6  PCI DSS 2.0 requirement -> Testing procedure + Navigating the PCI DSS ◦ Testing procedures = Secret PCI DSS decoder ring ◦ Testing procedures are more prescriptive ◦ Testing procedures dictate the proper interpretation of the requirement ◦ Navigating the PCI DSS provided useful guidance and clarification of intent  PCI DSS 3.0 has reconciled requirements with testing procedure language  PCI DSS 3.0 now includes intent column 6

7 Navigating the PCI DSS 7

8 8

9 Part 2: New/Evolving Requirements

10 5.1.2: Evaluate evolving malware threats for any systems not considered to be commonly affected by malicious software 8.5.1: Service providers with remote access to customer premises must have unique auth for each customer 12.8.5 & 12.9: Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity 9.9.x: Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution New Requirements Effective 1/1/2014 10

11 11.3: Implement a formal methodology for penetration testing 12.9: Service providers must provide a written agreement/ acknowledgement to their customers as specified in 12.8 New Requirements Effective 7/1/2015 11

12 1.1.3Current diagram that shows cardholder data flows across systems and networks 2.4Maintain an inventory of system components in scope for PCI DSS to support development of configuration standards 5.3Ensure that anti-virus solutions are actively running (formerly in 5.2), and cannot be disabled or altered by users unless specifically authorized by management on a per-case basis 8.6Where other authentication mechanisms are used (for example, physical or logical security tokens) that the mechanisms must be linked to an individual account and ensure only the intended user can gain access with that mechanism New Requirements 12

13 9.3Control physical access to sensitive areas for onsite personnel, including a process authorize access, and revoke access immediately upon termination 11.1.2Align with an already existing testing procedure, for incident response procedures if unauthorized wireless access points are detected 11.3.4If segmentation is used to isolate the CDE from other networks, perform penetration tests to verify that the segmentation methods are operational and effective 11.5.1Implement a process to respond to any alerts generated by the change-detection mechanism 6.5.10Coding practices to protect against broken authorization and session management* New Requirements 13 * Effective 7/1/2015

14 MYTH! System inventory only includes the main application servers Correct: It includes ALL network devices (routers, firewalls, switches), servers, etc. within the CDE network segments MYTH! Vulnerability scans are only required quarterly Correct: They’re also required after any “significant” change – you should define “significant” in your procedures! 14

15

16 Within Our Organization All IT resources  Desktop & Security  Network & Server  Applications & Database  Development Non-IT  HR & Legal  Accounting & Finance  Customer Service & Training  Executive Team Use External Resources  To guide your internal resources  All security reviews  QSA for scans  Penetration testing 16

17 17

18 18 Evolving Requirements Details (For your reference – Not discussed in seminar)

19 PCI DSS 3.0 Requirement ChangeComment 1.1.3Include Cardholder Data Flows on Network Diagram Generally Required to Properly Scope CDE 2.4Maintain Inventory of In-Scope System Components One of the First Questions An Assessor Should Ask 5.1.2Requirement to Evaluate Threats to Systems Not Commonly Affected by Malware Implicit in PCI DSS 2.0 5.3New Requirement to Ensure AV is Actively Running and Cannot Be Disabled/Altered by Users Implicitly Covered By PCI DSS 2.0 Given Requirement 1.4 Testing Procedure 6.5.10New requirement for coding practices to protect against broken authentication and session management Back-to-the-Future – This was included in PCI DSS 1.2. 3.0 has more rigor on testing procedures than 1.2 version. 19

20 PCI DSS 3.0 Requirement ChangeComment 8.2.3Combined minimum password complexity and strength requirements into single requirement, and increased flexibility for alternatives that meet the equivalent complexity and strength. Using alternatives of equal strength was one of the most common compensating controls NIST SP 800-63-1 for understanding equivalent password strength variability for passwords/phrases of different formats. 8.5.1New requirement for service providers with remote access to customer premises, to use unique Authentication credentials for each customer. Effective July 1, 2015 Logical application of PCI DSS v2.0’s Requirements 8.1 and 8.2. 20

21 PCI DSS 3.0 Requirement ChangeComment 8.6New requirement where other authentication mechanisms are used ( For example, physical or logical security tokens, smart cards, certificates, etc.) that the mechanisms must be linked to an individual account and ensure only the intended user can gain access with that Mechanism. Logical extension of PCI DSS v2.0 Requirement 8.1 and 8.3 guidance. 9.3New requirement to control physical access to sensitive areas for onsite personnel, including a process to authorize access, and revoke access immediately upon termination Logical application of PCI DSS v2.0’s Requirements 9.1 and 8.5.4. 21

22 PCI DSS 3.0 Requirement ChangeComment 9.9New requirements to protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution. Effective July 1, 2015 Significant new requirement which will involve training personnel to look for evidence of skimming attacks. 10.2.5Enhanced requirement to include changes to identification and authentication mechanisms (including creation of new accounts, elevation of privileges), and all changes, additions and deletions to accounts with root or administrative access. Clarification of a rather ambiguous logging requirement. 10.2.6Enhanced requirement to include stopping or pausing of the audit logs. Could be a significant change or a nonevent depending on what your applications support. 22

23 PCI DSS 3.0 Requirement ChangeComment 11.1Enhanced requirement to include an inventory of authorized wireless access points and a business justification (11.1.1) and added new requirement 11.1.2 for incident response procedures if unauthorized wireless access points are detected. Detecting unauthorized wireless access points (11.1) implicitly requires an inventory of authorized ones. PCI DSS v2.0 already covered 11.1.2 under Testing Procedure 11.1.e. 11.3 / 11.3.4 New requirement to implement a methodology for penetration testing. Effective July 1, 2015. Significant expansion of penetration testing requirement. Almost certain to require budget increases for testing and remediation. 23

24 PCI DSS 3.0 Requirement ChangeComment 11.5.1New requirement to implement a process to respond to any alerts generated by the change-detection mechanism (supports 11.5) Clarification. Covered as part of the 12.9.3 Testing Procedure. 12.2Expanded frequency of the risk assessment from at least annually to include updates after significant changes to the environment. Most organizations will need to update change management/governan ce procedures. 12.8.5New requirement to maintain information about which PCI DSS requirements are managed by Each service provider, and which are managed by the entity. Knowledge previously required for compliance. Formal documentation now required. 24

25 PCI DSS 3.0 Requirement ChangeComment 12.9New requirement for service providers to provide the written agreement/ acknowledgment to their customers as specified at requirement 12.8. Effective July 1, 2015 Service Provider requirement only. Should facilitate compliance with 12.8.2 25

Download ppt "Kevin R Perry August 12, 2014. Part 1: High Level Changes & Clarifications."

Similar presentations

Complying With Payment Card Industry Data Security Standards (PCI DSS)

Complying With Payment Card Industry Data Security Standards (PCI DSS)
JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.

JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
JARED BIRD Nagios: Providing Value Throughout the Organization.

JARED BIRD Nagios: Providing Value Throughout the Organization.
PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.

PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
Payment Card Industry (PCI) Data Security Standard (DSS) Compliance Commonwealth of Massachusetts Office of the State Comptroller March 2007.

Payment Card Industry (PCI) Data Security Standard (DSS) Compliance Commonwealth of Massachusetts Office of the State Comptroller March 2007.
Copyright Security-Assessment.com 2005 Payment Card Industry Digital Security Standards Presented By Carl Grayson.

Copyright Security-Assessment.com 2005 Payment Card Industry Digital Security Standards Presented By Carl Grayson.
 Controls that provide security against internal and external threats  2 Types of access controls: › Physical controls › Logical controls.

 Controls that provide security against internal and external threats  2 Types of access controls: › Physical controls › Logical controls.
Security Analysis and Recommendations. PB’s&J Presenters & Topics David Bihm User Account Management Nathan Julson Data Classification Firewall Architectures.

Security Analysis and Recommendations. PB’s&J Presenters & Topics David Bihm User Account Management Nathan Julson Data Classification Firewall Architectures.
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
Why Comply with PCI Security Standards?

Why Comply with PCI Security Standards?
Introduction to PCI DSS

Introduction to PCI DSS
Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard
Brian Bradley.  Data is any type of stored digital information.  Security is about the protection of assets.  Prevention: measures taken to protect.

Brian Bradley.  Data is any type of stored digital information.  Security is about the protection of assets.  Prevention: measures taken to protect.
PCI's Changing Environment – “What You Need to Know & Why You Need To Know It.” Stephen Scott – PCI QSA, CISA, CISSP

PCI's Changing Environment – “What You Need to Know & Why You Need To Know It.” Stephen Scott – PCI QSA, CISA, CISSP
Disclaimer Copyright Michael Chapple and Jane Drews, 2006. This work is the intellectual property of the authors. Permission is granted for this material.

Disclaimer Copyright Michael Chapple and Jane Drews, This work is the intellectual property of the authors. Permission is granted for this material.
Payment Card Industry Data Security Standard (PCI DSS) By Roni Argetsinger 515-237-5007.

Payment Card Industry Data Security Standard (PCI DSS) By Roni Argetsinger
PCI 3.0 Boot Camp Payment Card Industry Data Security Standards 3.0.

PCI 3.0 Boot Camp Payment Card Industry Data Security Standards 3.0.

Similar presentations

Ads by Google