
Prepared by Jerod Brennen For ISACA – Central Ohio Chapter Meeting 12/9/2010.


1 Prepared by Jerod Brennen For ISACA – Central Ohio Chapter Meeting 12/9/2010

2 Overview
 Summary of Changes
 Operational Perspective
 Details of Changes
 Observations

3 Summary of Changes (136 total)
 Clarifications: 119 (wording portrays intent)
 Additional Guidance: 15 (increase understanding)
 Evolving Requirements: 2 (emerging threats and changes)
Sources:
https://www.pcisecuritystandards.org/pdfs/summary_of_changes_highlights.pdf
https://www.pcisecuritystandards.org/documents/pci_dss_v2_summary_of_changes.pdf

4 Operational Perspective
 Informational: 61
 Moderate Impact: 41
 Significant Impact: 34
The impact rating is subjective (your mileage may vary).

5 Details - General
 Operations Staff
○ PCI DSS Applicability Information: Account Data = Cardholder Data + Sensitive Authentication Data
○ Scope of Assessment for Compliance with PCI DSS Requirements: added "virtualization components" to the definition of "system components"
○ Policies, Procedures, Standards, etc.
 Auditors
○ Sampling of Business Facilities and System Components: criteria that must be documented when sampling; the sampling rationale must be (re)validated with each assessment
○ Instructions and Content for Report on Compliance: pp. 14-17 give detailed instructions for the RoC
○ Consistency (QSA selection): how much will the Summary of Changes alter QSA procedures?

6 Details – Section 1
 Moderate Impact
○ 1 > "system components providing firewall functionality" are to be treated as firewalls
○ 1.1.5 > examples of insecure services, protocols, and ports (FTP, Telnet, POP3, IMAP, SNMP)
○ 1.3.6 > removed the specification of port scanner use
○ 1.3.7 > testing procedure applies to "any type of cardholder data storage" (e.g., flat files, not only databases)
 Significant Impact
○ 1.4.b > "personal firewall software should not be alterable by employee-owned computer users" (what about users with local admin rights?)

7 Details – Section 2
 Moderate Impact
○ 2.1.1.a-e > removed the reference to WPA (WPA/TKIP was weakened by the Beck-Tews attack published in late 2008)
○ 2.2 > added sources for hardening standards (CIS, ISO, SANS, NIST)
○ 2.2.b > system configuration standards are linked to known vulnerabilities (was in 6.2.b)
○ 2.2.2.a-b > enable only "necessary and secure" services
○ 2.3.a-c > "strong" cryptography is required ("strong" is a point-in-time judgment, so plan for cryptographic agility)
 Significant Impact
○ 2.2.1 > clarified the intent of "one primary function per server" and its use with virtualization (web, database, DNS: functions that require different security levels)
○ 2.2.1.b > optional testing procedure for virtualization technologies

8 Details – Section 3
 Moderate Impact
○ 3.4 > deleted the note on compensating controls ("may be applicable for most PCI DSS requirements")
○ 3.4.1.c > clarification on encryption of removable media: rendered unreadable through encryption or some other method
○ 3.5 > "any" keys used to secure cardholder data must be secured
○ 3.6.6 > clarification around key management operations ("manual clear-text cryptographic key management operations")
○ 3.6.8 > key custodians' formal acknowledgment (in writing or electronically)
 Significant Impact
○ 3 > introductory paragraph: don't send PANs via end-user messaging technologies (email, IM); how is this enforced?
○ 3.2 > business justification required for storing "sensitive authentication data" (issuers and issuing services only)
○ 3.6.4 > key changes tied to the "defined cryptoperiod" rather than a fixed annual change
○ 3.6.5 > new testing procedures for retired keys

9 Details – Section 4
 Moderate Impact
○ 4.1.c > the protocol "must be implemented" to use only secure configurations (no insecure versions or fallback to cleartext)
 Significant Impact
○ 4.1.1 > 6/30/2010 has passed; no more WEP
○ 4.2 > unprotected PANs must never be sent via end-user messaging technologies (see Section 3)
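The enforcement question raised under Section 3 and repeated in 4.2 (unprotected PANs in email or IM) is normally answered with an outbound content check at the mail or IM gateway. The block below is an added example written for this page, not code from the presentation or from the PCI SSC: it finds 13-19 digit card-number candidates in a message, keeps only those that pass the Luhn check, and reports them masked to first six / last four, the display form 3.3 allows. The candidate regex, the masking helper and the sample messages are the example's own assumptions (the card numbers are published test numbers, not real accounts).

```python
"""Added example (not from the presentation): detect unprotected PANs in
outbound end-user messages (PCI DSS Requirement 3 intro / 4.2) and report
them masked. Regex, masking helper and sample messages are constructed."""
import re

# Candidate: 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run (the lookarounds reject partial matches).
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check that every payment card PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Display form allowed by 3.3: first six and last four digits only."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return the masked PANs found in text. Candidates failing Luhn are
    dropped, which removes most phone numbers, order IDs and timestamps."""
    hits = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(mask_pan(digits))
    return hits


def should_block(message: str) -> bool:
    """Policy decision for a mail/IM gateway: block if any PAN is present."""
    return bool(find_pans(message))


# Constructed sample messages (published test card numbers, not real accounts).
SAMPLES = [
    "Customer card 4111 1111 1111 1111 exp 12/12, please refund",  # PAN present
    "Call me at 614-555-0199 about order 4111111111111112",        # fails Luhn
    "Token 5500-0000-0000-0004 from the POS log",                   # PAN present
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print("BLOCK" if should_block(msg) else "allow", find_pans(msg), "|", msg)
```

Luhn is necessary but not sufficient: a production DLP rule would also check issuer prefix ranges and handle encoded attachments, and the masked value is what belongs in the gateway log, never the full PAN (otherwise the log itself becomes cardholder data storage under 3.4).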

10 Details – Section 5
 Moderate Impact: none
 Significant Impact
○ 5.2 > AV must be generating audit logs, not merely "capable of generating" logs

11 Details – Section 6
 Moderate Impact
○ 6.3.2 > clarified that code review applies to non-web applications as well
○ 6.4.5.a-b > addresses security patches and software modifications; details to include in change documentation
○ 6.4.5.1 > documentation of impact is required
○ 6.5 > broadened to include OWASP, SANS CWE, and CERT
○ 6.5.1-9 > again, OWASP + CWE + CERT
 Significant Impact
○ * 6.2 > evolving requirement: rank vulnerabilities according to risk
○ 6.3.a-d > added types of software applications to be tested (scope); security in "written software development processes"
○ 6.4.5.3.a-b > requires security testing for application changes
○ * 6.5.6 > new requirement covering high-risk vulnerabilities (best practice through 6/30/2012)
(* = the two evolving requirements from the summary slide)

12 Details – Section 7
 Moderate Impact: none
 Significant Impact: none

13 Details – Section 8
 Moderate Impact
○ 8 > POS accounts with access to one card number at a time (aligned with PA-DSS requirement 3.2)
○ 8.3 > clarified the intent of two-factor authentication (something you know, have, are); no clarification here on physical vs. virtual
○ 8.5.3 > password resets (unique value per user, immediate change after first use)
○ 8.5.6.a-b > clarified remote "access" by vendors: disabled by default, enabled only when needed, monitored while in use
○ 8.5.9-13 > password management for "non-consumer users" (service providers only)
 Significant Impact
○ 8.5.2/7/8/13 > allow for authentication mechanisms other than passwords
○ 8.5.16.a-d > restricting direct user queries against databases (application access through its own account; direct queries limited to DBAs), which means a closer review of database configuration

14 Details – Section 9
 Moderate Impact
○ 9.1.3 > restrict physical access to "networking/communications hardware and telecommunications lines"
○ 9.3.1 > visitors are not permitted unescorted physical access to areas that store cardholder data
○ 9.6 > changed "paper and electronic media" to "all media" (computers, removable electronic media, paper receipts, paper reports, faxes, etc.)
 Significant Impact
○ 9.7.1 > intent is to determine the sensitivity of data on media ("verify that all media is classified...")

15 Details – Section 10
 Moderate Impact
○ 10.4.2 > changes to time settings are authorized
○ 10.4.3 > time is received from industry-accepted sources
 Significant Impact
○ 10.7.b > processes to "immediately restore" log data (vs. "immediately available")

16 Details – Section 11
 Moderate Impact: none
 Significant Impact
○ 11.1 > "detect unauthorized wireless access points on a quarterly basis" (vs. real-time)
○ 11.1.a-e > detect and alert on unauthorized wireless access points
○ 11.2.1-3 > internal and external scans are verified: quarterly external scans by an ASV, internal scans by qualified personnel (no ASV required)
○ 11.2.1.a-c > internal scans must be repeated until all "high" vulnerabilities (as ranked under 6.2) are resolved
○ 11.2.2.a-b > reference to the ASV Program Guide requirements
○ 11.2.3.a-c > scans after significant changes: keep scanning until high vulnerabilities are resolved
○ 11.3.2 > application-layer penetration testing must cover all in-scope application types (see 6.5)
○ 11.4 > IDS/IPS at the perimeter and at critical points inside the CDE
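The 6.2 risk ranking in Section 6 and the "rescan until no highs remain" loop of 11.2.1 / 11.2.3 above are two halves of one process: the ranking decides what counts as "high", and the rescan decision consumes it. The block below is an added example written for this page, not the presentation's or the PCI SSC's code. It assumes a ranking rule (CVSS band, raised one level for CDE exposure or a public exploit; 6.2 lets the organization define its own), assumed finding fields, and constructed sample findings that are not real scan output.

```python
"""Added example (not from the presentation): rank scan findings by risk
(PCI DSS 6.2) and decide whether the 11.2.1 / 11.2.3 internal rescan loop
is finished. Field names, sample data and the ranking rule are assumptions."""
from dataclasses import dataclass


@dataclass
class Finding:
    host: str
    plugin: str
    cvss: float            # CVSS base score, 0.0 to 10.0
    in_cde: bool           # host stores, processes or transmits cardholder data
    exploit_public: bool   # working exploit code is publicly available


LEVELS = ("Low", "Medium", "High")


def rank(f: Finding) -> str:
    """Assumed ranking rule: CVSS band (<4 Low, 4-6.9 Medium, >=7 High),
    raised one level when the host is in the CDE or an exploit is public.
    A finding is never ranked below its CVSS band."""
    if f.cvss >= 7.0:
        level = 2
    elif f.cvss >= 4.0:
        level = 1
    else:
        level = 0
    if f.in_cde or f.exploit_public:
        level = min(level + 1, 2)
    return LEVELS[level]


def rescan_required(findings) -> bool:
    """11.2.1 / 11.2.3: repeat internal scans until no High finding remains."""
    return any(rank(f) == "High" for f in findings)


def remediation_order(findings):
    """Work list: High first, then Medium, then Low; ties broken by CVSS."""
    return sorted(findings, key=lambda f: (-LEVELS.index(rank(f)), -f.cvss))


def summarize(findings) -> dict:
    """Count of findings per rank, for the scan report."""
    counts = {name: 0 for name in LEVELS}
    for f in findings:
        counts[rank(f)] += 1
    return counts


# Constructed sample findings (not real scan output).
SAMPLE = [
    Finding("10.1.1.5", "ssh-weak-cipher", 4.3, in_cde=True, exploit_public=False),
    Finding("10.1.2.9", "apache-outdated", 7.5, in_cde=False, exploit_public=False),
    Finding("10.2.0.3", "smb-no-signing", 2.1, in_cde=False, exploit_public=True),
    Finding("10.2.0.4", "icmp-timestamp", 2.1, in_cde=False, exploit_public=False),
]

if __name__ == "__main__":
    for f in remediation_order(SAMPLE):
        print(rank(f), f.host, f.plugin, f.cvss)
    print("rescan required:", rescan_required(SAMPLE), summarize(SAMPLE))
```

Note that the "no highs" threshold is the internal-scan rule; external scans under 11.2.2 use the ASV Program Guide's own pass criteria (CVSS 4.0 and above fails), so the same findings can pass internally and still fail the ASV scan.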

17 Details – Section 12
 Moderate Impact
○ 12.1.3 > replaced "once a year" with "annually"
○ 12.3 > added "tablet" to the example technologies
○ 12.3.10.a-b > flexibility to limit prohibitions to "personnel without authorization"
○ 12.7 > screening of "potential personnel to be hired for certain positions" (a recommendation only for personnel who can access one card number at a time, such as cashiers)
 Significant Impact
○ 12.1.2 > testing should verify the risk assessment documentation
○ 12.8.4 > monitor service providers' PCI DSS compliance status at least annually
○ 12.9.3 > designated personnel should be available 24/7 for incident response

18 Details – Appendices
 Moderate Impact
○ Appendix E is now "Attestation of Compliance – Service Providers" (options for listing services not covered by the PCI DSS assessment)
○ Appendix D > Segmentation and Sampling of Business Facilities / System Components (was Appendix F; aligns with the new introduction)
 Significant Impact: none

19 Observations
 Perception: revised vs. new
 Should vs. Must: 27 vs. 77
 Effective Date
 Risk-Based
 New Technologies: wireless, virtualization, encryption (future-state)
 Better Log Management
 Opportunities: fresh document; auditors can help Operations achieve compliance; budget

20 Questions?
Jerod Brennen
http://twitter.com/slandail
http://www.linkedin.com/in/jerodbrennen
