
Slide 1: Walter Conway, QSA, 403 Labs, LLC
Sneak Preview: What to Expect from PCI DSS v. 2.0
- Changes
- Clarifications
- Guidance

University of Wisconsin Lockdown 2010 | Walter Conway, QSA | 403 Labs, LLC | © 2010

Slide 2: Agenda
- PCI DSS in context
- New PCI version in October: "fine tuning"
  - Lifecycle
  - Cardholder data discovery
  - Clarifications
  - SAQ revisions
  - Emerging technology guidance
- What this means for you

Slide 3: 403 Labs, LLC
- Information security consulting firm
- Payment Card Industry:
  - Qualified Security Assessor (QSA)
  - Payment Application QSA (PA-QSA)
  - Approved Scanning Vendor (ASV)
- Work with service providers and merchants of all sizes

Slide 4: PCI DSS: 6 Goals, 12 Requirements

Slide 5: Some PCI DSS Basics
- Payment Card Industry Data Security Standard
- Goal is to protect cardholder data
  - And to keep you out of the headlines
- If you take plastic, PCI applies to you
  - "Store, process, or transmit" cardholder data
- The whole of PCI DSS applies to all merchants
- New PCI release due October 2010
  - Reflects latest attack vectors, technology, practices
- PCI does not make you secure

Slide 6: Some PCI DSS Basics (cont.)
- Each card brand has its own security program
  - Merchant levels
  - Validation (e.g., MasterCard's new rules)
  - Penalties, fees
- Safe harbor: can it exist?
- Compliance
  - People, process, technology
  - No "silver bullet"

Slide 7: PCI DSS v. 2.0 – Lifecycle
- 3-year lifecycle
  - Announced in June
  - Consistency: PCI DSS, PA-DSS, PCI PTS
  - Interim versions for errata, new threats
  - FAQ, supplements to continue
- Benefits
  - Fewer new requirements
  - More time for implementation and feedback
  - Version 1.2 sunset December 2011

Slide 8: PCI DSS v. 2.0 – Lifecycle

Slide 9: PCI DSS v. 2.0 – Data Discovery
- Cardholder data discovery "methodology"
- Find all your electronic cardholder data
- "Data leakage"
- Data breaches and "unknown unknowns"

Slide 10: PCI DSS v. 2.0 – Hashing
- Hashing
- Produces unique fixed-length output for each unique input
- Hash functions are not keyed/reversible
- Hash may include a "salt"

Slide 11: PCI DSS v. 2.0 – Segmentation
- Network segmentation is not required, but recommended
- Isolate systems that "store, process, or transmit" CHD
- Limit PCI scope

Slide 12: PCI DSS v. 2.0 – SAQs
- Goal is to remove ambiguities
- Expect minor but critical changes clarifying who can use them
- Will we see new SAQ(s)?

Slide 13: PCI DSS v. 2.0 – Guidance
- Emerging technologies
- Virtualization
- Tokenization
- End-to-end encryption
- EMV standard (chip cards)
- PCI Council guidance for compliance
- Impact on PCI
- Map to PCI requirements

Slide 14: PCI DSS v. 2.0 – Tokenization
- A data security technology in which strings of random characters called tokens can be used in lieu of other, more valuable data, such as PANs
- Vendor and in-house solutions
- Tokenization can reduce (not eliminate) PCI scope
  - Everything depends on implementation
[Diagram: Plaintext 4123 4567 8901 2345 -> Tokenization Engine -> Ciphertext 8894 7296 6294 0598; Secure Repository]

Slide 15: PCI DSS v. 2.0 – End-to-End Encryption
- Encryption: a cryptographic process for disguising data by applying a series of complex mathematical operations to data to render it unreadable to anyone without the proper decryption key
- Encryption is a keyed, reversible function
- Security depends on the key
  - A big number that, if compromised, bye-bye security
- Encrypted data are still in PCI scope
[Diagram: Plaintext 4123 4567 8901 2345 -> Encryption with Key 7693398720684553 -> Ciphertext 8894 7296 6294 0598]

Slide 16: PCI DSS v. 2.0 – End-to-End Encryption
- Really "point-to-point"
- End-to-end encryption
  - PAN encrypted from POS terminal all the way through the payment processing cycle
  - CHD always stored and transmitted as ciphertext
  - Critical element: merchant cannot decrypt
- For more information
  - PCI Council guidance documents, FAQ
  - Visa's best practices for data field encryption

Slide 17: PANs, Hashes, Encryption, Tokens

Representation                                                              Example value
PAN (card number)                                                           5647 8377 8388 2299
Truncated PAN                                                               5647 83XX XXXX 2299
Hashed PAN (renders PAN unreadable; one way)                                2fd4e1c6 7a2d28fc
Encrypted PAN (more characters than the PAN and structurally different)     9Ojr73h3d^&hh#&HFH&##ED*HD#*
Format-preserving encryption (structurally similar to the PAN)              8734 6392 8581 9284
Token (like the PAN in length and character type, but randomly derived)     9483 7266 3928 9819
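The rows of this table behave very differently once a system has to use the stored value, and the hashing slide's "hash may include a salt" bullet hides a caveat worth seeing in code. The example below is added here and is not code from the presentation or from 403 Labs; it implements three of the table's methods in Python: truncation, the salted one-way hash the slides describe, and tokenization with a small in-memory vault standing in for the "secure repository". It also adds a keyed hash (HMAC-SHA-256) beside the salted one, because a PAN's digit space is small enough that a hash whose salt is known can be undone by enumeration, whereas a secret key kept outside the data store cannot. The salt value and the in-memory vault are constructed for the example; the PAN is the slide's own sample.

```python
import hashlib
import hmac
import secrets


def digits_only(pan: str) -> str:
    """Strip the display separators so every method works on the raw digits."""
    return pan.replace(" ", "").replace("-", "")


def group4(digits: str) -> str:
    """Display helper: '5647837783882299' -> '5647 8377 8388 2299'."""
    return " ".join(digits[i:i + 4] for i in range(0, len(digits), 4))


def truncate_pan(pan: str) -> str:
    """Truncation: keep at most the first six and last four digits.
    Irreversible; the full PAN is gone, which is why it leaves PCI scope."""
    d = digits_only(pan)
    return group4(d[:6] + "X" * (len(d) - 10) + d[-4:])


def hash_pan(pan: str, salt: bytes) -> str:
    """Salted SHA-256, the construction the hashing slide describes: one way,
    fixed length, same PAN + same salt -> same digest, so it still serves as
    a lookup key for matching transactions."""
    return hashlib.sha256(salt + digits_only(pan).encode()).hexdigest()


def keyed_hash_pan(pan: str, key: bytes) -> str:
    """HMAC-SHA-256 with a secret key. Unlike a salt, the key is never stored
    beside the hashes, so someone holding the table cannot test candidate PANs."""
    return hmac.new(key, digits_only(pan).encode(), hashlib.sha256).hexdigest()


class TokenVault:
    """Toy tokenization engine plus secure repository, in memory only. A real
    vault is a hardened, access-controlled system that is itself in PCI scope."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Return a random token of the same length and character type as the PAN.
        The same PAN always maps to the same token, so downstream systems can
        match repeat transactions without ever handling the PAN."""
        d = digits_only(pan)
        if d in self._token_by_pan:
            return self._token_by_pan[d]
        while True:
            token = "".join(str(secrets.randbelow(10)) for _ in range(len(d)))
            # reject collisions with existing tokens and the token equal to the PAN
            if token != d and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = d
        self._token_by_pan[d] = token
        return token

    def detokenize(self, token: str) -> str:
        """Privileged operation: only the vault can map a token back to its PAN."""
        return self._pan_by_token[token]


if __name__ == "__main__":
    pan = "5647 8377 8388 2299"          # the slide's sample PAN
    salt = b"constructed-salt-value"     # constructed; a real salt is random per deployment
    key = secrets.token_bytes(32)        # secret key, managed like an encryption key
    vault = TokenVault()
    print("PAN         ", pan)
    print("Truncated   ", truncate_pan(pan))
    print("Salted hash ", hash_pan(pan, salt)[:16], "...")
    print("Keyed hash  ", keyed_hash_pan(pan, key)[:16], "...")
    token = vault.tokenize(pan)
    print("Token       ", group4(token))
    print("Detokenized ", group4(vault.detokenize(token)))
```

Two design points follow from the table. First, storing a truncated PAN next to a salted hash of the same PAN leaves only the six middle digits unknown, roughly a hundred thousand Luhn-valid candidates per record, so the salt alone does not protect the hash column; the keyed variant, with the key held outside the database, is the defence. Second, the token is random rather than derived from the PAN, which is what lets tokenization reduce scope: the only path back to the PAN is the vault, so everything outside the vault that handles tokens never touches CHD, exactly as the tokenization slide's "everything depends on implementation" bullet warns.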

Slide 18: PCI DSS v. 2.0 – Emerging Technologies
- Encryption, tokenization are still maturing
  - May not work with all applications, systems
  - Standards?
  - Lots of marketing hype
- Encryption security depends on protecting the key
- Look for guidance from PCI Council
  - Don't expect specifics on implementation
- Read Visa's best practices document
- As of today, only truncation and hashing remove CHD from scope

Slide 19: PCI DSS v. 2.0 – Get Smart
- PCI Council FAQ
- PCI Council courses
- Standards training
- Independent Security Assessor (ISA)
- Other PCI training options

Slide 20: PCI DSS v. 2.0 – Conclusions
- Expect refinements, not major changes
- 3-year lifecycle for each standard
- Find your CHD... all of it!
- Revised SAQs should help
- Guidance on emerging technologies
- Announcements, webinars over the summer
- DSS v. 2.0 not unveiled until September?

Slide 21: What to Expect from PCI DSS v. 2.0
- Questions? Comments? Thoughts?
- Thank you! wconway@403labs.com
- See my PCI column at StorefrontBacktalk.com
- Higher Ed PCI blog: treasuryinstitutepcidss.blogspot.com

