PCI 3.0 – What You Need to Know
Carlos Alberto Villalba Franco, Director of Security, [email protected] (x 21), Scottsdale, Arizona
Agenda
Part I – PCI overview
Part II – What’s new in PCI DSS 3.0
Part III – Q&A
A PRIMER ON PCI DSS
The Payment Card Industry (PCI)
American Express, Discover, JCB, MasterCard, and Visa created the PCI Security Standards Council (PCI SSC). The PCI SSC has created a number of security and certification standards for:
– Merchants
– Financial institutions
– Hardware/software vendors
– Service professionals
Data Security Standard (DSS)
The PCI Data Security Standard (PCI DSS) is in its second version; the third version was made available in November 2013.
It applies to any entity that stores, processes, or transmits cardholder data (CHD). Entities that process or store many card transactions each year (e.g. over 6 million) must undergo an annual audit by a Qualified Security Assessor (QSA).
Twelve requirements.
The 12 domains of PCI DSS 2.0
WHAT’S NEW IN 3.0
Important dates
– Release: PCI DSS 3.0 released in November 2013
– Ready/Transition: 2014 is a transition year; PCI DSS 2.0 remains valid throughout 2014
– Effective: PCI DSS 3.0 becomes mandatory on January 1, 2015
– Retirement: PCI DSS 3.0 to be retired December 31, 2017
Version 3
Beginning with version 2, the PCI Council established a three-year cycle for new versions.
What did they want to fix?
– Divergent interpretations of the standard
– Weak or default passwords
– Slow detection of compromise
– Security problems introduced by third parties, and various other areas
– Inconsistency in assessments
Highlights
Descriptions of tests are more precise
More rigor in determining scope of assessment
More guidance on log reviews
Some sub-requirements added
The twelve domains remain
More rigorous penetration testing
Eschew Ambiguity
– There is too much variance in interpretation among QSAs: clients get different interpretations, and the PCI Council’s quality-control program sees too much variance in Reports on Compliance (ROCs).
– The goal is to remove ambiguities in the specification that result in inconsistent interpretations of a requirement.
– The challenge is to improve the clarity of each requirement and the specificity of its tests without being so prescriptive that it excludes methods and technology that also meet the goal of the requirement.
– There is a natural tension between stating a requirement precisely enough to prevent divergent interpretations and leaving the language loose enough for that requirement to be satisfied by a variety of methods and technology.
Guidance for each requirement
A Penetration Test Methodology
Based on industry-accepted approaches, e.g. NIST SP 800-115. New requirement 11.3:
– Test the entire perimeter of the CDE and all critical systems
– Validate all scope-reduction controls (segmentation)
– Test from inside and from outside the network
– Test network-function components and operating systems
– As a minimum, perform application tests for the vulnerabilities listed in Requirement 6.5
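The segmentation item above is the one most often reduced to "we have a firewall". What the assessor actually wants is evidence that nothing in the CDE answers a scan launched from an out-of-scope segment. The following is an added example, not code from the presentation: it parses nmap greppable (-oG) output from such a scan and flags every CDE host/port that is anything other than filtered. The CDE inventory and the scan output are constructed for illustration (the scan command in the comment is the assumed origin of the file).

```python
"""Segmentation validation for a PCI pen test: read an nmap -oG file produced
from an out-of-scope segment and report any reachable CDE host/port.
Added example; the inventory and scan output below are constructed."""
import re

# Constructed CDE inventory (assumed to come from the entity's PCI scope document).
CDE_HOSTS = {"10.20.0.10", "10.20.0.11", "10.20.0.12"}

# Constructed nmap greppable output, as if produced on the out-of-scope segment by:
#   nmap -sS -Pn -p- -oG seg.gnmap 10.20.0.0/24
# A host with no "Ports:" field had every port in the ignored (filtered) state.
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated Tue Mar  4 10:00:00 2014 as: nmap -sS -Pn -p- -oG seg.gnmap 10.20.0.0/24
Host: 10.20.0.10 ()\tStatus: Up
Host: 10.20.0.11 ()\tStatus: Up
Host: 10.20.0.11 ()\tPorts: 1433/open/tcp//ms-sql-s///, 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (65533)
Host: 10.20.0.12 ()\tStatus: Up
Host: 10.20.0.12 ()\tPorts: 80/closed/tcp//http///\tIgnored State: filtered (65534)
# Nmap done at Tue Mar  4 10:41:12 2014 -- 256 IP addresses (3 hosts up) scanned
"""

# Each -oG port entry is port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/,]*)///")


def parse_gnmap(text):
    """Return {host: [(port, state, proto, service), ...]} for hosts with a Ports field."""
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\tIgnored State:", 1)[0]
        results.setdefault(host, [])
        for port, state, proto, service in PORT_RE.findall(ports_field):
            results[host].append((int(port), state, proto, service))
    return results


def segmentation_findings(scan, cde_hosts):
    """A segmentation control passes only if no CDE port answers at all.
    'closed' is a failure too: the RST proves the probe reached the host, so the
    filter is not blocking traffic; the service just happens to be down."""
    findings = []
    for host, ports in scan.items():
        if host not in cde_hosts:
            continue
        for port, state, proto, service in ports:
            if state != "filtered":
                findings.append({"host": host, "port": port, "proto": proto,
                                 "state": state, "service": service})
    return sorted(findings, key=lambda f: (f["host"], f["port"]))


if __name__ == "__main__":
    for f in segmentation_findings(parse_gnmap(SAMPLE_GNMAP), CDE_HOSTS):
        print(f"SEGMENTATION FAILURE: {f['host']}:{f['port']}/{f['proto']} "
              f"is {f['state']} ({f['service']}) from the out-of-scope segment")
```

Run it against a real -oG file by replacing SAMPLE_GNMAP with the file contents; repeat the scan from every segment claimed to be out of scope, since one clean segment says nothing about the others.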
Updated Vulnerabilities
Programmers of internally developed and bespoke applications must be trained to avoid known vulnerabilities. The Requirement 6.5 list was expanded to include:
– coding practices to protect against broken authentication and session management
– coding practices to document how PAN (primary account number) and SAD (sensitive authentication data) are handled in memory
• Combating memory scraping is a good idea for PA-DSS
• This was a bit contentious for PCI DSS
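Both new 6.5 items are easier to teach with code than with a bullet. The following is an added example, not from the presentation: a deliberately weak session store next to a hardened one (fresh unguessable ID on login, the pre-login ID discarded, idle timeout, constant-time lookup), and a PAN held in a mutable buffer that is masked for display and zeroed in the same code path. The idle timeout value is the 15 minutes from PCI DSS 8.1.8; the user names, session IDs and card number are constructed test data.

```python
"""Added example for the two Requirement 6.5 coding practices named above:
session management (weak vs. hardened) and PAN handling in memory.
Illustration code; the user names, session IDs and card number are constructed."""
import hmac
import secrets
import time


class WeakSessionStore:
    """Anti-pattern: sequential, guessable IDs, a caller-supplied ID is honoured
    (session fixation), and sessions never expire."""

    def __init__(self):
        self._next = 1000
        self._sessions = {}

    def login(self, user, sid=None):
        if sid is None:
            sid = str(self._next)
            self._next += 1
        self._sessions[sid] = user
        return sid

    def user_for(self, sid):
        return self._sessions.get(sid)


class HardenedSessionStore:
    """Fresh unguessable ID on every authentication, any pre-login ID discarded,
    idle timeout enforced (PCI DSS 8.1.8: 15 minutes), constant-time lookup."""

    IDLE_TIMEOUT = 15 * 60

    def __init__(self, clock=time.time):
        self._sessions = {}          # sid -> (user, last_seen)
        self._clock = clock          # injectable so expiry can be tested

    def login(self, user, old_sid=None):
        if old_sid is not None:
            self._sessions.pop(old_sid, None)   # never promote a pre-auth ID
        sid = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        self._sessions[sid] = (user, self._clock())
        return sid

    def user_for(self, sid):
        match = None
        for known in self._sessions:             # compare_digest: no early exit on mismatch
            if hmac.compare_digest(known.encode("utf-8"), sid.encode("utf-8")):
                match = known
        if match is None:
            return None
        user, last_seen = self._sessions[match]
        now = self._clock()
        if now - last_seen > self.IDLE_TIMEOUT:
            del self._sessions[match]            # expired: force re-authentication
            return None
        self._sessions[match] = (user, now)
        return user

    def logout(self, sid):
        self._sessions.pop(sid, None)


def mask_pan(pan: bytearray) -> str:
    """Display form per PCI DSS 3.3 (at most first six and last four digits).
    Built digit by digit so the full PAN is never copied into an immutable str,
    which could not be wiped afterwards."""
    keep = set(range(6)) | set(range(len(pan) - 4, len(pan)))
    return "".join(chr(b) if i in keep else "*" for i, b in enumerate(pan))


def wipe(buf: bytearray) -> None:
    """Overwrite the buffer in place. Best effort in a managed runtime: CPython may
    hold copies made before this point, so keep the PAN's lifetime as short as possible."""
    buf[:] = bytes(len(buf))


def process_card(pan: bytearray) -> str:
    """Use the PAN, then zero it in the same code path so a memory scraper reading
    the process later finds only the masked form."""
    try:
        return mask_pan(pan)
    finally:
        wipe(pan)
```

In a real service the hardened store would sit behind a cookie marked Secure and HttpOnly; the point here is the server-side discipline, which no cookie flag can substitute for.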
Authentication
The requirement text now recognizes authentication methods other than passwords/passphrases, e.g. certificates; the generic term is “authentication credentials”.
The minimum password length is still 7 characters. “Alternatively, the passwords/phrases must have complexity and strength at least equivalent to the parameters specified above.”
A service provider must use a different password for each of its clients.
Educate users.
Default Passwords
Default passwords:
– Change those being used
– Change and disable those not being used
Change all the default passwords, including those on:
– systems
– applications
– security software
– terminals
Quicker detection of compromise
Deploy a change-detection mechanism to alert personnel to unauthorized modification of critical system files, configuration files, or content files, and configure the software to perform critical file comparisons at least weekly.
New requirement 11.5.1 mandates the implementation of a process to respond to any alerts generated by that mechanism.
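Requirement 11.5 is the mechanism and 11.5.1 is the process; most gaps found in assessments are in the second half, where alerts fire and nobody decides what they mean. The following is an added example, not the presentation's code: a hash baseline of a file tree, the comparison run, and a triage step that routes every alert either to an approved change record or to an incident. The file tree, its contents and the change record are constructed in a temporary directory.

```python
"""Added example of the Requirement 11.5 change-detection mechanism and the
11.5.1 response process. Not the presentation's code; the file tree and the
approved change record are constructed in a temporary directory."""
import hashlib
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """relative path -> (sha256, permission bits) for every regular file under root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            baseline[rel] = (sha256_file(full), os.stat(full).st_mode & 0o777)
    return baseline


def compare(baseline, current):
    """The (at least weekly) comparison: one alert per added, removed, modified
    or re-permissioned file. Sorted so two runs can be diffed."""
    alerts = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            alerts.append(("REMOVED", rel))
        elif rel not in baseline:
            alerts.append(("ADDED", rel))
        elif baseline[rel][0] != current[rel][0]:
            alerts.append(("MODIFIED", rel))
        elif baseline[rel][1] != current[rel][1]:
            alerts.append(("PERMS_CHANGED", rel))
    return alerts


def respond(alerts, approved_changes):
    """The 11.5.1 process: no alert is left undecided. A change with a matching
    approved change record is accepted (the baseline should then be re-taken);
    everything else is raised as an incident."""
    triage = {"accepted": [], "incident": []}
    for kind, rel in alerts:
        bucket = "accepted" if rel in approved_changes else "incident"
        triage[bucket].append((kind, rel))
    return triage


def demo():
    """Simulate one comparison interval on a constructed tree."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        conf = os.path.join(etc, "app.conf")
        binary = os.path.join(root, "pos.bin")
        with open(conf, "w") as f:
            f.write("db_host=10.20.0.11\n")
        with open(binary, "wb") as f:
            f.write(b"\x7fELF-original")
        baseline = build_baseline(root)

        # Events between two comparisons: one ticketed config change, two nobody approved.
        with open(conf, "a") as f:
            f.write("log_level=info\n")
        with open(binary, "wb") as f:
            f.write(b"\x7fELF-patched")
        with open(os.path.join(root, "dump.dll"), "wb") as f:
            f.write(b"MZ")

        alerts = compare(baseline, build_baseline(root))
        return respond(alerts, approved_changes={os.path.relpath(conf, root)})


if __name__ == "__main__":
    for bucket, items in demo().items():
        for kind, rel in items:
            print(f"{bucket.upper():8} {kind:14} {rel}")
```

Two things matter operationally: the baseline must be stored somewhere the monitored host cannot rewrite it, and "accepted" must mean a change record that existed before the alert, not one written afterwards to make the alert go away.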
Manage Service Providers
New requirement 12.8.5 mandates documenting which DSS requirements are managed by the third party.
New requirement 12.9 mandates that third parties acknowledge in writing that they will comply with the DSS to protect the CHD entrusted to them or, if managing some aspect of the CDE, state that they will comply with the DSS in performing that management.
Et cetera
– Must have a data flow diagram.
– Maintain an inventory of all systems in scope.
– Monitor new threats to systems not normally susceptible to malware.
– Control onsite staff’s access to sensitive areas.
– Establish incident response procedures to handle detection of unauthorized wireless.
– Separate security functions from operations.
More acronyms
BTW VCD END: by the way, “Vayan con Dios” (go with God), the end.
Questions?
Carlos A. Villalba, Director of Security, [email protected] (x 21)