Thoughts on PCI DSS 3.0 (ISACA presentation)
D. Timothy Hartzell, CISSP, CISM, QSA, PA-QSA, Associate Director
© 2013 Protiviti Inc. CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.
Agenda
1. Global Payment Card Statistics and Trends
2. PCI DSS Overview
3. PCI DSS Version 3.0: Important Timelines
4. PCI DSS Version 3.0: Changes
5. Next Steps & Questions
Global Payment Card Statistics
• Issuers, merchants, and acquirers of credit, debit, and prepaid general purpose and private label payment cards worldwide experienced gross fraud losses of $11.27 billion in 2012, up 14.6% over the prior year, according to The Nilson Report, a leading payment industry newsletter. Of that $11.27 billion, card issuers lost 63% and merchants and acquirers lost the other 37%.
• Fraud as percentage of total volume was lowest for PIN-based debit networks worldwide at 1.10¢ per $100 in total volume. The global brand cards —Visa, MasterCard, American Express, UnionPay, Diners Club, and JCB — averaged fraud losses of 6.13¢ for every $100 in total volume.
• Card issuer losses occur mainly at the point of sale from counterfeit cards. Issuers bear the fraud loss if they give merchants authorization to accept the payment.
• Merchant and acquirer losses occur mainly on card-not-present (CNP) transactions on the Web, at a call center, or through mail order because issuers can chargeback fraudulent transactions.
Source: http://www.nilsonreport.com/publication_chart_and_graphs_archive.php
Need for the Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS Overview
About PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that store, process or transmit credit card information maintain a secure environment.
The PCI DSS is administered and managed by the PCI Security Standards Council (SSC), an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB).
PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accept, transmit or store any cardholder data. Said another way, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply.
Source: http://www.pcicomplianceguide.org/pcifaqs.php#2
[Chart: U.S. Purchase Volume - Consumer vs. Commercial Cards]
PCI DSS Version 3.0 Aims and Objectives
Earlier this year, the PCI Security Standards Council (PCI SSC) announced the release of a new version of the PCI Data Security Standard (PCI DSS), Version 3.0. The new version aims to do three things:
• Address emerging and evolving threats to cardholder data security by clarifying existing requirements;
• Provide additional guidance on how to comply with the standard;
• Introduce new requirements to bring the standard in line with emerging threats and changes in the market.
Source: INFORMATION TECHNOLOGY FLASH REPORT-Understanding PCI DSS Version 3.0 – Key Changes and New Requirements
PCI DSS Version 3.0: Important Timelines
• Sep 2013 – The detailed Summary of Changes and draft versions of the Standards were shared with Participating Organizations and the assessment community.
• Sep 24-26, 2013 – Discussion at the North American Community Meeting in Las Vegas.
• Nov 2013 – Introduction of PCI DSS Version 3.0.
• Jan 1, 2014 – Effective date of version 3.0 of the Standard.
• Dec 31, 2014 – Version 2.0 will sunset; only version 3.0 will be valid for validations in 2015.
• June 30, 2015 – Some of the sub-requirements for the 12 core security areas will remain best practices until this date.
Recognizing that additional time may be necessary to implement some of these sub-requirements, the Council has given companies that process payment cards a full year to comply with the new standard. During 2014, both version 2.0 and version 3.0 are available and companies can validate to either version.
Source: Data Security Standard and Payment Application Data Security Standard: Version 3.0 Change Highlights
PCI DSS Version 3.0: Changes Overview
The new standard, Version 3.0, has brought with it policy and procedural changes that will impact the security of the entire electronic payment ecosystem.
The core 12 security areas remain the same, but the updates include several new sub-requirements that did not exist previously.
The updated standards will help organizations not by making the requirements more prescriptive, but by adding more flexibility and guidance for integrating card security into their business-as-usual activities.
The changes will provide increased stringency for validating that these controls have been implemented properly, with more rigorous and specific testing procedures that clarify the level of validation the assessor is expected to perform.
Overall, the changes are designed to give organizations a strong but flexible security architecture with principles that can be applied to their unique technology, payment, and business environments.
Source: Data Security Standard and Payment Application Data Security Standard: Version 3.0 Change Highlights
PCI DSS Version 3.0: Change Drivers
Common challenge areas and drivers for change include:
1. Lack of education and awareness around payment security
2. Weak passwords, authentication
3. Third-party security challenges
4. Slow self-detection, malware
5. Inconsistency in assessments
Source: Data Security Standard and Payment Application Data Security Standard: Version 3.0 Change Highlights
Updated Versions Of PCI DSS: Focus Areas
Provide stronger focus on some of the greater risk areas in the threat environment
Provide increased clarity on PCI DSS requirements
Build greater understanding on the intent of the requirements and how to apply them
Improve flexibility for all entities implementing, assessing, and building to the standard
Drive more consistency among assessors
Help manage evolving risks / threats
Align with changes in industry best practices
Clarify scoping and reporting
Eliminate redundant sub-requirements and consolidate documentation
Source: https://www.pcisecuritystandards.org/documents/DSS_and_PA-DSS_Change_Highlights.pdf
PCI DSS 3.0 Compliance Changes
The 5 New Requirements
Version 3.0 of the PCI DSS includes five new requirements that are to be considered best practices until they officially become compliance requirements in mid-2015.
• 8.5.1 – Unique authentication credentials for service providers with access to customer environments
• 6.5.10 – Broken authentication and session management
• 12.9 – Additional requirement for service providers on data security
• 11.3 – Developing and implementing a methodology for penetration testing
• 9.9 – Protection of point-of-sale (POS) devices from tampering
Source: http://www.tripwire.com/state-of-security/regulatory-compliance/will-pci-dss-v3-0-affects-organization/
PCI DSS Version 3.0: Most Notable Changes (1/3)
A Higher Bar to Achieve “Segmentation”
• Specifically, scoping has been clarified to indicate that system components include, “Any component or device located within or connected to the [cardholder data environment].”
• The new language also states that the “PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment.”
• Additionally, a new requirement has been added requiring that if segmentation is used, “penetration testing procedures are designed to test all segmentation methods to confirm they are operational and effective, and isolate all out-of-scope systems from in-scope systems.”
• As further clarity, the standard states that, “To be considered out of scope for PCI DSS, a system component must be properly isolated (segmented) from the CDE such that even if the out-of-scope system component was compromised it could not impact the security of the CDE.”
• The additional focus on connected systems likely expands (potentially greatly) the number of systems considered in-scope for many organizations. For example, in most networks using Windows Active Directory security, a compromise of systems outside the CDE could impact the CDE, and those systems could then be considered in-scope for the PCI assessment.
Source: INFORMATION TECHNOLOGY FLASH REPORT-Understanding PCI DSS Version 3.0 – Key Changes and New Requirements
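The scoping language above makes "connected to the CDE" the test for whether a system is in scope. The script below is an added example, not part of the Protiviti deck or of any PCI SSC document, of a first-pass defender-side check of that property: it reads a firewall rule set and flags every allow rule whose source overlaps a network declared out of scope and whose destination overlaps the CDE. The network ranges, the rule entries and the simplified rule tuple format are all constructed for illustration. A rule-level check is only one input to the segmentation test the standard asks for; routing, VLAN configuration, jump hosts and shared identity services such as Active Directory are paths it cannot see and still have to be reviewed.

```python
# Added example: rule-level check that networks declared "out of scope" cannot
# reach the cardholder data environment (CDE). Not from the Protiviti deck;
# all addresses and rules below are constructed for illustration.
import ipaddress

# Constructed segments (assumed layout, not a real environment)
CDE_NETS = [ipaddress.ip_network("10.10.0.0/24")]            # cardholder data environment
OUT_OF_SCOPE_NETS = [ipaddress.ip_network("10.50.0.0/16")]   # declared out of scope (e.g. corporate LAN)

# Constructed rule set in a simplified (src, dst, proto, port, action) form.
RULES = [
    ("10.20.0.0/24", "10.10.0.0/24", "tcp", 443,  "allow"),  # connected-to segment -> CDE (in scope, expected)
    ("10.50.3.0/24", "10.10.0.5/32", "tcp", 3389, "allow"),  # out-of-scope -> CDE host: isolation broken
    ("0.0.0.0/0",    "10.10.0.0/24", "tcp", 22,   "deny"),
    ("10.50.0.0/16", "10.10.0.0/24", "any", 0,    "allow"),  # broad out-of-scope -> CDE: isolation broken
    ("10.10.0.0/24", "10.50.0.0/16", "tcp", 514,  "allow"),  # CDE -> out-of-scope (outbound; reviewed separately)
]


def _overlaps(cidr, nets):
    """True if the CIDR shares any address with one of the given networks."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.overlaps(n) for n in nets)


def find_segmentation_violations(rules, cde_nets, out_of_scope_nets):
    """Return the allow rules that let an out-of-scope source reach the CDE.

    Any hit means the source network is in fact "connected to" the CDE and is
    therefore in scope under PCI DSS 3.0 unless the rule is removed. The check
    is deliberately conservative: it ignores rule ordering, so an allow rule
    shadowed by an earlier deny is still reported as a hygiene finding.
    """
    findings = []
    for idx, (src, dst, proto, port, action) in enumerate(rules):
        if action != "allow":
            continue
        if _overlaps(src, out_of_scope_nets) and _overlaps(dst, cde_nets):
            findings.append({"rule": idx, "src": src, "dst": dst,
                             "proto": proto, "port": port})
    return findings


def connected_sources(rules, cde_nets):
    """Every distinct source CIDR with an allow rule into the CDE: the candidate
    'connected-to' population an assessor will treat as in scope."""
    return sorted({src for src, dst, _, _, action in rules
                   if action == "allow" and _overlaps(dst, cde_nets)})


if __name__ == "__main__":
    for f in find_segmentation_violations(RULES, CDE_NETS, OUT_OF_SCOPE_NETS):
        print("out-of-scope source reaches CDE:", f)
    print("sources connected to the CDE:", connected_sources(RULES, CDE_NETS))
```

Run against the constructed rule set it reports rules 1 and 3; rule 0 is expected (a connected-to segment that is already in scope) and rule 4 is outbound from the CDE, which the standard treats as a separate question. The second function is the list you would hand to the scoping discussion: anything on it is in scope until proven isolated.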
PCI DSS Version 3.0: Most Notable Changes (2/3)
Hosted Payment Pages Are No Longer a “Silver Bullet”
• PCI DSS 3.0 offers a new definition of system components: “System components include systems that may impact the security of the CDE (for example web redirection servers).”
• Up until now, web servers had been considered out-of-scope if they used iFrames, hosted payment pages or other redirection technologies to prevent cardholder data from touching the merchant’s systems.
• Under the new standard, all of these servers fall in-scope and, due to the new segmentation requirement, likely bring the rest of a company’s network into scope as well.
• The only “out” for companies that lack the ability to ensure the security of web servers internally remains fully outsourcing the web infrastructure.
Larger Samples
• The new standard requires larger samples. Specifically, “Samples of system components must include every type and combination that is in use. For example, where applications are sampled, the sample must include all versions and platforms for each type of application.”
Source: INFORMATION TECHNOLOGY FLASH REPORT-Understanding PCI DSS Version 3.0 – Key Changes and New Requirements
PCI DSS Version 3.0: Most Notable Changes (3/3)
Larger Samples (continued)
• For merchants undergoing a third-party assessment, or Level 1 merchants that self-assess, the level of effort in the validation process is likely to increase.
POS Physical Controls
• In response to recent attacks in which POS devices have been physically modified to capture cardholder data, there is a new set of control requirements around physical security for POS devices.
• First, merchants must maintain an inventory of POS devices, which must be identified in detail, including the location and serial number of each device.
• Additionally, POS devices must be inspected periodically for tampering, and employees at POS locations must be trained in how to detect and prevent device tampering.
Source: INFORMATION TECHNOLOGY FLASH REPORT-Understanding PCI DSS Version 3.0 – Key Changes and New Requirements
PCI DSS Version 3.0: Other Changes (1/3)
In PCI DSS 3.0, there are updates that, while less likely to impact the payment processing structure significantly within organizations, are still noteworthy:
1. Default accounts – The previous requirement stated only that default passwords should not be used.
   Implication: Default accounts have to be disabled or removed whenever possible.
2. Inventory of system components – Companies must maintain an inventory of system components that are in-scope for PCI DSS.
   Implication: This will support effective scoping practices.
3. Disk encryption – Logical access must be managed separately and independently of native operating system authentication and access control mechanisms.
   Implication: Active Directory credentials may no longer be acceptable to manage disk encryption.
4. Split knowledge/dual control – For manual clear-text operations, two people are required to perform any key-management operations (such as rotating keys).
   Implication: This would mean not only that knowledge of the key must be split, but also that the account that provides access to any key management functionality must also be split.
Source: INFORMATION TECHNOLOGY FLASH REPORT-Understanding PCI DSS Version 3.0 – Key Changes and New Requirements
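The split knowledge/dual control item above has two halves: no single person may know the whole key, and no single account may be able to run the key-management function. The following is an added example, not from the Protiviti deck or from any PCI SSC material, of how both halves look in code: the key is held as full-length XOR key components (the usual form for manually managed clear-text keys), and a small ceremony object refuses to reassemble the key until two different custodians have each authenticated and handed over their component. The custodian names, their authentication secrets and the check value function are constructed for illustration; the check value in particular is a truncated hash stand-in, not the banking-industry KCV.

```python
# Added example: split knowledge and dual control for a manual clear-text
# key-management operation. Not from the Protiviti deck; the custodian
# credentials and key bytes are constructed, and the check value is a
# simplified stand-in rather than the banking-industry KCV.
import hashlib
import hmac
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, custodians: int = 2) -> list:
    """Split `key` into full-length XOR components, one per custodian.

    Any subset short of all components is uniformly random and reveals
    nothing about the key: this is the 'split knowledge' property.
    """
    if custodians < 2:
        raise ValueError("split knowledge needs at least two custodians")
    parts = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    last = key
    for p in parts:
        last = xor_bytes(last, p)      # last component = key XOR all random components
    parts.append(last)
    return parts


def combine_components(parts: list) -> bytes:
    """Reassemble the key by XOR-ing every component together."""
    key = bytes(len(parts[0]))
    for p in parts:
        key = xor_bytes(key, p)
    return key


def check_value(key: bytes) -> str:
    """Constructed check value (truncated SHA-256) so custodians can confirm a
    reassembled key without exposing it. Not the ANSI/banking KCV."""
    return hashlib.sha256(key).hexdigest()[:6]


class KeyCeremony:
    """Dual-control gate: the key-management function only runs after the
    required number of *different* custodians have each authenticated and
    submitted a component. The access that unlocks the operation is itself
    split across people, so no single login can rotate the key."""

    def __init__(self, custodian_secrets: dict, required: int = 2):
        self._secrets = custodian_secrets      # {custodian_id: auth secret} (constructed)
        self._required = required
        self._submitted = {}

    def submit(self, custodian_id: str, auth_token: bytes, component: bytes) -> int:
        """Authenticate one custodian and record their component; returns the count so far."""
        expected = self._secrets.get(custodian_id)
        if expected is None or not hmac.compare_digest(expected, auth_token):
            raise PermissionError(f"custodian {custodian_id!r} failed authentication")
        if custodian_id in self._submitted:
            raise PermissionError("one custodian cannot satisfy dual control alone")
        self._submitted[custodian_id] = component
        return len(self._submitted)

    def reconstruct(self) -> bytes:
        """Perform the key operation; refuses unless the quorum of distinct custodians is met."""
        if len(self._submitted) < self._required:
            raise PermissionError(
                f"dual control not met: {len(self._submitted)} of {self._required} custodians")
        key = combine_components(list(self._submitted.values()))
        self._submitted.clear()                # components are not retained after use
        return key


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    parts = split_key(key)
    creds = {"alice": b"alice-secret", "bob": b"bob-secret"}   # constructed custodian secrets
    ceremony = KeyCeremony(creds)
    ceremony.submit("alice", creds["alice"], parts[0])
    ceremony.submit("bob", creds["bob"], parts[1])
    print("check value matches:", check_value(ceremony.reconstruct()) == check_value(key))
```

The point worth noticing is the second PermissionError in `submit`: a custodian who legitimately holds one component and a valid login still cannot complete the operation by submitting twice, which is exactly the "account must also be split" implication in item 4. In practice the authentication would be the HSM's or key-management system's own operator logins rather than a dictionary of secrets.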
PCI DSS Version 3.0: Other Changes (2/3)
5. Custom developers – Procedures for secure development and code review now “applies to all software developed internally as well as custom software developed by a third party.”
   Implication: This means that any developers with whom a company works will need to be required contractually to comply with the updated PCI standard.
6. Vulnerability scans don’t meet requirements for web application security.
   Implication: PCI DSS 3.0 makes this clear – vulnerability scans are not sufficient.
7. Service providers must use a unique password for each customer – This applies only to Service Providers.
   Implication: Many Service Providers still use the same password for the service account for every customer. This is not permitted after June 30, 2015.
8. Unique certificates – Merchants who use certificates, smart cards or tokens must ensure these security items are unique and tied to an individual account.
   Implication: If employees were to swap tokens, they would not be able to log on.
9. Inventory of wireless access points – Merchants and SPs must maintain an inventory of authorized wireless access points along with a business justification for each.
Source: INFORMATION TECHNOLOGY FLASH REPORT-Understanding PCI DSS Version 3.0 – Key Changes and New Requirements
PCI DSS Version 3.0: Other Changes (3/3)
10. More frequent risk assessments – Now to be performed upon any significant changes to the environment, as well as annually.
11. Expansion of service providers required to be in compliance – The new standard expands this requirement to include all Service Providers that could affect the security of the cardholder data. Additionally, companies must maintain information on which PCI DSS requirements are managed by each SP and which are managed by the company.
   Implication: This expansion adds many more Service Providers to the list, including custom developers, hosting providers and managed security service providers.
Source: INFORMATION TECHNOLOGY FLASH REPORT-Understanding PCI DSS Version 3.0 – Key Changes and New Requirements
Key Takeaways
1. The bar for segmentation is raised.
2. Point-to-point encryption as a more valuable scope reduction strategy
• This technology encrypts card data at the point of swipe and maintains that encryption all the way to the processor, such that the merchant cannot ever decrypt the data.
• Use of point-to-point encryption remains one of the most effective ways to reduce PCI scope.
3. The changes in PCI DSS 3.0 are likely to result in significant additional effort for companies processing credit card payments.
Merchants and service providers alike will require time to address these new requirements and expanded scoping. Nevertheless, those entities that are able to implement the new rules effectively can gain competitive advantage and ensure better protection of personal payment information, as well as avoid serious reputational harm caused by unauthorized exposure of customers’ credit card data.
Source: INFORMATION TECHNOLOGY FLASH REPORT-Understanding PCI DSS Version 3.0 – Key Changes and New Requirements
Next Steps
Be aware, changes are here
Gap assess against new requirements – Especially around scope!
Continue to monitor the PCI SSC website for updates and clarification
Look for reporting templates and information supplements
Ask your QSA for their interpretation of each new information supplement as it relates to your environment; remember that these are immediately effective
Questions
Confidentiality Statement and Restriction for Use
This document contains confidential material proprietary to Protiviti Inc. ("Protiviti"), a wholly-owned subsidiary of Robert Half ("RHI"). RHI is a publicly-traded company and as such, the materials, information, ideas, and concepts contained herein are non-public, should be used solely and exclusively to evaluate the capabilities of Protiviti to provide assistance to your Company, and should not be used in any inappropriate manner or in violation of applicable securities laws. The contents are intended for the use of your Company and may not be distributed to third parties.