Truvantis PCI 3.0 Webcast: Minimizing the Business Impact of the PCI-DSS 3.0 Transition
Transcript of Truvantis PCI 3.0 Webcast: Minimizing the Business Impact of the PCI-DSS 3.0 Transition
Andy Cottrell
12/14/2013 1
The PCI DSS refresh cycle
What has changed in general terms
Review of specific, significant changes
Requirement 0
Requirements 1-12
Reorganization of documents
Final notes

The YouTube recording of this webcast is linked from the end of the presentation and available here: http://youtu.be/mwvx1q9aMDw

IT security consulting company: www.truvantis.com
Authorized PCI DSS Qualified Security Assessor (QSA) Company
Deep, comprehensive expertise in IT security testing (pen testing, vulnerability assessments, etc.), policy creation, audit, PCI assessments and governance
We also understand that IT security can’t get in the way of doing business!

A great deal of clarification
Some additional requirements
More useful narrative before the requirements
Reorganization of the documents
Focus on goals, not technology
Today, look at a few of the more important changes

Scope
Cannot store SAD (sensitive authentication data) after authorization, even without the PAN (primary account number)
Determination of the scope of the CDE (cardholder data environment) is the entity’s responsibility
Segmentation
If a control is used to de-scope, then that control is in scope
A system can only be out of scope if its compromise would not impact the security of the CDE

Wireless
Don’t
Service providers
It’s still your job to monitor the compliance of your service providers
The fact that they have an AOC (Attestation of Compliance) does not change that; it just helps with validation
“For example, providing the AOC and/or relevant sections of the service provider’s ROC (redacted to protect any confidential information) could help provide all or some of the information.”

Business-as-Usual
Totally new section
Discusses how to build compliance into your daily routine
This is not a new requirement
Consider it guidance and advice that will help

Security policies and daily operational procedures moved into relevant sections
Just moving section 12 items into a more sensible place
NEW: Inventory of system components and their function/use
You probably did this anyway
Just leave an audit trail to show you keep it current
TIP: Create a task regularly to review it

Still at least 7 characters, alphanumeric
Can now use equivalent strength
Do the math to establish equivalence
TIP: This is a low bar – do better

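As an added worked example (mine, not from the webcast), this is the keyspace arithmetic behind “do the math”: the slide’s baseline is modelled, as an assumption, as 7 symbols drawn from the 62 letters and digits, and the functions compute how long a password over a smaller or larger alphabet must be to match that keyspace. The strict variant also accounts for the rule that both a letter and a digit must be present, which lowers the bar by one character for some alphabets.

```python
import math
from typing import Dict, Optional

# Baseline from the slide: at least 7 characters, letters and digits. Assumption for
# this example: model it as 7 symbols drawn from the 62-symbol alphabet of 26 lowercase
# letters, 26 uppercase letters and 10 digits.
BASELINE_LENGTH = 7
BASELINE_CHARSET = 26 + 26 + 10


def baseline_keyspace() -> int:
    """Number of distinct 7-character strings over the 62-symbol alphabet."""
    return BASELINE_CHARSET ** BASELINE_LENGTH


def strict_baseline_keyspace() -> int:
    """Same count minus the strings with no digit or no letter, since the rule says both
    must be present; the all-letter and all-digit sets are disjoint, so subtract each once."""
    no_digit = (BASELINE_CHARSET - 10) ** BASELINE_LENGTH
    no_letter = 10 ** BASELINE_LENGTH
    return baseline_keyspace() - no_digit - no_letter


def keyspace_bits(length: int, charset_size: int) -> float:
    """Keyspace expressed in bits: log2(charset_size ** length)."""
    return length * math.log2(charset_size)


def equivalent_length(charset_size: int, target: Optional[int] = None) -> int:
    """Smallest length over an alphabet of charset_size symbols whose keyspace is at least
    target (default: the 62^7 baseline). Integer arithmetic avoids floating-point rounding
    at exact boundaries such as charset_size == 62."""
    if charset_size < 2:
        raise ValueError("an alphabet needs at least two symbols")
    if target is None:
        target = baseline_keyspace()
    length = 1
    while charset_size ** length < target:
        length += 1
    return length


def equivalence_table(target: Optional[int] = None) -> Dict[str, int]:
    """Required length for a few alternative policies to match the baseline keyspace."""
    alphabets = {"digits only (PIN)": 10, "lowercase only": 26,
                 "lowercase + digits": 36, "printable ASCII": 95}
    return {name: equivalent_length(size, target) for name, size in alphabets.items()}
```

Under the loose model the baseline is about 41.7 bits, so a digits-only PIN needs 13 digits and lowercase-plus-digits needs 9 characters; the strict model drops the latter to 8.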
2.0: “Deploy anti-virus software on all systems commonly affected by malicious software”
Now your responsibility to make sure the systems you exempted continue to not need it
3.0: “perform periodic evaluations to identify and evaluate evolving malware threats”

These requirements have been coordinated
Security patches indicate vulnerabilities
All vulnerabilities must be ‘risk-ranked’
At least HIGH risk (to you)
Additionally flag CRITICAL if “they pose an imminent threat to the environment, impact critical systems, and/or would result in a potential compromise if not addressed”
CRITICAL vendor-supplied security patches: one month
Other vendor-supplied security patches: ‘appropriate’ time frame (three months)

NEW: Broken authentication and session management
Flagging session tokens … as “secure”
Not exposing session IDs in the URL
Incorporating appropriate time-outs and rotation of session IDs after a successful login
PCI is following OWASP Top 10
TIP: OWASP has a new Top 10 for 2013
TIP: Also see www.securecoding.cert.org

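Added example (mine, not the webcast’s): a minimal session handler in Python’s standard library that does the three things the slide lists: the cookie is flagged Secure and HttpOnly, the id is read from the Cookie header rather than the URL, and the id is rotated on login and expired after an idle timeout. The 15-minute timeout, the cookie name "sid" and the in-memory store are assumptions.

```python
import secrets
import time
from http.cookies import SimpleCookie

# Assumptions (not from the slides): a 15-minute idle timeout, a cookie named "sid",
# and an in-memory store with an injectable clock so the timeout can be exercised.
IDLE_TIMEOUT_SECONDS = 15 * 60
COOKIE_NAME = "sid"


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}  # session id -> {"user": str | None, "last_seen": float}

    def create(self):
        """Issue a fresh, unpredictable id for an anonymous visitor."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def login(self, old_sid, user):
        """Rotate on successful login: the pre-login id is discarded, so an id captured
        or fixed before authentication never becomes an authenticated one."""
        self._sessions.pop(old_sid, None)
        new_sid = self.create()
        self._sessions[new_sid]["user"] = user
        return new_sid

    def lookup(self, sid):
        """Return session data, or None if the id is unknown or idle past the timeout."""
        data = self._sessions.get(sid)
        if data is not None and self._clock() - data["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[sid]  # expired: remove it so it cannot be revived
            data = None
        if data is not None:
            data["last_seen"] = self._clock()
        return data

def set_cookie_header(sid):
    """Set-Cookie value flagged Secure (TLS only) and HttpOnly (hidden from scripts)."""
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = sid
    cookie[COOKIE_NAME]["secure"] = True
    cookie[COOKIE_NAME]["httponly"] = True
    return cookie[COOKIE_NAME].OutputString()

def session_id_from_request(cookie_header):
    """Read the id from the Cookie header only; a ?sid= query parameter is ignored,
    since URLs are copied into logs, Referer headers and browser history."""
    morsel = SimpleCookie(cookie_header or "").get(COOKIE_NAME)
    return morsel.value if morsel else None
```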
NEW: Protect devices that capture payment
Mandatory after July 1st, 2015
Maintain a list of devices
Periodically inspect device surfaces to detect tampering
Training for personnel to detect tampering or replacement

Scanning for rogue devices
Must test for all routes by which wireless devices could get in
Just looking for added IP addresses is not enough
USB etc. specifically called out
TIP: Focus on intent, not the language

Can now combine multiple scans to get a passing grade
Recognizes that new issues can arise during a remediation phase
Re-test would show new failing items
Avoid the never-ending cycle of not passing

Greatly enhanced detail and deeper in scope
New goals mandatory as of July 1st, 2015
Test de-scoping controls
Review the last 12 months’ threats and vulnerabilities
The type, depth, and complexity of the testing will depend on the specific environment and the organization’s risk assessment
TIP: Don’t be sold a vulnerability assessment as a pen test
TIP: Ask your penetration tester when they will be working with the new rules

“at least annually and after significant changes to the environment”
Many requirements now reference your risk assessment
TIP: Use the new prevalence of “Risk Assessment” in the standard to help you work out what your risk assessment should look like

Plan not just for a major breach
It should drill down into more alerts from monitoring systems like firewalls
Larger mandate to choose what to monitor and where alerts should come from
TIP: Again - focus on intent, not language

Guidance regarding intent moved into the standard
Reporting instructions moved to a template
SAQs (Self-Assessment Questionnaires) will be updated - not released yet
Expect:
Multiple SAQ submissions will be permitted
New SAQs such as hosted payment pages

Download and review the ‘Summary of Changes’ document now
Review every item and measure the impact
Comply with the language, but focus on the intent
Review your ‘risk assessment’ in the light of 3.0
By understanding your risk, you can scale your behavior appropriately

By web: www.truvantis.com
By phone: +1 855.345.6298
By email: [email protected]
View this presentation in the recorded webcast (with audio): http://youtu.be/mwvx1q9aMDw