Alcumus ISOQAR India Pvt. Ltd. – PCI DSS QSA
PCI DSS 3.2 Newsletter
© 2016 ISOQAR India Pvt. Ltd., an Indian Registered company and a member firm of the Alcumus Group International Cooperative (“Alcumus ISOQAR”), an entity. All rights reserved.
Foreword
“The security benefits associated with maintaining PCI compliance are vital to the long-term success of all merchants who process card payments. This includes continual identification of threats and vulnerabilities that could potentially impact the organization. Most organizations never fully recover from data breaches because the loss is greater than the data itself.”
The leadership team, with a BIG FOUR background, focuses on delivering performance with passion. We believe in knowledge-performance integration. With the growing demand for compliance, the Alcumus ISOQAR team believes in enhancing its capability to provide value-added services in the field of audits and trainings coupled with compliances.
Our long-term vision is to be the ONE STOP SHOP for all requirements related to audit, training, compliance, tools etc. in all domains.
Our business idea supports this vision by providing a wide range of audit and training services globally, utilizing domain knowledge, audit experience and an utmost professional approach.
Today we work on all standards, including ISO standards in all domains, 2nd party audits, PCI compliances, SSAE 16 SOC compliances, HIPAA compliances, BRC and RJC compliances etc.
ISOQAR uses its knowledge assets to drive performance. Knowledge embedded in our services and business processes now drives what can be created and delivered to our esteemed customers.
We are publishing a newsletter on PCI DSS which puts a finger on the pulse of the various requirements under the new version, PCI DSS 3.2.
We hope the newsletter provides you with insights that can be leveraged in shaping the PCI DSS implementation posture in your organization.
Regards,
ISOQAR India Pvt. Ltd.
Partner – PCI DSS Compliance Services
Executive Director – Compliance
Nishid Shivdas
Prashant Koranne
Statistics of Card Related and Identity Theft Frauds
[Charts: statistics of card-related and identity theft frauds. Sources: The UK Cards Association; Krebsonsecurity.]
What is new in PCI DSS 3.2?
Within the 12 core requirements of the PCI DSS, there are five new sub-requirements for service providers affecting requirements 3, 10, 11 and 12. New sub-requirements have been added to requirement 8 to ensure multi-factor authentication is used for all non-console administrative access and all remote access in the cardholder data environment. There are also two new appendices. Appendix A2 incorporates new migration deadlines for removal of Secure Sockets Layer (SSL) / early Transport Layer Security (TLS) in line with the December 2015 bulletin. Appendix A3 incorporates the “Designated Entities Supplemental Validation” (DESV), which was previously a separate document.
Link to get the complete summary of changes in PCI DSS Version 3.2:
https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss
How long do organizations have to implement PCI DSS 3.2?
PCI DSS 3.1 will retire on 31 October 2016, and after this time all assessments will need to use version 3.2. Between now and 31 October 2016, either PCI DSS 3.1 or 3.2 may be used for PCI DSS assessments. The new requirements introduced in PCI DSS 3.2 are considered best practices until 31 January 2018. Starting 1 February 2018 they are effective as requirements and must be used.
How to prepare?
PCI DSS 3.2 marks the start of refining the payment data regulations, rather than minor changes, and includes requirements to strengthen encryption and multifactor authentication.
The PCI Security Standards Council (PCI SSC) has published a new version of its data security standard (DSS), used to safeguard payment data before, during and after a purchase is made. PCI DSS version 3.2 replaces version 3.1, which will expire on Oct. 31.
Multifactor Authentication – One significant change in PCI DSS 3.2 is that it includes multi-factor authentication as a requirement for any personnel with administrative access into environments handling card data. Previously this requirement applied only to remote access from untrusted networks.
“A password alone should not be enough to verify the administrator’s identity and grant access to sensitive information,” said PCI Security Standards Council CTO Troy Leach. “We’ve seen an increase in attacks that circumvent a single point of failure, allowing criminals to access systems undetected and to compromise card data.”
PCI DSS 3.2 focuses on Encryption and Multifactor Authentication
5 Platinum Principles for continual PCI compliance
1. Know the Standard
Unlike many other compliance standards, e.g. ISO 27001 (too generic) and SSAE 16 (you can define your own frequency), PCI DSS has a definite frequency for maintaining controls. There are multiple requirements which could have a cascading effect on your compliance posture if you fail to maintain the effectiveness of the required controls.
There could be various teams involved, and unless there is a crystal clear understanding and communication within the teams, you are most likely to face difficulties. For example, the purchase is done by the procurement team, device hardening is done by some other team and vulnerability scanning is someone else’s responsibility. Unless these teams are in sync and know the standard well, maintenance becomes difficult.
2. Get the Necessary Budgetary Approval for the Upkeep
As a CISO, you may need to procure tools and outsource some of your activities, viz. scans from an ASV and other periodic scans. While submitting the budget, it is advisable to include the recurring maintenance cost as well. This will ensure that you have the necessary funds available and do not need to run around at the eleventh hour and delay the mandatory requirements for compliance.
3. Develop an Annual Compliance Calendar
A simple spreadsheet can do wonders. List the tasks as Daily (log reviews), Weekly (file integrity checks), Monthly (newly added devices, employee background checks, recent infrastructure changes etc.), Quarterly (scans), Semi-annually (network device rule set reviews) and Annually (policy reviews, risk assessment, training programs, pen tests, incidents). Once the list is ready, name the “Owner” for each activity. Add the column “Checker”. Circulate the calendar to all the relevant stakeholders.
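As an added example (not from the newsletter), the calendar above as a small Python tracker: each task carries a frequency, owner and checker, and a fortnightly report lists what is already overdue and what falls due next. The task names, the day counts per frequency and the dates are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Calendar buckets from the newsletter, mapped to the maximum number of days
# between two completions (the day counts are an assumption of this example).
INTERVAL_DAYS = {"daily": 1, "weekly": 7, "monthly": 31, "quarterly": 92,
                 "semi-annually": 183, "annually": 366}

@dataclass
class Task:
    name: str
    frequency: str
    owner: str                        # team that performs the control
    checker: str                      # team that verifies the evidence
    last_done: Optional[date] = None  # None: no evidence on file yet

    def due_by(self) -> Optional[date]:
        """Date by which the next completion must be evidenced; None if never done."""
        if self.last_done is None:
            return None
        return self.last_done + timedelta(days=INTERVAL_DAYS[self.frequency])

    def is_overdue(self, as_of: date) -> bool:
        due = self.due_by()
        return due is None or due < as_of

def status_report(tasks: List[Task], as_of: date, horizon_days: int = 14) -> Dict[str, List[str]]:
    """Fortnightly checker report: tasks already late, and tasks falling due within the horizon."""
    report: Dict[str, List[str]] = {"overdue": [], "due_soon": []}
    for t in tasks:
        if t.is_overdue(as_of):
            report["overdue"].append(f"{t.name} [owner: {t.owner}, checker: {t.checker}]")
        elif t.due_by() <= as_of + timedelta(days=horizon_days):
            report["due_soon"].append(t.name)
    return report

def demo() -> Dict[str, List[str]]:
    """Constructed calendar reviewed on 31 Oct 2016 (the PCI DSS 3.1 retirement date)."""
    as_of = date(2016, 10, 31)
    def ago(days: int) -> date: return as_of - timedelta(days=days)
    tasks = [
        Task("Log review", "daily", "SOC", "CISO", ago(1)),
        Task("File integrity check", "weekly", "SysAdmin", "CISO", ago(10)),
        Task("Employee background checks", "monthly", "HR", "CISO", ago(20)),
        Task("ASV scan", "quarterly", "Procurement", "CISO", ago(100)),
        Task("Firewall rule set review", "semi-annually", "Network", "CISO", ago(60)),
        Task("Risk assessment", "annually", "CISO", "Internal Audit", None),
    ]
    return status_report(tasks, as_of)
```

Running `demo()` flags the weekly FIM check, the quarterly ASV scan and the never-evidenced risk assessment as overdue, while the daily log review and the monthly background checks show as due within the next fortnight.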
4. Assign Tasks and Monitor Them
Once the calendar is circulated, ask all the checkers to report the progress on a periodic basis. My strong recommendation: do this on a fortnightly basis. This will ensure that immediate corrections and corrective actions are initiated if something is amiss, and it will not come as a last minute surprise or show spoiler. Our sincere advice: for any challenges, take the required advice from the QSA company. They will guide you in addressing any bottlenecks. Remember, hiding facts helps nobody in compliance.
5. Include Vendors in the Compliance Program
Communicate your compliance requirements to the vendors well in advance; in fact, it needs to be a contractual obligation. Vendors play a vital role in maintaining the compliance program when it comes to PCI DSS. If you have third party vendors, keep them well informed. If you have outsourced any of your activities, get the records well in time to avoid last minute hiccups. You are also now required to maintain a formal list of PCI responsibilities shared with vendors, down to the specific requirements you and the vendor handle. Vendor non-compliance can become a big challenge for your own maintenance and could be a show stopper.
Alcumus PCI DSS Value Proposition: the FOUR-fold (Triple A-S) approach
Assess
• We assist clients in defining the exact scope (thus saving a lot of money and effort), identifying the gaps and proposing a feasible remediation approach.
Accelerate
• Our expert consultants and QSAs are always ready to walk that extra mile for the clients and reduce the timelines in achieving the compliance goals.
Achieve
• Once the system is audit ready, our QSAs conduct a formal PCI DSS assessment onsite and release the Report On Compliance (ROC) and Attestation Of Compliance (AOC) in due course of time.
Sustain
• This is one of the highlights of the ISOQAR approach. In the Achieve phase we mentor all our clients to get ready for the next challenge, i.e. continual maintenance of compliance. Our project team not only grooms the clients in maintenance activity, but also keeps a close watch on their PCI DSS activities and compliance. Please check for our “PCI Protector Plan”.
We at Alcumus ISOQAR India realize the pains in achieving any compliance and maintaining it. Specifically, when it comes to achieving and maintaining PCI DSS compliance, the mission is even tougher.
PCI Compliance as a Service (P-CaaS)
We focus on all pertinent areas of PCI DSS and dive into the details associated with each required control. Our PCI compliance services utilize a combination of remote and onsite interviews, documentation reviews and walkthroughs of cardholder data processing environments, and examine process flows, supporting systems and all other areas associated with card-data processing.
We also provide PCI DSS support services and solutions:
- Vulnerability Assessment and Penetration Testing (VA/PT)
- Application Security Assessment (AppSec)
- Network Security Architecture Review
- Firewall and Router Rule Set Reviews
- Implementation of a Security Information and Event Management (SIEM) tool
- Implementation of a File Integrity Monitoring (FIM) tool
- Identity Management Solution (IDM)
- Multi-Factor Authentication Services
How can Alcumus ISOQAR help?
You construct your business. We protect it.
Alcumus ISOQAR India Pvt. Ltd. was founded in 2006 and is rooted in performing security assessments meeting compliance frameworks such as HIPAA, SOX, ISO 27001, ISO 20000, ISO 22301, ISO 33000, PCI DSS QSA etc.
With the rich experience of conducting compliances for various security frameworks, whether you are a large multinational bank or a small payment processor, Alcumus ISOQAR has the ability to serve your needs and ensure your organization is brought up to speed and into compliance with the PCI Data Security Standard.
Alcumus ISOQAR is a Qualified Security Assessor (QSA) as certified by the PCI Security Standards Council and is qualified to perform PCI DSS compliance assessments.
We have performed a wide variety of PCI related engagements and are presently involved in compliance efforts for the following areas:
- Service providers
- Payment Gateway PCI Scenarios
- PCI in BPOs
- PCI for Banks
- Issuing Operations; and
- Datacenter related PCI refinements
The PCI Security Standards Council is constantly working to monitor threats and improve the industry’s means of dealing with them, through enhancements to the PCI Security Standards and by the training of security professionals.
For many small and mid-sized businesses, getting started embracing change with the PCI DSS can be overwhelming. The good news is that it doesn’t have to be! Let us help remove the burden by stepping you through the compliance process and showing you where you can secure your business, validate compliance, and save time, hassle and money over the long term.
When you’re just starting out with PCI compliance, the last thing you want to do is wade through hundreds of pages of rules and requirements.
Our specialized services and PCI DSS experts will help you quickly identify and address your organization’s biggest security risks and their corresponding compliance gaps so you can successfully achieve and maintain PCI compliance.
ISOQAR India Pvt. Ltd.
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future.
No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
The views and opinions expressed herein are those of internet-based research; they do not necessarily represent the views of ISOQAR in India.
This document is meant for e-communications only.
Open Invite to Discuss PCI DSS Implementation
Book a 60-minute Virtual Tea Consultation with Prashant Koranne (PK).
Send us an email at [email protected]
ISOQAR (INDIA) PVT. LTD.
303, Matrix, Corporate Road, Prahladnagar, Off. S.G. Highway, Ahmedabad – 380051, Gujarat, India.