
PCI DSS 3.0: THE CHANGES AND HOW THEY WILL AFFECT YOUR BUSINESS

WELCOME AND AGENDA

PCI DSS 3.0 is mandatory starting January 1, 2015.

Goals of the session:

• Compliance as “Business as Usual”

• Review the high-level areas that will shift

• Clarify why the change happened, supported by what we’re already seeing in our assessments and our investigations

• Identify opportunities for you to prepare your organization


COMPLIANCE AS “BUSINESS AS USUAL”

• Duty of care.

• Move toward compliance as “business as usual” and a reminder of ongoing responsibility.

• Businesses are also expected to stay aware of the changes to the standard.


COMPLIANCE AS “BUSINESS AS USUAL”

• Security is 24/7 x 365, not just when the assessor is coming.

• Depending on the service provider or merchant level, the investigator will ask you about your last PCI assessment.

– What was in scope?

– What was actually assessed?

– Do you have a current network diagram?

– Has anything changed between assessments?

– What is your PCI asset inventory?

1. Change Drivers

2. Penetration Testing rigidity

3. Scope change for e-commerce redirect merchants

• SAQ A vs. SAQ A-EP

4. Adjustment to Anti-virus requirement

5. Service Provider requirements

6. POS physical protection

7. Log review specifications

8. Assess data in memory

Change Drivers

• The PCI Standards are updated based on feedback from the industry, per the standards development lifecycle, as well as in response to current market needs. Common challenge areas and drivers for change include:

– Lack of education and awareness

– Weak passwords, authentication

– Third-party security challenges

– Slow self-detection, malware

– Inconsistency in assessments


PEN TEST REQUIREMENT RIGIDITY

• New requirement to implement a methodology for penetration testing.

• Effective July 1, 2015

– Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115)

– Includes testing from both inside and outside the network

– Includes review and consideration of threats and vulnerabilities experienced in the last 12 months

• New requirement, if segmentation is used to isolate the CDE from other networks, to perform penetration tests to verify that the segmentation methods are operational and effective

Compliance point of view


E-COMMERCE REDIRECT MERCHANTS

• Clarification of what is in scope:

– Systems that provide security services (for example, authentication servers), facilitate segmentation (for example, internal firewalls), or may impact the security of the CDE (for example, name resolution or web redirection servers).

• Affects e-commerce redirect merchants

• These websites are a key security control for the flow of CHD into the CDE. They are therefore required to apply PCI security controls.

SAQ A versus SAQ A-EP

SAQ A-EP overview

• Why was this new SAQ created?

• Who does it apply to?

• When do merchants have to start using it?

• What is included in this


E-COMMERCE REDIRECT MERCHANTS

• We have seen many examples of iframes and e-commerce pages modified to intercept information, with PII and cardholder information stolen in the process.

• While redirects are a more convenient way to do business, the security of these systems still needs to be monitored closely.


ADJUSTMENT TO AV REQUIREMENT

• New requirement to evaluate evolving malware threats for any systems not considered to be commonly affected by malicious software.

• New requirement to ensure that anti-virus solutions cannot be disabled or altered by users unless specifically authorized by management on a per-case basis.

• Configured to perform automatic updates.

• Configured to perform regular scans.


ADJUSTMENT TO AV REQUIREMENT

• You have a lock on your house; do you lock it?

• AV controls should be treated the same way.

• Attackers will disable it or even make exceptions for their malware.

Investigations point of view

Do you have adequate procedures and technology to prevent employee misuse?


SERVICE PROVIDER REQUIREMENTS

• Authentication Credentials

– New requirement for service providers with remote access to customer premises to use unique authentication credentials for each customer.

– Effective July 1, 2015

• New Agreements

– Service Provider Agreements MUST articulate what they’re responsible for


SERVICE PROVIDER AUTH CREDENTIALS

• Several recent investigations with different merchants from different states all had one thing in common: the remote access password.

• Passwords are often the first line of defense.

– Does your SP rotate passwords?

– Does it require two-factor auth?

Investigations point of view


POS PHYSICAL PROTECTION

• New requirement to protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.

• Effective July 1, 2015

• Essential Requirement:

– Maintain a list of devices

– Periodically inspect devices to look for tampering or substitution

– Train personnel to be aware of suspicious behavior and to report tampering or substitution of devices.
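The three essential requirements above (a device list, periodic inspection, reporting of tampering or substitution) can be checked mechanically. The following is an added example, not code from the presentation: it reconciles a constructed device list against constructed inspection records and flags substitution (serial mismatch), tampering (broken seal) and overdue inspections; device ids, serials and the inspection interval are assumptions.

```python
# Added example (not from the presentation): reconcile the POS device list
# against periodic inspection records and flag substitution (serial
# mismatch), tampering (broken seal) and overdue inspections.
# All device and inspection data below is constructed for illustration.
from datetime import date, timedelta

# Baseline list of card-capturing devices (constructed sample).
DEVICE_INVENTORY = {
    "POS-001": {"serial": "SN-1001", "location": "Lane 1"},
    "POS-002": {"serial": "SN-1002", "location": "Lane 2"},
    "POS-003": {"serial": "SN-1003", "location": "Kiosk"},
    "POS-004": {"serial": "SN-1004", "location": "Lane 4"},
}

# What staff recorded on each inspection walk-round (constructed sample).
INSPECTIONS = [
    {"device": "POS-001", "date": date(2015, 6, 1), "serial": "SN-1001", "seal_intact": True},
    {"device": "POS-002", "date": date(2015, 6, 1), "serial": "SN-9999", "seal_intact": True},
    {"device": "POS-003", "date": date(2015, 4, 20), "serial": "SN-1003", "seal_intact": True},
    {"device": "POS-001", "date": date(2015, 6, 15), "serial": "SN-1001", "seal_intact": False},
]


def review_inspections(inventory, inspections, today, max_age_days=30):
    """Return {device_id: sorted findings} for devices that need attention.
    substituted = serial differs from baseline; tampered = seal broken;
    overdue = no inspection within max_age_days; not_in_inventory = unlisted.
    """
    findings = {dev: [] for dev in inventory}
    last_seen = {}
    for rec in inspections:
        dev = rec["device"]
        if dev not in inventory:
            findings.setdefault(dev, []).append("not_in_inventory")
            continue
        if rec["serial"] != inventory[dev]["serial"]:
            findings[dev].append("substituted")
        if not rec["seal_intact"]:
            findings[dev].append("tampered")
        last_seen[dev] = max(last_seen.get(dev, rec["date"]), rec["date"])
    for dev in inventory:
        seen = last_seen.get(dev)
        if seen is None or today - seen > timedelta(days=max_age_days):
            findings[dev].append("overdue")
    return {dev: sorted(set(f)) for dev, f in findings.items() if f}


def sample_review():
    """Run the reconciliation over the constructed data as of 2015-06-20."""
    return review_inspections(DEVICE_INVENTORY, INSPECTIONS, date(2015, 6, 20))
```

A device that was never inspected shows up as overdue, which is the case an inventory-only process tends to miss.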


IMPROVING LOG REVIEWS

Investigations point of view

• In almost every single case we’ve seen, there was no process for doing log reviews, especially when these were done in house; the ability to monitor 24/7 is ideal.

• No supporting evidence at the border (firewalls, routers, or IDS/IPS).

• If logging is not enabled, an organization has no way to detect whether it has been compromised.

• Logging also allows the investigators to trace back to the origin, which in some cases can aid law enforcement in a successful apprehension.

Do you have 24x7 log review coverage?
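The "no supporting evidence at the border" finding is easy to check for before an investigator does. The following is an added example, not code from the presentation: it takes a constructed list of in-scope border devices and a handful of constructed syslog-style lines, reports devices that logged nothing in a review window, and, going one step further than the slide, measures the longest silent period for the devices that did log; host names, the line format and the gap threshold are assumptions.

```python
# Added example (not from the presentation): check that every border device on
# the PCI asset inventory produced logs in a review window and measure the
# longest silent period per device. Hosts, log lines and the
# "<ISO timestamp> <host> <message>" line format are constructed/assumed.
from datetime import datetime

# In-scope border devices from the (constructed) PCI asset inventory.
BORDER_ASSETS = ["fw-edge-1", "rtr-core-1", "ids-dmz-1"]

SAMPLE_LOGS = """\
2015-03-02T00:05:10 fw-edge-1 DENY tcp 203.0.113.7:51234 -> 10.1.1.5:445
2015-03-02T06:10:44 fw-edge-1 ALLOW tcp 10.1.2.9:49822 -> 198.51.100.20:443
2015-03-02T06:11:02 ids-dmz-1 ALERT signature=policy-violation src=10.1.2.9
2015-03-02T23:40:00 fw-edge-1 DENY udp 192.0.2.44:53 -> 10.1.1.5:53
2015-03-03T00:30:12 ids-dmz-1 HEARTBEAT
"""


def parse_events(text):
    """Return (timestamp, host) for each well-formed line; skip anything else."""
    events = []
    for line in text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        events.append((ts, parts[1]))
    return events


def coverage_report(assets, events, window_start, window_end, max_gap_hours=8):
    """Per asset: 'silent' if nothing logged in the window, else the longest
    gap in hours between events (window edges included) and whether it exceeds max_gap_hours."""
    per_host = {a: [] for a in assets}
    for ts, host in events:
        if host in per_host and window_start <= ts <= window_end:
            per_host[host].append(ts)
    report = {}
    for host, stamps in per_host.items():
        if not stamps:
            report[host] = {"status": "silent", "max_gap_hours": None}
            continue
        stamps.sort()
        points = [window_start] + stamps + [window_end]
        hours = max(b - a for a, b in zip(points, points[1:])).total_seconds() / 3600
        report[host] = {"status": "gap" if hours > max_gap_hours else "ok", "max_gap_hours": round(hours, 2)}
    return report


def sample_report():
    """Run the check over the constructed logs for the 24 hours of 2015-03-02."""
    return coverage_report(BORDER_ASSETS, parse_events(SAMPLE_LOGS), datetime(2015, 3, 2), datetime(2015, 3, 3))
```

On the sample data the router is silent and both logging devices have gaps of more than 17 hours, which is the kind of evidence that would be missing when an investigator asks for border logs.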


ASSESS DATA IN MEMORY

• Proposal to drive awareness of how CHD or SAD is handled in memory.

• Proposal to require documentation that discusses how CHD or SAD is protected while being processed in memory.


ASSESS DATA IN MEMORY

• Investigations point of view

– Attackers will find the weakest link in your payment application.

– Developers have put more thought into protecting data at rest (encryption/tokens) than data in memory.

• 49.9% of the compromised system data was in memory.

Investigations point of view

If you’re developing an application, ask yourself this:

– Do your developers have an adequate security and threat research


IN A NUTSHELL…

• Improved education / awareness

• Increased flexibility

• Moving towards a sensible risk-based approach

• Responsibility for everyone to consider security
