PCI-DSS v3.0 - What you need to know

Imperva webinar 11/7/2013
Covering the latest changes to the PCI-DSS standard.

  • Unlike CIS or SANS, which are benchmarks, PCI DSS is a mandate. This is the one standard that has impacted actual information security most in the past decade. Its evolution has three aspects: language, requirements, and the approach to deployment and the process around standard evaluation. Barry: this is the regulation intro; add the payment industry POV.
  • The timeline is more spread out than in the past; this is a very mature regulation.
  • Theme around POS security.
  • Way to detect skimmers -> if someone hangs too long next to an ATM, that should raise a red flag
  • ClearForest, a company that provides BOFA with analytics, was breached -> BOFA data compromised.
  • Coding technique: document how PAN/SAD is handled in memory to minimize potential exposure.
  • PCI 2.0 to promote PCI in spirit. Overall security (scope, risk-based and all custom-apps)
  • http://www.imperva.com/resources/overview.html

Presentation Transcript

  • PCI-DSS v3.0: What You Need to Know. Barry Shteiman – Director of Security Strategy. 11/7/2013. © 2013 Imperva, Inc. All rights reserved. Confidential.
  • Agenda
     PCI-DSS Themes and Drivers
     Dates and Deadlines
     New Requirements
     Web App Compliance
  • Today’s Speaker - Barry Shteiman
     Director of Security Strategy
     Security Researcher working with the CTO office
     Author of several application security tools, including HULK
     Open source security projects code contributor
     CISSP
     Twitter @bshteiman
  • Introducing PCI-DSS 3.0
  • PCI-DSS: Payment Card Industry (PCI) Data Security Standard (DSS). “A set of control requirements created to help protect cardholder data.”
     Industry driven
      • From conception to enforcement
     Evolving
      • 4th version over 7 years
      • Rate of releases has slowed – 3 years since v2.0 release
     Concise and Pragmatic
      • Does not avoid naming technologies
      • Calls out threats by name
      • Very specific about data scope
  • PCI-DSS Evolution (timeline 2005–2013)
     PCI 1.0 • December 2004 • 12 major sections
     PCI 1.1 • September 2006 • App security, compensating controls
     PCI 1.2 • October 2008 • Risk based approach, emphasis on wireless
     PCI 2.0 • October 2010 • Definition of scope, clarifications
     PCI 3.0 • November 2013 • Consistency for assessors, risk based approach, flexibility
  • PCI-DSS 3.0 Key Drivers
     Lack of education and awareness
     Weak passwords, authentication
     Third-party security challenges
     Slow self-detection, malware
     Inconsistency in assessments
  • General Themes
     Penetration testing gets real
      • More explicitly-defined penetration test guidelines
     Skimmers, skimmers and more skimmers
      • New requirement to maintain list of POS devices, periodically inspect devices and train personnel
      • Inclusion of POS devices in other sections
     Service provider accountability
     PCI requirement clarifications and details
  • Why Protect Point-of-Sale Devices? Physical data theft incidents from the 2013 Verizon Data Breach Incident Report. Source: http://www.verizonenterprise.com/DBIR/
  • Service Providers accountability: Third-party awareness at the compliance level. Source: http://www.bankinfosecurity.com/bofa-confirms-third-party-breach-a-5582
  • PCI DSS 3.0 Dates and Deadlines
     Publication Date: November 7, 2013
     Effective Date: January 1, 2014
      • Version 2.0 will remain active until December 31, 2014
     Deadline for New Requirements: June 30, 2015
  • What’s New? New requirements added in PCI-DSS 3.0
  • New Req. 6.5.6: Insecure handling of credit card and authentication data in memory.
    Compliance:
      • Document how PAN/SAD is handled in memory to minimize exposure
  • New Req. 6.5.11: Broken authentication & session management.
    Compliance:
      • Flag session tokens
      • Don’t expose session ID in URL
      • Implement time-outs
      • Prevent User ID manipulation
  • New Req. 8.5.1: Service providers with access to customer environments must use a unique authentication credential for each customer.
    Compliance:
      • Authentication policies and procedures to mandate that different authentication is used to access each customer environment
    ** Only mandated for service providers
  • New Req. 9.9: Protect POS devices that capture payment card data from tampering.
    Compliance:
      • Maintain a list of POS devices
      • Periodical inspection for tampering/substitution
      • Training for awareness
    Note: PCI-DSS now addresses skimmers.
  • New Req. 11.3: Develop a penetration testing methodology based on industry guidelines like NIST.
    Compliance:
      • Implement a penetration testing approach based on an industry standard (like NIST SP800-115)
      • Define pen-test for all layers
      • Specify retention and remediation activity
  • New Req. 12.9: Service providers must document in writing that they will adhere to PCI DSS standards.
    Compliance:
      • Acknowledge in writing to customers that the service provider will maintain PCI DSS in full on behalf of the customer
    ** Only mandated for service providers
  • Web Application Compliance: Using a WAF to close the compliance gap
  • Web application relevant requirements
  • [6.5.11] Broken Auth & Session Mgmt – Authentication/Session attacks
      • Cookie Tampering
      • Cookie Poisoning
      • Session Hijacking
      • Session Reuse
      • Parameter Tampering
      • SSL Reuse
      • Brute Force
  • [11.3] Pen Testing and Remediation. Source: http://www.imperva.com/docs/SB_Imperva_WhiteHat.pdf
  • PCI-DSS Carry-ons
     Req 6.6: Protect public-facing Web applications
     Req 10: Audit all access to cardholder data
     Req 7: Limit access to systems and data on a business need to know
     Req 8.5: Identify and disable dormant user accounts and access rights
     Req 11.5: Alert personnel to unauthorized modification of files
    Source: http://www.imperva.com/PCI/
  • Where can I learn more?
  • PCI: PCI-DSS Council http://www.pcisecuritystandards.org; Imperva’s PCI Resource Center http://www.imperva.com/PCI/
  • Skimmers: KrebsOnSecurity http://krebsonsecurity.com/category/all-about-skimmers/
  • Third-Party Breaches: Imperva’s January 2013 HII and Imperva’s CMS Hacking Webinar http://www.imperva.com/resources/overview.html
  • Webinar Materials: Join the Imperva LinkedIn Group, Imperva Data Security Direct, for post-webinar discussions, the webinar recording link and answers to attendee questions.
  • Questions? www.imperva.com
  • Thank You
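The Req. 6.5.6 slide above asks for documented handling of PAN/SAD in memory so that exposure is minimized. The following is an added Python example, not code from the Imperva deck, showing one coding pattern that meets that intent: the PAN lives in a mutable bytearray rather than an immutable str, only a masked display form and a keyed token are derived from it, and the buffer is overwritten on every exit path, including validation failure. The sample PAN, the key and the 13–19 digit length rule are constructed/assumed for the example.

```python
"""Added example, not code from the Imperva deck: one coding pattern for
PCI-DSS 3.0 Req. 6.5.6 (PAN/SAD handling in memory). The PAN is kept in a
mutable bytearray so it can be overwritten, only a masked form and a keyed
token are derived from it, and the buffer is wiped on every exit path.
Caveat: CPython may still make transient internal copies; this minimises,
not eliminates, exposure, which is what the requirement asks to document."""
import hashlib
import hmac


def luhn_valid(pan: bytearray) -> bool:
    """Luhn check over ASCII digits, without building a str copy of the PAN.
    Length bounds (13-19 digits) are an assumption for this example."""
    if not 13 <= len(pan) <= 19 or any(c < 48 or c > 57 for c in pan):
        return False
    parity = len(pan) % 2
    total = 0
    for i, c in enumerate(pan):
        d = c - 48
        if i % 2 == parity:      # every second digit counted from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: bytearray) -> str:
    """Display form limited to the first six and last four digits."""
    return pan[:6].decode("ascii") + "*" * (len(pan) - 10) + pan[-4:].decode("ascii")


def pan_token(pan: bytearray, key: bytes) -> str:
    """Keyed HMAC-SHA256 so later lookups never need the PAN itself.
    hmac accepts any bytes-like object, so no bytes copy is created here."""
    return hmac.new(key, pan, hashlib.sha256).hexdigest()


def wipe(buf: bytearray) -> None:
    """Overwrite in place. A str PAN could not be wiped and would linger
    until garbage collection."""
    for i in range(len(buf)):
        buf[i] = 0


def process_card(pan: bytearray, key: bytes):
    """Validate, mask and tokenise, then wipe regardless of outcome.
    Returns None when the PAN fails validation."""
    try:
        if not luhn_valid(pan):
            return None
        return {"masked": mask_pan(pan), "token": pan_token(pan, key)}
    finally:
        wipe(pan)   # runs on the error path too


if __name__ == "__main__":
    # Constructed sample: a well-known test PAN and a throwaway key.
    sample = bytearray(b"4111111111111111")
    print(process_card(sample, b"constructed-demo-key"))
    print(sample)   # bytearray of zeros after processing
```

The point for the 6.5.6 write-up is the lifecycle, not the Luhn check: where the PAN enters, what is derived from it, and the single place it is destroyed. Language runtimes that copy strings freely make "never held in memory" impossible to promise, so the documented control is the bounded lifetime shown here.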
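The Req. 6.5.11 slide above lists four compliance points: flag session tokens, keep the session ID out of the URL, implement time-outs, and prevent user ID manipulation. The following is an added Python example, not code from the Imperva deck, that implements all four in a minimal server-side session store using only the standard library. The 15-minute idle and 8-hour absolute limits, the cookie name and the list of session parameter names are assumptions for the example.

```python
"""Added example, not code from the Imperva deck: a minimal server-side session
store covering the four compliance points listed for Req. 6.5.11 (flag session
tokens, keep the session ID out of URLs, time-outs, prevent user ID
manipulation). Policy values and parameter names are assumptions."""
import secrets
import time
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

IDLE_TIMEOUT = 15 * 60           # assumed policy: 15 minutes idle
ABSOLUTE_TIMEOUT = 8 * 60 * 60   # assumed policy: 8 hours total
SESSION_PARAM_NAMES = {"session", "sessionid", "jsessionid", "phpsessid"}  # assumed


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock   # injectable for tests
        self._sessions = {}   # sid -> {"user_id", "created", "last_seen"}

    def create(self, user_id: str) -> str:
        """New unguessable ID; the user ID is recorded server-side only."""
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        now = self._clock()
        self._sessions[sid] = {"user_id": user_id, "created": now, "last_seen": now}
        return sid

    def cookie_header(self, sid: str) -> str:
        """Set-Cookie line carrying the token flags: Secure, HttpOnly, SameSite."""
        c = SimpleCookie()
        c["session"] = sid
        c["session"]["secure"] = True      # never sent over plain HTTP
        c["session"]["httponly"] = True    # not readable by page script
        c["session"]["samesite"] = "Strict"
        c["session"]["path"] = "/"
        return c.output(header="Set-Cookie:").strip()

    def resolve(self, sid: str):
        """User ID bound to sid, or None if unknown or timed out. Because the
        mapping lives here, a client cannot change whose session it is by
        editing a cookie, hidden field or query parameter."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]    # expire server-side, not just in the browser
            return None
        s["last_seen"] = now
        return s["user_id"]

    def rotate(self, sid: str):
        """Issue a fresh ID after login or privilege change (anti-fixation)."""
        s = self._sessions.pop(sid, None)
        if s is None:
            return None
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = s
        return new_sid


def url_leaks_session(url: str) -> bool:
    """True if a session ID appears in the URL (query string or ;jsessionid
    path rewriting), which would put it in logs, referers and history."""
    parts = urlsplit(url)
    if ";jsessionid=" in parts.path.lower():
        return True
    names = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
    return bool(names & SESSION_PARAM_NAMES)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")   # constructed user
    print(store.cookie_header(sid))
    print(store.resolve(sid))
    print(url_leaks_session("https://shop.example/checkout?sessionid=abc"))  # constructed URL
```

The cookie flags satisfy "flag session tokens"; the store-side `resolve` is what prevents user ID manipulation, since nothing the client sends other than the unguessable ID is trusted; the two time-outs are enforced on the server so a stale browser cookie cannot revive a session; and `url_leaks_session` is the kind of check an audit script or WAF rule can run against request logs to find session IDs exposed in URLs.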