PCI 3.0 Revealed - What You Need to Know Today

On November 7, 2013 the PCI Security Standards Council unveiled v3.0 of the Payment Card Industry Data Security Standard (PCI DSS). This presentation focuses on the most significant changes to the standard.

Published in: Technology
Transcript of "PCI 3.0 Revealed - What You Need to Know Today"

  1. PCI-DSS v3.0: What You Need to Know Today
     Barry Shteiman – Director of Security Strategy
     © 2013 Imperva, Inc. All rights reserved. Confidential
  2. Agenda
     §  PCI-DSS Themes and Drivers
     §  Dates and Deadlines
     §  New Requirements
     §  Web App Compliance
  3. Today's Speaker - Barry Shteiman
     §  Director of Security Strategy
     §  Security Researcher working with the CTO office
     §  Author of several application security tools, including HULK
     §  Open source security projects code contributor
     §  CISSP
     §  Twitter @bshteiman
  4. Introducing PCI-DSS 3.0
  5. PCI-DSS: Payment Card Industry (PCI) Data Security Standard (DSS)
     §  Industry driven
       •  From conception to enforcement
     §  Evolving
       •  4th version over 7 years
       •  Rate of releases has slowed – 3 years since the v2.0 release
     §  Concise and Pragmatic
       •  Does not avoid naming technologies
       •  Calls out threats by name
       •  Very specific about data scope
  6. PCI-DSS Evolution
     §  PCI 1.0
       •  December 2004
       •  12 major sections
     §  PCI 1.1
       •  September 2006
       •  App security, compensating controls
     §  PCI 1.2
       •  October 2008
       •  Risk based approach, emphasis on wireless
     §  PCI 2.0
       •  October 2010
       •  Definition of scope, clarifications
     §  PCI 3.0
       •  November 2013
       •  Consistency for assessors, risk based approach, flexibility
     (Timeline graphic, 2005–2013, not reproduced)
  7. PCI-DSS 3.0 Key Drivers
     §  Lack of education and awareness
     §  Weak passwords, authentication
     §  Third-party security challenges
     §  Slow self-detection, malware
     §  Inconsistency in assessments
  8. General Themes
     §  Penetration testing gets real
       •  More explicitly-defined penetration test guidelines
     §  Skimmers, skimmers and more skimmers
       •  New requirement to maintain a list of POS devices, periodically inspect devices and train personnel
       •  Inclusion of POS devices in other sections
     §  Service provider accountability
     §  PCI requirement clarifications and details
  9. Why Protect Point-of-Sale Devices?
     Physical data theft incidents from the 2013 Verizon Data Breach Investigations Report
     Source: http://www.verizonenterprise.com/DBIR/
 10. Service Providers Accountability
     Third-party awareness at the compliance level
     Source: http://www.bankinfosecurity.com/bofa-confirms-third-party-breach-a-5582
 11. PCI DSS 3.0 Dates and Deadlines
     §  Publication Date: November 7, 2013
     §  Effective Date: January 1, 2014
       •  Version 2.0 will remain active until December 31, 2014
     §  Deadline for New Requirements: June 30, 2015 (new requirements are best practices until then)
 12. What's New? New Requirements Added in PCI-DSS 3.0
 13. New Req. 6.5.6: Insecure handling of credit card and authentication data in memory
     Compliance:
       •  Document how PAN/SAD is handled in memory to minimize exposure
     Note: this item and its numbering follow the Council's pre-publication change highlights. In the published v3.0 text, 6.5.6 remains the "high risk vulnerabilities" requirement and no separate in-memory handling requirement was retained; minimizing where PAN/SAD live in memory is still sound practice.
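One way to turn "minimize exposure of PAN/SAD in memory" into a documented, testable discipline, as an added example that is not from the deck or from Imperva. It is standard-library Python; `PAN_HASH_KEY`, `wiped`, `luhn_valid`, `mask`, `process_pan` and the test card number are constructed for the example. It assumes the PAN arrives in a caller-owned `bytearray` (for instance one filled by `socket.recv_into`) and that the only values allowed to leave the handling function are the masked PAN and a keyed-hash surrogate. CPython cannot prevent other code from copying a buffer, so this shows the practice the requirement asks you to document, not a memory-safety guarantee.

```python
"""PAN / SAD handling in memory for PCI DSS 6.5.6 (added example, standard library only).

Constructed assumptions: the PAN arrives in a caller-owned bytearray (for instance one
filled by socket.recv_into), PAN_HASH_KEY is loaded from a secret store, and the only
values that leave process_pan() are the masked PAN and a keyed-hash surrogate. CPython
cannot stop other code from copying the buffer, so this is the discipline the
requirement asks you to document, not a guarantee.
"""
import hashlib
import hmac
from contextlib import contextmanager

PAN_HASH_KEY = b"replace-with-a-key-from-a-secret-store"  # assumption, demo only


@contextmanager
def wiped(buf):
    """Yield the buffer, then zero it in place on exit, including when an error is raised."""
    try:
        yield buf
    finally:
        for i in range(len(buf)):
            buf[i] = 0


def luhn_valid(digits):
    """Luhn check over the raw ASCII digit bytes; no str copy of the PAN is ever built."""
    total, double = 0, False
    for b in reversed(digits):
        d = b - 0x30
        if not 0 <= d <= 9:
            return False
        if double:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
        double = not double
    return total % 10 == 0


def mask(digits):
    """PCI DSS 3.3: show at most the first six and last four digits."""
    return (digits[:6].decode("ascii") + "*" * (len(digits) - 10)
            + digits[-4:].decode("ascii"))


def process_pan(buf):
    """Validate, mask and tokenise the PAN held in buf, then wipe buf.

    Returns only non-sensitive values (or None for an invalid PAN); the full PAN
    lives in buf alone and is zeroed before this function returns either way.
    """
    with wiped(buf) as pan:
        if not 13 <= len(pan) <= 19 or not luhn_valid(pan):
            return None
        return {
            "masked": mask(pan),
            # keyed hash as a lookup surrogate; unkeyed hashes of PANs are brute-forceable
            "surrogate": hmac.new(PAN_HASH_KEY, pan, hashlib.sha256).hexdigest(),
        }


def demo():
    """Run a valid and an invalid PAN through process_pan and report whether each was wiped."""
    valid = bytearray(b"4111111111111111")    # constructed test number
    invalid = bytearray(b"4111111111111112")  # fails the Luhn check
    out = process_pan(valid)
    bad = process_pan(invalid)
    return {
        "masked": out["masked"],
        "rejected": bad is None,
        "wiped_after_valid": not any(valid),
        "wiped_after_invalid": not any(invalid),
    }
```

The documentation an assessor asks for under this item is essentially a description of `process_pan`: where the PAN enters, which functions may touch the raw buffer, what is derived from it, and the point at which it is zeroed. Working on `bytearray` rather than `str` keeps the raw digits out of Python's immutable, interned string objects, and the keyed hash avoids the rainbow-table problem of storing a plain SHA-256 of a 16-digit PAN.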
 14. New Req. 6.5.11: Broken authentication & session management
     Compliance:
       •  Flag session tokens (e.g. cookies) as secure
       •  Don't expose the session ID in the URL
       •  Implement time-outs
       •  Prevent User ID manipulation
     Note: numbered 6.5.10 in the published v3.0 standard.
 15. New Req. 8.5.1: Service providers with access to customer environments must use a unique authentication credential for each customer
     Compliance:
       •  Authentication policies and procedures that mandate different authentication for access to each customer environment
     ** Only mandated for service providers
 16. New Req. 9.9: Protect POS devices that capture payment card data from tampering
     Compliance:
       •  Maintain a list of POS devices
       •  Periodic inspection for tampering/substitution
       •  Training for awareness
     Note: PCI-DSS now addresses skimmers.
 17. New Req. 11.3: Develop a penetration testing methodology based on industry guidelines such as NIST
     Compliance:
       •  Implement a penetration testing approach based on an industry standard (e.g. NIST SP 800-115)
       •  Define the pen-test for all layers (network and application)
       •  Specify retention of results and remediation activity
 18. New Req. 12.9: Service providers must document in writing that they will adhere to PCI DSS standards
     Compliance:
       •  Acknowledge in writing to customers that the service provider will maintain PCI DSS in full on behalf of the customer
     ** Only mandated for service providers
 19. Web Application Compliance: Using a WAF to Close the Compliance Gap
 20. Web Application Relevant Requirements
 21. [6.5.11] Broken Auth. & Session Mgmt.
     Authentication/Session attacks
       •  Cookie Tampering
       •  Cookie Poisoning
       •  Session Hijacking
       •  Session Reuse
       •  Parameter Tampering
       •  SSL Reuse
       •  Brute Force
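The four compliance bullets on slide 14 and the cookie-tampering, session-reuse and parameter-tampering cases listed on this slide, implemented together as an added example in standard-library Python (not code from the deck, from Imperva, or from any WAF product). `SessionStore`, `current_user`, `urls_exposing_session_ids`, `SECRET_KEY`, the time-out values and the log lines in `demo()` are all constructed; it assumes the `SESSION` cookie only ever travels over TLS and that the key comes from a secret store in production.

```python
"""Session controls for PCI DSS 6.5.11 (added example, standard library only).

Constructed assumptions: SECRET_KEY is loaded from a secret store in production,
the SESSION cookie only ever travels over TLS, and requests are plain dicts
{"cookies": {...}, "params": {...}} as built in demo().
"""
import hashlib
import hmac
import re
import secrets
import time
from http.cookies import SimpleCookie

SECRET_KEY = b"replace-with-32-random-bytes-from-a-secret-store"  # assumption, demo only
IDLE_TIMEOUT = 15 * 60        # PCI DSS 8.1.8: idle sessions re-authenticate after 15 minutes
ABSOLUTE_TIMEOUT = 8 * 3600   # assumption: hard cap regardless of activity


def _sign(token):
    """HMAC over the opaque token: a fabricated or edited cookie fails before any lookup."""
    return hmac.new(SECRET_KEY, token.encode(), hashlib.sha256).hexdigest()


class SessionStore:
    """Server-side sessions; the cookie carries only an opaque, signed random token."""

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock  # injectable so time-outs can be exercised deterministically

    def create(self, user_id):
        token = secrets.token_urlsafe(32)  # 256 bits of entropy, unrelated to the user
        now = self._clock()
        self._sessions[token] = {"user_id": user_id, "created": now, "last_seen": now}
        return token

    def set_cookie_header(self, token):
        """'Flag session tokens': HttpOnly (no script access), Secure (TLS only), SameSite."""
        jar = SimpleCookie()
        jar["SESSION"] = f"{token}.{_sign(token)}"
        jar["SESSION"]["httponly"] = True
        jar["SESSION"]["secure"] = True
        jar["SESSION"]["samesite"] = "Strict"
        jar["SESSION"]["path"] = "/"
        return jar.output()

    def resolve(self, cookie_value):
        """Live session for a cookie value, or None if absent, tampered, unknown or expired."""
        if not isinstance(cookie_value, str) or "." not in cookie_value:
            return None
        token, sig = cookie_value.rsplit(".", 1)
        if not hmac.compare_digest(sig, _sign(token)):
            return None  # cookie tampering / poisoning: signature mismatch
        sess = self._sessions.get(token)
        if sess is None:
            return None  # unknown or destroyed token, e.g. reuse after logout
        now = self._clock()
        if now - sess["last_seen"] > IDLE_TIMEOUT or now - sess["created"] > ABSOLUTE_TIMEOUT:
            del self._sessions[token]
            return None  # 'Implement time-outs'
        sess["last_seen"] = now
        return sess

    def destroy(self, token):
        self._sessions.pop(token, None)  # logout: the token can never resolve again


def current_user(store, request):
    """'Prevent User ID manipulation': identity comes only from the server-side session."""
    sess = store.resolve(request.get("cookies", {}).get("SESSION"))
    return None if sess is None else sess["user_id"]


def current_user_vulnerable(request):
    """The anti-pattern: trusting a client-supplied user_id (parameter tampering)."""
    return request.get("params", {}).get("user_id")


_SESSION_IN_URL = re.compile(r"(?:^|[?&;])(?:jsessionid|phpsessid|sessionid|session|sid)=", re.I)


def urls_exposing_session_ids(log_lines):
    """'Don't expose session ID in URL': flag request lines whose URL carries a session token."""
    return [p[1] for p in (line.split() for line in log_lines)
            if len(p) >= 2 and _SESSION_IN_URL.search(p[1])]


def demo():
    """Exercise the controls against a fake clock; returns what each check observed."""
    clock = [1_700_000_000.0]
    store = SessionStore(clock=lambda: clock[0])
    token = store.create("alice")
    good = {"cookies": {"SESSION": f"{token}.{_sign(token)}"}, "params": {"user_id": "bob"}}
    tampered = {"cookies": {"SESSION": f"{token}.{'0' * 64}"}}
    seen = {
        "set_cookie": store.set_cookie_header(token),
        "user_from_session": current_user(store, good),          # alice, not bob
        "user_if_param_trusted": current_user_vulnerable(good),  # bob: the bug
        "tampered_rejected": current_user(store, tampered) is None,
    }
    clock[0] += IDLE_TIMEOUT + 1
    seen["idle_expired"] = current_user(store, good) is None
    seen["exposed_urls"] = urls_exposing_session_ids([        # constructed log lines
        "GET /account HTTP/1.1",
        "GET /cart;jsessionid=7F3A2C HTTP/1.1",
        "GET /login?next=/x&sessionid=abc123 HTTP/1.1",
    ])
    return seen
```

The token is random and server-side, so the HMAC is not what keeps it unguessable; it lets the server reject a forged or edited cookie with no store lookup and distinguishes tampering from a merely expired session, which is a useful signal to log. `urls_exposing_session_ids` is the check to run over existing access logs before an assessment: any hit is a session ID that will land in proxy logs, browser history and Referer headers. Rotating the token on login (also part of the 6.5.10/6.5.11 guidance) is the one control not shown here.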
 22. [11.3] Pen Testing and Remediation
     Source: http://www.imperva.com/docs/SB_Imperva_WhiteHat.pdf
 23. PCI-DSS Carry-ons
     Req 6.6: Protect public-facing Web applications
     Req 10: Audit all access to cardholder data
     Req 7: Limit access to systems and data on a business need to know
     Req 8.5: Identify and disable dormant user accounts and access rights
     Req 11.5: Alert personnel to unauthorized modification of files
     Source: http://www.imperva.com/PCI/
 24. Learn More
 25. PCI
     PCI-DSS Council
     http://www.pcisecuritystandards.org
     Imperva's PCI Resource Center
     http://www.imperva.com/PCI/
 26. Skimmers
     KrebsOnSecurity
     http://krebsonsecurity.com/category/all-about-skimmers/
 27. Third-Party Breaches
     Imperva's January 2013 HII and Imperva's CMS Hacking Webinar
     http://www.imperva.com/resources/overview.html
 28. www.imperva.com