PCI DSS and PA DSS Version 3.0 Changes

Slides from Webinar.

PCI DSS 3.0 changes
By Kishor Vaswani – CEO, ControlCase

Agenda
• About PCI DSS
• Overview of changes
• Changes by requirement number
• Implementation tips
• Q&A

About PCI DSS

What is PCI DSS?
Payment Card Industry Data Security Standard:
• Guidelines for securely processing, storing, or transmitting payment card account data
• Established by leading payment card issuers
• Maintained by the PCI Security Standards Council (PCI SSC)

PCI DSS Requirements
Control objectives and their requirements:

Build and maintain a secure network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Maintain a vulnerability management program
5. Use and regularly update anti-virus software on all systems commonly affected by malware
6. Develop and maintain secure systems and applications

Implement strong access control measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly monitor and test networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an information security policy
12. Maintain a policy that addresses information security

Timeline of PCI DSS 3.0
• The new PCI DSS 3.0 has been published
• Effective Jan 1st, 2014
• Can comply with PCI DSS 2.0 or 3.0 in 2014
• Must comply with PCI DSS 3.0 starting 2015

Overview of changes

Overview
Segmentation
• Adequacy of segmentation
• Penetration test
Third parties/Service providers
• Must validate PCI DSS compliance; OR
• Must participate in customers' PCI DSS compliance audit

Overview contd…
PCI DSS as Business as Usual
• Monitoring of security controls
• Review changes to environment
• Review changes to org structure
• Periodic review of controls vs. during audit
• Separation of duties (operational vs. security)
Physical protection of POS, ATM and Kiosks
• Maintain inventory
• Periodic inspection for tampering
• Train personnel

Changes by requirement number

Firewalls
• Network Diagram
› Must include cardholder data flows
› Must include clear boundary showing PCI DSS CDE scope

Configuration Standards
• Maintain an inventory of system components
› Business as usual function
› Inventory of hardware and software must be maintained
› Function of systems must be maintained

Protect Stored Cardholder Data
No significant changes

Protect Cardholder Data in Transmission
No significant changes

Antivirus
• Intent to prevent malware in addition to viruses
› Evaluate malware threats against systems EVEN if it is not a system commonly affected by viruses/malicious software, e.g. AS/400
› Anti-virus should be running in an active mode AND cannot be disabled by regular users without management approval

Secure Applications
• Test applications for broken authentication and session management flaws
• Renamed “Web Application Firewall” to “Automated Technical Solution” to detect flaws

Access Control and User IDs
• Provides for flexibility in password controls
› Minimum of 7 characters
› Alphanumeric
› Alternatives are acceptable as long as the objective is met
› Allows for alternative mechanisms such as tokens and certificates
• Service Providers with access to customer environments MUST ensure a unique password per customer

Physical Security
• Physical security access to “sensitive areas” must be implemented for onsite personnel
› Data center
› Computer room
› Telecommunications room
• Protect physical devices such as POS
› Maintain a list
› Periodically inspect for tampering of device
› Train personnel to be aware of suspicious behavior

Logging and Monitoring
• Clarified what is meant by identification and authentication logging
› Elevation of privileges must be logged
› Changes, additions or deletions to root or admin must be logged
• Logging the audit logs
› Initialization of audit logs must be captured
› Stopping or pausing of audit logs must be captured

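As an added illustration of the logging points on this slide (not code from the original deck), the following Python sketch runs simple detection rules over constructed syslog-style lines and flags the four event types PCI DSS 3.0 expects to be captured: privilege elevation, changes to root/admin accounts, and audit-log start and stop. The log formats and the `RULES` patterns are assumptions for the example.

```python
import re
from typing import List, Tuple

# Constructed syslog-style sample lines; the formats are assumptions, not taken from the deck.
SAMPLE_LOG = """\
Mar  3 10:01:12 pos01 sshd[2231]: Accepted publickey for alice from 10.0.2.15 port 51022
Mar  3 10:02:05 pos01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Mar  3 10:03:44 pos01 usermod[2290]: add 'bob' to group 'wheel'
Mar  3 10:04:10 pos01 passwd[2301]: password for 'root' changed by 'alice'
Mar  3 10:05:00 pos01 auditd[611]: The audit daemon is exiting.
Mar  3 10:05:30 pos01 auditd[702]: Init complete, auditd 2.8.5 listening for events
Mar  3 10:06:02 pos01 cron[710]: (root) CMD (/usr/bin/logrotate /etc/logrotate.conf)
"""

# One rule per PCI DSS 3.0 logging clarification on the slide: (label, pattern over a single line).
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("privilege elevation",
     re.compile(r"sudo:\s+\S+ .*USER=\S+")),
    ("root/admin account change",
     re.compile(r"(?:useradd|usermod|userdel|passwd)\[\d+\]: .*'(?:root|wheel|sudo|admin)'")),
    ("audit log stopped",
     re.compile(r"auditd\[\d+\]: .*(?:exiting|stopped|paused)")),
    ("audit log initialised",
     re.compile(r"auditd\[\d+\]: .*Init complete")),
]

def flag_events(log_text: str) -> List[Tuple[str, str]]:
    """Return (label, line) for every line that matches a logging rule, in log order."""
    hits: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        for label, pattern in RULES:
            if pattern.search(line):
                hits.append((label, line))
                break  # first matching label is enough to route the line to a reviewer
    return hits

if __name__ == "__main__":
    for label, line in flag_events(SAMPLE_LOG):
        print(f"[{label}] {line}")
```

In practice these rules would feed the log review process rather than replace it; the point is that each of the slide's event types has a concrete log signature an assessor can ask to see.
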
Vulnerability Management
• Maintain an inventory of authorized wireless access points
• Penetration testing MUST validate segmentation
› Testing must be done to prove conclusively that a compromise in the non-CDE network will not result in a breach of the CDE network (if segmentation was implemented)
• Critical files must be compared at least weekly AND an individual must evaluate and investigate changes to critical files

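As an added example (not from the original deck) of the weekly critical-file comparison on this slide, this Python sketch hashes a set of critical files, compares them with a stored baseline, and returns the modified, added and removed paths that an individual must then evaluate. The file contents and baseline are constructed inline so the example runs offline; a real deployment would read the baseline from protected storage.

```python
import hashlib
from typing import Dict, List

def hash_files(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map each path to the SHA-256 of its content (content is passed inline for the example)."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def compare_to_baseline(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify critical files as modified, added or removed relative to the last weekly baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }

def needs_investigation(report: Dict[str, List[str]]) -> bool:
    """PCI DSS 3.0 expects a person to evaluate every change; nothing is auto-approved here."""
    return any(report.values())

# Constructed baseline from the previous weekly run (not real system state).
BASELINE_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/sudoers": b"root ALL=(ALL) ALL\n",
    "/opt/pos/bin/payment": b"\x7fELF-constructed-binary-v1",
}
# Constructed current state: sshd_config changed, sudoers untouched, one file added, one removed.
CURRENT_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
    "/etc/sudoers": b"root ALL=(ALL) ALL\n",
    "/opt/pos/bin/helper": b"#!/bin/sh\necho hi\n",
}

def weekly_report() -> Dict[str, List[str]]:
    """Run the comparison the slide asks for at least weekly."""
    return compare_to_baseline(hash_files(BASELINE_FILES), hash_files(CURRENT_FILES))

if __name__ == "__main__":
    report = weekly_report()
    for kind, paths in report.items():
        for path in paths:
            print(f"{kind.upper():9} {path}")
    print("investigate:", needs_investigation(report))
```
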
Policies and Procedures
• Third Party/Service provider requirements have been enhanced
› Must maintain an inventory of which requirements are dependent upon the service provider
› Written acknowledgement required from service providers attesting to PCI DSS requirements
› Third parties to provide PCI DSS certificate OR be willing to be a part of customers' PCI DSS audit

PCI DSS Requirements
Control objectives and their requirements:

Build and maintain a secure network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Maintain a vulnerability management program
5. Use and regularly update anti-virus software on all systems commonly affected by malware
6. Develop and maintain secure systems and applications

Implement strong access control measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly monitor and test networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an information security policy
12. Maintain a policy that addresses information security

Key Implementation Tips

Key Takeaways as you Make Cloud Decisions
• Revisit segmentation for adequacy
• Focus on third party compliance
• Identify GRC technology for business as usual implementation
• Revisit penetration testing methodology
• Identify how to secure physical devices such as POS, ATM and Kiosks

ControlCase Solutions

ControlCase PCI 3.0 transition package
• PCI DSS 3.0 change assessment
• Implement business as usual using ControlCase GRC
• Third party PCI DSS data collection program
• Review of penetration test methodology

To Learn More About PCI Compliance…
• Visit www.ControlCase.com
• Call +1.703.483.6383 (US)
• Call +91.9820293399 (India)

Thank You for Your Time
