Summarizes a few of the key changes from PCI Data Security Standard Version 3.1 to 3.2. It provides a high level view of the impact of the changes on organizations subject to PCI requirements, based on Online Business Systems’ QSA viewpoint.
What You Need to Know About PCI DSS v3.2
1. PCI DSS v3.2
The sooner you fall behind, the more time you have to catch up
Online Business Systems
Steve Levinson
Mark Hannah
2. This SlideShare summarizes a few of the key changes from PCI Data Security
Standard Version 3.1 to 3.2. It provides a high level view of the impact of
the changes on organizations subject to PCI requirements, based on Online
Business Systems’ QSA viewpoint. Many of the new sub-requirements will
remain as best practices until February 1, 2018.
PCI DSS v3.2
3. Table of Contents
• Slide 3: Change Drivers for v3.2
• Slide 4: Important Dates
• Slide 5: SSL & TLS 1.0 – What we know
• Slide 6: SSL & TLS 1.0 – Mitigation Strategy
• Slides 7-10: PCI Changes
• Slide 11: Six practical tips for avoiding PCI failure
4. Change Drivers for v3.2
• Improves prescriptiveness
• Scoping, data flow, and inventory inconsistencies
• SSL/TLS
• Third-party security challenges
• Slow self-detection, malware
• You’re only one change away from being out of compliance
• Recent breaches
5. Important Dates
• April 28, 2016: Summary of changes document, PCI DSS 3.2, and ROC reporting template are available on the PCI SSC website.
• October 31, 2016: Version 3.1 will be retired. All assessments completed after this date require:
  • New 3.2 ROC reporting template and reporting instructions
  • New 3.2 AOCs
  • Version 3.2 SAQs
• February 1, 2018: Final date to implement the “Evolving Requirements”.
6. SSL & TLS 1.0 – What we Know
• June 30, 2016: All service providers must provide a secure TLS service offering.
• June 30, 2016: All entities must have stopped use of SSL/early TLS as a security control, and use only secure versions of the protocol.
7. SSL & TLS 1.0 – Mitigation Strategy
Plan A – Eradicate or target date
Plan B – Document, analyze and plan
• Inventory of all locations it is in use
• Data being transmitted for each implementation
• Documented risk assessment and RRMP
• May include compensating or mitigating controls
• Potential re-scoping issues
• Vigilance
• Change Control
• Appendix A2 – SSL/TLS Additional Requirements
Reference: PCI Council Information Supplement, “Migrating from SSL and Early TLS”, Version 1.1, April 2016
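The first step of Plan B above is an inventory of every place SSL/early TLS is still accepted. As an added example (not part of the deck or of Online Business Systems' tooling), the Python probe below pins a client context to one protocol version at a time, records which versions an endpoint accepts, and maps the result to a pass/fail verdict. The host and port are supplied by you; treating TLS 1.2 and 1.3 as the "secure" set is an assumption based on the deck's SSL/TLS 1.0 framing.

```python
import socket
import ssl

# Versions the deck calls SSL/early TLS (non-compliant after June 30, 2016) and the
# versions this example treats as "secure TLS" (assumption: TLS 1.2 and TLS 1.3).
EARLY_VERSIONS = {"SSLv3": ssl.TLSVersion.SSLv3, "TLSv1.0": ssl.TLSVersion.TLSv1}
SECURE_VERSIONS = {"TLSv1.2": ssl.TLSVersion.TLSv1_2, "TLSv1.3": ssl.TLSVersion.TLSv1_3}


def context_for(version):
    """Client context pinned to exactly one protocol version.
    Certificate identity is deliberately not checked: the probe tests protocol support."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")  # let the local OpenSSL offer legacy suites
    except ssl.SSLError:
        pass  # other TLS libraries: keep the default cipher list
    ctx.minimum_version = version  # ValueError if the local library cannot speak it
    ctx.maximum_version = version
    return ctx


def probe(host, port=443, timeout=5.0):
    """Return {version_name: accepted} for one endpoint. A False entry can also mean
    the local TLS library could not offer that version, so confirm SSLv3 separately."""
    results = {}
    for name, version in {**EARLY_VERSIONS, **SECURE_VERSIONS}.items():
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with context_for(version).wrap_socket(raw, server_hostname=host):
                    results[name] = True
        except (ssl.SSLError, OSError, ValueError):
            results[name] = False
    return results


def classify(results):
    """Turn probe results into the inventory verdict Plan A / Plan B needs."""
    early = [v for v in EARLY_VERSIONS if results.get(v)]
    secure = [v for v in SECURE_VERSIONS if results.get(v)]
    if early:
        return "FAIL: early protocol(s) accepted: " + ", ".join(early)
    if not secure:
        return "FAIL: no secure TLS offering detected"
    return "PASS: only " + ", ".join(secure)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.invalid"  # placeholder host
    print(classify(probe(target)))
```

Run it against each in-scope endpoint from your inventory; a FAIL line is the input for the documented risk assessment and RRMP entry the slide calls for.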
8. PCI Changes
2.1 – Changing vendor defaults and passwords
Updated to clarify that payment applications are included in this requirement.
3.5.1 – Documentation of their cryptographic architecture
Service Providers must create documentation of their cryptographic architecture – this is a new requirement that is considered a best practice until 2/1/2018.
6.2 – Payment applications
Security patches for all software, including payment applications.
9. 6.4.6 – Infuse PCI DSS impact analysis into your change
management procedures
This new requirement (best practice until 2/1/2018) applies to ALL
assessed entities.
8.3.1 – All administrative access will require multi-factor
authentication (“MFA”)
This new requirement is probably the most robust change, and is a
best practice until 2/1/2018.
10.8 – Service providers must identify any critical security
control failures and respond accordingly
This new requirement will raise the bar for Service Providers (not
merchants) to improve their security event monitoring capabilities,
including monitoring the health of these functions.
10. 11.3.4.1 – More frequent segmentation pen testing for
Service Providers
Increases the periodicity from once a year (or after ‘significant’
changes) to twice a year.
12.4 – Accountability!
Requires executive management to document PCI accountability,
create a charter for a PCI compliance program, and report updates to
executive management/board annually.
12.10.2 – Fine-tune Incident Response Plan
Requires you to ensure that your annual IR test plan includes a thorough review of all sub-elements from the requirement.
11. 12.11 – Service Providers must perform and document
quarterly reviews, best practice until 2/1/2018
12.11 Additional requirement for service providers only: Perform
reviews at least quarterly to confirm personnel are following security
policies and operational procedures. Reviews must cover the
following processes:
• Daily log reviews
• Firewall rule-set reviews
• Applying configuration standards to new systems
• Responding to security alerts
• Change management processes
12. Six Practical Tips for Avoiding PCI Failure
Slide from 2008 Presentation on DSS v1.2
The more things change, the more they stay the same
1. Store less data, and encrypt or tokenize!
2. Understand your data flows
3. Address app and network vulnerabilities
4. Improve security awareness
5. Monitor systems for intrusions
6. Segment credit card networks
13. • Contact info:
• Steve Levinson
• Managing Director
• slevinson@obsglobal.com
• 619.701.8614
• Mark Hannah
• PCI Practice Lead
• mhannah@obsglobal.com
• 951.587.7991
To learn more visit our resource center:
http://info.obsglobal.com/online-business-systems-pci-3.2-resource-center
PCI Website: https://www.pcisecuritystandards.org