In this presentation, Andy Cottrell, CEO and founder of Truvantis, reviews the changes between PCI 2.0 and 3.0 and provides practical tips on how to minimize the business impact of the transition. From these slides, you will learn the scope and timing of the new requirements, how they are likely to impact your business and ways to make implementation as painless as possible.
2. The PCI DSS refresh cycle
What has changed in general terms
Review of specific, significant changes
Requirement 0
Requirements 1-12
Reorganization of documents
Final notes
Q&A
12/13/2013
3. IT security consulting company: www.truvantis.com
Authorized PCI DSS Qualified Security Assessor (QSA) Company
Deep, comprehensive expertise in IT security testing (pen testing, vulnerability assessments, etc.), policy creation, audit, PCI assessments and governance
We also understand that IT security can’t get in the way of doing business!
5. A great deal of clarification
Some additional requirements
More useful narrative before the requirements
Reorganization of the documents
Focus on goals, not technology
Today, look at a few of the more important changes
6. Scope
Cannot store SAD after authorization, even without the PAN
Determination of the scope of the CDE is the entity’s responsibility
Segmentation
If a control is used to de-scope, then that control is in-scope
A system can only be out of scope if its compromise would not impact the security of the CDE
7. Wireless
Don’t
Service providers
It’s still your job to monitor the compliance of your service providers
The fact that they have an AOC does not change that, it just helps with validation
“For example, providing the AOC and/or relevant sections of the service provider’s ROC (redacted to protect any confidential information) could help provide all or some of the information.”
8. Business-as-Usual
Totally new section
Discusses how to build compliance into your daily routine
This is not a new requirement
Consider it guidance and advice that will help
9. Security policies and daily operational procedures moved into relevant sections
Just moving section 12 items into a more sensible place
NEW: Inventory of system components and their function/use
You probably did this anyway
Just leave an audit trail to show you keep it current
TIP: Create a recurring task to review it
10. Still at least 7 characters, alphanumeric
Can now use equivalent strength
Do the math to establish equivalence
TIP: This is a low bar – do better
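"Do the math" in working form: an added example (not from the presentation) that compares the keyspace of the 7-character alphanumeric baseline with an alternative policy and finds the length at which that policy becomes equivalent. The character-set sizes and policy names are assumptions for the example.

```python
import math

# Baseline policy from the slide: at least 7 characters, alphabetic and numeric
# (62 symbols when both letter cases are allowed).
REFERENCE_CHARSET = 62
REFERENCE_LENGTH = 7

# Character-set sizes for alternative policies (assumed for this example).
CHARSET_SIZES = {
    "digits": 10,            # numeric PIN
    "lowercase": 26,
    "alphanumeric": 62,      # a-z, A-Z, 0-9
    "printable_ascii": 95,   # letters, digits and punctuation
}


def keyspace(charset_size, length):
    """Number of distinct passwords the policy allows when every position is free."""
    return charset_size ** length


def keyspace_bits(charset_size, length):
    """The same figure as bits of entropy for a uniformly random password."""
    return length * math.log2(charset_size)


def min_equivalent_length(charset_size, ref_charset=REFERENCE_CHARSET, ref_length=REFERENCE_LENGTH):
    """Smallest length at which a policy over `charset_size` symbols reaches the
    baseline keyspace. Integer arithmetic only, so no floating-point rounding."""
    target = keyspace(ref_charset, ref_length)
    length = 1
    while keyspace(charset_size, length) < target:
        length += 1
    return length


def is_equivalent(charset_size, length):
    """True if (charset_size, length) is at least as strong as the baseline."""
    return keyspace(charset_size, length) >= keyspace(REFERENCE_CHARSET, REFERENCE_LENGTH)


if __name__ == "__main__":
    print(f"baseline keyspace: {keyspace(62, 7):,} (~{keyspace_bits(62, 7):.1f} bits)")
    for name, size in CHARSET_SIZES.items():
        print(f"{name:16s} needs length >= {min_equivalent_length(size)}")
```

The comparison assumes passwords chosen uniformly at random; human-chosen passwords fall well below the computed keyspace, which is why the slide calls the baseline a low bar.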
11. 2.0: “Deploy anti-virus software on all systems commonly affected by malicious software”
3.0: “perform periodic evaluations to identify and evaluate evolving malware threats”
Now your responsibility to make sure the systems without anti-virus continue to not need it
12. These requirements have been coordinated
Security patches indicate vulnerabilities
All vulnerabilities must be ‘risk-ranked’
At least HIGH risk (to you)
Additionally flag CRITICAL if “they pose an imminent threat to the environment, impact critical systems, and/or would result in a potential compromise if not addressed”
CRITICAL vendor-supplied security patches: one month
Other vendor-supplied security patches: ‘appropriate’ time frame (three months)
13. NEW: Broken authentication and session management
Flagging session tokens … as “secure”
Not exposing session IDs in the URL
Incorporating appropriate time-outs and rotation of session IDs after a successful login
PCI is following OWASP Top 10
TIP: OWASP has a new Top 10 for 2013
TIP: Also see www.securecoding.cert.org
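The three session-management points above in one piece of code: an added example written for this page, not code from the presentation. It assumes a cookie named SESSIONID, a 15-minute idle time-out and an in-memory store; the ids are rotated on login, the cookie is flagged Secure and HttpOnly, and a helper checks that no session id travels in the URL.

```python
import secrets
import time
from urllib.parse import parse_qs, urlparse

COOKIE_NAME = "SESSIONID"   # cookie name assumed for this example

def new_session_id():
    # 32 bytes from the OS CSPRNG: unguessable and unrelated to any earlier id
    return secrets.token_urlsafe(32)

class SessionStore:
    """In-memory session table (constructed for this example): id -> user, last activity."""
    def __init__(self, idle_timeout=15 * 60, clock=time.time):
        self._sessions = {}
        self._idle_timeout = idle_timeout   # 15-minute idle time-out, assumed value
        self._clock = clock                 # injectable so a test can advance time

    def create_anonymous(self):
        sid = new_session_id()
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def login(self, old_sid, user):
        """Rotate the id on successful login and invalidate the pre-login id."""
        self._sessions.pop(old_sid, None)
        new_sid = new_session_id()
        self._sessions[new_sid] = {"user": user, "last_seen": self._clock()}
        return new_sid

    def lookup(self, sid):
        """Return the session record, or None if unknown or idle past the time-out."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > self._idle_timeout:
            del self._sessions[sid]         # expired ids are dropped, never revived
            return None
        entry["last_seen"] = now
        return dict(entry)

def session_cookie_header(sid):
    """Set-Cookie value: Secure (sent only over HTTPS) and HttpOnly (hidden from scripts)."""
    return f"{COOKIE_NAME}={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"

def url_exposes_session(url):
    """True if the session id travels in the query string, where logs and Referer headers keep it."""
    return any(k.lower() == COOKIE_NAME.lower() for k in parse_qs(urlparse(url).query))
```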
14. NEW: Protect devices that capture payment
Mandatory after July 1st 2015
Maintain a list of devices
Periodically inspect device surfaces to detect tampering
Training for personnel to detect tampering or replacement
15. Scanning for rogue devices
Must test for all routes by which wireless devices can get in
Just looking for added IP addresses is not enough
USB etc. specifically called out
TIP: Focus on intent, not the language
16. Can now combine multiple scans to get a passing grade
Recognizes that new issues can arise during a remediation phase
A re-test would show new failing items
Avoids the never-ending cycle of not passing
17. Greatly enhanced detail and deeper in scope
New goals mandatory as of July 1st, 2015
Test de-scoping controls
Review the last 12 months’ threats and vulnerabilities
The type, depth, and complexity of the testing will depend on the specific environment and the organization’s risk assessment
TIP: Don’t be sold a vulnerability assessment as a pen test
TIP: Ask your penetration tester when they will be working with the new rules
18. “at least annually and after significant changes to the environment”
Many requirements now reference your risk assessment
TIP: Use the new prevalence of “Risk Assessment” in the standard to help you work out what your risk assessment should look like
19. Plan not just for a major breach
It should drill down into more alerts from monitoring systems like firewalls
Larger mandate to choose what to monitor and where alerts should come from
TIP: Again - focus on intent, not language
20. Guidance regarding intent moved into the standard
Reporting instructions moved to a template
SAQs will be updated - not released yet
Expect:
Multiple SAQ submissions will be permitted
New SAQs such as hosted payment pages
21. Download and review the ‘Summary of Changes’ document now
Review every item and measure the impact
Comply with the language, but focus on the intent
Review your ‘risk assessment’ in the light of 3.0
By understanding your risk, you can scale your behavior appropriately
22. By web: www.truvantis.com
By phone: +1 855.345.6298
By email: info@truvantis.com
View this presentation in the recorded webcast (with audio): http://youtu.be/mwvx1q9aMDw