Comsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar

1
PCI DSS v3.2
Overview and Summary of Changes
Welcome

2
PCI DSS v3.2 - Overview and Summary of Changes
Your Hosts
Nadav Shatz, QSA
Managing Director, Comsec UK
• Cyber Security professional with
more than 15 years of experience
• Led complex Cyber and PCI
Security engagements with high
profile clients across the globe
30 years
Established in 1987, Comsec has nearly three-decades of
experience in all aspects of information security.
150 consultants
Allows us to deliver a broad spectrum of services and to
provide a uniquely flexible service level.
600 clients
From blue chip companies to start-ups, Comsec has a deep
sector expertise in most verticals and un-paralleled
understanding of our clients’ business environment.
22 countries
With offices in London, Rotterdam and excellence center in
Tel Aviv, Comsec is able to deliver global impact through
local presence spanning over 22 countries and five
continents.
Ariel Ben Harosh, QSA
PCI Program Manager, Comsec UK
• Performed more than 100 PCI
assessments
• 8 years of PCI experience across a
broad spectrum of industries
• One of the first QSAs to hold the
P2PE standard accreditation

3
What we are going to cover
PCI 2016
Timeline
• Timeline and Effective
Dates
• Coming soon in 2016
DSS v3.2
Detailed
Changes
Overview
• Detailed overview new
and updated
requirements in PCI
DSS v3.2
v3.2 Special
Focus Areas
• Change highlights and
new requirements
• Special focus: Multi-
Factor Authentication
and Service Providers
Why change,
why now?
• PCI DSS update
process
• Background for
updating to v3.2

4
PCI DSS Update Process

5
Changing payment and
threat environment
General improvement of
requirements through
clarifications and
guidelines
Feedback from Industry Address trends in breach
report
$
PCI DSS v3.2 - Why Now?

6
New
Requirements
• Multi-Factor Authentication
• Service Provider Requirements
• PAN Display
• Change Control Process
Incorporated
Guidance
• Incorporate DESV (Designated Entities Supplemental Validation)
requirements
• Additional requirements for entities using SSL/Early TLS
Clarifications
• Added clarifications to specific requirements, provide additional
guidance, general polishing.
Three Types of Changes

7
PCI DSS v3.2 - New requirements
At a glance
1
Expanded
Multi Factor
Authentication
Requirements
2
Additional
requirements
for Service
Providers
f
3
Updated
PAN
Display
Requirement
4
New
Change
Control
Requirement
f

8
Multi-Factor Authentication
• Now required for personnel with administrative access
to the CDE (Internal and External)
• “Multi-factor” instead of “two-factor”
o Clarified correct terminology
o Does not change intent of original requirement - Two or more
factors may be used
• Still required for all remote access to the CDE
f
Requirement 8.3 – Multi-Factor Authentication
63% of confirmed
data breaches
involved leveraging
weak/default/stolen
passwords
Verizon DBIR 2016

9
Service Provider Requirementsf
• Documented description of the cryptographic
architecture
• Establish a PCI DSS compliance program
• Detect and report on failures of critical
security control systems
• Semi-Annual Penetration testing on
segmentation controls
• Quarterly reviews to confirm personnel are
following security policies
• Requirement 3.5.1
• Requirement 10.8
• Requirement 11.3.4.1
5 New Requirements

10
Updated Requirement - PAN Display
• Mask PAN when displayed (the first six and last four
digits are the maximum number of digits to be
displayed), such that only personnel with a
legitimate business need can see more than first
six/last four digits of the PAN.
Requirement 3.3 - Pan display

11
• Upon completion of a significant change, all relevant
PCI DSS requirements must be implemented on all
new or changed systems and networks, and
documentation updated as applicable.
New Requirement - Change Control Process
Requirement 6.4.6 – Change Control

12
Incorporating Recent Guidance
(as new Appendices)
1
Additional
requirements
for entities
using SSL/Early
TLS
2
DESV
(Designated
Entities
Supplemental
Validation)
Requirements
June 30, 2018

13
PCI DSS v3.2 Timeline and Effective Dates
•PCI DSS v3.2 published
•Both PCI DSS versions 3.1
and 3.2 are effective
April 2016
•PCI DSS 3.1 is retired (6
months after 3.2 release)
•PCI DSS assessments
must use v3.2
31st Oct 2016 •New requirements
effective
•New requirements are
considered as best
practice until this date
1st February
2018

14
PCI DSS Coming Soon in 2016
• Effective Daily Log Monitoring SIG Information
Supplement
• PA-DSS v3.2 – May 2016
• Payment security guidance for SMBs – Summer
2016

16
nadavs@comsecglobal.com
www.comsecglobal.com
Stay in Touch
Join us at PCI London 2016!
28th June 2016

17
PCI ComplianceInnovation, Knowledge & Experience to Keep You Ahead of the Curve.
Through our engagements
with leading financial
sector organisations we
have seen directly the
impact of the evolving
cyber-threat landscape and
witnessed a sharp increase
in the sophistication and
extend of attacks on
financial institutions.
True Partnership
Unrivalled Experience
Comsec adopts a partnership approach to PCI. Our unique advantage stems from our ability
to provide the end-to-end support and guidance you require to achieve PCI compliance.
Our approach to PCI compliance leverages upon years of experience and the successful
collaboration with over 100 PCI clients across the globe. Our QSA flexibility and consistency
are two of the fundamental principles for any PCI engagement Comsec performs.
nadavs@comsecglobal.comwww.comsecglobal.com

Comsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Comsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar

Similar to Comsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar (20)

Comsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar