Recommended
More Related Content
What's hot
What's hot (18)
Viewers also liked
Viewers also liked (16)
Similar to PCI 3.0 Webcast: Minimizing the Business Impact of the PCI 2.0 - 3.0 Transition
Similar to PCI 3.0 Webcast: Minimizing the Business Impact of the PCI 2.0 - 3.0 Transition (20)
Recently uploaded
Recently uploaded (20)
PCI 3.0 Webcast: Minimizing the Business Impact of the PCI 2.0 - 3.0 Transition
- 2. The PCI DSS refresh cycle What has changed in general terms Review of specific, significant changes Requirement 0 Requirements 1-12 Reorganization Final of documents notes Q&A 12/13/2013 2
- 3. IT security consulting company: www.truvantis.com Authorized PCI DSS Qualified Security Assessor (QSA) Company Deep, comprehensive expertise in IT security testing (pen testing, vulnerability assessments, etc.), policy creation, audit, PCI assessments and governance We also understand that IT security can’t get in the way of doing business! 12/13/2013 3
- 4. 12/13/2013 4
- 5. A great deal of clarification Some additional requirements More useful narrative before the requirements Reorganization of the documents Focus on goals, not technology Today, look at a few of the more important changes 12/13/2013 5
- 6. Scope Cannot store SAD after authorization even without the PAN Determination of the scope of the CDE is the entity’s responsibility Segmentation If a control is used to de-scope, then that control is in-scope A system can only be out of scope if its compromise would not impact the security of the CDE 12/13/2013 6
- 7. Wireless Don’t Service providers It’s still your job to monitor the compliance of your service providers The fact that they have an AOC does not change that, it just helps with validation “For example, providing the AOC and/or relevant sections of the service provider’s ROC (redacted to protect any confidential information) could help provide all or some of the information.” 12/13/2013 7
- 8. Business-as-Usual Totally new section Discusses how to build compliance into your daily routine This is not a new requirement Consider it guidance and advice that will help 12/13/2013 8
- 9. Security policies and daily operational procedures moved into relevant sections Just moving section 12 items into a more sensible place NEW: Inventory of system components and the function/use You probably did this anyway Just leave an audit trail to show you keep it current TIP: Create a task regularly to review it 12/13/2013 9
- 10. Still at least 7 characters, alphanumeric Can now use equivalent strength Do the math to establish equivalence TIP: This is a low bar – do better 12/13/2013 10
- 11. 2.0 “Deploy anti-virus software on all systems commonly affected by malicious software” Now your responsibility to make sure they continue to not need it 3.0 “perform periodic evaluations to identify and evaluate evolving malware threats” 12/13/2013 11
- 12. These Security patches indicate vulnerabilities All vulnerabilities must be ‘risk-ranked’ requirements have been coordinated At least HIGH risk (to you) Additionally flag CRITICAL if “they pose an imminent threat to the environment, impact critical systems, and/or would result in a potential compromise if not addressed” CRITICAL One month Other vendor-supplied security patches vendor-supplied security patches ‘Appropriate’ time frame (Three months) 12/13/2013 12
- 13. NEW: Broken authentication and session management Flagging session tokens … as “secure” Not exposing session IDs in the URL Incorporating appropriate time-outs and rotation of session IDs after a successful login PCI is following OWASP Top 10 TIP: OWASP has a new Top 10 for 2013 TIP: Also see www.securecoding.cert.org 12/13/2013 13
- 14. NEW: Protect devices that capture payment Mandatory after July 1st 2015 Maintain a list of devices Periodically inspect device surfaces to detect tampering Training for personnel to detect tampering or replacement 12/13/2013 14
- 15. Scanning for rogue devices Must test for all routes to get wireless devices in Just looking for add IP addresses is not enough USB etc. specifically called out TIP: Focus on intent, not the language 12/13/2013 15
- 16. Can now combine multiple scans to get a passing grade Recognizes that new issues can arise during a remediation phase Re-test would show new failing items Avoid the never ending cycle of not passing 12/13/2013 16
- 17. Greatly enhanced detail and deeper in scope New goals mandatory as of July 1st, 2015 Test de-scoping controls Review last 12mo threats and vulnerabilities The type, depth, and complexity of the testing will depend on the specific environment and the organization’s risk assessment TIP: Don’t be sold a vulnerability assessment as a pen test TIP: Ask your penetration tester when they will be working with the new rules 12/13/2013 17
- 18. “at least annually and after significant changes to the environment” Many requirements now reference your risk assessment TIP: Use the new prevalence of “Risk Assessment” in the standard to help you work out what your risk assessment should look like 12/13/2013 18
- 19. Plan not just for a major breach It should drill down into more alerts from monitoring systems like firewalls Larger mandate to choose what to monitor and where alerts should come from TIP: Again - focus on intent, not language 12/13/2013 19
- 20. Guidance regarding intent moved into the standard Reporting instructions moved to a template SAQs will be updated - not released yet Expect: Multiple SAQ submission will be permitted New SAQs such as hosted payment pages 12/13/2013 20
- 21. Download and review the ‘Summary of Changes’ document now Review every item and measure the impact Comply with the language, but focus on the intent Review your ‘risk assessment’ in the light of 3.0 By understanding your risk, you can scale your behavior appropriately 12/13/2013 21
- 22. By web: www.truvantis.com By phone: +1 855.345.6298 By email: info@truvantis.com View this presentation in the recorded webcast (with audio): http://youtu.be/mwvx1q9aMDw 12/13/2013 22