PCI DSS 3.2
By Kishor Vaswani – CEO, ControlCase
Agenda
• About PCI DSS
• Overview of changes in PCI DSS 3.2
• Changes by requirement number
• About ControlCase
• Q&A
About PCI DSS
What is PCI DSS?
Payment Card Industry Data Security Standard:
• Guidelines for securely processing, storing, or
transmitting payment card account data
• Established by the major payment card brands
• Maintained by the PCI Security Standards Council
(PCI SSC)
PCI DSS Requirements
Control Objective: Build and maintain a secure network
• 1. Install and maintain a firewall configuration to protect cardholder data
• 2. Do not use vendor-supplied defaults for system passwords and other security parameters
Control Objective: Protect cardholder data
• 3. Protect stored cardholder data
• 4. Encrypt transmission of cardholder data across open, public networks
Control Objective: Maintain a vulnerability management program
• 5. Use and regularly update anti-virus software on all systems commonly affected by malware
• 6. Develop and maintain secure systems and applications
Control Objective: Implement strong access control measures
• 7. Restrict access to cardholder data by business need-to-know
• 8. Assign a unique ID to each person with computer access
• 9. Restrict physical access to cardholder data
Control Objective: Regularly monitor and test networks
• 10. Track and monitor all access to network resources and cardholder data
• 11. Regularly test security systems and processes
Control Objective: Maintain an information security policy
• 12. Maintain a policy that addresses information security
Important Dates for PCI DSS v3.2
• April 2016: final PCI DSS 3.2 released
• May 1, 2016: v3.2 may be used for assessments
• Oct 31, 2016: sunset date for v3.1
• Nov 1, 2016: v3.2 becomes mandatory for all assessments
• Feb 1, 2018: controls marked as "New Requirements" become mandatory (they are best practice until Jan 31, 2018)
Overview of changes in PCI DSS 3.2
Overview
SSL/early TLS
• Work towards remediation: existing SSL/early TLS implementations need a formal Risk Mitigation and Migration Plan
• No new implementations may use SSL/early TLS as a security control
• Service providers must offer a secure service option by June 30, 2016
• No SSL/early TLS as a security control after June 30, 2018
• Limited exceptions for POS POI terminals (and their termination points) verified as not susceptible to known SSL/early TLS exploits
Display of PAN
• Requirement 3.3 now permits display of more than the first six/last four digits of the PAN
• A documented justification and legitimate business need must exist
• Only the digits required for that business need may be displayed
Overview contd…
Multi-factor Authentication
• All remote network access originating from outside the entity's network must use multi-factor authentication (8.3.2)
• All non-console administrative access to the CDE must use multi-factor authentication (8.3.1); best practice until Jan 31, 2018, required from Feb 1, 2018
• Multi-factor authentication can be implemented at the system or application layer
New Service Provider Requirements
• Maintain a documented description of the cryptographic architecture (3.5.1)
• Detect and report failures of critical security control systems (10.8)
• Review at least quarterly that personnel are following security policies and operational procedures (12.11)
• Perform penetration testing of segmentation controls at least every six months (11.3.4.1; effective Feb 2018)
• Executive management must establish responsibility for cardholder data protection and the PCI DSS compliance program (12.4.1; effective Feb 2018)
Changes by requirement
Requirement 1 – Firewall Configuration
• 1.4 Install personal firewall software or equivalent functionality on any portable computing devices (including company- and/or employee-owned) that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the CDE.
Requirement 3 - Encryption
• 3.4.1 - If disk encryption is used (rather than
file- or column-level database encryption),
logical access must be managed separately
and independently of native operating system
authentication and access control mechanisms
Note: This requirement applies in addition to all
other PCI DSS encryption and key-management
requirements.
Requirement 3 - Encryption
3.5.1 Additional requirement for service providers only:
Maintain a documented description of the cryptographic
architecture that includes:
• Details of all algorithms, protocols, and keys used for
the protection of cardholder data, including key
strength and expiry date
• Description of the key usage for each key
• Inventory of any HSMs and other SCDs used for key
management
Note: This requirement is a best practice until January 31,
2018, after which it becomes a requirement.
Requirement 6 – Secure Applications
• 6.2 Ensure that all system components and
software are protected from known
vulnerabilities by installing applicable vendor-
supplied security patches. Install critical
security patches within one month of release.
• This requirement applies to applicable patches
for all installed software, including payment
applications (both those that are PA-DSS
validated and those that are not).
Requirement 6 – Secure Applications
• 6.4.6 Upon completion of a significant change,
all relevant PCI DSS requirements must be
implemented on all new or changed systems
and networks, and documentation updated as
applicable.
Note: This requirement is a best practice until
January 31, 2018, after which it becomes a
requirement.
Requirement 8 – Access Control
• 8.3.1 Incorporate multi-factor authentication
for all non-console access into the CDE for
personnel with administrative access.
Note: This requirement is a best practice until
January 31, 2018, after which it becomes a
requirement.
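A common place where 8.3.1 bites is SSH administrative access to CDE hosts, where a single key or password is still the norm. The script below is an added example, not part of this presentation and not a mechanism PCI DSS prescribes (the standard does not mandate a particular technology): it parses an OpenSSH sshd_config and reports, for the global section and for each Match block, whether the AuthenticationMethods directive chains at least two methods in every alternative the server will accept. The three configurations are constructed samples, and the function and constant names are mine. It verifies only that the configuration demands two methods; that keyboard-interactive is actually backed by an OTP or similar independent second factor in the PAM stack has to be confirmed separately.

```python
"""Audit an OpenSSH sshd_config for enforced multi-factor authentication.

Added example with hypothetical helper names; the sample configurations
below are constructed, not taken from any real host.
"""

WEAK_CONFIG = """
# Single factor: a key OR a password is enough to log in
PubkeyAuthentication yes
PasswordAuthentication yes
"""

STRONG_CONFIG = """
PubkeyAuthentication yes
KbdInteractiveAuthentication yes
# Every login must present a key AND complete keyboard-interactive (e.g. PAM OTP)
AuthenticationMethods publickey,keyboard-interactive
"""

RELAXED_CONFIG = STRONG_CONFIG + """
# A per-user override that silently drops back to a single factor
Match User backup
    AuthenticationMethods publickey
"""


def parse_authentication_methods(value):
    """'publickey,keyboard-interactive password' ->
    [['publickey', 'keyboard-interactive'], ['password']]

    Whitespace separates alternatives the server will accept; a comma chains
    methods that must all succeed within one alternative."""
    return [alt.split(",") for alt in value.split()]


def alternatives_enforce_mfa(alternatives):
    """True only if every accepted alternative chains >= 2 distinct methods.
    'any' (sshd's default) or a lone method means single factor."""
    return bool(alternatives) and all(len(set(a)) >= 2 for a in alternatives)


def sshd_enforces_mfa(config_text):
    """Return {section_name: bool} for the global section and each Match block.

    Mirrors two sshd rules: the first occurrence of a keyword in a section
    wins, and a Match block without its own AuthenticationMethods inherits
    the global setting.
    """
    methods = {"global": None}
    current = "global"
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = "Match " + value
            methods.setdefault(current, None)
        elif key == "authenticationmethods" and methods[current] is None:
            methods[current] = parse_authentication_methods(value)

    verdict = {}
    for section, alternatives in methods.items():
        if alternatives is None and section != "global":
            alternatives = methods["global"]     # inherit from the global section
        verdict[section] = (alternatives is not None
                            and alternatives_enforce_mfa(alternatives))
    return verdict


def sections_without_mfa(config_text):
    """Names of sections where a single factor still grants a session."""
    return [s for s, ok in sshd_enforces_mfa(config_text).items() if not ok]


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("strong", STRONG_CONFIG),
                      ("relaxed", RELAXED_CONFIG)):
        print(name, "-> single-factor sections:", sections_without_mfa(cfg))
```

The RELAXED_CONFIG case is the one assessors should look for: a globally correct directive undone by a later Match block, which is exactly the kind of drift the quarterly reviews in 12.11 are meant to catch.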
Requirement 10 – Logging and Monitoring
• 10.8 Additional requirement for service providers
only: Implement a process for the timely detection and
reporting of failures of critical security control systems,
including but not limited to failure of:
Firewalls
IDS/IPS
FIM
Anti-virus
Physical access controls
Logical access controls
Audit logging mechanisms
Segmentation controls (if used)
• Note: This requirement is a best practice until January
31, 2018, after which it becomes a requirement.
Requirement 11 – Security Testing
11.3.4.1 Additional requirement for service
providers only: If segmentation is used, confirm
PCI DSS scope by performing penetration testing
on segmentation controls at least every six
months and after any changes to segmentation
controls/methods.
Note: This requirement is a best practice until
January 31, 2018, after which it becomes a
requirement.
Requirement 12 – Policies and Procedures
12.4.1 Additional requirement for service providers only:
Executive management shall establish responsibility for
the protection of cardholder data and a PCI DSS
compliance program to include:
Overall accountability for maintaining PCI DSS
compliance
Defining a charter for a PCI DSS compliance program
and communication to executive management
Note: This requirement is a best practice until January 31,
2018, after which it becomes a requirement.
Requirement 12 – Policies and Procedures
12.11 Additional requirement for service providers only:
Perform reviews at least quarterly to confirm personnel
are following security policies and operational
procedures. Reviews must cover the following processes:
Daily log reviews
Firewall rule-set reviews
Applying configuration standards to new systems
Responding to security alerts
Change management processes
Note: This requirement is a best practice until January 31,
2018, after which it becomes a requirement.
Requirement 12 – Policies and Procedures
12.11.1 Additional requirement for service
providers only: Maintain documentation of
quarterly review process to include:
Documenting results of the reviews
Review and sign-off of results by personnel
assigned responsibility for the PCI DSS
compliance program
Note: This requirement is a best practice until
January 31, 2018, after which it becomes a
requirement.
Appendix A2: Additional PCI DSS Requirements for Entities using
SSL/early TLS
• New implementations must not use SSL or early TLS as a security
control.
• All service providers must provide a secure service offering by June
30, 2016.
• After June 30, 2018, all entities must have stopped use of SSL/early
TLS as a security control, and use only secure versions of the
protocol (an allowance for certain POS POI terminals is described in
the last bullet below).
• Prior to June 30, 2018, existing implementations that use SSL
and/or early TLS must have a formal Risk Mitigation and Migration
Plan in place.
• POS POI terminals (and the SSL/TLS termination points to which
they connect) that can be verified as not being susceptible to any
known exploits for SSL and early TLS, may continue using these as a
security control after June 30, 2018.
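Whether a connection actually relied on SSL/early TLS is decided by the version the server selected, not the one the client advertised. The following is an added example, not part of the original presentation and not ControlCase tooling: a small Python parser that takes a captured TLS ServerHello record, extracts the negotiated version (honouring the TLS 1.3 supported_versions extension, where the legacy version field still reads TLS 1.2) and flags SSLv3, TLS 1.0 and TLS 1.1 as SSL/early TLS. The sample records are constructed inline by build_server_hello(), and the function names are mine. SSLv2 uses a different record framing and is rejected by the parser rather than classified.

```python
"""Classify the TLS version negotiated in a captured ServerHello record.

Added example; helper names are hypothetical and the records are constructed.
"""
import struct

VERSION_NAMES = {
    0x0300: "SSLv3",
    0x0301: "TLSv1.0",
    0x0302: "TLSv1.1",
    0x0303: "TLSv1.2",
    0x0304: "TLSv1.3",
}
HANDSHAKE = 0x16              # TLS record content type
SERVER_HELLO = 0x02           # handshake message type
SUPPORTED_VERSIONS_EXT = 0x002B


def parse_server_hello(record):
    """Parse one TLS record carrying a ServerHello.

    Returns the record version, the legacy server_version field and, if the
    supported_versions extension is present (TLS 1.3), the selected version.
    Raises ValueError on anything that is not a well-formed TLS 1.x record,
    including SSLv2 framing, which has no content-type byte."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    record_version, rec_len = struct.unpack("!HH", record[1:5])
    body = record[5:5 + rec_len]
    if len(body) != rec_len or body[0] != SERVER_HELLO:
        raise ValueError("truncated record or not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len:
        raise ValueError("truncated handshake message")
    legacy_version = struct.unpack("!H", hs[0:2])[0]
    pos = 2 + 32                          # skip the 32-byte random
    sid_len = hs[pos]
    pos += 1 + sid_len                    # session_id
    pos += 2 + 1                          # cipher_suite + compression_method
    selected = None
    if pos < len(hs):                     # extensions block is optional
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            edata = hs[pos:pos + elen]
            pos += elen
            if etype == SUPPORTED_VERSIONS_EXT and elen == 2:
                selected = struct.unpack("!H", edata)[0]
    return {"record_version": record_version,
            "legacy_version": legacy_version,
            "selected_version": selected}


def negotiated_version(record):
    """The version the server actually chose (TLS 1.3 hides it in an extension)."""
    info = parse_server_hello(record)
    return info["selected_version"] or info["legacy_version"]


def is_ssl_or_early_tls(version):
    """Appendix A2 treats everything below TLS 1.2 as SSL/early TLS."""
    return version < 0x0303


def build_server_hello(legacy_version, selected_version=None):
    """Construct a minimal ServerHello record (test data, not a real capture)."""
    hs = struct.pack("!H", legacy_version) + b"\x11" * 32   # version + random
    hs += b"\x00"                                            # empty session_id
    hs += b"\x00\x2f"                                        # placeholder cipher suite
    hs += b"\x00"                                            # null compression
    if selected_version is not None:
        ext = struct.pack("!HHH", SUPPORTED_VERSIONS_EXT, 2, selected_version)
        hs += struct.pack("!H", len(ext)) + ext
    body = bytes([SERVER_HELLO]) + len(hs).to_bytes(3, "big") + hs
    return bytes([HANDSHAKE]) + struct.pack("!HH", legacy_version, len(body)) + body


def audit(record):
    """One-line verdict for a captured ServerHello."""
    v = negotiated_version(record)
    name = VERSION_NAMES.get(v, "0x%04x" % v)
    verdict = "NON-COMPLIANT (SSL/early TLS)" if is_ssl_or_early_tls(v) else "OK"
    return "%s: %s" % (name, verdict)


if __name__ == "__main__":
    for rec in (build_server_hello(0x0301),          # TLS 1.0 server
                build_server_hello(0x0303),          # TLS 1.2 server
                build_server_hello(0x0303, 0x0304)): # TLS 1.3 server
        print(audit(rec))
```

Run against ServerHello records pulled from a packet capture of each in-scope listener, this gives the evidence an assessor needs for the post-June 30, 2018 state: every negotiated version is TLS 1.2 or higher. Checking the ClientHello alone is not enough, since a client that advertises TLS 1.2 may still be talked down to TLS 1.0 by a server that has not been remediated.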
Appendix A3: Designated Entities Supplemental Validation (DESV)
This Appendix applies only to entities designated by a
payment brand(s) or acquirer as requiring additional
validation of existing PCI DSS requirements. Examples of
entities that this Appendix could apply to include:
• Those storing, processing, and/or transmitting large
volumes of cardholder data,
• Those providing aggregation points for cardholder
data, or
• Those that have suffered significant or repeated
breaches of cardholder data.
Note: An entity is required to undergo an assessment
according to this Appendix ONLY if instructed to do so by
an acquirer or a payment brand.
ControlCase Products and Solutions
Learn more about continual compliance:
• Compliance as a Service (CaaS)
Integrated compliance
Sample questionnaire items, each mapped across PCI DSS 2.0, PCI DSS 3.0, ISO 27002:2013, SOC2, HIPAA and NIST 800-53 (the SOC2 and NIST 800-53 columns are blank for the rows shown).

Question No. 37
Question: Provide the data encryption policy explaining the encryption controls implemented for secure storage of cardholder data (e.g. encryption, truncation, masking etc.), applicable to application, database and backup tapes.
- Screenshots showing that full PAN data is encrypted with strong encryption while stored (database tables or files). The captured details should also show the encryption algorithm and key strength used.
- For backup tapes, a screenshot showing the encryption applied (algorithm and strength, e.g. AES 256-bit) through the backup solution.
Security Posture QA: QSA to verify that encryption is appropriate OR that compensating controls are per ControlCase standard.
PCI DSS 2.0 Reference: 3.4.a, 3.4.b, 3.4.c, 3.4.d
PCI DSS 3.0: 3.4
ISO 27002:2013: 10.1.1, 18.1.5
HIPAA: 164.312(a)(1)

Question No. 38
Question: If disk encryption is used for card data, is logical access to the encrypted file system separate from native operating system user access? (Provide adequate evidence showing that logical access to the local operating system and to the encrypted file system uses separate user authentication.)
Security Posture QA: QSA to verify that encryption is appropriate OR that compensating controls are per ControlCase standard.
PCI DSS 2.0 Reference: 3.4.1.a
PCI DSS 3.0: 3.4.1
ISO 27002:2013: 10.1.2
HIPAA: 164.312(a)(1)

Question No. 39
Question: Provide evidence showing restricted access control for Data Encryption Keys (DEK) and Key Encryption Keys (KEK) in storage.
Security Posture QA: QSA to verify that encryption is appropriate OR that compensating controls are per ControlCase standard.
PCI DSS 2.0 Reference: 3.5
PCI DSS 3.0: 3.5.2
ISO 27002:2013: 10.1.2
HIPAA: 164.312(a)(1)

Question No. 40
Question: Provide evidence showing the exact locations where encryption keys are stored (keys should be stored in the fewest possible locations).
PCI DSS 3.0: 3.5.3
ISO 27002:2013: 10.1.2
HIPAA: 164.312(a)(1)
Why Choose ControlCase?
• Global Reach
› Serving more than 400 clients in 40 countries and rapidly growing
• Certified Resources
› PCI DSS Qualified Security Assessor (QSA)
› QSA for Point-to-Point Encryption (QSA P2PE)
› Certified ASV vendor
› Certified ISO 27001 Assessment Department
› EI3PA Assessor
› HIPAA Assessor
› HITRUST Assessor
› SOC1, SOC2, SOC3 Assessor
› Shared Assessments AUP/SIG
To Learn More About PCI Compliance…
• Visit www.controlcase.com
• contact@controlcase.com
Thank You for Your Time