With the recent news of payment card industry (PCI) credit card breaches at retailers, ensuring compliance and security in how you process, store and transmit credit card information is paramount.
If you are someone in business who sells goods or services and accepts credit card payments, you will want to plan to join us for this free lunch-and-learn event:
PCI 3.0 - Is Your Organization Ready?
Led by Joe Compton, CISSP, CISA, QSA, this presentation gives an overview of the PCI Data Security Standard (DSS) and the PCI 3.0 security framework, points out the changes from the 2.x framework, and provides a plan for organizations to build a PCI compliance program.
1. PCI 3.0
Is Your Organization Ready?
Joseph Compton, CISSP, CISA, QSA
March 27, 2014
2. WHAT IS PCI DSS?
• Payment Card Industry Data Security Standard
• Issued by the PCI Security Standards Council
• Compliance regulation for keeping credit card information secure
• Applies to organizations that handle credit cards, e.g. merchants, merchant banks, payment processors
• Goal: Prevent credit card theft and fraud
3. WHAT IS CARDHOLDER DATA?
• At a minimum, cardholder data consists of the full Primary Account Number (PAN)
• Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date and/or service code
4. PCI DSS LIFECYCLE
• The PCI Council has adopted a three-year lifecycle, allowing feedback prior to enactment of PCI standards
• The 12 core security areas stay the same, but the update from 2.0 to 3.0 includes new sub-requirements that did not exist previously
• Because implementation of updated standards takes time, some sub-requirements will remain best practices only until July 1, 2015
• PCI DSS Version 2.0 will remain active until December 31, 2014
• PCI DSS Version 3.0 became effective January 1, 2014
5. CHANGE DRIVERS
• Lack of education and awareness
• Weak passwords, authentication
• Third-party security challenges
• Slow self-detection, malware
• Inconsistency in assessments
6. CHANGE TYPES
• Clarification – Clarifies intent of requirement and ensures that concise wording in the standard portrays the desired intent of requirements
• Additional Guidance – Explanation, definition, and/or instruction to increase understanding or provide further information or guidance on a particular topic
• Evolving Requirement – Changes to ensure that the standards are up-to-date with emerging threats and changes in the market
8. SCOPE OF PCI REQUIREMENTS
• Added examples of system components and added guidance about how to accurately determine the scope of the assessment
• Clarified the intent of segmentation
• Clarified responsibilities of both the third party and their customers for scoping and coverage of PCI requirements, and clarified evidence that third parties are expected to provide to verify the scope
9. IMPLEMENTING PCI DSS (BAU)
• New section in the PCI standards guide to provide “business-as-usual” (BAU) guidance for implementing security into business-as-usual activities to maintain ongoing PCI DSS compliance
• Note that this section includes recommendations and guidance only, not new PCI DSS requirements
11. ALL REQUIREMENTS
• New column in PCI standards guide to describe the intent of each requirement, with content derived from the former Navigating PCI DSS guidance document
• The guidance in this column is intended to assist in understanding of the requirements and does not replace or extend the PCI DSS requirements and testing procedures
13. 1. FIREWALL CONFIGURATION
• Install and maintain a firewall configuration to protect cardholder data
1.1.2 Clarified what the network diagram must include and added new requirements at 1.1.3
1.1.3 Calls for a current diagram that shows cardholder data flows
14. 2. REMOVE VENDOR DEFAULTS
• Do not use vendor-supplied defaults for system passwords and other security parameters
2.4 New requirement to maintain an inventory of system components in scope for PCI DSS to support development of configuration standards
15. 3. CARDHOLDER DATA / 4. ENCRYPTION
• Protect stored cardholder data
No change
• Encrypt transmission of cardholder data across open, public networks
No change
16. 5. MALWARE
• Protect all systems against malware and regularly update anti-virus software or programs
5.1.2 New requirement to evaluate evolving malware threats for any systems not considered to be commonly affected by malicious software
5.3 New requirement to ensure that antivirus solutions are actively running (formerly in 5.2) and cannot be disabled or altered by users unless specifically authorized by management on a per-case basis
17. 6. SECURE SYSTEMS / 7. NEED TO KNOW
• Develop and maintain secure systems and applications
6.5.10 New requirement for coding practices to protect against broken authentication and session management (Effective July 1, 2015)
• Restrict access to cardholder data by business need to know
No change
18. 8. IDENTITY ACCESS
• Identify and authenticate access to system components
8.2.3 Combined minimum password complexity and strength requirements into a single requirement, and increased flexibility for alternatives that meet the equivalent complexity and strength
8.5.1 New requirement where service providers with remote access to customer premises use unique authentication credentials for each customer (Effective July 1, 2015)
19. 8. IDENTITY ACCESS
8.6 New requirement where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.) that the mechanisms must be linked to an individual account and ensure only the intended user can gain access with that mechanism
20. 9. RESTRICT PHYSICAL ACCESS
• Restrict physical access to cardholder data
9.3 New requirement to control physical access to sensitive areas for onsite personnel, including a process to authorize access, and revoke access immediately upon termination
9.9.x New requirements to protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution (Effective July 1, 2015)
21. 10. TRACK AND MONITOR ACCESS
• Track and monitor all access to network resources and cardholder data
10.2.5 Enhanced requirement to include changes to identification and authentication mechanisms (including creation of new accounts, elevation of privileges), and all changes, additions and deletions to accounts with root or administrative privileges
Enhanced requirement to include stopping or pausing of the audit logs
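As an added illustration (not part of the slides or the presenter's material), the following Python snippet classifies constructed syslog-style lines into the event categories requirement 10.2.5 calls out: account creation, privilege elevation, changes to administrative accounts, account deletion, and stopping of the audit logs. The log lines, hostname and the choice of 'wheel', 'sudo' and 'root' as administrative groups are assumptions for this example.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the slides); Linux syslog-style
# entries standing in for the events PCI DSS 10.2.5 says must be logged.
SAMPLE_LOGS = """\
Mar 27 10:01:12 pos-01 useradd[2210]: new user: name=jsmith, UID=1003, GID=1003, home=/home/jsmith, shell=/bin/bash
Mar 27 10:02:40 pos-01 sudo:   jsmith : TTY=pts/0 ; PWD=/home/jsmith ; USER=root ; COMMAND=/bin/bash
Mar 27 10:03:05 pos-01 usermod[2250]: add 'jsmith' to group 'wheel'
Mar 27 10:04:00 pos-01 sshd[2301]: Accepted publickey for jsmith from 10.0.5.20 port 51234 ssh2
Mar 27 10:05:17 pos-01 auditd[511]: The audit daemon is exiting.
Mar 27 10:06:00 pos-01 userdel[2400]: delete user 'oldadmin'
"""

# Each rule maps a regex to the 10.2.5 category it evidences.  Treating the
# groups 'wheel', 'sudo' and 'root' as administrative is an assumption here.
RULES = [
    ("account_created",      re.compile(r"useradd\[\d+\]: new user: name=(\w+)")),
    ("privilege_elevated",   re.compile(r"sudo:\s+(\w+) : .*USER=root")),
    ("admin_account_change", re.compile(r"usermod\[\d+\]: add '(\w+)' to group '(?:wheel|sudo|root)'")),
    ("account_deleted",      re.compile(r"userdel\[\d+\]: delete user '(\w+)'")),
    ("audit_log_stopped",    re.compile(r"auditd\[\d+\]: The audit daemon is exiting")),
]

def classify(line):
    """Return (category, subject) for a line matching a 10.2.5 rule, else None."""
    for category, pattern in RULES:
        m = pattern.search(line)
        if m:
            subject = m.group(1) if m.groups() else "auditd"
            return category, subject
    return None

def scan(log_text):
    """Classify every line; return the flagged (category, subject) pairs in order."""
    return [hit for hit in (classify(line) for line in log_text.splitlines()) if hit]

def summarize(log_text):
    """Count flagged events per 10.2.5 category (what an assessor would ask to see)."""
    return Counter(cat for cat, _ in scan(log_text))

if __name__ == "__main__":
    for category, subject in scan(SAMPLE_LOGS):
        print(f"{category:22s} {subject}")
    print(dict(summarize(SAMPLE_LOGS)))
```

The ordinary SSH login is deliberately left unflagged: 10.2.5 is about changes to accounts and authentication mechanisms, not every successful login, which other parts of requirement 10 cover.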
22. 11. TEST SECURITY
• Regularly test security systems and processes
11.1.x Enhanced requirement to include an inventory of authorized wireless access points and a business justification (11.1.1) to support scanning for unauthorized wireless devices, and added new requirement (11.1.2) to align with an already existing testing procedure, for incident response procedures if unauthorized wireless access points are detected
11.2 Additional guidance only: added guidance on combining multiple scan reports in order to achieve and document a passing result
23. 11. TEST SECURITY
11.3.4 New requirement, if segmentation is used to isolate the CDE from other networks, to perform penetration tests to verify that the segmentation methods are operational and effective
11.5.1 New requirement to implement a process to respond to any alerts generated by the change detection mechanism (supports 11.5)
24. 12. SECURITY POLICY
• Maintain a policy that addresses information security for all personnel
12.2 Moved former requirement 12.1.2 for annual risk assessment process to 12.2, and clarified that the risk assessment should be performed at least annually and after significant changes to the environment
12.8.5 New requirement to maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity
12.9 New requirement for service providers to provide the written agreement/acknowledgment to their customers as specified at requirement 12.8 (Effective July 1, 2015)
25. FACTS
• Payment card data remains one of the easiest types of data to convert to cash, and therefore the preferred choice of criminals.*
• 74% of attacks on retail, accommodation, and food service companies target payment card information.*
• For more information on PCI DSS, the standards can be found at: https://www.pcisecuritystandards.org
*Data from Verizon Data Breach Investigations Reports (DBIRs), 2011, 2012 and 2013