
PCI 3.0 Webcast: Minimizing the Business Impact of the PCI 2.0 - 3.0 Transition


DESCRIPTION

In this presentation, Andy Cottrell, CEO and founder of Truvantis, reviews the changes between PCI 2.0 and 3.0 and provides practical tips on how to minimize the business impact of the transition. From these slides, you will learn the scope and timing of the new requirements, how they are likely to impact your business and ways to make implementation as painless as possible.


Page 1: PCI 3.0 Webcast: Minimizing the Business Impact of the PCI 2.0 - 3.0 Transition

Andy Cottrell

12/13/2013 1

Page 2

The PCI DSS refresh cycle
What has changed in general terms
Review of specific, significant changes
  Requirement 0
  Requirements 1-12
Reorganization of documents
Final notes
Q&A

Page 3

IT security consulting company: www.truvantis.com
Authorized PCI DSS Qualified Security Assessor (QSA) Company
Deep, comprehensive expertise in IT security testing (pen testing, vulnerability assessments, etc.), policy creation, audit, PCI assessments and governance
We also understand that IT security can't get in the way of doing business!

Page 4

Page 5

A great deal of clarification
Some additional requirements
More useful narrative before the requirements
Reorganization of the documents
Focus on goals, not technology
Today, look at a few of the more important changes

Page 6

Scope
  Cannot store SAD (sensitive authentication data) after authorization, even without the PAN (primary account number)
  Determination of the scope of the CDE (cardholder data environment) is the entity's responsibility
Segmentation
  If a control is used to de-scope, then that control is in scope
  A system can only be out of scope if its compromise would not impact the security of the CDE

Page 7

Wireless
  Don't
Service providers
  It's still your job to monitor the compliance of your service providers
  The fact that they have an AOC (Attestation of Compliance) does not change that; it just helps with validation
  "For example, providing the AOC and/or relevant sections of the service provider's ROC (redacted to protect any confidential information) could help provide all or some of the information."

Page 8

Business-as-Usual
  Totally new section
  Discusses how to build compliance into your daily routine
  This is not a new requirement
  Consider it guidance and advice that will help

Page 9

Security policies and daily operational procedures moved into the relevant sections
  Just moving Requirement 12 items into a more sensible place
NEW: Inventory of system components and their function/use
  You probably did this anyway
  Just leave an audit trail to show you keep it current
  TIP: Create a recurring task to review it

Page 10

Passwords: still at least 7 characters, alphanumeric
Can now use a policy of equivalent strength instead
  Do the math to establish equivalence
TIP: This is a low bar; do better

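"Do the math" is the part of this slide people skip. The block below is an added example (not from the webcast) that puts numbers on an "equivalent strength" claim by measuring each policy's keyspace in bits; it assumes strength means the size of the space a uniformly random password is drawn from, and the policy definitions and the 32-symbol punctuation count are illustrative assumptions.

```python
"""Added example, not from the webcast: compare password-policy strength
by keyspace so an "equivalent strength" claim can be checked with numbers.

Assumption: strength is measured as the number of passwords a policy
permits (in bits, log2), i.e. the work a brute-force attacker faces against
a uniformly random password. The 32-symbol punctuation count and the
candidate policies below are assumptions for illustration.
"""
import math
from dataclasses import dataclass

LETTERS, DIGITS, SYMBOLS = 52, 10, 32   # printable ASCII classes (assumed)


@dataclass(frozen=True)
class Policy:
    name: str
    min_length: int
    letters: int = 0          # letters allowed (26 lowercase only, 52 mixed case)
    digits: int = 0           # digits allowed (0 or 10)
    symbols: int = 0          # punctuation allowed
    require_letter_and_digit: bool = False   # PCI's "alphanumeric" rule

    @property
    def alphabet(self) -> int:
        return self.letters + self.digits + self.symbols


def keyspace(policy: Policy) -> int:
    """Number of distinct passwords of exactly min_length the policy permits."""
    n, length = policy.alphabet, policy.min_length
    total = n ** length
    if policy.require_letter_and_digit:
        # Inclusion-exclusion: drop strings with no letter and strings with
        # no digit, then add back strings with neither (subtracted twice).
        total -= (n - policy.letters) ** length
        total -= (n - policy.digits) ** length
        total += (n - policy.letters - policy.digits) ** length
    return total


def keyspace_bits(policy: Policy) -> float:
    return math.log2(keyspace(policy))


# PCI DSS 3.0 Requirement 8.2.3 baseline: 7+ characters, both letters and digits.
PCI_BASELINE = Policy("pci-7-alphanumeric", 7, LETTERS, DIGITS, 0, True)


def is_equivalent(candidate: Policy, baseline: Policy = PCI_BASELINE) -> bool:
    """A policy is at least equivalent if its keyspace is no smaller than the baseline's."""
    return keyspace_bits(candidate) >= keyspace_bits(baseline)


def compare(policies, baseline: Policy = PCI_BASELINE) -> dict:
    """Map policy name -> (bits, meets_baseline) for a side-by-side view."""
    return {p.name: (round(keyspace_bits(p), 1), is_equivalent(p, baseline))
            for p in policies}


CANDIDATES = [
    Policy("pin-8-digits", 8, digits=DIGITS),
    Policy("lowercase-9", 9, letters=26),
    Policy("lowercase-10", 10, letters=26),
    Policy("passphrase-16-letters", 16, letters=LETTERS),
    Policy("any-12", 12, LETTERS, DIGITS, SYMBOLS),
]

if __name__ == "__main__":
    print(f"baseline: {keyspace_bits(PCI_BASELINE):.1f} bits")
    for name, (bits, ok) in compare(CANDIDATES).items():
        print(f"{name:24s} {bits:6.1f} bits  {'equivalent' if ok else 'weaker'}")
```

The baseline works out to roughly 41 bits, and a nine-character lowercase-only password already clears it. That is the slide's "low bar" warning in numbers, and the arithmetic is generous to the defender because it assumes random choice, which human-chosen passwords never are.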
Page 11

Anti-virus
  2.0: "Deploy anti-virus software on all systems commonly affected by malicious software"
  3.0 adds: "perform periodic evaluations to identify and evaluate evolving malware threats"
  It is now your responsibility to make sure the systems you exempted continue to not need it

Page 12

Vulnerability management and patching: these requirements have been coordinated
  Security patches indicate vulnerabilities
All vulnerabilities must be 'risk-ranked'
  At least identify those that are HIGH risk (to you)
  Additionally flag CRITICAL if "they pose an imminent threat to the environment, impact critical systems, and/or would result in a potential compromise if not addressed"
CRITICAL vendor-supplied security patches
  One month
Other vendor-supplied security patches
  'Appropriate' time frame (for example, three months)

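The ranking and the two patch windows on this slide are easy to state and easy to lose track of across a few hundred findings. The following added example (not from the webcast) turns them into a small triage routine: it ranks each record, promotes HIGH to CRITICAL on the slide's "imminent threat / critical system" wording, derives the due date from the one-month or three-month window, and reports which items are open, overdue, patched on time or patched late. The ranking thresholds are an assumed example policy, not something PCI DSS prescribes; "one month" and "three months" are approximated as 30 and 90 days; the vulnerability records are constructed.

```python
"""Added example, not from the webcast: risk-rank vulnerability records and
derive patch due dates from the PCI DSS 3.0 timelines on the slide
(CRITICAL within one month; others within an "appropriate" time frame,
taken here as three months).

Assumptions: the ranking rule (CVSS thresholds plus the "critical system"
and "imminent threat" flags that promote HIGH to CRITICAL) is an example
policy, not something the standard prescribes; "one month" and "three
months" are approximated as 30 and 90 days; the records are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Vuln:
    vuln_id: str
    cvss: float                        # CVSS base score from the scanner/advisory
    released: date                     # vendor patch / advisory release date
    on_critical_system: bool = False   # e.g. the host sits in the CDE
    exploit_in_the_wild: bool = False  # the "imminent threat" signal
    patched_on: Optional[date] = None


SLA_DAYS = {"CRITICAL": 30, "HIGH": 90, "MEDIUM": 90, "LOW": 90}


def risk_rank(v: Vuln) -> str:
    """Rank relative to *your* environment, then promote to CRITICAL when the
    slide's wording applies: imminent threat or impact on critical systems."""
    if v.cvss >= 7.0 and (v.on_critical_system or v.exploit_in_the_wild):
        return "CRITICAL"
    if v.cvss >= 7.0:
        return "HIGH"
    if v.cvss >= 4.0:
        return "MEDIUM"
    return "LOW"


def due_date(v: Vuln) -> date:
    return v.released + timedelta(days=SLA_DAYS[risk_rank(v)])


def status(v: Vuln, today: date) -> str:
    """ok: patched in time; late: patched after the deadline;
    open: unpatched but inside the window; overdue: unpatched and past it."""
    due = due_date(v)
    if v.patched_on is not None:
        return "ok" if v.patched_on <= due else "late"
    return "open" if today <= due else "overdue"


def triage(vulns, today: date) -> dict:
    """vuln_id -> (rank, due date, status): the evidence an assessor asks for."""
    return {v.vuln_id: (risk_rank(v), due_date(v), status(v, today)) for v in vulns}


# Constructed sample records (not real advisories); TODAY is the webcast date.
TODAY = date(2013, 12, 13)
SAMPLE_VULNS = [
    Vuln("V-001", 9.8, date(2013, 10, 1), on_critical_system=True,
         exploit_in_the_wild=True),
    Vuln("V-002", 7.5, date(2013, 11, 15)),
    Vuln("V-003", 5.0, date(2013, 8, 1), patched_on=date(2013, 11, 20)),
    Vuln("V-004", 2.0, date(2013, 12, 1), patched_on=date(2013, 12, 5)),
]

if __name__ == "__main__":
    for vid, (rank, due, st) in triage(SAMPLE_VULNS, TODAY).items():
        print(f"{vid} {rank:8s} due {due} {st}")
```

Keep the output of each run: a dated record of rank, due date and status per finding is exactly the "risk-ranked" evidence the coordinated requirements expect, and it shows a late patch as late rather than quietly as done.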
Page 13

NEW: Broken authentication and session management
  Flagging session tokens … as "secure"
  Not exposing session IDs in the URL
  Incorporating appropriate time-outs and rotation of session IDs after a successful login
PCI is following the OWASP Top 10
  TIP: OWASP has a new Top 10 for 2013
  TIP: Also see www.securecoding.cert.org

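The three bullets above describe concrete behaviour, so here is an added example (not from the webcast, and not any particular framework's code) of a minimal, dependency-free session store that implements them: the ID is issued only in a Secure, HttpOnly cookie; a helper flags URLs that carry a session ID; sessions die on idle and absolute timeouts; and a successful login discards the pre-authentication ID and issues a fresh one. The cookie name, the 15-minute idle limit and the 8-hour absolute lifetime are illustrative assumptions, and the clock is injectable so the timeouts can be exercised without waiting.

```python
"""Added example, not from the webcast: the session-management controls on
the slide in one small session store. Assumptions: cookie name SESSIONID,
a 15-minute idle timeout and an 8-hour absolute lifetime are illustrative;
the clock is injectable so timeouts can be driven deterministically.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import parse_qs, urlsplit

IDLE_TIMEOUT = 15 * 60          # seconds of inactivity before the session dies
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # hard cap regardless of activity
COOKIE_NAME = "SESSIONID"
URL_SESSION_KEYS = {"sessionid", "jsessionid", "phpsessid", "sid"}


@dataclass
class Session:
    user: Optional[str]   # None until the user authenticates
    created: float
    last_seen: float


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._sessions: dict = {}

    def create(self) -> str:
        """Pre-authentication session (e.g. a cart) with a random 256-bit ID."""
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = Session(None, now, now)
        return sid

    def login(self, old_sid: str, user: str) -> str:
        """Rotate on successful login: the pre-auth ID is invalidated and a new
        one issued, so an ID planted before login (fixation) never becomes
        an authenticated session."""
        self._sessions.pop(old_sid, None)
        new_sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[new_sid] = Session(user, now, now)
        return new_sid

    def lookup(self, sid: str) -> Optional[Session]:
        """Return the live session or None; expired sessions are purged here."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]
            return None
        s.last_seen = now
        return s


def session_cookie_header(sid: str) -> str:
    """Secure: HTTPS only. HttpOnly: unreadable by script. SameSite=Lax: not
    sent on cross-site POSTs. The ID travels in a cookie, never in a URL."""
    return f"Set-Cookie: {COOKIE_NAME}={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def exposes_session_in_url(url: str) -> bool:
    """Flag URLs carrying a session ID in the query string or as a
    ;jsessionid=... path parameter; such IDs leak via logs, Referer and history."""
    parts = urlsplit(url)
    if any(k.lower() in URL_SESSION_KEYS for k in parse_qs(parts.query)):
        return True
    return any(seg.lower().split("=")[0] in URL_SESSION_KEYS
               for seg in parts.path.split(";")[1:])


class FakeClock:
    """Test clock so the timeouts can be driven without waiting."""
    def __init__(self, start: float = 1_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> dict:
    """create -> login (rotation) -> idle expiry; returns what was observed."""
    clock = FakeClock()
    store = SessionStore(clock)
    pre = store.create()
    post = store.login(pre, "alice")
    rotated = pre != post and store.lookup(pre) is None
    authenticated = store.lookup(post).user == "alice"
    clock.advance(IDLE_TIMEOUT + 1)
    expired = store.lookup(post) is None
    return {"rotated": rotated, "authenticated": authenticated,
            "expired": expired, "cookie": session_cookie_header(post)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The rotation step is the one most often missing in home-grown session code: reusing the pre-login ID means whoever set it (a fixation link, a shared kiosk) owns the authenticated session.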
Page 14

NEW: Protect devices that capture payment
  Mandatory after July 1st, 2015
  Maintain a list of devices
  Periodically inspect device surfaces to detect tampering
  Training for personnel to detect tampering or replacement

Page 15

Scanning for rogue devices
  Must test for all routes by which a wireless device could get in
  Just looking for new IP addresses is not enough
  USB etc. specifically called out
TIP: Focus on intent, not the language

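This slide and the inventory point on Page 9 are two halves of one check: you can only call a device rogue if you know what should be there. The block below is an added example (not from the webcast) that reconciles a system-component inventory, with each entry's function/use, against what is visible on the network and on the USB buses, so the "USB etc." route is covered rather than just new IP addresses. It reports devices seen but not inventoried (rogues), inventoried devices not seen (stale entries to review), and any USB device that looks like a wireless adapter whether or not it is listed. The inventory layout is this example's own, and the `ip neigh` and `lsusb` output is constructed, not captured from a real system.

```python
"""Added example, not from the webcast: reconcile the system-component
inventory (Page 9) against the network neighbour table and USB devices
(Page 15). Assumptions: the inventory format is this example's own; the
`ip neigh show` and `lsusb` output below is constructed, not captured.
"""
import re
from dataclasses import dataclass

NEIGH_RE = re.compile(r"^(\S+)\s+dev\s+(\S+)\s+lladdr\s+([0-9a-f:]{17})", re.I)
LSUSB_RE = re.compile(
    r"^Bus\s+\d+\s+Device\s+\d+:\s+ID\s+([0-9a-f]{4}:[0-9a-f]{4})\s*(.*)$", re.I)
WIRELESS_HINTS = ("wireless", "802.11", "wlan", "wi-fi", "bluetooth")


@dataclass
class Inventory:
    """MAC -> function/use for network components; USB vendor:product -> use."""
    network: dict
    usb: dict


# Constructed inventory for a small store network.
INVENTORY = Inventory(
    network={
        "00:11:22:33:44:01": "POS terminal 1 (CDE)",
        "00:11:22:33:44:02": "POS terminal 2 (CDE)",
        "00:11:22:33:44:10": "back-office file server",
    },
    usb={"046d:c31c": "POS keyboard", "0bda:8153": "USB NIC, back office"},
)

# Constructed `ip neigh show` output; the last line has no link-layer address.
NEIGH_OUTPUT = """\
10.0.5.11 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
10.0.5.12 dev eth0 lladdr 00:11:22:33:44:02 STALE
10.0.5.77 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
10.0.5.1 dev eth0  FAILED
"""

# Constructed `lsusb` output.
LSUSB_OUTPUT = """\
Bus 001 Device 002: ID 046d:c31c Logitech, Inc. Keyboard K120
Bus 001 Device 004: ID 0bda:8179 Realtek Semiconductor Corp. 802.11n Wireless Network Adapter
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
"""


def parse_neigh(text: str) -> dict:
    """MAC -> IP for every neighbour entry that carries a link-layer address."""
    found = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line)
        if m:
            found[m.group(3).lower()] = m.group(1)
    return found


def parse_lsusb(text: str) -> dict:
    """vendor:product ID -> description."""
    found = {}
    for line in text.splitlines():
        m = LSUSB_RE.match(line)
        if m:
            found[m.group(1).lower()] = m.group(2)
    return found


def reconcile(inv: Inventory, neigh_text: str, lsusb_text: str) -> dict:
    """Compare what is present with what is inventoried, on both routes."""
    seen_net = parse_neigh(neigh_text)
    seen_usb = parse_lsusb(lsusb_text)
    return {
        "rogue_network": sorted(f"{mac} ({ip})" for mac, ip in seen_net.items()
                                if mac not in inv.network),
        "stale_network": sorted(mac for mac in inv.network if mac not in seen_net),
        # Root hubs are part of the host, not attachable devices, so skip them.
        "rogue_usb": sorted(f"{uid} {desc}" for uid, desc in seen_usb.items()
                            if uid not in inv.usb and "root hub" not in desc),
        "wireless_usb": sorted(f"{uid} {desc}" for uid, desc in seen_usb.items()
                               if any(h in desc.lower() for h in WIRELESS_HINTS)),
    }


if __name__ == "__main__":
    for category, items in reconcile(INVENTORY, NEIGH_OUTPUT, LSUSB_OUTPUT).items():
        print(f"{category}: {items or '-'}")
```

Running this on the recurring task the Page 9 tip suggests, and keeping each run's output, gives both the current inventory and the audit trail that it is being reviewed; the stale entries are the ones to chase before an assessor does.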
Page 16

Vulnerability scans: can now combine multiple scans to get a passing grade
  Recognizes that new issues can arise during a remediation phase
  A re-test would otherwise show new failing items
  Avoids the never-ending cycle of not passing

Page 17: PCI 3.0 Webcast: Minimizing the Business Impact of the PCI 2.0 - 3.0 Transition

Greatly enhanced detail and deeper in scope New goals mandatory as of July 1st, 2015

Test de-scoping controls

Review last 12mo threats and vulnerabilities

The type, depth, and complexity of the testing will depend on the specific environment and the organization’s risk assessment

TIP: Don’t be sold a vulnerability assessment as a pen test

TIP: Ask your penetration tester when they will be working with the new rules

12/13/2013 17

Page 18

Risk assessment: "at least annually and after significant changes to the environment"
Many requirements now reference your risk assessment
TIP: Use the new prevalence of "risk assessment" in the standard to help you work out what your risk assessment should look like

Page 19

Incident response: plan not just for a major breach
  It should drill down into more alerts from monitoring systems like firewalls
  Larger mandate to choose what to monitor and where alerts should come from
TIP: Again, focus on intent, not language

Page 20

Guidance regarding intent moved into the standard
Reporting instructions moved to a template
SAQs will be updated; not released yet
Expect:
  Multiple SAQ submissions will be permitted
  New SAQs, such as one for hosted payment pages

Page 21

Download and review the 'Summary of Changes' document now
  Review every item and measure the impact
Comply with the language, but focus on the intent
Review your 'risk assessment' in the light of 3.0
  By understanding your risk, you can scale your behavior appropriately

Page 22

By web: www.truvantis.com
By phone: +1 855.345.6298
By email: [email protected]
View this presentation in the recorded webcast (with audio): http://youtu.be/mwvx1q9aMDw