PCI DSS 3.2
By Kishor Vaswani – CEO, ControlCase
Agenda
• About PCI DSS
• Overview of changes in PCI DSS 3.2
• Changes by requirement number
• About ControlCase
• Q&A
About PCI DSS
What is PCI DSS?
Payment Card Industry Data Security Standard:
• Guidelines for securely processing, storing, or transmitting payment card account data
• Established by the major payment card brands
• Maintained by the PCI Security Standards Council (PCI SSC)
PCI DSS Requirements (control objectives and the requirements under each)
Build and maintain a secure network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect cardholder data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
Maintain a vulnerability management program
  5. Use and regularly update anti-virus software on all systems commonly affected by malware
  6. Develop and maintain secure systems and applications
Implement strong access control measures
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
Regularly monitor and test networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
Maintain an information security policy
  12. Maintain a policy that addresses information security
Important Dates for PCI DSS v3.2
• Final DSS 3.2 released: April 2016
• v3.2 can be used: May 1, 2016
• Sunset date for v3.1: Oct 31, 2016
• v3.2 mandatory for all assessments: Nov 1, 2016
• Controls marked as "New Requirements" become mandatory: Feb 1, 2018 (best practice until Jan 31, 2018)
Overview of changes in PCI 3.2
Overview
SSL/early TLS
• Work towards remediation; existing implementations need a formal Risk Mitigation and Migration Plan
• No new implementations of SSL/early TLS
• Service providers must provide a secure (TLS 1.1 or higher) service offering by June 30, 2016
• No SSL/early TLS after June 30, 2018
• Some exceptions for POS POI terminals that are verified not susceptible to known SSL/early TLS exploits
Display of PAN
• Permits display of PAN beyond first 6/last 4 digits
• Justification and a legitimate business need must exist
• Only the digits needed for that business need may be displayed
Overview contd…
Multifactor Authentication
• All remote network access originating from outside the entity's network must use multifactor authentication
• All non-console administrative access to the CDE must use multifactor authentication, effective Feb 1, 2018 (best practice until Jan 31, 2018)
• Multifactor authentication can be implemented at the system or the application layer
New Service Provider Requirements (all are best practice until Jan 31, 2018 and mandatory from Feb 1, 2018)
• Maintain a documented description of the cryptographic architecture (3.5.1)
• Detect and report on failures of critical security control systems (10.8)
• Review at least quarterly to confirm personnel are following security policies and operational procedures (12.11)
• Perform a segmentation penetration test at least once every six months (11.3.4.1)
• Executive management to establish responsibility for cardholder data protection and the PCI DSS compliance program (12.4.1)
Changes by requirement
Requirement 1 – Firewall Configuration
• 1.4 Install personal firewall software or equivalent functionality on any portable computing devices (including company and/or employee-owned) that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the CDE.
Requirement 3 - Encryption
• 3.4.1 - If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed separately and independently of native operating system authentication and access control mechanisms
Note: This requirement applies in addition to all other PCI DSS encryption and key-management requirements.
Requirement 3 - Encryption
3.5.1 Additional requirement for service providers only: Maintain a documented description of the cryptographic architecture that includes:
• Details of all algorithms, protocols, and keys used for the protection of cardholder data, including key strength and expiry date
• Description of the key usage for each key
• Inventory of any HSMs and other SCDs used for key management
Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement.
Requirement 6 – Secure Applications
• 6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.
• This requirement applies to applicable patches for all installed software, including payment applications (both those that are PA-DSS validated and those that are not).
Requirement 6 – Secure Applications
• 6.4.6 Upon completion of a significant change, all relevant PCI DSS requirements must be implemented on all new or changed systems and networks, and documentation updated as applicable.
Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement.
Requirement 8 – Access Control
• 8.3.1 Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.
Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement.
Requirement 10 – Logging and Monitoring
• 10.8 Additional requirement for service providers only: Implement a process for the timely detection and reporting of failures of critical security control systems, including but not limited to failure of:
  › Firewalls
  › IDS/IPS
  › FIM
  › Anti-virus
  › Physical access controls
  › Logical access controls
  › Audit logging mechanisms
  › Segmentation controls (if used)
• Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement.
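The detection process 10.8 asks for has to notice two things: a control that reports itself as failed, and a control that simply stops reporting (a crashed FIM agent or a disabled logging pipeline produces silence, not an error). The script below is an added example written for this page, not ControlCase's tooling or anything from the standard; it runs over a constructed heartbeat feed in a hypothetical format, treats silence and stale anti-virus signatures as failures, and flags any control in the 10.8 list that never reports at all. The 15-minute and 1-day thresholds are assumptions chosen for the example.

```python
from datetime import datetime, timedelta, timezone

# Critical security control systems named in PCI DSS 3.2 requirement 10.8.
CRITICAL_CONTROLS = [
    "firewall", "ids_ips", "fim", "anti_virus", "physical_access",
    "logical_access", "audit_logging", "segmentation",
]

# Detection thresholds (assumptions for this example, not values from the standard).
MAX_HEARTBEAT_SILENCE = timedelta(minutes=15)
MAX_AV_SIGNATURE_AGE = timedelta(days=1)

# Constructed sample status feed: each control agent posts a heartbeat with its state.
# Hypothetical format; no real monitoring product is modelled here.
SAMPLE_STATUS_FEED = [
    {"control": "firewall", "host": "fw-edge-01", "ts": "2017-06-01T11:58:00Z", "state": "up"},
    {"control": "ids_ips", "host": "ids-01", "ts": "2017-06-01T11:30:00Z", "state": "up"},
    {"control": "fim", "host": "db-01", "ts": "2017-06-01T11:59:00Z", "state": "up"},
    {"control": "anti_virus", "host": "app-02", "ts": "2017-06-01T11:57:00Z", "state": "up",
     "signature_date": "2017-05-28"},
    {"control": "physical_access", "host": "badge-ctl-01", "ts": "2017-06-01T11:55:00Z", "state": "up"},
    {"control": "logical_access", "host": "idp-01", "ts": "2017-06-01T11:59:00Z", "state": "up"},
    {"control": "audit_logging", "host": "app-02", "ts": "2017-06-01T11:50:00Z", "state": "down"},
    # No record at all for "segmentation": that absence is itself a finding.
]

# Fixed evaluation time so the constructed feed gives repeatable results.
EVALUATION_TIME = datetime(2017, 6, 1, 12, 0, tzinfo=timezone.utc)


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_control_failures(feed, now=EVALUATION_TIME):
    """Return sorted (control, host, reason) tuples for every failed or silent control."""
    # Keep only the newest record per (control, host).
    latest = {}
    for event in feed:
        key = (event["control"], event["host"])
        if key not in latest or parse_ts(event["ts"]) > parse_ts(latest[key]["ts"]):
            latest[key] = event

    alerts = []

    # A control from the 10.8 list with no record at all is a failure of the
    # detection path itself, so report it rather than treat it as healthy.
    reporting = {control for control, _ in latest}
    for control in CRITICAL_CONTROLS:
        if control not in reporting:
            alerts.append((control, "", "no status ever reported"))

    for (control, host), event in latest.items():
        silence = now - parse_ts(event["ts"])
        if event["state"] != "up":
            alerts.append((control, host, f"reported state {event['state']}"))
        elif silence > MAX_HEARTBEAT_SILENCE:
            minutes = int(silence.total_seconds() // 60)
            alerts.append((control, host, f"no heartbeat for {minutes} min"))
        # Anti-virus that is running but has stale signatures is still a failed control.
        if control == "anti_virus" and "signature_date" in event:
            sig_age = now - parse_ts(event["signature_date"] + "T00:00:00Z")
            if sig_age > MAX_AV_SIGNATURE_AGE:
                alerts.append((control, host, f"signatures {sig_age.days} days old"))
    return sorted(alerts)


if __name__ == "__main__":
    for control, host, reason in detect_control_failures(SAMPLE_STATUS_FEED):
        print(f"ALERT {control:16s} {host or '-':14s} {reason}")
```

On the constructed feed this raises four alerts: the IDS that went quiet, the logging agent that reported down, the anti-virus host with four-day-old signatures, and the segmentation control that never reported. In a real deployment the feed would come from the monitoring system and the alerts would go to whatever ticketing or paging path the 10.8.1 response procedure defines.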
Requirement 11 – Security Testing
11.3.4.1 Additional requirement for service providers only: If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods.
Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement.
Requirement 12 – Policies and Procedures
12.4.1 Additional requirement for service providers only: Executive management shall establish responsibility for the protection of cardholder data and a PCI DSS compliance program to include:
• Overall accountability for maintaining PCI DSS compliance
• Defining a charter for a PCI DSS compliance program and communication to executive management
Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement.
Requirement 12 – Policies and Procedures
12.11 Additional requirement for service providers only: Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures. Reviews must cover the following processes:
• Daily log reviews
• Firewall rule-set reviews
• Applying configuration standards to new systems
• Responding to security alerts
• Change management processes
Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement.
Requirement 12 – Policies and Procedures
12.11.1 Additional requirement for service providers only: Maintain documentation of the quarterly review process to include:
• Documenting results of the reviews
• Review and sign-off of results by personnel assigned responsibility for the PCI DSS compliance program
Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement.
Appendix A2: Additional PCI DSS Requirements for Entities using SSL/early TLS
• New implementations must not use SSL or early TLS as a security control.
• All service providers must provide a secure service offering by June 30, 2016.
• After June 30, 2018, all entities must have stopped use of SSL/early TLS as a security control, and use only secure versions of the protocol (an allowance for certain POS POI terminals is described in the last bullet below).
• Prior to June 30, 2018, existing implementations that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place.
• POS POI terminals (and the SSL/TLS termination points to which they connect) that can be verified as not being susceptible to any known exploits for SSL and early TLS, may continue using these as a security control after June 30, 2018.
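The Appendix A2 migration plan needs two concrete artefacts: an inventory of which endpoints still negotiate SSL or early TLS (with the POI exception tracked separately, since it only applies after the terminal has been verified not susceptible to known exploits), and a configuration that cannot fall back to those versions once the migration is done. The following is an added example for this page, not code from ControlCase or the PCI SSC. It classifies a constructed set of scan results using the protocol names Python's `ssl` module reports, and builds a client or server `SSLContext` whose floor is TLS 1.2. Treating TLS 1.2 as the floor is an assumption: the SSC guidance accepts TLS 1.1 as a minimum but recommends 1.2, so the example takes the stricter option. Hostnames are placeholders; nothing was scanned.

```python
import ssl

# Protocol names in the form returned by ssl.SSLSocket.version(), oldest first.
PROTOCOL_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# "SSL/early TLS" as used in Appendix A2: SSL 2.0, SSL 3.0 and TLS 1.0.
SSL_EARLY_TLS = {"SSLv2", "SSLv3", "TLSv1"}

# Floor enforced by this example. Assumption: TLS 1.2, stricter than the TLS 1.1
# minimum in the PCI SSC migration guidance.
FLOOR = "TLSv1.2"


def is_ssl_or_early_tls(version: str) -> bool:
    return version in SSL_EARLY_TLS


def meets_floor(version: str) -> bool:
    if version not in PROTOCOL_ORDER:
        raise ValueError(f"unrecognised protocol name: {version}")
    return PROTOCOL_ORDER.index(version) >= PROTOCOL_ORDER.index(FLOOR)


def hardened_context(server_side: bool = False) -> ssl.SSLContext:
    """Context that cannot negotiate anything below TLS 1.2, for either side.

    Server side still needs load_cert_chain() before use; a client context keeps
    the default certificate verification from create_default_context().
    """
    purpose = ssl.Purpose.CLIENT_AUTH if server_side else ssl.Purpose.SERVER_AUTH
    ctx = ssl.create_default_context(purpose)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


# Constructed scan results: (host, port, negotiated protocol, is_pos_poi_terminal).
SAMPLE_SCAN = [
    ("pay.example.com", 443, "TLSv1.2", False),
    ("legacy.example.com", 443, "TLSv1", False),
    ("poi-gw.example.com", 8443, "SSLv3", True),
    ("api.example.com", 443, "TLSv1.1", False),
]


def audit_scan(records):
    """Classify each endpoint for the Appendix A2 migration plan."""
    findings = []
    for host, port, version, is_poi in records:
        if is_ssl_or_early_tls(version):
            # POI terminals may keep SSL/early TLS only once verified not susceptible
            # to known exploits, so flag them for that verification, never auto-exempt.
            status = "poi-exception-needs-verification" if is_poi else "must-migrate"
            findings.append((host, port, version, status))
        elif not meets_floor(version):
            findings.append((host, port, version, "below-floor"))
    return findings


if __name__ == "__main__":
    for host, port, version, status in audit_scan(SAMPLE_SCAN):
        print(f"{host}:{port} negotiated {version}: {status}")
    print("client floor:", hardened_context().minimum_version.name)
```

The `below-floor` status is what separates "compliant with the letter of Appendix A2" (TLS 1.1) from the TLS 1.2 floor the example enforces; an assessor working strictly to the appendix would only count the `must-migrate` and POI rows, so keep the distinction visible in the migration plan rather than collapsing it.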
Appendix A3: Designated Entities Supplemental Validation (DESV)
This Appendix applies only to entities designated by a payment brand(s) or acquirer as requiring additional validation of existing PCI DSS requirements. Examples of entities that this Appendix could apply to include:
• Those storing, processing, and/or transmitting large volumes of cardholder data,
• Those providing aggregation points for cardholder data, or
• Those that have suffered significant or repeated breaches of cardholder data.
Note: An entity is required to undergo an assessment according to this Appendix ONLY if instructed to do so by an acquirer or a payment brand.
ControlCase Products and Solutions
Learn more about continual compliance ….
Compliance as a Service (CaaS)
Integrated compliance
Sample questions from the integrated compliance questionnaire, each mapped to PCI DSS 2.0, PCI DSS 3.0, ISO 27002:2013, SOC2, HIPAA and NIST 800-53 references (columns with no reference for a row are omitted):

Question 37: Provide the data encryption policy explaining the encryption controls implemented for secure storage of cardholder data (e.g. encryption, truncation, masking etc.), applicable for applications, databases and backup tapes.
Evidence: Screenshots showing that full PAN data is encrypted with strong encryption while stored (database tables or files); the captured details should also show the encryption algorithm and strength used. For backup tapes, a screenshot showing the encryption applied through the backup solution (algorithm and strength, e.g. AES 256 bit).
Security Posture QA: QSA to verify that encryption is appropriate OR compensating controls are per ControlCase standard.
References: PCI DSS 2.0: 3.4.a, 3.4.b, 3.4.c, 3.4.d; PCI DSS 3.0: 3.4; ISO 27002:2013: 10.1.1, 18.1.5; HIPAA: 164.312(a)(1)

Question 38: If disk encryption is used for cardholder data, is logical access to the encrypted file system separate from native operating system user access? (Provide adequate evidence showing that logical access to the local operating system and to the encrypted file system use separate user authentication.)
Security Posture QA: QSA to verify that encryption is appropriate OR compensating controls are per ControlCase standard.
References: PCI DSS 2.0: 3.4.1.a; PCI DSS 3.0: 3.4.1; ISO 27002:2013: 10.1.2; HIPAA: 164.312(a)(1)

Question 39: Provide evidence showing restricted access control for Data Encryption Keys (DEK) and Key Encryption Keys (KEK) at rest.
Security Posture QA: QSA to verify that encryption is appropriate OR compensating controls are per ControlCase standard.
References: PCI DSS 2.0: 3.5; PCI DSS 3.0: 3.5.2; ISO 27002:2013: 10.1.2; HIPAA: 164.312(a)(1)

Question 40: Provide evidence showing the exact locations where encryption keys are stored (keys should be stored in the fewest possible locations).
References: PCI DSS 3.0: 3.5.3; ISO 27002:2013: 10.1.2; HIPAA: 164.312(a)(1)
Why Choose ControlCase?
• Global Reach
› Serving more than 400 clients in 40 countries and rapidly growing
• Certified Resources
› PCI DSS Qualified Security Assessor (QSA)
› QSA for Point-to-Point Encryption (QSA P2PE)
› Certified ASV vendor
› Certified ISO 27001 Assessment Department
› EI3PA Assessor
› HIPAA Assessor
› HITRUST Assessor
› SOC1, SOC2, SOC3 Assessor
› Shared Assessments AUP/SIG
To Learn More About PCI Compliance…
• Visit www.controlcase.com
Thank You for Your Time