Thoughts on PCI DSS 3.0. D. Timothy Hartzell CISSP, CISM, QSA, PA-QSA Associate Director

Transcription

1 Thoughts on PCI DSS 3.0 D. Timothy Hartzell CISSP, CISM, QSA, PA-QSA Associate Director

2 Agenda Global Payment Card Statistics and Trends PCI DSS Overview PCI DSS Version 3.0: Important Timelines 4 PCI DSS Version 3.0: Changes 5 Next Steps & Questions 2

3 Global Payment Card Statistics Need for the Payment Card Industry Data Security Standard (PCI DSS) Issuers, merchants, and acquirers of credit, debit, and prepaid general purpose and private label payment cards worldwide experienced gross fraud losses of $11.27 billion in 2012, up 14.6% over the prior year, according to The Nilson Report, a leading payment industry newsletter. Of that $11.27 billion, card issuers lost 63% and merchants and acquirers lost the other 37%. Fraud as percentage of total volume was lowest for PIN-based debit networks worldwide at 1.10 per $100 in total volume. The global brand cards Visa, MasterCard, American Express, UnionPay, Diners Club, and JCB averaged fraud losses of 6.13 for every $100 in total volume. Card issuer losses occur mainly at the point of sale from counterfeit cards. Issuers bear the fraud loss if they give merchants authorization to accept the payment. Merchant and acquirer losses occur mainly on card-not-present (CNP) transactions on the Web, at a call center, or through mail order because issuers can chargeback fraudulent transactions. 3 Source:

4 PCI DSS Overview The Payment Card Industry Data Security Standard (PCI DSS) The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that store, process or transmit credit card information maintain a secure environment. About PCI DSS U.S. Purchase Volume - Consumer vs. Commercial Cards The PCI DSS is administered and managed by the PCI Security Standards Council (SSC), an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB.). PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accept, transmit or store any cardholder data. Said another way, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply. 4 Source:

5 PCI DSS Version 3.0 Aims and Objectives Earlier this year, the PCI Security Standards Council (PCI SSC) announced the release of a new version of the PCI Data Security Standard (PCI DSS) Version 3.0. The new version aims to do the three things: PCI DSS Version 3.0 Aims and Objectives Address emerging and evolving threats to cardholder data security by clarifying existing requirements; Provide additional guidance on how to comply with the standard; Introduce new requirements to bring the standard in line with emerging threats and changes in the market 5 Source: INFORMATION TECHNOLOGY FLASH REPORT-Understanding PCI DSS Version 3.0 Key Changes and New Requirements

6 PCI DSS Version 3.0: Important Timelines Recognizing that additional time may be necessary to implement some of these sub-requirements, the Council has given companies that process payment cards a full year to comply with the new standard. During 2014, both versions 2.0 and version 3.0 are available and companies can validate to either version. Discussion at the North American Community Meeting in Las Vegas on September. Sept, 2013 Effective date of version 3.0 of the Standard Jan 1, 2014 Some of the Subrequirements for 12 core security areas will remain best practices June 30, 2015 Sep, 2013 The detailed Summary of Changes and draft versions of the Standards was shared with Participating Organizations and the assessment community Nov, 2013 Introduction of PCI DSS Version 3.0 Dec 31, 2014 Version 2.0 will sunset and only version 3.0 will be valid for validations in Source: Data Security Standard and Payment Application Data Security Standard: Version 3.0 Change Highlights

7 PCI DSS Version 3.0: Changes Overview The new standard Version 3 has brought with it policy and procedural changes that will impact the security of the entire electronic payment ecosystem. The core 12 security areas remain the same, but the updates include several new sub-requirements that did not exist previously. The updated standards will help organizations not by making the requirements more prescriptive, but by adding more flexibility and guidance for integrating card security into their business-as-usual activities. The changes will provide increased stringency for validating that these controls have been implemented properly, with more rigorous and specific testing procedures that clarify the level of validation the assessor is expected to perform. Overall, the changes are designed to give organizations a strong but flexible security architecture with principles that can be applied to their unique technology, payment, and business environments. 7 Source: Data Security Standard and Payment Application Data Security Standard: Version 3.0 Change Highlights

8 PCI DSS Version 3.0: Change Drivers Common challenge areas and drivers for change include: 1 Lack of education and awareness around payment security 2 Weak passwords, authentication Challenge Areas 3 Third-party security challenges 4 Slow self-detection, malware 5 Inconsistency in assessments 8 Source: Data Security Standard and Payment Application Data Security Standard: Version 3.0 Change Highlights

9 Updated Versions Of PCI DSS: Focus Areas Provide stronger focus on some of the greater risk areas in the threat environment Provide increased clarity on PCI DSS requirements Build greater understanding on the intent of the requirements and how to apply them Improve flexibility for all entities implementing, assessing, and building to the standard Drive more consistency among assessors Help manage evolving risks / threats Align with changes in industry best practices Clarify scoping and reporting Eliminate redundant sub-requirements and consolidate documentation 9 Source:

10 PCI DSS 3.0 Compliance Changes Version 3 of the PCI DSS includes five new requirements that are to be considered best practices until they officially become compliance requirements in mid Unique authentication credentials for service providers with access to customer environments 9.9 Protection of pointof-sale (POS) devices from tampering The 5 New Requirements Broken authentication and session management 12.9 Additional requirement for service providers on data security 11.3 Developing and implementing a methodology for penetration testing 10 Source:

11 PCI DSS Version 3.0: Most Notable Changes (1/3) Notable Most Notable A Higher Bar to Achieve Segmentation Specifically, scoping has been clarified to indicate that system components include, Any component or device located within or connected to the [cardholder data environment]. The new language also states that the PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment Additionally, a new requirement has been added requiring that if segmentation is used, penetration testing procedures are designed to test all segmentation methods to confirm they are operational and effective, and isolate all out-of-scope systems from in-scope systems. As further clarity, the standard states that, To be considered out of scope for PCI DSS, a system component must be properly isolated (segmented) from the CDE such that even if the out-of-scope system component was compromised it could not impact the security of the CDE. The additional focus on connected systems likely expands (potentially greatly) the number of systems considered in-scope for many organizations. For example, in most networks using Windows Activity Directory security, a compromise of systems outside the CDE could impact the CDE and then could be considered in-scope for the PCI assessment. 11 Source: INFORMATION TECHNOLOGY FLASH REPORT-Understanding PCI DSS Version 3.0 Key Changes and New Requirements

12 PCI DSS Version 3.0: Most Notable Changes (2/3) Notable Most Notable Hosted Payment Pages Are No Longer A silver bullet PCI DSS 3.0 offers a new definition of system components: System components include systems that may impact the security of the CDE (for example web redirection servers). Up until now, web servers had been considered out-of-scope if they used iframes, hosted payment pages or other redirection technologies to prevent cardholder data from touching the merchant s systems. Under the new standard, all of these servers fall in-scope and, due to the new segmentation requirement, likely bring the rest of a company s network into scope as well. The only out for companies that lack the ability to ensure the security of web servers internally remains fully outsourcing the web infrastructure. Larger Samples The new standard requires larger samples. Specifically, Samples of system components must include every type and combination that is in use. For example, where applications are sampled, the sample must include all versions and platforms for each type of application. 12 Source: INFORMATION TECHNOLOGY FLASH REPORT-Understanding PCI DSS Version 3.0 Key Changes and New Requirements

13 PCI DSS Version 3.0: Most Notable Changes (3/3) Notable Most Notable Larger Samples For merchants undergoing a third party assessment or Level 1 merchants that self assess, the level of effort in the validation process is likely to increase. POS Physical Controls In response to recent attacks in which POS devices have been physically modified to capture card holder data, there is a new set of control requirements around physical security for POS devices. First, merchants must maintain an inventory of POS devices, which must be identified in detail, including the location and serial number of each device. Additionally, POS devices must be inspected periodically for tampering, and employees at POS locations must be trained in how to detect and prevent device tampering. 13 Source: INFORMATION TECHNOLOGY FLASH REPORT-Understanding PCI DSS Version 3.0 Key Changes and New Requirements

14 PCI DSS Version 3.0: Other Changes (1/3) In PCI DSS 3.0, there are updates that, while less likely to impact the payment processing structure significantly within organizations, are still noteworthy: Notable Most Notable PCI DSS Update Implications 1 Default accounts The previous requirement stated only that default passwords should not be used. Default accounts have to be disabled or removed whenever possible 2 Inventory of system components Companies must maintain an inventory of system components that are inscope for PCI DSS This will support effective scoping practices 3 Disk encryption Logical access must be managed separately and independently of native operating system authentication and access control mechanisms Active Directory credentials may no longer be acceptable to manage disk encryption 4 Split knowledge/dual control For manual clear-text operations, two people are required to perform any keymanagement operations (such as rotating keys). This would mean not only that knowledge of the key must be split, but also that the account that provides access to any key management functionality must also be split 14 Source: INFORMATION TECHNOLOGY FLASH REPORT-Understanding PCI DSS Version 3.0 Key Changes and New Requirements

15 PCI DSS Version 3.0: Other Changes (2/3) Notable Most Notable PCI DSS Update Implications 5 Custom developers Procedures for secure development and code review now applies to all software developed internally as well as custom software developed by a third party. This means that any developers with whom a company works will need to be required contractually to comply with the updated PCI standard 6 Vulnerability scans don t meet requirements for web application security PCI DSS 3.0 makes this clear vulnerability scans are not sufficient 7 Service providers must use a unique password for each customer This applies only to Service Providers Many of Service provider still use the same password for the service account for every customer. This is not permitted after June 30, Unique certificates Merchants who use certificates, smart cards or tokens must ensure these security items are unique and tie to an individual account If employees were to swap tokens, they would not be able to log on 9 Inventory of wireless access points Merchants and SPs must maintain an inventory of authorized wireless access points along with a business justification for each 15 Source: INFORMATION TECHNOLOGY FLASH REPORT-Understanding PCI DSS Version 3.0 Key Changes and New Requirements

16 PCI DSS Version 3.0: Other Changes (3/3) Notable Most Notable PCI DSS Update Implications 10 More frequent risk assessments Now be performed upon any significant changes to the environment, as well as annually 11 Expansion of service providers required to be in compliance The new standard expands this requirement to include all Service Providers that could affect the security of the cardholder data. Additionally, companies must maintain information on which PCI DSS requirements are managed by each SP and which are managed by the company. This expansion adds many more Service Providers to the list, including custom developers, hosting providers and managed security service providers 16 Source: INFORMATION TECHNOLOGY FLASH REPORT-Understanding PCI DSS Version 3.0 Key Changes and New Requirements

17 Key Takeaways The changes in PCI DSS 3.0 are likely to result in significant additional effort for companies processing credit card payments 1 The bar for Segmentation is raised Point-to-point encryption as a more valuable scope reduction strategy This technology encrypts card data at the point of swipe and maintains that encryption all the way to the processor such that the merchant cannot ever decrypt the data. Use of point-to-point encryption remains one of the most effective ways to reduce PCI scope. 2 Merchants and service providers alike will require time to address these new requirements and expanded scoping. 3 Nevertheless, those entities that are able to implement the new rules effectively can gain competitive advantage and ensure better protection of personal payment information, as well as avoid serious reputational harm caused by unauthorized exposure of customers credit card data.. 17 Source: INFORMATION TECHNOLOGY FLASH REPORT-Understanding PCI DSS Version 3.0 Key Changes and New Requirements

18 Next Steps Be aware, changes are here Gap assess against new requirements Especially around scope! Continue to monitor the PCI SSC website for updates and clarification Look for reporting templates and information supplements Ask your QSA for their interpretation of each new information supplement as it relates to your environment - remember these are immediately effective 18

19 Questions 19

20 Confidentiality Statement and Restriction for Use 20 This document contains confidential material proprietary to Protiviti Inc. ("Protiviti"), a wholly-owned subsidiary of Robert Half ("RHI"). RHI is a publicly-traded company and as such, the materials, information, ideas, and concepts contained herein are non-public, should be used solely and exclusively to evaluate the capabilities of Protiviti to provide assistance to your Company, and should not be used in any inappropriate manner or in violation of applicable securities laws. The contents are intended for the use of your Company and may not be distributed to third parties.