PCI Self-Assessment: PCI DSS 3.0

Transcription

1 PCI Self-Assessment: PCI DSS 3.0 Achieving PCI DSS 3.0 Compliance with our PCI Self-Assessment tool (Author: Heinrich Van Der Westhuizen, Director) Requirement PCI DSS update Purpose/need Addressed 1 Have a current To clarify that diagram that shows documented cardholder cardholder data flows. data flows are an important component of network diagrams. pci-selfassessment.com solution Policy upload feature Clients will be able to upload and maintain network diagrams including card holder dataflow. 2 Maintain an inventory of system components in scope for PCI DSS. To support effective scoping practices. Policy review dates All policies uploaded will be forced to be reviewed within 3, 6 or 12 months. By default, all policies must be reviewed at least once a year. PCI compliance strategy The cardholder data flow diagram will form part of the PCI compliance strategy that forms part of the PCI scope. No new assets will be allowed to be registered outside the compliance strategy. Asset register All PCI assets are maintained on our PCI asset register and associated to an owner. All risks associated with the asset fall under the responsibility of the asset owner to resolve. Asset location All assets are linked to specific locations and configured as such in compliance with the PCI compliance strategy. This is to translate the PCI compliance strategy into day to day operation. Asset type All asset locations will have asset types that are expected to be located in them and this makes it easier to group assets and align them with the PCI

2 5 Evaluate evolving malware threats for systems not commonly affected by malware. 6 Update list of common vulnerabilities in alignment with OWASP, NIST, SANS, etc., for inclusion in secure coding practices. 8 Security considerations for authentication mechanisms such as physical security tokens, smart cards, and certificates. 9 Protect POS terminals and devices from tampering or substitution. To promote ongoing awareness and due diligence to protect systems from malware. To keep current with emerging threats. To address feedback that requirements for securing authentication methods other than passwords need to be included. To address need for physical security of payment terminals. compliance strategy. Asset policies and procedures With Asset location and asset types defined, we align the appropriate policies and procedures to them as a result, all new assets will inherit the policies and procedures Technical compliance baselines All assets will have a minimum technical baseline applicable to all assets in the PCI zone and this will include malware protection updates. Technical risk board we mandate the inclusion of technical risk review board to be included in the PCI compliance strategy. Policies and procedures software coding policies will be enforced and included as part of the strategy. PCI Change management all change requests where software is identified will be required to comply with the PCI software coding policy and required to be located in the pre-approved PCI zone, thereby inheriting the other policies and procedures. PCI Change management all change requests where authentication is identified will be required to comply with the PCI authentication policy as a baseline and required to be mandated on all projects and assets. PCI Asset register Each PCI asset will be assessed in order to ensure that they comply with all PCI security policies. PCI Asset register Each PCI asset, including POS terminals, their locations and will be assessed in order to ensure that

3 11 Implement a methodology for penetration testing, and perform penetration tests to verify that the segmentation methods are operational and effective. 12 Maintain information about which PCI DSS requirements are managed by service providers and which are managed by the entity. Service providers to acknowledge responsibility for maintaining applicable PCI DSS requirements General General Clarified that sensitive authentication data must not be stored after authorization even if PAN not present Added guidance for implementing security into business as usual (BAU) activities and best practices fir maintaining on going PCI DSS compliance. To address requests for more details for penetration tests, and for more stringent scoping verification. To address feedback from 3 rd party Security Assurance SIG To ensure better understanding of protection of sensitive authentication data To address compromises where the organisation had been PCI DSS compliant but did not maintain that status. Recommendation focus is on helping organisations take a proactive approach to protect cardholder data that focuses on security, not compliance and they comply with all PCI security policies. PCI policy and procedure Penetration testing is included as part of the policies required and updated quarterly. Segmentation is included as part of the PCI compliance technical strategy that is adopted. PCI 3 rd party register we maintain a PCI 3rd party register which includes all the assets and projects managed by the 3rd party. It also allows the 3 rd party to maintain a risk register in order to ensure any risks associated with Privacy Impact Assessment All 3rd parties are required to undergo Privacy impact assessment and this includes privacy risks associated with the PCI estate. PCI risk assessment each project and asset undergoes a PCI risk assessment and risks associated managed via the risk register. PCI policies we reuse existing policies and procedures and incorporate PCI requirements in order to make them manageable

4 Multiple Incorporate security policy/procedure requirements into each requirement 2 Clarified that changing default password is required for application/service accounts as well as user accounts 3 Provided flexibility with more options for secure storage of cryptographic keys, and clarified principles of split knowledge and dual control. 8 Provided increased flexibility in password strength and complexity to allow for variations that are equivalent. Revised password policies to include guidance for users on choosing strong passwords, protecting their credentials, and changing passwords upon suspicion of Compromise. makes PCI DSS a business as usual practice. To address feedback that policy topics should closely align with the related technical PCI DSS requirement To address gaps in basic password security practices that are leading to compromises To clarify common misunderstandings about key management. To address feedback on improving password security. Changes focus on increased flexibility and user guidance rather than new requirements. PCI roles and responsibilities - PCI compliance policies Our suite of policies adopts current security policies and procedures into the PCI requirements. Password baseline All systems will inherit password baseline that will be made available to all systems and assets to adopt, it will include confirmation of default password changes. PCI Compliance strategy The technical baseline will mandate the gathering daily logs from systems and make them available to systems for the identification of suspicious activities. Password baseline All systems will inherit password baseline that will be made available to all systems and assets to adopt.

5 10 Clarified the intent and scope of daily log reviews. To help entities focus log-review efforts on identifying suspicious activity and allow flexibility for review of less-critical logs events, as defined by the entity s risk management strategy. PCI Compliance strategy The technical baseline will mandate the gathering daily logs from systems and make them available to systems for the identification of suspicious activities. Introduction to pci-selfassessment.com Inherent compliance strategy: Ground up approach

6 Scope definition PCI Asset type definition

7 PCI compliance dashboard PCI risk assessment

8 Policy register