PCI DSS 3.0 : THE CHANGES AND HOW THEY WILL EFFECT YOUR BUSINESS

Transcription

1 PCI DSS 3.0 : THE CHANGES AND HOW THEY WILL EFFECT YOUR BUSINESS CIVICA Conference 22 January 2015

2 WELCOME AND AGENDA Change is here! PCI-DSS 3.0 is mandatory starting January 1, 2015 Goals of the session Compliance as Business as Usual Review the high-level areas that will shift Clarify why the change happened; with support from what we re already seeing in our assessments and our investigations Identify opportunities for you to prepare your organization

3 PCI DSS Lifecycle

4 COMPLIANCE AS BUSINESS AS USUAL

5 COMPLIANCE AS BUSINESS AS USUAL Compliance point of view Duty of care. Move toward compliance as business as usual and a reminder of ongoing responsibility. Businesses are also expected to stay aware of the changes to the standard.

6 COMPLIANCE AS BUSINESS AS USUAL Investigations point of view Security is 24/7 X 365 not just when the assessor coming. Depending on the service provider or merchant level, the Investigator will ask you about your last PCI assessment. What was in scope? What was actually assessed? Do you have a current network diagram? Has anything changed between assessments? What is your PCI assets inventory?

7 SPECIFIC REQUIREMENT UPDATES 1 Change Drivers 2 Penetration Testing rigidity 3 Scope change for e-commerce redirect merchants SAQ A vs. SAQ A-EP 4 Adjustment to Anti-virus requirement 5 Service Provider requirements 6 POS physical protection 7 Log review specifications 8 Assess data in memory

8 Change Drivers Perceived Weaknesses The PCI Standards are updated based on feedback from the industry, per the standards development lifecycle as well as in response to current market needs. Common challenge areas and drivers for change include: Lack of education and awareness Weak passwords, authentication Third-party security challenges Slow self-detection, malware Inconsistency in assessments

9 PEN TEST REQUIREMENT RIGIDITY Compliance point of view New requirement to implement a methodology for penetration testing. Effective July 1, 2015 Is based on industry-accepted penetration testing approaches (for example, NIST SP ) Includes testing from both inside and outside the network Includes review and consideration of threats and vulnerabilities experienced in the last 12 months New requirement, if segmentation is used to isolate the CDE from other networks, to perform penetration tests to verify that the segmentation methods are operational and effective Do you have an adequate threat research capability?

10 E-COMMERCE REDIRECT MERCHANTS Compliance point of view Clarification of what is in scope: Systems that provide security services (for example, authentication servers), facilitate segmentation (for example, internal firewalls), or may impact the security of (for example, name resolution or web redirection servers) the CDE. Affects e-commerce redirect merchants These websites are a key security control for the flow of CHD into the CDE. They therefore are required to apply PCI security controls.

11 SAQ A Versus SAQ A-EP Big Changes for E-commerce Merchants

12 SAQ A-EP Overview Why was this new SAQ created? Who does it apply to? When do merchants have to start using it? What is included in this new document?

13 E-COMMERCE REDIRECT MERCHANTS Investigations point of view Have seen many examples of iframes and e-commerce pages modified to intercept information and PII and cardholder information stolen in this process. While redirects are a more convenient way to do business, security of these system(s) still needs to be monitored closely.

14 ADJUSTMENT TO AV REQUIREMENT Compliance point of view New requirement to evaluate evolving malware threats for any systems not considered to be commonly affected by malicious software. New requirement to ensure that anti-virus solutions cannot be disabled or altered by users unless specifically authorized by management on a per-case basis Configured to perform automatic updates. Configured to perform regular scans.

15 ADJUSTMENT TO AV REQUIREMENT Investigations point of view You have a lock on your house, do you lock it? AV controls should be treated the same way. Attackers will disable it or even make exceptions for their malware. Do you have adequate procedures and technology to prevent employee misuse?

16 SERVICE PROVIDER REQUIREMENTS Compliance point of view Authentication Credentials New requirement for service providers with remote access to customer premises, to use unique authentication credentials for each customer. Effective July 1, 2015 New Agreements Service Provider Agreements MUST articulate what they re responsible for

17 SERVICE PROVIDER AUTH CREDENTIALS Investigations point of view

18 SERVICE PROVIDER AUTH CREDENTIALS Investigations point of view Several recent investigations with different merchants from different states all had one thing in common: The remote access password. Passwords are often the first line of defense. Does your SP rotate passwords? Does it require two-factor auth? Do you have a vendor risk management process in place?

19 POS PHYSICAL PROTECTION Compliance point of view New requirement to protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution. Effective July 1, 2015 Essential Requirement: Maintain a list of devices Periodically inspect devices to look for tampering or substitution Train personnel to be aware of suspicious behavior and to report tampering or substitution of devices.

20 IMPROVING LOG REVIEWS Investigations point of view In almost every single case that we ve seen there was never a process to do log reviews, especially when these were done in house ability to monitor 24/7 is ideal. No supporting evidence at the border (Firewalls, Router, or IDS/IPS). If logging is not enabled, an organization will have no way to detect if they are compromised. Logging also allows the investigators to trace back to the origin, which in some cases can aid law enforcement in a successful apprehension. Do you have 24x7 log review coverage? Do you have sufficient expertise and analytical processing capability?

21 ASSESS DATA IN MEMORY Investigations point of view

22 ASSESS DATA IN MEMORY Compliance point of view Proposal to drive awareness of how CHD or SAD is handled in memory. Proposal to require documentation that discusses how CHD or SAD is protected while being processed in memory.

23 ASSESS DATA IN MEMORY Investigations point of view Investigations point of view Attackers will find the weakest link in your payment application. Developers have put more thought about protecting data at rest. Encryption/Tokens 49.9% of the compromised system data was in memory. If you re developing an application ask yourself this: Do your developers have an adequate security and threat research background to understand emerging threats?

24 IN A NUTSHELL Improved Education / Awareness Increased Flexibility Moving towards a sensible risk based approach Responsibility for everyone to consider security

25 THANK YOU