Transitioning from PCI DSS 2.0 to 3.1 What You Need to Know April, 2015 Emma Sutcliffe, Director, Data Security Standards
About the PCI Council Founded in 2006 - Guiding open standards for payment card security Development Management Education Awareness
PCI Core Security Standards Protection of Cardholder Payment Data Manufacturers PCI PTS Pin Entry Devices Software Developers PCI PA-DSS Payment Applications Merchants & Service Providers PCI DSS Secure Environments PCI Security & Compliance P2PE Ecosystem of payment devices, applications, infrastructure and users
More PCI Standards and Programs PCI HSM Security Requirements PCI PIN Security Requirements Terminal Software Security Guidelines ATM Guidelines document PCI Card Production Mobile Best Practices Qualified Integrator and Reseller Tokenization Product Security Guidelines
The Standards Continually Evolve Feedback Research Threat Landscape
Feedback and Involvement Board of Advisors Executive Committee Participating Organizations Standards & Operations Committees Task Forces & Working Groups Special Interest Groups
Happy New Year! 1 st January 2015 PCI DSS v3.0
At a Glance PCI DSS v2.0 to v3.0 12 core security principles of PCI DSS remain Some new sub-requirements that impact PCI DSS security efforts Future implementation dates provided for more significant changes Guidance on business as usual Enhanced testing procedures to clarify level of validation expected for each requirement Aligned language between requirements and testing procedures for consistency Added Guidance Column to clarify intent of each requirement Separate from Report on Compliance (ROC) reporting template
New Requirements Effective July 1 st 2015 6.5.10 Develop web applications to protect against broken authentication and session management 8.5.1 9.9 Service providers use a unique authentication credential for each customer Protect card-reading devices used to capture payment card data from tampering and substitution 11.3* Implement a methodology for penetration testing 12.9 12.8 for service providers acknowledgement of responsibility * PCI DSS v2.0 requirements for penetration testing must be followed until v3 is in place.
PCI DSS v3.1
Types of Changes Change Type Clarification Additional guidance Evolving Requirement Definition Clarifies intent of requirement. Ensures that concise wording in the standards portrays the desired intent of requirements. Explanation, definition and/or instruction to increase understanding or provide further information or guidance on a particular topic. Changes to ensure that the standards are up to date with emerging threats and changes in the market.
PCI DSS v3.1 Key Themes Clarification & Guidance Evolving Requirements
Summary of Changes
PCI DSS v3.1 Change highlights Corrections to format and typographical errors Clarification of language to promote understanding & consistency Clarification & Guidance Updates to guidance column Removal of redundant language Updated compensating control example
PCI DSS v3.1 Change highlights Requirement 3.4 new testing procedure to address hashed and truncated PAN in the same environment Clarification & Guidance Requirement 6.6 updated testing procedure to clarify WAF alerts are immediately investigated Requirement 4.2 Included SMS as an example of end-user messaging technology and added guidance Emphasized requirements and testing procedures that apply only if the entity is a service provider
PCI DSS v3.1 Change highlights Testing Procedure 9.9.1 clarification that both devices and device location be observed Requirement 10.6.1 address concerns about daily log monitoring applying to out-of-scope systems Clarification & Guidance Requirement 11.3.4 clarified penetration testing is to verify out-of-scope systems are segmented from systems in the CDE Testing Procedure 12.9 clarification for assessors to review templates rather than actual agreements
PCI DSS v3.1 Change highlights Evolving Requirements SSL and early TLS no longer considered to be strong cryptography PCI DSS Requirements 2.3, 2.2.3 and 4.1
Addressing SSL in PCI DSS v3.1 Summary of approach SSL and early versions of TLS are not considered strong cryptography Future sunset date for using these protocols as a security control will be defined to allow time to migrate New implementations should not use SSL or early versions of TLS Existing implementations will need to have a documented plan to address risk mitigation during migration Allowance for POS POI terminals (and the SSL/TLS termination points to which they connect) that can be verified as not being susceptible to any known exploits
New and Existing Implementations What is a new implementation? What is an existing implementation?
POS POI Environments Why allowance for POI environments?
ASV Scans How do SSL vulnerabilities affect ASV scan results?
Additional Guidance Information Supplement Clarification on new vs. existing implementations Guidance on allowances for POS POI environments Suggestions/examples of risk mitigation techniques Suggestions/examples on alternative cryptographic options Webinar Available on PCI SSC website
Where Do I Begin with the Migration Process? Suggested steps: Identify all system components and data flows that use/support vulnerable protocols Identify business and/or technical need for using the vulnerable protocol Immediately remove or disable instances without a supporting business or technical need Identify technologies to replace the vulnerable protocols Document a migration project plan Implement risk reduction controls Perform migrations and follow change control procedures Update system configuration standards as migrations are completed
Understanding PCI DSS v3.1 Review Summary of Changes, FAQs and Information Supplement Work with PCI DSS coordinator, departments involved with payments, and your acquirer or payment brands to understand key questions Determine if SSL or early TLS is used in your environment Plan migration according to PCI DSS and supporting guidance
What Else? Supporting documents will also be updated Self-assessment Questionnaires (SAQs) Attestations of Compliance (AOCs) Reporting Templates PCI DSS Glossary of Terms, Abbreviations, and Acronyms Prioritized Approach FAQ Knowledgebase
PCI DSS v3.1 Key Themes Clarification & Guidance Evolving Requirements
Recent Bulletins & Webinars Shellshock GHOST Backoff
Tokenization Product Security Guidelines Technical best practices Security considerations include: Token generation How tokens are retained for use (e.g. in back office systems) and storage Secure implementation controls to address potential attack vectors and mitigate associated risks Just Released!
Special Interest Groups Recent Publication Penetration Testing Guidance Difference between vulnerability scans and penetration tests Qualifications of a penetration tester Penetration testing methodology Penetration test reporting guidance and template
Making Payment Security Business-as-Usual
Maintaining PCI DSS Compliance
Compliance vs. Security
Challenges of Maintaining Compliance Reliance on annual assessments Pressure to meet customer demands Failing to adapt to changes
Implementing PCI DSS into BAU Processes Monitor security control operation Detect and respond to security control failures Understand how changes in the organization affect security controls Conduct periodic security control assessments
BAU Guidance Resources Guidance within PCI DSS Information Supplement: Best Practices for Maintaining PCI DSS Compliance
Partner with the Council
Training Highlights PCI Awareness Training PCI Essentials PCI Professional Program (PCIP) Internal Security Assessor (ISA) Online! Qualified Security Assessor (QSA) Qualified Integrators and Resellers (QIR) Program Corporate Group Training Let Us Come To You! To learn more, visit: www.pcisecuritystandards.org/training
The Formula for PCI Success + + = Technology Processes People Security
Maintaining Security is Running a Marathon, not a Sprint
Save the Dates Community Meetings 2015
Please visit our website at www.pcisecuritystandards.org
Questions?