PCI 3.1 Changes Jon Bonham, CISA Coalfire System, Inc.
Agenda
- Introduction of Coalfire
- What does this have to do with the business office
- Changes to version 3.1
- EMV
- P2PE
- Questions and Answers
- Contact Information
Income Easier
What does this have to do with business? The decision to take cards was made in the business office. The contracts were signed by the business office. The part in the contract about always being PCI compliant was signed by the business office.
What you signed up for.
Business Office
- Business Need
- Business Solution
- Business Responsibilities
With help from the IT Department, and with help from the merchants and their staff.
VERSION 2.0 TO 3.1 CHANGES
New SAQ Validation Types
| SAQ Validation Type | Description | # of Questions v3.0 | Change from v2.0 | ASV Scan Required v3.0 | Penetration Test Required v3.0 |
|---|---|---|---|---|---|
| A | Card-not-present merchants: all payment processing functions fully outsourced, no electronic cardholder data storage | 14 | +1 | No | No |
| A-EP | E-commerce merchants re-directing to a third-party website for payment processing, no electronic cardholder data storage | 139 | NEW | Yes | Yes |
| B | Merchants with only imprint machines or only standalone dial-out payment terminals: no e-commerce or electronic cardholder data storage | 41 | +12 | No | No |
| B-IP | Merchants with standalone, IP-connected payment terminals: no e-commerce or electronic cardholder data storage | 83 | NEW | Yes | No |
| C | Merchants with payment application systems connected to the Internet: no e-commerce or electronic cardholder data storage | 139 | +59 | Yes | Yes |
| C-VT | Merchants with web-based virtual payment terminals: no e-commerce or electronic cardholder data storage | 73 | +22 | No | No |
| D-MER | All other SAQ-eligible merchants | 326 | +38 | Yes | Yes |
| D-SP | SAQ-eligible service providers | 347 | NEW | Yes | Yes |
| P2PE | Hardware payment terminals in a validated PCI P2PE solution only: no e-commerce or electronic cardholder data storage | 35 | NEW | No | No |
PCI DSS 3.1 Goals
The PCI SSC is pushing the concept of ongoing or continuous compliance management.
- Monitoring of security controls
- Detect and respond to failures in security controls
- Review all changes to the environment
- Organization structure changes
- Periodic reviews
- Annual hardware/software review
PCI DSS 3.1 Scope and Segmentation
It's important to review the guidance on how to accurately determine the scope of a PCI DSS engagement and the intent of segmentation. Successfully identifying the scope of your environment is always the key to a successful PCI DSS assessment.
Scope Identification Process
- Connected systems = in scope: systems connected to the CDE that have the ability to access cardholder data.
- Systems that have the ability to impact the security of the CDE.
- Identifying cardholder data outside of the CDE.
- What is your ongoing process?
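To make the scope identification process concrete, here is an added worked example (not part of the presentation or Coalfire's material) that applies the rules on this slide to a constructed inventory of hypothetical hosts and permitted network flows: systems handling cardholder data form the CDE, systems with a permitted flow to or from the CDE are connected-to systems, declared security services (directory, logging) can impact the security of the CDE, and any host where a discovery sweep finds cardholder data outside the documented CDE expands the scope. All hostnames, flows and the discovery result are assumptions.

```python
"""PCI DSS scoping pass over a constructed inventory (added example, not the presenter's tool).

Rules applied: hosts that store, process or transmit cardholder data (CHD) form the CDE;
hosts with a permitted flow to or from the CDE are connected-to systems; hosts that provide
a security service the CDE depends on can impact its security; CHD found outside the
documented CDE pulls that host into scope.
"""

# Constructed inventory of hypothetical hosts (what a PCI DSS 2.4-style inventory should hold).
INVENTORY = {
    "pos-01":     {"function": "POS terminal",            "handles_chd": True,  "security_service": False},
    "pay-app":    {"function": "payment application",     "handles_chd": True,  "security_service": False},
    "pay-db":     {"function": "transaction database",    "handles_chd": True,  "security_service": False},
    "dc-01":      {"function": "directory/auth server",   "handles_chd": False, "security_service": True},
    "siem":       {"function": "central log collector",   "handles_chd": False, "security_service": True},
    "jump-01":    {"function": "admin jump host",         "handles_chd": False, "security_service": False},
    "hr-web":     {"function": "HR intranet site",        "handles_chd": False, "security_service": False},
    "share-01":   {"function": "departmental file share", "handles_chd": False, "security_service": False},
    "guest-wifi": {"function": "guest wireless gateway",  "handles_chd": False, "security_service": False},
}

# Constructed list of flows the segmentation actually permits, as (source, destination).
# Anything not listed is assumed to be blocked by the firewall rules.
PERMITTED_FLOWS = [
    ("pos-01", "pay-app"),
    ("pay-app", "pay-db"),
    ("pay-app", "dc-01"),
    ("pay-db", "dc-01"),
    ("pay-app", "siem"),
    ("jump-01", "pay-app"),
    ("hr-web", "dc-01"),
    ("hr-web", "share-01"),
    ("guest-wifi", "hr-web"),
]

# Constructed result of a cardholder-data discovery sweep: hosts where CHD was actually found.
CHD_FOUND_ON = {"pay-db", "share-01"}


def cde_systems(inventory):
    """Hosts that store, process or transmit CHD."""
    return {host for host, attrs in inventory.items() if attrs["handles_chd"]}


def connected_systems(flows, cde):
    """Non-CDE hosts with a permitted flow to or from any CDE host (segmentation does not isolate them)."""
    connected = set()
    for src, dst in flows:
        if src in cde and dst not in cde:
            connected.add(dst)
        elif dst in cde and src not in cde:
            connected.add(src)
    return connected


def security_impacting_systems(inventory, cde):
    """Non-CDE hosts that provide a security service the CDE depends on."""
    return {host for host, attrs in inventory.items()
            if attrs["security_service"] and host not in cde}


def determine_scope(inventory, flows, chd_found_on):
    cde = cde_systems(inventory)
    connected = connected_systems(flows, cde)
    impacting = security_impacting_systems(inventory, cde)
    # CHD discovered where the inventory said there was none: the real CDE is larger than
    # the documented one, so these hosts are in scope until the data is removed or re-scoped.
    leaked = {host for host in chd_found_on if host not in cde}
    in_scope = cde | connected | impacting | leaked
    return {
        "cde": cde,
        "connected": connected,
        "security_impacting": impacting,
        "chd_outside_cde": leaked,
        "out_of_scope": set(inventory) - in_scope,
    }


if __name__ == "__main__":
    for category, hosts in determine_scope(INVENTORY, PERMITTED_FLOWS, CHD_FOUND_ON).items():
        print(f"{category:20s} {sorted(hosts)}")
```

Run the block as-is to see the categories; the interesting line is share-01, which the inventory called out of scope but the discovery sweep shows holding cardholder data. A connected-to host such as dc-01 also serves hosts that are not in scope (hr-web), which is exactly the kind of pivot the segmentation penetration test is meant to check.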
PCI DSS 3.1 Critical Changes to Penetration Testing
Expanded Penetration Testing Expectations: the penetration testing requirements are much more detailed and now require testing to validate segmentation technologies (best practice until July 2015).
PCI DSS 3.1 Flexible Changes to Existing Requirements
Requirement 6.6 Flexibility: added options to the interpretation of this requirement by changing "web-application firewall" to "automated technical solution that detects and prevents web-based attacks".
Password Complexity Flexibility: password complexity and strength requirements have been combined into a single requirement, and the PCI SSC now allows some flexibility in meeting these requirements.
PCI DSS 3.1 Critical Changes to Logging Requirements
New Logging Events: the logging requirement is enhanced to include stopping or pausing of the audit logs.
Log Reviews for Critical Components: daily or continuous log reviews have been split into two categories, critical systems and everything else.
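As an added example (not from the presentation), the following detector shows what the new logging event and the two review tiers look like in practice. It scans constructed log lines, loosely modelled on Linux auditd daemon records (DAEMON_END/DAEMON_ABORT/DAEMON_START) and on Windows event IDs 1100, 1102 and 4719, flags every stop, abort, clear or policy change of audit logging, measures the gap until the audit daemon restarted, and tags each alert with the review tier (daily for hosts on a constructed critical-systems list, periodic for everything else). Hostnames, timestamps and the line format are assumptions.

```python
"""Detect stopping/pausing of audit logs and tag alerts with their review tier (added example)."""
import re
from datetime import datetime

# Constructed list of the hosts this organisation treats as critical (daily log review).
CRITICAL_SYSTEMS = {"pay-app", "pay-db", "dc-01"}

# Linux auditd daemon record types meaning auditing stopped; these record types exist in auditd.
AUDITD_STOP_TYPES = {"DAEMON_END": "audit daemon stopped",
                     "DAEMON_ABORT": "audit daemon aborted"}
AUDITD_START_TYPE = "DAEMON_START"

# Windows event IDs meaning logging was shut down, wiped, or had its policy changed.
WINDOWS_STOP_EVENTS = {1100: "event logging service shut down",
                       1102: "audit log cleared",
                       4719: "system audit policy changed"}

# Constructed sample log (hypothetical hosts and times): "<ISO time> <host> <source> <payload>".
SAMPLE_LOG = """\
2015-07-01T02:14:07Z pay-db auditd type=DAEMON_END msg=audit(1435716847.120:9001): op=terminate auid=0 pid=991 res=success
2015-07-01T02:14:09Z pay-db auditd type=DAEMON_START msg=audit(1435716849.002:9002): op=start ver=2.4 auid=0 pid=1011 res=success
2015-07-01T03:30:00Z hr-web auditd type=DAEMON_END msg=audit(1435721400.000:120): op=terminate auid=0 pid=311 res=success
2015-07-01T04:02:55Z pay-app windows EventID=1102 Channel=Security Message="The audit log was cleared."
2015-07-01T04:03:10Z pay-app windows EventID=4624 Channel=Security Message="An account was successfully logged on."
2015-07-01T05:10:00Z share-01 windows EventID=1100 Channel=Security Message="The event logging service has shut down."
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<source>auditd|windows) (?P<rest>.*)$")
AUDITD_TYPE_RE = re.compile(r"type=(?P<type>[A-Z_]+)")
WINDOWS_ID_RE = re.compile(r"EventID=(?P<id>\d+)")


def parse_ts(ts):
    # fromisoformat accepts a trailing "Z" only from Python 3.11 on, so normalise it first.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def review_tier(host):
    return "daily" if host in CRITICAL_SYSTEMS else "periodic"


def find_logging_gaps(log_text):
    """One alert per stop/abort/clear/policy-change event, with the gap in seconds until the
    audit daemon came back (None if no restart was seen)."""
    alerts = []
    open_stops = {}  # host -> index of its most recent auditd stop alert without a restart
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # only the constructed line format above is handled
        host, source, rest = m.group("host"), m.group("source"), m.group("rest")
        when = parse_ts(m.group("ts"))
        event = description = None
        if source == "auditd":
            t = AUDITD_TYPE_RE.search(rest)
            rtype = t.group("type") if t else None
            if rtype == AUDITD_START_TYPE and host in open_stops:
                idx = open_stops.pop(host)  # restart closes the gap opened by the stop
                alerts[idx]["gap_seconds"] = (when - alerts[idx]["time"]).total_seconds()
                continue
            if rtype in AUDITD_STOP_TYPES:
                event, description = rtype, AUDITD_STOP_TYPES[rtype]
        else:
            w = WINDOWS_ID_RE.search(rest)
            eid = int(w.group("id")) if w else None
            if eid in WINDOWS_STOP_EVENTS:
                event, description = eid, WINDOWS_STOP_EVENTS[eid]
        if event is None:
            continue  # ordinary event, not a logging-control event
        alerts.append({"host": host, "time": when, "source": source, "event": event,
                       "description": description, "review": review_tier(host),
                       "gap_seconds": None})
        if source == "auditd":
            open_stops[host] = len(alerts) - 1
    return alerts


if __name__ == "__main__":
    for a in find_logging_gaps(SAMPLE_LOG):
        print(f"{a['time'].isoformat()} {a['host']:9s} {a['description']:32s} "
              f"review={a['review']} gap={a['gap_seconds']}")
```

On the sample, pay-db shows a two-second audit gap on a critical host (daily review), hr-web shows a stop with no restart at all, and the cleared Security log on pay-app is flagged while the routine logon event is not.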
PCI DSS 3.1 Critical Changes to Developer Training
6.5.c Sensitive Data in Memory: organizations must now demonstrate how they train their developers to understand how sensitive data is handled in memory.
PCI DSS 3.1 New Requirements - Immediate impact
- Requirement 1.1.3: Dataflow diagrams.
- Requirement 2.4: Inventory of all in-scope system components.
- Requirement 5.1.2: Risk-based malware review for systems not commonly affected by malicious software.
- Requirement 8.1.3.b: Termination processes must include all physical authentication methods in addition to systems.
- Requirement 8.6.x: New requirements and testing procedures around the use of physical authentication mechanisms assigned to individuals.
- Requirement 9.3: New requirement to control issuing physical access to sensitive areas for onsite personnel.
- Requirement 12.8.5: New requirement to maintain information about which PCI DSS requirements are managed by the service provider.
PCI DSS 3.1 Phased Requirements - 2015
These requirements were considered best practices only until June 30, 2015, at which time they became mandatory for all 3.1 assessments.
- Requirement 6.5.10: Broken authentication and session management.
- Requirement 8.5.1: New requirement for service providers to use different authentication credentials for access into different customer environments.
- Requirement(s) 9.9.x: New (merchant) requirements to protect point-of-sale devices that capture payment card data from tampering or unauthorized modification or substitution.
- Requirement 11.3.X: Expanded requirements/expectations for penetration testing controls. PCI DSS v2.0 requirements for penetration testing may be followed until July 2015.
- Requirement 12.9: Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data.
Questions about the changes
What is Chip and PIN or EMV?
EMV, which stands for Europay, MasterCard, and Visa, is a global standard for the inter-operation of integrated circuit cards (IC cards or "chip cards") and IC card-capable point-of-sale (POS) terminals, for authenticating credit and debit card transactions.
Contact Cards and RF Cards
Contact cards communicate with the reader over a contact plate. The plate must come into contact with the terminal, usually by inserting the card into a slot in the terminal. The card must remain inserted for the duration of the transaction. Contactless cards communicate via radio frequency (RF) and must contain an antenna. Dual-interface chip cards combine both technologies and can communicate either way.
Source: Visa U.S. Merchant EMV Chip Acceptance Readiness Guide
What does this mean to you
- The benefit of EMV is that it is almost impossible to create a fake or fraudulent card.
- The card produces a one-time-use code for each transaction.
- It takes special equipment to read the card.
- Over 80 percent of fraudulent transactions are card-present transactions.
- By using EMV, those transactions shouldn't take place.
October 15, 2015 Liability Shift
- If a magnetic stripe card comes in and is read with a magnetic stripe reader, then, if the purchase is a counterfeit transaction, the merchant is generally not liable, just like today.
- If an EMV card comes in and is read with a magnetic-stripe-only POS terminal, then, if the purchase is a counterfeit transaction, the merchant is solely liable.
- If an EMV card comes in and is read with an activated EMV terminal, then, if the purchase is a counterfeit transaction, the issuer will be liable.
Double Down
If you are going to invest in the equipment, consider the business case of also buying equipment that can handle Point-to-Point Encryption technology. Chip and PIN (really Chip and Signature here in the US) protects the card, and the card only; P2PE protects the cardholder data as it passes through your network.
Predictions
- 70% of U.S. credit cards and 41% of debit cards will be EMV-enabled by the end of 2015.
- The demand for new equipment will increase as the deadline gets closer. Many that order late will be waiting on equipment when the deadline comes.
- Most will think you can just plug it in and go without the proper testing with the processor. They will be wrong.
Thank you
Jon Bonham
Jon.bonham@coalfire.com