UNDERSTANDING PCI 3.0 AND HOW TO REDUCE YOUR SCOPE



Similar documents
PCI DSS 3.0 : THE CHANGES AND HOW THEY WILL EFFECT YOUR BUSINESS

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor January 23, 2014

PCI Assessments 3.0 What Will the Future Bring? Matt Halbleib, SecurityMetrics

Preparing for PCI DSS 3.0 & Ensuring a Seamless Transition. November 2013

PCI Compliance 3.1. About Us

Are You Ready For PCI v 3.0. Speaker: Corbin DelCarlo Institution: McGladrey LLP Date: October 6, 2014

New PCI Standards Enhance Security of Cardholder Data

Administrative Improvements. Administrative Improvements. Scoping Guidance. Clarifications for Segmentation

Corbin Del Carlo Director, National Leader PCI Services. October 5, 2015

North Carolina Office of the State Controller Technology Meeting

PCI DSS 3.0 Overview. OSU Business Affairs Business Affairs PIT Crew - Project, Improvement, & Technology Robin Whitlock

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 2.0 to 3.0

Thoughts on PCI DSS 3.0. D. Timothy Hartzell CISSP, CISM, QSA, PA-QSA Associate Director

HOW SECURE IS YOUR PAYMENT CARD DATA? COMPLYING WITH PCI DSS

Becoming PCI Compliant

Continuous compliance through good governance

External Scanning and Penetration Testing in PCI DSS 3.0. Gary Glover, Sr. Director of Security Assessments

HOW SECURE IS YOUR PAYMENT CARD DATA?

Transitioning from PCI DSS 2.0 to 3.1

ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE

PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR

Thoughts on PCI DSS 3.0. September, 2014

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance

VMware Product Applicability Guide for. Payment Card Industry Data Security Standard

PCI DSS v3.0 Vulnerability & Penetration Testing

PCI Self-Assessment: PCI DSS 3.0

PCI 3.1 Changes. Jon Bonham, CISA Coalfire System, Inc.

PCI Compliance. What is New in Payment Card Industry Compliance Standards. October cliftonlarsonallen.com CliftonLarsonAllen LLP

NEW PENETRATION TESTING REQUIREMENTS, EXPLAINED

Four Keys to Preparing for a PCI DSS 3.0 Assessment

Adyen PCI DSS 3.0 Compliance Guide

FairWarning Mapping to PCI DSS 3.0, Requirement 10

PCI Compliance. PCI DSS v3.1. Dan Lobb CRISC. Lisa Gable CISM

PCI DSS 3.1 and the Impact on Wi-Fi Security

Payment Card Industry Compliance Overview

Case 2:13-cv ES-JAD Document Filed 12/09/15 Page 1 of 116 PageID: Appendix A

Simplifying Payment Card Industry Compliance

PCI Compliance. Crissy Sampier, Longwood University Edward Ko, CampusGuard

Network Segmentation

Payment Card Industry (PCI) Data Security Standard. Requirements and Security Assessment Procedures. Version 3.1 April 2015

What s New in PCI DSS Cisco and/or its affiliates. All rights reserved. Cisco Systems, Inc 1

SAQ D Compliance. Scott St. Aubin Senior Security Consultant QSA, CISM, CISSP

Technology Innovation Programme

PCI DSS 2.0 and PA-DSS 2.0 SUMMARY OF CHANGES - HIGHLIGHTS

CHEAT SHEET: PCI DSS 3.1 COMPLIANCE

PCI DSS Compliance What Texas BUC$ Need to Know! Ron King CampusGuard

Payment Card Industry (PCI) Data Security Standard. Requirements and Security Assessment Procedures. Version 3.0 November 2013

PCI Compliance at The University of South Carolina. Failure is not an option. Rick Lambert PMP University of South Carolina

<COMPANY> PR11 - Log Review Procedure. Document Reference Date 30th September 2014 Document Status. Final Version 3.

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard

Initial Roadmap: Point-to-Point Encryption Technology and PCI DSS Compliance

PCI Compliance Top 10 Questions and Answers

PCI Compliance Updates

PCI DSS Overview. By Kishor Vaswani CEO, ControlCase

Customer PCI 3.0 Changes = New Opportunity For You. Giles Witherspoon-Boyd SecurityMetrics

Don Roeber Vice President, PCI Compliance Manager. Lisa Tedeschi Assistant Vice President, Compliance Officer

Project Title slide Project: PCI. Are You At Risk?

Strategies To Effective PCI Scoping ISACA Columbus Chapter Presentation October 2008

PCI DSS Scope Misconceptions. Focusing Compliance Efforts Where it Matters Most

PCI Compliance. How to Meet Payment Card Industry Compliance Standards. May cliftonlarsonallen.com CliftonLarsonAllen LLP

PCI v2.0 Compliance for Wireless LAN

Breach Findings for Large Merchants. 28 January 2015 Glen Jones Cyber Intelligence and Investigation Lester Chan Payment System Security

The Relationship Between PCI, Encryption and Tokenization: What you need to know

PCI Compliance Overview

Josiah Wilkinson Internal Security Assessor. Nationwide

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 3.0 to 3.1

Payment Card Industry (PCI) Data Security Standard

PCI Compliance. Top 10 Questions & Answers

PCI Data Security Standard 3.0

Ecommerce Guide to PCI DSS 3.0

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version to 2.0

Payment Card Industry (PCI) Data Security Standard

PCI Compliance for Cloud Applications

Office of Finance and Treasury

PCI DSS Compliance Information Pack for Merchants

Payment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc.

Payment Card Industry Security Standards PCI DSS, PCI-PTS and PA-DSS

Transcription:

UNDERSTANDING PCI 3.0 AND HOW TO REDUCE YOUR SCOPE April 30 th, 2014 Sean Mathena CISSP, CISA, QSA Trustwave Managing Consultant WELCOME AND AGENDA PCI-DSS 3.0 Review the high-level areas that have changed Review specific requirement changes Clarify why the changes happened Defining and Reducing Scope Review how to accurately determine scope Identify ways to reduce scope thus reducing risk Question and Answer 1

PCI LIFECYCLE ITERATIVE THREE-YEAR PROCESS Eight steps in process to adopting new standard Year 1 November: Standards Published (Done) January: Standards Effective (Done) All year: Market Implementation Year 2 November: Feedback Begins December 31: Older Standards Retired April August: Feedback Review Year 3 November April: Draft Revisions May July: Final Review PCI 3.0 HIGH-LEVEL ADJUSTMENTS 1 Compliance as Business as Usual 2 Segmentation Clarifications 3 Risk Assessment Clarifications 2

COMPLIANCE AS BUSINESS AS USUAL COMPLIANCE AS BUSINESS AS USUAL Duty of care. Move toward compliance as business as usual and a reminder of ongoing responsibility. Businesses are also expected to stay aware of the changes to the standard. 3

RISK ASSESSMENT CLARIFICATION RISK ASSESSMENT Clarified that the risk assessment should be performed at least annually and after significant changes to the environment. 4

SEGMENTATION CLARIFICATIONS SEGMENTATION Segmentation equals isolation Clarification as to the level of separation required SSC will be creating a white paper Segmentation boundary now a part of pen testing requirement 5

SPECIFIC REQUIREMENT UPDATES 1 Penetration Testing rigidity 2 Scope change for e-commerce redirect merchants 3 Adjustment to AV requirement 4 Service Provider requirements 5 POS physical protection 6 Log review specifications 7 Assess data in memory PEN TEST REQUIREMENT RIGIDITY New requirement to implement a methodology for penetration testing. Effective July 1, 2015 Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) Includes testing from both inside and outside the network Includes review and consideration of threats and vulnerabilities experienced in the last 12 months New requirement, if segmentation is used to isolate the CDE from other networks, to perform penetration tests to verify that the segmentation methods are operational and effective 6

E-COMMERCE REDIRECT MERCHANTS Clarification of what is in scope: Systems that provide security services (for example, authentication servers), facilitate segmentation (for example, internal firewalls), or may impact the security of (for example, name resolution or web redirection servers) the CDE. Affects e-commerce redirect merchants SSC will be providing clarification to the PCI community FAQ New SAQ and scanning requirements (include iframes, pure redirects, HOPs). These websites are a key security control for the flow of CHD into the CDE. They therefore are required to apply PCI security controls. ADJUSTMENT TO AV REQUIREMENT New requirement to evaluate evolving malware threats for any systems not considered to be commonly affected by malicious software. New requirement to ensure that anti-virus solutions cannot be disabled or altered by users unless specifically authorized by management on a per-case basis Configured to perform automatic updates. Configured to perform regular scans. 7

SERVICE PROVIDER REQUIREMENTS Auth Credentials New requirement for service providers with remote access to customer premises, to use unique authentication credentials for each customer. Effective July 1, 2015 New Agreements Service Provider Agreements MUST articulate what they re responsible for POS PHYSICAL PROTECTION New requirement to protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution. Effective July 1, 2015 Essential Requirement: Maintain a list of devices Periodically inspect devices to look for tampering or substitution Train personnel to be aware of suspicious behavior and to report tampering or substitution of devices. 8

IMPROVING LOG REVIEWS Requirement change clarified that the intent of log reviews is to identify anomalies or suspicious activity Specifies what needs to be reviewed daily All security events Logs of all system components that store, process, or transmit CHD and/or SAD, or that could impact the security of CHD and/or SAD Logs of all critical system components Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.) Reducing Cardholder Data Environment Scope 9

Identifying Scope Get an Executive Sponsor! Not a trivial exercise Follow the card data Point of entry Card data manipulation Settlement processes Identify non-standard processes Departmental databases Spreadsheets Hard copy data Identify service providers Map out dependent systems Management systems Security systems Monitoring systems Reducing Scope Get rid of the data! Less CHD = Less Risk! Consolidate card data Implement segmentation Outsource Tokenization End-to-end encryption/p2pe 10

QUESTIONS? Thank you! 11

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information