PCI DSS 3.0 Changes
Bill Franklin, Executive IT Auditor
bfranklin@compassitc.com
January 23, 2014

Agenda
- Introduction
- PCI DSS 3.0 Changes
- What Can I Do to Prepare?
- When Do I Need to be Compliant?
- Questions

Introduction
Compass IT Compliance, LLC
Bill Franklin, CISA, QSA, CGEIT, Senior IT Auditor
bfranklin@compassitc.com
(978) 821-4863
http://www.compassitc.com
PCI DSS 3.0 Requirements
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for all personnel
Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers
- Requirement A.1: Shared hosting providers must protect the cardholder data environment
Data
Cardholder Data and Sensitive Authentication Data

Types of Changes
1. Clarification (68): Clarifies the intent of a requirement. Ensures that concise wording in the standard portrays the desired intent of the requirements.
2. Additional Guidance (2): Explanation, definition and/or instruction to increase understanding or provide further information or guidance on a particular topic.
3. Evolving Requirement (19): Changes to ensure that the standards are up to date with emerging threats and changes in the market.
https://www.pcisecuritystandards.org/
https://www.pcisecuritystandards.org/security_standards/documents.php

PCI DSS 3.0 Document
- Incorporates "Navigating PCI DSS: Understanding the Intent of the Requirements"
- Provides Guidance
Current Network Diagrams
Requirement 1.1.2 & 1.1.3: Network Diagrams
Clarified what the network diagram must include, and added a new requirement for a current diagram that shows cardholder data flows.
Create a Network Diagram Showing:
- CDE
- CHD Stored, Processed or Transmitted
- Connections to the CDE
- Physical and Wireless Connections to External Systems, e.g. Gateways, Processors, etc.
- Flow of CHD across Systems and Networks

Maintain an Inventory of System Components
Requirement 2.4: Hardware and Software Inventory
New requirement to maintain an inventory of system components in scope for PCI DSS, to support development of configuration standards.
- List of Hardware and Software in the CDE
- Provide for each a:
  - Description
  - Function

Protect Against Malware
Requirement 5.1.2: Anti-Virus
New requirement to evaluate evolving malware threats for any systems not considered to be commonly affected by malicious software.
- Update Anti-Virus Policy and Procedures
- Monitor Vendor Security Notices
- Monitor Anti-Virus News Groups
- New Trends Incorporated into Configuration Standards
www.nist.org
www.cert.org
www.sans.org/newsletters

Protect Against Malware
Requirement 5.3: Anti-Virus
New requirement to ensure that anti-virus solutions are actively running (formerly in 5.2) and cannot be disabled or altered by users unless specifically authorized by management on a per-case basis.
- Update Anti-Virus Policy and Procedures
  - Disconnect from the Internet / Full Scan when Reconnected
  - Address Privileged Users
This can be a Challenge

Software Development
Requirement 6.5.10: Secure Coding (Effective July 1, 2015)
New requirement for coding practices to protect against broken authentication and session management: prevent unauthorized individuals from compromising legitimate account credentials, keys, or session tokens that would otherwise enable the intruder to assume the identity of an authorized user.
- Update Secure Coding Standards
  - Flagging session tokens (for example cookies) as secure
  - Not exposing session IDs in the URL
  - Incorporating appropriate time-outs and rotation of session IDs after a successful login
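The three coding practices listed for 6.5.10 (secure cookie flags, no session IDs in the URL, time-outs and rotation after login) in working form, as an added example that is not part of the original deck. It assumes an in-memory session store and an illustrative 15-minute idle time-out; a real application would persist sessions server-side and take the time-out from its own policy.

```python
import secrets
import time
from http.cookies import SimpleCookie

# Assumptions for this added example: an in-memory session store and an
# illustrative 15-minute idle time-out (take the real value from policy).
IDLE_TIMEOUT_SECONDS = 15 * 60
_sessions = {}  # session_id -> {"user": str, "last_seen": float}


def new_session(user, now=None):
    """Create a session keyed by a random, unguessable 256-bit token."""
    sid = secrets.token_urlsafe(32)
    _sessions[sid] = {"user": user, "last_seen": time.time() if now is None else now}
    return sid


def session_cookie_header(sid):
    """Set-Cookie header flagged Secure (HTTPS only) and HttpOnly (no script access)."""
    cookie = SimpleCookie()
    cookie["session"] = sid
    cookie["session"]["secure"] = True
    cookie["session"]["httponly"] = True
    cookie["session"]["samesite"] = "Strict"
    return cookie.output(header="Set-Cookie:").strip()


def rotate_after_login(pre_login_sid, user, now=None):
    """Discard the pre-login session and issue a fresh ID, so a token fixed
    before authentication never becomes a credential for the logged-in user."""
    _sessions.pop(pre_login_sid, None)
    return new_session(user, now)


def validate(sid, now=None):
    """Return the session's user, or None if the ID is unknown or idle too long."""
    now = time.time() if now is None else now
    entry = _sessions.get(sid)
    if entry is None:
        return None
    if now - entry["last_seen"] > IDLE_TIMEOUT_SECONDS:
        del _sessions[sid]  # expired: the user must re-authenticate
        return None
    entry["last_seen"] = now
    return entry["user"]


def session_id_from_request(cookies, query_params):
    """Take the session ID from the cookie jar only; an ID in the URL query
    string is ignored so it cannot leak through logs or Referer headers."""
    del query_params  # deliberately unused
    return cookies.get("session")
```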
Authentication
Requirement 8.2.3: Password Strength
Combined minimum password complexity and strength requirements into a single requirement, and increased flexibility for alternatives that meet the equivalent complexity and strength.
- Update Password Management Policies and Procedures
- Use Passphrases. A good passphrase:
  - Is 15 or more characters long
  - Is a series of words that create a phrase
  - Does not contain common phrases found in literature or music
  - Does not contain words found in the dictionary, e.g. My Sport is Tennis = My $p0rt 1s Tenn1$
  - Does not contain your user name, real name, or company name
  - Is significantly different from previous passwords or passphrases
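A checker for the passphrase rules above, added here as an example and not taken from the deck. The wordlist is a tiny constructed stand-in for a real dictionary, the 0.6 similarity threshold is illustrative, and the "common phrases from literature or music" rule is not covered (it needs a phrase list the example does not have).

```python
import difflib

# Constructed for this added example: a tiny stand-in for a real dictionary
# wordlist and an illustrative similarity threshold (difflib ratio above which
# a new passphrase is treated as not significantly different from an old one).
DICTIONARY = {"sport", "tennis", "password", "welcome", "summer"}
MIN_LENGTH = 15
MIN_WORDS = 3
MAX_SIMILARITY = 0.6


def check_passphrase(candidate, username, real_name, company, previous=()):
    """Return the list of rule violations; an empty list means the passphrase passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than 15 characters")
    tokens = candidate.split()
    if len(tokens) < MIN_WORDS:
        problems.append("not a series of words forming a phrase")
    # Plain dictionary words are rejected; the slide's substitution trick
    # (Sport -> $p0rt) passes because the token no longer matches the wordlist.
    hits = [t for t in tokens if t.lower() in DICTIONARY]
    if hits:
        problems.append("contains dictionary words: " + ", ".join(hits))
    lowered = candidate.lower()
    for label, value in (("user name", username), ("real name", real_name), ("company name", company)):
        if value and value.lower() in lowered:
            problems.append("contains " + label)
    # "Significantly different from previous": compare character similarity
    # (case-insensitive) against each stored previous passphrase.
    for old in previous:
        if difflib.SequenceMatcher(None, lowered, old.lower()).ratio() > MAX_SIMILARITY:
            problems.append("too similar to a previous passphrase")
            break
    return problems
```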
Authentication
Requirement 8.5.1: Remote Access to Customer Premises (Effective July 1, 2015)
Additional Requirement for Service Providers
New requirement for service providers with remote access to customer premises to use unique authentication credentials for each customer.
- Update Access Control Policy and Procedures
- Replace generic logins across customer accounts with unique credentials

Authentication
Requirement 8.6: Authentication Mechanisms Linked to an Account
New requirement that, where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.), the mechanisms must be linked to an individual account and ensure only the intended user can gain access with that mechanism.
- Update Policy and Procedures
- Identify where physical or logical security tokens are used as a second factor of authentication
- Ensure that each physical or logical token is unique to each account

Physical Access
Requirement 9.3: Onsite Personnel Access
New requirement to control physical access to sensitive areas for onsite personnel, including a process to authorize access, and to revoke access immediately upon termination.
- Update Policy and Procedures
- Isolate the CDE and only allow access to those with a legitimate business need:
  - Storage areas for CHD on hardcopy and removable media
  - Call Centers accepting CHD
  - Computer Rooms

Physical Access
Requirement 9.9.x: Point of Interaction (POI) Devices (Effective July 1, 2015)
New requirements to protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.
- Update Policy and Procedures
- Keep a list of all devices with Make, Model, Location and Serial Number
- Periodically inspect devices for tampering
- Train personnel regarding possible tampering with or substitution of a device

Monitor and Test Networks
Requirement 10.2.5: Monitor Identification and Authentication
Enhanced requirement to include changes to identification and authentication mechanisms (including creation of new accounts and elevation of privileges), and all changes, additions and deletions to accounts with root or administrative access.
- Update Monitoring and Logging Policy and Procedures
- Configure logging to track changes to identification and authentication mechanisms
- Set an Alert to be sent if there is a change at any privilege level: Administer, Modify, Read Only

Monitor and Test Networks
Requirement 10.2.6: Monitoring Audit Logs
Enhanced requirement to include stopping or pausing of the audit logs. Turning the audit logs off (or pausing them) prior to performing illicit activities is a common practice for malicious users wishing to avoid detection. Initialization of audit logs could indicate that the log function was disabled by a user to hide their actions.
- Ensure the Stopping or Pausing of an Audit Log is Recorded
- Set an Alert to be Sent if an Audit Log is Stopped or Paused
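Detection logic for the two monitoring slides above (10.2.5 account and privilege changes; 10.2.6 audit logging stopped, cleared or reconfigured), run over constructed sample log lines. This is an added example, not material from the deck: the Windows event IDs and auditd record types are real, but the sample lines are made up for the example and the key=value rendering of Windows events is an assumption about how the log collector formats them.

```python
import re

# Constructed sample lines for this added example (Linux auditd records and
# Windows Security events rendered as key=value text); not from a real host.
SAMPLE_LINES = [
    "type=ADD_USER msg=audit(1390500000.100:41): pid=2201 uid=0 auid=1000 msg='op=adding user id=1003 exe=/usr/sbin/useradd res=success'",
    "type=CONFIG_CHANGE msg=audit(1390500002.300:43): auid=1000 ses=3 op=set audit_enabled=0 old=1 res=1",
    "type=DAEMON_END msg=audit(1390500100.000:44): op=terminate auid=0 pid=812 res=success",
    'EventID=4720 Channel=Security Message="A user account was created." TargetUserName=svc_backup',
    'EventID=4624 Channel=Security Message="An account was successfully logged on."',
    'EventID=4732 Channel=Security Message="A member was added to a security-enabled local group." TargetUserName=Administrators',
    'EventID=1100 Channel=Security Message="The event logging service has shut down."',
    'EventID=1102 Channel=Security Message="The audit log was cleared." SubjectUserName=jdoe',
]
# Real Windows Security event IDs; grouping them under the two requirements is ours.
WINDOWS_EVENTS = {
    "4720": ("10.2.5", "user account created"),
    "4732": ("10.2.5", "member added to a local group"),
    "4719": ("10.2.6", "system audit policy changed"),
    "1100": ("10.2.6", "event logging service shut down"),
    "1102": ("10.2.6", "audit log cleared"),
}
# auditd record types: ADD_USER (useradd), CONFIG_CHANGE with audit_enabled=0
# (auditing switched off, e.g. via auditctl -e 0), DAEMON_END (auditd stopped).
AUDITD_PATTERNS = [
    (re.compile(r"^type=ADD_USER\b"), ("10.2.5", "account added")),
    (re.compile(r"^type=CONFIG_CHANGE .*\baudit_enabled=0\b"), ("10.2.6", "auditd disabled")),
    (re.compile(r"^type=DAEMON_END\b"), ("10.2.6", "auditd stopped")),
]
_WINDOWS_ID = re.compile(r"\bEventID=(\d+)\b")


def classify(line):
    """Map one log line to (requirement, reason), or None if not of interest."""
    for pattern, verdict in AUDITD_PATTERNS:
        if pattern.search(line):
            return verdict
    m = _WINDOWS_ID.search(line)
    return WINDOWS_EVENTS.get(m.group(1)) if m else None


def find_alerts(lines):
    """Return (line number, requirement, reason) for each line that warrants an
    alert: account/privilege changes (10.2.5) or audit trail tampering (10.2.6)."""
    alerts = []
    for lineno, line in enumerate(lines, 1):
        verdict = classify(line)
        if verdict:
            alerts.append((lineno,) + verdict)
    return alerts
```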
Security Testing
Requirement 11.1.x: Wireless Access Points
Enhanced requirement to include an inventory of authorized wireless access points and a business justification (11.1.1) to support scanning for unauthorized wireless devices, and added new requirement 11.1.2, to align with an already-existing testing procedure, for incident response procedures if unauthorized wireless access points are detected.
- Update Internet Security Policy and Procedures
- Update Incident Response Policy and Procedure (Plan) to include unknown wireless access points
- Keep a documented list of authorized wireless access points with business justification
- Keep a list of known wireless access points outside of your business
- Implement Automated Wireless Access Point Monitoring with Alerts

Security Testing
Requirement 11.3: Penetration Testing (Effective July 1, 2015; PCI DSS v2.0 requirements for penetration testing must be followed until v3.0 is in place)
New requirement to implement a methodology for penetration testing that:
- Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115)
- Includes coverage for the entire CDE perimeter and critical systems
- Includes testing from both inside the network, and from outside of the network attempting to get in
- Includes testing to validate any segmentation and scope-reduction controls
- Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5
- Defines network-layer penetration tests to include components that support network functions as well as operating systems
- Includes review and consideration of threats and vulnerabilities experienced in the last 12 months
- Specifies retention of penetration testing results and remediation activities results

Security Testing
Requirement 11.3: Penetration Testing
New requirement to implement a methodology for penetration testing.
- Outsource Penetration Testing to a Firm with Qualifications and Experience
- Look for Certifications Such As:
  - GIAC: Global Information Assurance Certification
  - GWAPT: Global Web Application Penetration Tester
  - CISSP: Certified Information Systems Security Professional
- Include PCI DSS Requirements in the Agreement

Security Testing
Requirement 11.3.4: Penetration Testing
New requirement, if segmentation is used to isolate the CDE from other networks, to perform penetration tests to verify that the segmentation methods are operational and effective.
- Ensure Penetration Testing is performed to access the CDE from:
  - External Access to the Network (From the Internet)
  - Internal Access to the Network (From behind the Internal Firewall)

Security Testing
Requirement 11.5.x: Change Detection (File Integrity Monitoring renamed to Change-Detection Mechanism)
New requirement to implement a process to respond to any alerts generated by the change-detection mechanism (supports 11.5).
- Update procedure to respond to alerts from the Change-Detection Mechanism
- Document Responses:
  - Known Change
  - Suspicious Change and Result of Investigation
Information Security Policy
Requirement 12.2: Risk Assessment
Moved former requirement 12.1.2 for an annual risk assessment process to 12.2, and clarified that the risk assessment should be performed at least annually and after significant changes to the environment.
- As part of any change to the Processing, Transmitting, or Storage of CHD, evaluate whether it is a Significant Change to the Environment, including changes to:
  - CDE
  - Business Process
  - Methods of accepting Payment Cards
  - Brands and Types of Cards Accepted
  - Third Party Service Providers

Information Security Policy
Requirement 12.8.5: Third Party Service Providers
New requirement to maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.
- List of all Service Providers for the Processing, Transmission or Storage of CHD, to include:
  - Description of the Service Provided
  - PCI DSS Requirement Addressed
  - Date of Engagement
  - PCI Certification Required and Date of Certification
  - Other Certification Required and Date of Certification, e.g. SSAE 16 SOC 2
  - Service Provider Contact Information

Information Security Policy
Requirement 12.9: Third Party Service Providers (Effective July 1, 2015)
Additional Requirement for Service Providers
New requirement for service providers to provide the written agreement/acknowledgment to their customers as specified at requirement 12.8.
- Update Contract Procedure
- Create a Template Letter for Customers Acknowledging the:
  - Responsibility to Protect the Customer's CHD that the Service Provider Processes, Transmits, or Stores
  - Responsibility to Protect the Customer's CDE, e.g. Managed Service Provider
- Submit to Existing Customers and Obtain Agreement
- Include in Contract Process for New Customers
- Update for Existing Customers When Services Change
When Do I Need to be Compliant?
During 2014:
- November 7, 2013: PCI DSS 3.0 Released
- January 1, 2014: Effective; Transition to PCI DSS 3.0 for Recertification and New Certification
- January 1, 2015: PCI DSS 2.0 Retired
https://www.pcisecuritystandards.org/documents/pci_lifecycle_for_changes_to_dss_and_padss.pdf

Questions?
Bill Franklin
Compass IT Compliance, LLC
(888) 246-7593 x 701
bfranklin@compassitc.com
PCI Structure
- Card Brands: MasterCard, Visa, Amex, Discover, JCB
- PCI Council
- Service Providers
- Acquiring Banks (Merchant Banks)
- Merchants

Areas to Assess
- Business Process
- Flow of Payment Card Data: Wireless, Email, Encryption
- Third Party Applications Run In-House
- Proprietary Applications
- Network Segmentation
- Third Parties / Outsourcing
- Compensating Controls
- Documentation, Documentation, Documentation

Common Weaknesses
- Firewall and Router Configuration Documentation
- Change Management Policy and Procedures
- Information Security Program
- Lack of Annual Overall IT Risk Assessment and Remediation
- Lack of Quarterly External Vulnerability Scan with an ASV
  - Patches
  - Upgrades
- Lack of Quarterly Internal Vulnerability Scan
  - Open Ports
  - Unnecessary Services
- Lack of Penetration Tests for Networks and Applications

Common Weaknesses
- No DMZ (Demilitarized Zone) for Web Applications Processing Payment Card Data

Common Weaknesses
- Encryption of Cardholder Data
  - In Storage
  - During Transmission
- Encryption Key Management
- PCI DSS Section 6
  - Application Firewall
  - Thorough Application Testing
  - Hackers are focusing more on Applications
- Lack of Documentation