PROTIVITI FLASH REPORT




The PCI Security Standards Council Releases PCI DSS Version 3.2

May 9, 2016

On April 28, 2016, the PCI Security Standards Council (PCI SSC) released PCI Data Security Standard (PCI DSS) version 3.2, which had been available for preview to stakeholders since April 15. The PCI DSS is a widely accepted set of policies and procedures used to optimize security of credit, debit and cash card transactions and protect cardholders from misuse of their personal information. Version 3.2's April release represents a change of pace in PCI DSS updates, occurring outside the PCI SSC's normal update cycle. (However, Troy Leach, chief technology officer of the PCI SSC, stated that no further revisions to the PCI DSS will occur in 2016.)

As with every prior version or release of PCI DSS, many clarifications have been made, along with clerical changes. But what the industry wants to know is which changes impact their business. Below, we have outlined the more notable changes for affected organizations.

Major Changes for All Entities

These are changes in which processes or additional technologies will need to be deployed in order for an organization to remain in compliance with PCI DSS. The changes may lead to high levels of effort to achieve compliance and could cause organizations to be out of compliance for an extended period.

1. Multi-factor authentication

The term "multi-factor authentication" replaces "two-factor authentication." This in and of itself should not impact compliance for an organization, but a new requirement for use of multi-factor authentication for certain types of local access will do so. This is a two-part update: The first part is effective immediately when assessing compliance with v3.2, and the second part becomes effective February 1, 2018.

- Effective immediately: Multi-factor authentication must be used for all remote access (originating from outside the entity's network), including users, administrators and third parties.
- Effective February 1, 2018: Multi-factor authentication must be used for all administrative access to the cardholder data environment (CDE), even when connecting from an internal corporate network.

2. File-integrity monitoring (FIM)

The PCI SSC removed "within the cardholder data environment" from the testing procedures for the 11.5.a requirement. This could significantly impact those organizations that do not have FIM or other change-detection solutions on all in-scope systems (i.e., systems that connect to the cardholder environment). Many organizations do not necessarily have FIM technologies on, for example, point-of-sale or administrative workstations.

3. Change management

This is an area in which many entities have difficulty properly implementing a process and successfully documenting changes. The new requirement 6.4.6 adds steps to the existing change management controls. Organizations are now required to verify and document all PCI DSS requirements impacted by the change and to validate that they are still being met.

Major Changes for Service Providers

The following requirements reveal that the PCI SSC is focusing on service providers and increasing the scrutiny of compliance for this group of organizations. Service providers will need to assess these changes and ensure they are in place in order to stay in compliance with PCI DSS.

1. Security controls monitoring

Service providers are required to monitor and report on failures of critical security systems. The specific types of failures may vary depending on the function of the device and technology in use. Typical failures include a system ceasing to perform its security function or not functioning in its intended manner; for example, a firewall erasing all its rules or going offline.[1] Incident response/problem management processes need to be updated as applicable to include this process. Critical systems include, but are not limited to, the following:

- Firewalls
- Intrusion detection/intrusion prevention
- FIM
- Anti-virus
- Physical access controls
- Logical access controls
- Audit logging mechanisms
- Segmentation controls (if used)

[1] Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2, April 2016, page 94, www.pcisecuritystandards.org/documents/pci_dss_v3-2.pdf.
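As an added illustration (not code from the report or from the PCI SSC), the following Python sketch shows how a service provider might detect failures of critical security controls from control status logs and produce the start, end and duration record that requirement 10.8.1 asks the incident response process to document. The log format, control names and silence threshold are constructed for this example.

```python
"""Detect failures of critical security controls (PCI DSS v3.2 req. 10.8/10.8.1).
Constructed log format: '<ISO timestamp> <control> <OK|FAIL> [detail]', in time order."""
from datetime import datetime, timedelta

# Constructed sample: an edge firewall loses its whole rule set and later
# recovers; a FIM agent on a POS host goes down and has not recovered.
SAMPLE_LOG = """\
2016-05-09T08:00:00 firewall-edge-1 OK rules=412
2016-05-09T08:05:00 fim-pos-07 OK
2016-05-09T08:10:00 firewall-edge-1 FAIL rules=0
2016-05-09T08:15:00 fim-pos-07 FAIL agent-down
2016-05-09T08:40:00 firewall-edge-1 OK rules=412
2016-05-09T09:00:00 firewall-edge-1 OK rules=412
"""

def parse_line(line):
    ts, control, state, *detail = line.split()
    return datetime.fromisoformat(ts), control, state, " ".join(detail)

def detect_failures(log_text):
    """Return one record per failure window: control, start, end, duration in
    minutes and the detail seen at failure. Start is the first observed FAIL,
    so the real failure may have begun earlier; a window with no later OK is
    reported as still open (end and duration None)."""
    open_failures, records = {}, []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, control, state, detail = parse_line(line)
        if state == "FAIL" and control not in open_failures:
            open_failures[control] = (ts, detail)
        elif state == "OK" and control in open_failures:
            start, detail = open_failures.pop(control)
            records.append({"control": control, "start": start, "end": ts,
                            "duration_minutes": (ts - start) // timedelta(minutes=1),
                            "detail": detail})
    for control, (start, detail) in open_failures.items():
        records.append({"control": control, "start": start, "end": None,
                        "duration_minutes": None, "detail": detail})
    return records

def stale_controls(log_text, now, max_silence_minutes):
    """Controls that have gone quiet (e.g. a firewall offline): no status line
    within max_silence_minutes before `now`. Silence is itself a failure."""
    last_seen = {}
    for line in log_text.splitlines():
        if line.strip():
            ts, control, _, _ = parse_line(line)
            last_seen[control] = ts
    limit = timedelta(minutes=max_silence_minutes)
    return sorted(c for c, ts in last_seen.items() if now - ts > limit)
```

Each record maps directly onto the 10.8.1 fields below (duration, start to end, and the detail needed to begin root-cause analysis); stale controls are the "going offline" case the report mentions.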

The following processes need to be added to the incident response/problem management program:

- Restoring security functions
- Identifying and documenting the duration (date and time, start to end) of the security failure
- Identifying and documenting the cause(s) of failure, including the root cause, and documenting remediation required to address the root cause
- Identifying and addressing any security issues that arose during the failure
- Performing a risk assessment to determine whether further actions are required as a result of the security failure
- Implementing controls to prevent the cause of failure from reoccurring
- Resuming monitoring of security controls

2. Executive management responsibility

Service providers are now required to assign the responsibility of PCI compliance to a representative of executive management. The PCI SSC defines executive management as a C-suite executive, a member of the board of directors or an equivalent individual. While service providers have a designated executive officer who signs the attestation of compliance (AOC), this step formally documents the responsibility.

3. Operational reviews

Service providers are required to perform quarterly reviews of operational processes. These include but are not limited to the following:

- Daily log reviews
- Firewall rule-set reviews
- Application of configuration standards to new systems
- Response to security alerts
- Change management processes

Other Notable Changes

1. Penetration testing

Service providers are now required to test segmentation controls (if segmentation is used to reduce scope) at least every six months, compared to at least annually in v3.1.

2. Documented description of cryptographic architecture

Service providers are required to create a documented description of the cryptographic architecture used in the CDE. This document must include the following:

- Details of all algorithms, protocols and keys used for the protection of cardholder data, including key strength and expiry date
- Description of the key usage for each key
- Inventory of any hardware security modules and other secure cryptographic devices used for key management

Migrating from Secure Socket Layer (SSL) and Early Transport Layer Security (TLS)

Migrating away from SSL and early TLS has been an area of discussion for the past few years. Most organizations should have this on their road map already, if not already completed. The PCI SSC released a bulletin on December 15, 2015, updating the migration cutoff date for entities still using SSL or early TLS to June 30, 2018 (previously June 30, 2016). This update is now reflected in PCI DSS v3.2 along with moving the controls into Appendix A-2.

Key Dates and Deadlines

The next Payment Application Data Security Standard (PA-DSS) update will be released in approximately one month. PCI DSS v3.1 will be retired on October 31, 2016. Seven changes have an effective date of February 1, 2018. These changes impact the following requirements:

- 3.5.1 Documenting cryptographic architecture
- 6.4.6 Assessment of PCI DSS requirements impacted by each change
- 8.3.1 Multi-factor authentication for all access to CDE
- 10.8, 10.8.1 Detecting and reporting failures in critical security control systems
- 11.3.4.1 Penetration testing segmentation controls at least every six months
- 12.4 Executive management responsibility for protecting cardholder data
- 12.11, 12.11.1 Quarterly reviews of operational processes

In Closing

Migrating from SSL and early TLS has been pushed to June 30, 2018. Companies should review the summary of changes and determine which of them will impact their environment for PCI compliance. Key items would include any controls that have increased in frequency or controls that now have frequency requirements.
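An added example, not from the report: once the cryptographic-architecture description (requirement 3.5.1) exists as structured data, it can be reviewed mechanically for weak keys, expired keys, undocumented usage and remaining SSL/early TLS endpoints ahead of the June 30, 2018 cutoff. The inventory records, the minimum key sizes and the set of protocols treated as SSL/early TLS are assumptions constructed for this example.

```python
"""Review a cryptographic-architecture inventory (PCI DSS v3.2 req. 3.5.1) against
key-strength minimums, key expiry and the SSL/early TLS migration deadline."""
from datetime import date

# Assumed policy for this example (not taken from the report): minimum key bits
# per algorithm, and the protocol versions treated as SSL/early TLS.
MIN_KEY_BITS = {"AES": 128, "RSA": 2048, "ECDSA": 224, "TDES": 112}
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLS1.0"}
EARLY_TLS_CUTOFF = date(2018, 6, 30)   # migration deadline stated in the report

# Constructed inventory: one record per key or transport endpoint in the CDE.
INVENTORY = [
    {"id": "dek-cardvault-01", "algorithm": "AES", "bits": 256,
     "usage": "PAN encryption at rest", "expires": date(2017, 1, 31)},
    {"id": "kek-legacy-02", "algorithm": "RSA", "bits": 1024,
     "usage": "wrapping of data-encrypting keys", "expires": date(2019, 12, 31)},
    {"id": "tls-pos-gateway", "algorithm": "RSA", "bits": 2048,
     "usage": "POS to payment gateway transport", "expires": date(2018, 3, 1),
     "protocol": "TLS1.0"},
]

def review_inventory(inventory, as_of):
    """Return (record id, finding) pairs, in inventory order, for anything that
    would need remediation or explanation to an assessor on the `as_of` date."""
    findings = []
    for rec in inventory:
        minimum = MIN_KEY_BITS.get(rec["algorithm"])
        if minimum is None:
            findings.append((rec["id"], f"algorithm {rec['algorithm']} not in approved list"))
        elif rec["bits"] < minimum:
            findings.append((rec["id"],
                             f"{rec['algorithm']}-{rec['bits']} below minimum {minimum} bits"))
        if rec["expires"] <= as_of:
            findings.append((rec["id"], f"key expired {rec['expires'].isoformat()}"))
        if rec.get("protocol") in LEGACY_PROTOCOLS:
            days_left = (EARLY_TLS_CUTOFF - as_of).days
            findings.append((rec["id"],
                             f"{rec['protocol']} in use; {days_left} days to migration cutoff"))
        if not rec.get("usage"):
            findings.append((rec["id"], "key usage not documented"))
    return findings
```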

About Protiviti

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 60 percent of Fortune 1000 and 35 percent of Fortune Global 500 companies. Protiviti and our independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies. Ranked 57 on the 2016 Fortune 100 Best Companies to Work For list, Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

2016 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.