Preparing for PCI DSS 3.0 & Ensuring a Seamless Transition. November 2013




Introductions
- Brian Serra, PCI Practice Director
- Nick Puetz, Managing Director - Strategic Services
2013 FishNet Security Inc. All rights reserved.

Agenda
- FishNet Security & PCI Compliance Services Overview
- Key Dates
- General Observations
- Clarified Requirements
- Additional Guidance
- Flexibility
- Best Practices & New Requirements
- Final Recommendations

Vital Statistics
- Established 1996
- 700 employees (over 300 focused on service delivery)
- US and EMEA presence
- 5,000 customers (over half of Fortune 500 and Fortune 100)
- 50+ experienced QSAs and operational PCI security experts
- Consultants average 7 years of experience; Sr. Consultants and Principals average 13 years of experience
- Certifications include: PCI-QSA, PA-QSA, ASV-QSA, CISSP, ISSEP, IAM, GCIA, CISA, CISM, OSCP, CCNP, CCSE, Security+, MCSE, etc.
- Active members on all PCI Special Interest Groups (SIG)
- 50-75 ROC assessments/year
- Hundreds of PCI engagements annually

FishNet Security's 4 Pillars of PCI Compliance
Pre-Assessment Services
- PCI Executive Workshops
- PCI Data Discovery and Lifecycle Mapping (DLP)
- PCI Scope Reduction Strategies
PCI Remediation Services
- PCI Policy and Procedure Development
- Network Architecture Review
- Technology Solution Deployment (firewalls, IDS/IPS, SIEM, etc.)
- Vulnerability Management Program Development
PCI Certification Services
- PCI DSS Gap Analysis and Certification Services
- PA DSS Gap Analysis and Certification Services
Continuous PCI Compliance Services
- PCI Vulnerability Scanning Services
- Penetration Testing Services
- PCI Data Discovery and Lifecycle Mapping (DLP)
- Secure Code Review
- eGRC Technology Deployment

The FishNet Security Advantage
- Information Security Provider Focus
- Payment Card Industry Compliance Methodology
- Deep Knowledge of Requirements
- Breadth and Depth of Experience
- Relationship with Visa and MasterCard
- Remediation Expertise
- Multiple Discipline Engagement Approach
- Proven Project Management Program

v3.0 Key Dates
- Nov. 2013: Final DSS 3.0 released
- Jan. 1, 2014: v3.0 can be used
- Dec. 31, 2014: v2.0 will still be active up to this date
- Jan. 1, 2015: v3.0 must be used moving forward
- July 15, 2015: Effective date for the new controls that were marked best practices

General Observations
There is a focus on some new topics:
- Sensitive Authentication Data (SAD)
- Integration of the PCI standards into the day-to-day business practices of organizations, aka Business-As-Usual (BAU)
- POS terminal physical security
For QSAs & ISAs:
- Reporting guidance right within the ROC
- Sampling guidance
- Renumbering of requirements and testing procedures

Sensitive Authentication Data (SAD)
Push to ensure that sensitive authentication data (SAD), formerly known as track data, is properly:
- Secured prior to authorization.
- Promptly and securely deleted once authorization/decline has been received.
This is being driven by BlackPOS, vSkimmer and similar memory-scraping threats.

Business As Usual (BAU)
Incorporate continuous compliance into your security program. Examples of BAU:
- Monitoring of security controls (FW, IDS/IPS, FIM, AV, etc.)
- Ensuring security control failures are identified, rectified and a root cause analysis (RCA) is performed
- Review changes to the environment, i.e. change management:
  - Impact on PCI DSS Scope
  - Impact on Cardholder Data Environment (CDE)
  - Update CDE and Scope if necessary
- Changes to organizational structure, i.e. merger/acquisition:
  - Impact on PCI DSS Scope
  - Impact on Cardholder Data Environment (CDE)
  - Update CDE and Scope if necessary

Examples of Business As Usual (BAU)
- Periodic reviews and communication regarding PCI DSS compliance:
  - All facilities: retail outlets, data centers, etc.
  - Verify that requirements are still compliant.
  - "Periodic" is defined based on the size and complexity of the environment.
- Review hardware and software technologies at least annually to confirm that they continue to be supported by the vendor and can meet the entity's security requirements, including PCI DSS.
- Consider implementing separation of duties for security functions so that security and/or audit functions are separated from operational functions. For example, responsibility for configuration and responsibility for approving changes could be assigned to separate individuals.

Sampling Guidance
- QSA/ISA can sample systems to assess during the ROC assessment:
  - Must be a representative sample of each system type.
  - You CANNOT apply the DSS requirements to only that sample.
  - QSA/ISA cannot review only a sample of relevant requirements.
- QSA/ISA can sample locations to assess compliance:
  - Must be a representative sample of each business function type.
"While it is acceptable for an assessor to sample systems as part of their review of an entity's PCI DSS compliance, it is not acceptable for an entity to apply PCI DSS requirements to only a sample of their CDE or for an assessor to only review a sample of PCI DSS requirements for compliance." - PCI Security Standards Council

Clarified Requirements
- 1.1.3: Current diagram that shows all cardholder data flows across systems and networks.
- 2.4: Maintain an inventory of system components that are in scope for PCI DSS. Examine the system inventory to verify that a list of hardware and software components is maintained and includes a description of function/use for each.
- 5.1.2: For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require antivirus software.

Clarified Requirements
- 5.3: Ensure that antivirus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.
  Note: Antivirus solutions may be temporarily disabled only if there is a legitimate technical need, as authorized by management on a case-by-case basis. If anti-malware protection needs to be disabled for a specific purpose, it must be formally authorized. Additional security measures may also need to be implemented for the period of time during which anti-malware protection is not active.

Clarified Requirements
- 7.1.1: Define access needs for each role, including:
  - System components and data resources that each role needs to access for their job function.
  - Level of privilege required (for example, user, administrator, etc.) for accessing resources.

Clarified Requirements
- 8.6: Use of authentication mechanisms such as physical security tokens, smart cards and certificates must be assigned to an individual account as follows:
  - Authentication mechanisms must be assigned to an individual account and not shared among multiple accounts.
  - Physical and/or logical controls must be in place to ensure only the intended account can use that mechanism to gain access.

Clarified Requirements
- 9.3: Control physical access for onsite personnel to the sensitive areas as follows:
  - Access must be authorized and based on individual job function.
  - Access is revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc., are returned or disabled.
- 11.1.1: Need to maintain an inventory of authorized wireless devices, including justification.
- 11.5.1: Implement a process to respond to any alerts generated by the change-detection solution.
- 12.8.5: Maintain information about which PCI DSS requirements are managed by each service provider and which are managed by the entity.

Additional Guidance
Requirement 8 (Identification and Authentication) is restructured:
- Requirements in 8.1 are focused on user identification.
- Requirements in 8.2 are focused on user authentication.
- 8.3 still regards two-factor authentication.
- 8.4 becomes communicating authentication processes to personnel, contractors and vendors.
- 8.5 becomes "do not use shared/generic credentials".
- 8.7 regards database credentials.
- 8.8 regards personnel being aware of all authentication policies, standards and procedures.

Flexibility
- 8.2.3: Passwords/phrases must meet the following:
  - Require a minimum length of at least seven characters.
  - Contain both numeric and alphabetic characters.
  Alternatively, the passwords/phrases must have complexity and strength at least equivalent to the parameters specified above.
- For cases where this minimum cannot be met due to technical limitations, entities can use equivalent strength to evaluate their alternative.
- NIST SP 800-63-1 defines entropy as a measure of the difficulty of guessing or determining a password or key.
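The "equivalent strength" evaluation that 8.2.3 allows, as an added example that is not from the slides or from FishNet Security: it assumes the literal minimum is modelled as seven characters drawn from the 62-character alphanumeric set, and scores an alternative policy by charset entropy (log2 of the keyspace an attacker must search), which is one common reading of the NIST SP 800-63-1 definition quoted above. The function names and sample passwords are constructed.

```python
import math
import string

# Assumption (not from the slide): the literal 8.2.3 rule is modelled as
# 7 characters drawn from the 62-character alphanumeric set, and
# "equivalent strength" is measured as charset entropy log2(pool ** length).
ALNUM_POOL = len(string.ascii_letters + string.digits)   # 62
BASELINE_BITS = 7 * math.log2(ALNUM_POOL)                # ~41.7 bits


def meets_literal_rule(pw: str) -> bool:
    """8.2.3 as written: at least 7 chars, with at least one letter and one digit."""
    return (len(pw) >= 7
            and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw))


def charset_entropy_bits(pw: str) -> float:
    """Keyspace entropy implied by the character classes actually present.

    Each class used widens the pool a brute-force search must cover. This is a
    keyspace bound, not a guessability score: a dictionary word still needs a
    separate dictionary check, which this function deliberately does not do.
    """
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)                  # 32
    if any(c.isspace() for c in pw):
        pool += 1
    return len(pw) * math.log2(pool) if pool else 0.0


def acceptable(pw: str) -> bool:
    """Accept if the literal rule holds, or the alternative is at least as strong."""
    return meets_literal_rule(pw) or charset_entropy_bits(pw) >= BASELINE_BITS


if __name__ == "__main__":
    # Constructed candidates: a literal pass, a long lowercase passphrase
    # (no digit, but far stronger), and an 8-digit PIN (fails both tests).
    for candidate in ("abc1234", "correct horse battery", "12345678"):
        print(f"{candidate!r}: literal={meets_literal_rule(candidate)} "
              f"bits={charset_entropy_bits(candidate):.1f} "
              f"accept={acceptable(candidate)}")
```

The passphrase without a digit is accepted on strength alone, while a numeric-only PIN needs roughly 13 digits before its keyspace reaches the seven-character alphanumeric baseline, which is the kind of comparison an entity must document when it invokes the equivalent-strength clause.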

Notable Clarifications
- 1.3.7: Cardholder data is explicitly not allowed to be stored anywhere with direct access to the Internet or untrusted networks.
- 3.2: Sensitive authentication data (SAD) is to be rendered unrecoverable once a transaction is completed. Also clarified testing procedures for issuers that retain SAD.

Notable Clarifications
- 3.4.1: When using whole-disk encryption, the key management process must be separate and independent from the underlying OS.
- 4.1: Defined open, public networks to include:
  - The Internet
  - Wireless technologies, including 802.11 and Bluetooth
  - Cellular technologies, for example Global System for Mobile communications (GSM), Code Division Multiple Access (CDMA), General Packet Radio Service (GPRS)
  - Satellite communications

Notable Clarifications
- Flipped requirements 6.1 and 6.2: 6.1 now regards risk rankings and 6.2 regards patching.
- 6.5.x updated to reflect the changes in application software risks.
- 6.6: "web application firewall" terminology replaced with "automated technical solution".
- 9.2: visitor ID badges are not the only option.
- Requirements 9.5 through 9.8 are restructured and reorganized.

Notable Clarifications
- 10.2.6 now includes logging of pausing and/or stopping audit logging.
- 10.6 changes include:
  - Intent of log reviews is to identify anomalies or suspicious activity.
  - Provides guidance about the scope of daily log reviews.

Notable Clarifications
- 10.6 changes: allowing more flexibility for review of certain log events periodically, as defined by the entity's risk management strategy.
- Log sources called out in 10.6:
  - Notifications or alerts that identify suspicious or anomalous activities
  - Logs from critical system components
  - Logs from systems that perform security functions, such as firewalls, IDS/IPS, file-integrity monitoring (FIM) systems and so on
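An added illustration of the 10.2.6 and 10.6 points on the two slides above (example code, not from the slides or FishNet Security): it triages one day of constructed syslog-style lines, treating a message about audit logging being suspended and any event from a host that performs a security function as same-day alerts, and everything else as material for periodic review. The host inventory, the log lines, the regexes and the failed-login threshold are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the slide); hostnames and addresses are made up.
SAMPLE_LOGS = """\
2013-11-04T02:10:11Z fw-edge-01 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=10.0.5.4 DPT=3389
2013-11-04T02:11:45Z pos-gw-01 auditd[812]: audit daemon is suspending logging
2013-11-04T02:12:02Z web-01 sshd[2210]: Failed password for admin from 198.51.100.7
2013-11-04T02:12:04Z web-01 sshd[2210]: Failed password for admin from 198.51.100.7
2013-11-04T02:12:06Z web-01 sshd[2210]: Failed password for admin from 198.51.100.7
2013-11-04T02:15:30Z db-01 fim: change detected /etc/passwd
2013-11-04T03:00:00Z print-01 cupsd: job 41 completed
"""

# Assumed inventory of hosts that perform security functions (firewall, FIM-monitored DB).
SECURITY_FUNCTION_HOSTS = {"fw-edge-01", "db-01"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")
AUDIT_STOP_RE = re.compile(r"audit.*(suspend|stop|paus|halt)", re.IGNORECASE)
FAILED_LOGIN_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")
FAILED_LOGIN_THRESHOLD = 3      # assumed: alert on the third failure for a user/source pair


def parse(lines: str):
    """Yield dicts with ts/host/proc/msg for every line that matches the assumed format."""
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def daily_review(lines: str):
    """Split one day of events into (alerts needing same-day review, periodic-review events)."""
    alerts, periodic = [], []
    failures = defaultdict(int)
    for ev in parse(lines):
        msg = ev["msg"]
        if AUDIT_STOP_RE.search(msg):
            # 10.2.6: pausing or stopping audit logging is itself an auditable event,
            # and a gap in the audit trail is exactly what a daily review must catch.
            alerts.append(("audit-logging-stopped", ev["host"], msg))
        elif ev["host"] in SECURITY_FUNCTION_HOSTS:
            # 10.6: logs from security-function systems are reviewed daily.
            alerts.append(("security-function-event", ev["host"], msg))
        elif (fm := FAILED_LOGIN_RE.search(msg)):
            key = (ev["host"], fm["user"], fm["src"])
            failures[key] += 1
            if failures[key] == FAILED_LOGIN_THRESHOLD:
                alerts.append(("repeated-auth-failure", ev["host"],
                               f"{fm['user']} from {fm['src']}"))
            else:
                periodic.append((ev["host"], msg))
        else:
            periodic.append((ev["host"], msg))
    return alerts, periodic


if __name__ == "__main__":
    found, deferred = daily_review(SAMPLE_LOGS)
    for kind, host, detail in found:
        print(f"ALERT {kind:<25} {host:<10} {detail}")
    print(f"{len(deferred)} event(s) deferred to periodic review")
```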

Notable Clarifications
- 11.2 changes include:
  - Explicitly allows multiple scanning reports to be combined to meet the quarterly requirement.
  - Rescanning must be performed until all high vulnerabilities are resolved.
- 11.5 now allows any mechanism to be used that can detect critical file changes.
- 12.3.4 no longer requires that mobile devices be labeled.
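The combined-report rule in 11.2 above, as an added example that is not code from the slides or from FishNet Security: it merges several constructed scan reports for one quarter against an in-scope inventory of the kind 2.4 calls for, keeps only the latest rescan of each host, and reports hosts never scanned in the quarter and high findings still open after rescanning. Hostnames, dates and the CVE-PLACEHOLDER finding id are constructed.

```python
from datetime import date

# Constructed sample data (not from the slide): the in-scope inventory and
# five scan reports spanning Q1 2014, including two rescans after remediation.
IN_SCOPE_HOSTS = {"web-01", "web-02", "db-01", "pos-gw-01"}

SCAN_REPORTS = [
    {"date": date(2014, 1, 10), "host": "web-01",
     "findings": [("CVE-PLACEHOLDER-1", "high"), ("weak-cipher", "medium")]},
    {"date": date(2014, 1, 10), "host": "web-02", "findings": []},
    {"date": date(2014, 2, 3), "host": "db-01", "findings": [("default-creds", "high")]},
    # rescan of db-01 after remediation: the high is gone
    {"date": date(2014, 2, 20), "host": "db-01", "findings": [("info-banner", "low")]},
    # rescan of web-01: the high is still open
    {"date": date(2014, 3, 1), "host": "web-01", "findings": [("CVE-PLACEHOLDER-1", "high")]},
]


def quarter_window(d: date):
    """Return (first day of the quarter containing d, first day of the next quarter)."""
    q_start_month = 3 * ((d.month - 1) // 3) + 1
    start = date(d.year, q_start_month, 1)
    end = date(d.year + 1, 1, 1) if q_start_month == 10 else date(d.year, q_start_month + 3, 1)
    return start, end


def latest_result_per_host(reports, start, end):
    """Combine reports: keep only the most recent scan of each host within [start, end)."""
    latest = {}
    for r in reports:
        if start <= r["date"] < end:
            if r["host"] not in latest or r["date"] > latest[r["host"]]["date"]:
                latest[r["host"]] = r
    return latest


def evaluate_quarter(reports, inventory, any_day_in_quarter):
    """11.2 logic: every in-scope host scanned this quarter and no highs open after rescans."""
    start, end = quarter_window(any_day_in_quarter)
    latest = latest_result_per_host(reports, start, end)
    unscanned = sorted(inventory - set(latest))
    open_highs = sorted((host, finding) for host, r in latest.items()
                        for finding, severity in r["findings"] if severity == "high")
    return {"quarter_start": start, "unscanned": unscanned,
            "open_highs": open_highs,
            "passes": not unscanned and not open_highs}


if __name__ == "__main__":
    result = evaluate_quarter(SCAN_REPORTS, IN_SCOPE_HOSTS, date(2014, 2, 15))
    print(f"quarter starting {result['quarter_start']}: passes={result['passes']}")
    print("never scanned this quarter:", result["unscanned"])
    print("highs still open after latest rescan:", result["open_highs"])
```

With the sample data the quarter fails for two independent reasons, a host with no scan at all and a high that survived its rescan; a later clean rescan of web-01 and any scan of pos-gw-01 inside the window would turn it into a pass.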

Best Practices until June 30, 2015
The following slides discuss the six new requirements that are considered best practices until June 30, 2015, after which they become requirements.

Coming June 30, 2015
- 6.5.10: Broken Authentication and Session Management
- 8.5.1: Service providers with access to customer environments must use a unique authentication credential (such as a password/phrase) for each customer environment.
- 9.9: Protect point-of-sale (POS) devices that capture payment card data via direct physical interaction with the card from tampering and substitution.

Coming June 30, 2015
- 11.3: Develop and implement a methodology for penetration testing that:
  - Is based on industry-accepted penetration testing approaches (for example, NIST SP 800-115).
  - Includes coverage for the entire CDE perimeter and critical systems.
  - Includes testing from both inside the network and from outside of the network attempting to get in.
  - Includes testing to validate any segmentation and scope-reduction controls.
  - Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5.
  - Defines network-layer penetration tests to include components that support network functions as well as operating systems.
  - Includes review and consideration of threats and vulnerabilities experienced in the last 12 months.
  - Specifies retention of penetration testing results and remediation activities results.

Coming June 30, 2015
- 12.9: Additional requirement for service providers: Service providers acknowledge in writing to customers that they will maintain all applicable PCI DSS requirements to the extent the service provider handles, has access to or otherwise stores, processes or transmits the customer's cardholder data or sensitive authentication data, or manages the customer's cardholder data environment on behalf of a customer.

Final Recommendations
- Review the v3.0 DSS closely with your QSA to determine if a gap analysis is recommended.
- Incorporate Business-as-Usual to maintain security and compliance.
- Maintain a documented CDE inventory and network diagrams with data flows.
- Ensure in-house developed payment apps securely handle PAN/SAD in memory.
- Physically secure and inspect POS terminals periodically, including validating any third party's authorization to access devices.
- If CHD is shared with a third party, ensure they are contractually aware of what controls they are responsible for.

Thank You
Brian Serra, CISSP, PCIP, PCI Practice Director, FishNet Security, Brian.Serra@fishnetsecurity.com
Nick Puetz, Managing Director, Strategic Services, FishNet Security, Nick.Puetz@fishnetsecurity.com