© 2016 Stickman Consulting Pty Ltd 1
PCI DSS Update
Key implications of PCI DSS v3.1
By Ajay Unni, CEO, Stickman Consulting
Agenda
• Why PCI DSS v3.1
• Summary of PCI DSS v3.1
• How to know if you're using SSL/early TLS
• What you should do if using SSL/early TLS
• Is your organisation using SSL/early TLS?
• Key implications for merchants
• Key implications for small merchants
• What should e-commerce websites do?
• Steps to migrate safely
• About Stickman
Why PCI DSS v3.1?
• PCI DSS v3.1 was released in April 2015.
• It was released out of cycle because of identified threats to the
Secure Sockets Layer (SSL) and early Transport Layer Security (TLS)
protocols.
• POODLE (a padding-oracle attack on SSL 3.0), FREAK (a forced downgrade
to export-grade RSA) and WinShock (MS14-066 in Microsoft's SChannel)
also expedited its release.
Why PCI DSS v3.1 cont’d
• SSL and early versions of TLS are no longer
considered strong encryption protocols to send
cardholder information between web servers
and browsers.
Summary of PCI DSS v3.1
• The substantive change: SSL and early TLS are removed from the examples
of strong cryptography, so they no longer satisfy any requirement that
calls for it.
• Key requirements affected by PCI DSS v3.1 are:
– 2.2.3: insecure services and protocols (for example FTP, Telnet and file
sharing) must be protected with secure technologies such as SSH, S-FTP,
TLS or IPsec VPN.
– 2.3: all non-console administrative access must be encrypted with strong
cryptography.
– 4.1: strong cryptography and security protocols must protect cardholder
data during transmission over open, public networks.
How to know if you're using SSL/early TLS?
• Check the protocol versions enabled on every component that terminates
connections carrying cardholder data (web servers, load balancers, VPN
concentrators, POS terminals); the vendor's documentation states which
versions a product supports and how to restrict them.
• Conduct internal and external vulnerability scans to identify any
applications still accepting SSL or early TLS; external ASV scans report
them as findings.
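A check a practitioner can run against a given endpoint, as an added example that is not code from the deck or from Stickman: it sends one hand-built ClientHello per protocol version and reads the ServerHello or Alert that comes back. Working at the record layer matters because a current OpenSSL build usually has SSLv3 (and often TLS 1.0/1.1) compiled out, so a check built on Python's `ssl` module would report "unsupported" for the wrong reason. The target host, the port and the cipher-suite list are assumptions.

```python
"""Probe one endpoint for SSL 3.0 and early-TLS support using raw ClientHello records.

Added example; not code from the original deck or from Stickman. Host, port and
the cipher-suite list below are assumptions for the example.
"""
import socket
import struct
import sys

# Wire versions: SSL 3.0 = 3.0, TLS 1.0 = 3.1, TLS 1.1 = 3.2, TLS 1.2 = 3.3.
VERSIONS = {"SSLv3": (3, 0), "TLSv1.0": (3, 1), "TLSv1.1": (3, 2), "TLSv1.2": (3, 3)}
# PCI DSS v3.1 removed SSL and "early TLS" from the examples of strong cryptography.
# The Council's guidance names TLS 1.0 as early TLS; TLS 1.1 is treated as not strong
# here as well (assumption for the example, in line with current practice).
NOT_STRONG = {"SSLv3", "TLSv1.0", "TLSv1.1"}
# Offer a broad suite list so that the version, not the cipher, decides the outcome.
CIPHER_SUITES = [0xC02F, 0xC030, 0xC013, 0xC014, 0x009C, 0x009D,
                 0x002F, 0x0035, 0x000A, 0x0033, 0x0039, 0x0004, 0x0005]


def build_client_hello(version, server_name=None):
    """Return one TLS record carrying a ClientHello that offers exactly `version`."""
    major, minor = version
    client_random = b"\x00" * 32          # a real client uses os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (bytes([major, minor]) + client_random
            + b"\x00"                                   # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                              # compression: null only
    if server_name and version != (3, 0):               # SSLv3 has no extensions
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type host_name
        name_list = struct.pack("!H", len(entry)) + entry
        sni = struct.pack("!HH", 0x0000, len(name_list)) + name_list
        body += struct.pack("!H", len(sni)) + sni
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type + 24-bit length
    return b"\x16" + bytes([major, minor]) + struct.pack("!H", len(handshake)) + handshake


def parse_server_response(data):
    """Classify the first record the server sent back."""
    if len(data) < 5:
        return ("closed",)                 # no record at all: server dropped the connection
    content_type = data[0]
    length = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + length]
    if content_type == 0x15 and len(payload) >= 2:
        return ("alert", payload[0], payload[1])           # (2, 70) = fatal protocol_version
    if content_type == 0x16 and len(payload) >= 6 and payload[0] == 0x02:
        return ("server_hello", (payload[4], payload[5]))  # ServerHello: type, len(3), version
    return ("other", content_type)


def probe(host, port=443, timeout=5.0):
    """Send one ClientHello per version and return {version name: outcome}."""
    results = {}
    for name, version in VERSIONS.items():
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                sock.sendall(build_client_hello(version, host))
                reply = sock.recv(4096)
        except OSError:
            reply = b""
        results[name] = parse_server_response(reply)
    return results


def not_strong_versions_accepted(results):
    """Names of not-strong versions for which the server completed a ServerHello."""
    by_wire = {v: k for k, v in VERSIONS.items()}
    accepted = {by_wire.get(o[1], "unknown") for o in results.values() if o[0] == "server_hello"}
    return sorted(accepted & NOT_STRONG)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"   # assumed host
    outcome = probe(target)
    for name, res in outcome.items():
        print(f"{name:8} {res}")
    weak = not_strong_versions_accepted(outcome)
    print("PCI DSS finding:", ", ".join(weak) if weak else "no SSL/early TLS accepted")
```

Saved as, say, probe_tls.py and run as `python probe_tls.py shop.example.com`, the result you want is a fatal alert 70 (protocol_version) or a dropped connection for SSLv3 and TLSv1.0. Probe every termination point, not only the public web server: load balancers, payment-gateway callback endpoints and VPN concentrators all count.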
What you should do if using SSL/early TLS
• Reconfigure: disable SSL 3.0 (and SSL 2.0 if still enabled) and TLS 1.0 in your
software, following the vendor's hardening guidance, and rescan afterwards to
confirm the change took effect.
• Upgrade: where the current version cannot be configured for TLS 1.1 or later,
move to a vendor version that supports TLS 1.2 and enable only that.
• Encrypt the data itself with strong cryptography, at the application or field
level, before it is transmitted over SSL/early TLS, so the weak transport is no
longer the only protection.
• Set up a strongly encrypted session such as an IPsec tunnel and send the
SSL/early TLS traffic through it.
• The last two are interim risk-reduction measures while migration is completed,
not a substitute for removing SSL/early TLS.
Key implications for merchants
• New implementations must not use SSL or early TLS.
• SSL and early TLS cannot be relied on as a security control for cardholder
data after 30 June 2016. (The PCI Council subsequently extended this deadline
to 30 June 2018, and PCI DSS v3.2 carries the revised date; the planning
requirement below still applies in the meantime.)
• Merchants with existing implementations must have a documented risk
mitigation and migration plan in place before the deadline.
• POS POI terminals (and the termination points they connect to) that can be
verified as not susceptible to the known exploits against SSL/early TLS may
continue to use them after the deadline.
Key actions for small merchants
• Small merchants must also eliminate SSL/early TLS from their cardholder
data environment.
• Assess Point of Sale terminals for SSL/early TLS support and for exposure
to the known exploits.
• Identify every place (servers, computers, POS terminals) where SSL/early
TLS is implemented and upgrade or reconfigure it before the 30 June 2016
deadline.
What should e-commerce websites do?
• Create a risk mitigation and migration plan.
• Before migration, reduce the number of servers that still terminate
SSL/early TLS (consolidate behind a hardened load balancer, for example)
so that fewer systems are exposed while the vulnerable protocols remain.
Steps to migrate safely
1. Identify the data flows and system components that support vulnerable protocols.
2. For each data flow or system component, identify the business or technical need for
the vulnerable protocol.
3. Remove every occurrence of a vulnerable protocol that is not supported by a business
or technical need.
4. Identify which technologies can replace the protocols and fully document the secure
configurations planned for implementation.
5. Document the migration plan, including the steps and timeframe of each update.
6. Deploy risk-reduction controls to counter the known vulnerabilities until all
vulnerable protocols are permanently removed.
7. Follow change control procedures so that every update is authorised.
8. Update the system configuration standards once the migration is complete.
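Steps 1 and 2 above call for an inventory of which data flows still rely on SSL/early TLS and why. The following is an added example (not code from the deck or from Stickman) that derives that inventory from web-server access logs, so the "business need" question can be answered per client and path rather than guessed. It assumes an nginx log format extended with `$ssl_protocol` and `$ssl_cipher` (the format is an assumption, and the sample log lines are constructed for the example).

```python
"""Summarise which clients still negotiate SSL 3.0 / early TLS, from web-server access logs.

Added example, not from the original deck. It assumes an nginx log_format that
appends $ssl_protocol and $ssl_cipher to the "combined" format:

    log_format tls '$remote_addr - $remote_user [$time_local] "$request" '
                   '$status $body_bytes_sent "$http_referer" "$http_user_agent" '
                   '$ssl_protocol $ssl_cipher';

The log lines in SAMPLE_LOG are constructed for this example.
"""
import re
from collections import Counter, defaultdict

# nginx prints TLS 1.0 as "TLSv1". SSL and early TLS are not strong cryptography
# under PCI DSS v3.1; TLS 1.1 is included here as well (assumption for the example).
NOT_STRONG = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" '
    r'(?P<proto>\S+) (?P<cipher>\S+)$'
)

SAMPLE_LOG = """\
203.0.113.10 - - [12/May/2016:10:01:02 +1000] "POST /checkout HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 5.1; rv:12.0)" TLSv1 AES128-SHA
203.0.113.10 - - [12/May/2016:10:01:05 +1000] "GET /cart HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 5.1; rv:12.0)" TLSv1 AES128-SHA
198.51.100.7 - - [12/May/2016:10:02:00 +1000] "POST /checkout HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/50.0" TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
198.51.100.9 - - [12/May/2016:10:02:30 +1000] "POST /pos/settle HTTP/1.0" 200 64 "-" "PosTerminal/3.1" SSLv3 RC4-SHA
192.0.2.44 - - [12/May/2016:10:03:00 +1000] "GET /healthz HTTP/1.1" 200 2 "-" "monitor/1.0" - -
"""


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # "METHOD /path HTTP/x.y" -> "/path"; keep the raw request if it is malformed
    rec["path"] = rec["request"].split(" ")[1] if rec["request"].count(" ") >= 2 else rec["request"]
    return rec


def summarise(lines):
    """Count requests per protocol and list the clients (ip, user agent) still on weak versions."""
    protocols = Counter()
    weak_clients = defaultdict(Counter)   # (ip, user_agent) -> Counter of (protocol, path)
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["proto"] == "-":
            continue   # plain HTTP: no TLS layer to assess (cardholder data must not travel here at all)
        protocols[rec["proto"]] += 1
        if rec["proto"] in NOT_STRONG:
            weak_clients[(rec["ip"], rec["ua"])][(rec["proto"], rec["path"])] += 1
    total = sum(protocols.values())
    weak = sum(n for p, n in protocols.items() if p in NOT_STRONG)
    return {
        "protocols": dict(protocols),
        "weak_share": (weak / total) if total else 0.0,
        "weak_clients": {k: dict(v) for k, v in weak_clients.items()},
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            report = summarise(fh)
    else:
        report = summarise(SAMPLE_LOG.splitlines())
    print("requests per protocol:", report["protocols"])
    print(f"share on SSL/early TLS: {report['weak_share']:.0%}")
    for (ip, ua), hits in sorted(report["weak_clients"].items()):
        for (proto, path), n in sorted(hits.items()):
            print(f"  {ip:15} {proto:8} {path:14} x{n}  {ua}")
```

Run against a real log (`python tls_inventory.py /var/log/nginx/access.log`, file name assumed) the weak_clients table is the list you take into step 2: a browser on Windows XP posting to /checkout is a customer you may choose to lose, while a POS terminal on SSLv3 is a device that needs a firmware upgrade or a tunnel before the protocol is switched off. Requests logged with "-" in the protocol field are plain HTTP and are a separate Requirement 4.1 problem.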
Our clients
The Payment Card Industry Landscape
PCI Lifecycle Action Plan (12-month cycle): Phase I Assess, Phase II Remediate, Phase III Certify, Phase IV Maintain
P: 1800 785 626
E: ajay.unni@stickman.com.au
www.stickman.com.au
Level 11, Suite 2,
210 George Street,
Sydney NSW 2000
Thank you!

Speaker notes

  1. THANK YOU FOR PARTICIPANT PATIENCE and ACKNOWLEDGE THEM FOR TAKING THE TIME OUT TO BE WITH US TODAY INTRODUCE SPEAKERS AND WHAT THEIR ROLES ARE AND WHAT a QSA AND PCI IS READ TOPIC and WHAT TO EXPECT Webinar for 30-45 minutes Facts and reality about data breaches Risk Mitigation for a secure business Register to take Action to mitigate your risk LAUNCH POLL S003: Do you know what data is most wanted by cyber criminals? CLOSE POLL Jump to next slide – data sought after by cyber criminals
  2. WELL IT IS CREDIT CARD DATA EXPLAIN VARIOUS BUSINESS TYPES ONLINE BUSINESS ACROSS THE COUNTER – GROCERY STORES MAIL / FAX ORDER OR PHONE ORDER – GIFT SHOPS SERVICE PROVIDER FOR CREDIT CARD PAYMENT BANK WHO PROVIDES MERCHANT FACILITY OR ISSUER OF CREDIT CARDS PAUSE FOR QUESTIONS NEXT SLIDE MAIN CAUSE OF A DATA BREACH
  3. PAUSE FOR QUESTIONS Next Service Providers