An in-depth look at how to prepare for PCI 3.0. Join us as we discuss: scoping, dss, testing requirements, credit card security and threat & vulnerability management.

1. Getting Ready for PCI 3.0
Kurt Hagerman
Chief Information Security Officer
Webinar Series: Part 1 of 6

2. What We’ll Cover
• Overview of Significant Changes
• Guidance on Addressing the Changes
• Observations on Anticipated Challenges
• Recommended Initial To-do List
• Next Time (Series Part 2)
• Address Your Questions
AGENDA
Webinar Series: Getting Ready for PCI 3.0
Submit your questions throughout the
webinar via chat. We’ll address them live
at the end or follow up offline.

3. Scoping
• More responsibility for fully defining and documenting the scope of
the CDE:
Maintain an inventory of all systems within the CDE
(NEW CONTROL)
Produce cardholder data flow diagram
(NEW CONTROL)
Perform pen testing to verify all segmentation
(STRENGTHENED CONTROL)
SIGNIFICANT CHANGES
Webinar Series: Getting Ready for PCI 3.0

4. Scoping (cont.)
• Shared responsibilities with service providers
Maintain a list of control responsibilities with each provider
(NEW CONTROL)
More specified testing of Service Provider controls (policies,
procedures, etc.) throughout the 12 control families
(NEW CONTROLS)
More acknowledgements of responsibilities - require service provider
sign written agreements with all of their customers
(NEW CONTROL) Best practice until June, 2015
SIGNIFICANT CHANGES
Webinar Series: Getting Ready for PCI 3.0

5. SIGNIFICANT CHANGES
Webinar Series: Getting Ready for PCI 3.0
Threat & Vulnerability Management
Evaluate evolving threats to systems not commonly affected by
malware (STRENGTHENED CONTROL)
More requirements to update vulnerabilities based on specific industry
sources (STRENGTHENED CONTROL)
New requirements around physical security of payment terminals (NEW
CONTROL) Best practice until June, 2015
Implement a methodology for pen testing that matches CDE design and
risks (STRENGTHENED CONTROL)

6. SIGNIFICANT CHANGES
Webinar Series: Getting Ready for PCI 3.0
Clarity & Reorganization
Further breakdown of controls with additional
testing requirements
Elimination of redundant sub-controls
More detailed guidance on logging and log review controls
Specific controls for policy and procedure documentation throughout
the 12 control families
Integrated content from guidance document into the DSS

7. Implement PCI into Business-as-Usual Processes
• Monitor security controls to ensure effective operation
• Ensure failures are detected and addressed quickly
• Review changes to the environment and address the
potential impact on scope
• Review the potential impact to scope of changes to organizational
structure (for example, a company merger or acquisition)
• Conduct periodic reviews of DSS requirements to ensure
they continue to operate as designed
• Annually review hardware and software used within the
CDE and confirm their continued vendor support
ADDITIONAL GUIDANCE
Webinar Series: Getting Ready for PCI 3.0

8. Positive Changes
• Addresses many of the well-known weaknesses in the DSS
• Reorganization and consolidation of controls makes the
DSS easier to understand
• More detailed testing procedures and inclusion of guidance for each
control provides needed clarification on how the controls apply and
what QSAs will be looking for
• Clarification of scoping requirements and responsibility will help
improve relationships between QSAs and their customers
• If the changes are embraced and QSAs do proper assessments,
there should be a measurable
improvement in credit card security
OBSERVATIONS ON CHANGES
Webinar Series: Getting Ready for PCI 3.0

9. ANTICIPATED CHALLENGES
Webinar Series: Getting Ready for PCI 3.0
Challenges
• Physical security controls for payment terminals – significant
hardship for retailers with large numbers of sites
• Detailed scoping requirements will be difficult for many smaller and
mid-sized merchants
• Delineation of responsibilities between service providers
and merchants
• Strengthened pen testing requirements will likely result in many
organizations no longer being compliant or at least increasing the
scope of their CDE

10. ANTICIPATED CHALLENGES
Webinar Series: Getting Ready for PCI 3.0
Challenges (cont.)
• Implementing PCI DSS into Business-as-Usual Processes
• PCI compliance has been seen as a once-a-year exercise
• Many organizations lack (mature) InfoSec organizations
to make this happen
• Significant inertia of the checkbox compliance movement
• Immediate impact will likely mean increased time and costs for
organizations to remain compliant
• Resistance to increased audit costs will put pressure on QSAs to
perform proper assessments
• Already strained IT budgets will see further upward pressure increasing
the difficulty security officers have to justify the costs

11. Initial To-Do List
Download the new DSS
Make notes where you have questions about how
it may impact your organization
Schedule a conversation with your QSA
Get their take on the new standard
Start developing a gap analysis of issues
Choose a qualified service provider
Validated as a VISA/MasterCard service provider
Compliance experts on staff
Transparent and auditor friendly
RECOMMENDED TO-DO LIST
Webinar Series: Getting Ready for PCI 3.0

12. What’s Next (Coming in Part 2)
• What to do in the next 12 months
• Getting more detailed with scoping
• Understanding payment terminal security
• Addressing pen testing challenges
• Don’t wait, start now
UP NEXT
Webinar Series: Getting Ready for PCI 3.0

13. Q&A
Webinar Series: Getting Ready for PCI 3.0
&
Questions
Answers

14. Thank You
Email
Phone
Kurt Hagerman
Director of Information Security
kurt.hagerman@firehost.com
877 262 3473 x8073
WRAP UP
Webinar Series: Getting Ready for PCI 3.0