The document provides an overview of the Payment Card Industry Data Security Standard (PCI DSS) and its revisions over time. PCI DSS 3.0 introduced several updates that became effective on July 1, 2015, including additional documentation requirements, strengthened technical security controls, updated self-assessment questionnaires, and changes to service provider management. The overall goal of PCI DSS and its ongoing revisions is to help organizations maintain security and protect cardholder data.
OVERVIEW
4. Payment Card Industry Data Security Standard (PCI DSS)
A set of requirements designed to ensure that all companies that store, process or transmit credit card information maintain a secure environment.
5. Payment Card Industry Security Standards Council (PCI SSC)
An independent body created by the major payment card brands in 2006 to administer and manage the ongoing evolution of the PCI DSS.
6. History of PCI DSS Revisions
– 2004: Version 1.0
– 2006: Version 1.1
– 2008: Version 1.2
– 2009: Version 1.2.1
– 2010: Version 2.0
– 2013: Version 3.0
12. Several standards introduced new versions for 2014 including:
– SOC 2 (Trust Services Principles)
– ISO 27001 (2013)
– FedRAMP - NIST 800-53 Rev 4
– CSA STAR
– PCI DSS 3.0
17. WHY UPDATE TO 3.0?
• The PCI Security Standards Council’s (“SSC”) three year update schedule
• Consistency in assessments
• Streamline certain requirements
• Align with technology trends
• Cooperate with “business as usual”
18. WHEN TO UPDATE?
January 1, 2014: PCI DSS 3.0 is effective (merchant or service provider’s choice)
23. ADDITIONAL DOCUMENTATION REQUIREMENTS
• Breadth and depth of requirements
• Systems inventory
• Dataflow diagrams
• Detailed access needs for each role
• Service provider due diligence
24. TECHNICAL UPDATES
• Antivirus definition
• Additional application security vectors
  – e.g. memory scraping
• Additional validation testing required for:
  – Access control and authentication
  – More flexibility for ‘daily’ log monitoring
25. SELF ASSESSMENT QUESTIONNAIRE & E-COMMERCE IMPLICATIONS
• SAQ A vs. SAQ A-EP
  – SAQ A: 14 questions
  – SAQ A-EP: ~150 questions
• Of note: a properly formed iFrame can use SAQ A
• All e-commerce providers have to meet all applicable requirements regardless of SAQ form
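The SAQ A versus SAQ A-EP distinction on this slide turns on whether the merchant's own page ever touches cardholder data or whether card entry is fully delegated to a PSP-hosted iframe. The following script is an added illustration, not part of the deck and not an official eligibility test: it scans a checkout page's HTML for card-capturing input fields and for iframes served from the payment provider's origin, and reports which SAQ the page most resembles. The PSP origin, the field-name hints and the two sample pages are all constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical payment service provider (PSP) origin, assumed for this illustration.
PSP_ORIGIN = "https://checkout.example-psp.test"

# Attribute substrings that suggest an <input> captures cardholder data.
CARD_FIELD_HINTS = ("cc-number", "cc-csc", "cc-exp", "cardnumber", "card_number",
                    "cardno", "cvv", "cvc", "expiry")


class CheckoutPageScanner(HTMLParser):
    """Collects iframe origins and any inputs that look like cardholder-data fields."""

    def __init__(self):
        super().__init__()
        self.iframe_origins = []
        self.card_inputs = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe" and a.get("src"):
            u = urlparse(a["src"])
            self.iframe_origins.append(f"{u.scheme}://{u.netloc}")
        elif tag == "input":
            hints = " ".join((a.get("name", ""), a.get("id", ""),
                              a.get("autocomplete", ""))).lower()
            if any(h in hints for h in CARD_FIELD_HINTS):
                self.card_inputs.append(a.get("name") or a.get("id") or "<unnamed>")


def classify_checkout(html, psp_origin=PSP_ORIGIN):
    """Heuristic triage of a merchant checkout page.

    Returns a dict whose 'classification' is:
      'SAQ A-EP'        - the merchant's own page captures cardholder data
      'SAQ A candidate' - card entry is delegated to a TLS-protected PSP iframe
      'review'          - no PSP iframe found, or something on the page needs a look
    """
    scanner = CheckoutPageScanner()
    scanner.feed(html)
    findings = []

    if scanner.card_inputs:
        findings.append(f"merchant page captures cardholder data in {scanner.card_inputs}")
        classification = "SAQ A-EP"
    else:
        for origin in scanner.iframe_origins:
            if origin != psp_origin:
                findings.append(f"iframe served from non-PSP origin {origin}")
            if not origin.startswith("https://"):
                findings.append(f"iframe loaded without TLS: {origin}")
        if psp_origin not in scanner.iframe_origins:
            findings.append("no PSP-hosted payment iframe found")
        classification = "SAQ A candidate" if not findings else "review"

    return {"classification": classification,
            "iframe_origins": scanner.iframe_origins,
            "card_inputs": scanner.card_inputs,
            "findings": findings}


# Constructed sample pages (not from any real merchant).
IFRAME_PAGE = """<html><body><h1>Checkout</h1>
<iframe src="https://checkout.example-psp.test/pay?session=abc123" title="Payment"></iframe>
</body></html>"""

MERCHANT_FIELDS_PAGE = """<html><body>
<form action="/pay" method="post">
  <input name="card_number" autocomplete="cc-number">
  <input name="cvv" autocomplete="cc-csc">
  <button type="submit">Pay</button>
</form>
<script src="https://checkout.example-psp.test/tokenize.js"></script>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("iframe", IFRAME_PAGE), ("merchant fields", MERCHANT_FIELDS_PAGE)):
        print(name, "->", classify_checkout(page))
```

The second sample page is the case the slide's "~150 questions" warning is about: the card fields live on the merchant origin, so any script the merchant page loads can read them, and the merchant-hosted page becomes part of the assessment scope regardless of where the data is eventually sent. The check is a triage aid only; the slide's last bullet still applies, and the applicable requirements must be met whichever SAQ form is used.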
27. ACCESS CONTROL & TECHNICAL
• In a shared hosting environment, unique authentication credentials to each environment
• Physical protection of payment devices
• Web application vulnerability testing for broken authentication and session management
28. PENETRATION TESTING
Pen Testing Special Interest Group (SIG) to release an Information Supplement by the end of 2014
• Implement a methodology
• Emphasis on external AND internal network and application testing
• Validate segmentation and scope-reduction controls
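The last bullet above, validating segmentation and scope-reduction controls, is the one testers most often under-document. The following is an added example written for this page, not the SIG's supplement or any tool's output: it takes connectivity-test results launched from each network zone, compares them against the segmentation policy that defines which flows into the cardholder data environment are permitted, and reports every zone that reached a CDE host over a flow the policy does not allow. The host addresses, zone names, policy and probe results are constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Probe:
    """Result of one connectivity test launched from a network zone toward a host."""
    src_zone: str
    dst_host: str
    port: int
    reachable: bool


# Constructed inventory for the illustration: hosts that are in scope (CDE).
CDE_HOSTS = {"10.10.1.10", "10.10.1.11"}

# Segmentation policy: the only (source zone, CDE host, port) flows that should be open.
ALLOWED_FLOWS = {
    ("dmz-web", "10.10.1.10", 443),
    ("admin-jump", "10.10.1.10", 22),
    ("admin-jump", "10.10.1.11", 22),
}


def validate_segmentation(probes, cde_hosts=CDE_HOSTS, allowed=ALLOWED_FLOWS):
    """Compare connectivity-test results against the segmentation policy.

    A probe that reached a CDE host over a flow the policy does not allow is a
    segmentation failure: that source zone cannot be treated as out of scope.
    Allowed flows that no probe confirmed are reported so the tester knows the
    policy itself has not been exercised.
    """
    violations = []
    unverified = set(allowed)
    for p in probes:
        if p.dst_host not in cde_hosts:
            continue                      # only CDE-bound flows matter here
        flow = (p.src_zone, p.dst_host, p.port)
        if p.reachable and flow not in allowed:
            violations.append(p)
        elif p.reachable:
            unverified.discard(flow)      # allowed path confirmed open
    return {
        "violations": violations,
        "unverified_allowed_flows": sorted(unverified),
        "zones_tested": sorted({p.src_zone for p in probes}),
    }


# Constructed probe results, as a scan run from each zone might produce.
SAMPLE_PROBES = [
    Probe("dmz-web", "10.10.1.10", 443, True),      # allowed by policy
    Probe("corp-lan", "10.10.1.10", 443, True),     # violation: flat network
    Probe("corp-lan", "10.10.1.11", 3389, False),   # blocked, as expected
    Probe("guest-wifi", "10.10.1.11", 22, True),    # violation
    Probe("guest-wifi", "10.10.1.10", 443, False),  # blocked
    Probe("admin-jump", "10.10.1.10", 22, True),    # allowed by policy
    Probe("corp-lan", "10.10.2.5", 80, True),       # not a CDE host, ignored
]

if __name__ == "__main__":
    report = validate_segmentation(SAMPLE_PROBES)
    for v in report["violations"]:
        print(f"SEGMENTATION FAILURE: {v.src_zone} reached {v.dst_host}:{v.port}")
    print("allowed flows not confirmed by any probe:", report["unverified_allowed_flows"])
    print("zones tested:", report["zones_tested"])
```

Two design points worth keeping when adapting this: a violation is defined against the written policy rather than against "what looked surprising", so the test evidence ties directly to the scope-reduction claim the assessor will read; and unexercised allowed flows are surfaced as well, because a segmentation test that never tried the permitted paths says little about whether the controls are configured as documented.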
29. SERVICE PROVIDER MANAGEMENT
• Acknowledgement of responsibility from service providers
• Define which requirements are managed by service providers and which are managed by the entity