Agenda: - About PCI DSS - Overview of changes - Changes by requirement number - Implementation tips - Q&A

1. PCI DSS 3.0 changes
By Kishor Vaswani – CEO, ControlCase

2. Agenda
• About PCI DSS
• Overview of changes
• Changes by requirement number
• Implementation tips
• Q&A
1

3. About PCI DSS

4. What is PCI DSS?
Payment Card Industry Data Security Standard:
• Guidelines for securely processing, storing, or
transmitting payment card account data
• Established by leading payment card issuers
• Maintained by the PCI Security Standards Council
(PCI SSC)
2

5. PCI DSS Requirements
Control Objectives Requirements
Build and maintain a secure network 1. Install and maintain a firewall configuration to protect
cardholder data
2. Do not use vendor-supplied defaults for system passwords and
other security parameters
Protect cardholder data 3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public
networks
Maintain a vulnerability
management program
5. Use and regularly update anti-virus software on all systems
commonly affected by malware
6. Develop and maintain secure systems and applications
Implement strong access control
measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly monitor and test networks 10. Track and monitor all access to network resources and
cardholder data
11. Regularly test security systems and processes
Maintain an information security
policy
12. Maintain a policy that addresses information security
3

6. Timeline of PCI DSS 3.0
4
• The new PCI DSS 3.0 have been published
• Effective Jan 1st, 2014
• Can comply to PCI DSS 2.0 or 3.0 in 2014
• Must comply to PCI DSS 3.0 starting 2015

7. Overview of changes

8. Overview
5
Segmentation
• Adequacy of segmentation
• Penetration test
Third parties/Service providers
• Must validate PCI DSS compliance; OR
• Must participate is customers PCI DSS
compliance audit

9. Overview contd…
6
PCI DSS as Business as Usual
• Monitoring of security controls
• Review changes to environment
• Review changes to org structure
• Periodic review of controls vs. during audit
• Separation of duties (operational vs. security)
Physical protection of POS, ATM and Kiosks
• Maintain inventory
• Periodic inspection for tampering
• Train personnel

10. Changes by requirement number

11. Firewalls
• Network Diagram
› Must include cardholder data flows
› Must include clear boundary showing PCI DSS CDE scope
7

12. Configuration Standards
• Maintain an inventory of system components
› Business as usual function
› Inventory of hardware and software must be maintained
› Function of systems must be maintained
8

13. Protect Stored Cardholder Data
No significant changes
9

14. Protect Cardholder Data in Transmission
No significant changes
10

15. Antivirus
• Intent to prevent malware in addition to viruses
› Evaluate malware threats against systems EVEN if it is not a
system commonly affected by viruses/malicious software,
for e.g. AS/400
› Anti-virus should be running in an active mode AND
cannot be disabled by regular users without management
approval
11

16. Secure Applications
12
• Test applications for broken authentication and session
management flaws
• Renamed “Web Application Firewall” to “Automated Technical
Solution” to detect flaws

17. Access Control and User IDs
• Provides for flexibility is password controls
› Minimum of 7 characters
› Alphanumeric
› Alternatives are acceptable as long as objective is met
› Allows for alternative mechanisms such as tokens and
certificates
• Service Providers with access to customer
environments MUST ensure unique password per
customer
13

18. Physical Security
• Physical security access to “sensitive areas” must
be implemented for onsite personnel
› Data center
› Computer room
› Telecommunications room
• Protect physical devices such as POS
› Maintain a list
› Periodically inspect for tampering of device
› Train personnel to be aware of suspicious behavior
14

19. Logging and Monitoring
• Clarified what is meant by identification and
authentication logging
› Elevation of privileges must be logged
› Changes, addition or deletion to root or admin must be
logged
• Logging the audit logs
› Initialization of audit logs must be captured
› Stopping or pausing of audit logs must be captured
15

20. Vulnerability Management
• Maintain an inventory of authorized wireless
access points
• Penetration testing MUST validate segmentation
› Testing must be done to prove conclusively that a
compromise in non CDE network will not result in a breach
to the CDE network (if segmentation was implemented)
• Critical files must be compared at least weekly
AND an individual must evaluate and investigate
change to a critical files.
16

21. Policies and Procedures
• Third Party/Service provider requirements have
been enhanced
› Must maintain an inventory of which requirements are
dependent upon service provider
› Written acknowledgement required from service providers
attesting to PCI DSS requirements
› Third parties to provide PCI DSS certificate OR be willing to
be a part of customers PCI DSS audit
17

22. PCI DSS Requirements
18
Control Objectives Requirements
Build and maintain a secure network 1. Install and maintain a firewall configuration to protect
cardholder data
2. Do not use vendor-supplied defaults for system passwords and
other security parameters
Protect cardholder data 3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public
networks
Maintain a vulnerability
management program
5. Use and regularly update anti-virus software on all systems
commonly affected by malware
6. Develop and maintain secure systems and applications
Implement strong access control
measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly monitor and test networks 10. Track and monitor all access to network resources and
cardholder data
11. Regularly test security systems and processes
Maintain an information security
policy
12. Maintain a policy that addresses information security

23. Key Implementation Tips

24. Key Takeaways
• Revisit segmentation for adequacy
• Focus on third party compliance
• Identify GRC technology for business as usual
implementation
• Revisit penetration testing methodology
• Identify how to secure physical devices such as
POS, ATM and Kiosks
19

25. Available Documents
Following documents are available at
https://www.pcisecuritystandards.org/security_standards/documents.php
• PCI DSS ver 3.0
• PCI DSS Summary of Changes v2.0 to v3.0
• ROC reporting template for v3.0
• PCI DSS and PA DSS 3.0 Ver 3.0 change highlights
20

26. ControlCase Solutions

27. ControlCase PCI 3.0 transition package
21
PCI DSS 3.0 change assessment
Implement business as usual using ControlCase GRC
Third party PCI DSS data collection program
Review of penetration test methodology

28. To Learn More About PCI Compliance…
• Visit www.controlcase.com
• contact@controlcase.com
22

29. Thank You for Your Time