© 2016 Stickman Consulting Pty Ltd 1
PCI DSS Update
Key implications of PCI DSS v3.1
By Ajay Unni, CEO, Stickman Consulting
Agenda
• Why PCI DSS v3.1
• Summary of PCI DSS v3.1
• How to know if you're using SSL/early TLS
• What you should do if using SSL/early TLS
• Is your organisation using SSL/early TLS?
• Key implications for merchants
• Key implications for small merchants
• What should e-commerce websites do?
• Steps to migrate safely
• About Stickman
Why PCI DSS v3.1?
• PCI DSS v3.1 was released in April 2015.
• Released early due to identified threats to
Secure Sockets Layer (SSL) and early Transport
Layer Security (TLS) protocols.
• The POODLE browser attack and vulnerabilities like
FREAK and WinShock also expedited its
release.
Why PCI DSS v3.1 cont’d
• SSL and early versions of TLS are no longer
considered strong encryption protocols to send
cardholder information between web servers
and browsers.
Summary of PCI DSS v3.1
• Key requirements affected by PCI DSS v3.1 are:
– 2.2.3: Requires encryption for services and protocols
such as VPNs, FTP, Telnet and file sharing.
– 2.3: Requires encryption for non-console
administrative access.
– 4.1: Requires encryption and implementation of
security protocols to protect cardholder data during
transmission over open, public networks.
How to know if you're using SSL/early TLS?
• Contact your network vendor to determine what
version is being used.
• Conduct internal and external vulnerability scans
to identify any unsecured SSL-based
applications.
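An offline complement to the vendor enquiry and the vulnerability scans above, added here as an example and not part of the Stickman deck: it reads web-server configuration text, resolves the nginx `ssl_protocols` directive and the Apache `SSLProtocol` directive, and reports every enabled version that PCI DSS v3.1 treats as no longer strong (SSL 3.0, TLS 1.0, TLS 1.1). The component names and configuration snippets are constructed for the demonstration, and the expansion of Apache's `all` keyword to SSLv3 through TLSv1.3 is an assumption stated in the code.

```python
"""Flag SSL and early TLS in web-server TLS configuration (added example).

Parses the nginx 'ssl_protocols' list and the Apache 'SSLProtocol' +/- form
from configuration text and reports each enabled version that PCI DSS v3.1
no longer considers strong. Component names and snippets are constructed.
"""

# Versions that must not remain enabled (uppercased for case-insensitive matching).
WEAK_PROTOCOLS = {"SSLV2", "SSLV3", "TLSV1", "TLSV1.0", "TLSV1.1"}

# Assumption: Apache's 'all' keyword expands to every version from SSLv3 up.
APACHE_ALL = {"SSLV3", "TLSV1", "TLSV1.1", "TLSV1.2", "TLSV1.3"}


def apache_protocols(tokens):
    """Resolve an Apache SSLProtocol value such as ['all', '-SSLv3'] to the
    set of enabled versions: '+' and bare names add, '-' removes."""
    enabled = set()
    for tok in tokens:
        name = tok.lstrip("+-").upper()
        names = APACHE_ALL if name == "ALL" else {name}
        if tok.startswith("-"):
            enabled -= names
        else:
            enabled |= names
    return enabled


def enabled_protocols(config_text):
    """Collect the versions a configuration enables. Comment lines and
    trailing '# ...' comments are ignored, so a commented-out legacy
    directive is not reported as a finding."""
    enabled = set()
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";")
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        directive, value = parts[0].lower(), parts[1].split()
        if directive == "ssl_protocols":      # nginx: plain list of enabled versions
            enabled |= {tok.upper() for tok in value}
        elif directive == "sslprotocol":      # Apache: 'all' with +/- modifiers
            enabled |= apache_protocols(value)
    return enabled


def audit(inventory):
    """inventory maps a component name to its configuration text. Returns
    only the components with SSL/early TLS enabled, each with the sorted
    list of weak versions found: the list of things to reconfigure."""
    findings = {}
    for component, text in inventory.items():
        weak = sorted(enabled_protocols(text) & WEAK_PROTOCOLS)
        if weak:
            findings[component] = weak
    return findings


# Constructed sample: the same two components before and after reconfiguration.
SAMPLE_INVENTORY = {
    "checkout-web (nginx, before)": """
        server {
            listen 443 ssl;
            ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;   # legacy list
        }
    """,
    "checkout-web (nginx, after)": """
        server {
            listen 443 ssl;
            # ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;  (old line kept for reference)
            ssl_protocols TLSv1.2 TLSv1.3;
        }
    """,
    "admin-portal (Apache, before)": "SSLProtocol all -SSLv2\n",
    "admin-portal (Apache, after)": "SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1\n",
}

if __name__ == "__main__":
    for component, weak in audit(SAMPLE_INVENTORY).items():
        print(f"{component}: still enables {', '.join(weak)}")
```

Run against a real inventory, the findings list is the set of servers to reconfigure before the 30 June 2016 deadline; a clean run on the "after" snippets shows what the corrected directives look like. It only reads configuration files, so it finds what the servers are told to do, and a vulnerability scan remains the check of what they actually negotiate.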
What you should do if using SSL/early TLS
• Reconfigure and disable SSL 3.0 in your software by following
instructions from the vendor’s website or by getting help from online
forums and blogs.
• Upgrade by buying the latest software version from the vendor and
configure it for the latest version of TLS.
• Encrypt your data by using strong cryptography such as application
or field-level encryption before transmitting data over SSL/early
TLS.
• Set up an encrypted session such as IPsec tunnel, and send the
data over SSL through the encrypted tunnel.
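The "reconfigure and disable" step applied to an application's own TLS settings, added here as an example and not part of the Stickman deck. It uses Python's standard `ssl` module to build client and server contexts whose floor is TLS 1.2, so SSL 3.0, TLS 1.0 and TLS 1.1 can no longer be negotiated, and includes a check that reports whether a given context still allows early TLS. It assumes the application uses Python's `ssl` module; the certificate and key paths passed to `hardened_server_context()` are placeholders.

```python
"""TLS contexts that refuse SSL 3.0, TLS 1.0 and TLS 1.1 (added example).

Assumes an application built on Python's standard ssl module. The
certfile/keyfile arguments of hardened_server_context() are placeholders.
"""
import ssl

# Everything below TLS 1.2 is what PCI DSS v3.1 calls SSL/early TLS.
EARLY_TLS_CEILING = ssl.TLSVersion.TLSv1_2


def hardened_client_context(cafile=None):
    """Client side: verify the server certificate and hostname, and pin the
    floor to TLS 1.2 explicitly rather than relying on the interpreter's or
    OpenSSL's default, which varies between versions."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def hardened_server_context(certfile, keyfile):
    """Server side: same floor, plus the certificate chain the server presents."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile, keyfile)  # placeholder paths supplied by the caller
    return ctx


def allows_early_tls(ctx):
    """True when the context could still negotiate SSL 3.0, TLS 1.0 or TLS 1.1.
    A floor of TLS 1.2 or higher settles it; with a lower floor the early
    versions are blocked only if every one of them is switched off via the
    legacy OP_NO_* options, which older interpreters relied on."""
    if ctx.minimum_version >= EARLY_TLS_CEILING:
        return False
    blocked = ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
    return (ctx.options & blocked) != blocked


def describe(ctx):
    """Summary suitable for a migration-plan record of one component."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "allows_early_tls": allows_early_tls(ctx),
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
    }


if __name__ == "__main__":
    print(describe(hardened_client_context()))
```

Wrapping a socket with `hardened_client_context()` (`ctx.wrap_socket(sock, server_hostname=host)`) is then enough for the client side; the `describe()` output is the kind of evidence a migration plan records per component.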
Key implications for merchants
• Merchants cannot use SSL and early versions of TLS in
any new technology.
• SSL and TLS cannot be deployed as security controls for
cardholder data after 30 June 2016.
• Merchants with existing technology must implement a
risk mitigation and migration plan prior to 30 June 2016.
• POS terminals not exposed to vulnerabilities can be
used after 30 June 2016.
Key actions for small merchants
• Small merchants must also eliminate SSL/early TLS
from their cardholder data environment.
• Assess security of Point of Sale terminals for SSL
vulnerability.
• Identify areas (servers, computers, POS terminals)
where SSL/early TLS is implemented and upgrade or
reconfigure prior to 30 June 2016.
What should e-commerce websites do?
• Create a risk mitigation and migration plan.
• Before migration, reduce the number of servers
to avoid exposure to vulnerabilities.
Steps to migrate safely
1. Identify data flows and system components that support vulnerable protocols.
2. Identify the business or technical need to use the vulnerable protocol for each
data flow or system component.
3. Remove all such occurrences of vulnerable protocols which are not supported
by a business or a technical need.
4. Identify which technologies can replace the protocols and also develop
complete documentation of secure configurations that are planned for
implementation.
5. Document the migration plan that outlines steps and timeframes of each update.
6. Deploy risk-reduction controls to counter the known vulnerabilities until
all vulnerable protocols are permanently removed.
7. Follow the change control procedures to make sure that all updates are
authorised.
8. Update system configuration standards after the migration process is complete.
Our clients
The Payment Card Industry Landscape
PCI Lifecycle Action Plan (12-month cycle): Phase I Assess; Phase II Remediate; Phase III Certify; Phase IV Maintain.
P: 1800 785 626
E: ajay.unni@stickman.com.au
www.stickman.com.au
Level 11, Suite 2,
210 George Street,
Sydney NSW 2000
Thank you!