• Overview of changes and clarification
• Additional requirements for service providers
• Additional requirements for change control processes
• Multifactor authentication
• Penetration testing changes
• SSL/TLS changes and implications
• Timing of changes
4. What is PCI DSS?
Payment Card Industry Data Security Standard:
• Guidelines for securely processing, storing, or transmitting payment card account data
• Established by leading payment card issuers
• Maintained by the PCI Security Standards Council (PCI SSC)
5. PCI DSS Requirements
Control objectives, each with its requirements:
Build and maintain a secure network
• 1. Install and maintain a firewall configuration to protect cardholder data
• 2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect cardholder data
• 3. Protect stored cardholder data
• 4. Encrypt transmission of cardholder data across open, public networks
Maintain a vulnerability management program
• 5. Use and regularly update anti-virus software on all systems commonly affected by malware
• 6. Develop and maintain secure systems and applications
Implement strong access control measures
• 7. Restrict access to cardholder data by business need-to-know
• 8. Assign a unique ID to each person with computer access
• 9. Restrict physical access to cardholder data
Regularly monitor and test networks
• 10. Track and monitor all access to network resources and cardholder data
• 11. Regularly test security systems and processes
Maintain an information security policy
• 12. Maintain a policy that addresses information security
6. Important Dates for PCI DSS v3.2
• Final DSS 3.2 released: April 2016
• v3.2 can be used: May 1, 2016
• Sunset date for v3.1: Oct 31, 2016
• v3.2 must be used: Nov 1, 2016
• Controls marked as “New Requirements” become mandatory: Feb 1, 2018
8. Overview
SSL/early TLS
• Work towards remediation
• No new SSL/early TLS
• Service provider secure offering by June 30, 2016
• No SSL/early TLS after June 30, 2018
• Some exceptions for POS POI terminals
Display of PAN
• Permits display of PAN beyond first 6/last 4
• Justification and business need must exist
• Only the digits needed by the business need may be displayed
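The PAN display rule above (first 6/last 4 by default, more only with a documented business need) can be enforced in code rather than left to each screen. The following is an added example, not code from the presentation: it masks a PAN to the default, and shows more digits only when a `DisplayException` carrying a written justification is passed in. The `DisplayException` structure, the 13-19 digit length check and the sample PAN are this example's own assumptions; the sample number is a well-known test value, not a live card.

```python
"""Mask a PAN for display: first 6 / last 4 by default, more digits only
with a documented business need. Added example; not from the presentation."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample value (a widely used test number, not a live card).
SAMPLE_PAN = "4111 1111 1111 1111"


@dataclass(frozen=True)
class DisplayException:
    """A documented business need to show more than the default digits.
    Hypothetical structure: the standard only says a justification and
    business need must exist; how they are recorded is up to the entity."""
    justification: str
    first: int   # leading digits to show
    last: int    # trailing digits to show


def _digits(pan: str) -> str:
    """Strip separators and check the PAN length (13-19 digits, assumed range)."""
    d = re.sub(r"\D", "", pan)
    if not 13 <= len(d) <= 19:
        raise ValueError("PAN must contain 13 to 19 digits")
    return d


def mask_pan(pan: str, exception: Optional[DisplayException] = None) -> str:
    """Return the PAN with every digit outside the permitted window replaced by '*'.

    Without an exception the window is first 6 / last 4. With one, the
    window is whatever the exception documents, but it may never expose
    the whole PAN and must carry a non-empty justification."""
    d = _digits(pan)
    first, last = 6, 4  # default display limit
    if exception is not None:
        if not exception.justification.strip():
            raise ValueError("a display exception must carry a written justification")
        if exception.first < 0 or exception.last < 0:
            raise ValueError("digit counts must be non-negative")
        first, last = exception.first, exception.last
    if first + last >= len(d):
        raise ValueError("requested display would reveal the full PAN")
    hidden = len(d) - first - last
    return d[:first] + "*" * hidden + d[len(d) - last:]


if __name__ == "__main__":
    print(mask_pan(SAMPLE_PAN))
    print(mask_pan(SAMPLE_PAN, DisplayException("chargeback research, approved by CISO", 8, 4)))
    print(mask_pan(SAMPLE_PAN, DisplayException("call-centre identity check", 0, 4)))
```

Keeping the exception as an explicit object means the justification travels with the code path that shows extra digits, which is what an assessor asks to see; a screen that only needs the last four passes an exception narrowing the window, not widening it.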
9. Overview contd…
Multifactor Authentication
• All remote access must be multifactor
• All non-console admin access to the CDE must be multifactor, effective Jan 31, 2018
• Multifactor can be at the system or application layer
New Service Provider Requirements
• Maintain a documented description of the cryptographic architecture
• Detect and report on failures of critical security control systems
• Quarterly review to ensure personnel are following security procedures
• Perform a segmentation penetration test once every six months (effective Feb 2018)
• Executive management to establish responsibilities (effective Feb 2018)
11. Requirement 1 – Firewall Configuration
• Install personal firewall software or equivalent functionality on any portable computing devices (including company and/or employee-owned) that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the CDE.
12. Requirement 3 – Encryption
• 3.4.1 – If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed separately and independently of native operating system authentication and access control mechanisms.
Note: This requirement applies in addition to all other PCI DSS encryption and key-management requirements.
13. Requirement 3 – Encryption
3.5.1 Additional requirement for service providers only: Maintain a documented description of the cryptographic architecture that includes:
• Details of all algorithms, protocols, and keys used for the protection of cardholder data, including key strength and expiry date
• Description of the key usage for each key
• Inventory of any HSMs and other SCDs used for key management
Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement.
14. Requirement 6 – Secure Applications
• 6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.
• This requirement applies to applicable patches for all installed software, including payment applications (both those that are PA-DSS validated and those that are not).
15. Requirement 6 – Secure Applications
• 6.4.6 Upon completion of a significant change, all relevant PCI DSS requirements must be implemented on all new or changed systems and networks, and documentation updated as applicable.
Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement.
16. Requirement 8 – Access Control
• 8.3.1 Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.
Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement.
17. Requirement 10 – Logging and Monitoring
• 10.8 Additional requirement for service providers only: Implement a process for the timely detection and reporting of failures of critical security control systems, including but not limited to failure of:
  • Firewalls
  • IDS/IPS
  • FIM
  • Anti-virus
  • Physical access controls
  • Logical access controls
  • Audit logging mechanisms
  • Segmentation controls (if used)
Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement.
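Requirement 10.8 asks for a process that notices when one of the controls listed above stops working, not just when it raises an alert. A common way to do that is to have every critical control emit a periodic status heartbeat and to treat a "failed" status, a control that has gone silent, or a control that has never reported at all as a detection event. The block below is an added example, not code from the presentation: the heartbeat line format, the control names, the 15-minute silence window and the sample log lines are all constructed for illustration.

```python
"""Detect failures of critical security controls from status heartbeats
(PCI DSS 10.8). Added example; not from the presentation. Log format,
control names and the silence window are this example's assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# One name per control category listed in 10.8 (names are this example's own).
CRITICAL_CONTROLS = (
    "firewall", "ids_ips", "fim", "antivirus",
    "physical_access", "logical_access", "audit_logging", "segmentation",
)

# Constructed heartbeat lines: "<ISO-8601 UTC> <host> <control> status=<ok|failed>".
# logical_access never reports; ids_ips last reported 40 minutes before NOW;
# fim on app-1 reports an explicit failure.
SAMPLE_LOG = """\
2018-02-01T10:00:00Z fw-edge-1 firewall status=ok
2018-02-01T10:05:00Z fw-edge-1 firewall status=ok
2018-02-01T09:30:00Z ids-1 ids_ips status=ok
2018-02-01T10:02:00Z app-1 fim status=failed
2018-02-01T10:06:00Z app-1 antivirus status=ok
2018-02-01T10:07:00Z app-1 audit_logging status=ok
2018-02-01T10:08:00Z core-sw segmentation status=ok
2018-02-01T10:03:00Z badge-srv physical_access status=ok
"""
NOW = datetime(2018, 2, 1, 10, 10, tzinfo=timezone.utc)  # constructed evaluation time


@dataclass(frozen=True)
class Heartbeat:
    ts: datetime
    host: str
    control: str
    status: str


def parse_heartbeat(line: str) -> Heartbeat:
    """Parse one heartbeat line; raises ValueError on a malformed line."""
    ts, host, control, kv = line.split()
    key, _, status = kv.partition("=")
    if key != "status" or not status:
        raise ValueError(f"unexpected field in heartbeat line: {line!r}")
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Heartbeat(when, host, control, status)


def find_failures(lines, now: datetime,
                  max_silence: timedelta = timedelta(minutes=15)
                  ) -> List[Tuple[str, Optional[str], str]]:
    """Return (control, host, reason) for every control that has failed,
    gone silent for longer than max_silence, or never reported."""
    latest: Dict[Tuple[str, str], Heartbeat] = {}
    for line in lines:
        if not line.strip():
            continue
        hb = parse_heartbeat(line)
        key = (hb.control, hb.host)
        if key not in latest or hb.ts > latest[key].ts:
            latest[key] = hb  # keep only the most recent heartbeat per control/host

    failures: List[Tuple[str, Optional[str], str]] = []
    for (control, host), hb in sorted(latest.items()):
        if hb.status != "ok":
            failures.append((control, host, f"reported {hb.status} at {hb.ts.isoformat()}"))
        elif now - hb.ts > max_silence:
            minutes = int((now - hb.ts).total_seconds() // 60)
            failures.append((control, host, f"silent for {minutes} min"))

    reporting = {control for control, _ in latest}
    for control in CRITICAL_CONTROLS:
        if control not in reporting:
            failures.append((control, None, "no heartbeat ever received"))
    return failures


def sample_failures() -> List[Tuple[str, Optional[str], str]]:
    """Run the detector over the constructed sample log at the constructed NOW."""
    return find_failures(SAMPLE_LOG.splitlines(), NOW)


if __name__ == "__main__":
    for control, host, reason in sample_failures():
        print(f"FAIL {control:16s} {host or '-':12s} {reason}")
```

The "never reported" branch matters most in practice: a control that was decommissioned, or whose agent was never installed on a new system, produces no alerts at all, and only an inventory-driven check like this one will surface it. The timestamps of the detection and of the failure together give the evidence of timeliness that the requirement calls for.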
18. Requirement 11 – Security Testing
11.3.4.1 Additional requirement for service providers only: If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods.
Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement.
19. Requirement 12 – Policies and Procedures
12.4.1 Additional requirement for service providers only: Executive management shall establish responsibility for the protection of cardholder data and a PCI DSS compliance program to include:
• Overall accountability for maintaining PCI DSS compliance
• Defining a charter for a PCI DSS compliance program and communication to executive management
Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement.
20. Requirement 12 – Policies and Procedures
12.11 Additional requirement for service providers only: Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures. Reviews must cover the following processes:
• Daily log reviews
• Firewall rule-set reviews
• Applying configuration standards to new systems
• Responding to security alerts
• Change management processes
Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement.
21. Requirement 12 – Policies and Procedures
12.11.1 Additional requirement for service providers only: Maintain documentation of the quarterly review process to include:
• Documenting results of the reviews
• Review and sign-off of results by personnel assigned responsibility for the PCI DSS compliance program
Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement.
22. Appendix A2: Additional PCI DSS Requirements for Entities using SSL/early TLS
• New implementations must not use SSL or early TLS as a security control.
• All service providers must provide a secure service offering by June 30, 2016.
• After June 30, 2018, all entities must have stopped use of SSL/early TLS as a security control, and use only secure versions of the protocol (an allowance for certain POS POI terminals is described in the last bullet below).
• Prior to June 30, 2018, existing implementations that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place.
• POS POI terminals (and the SSL/TLS termination points to which they connect) that can be verified as not being susceptible to any known exploits for SSL and early TLS may continue using these as a security control after June 30, 2018.
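Two concrete places where the Appendix A2 deadlines turn into configuration are the minimum protocol version a server will negotiate and the protocol list in an existing web-server configuration. The block below is an added example, not code from the presentation or from any PCI SSC publication: it builds a Python `ssl` server context that refuses anything below TLS 1.2, and audits an nginx-style `ssl_protocols` directive, showing a weak line beside its corrected form. It treats TLS 1.1 as "early TLS" together with SSLv2, SSLv3 and TLS 1.0; that grouping is this example's conservative assumption, since the slides do not define the term.

```python
"""Enforce and audit TLS protocol versions for an SSL/early TLS migration
(PCI DSS v3.2 Appendix A2). Added example; not from the presentation.
Treating TLS 1.1 as "early TLS" is this example's own assumption."""
import ssl
from typing import Dict, List

EARLY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}   # must not be used as a security control
ACCEPTED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}                # "secure versions of the protocol"

# Constructed nginx-style directives: the weak setting and its corrected form.
WEAK_DIRECTIVE = "ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;"
FIXED_DIRECTIVE = "ssl_protocols TLSv1.2 TLSv1.3;"


def pci_server_context() -> ssl.SSLContext:
    """Server-side SSLContext that will not negotiate below TLS 1.2.

    create_default_context() already disables SSLv2/SSLv3; setting
    minimum_version additionally rules out TLS 1.0 and 1.1."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def is_acceptable_version(negotiated: str) -> bool:
    """Check a negotiated version string as returned by SSLSocket.version()."""
    return negotiated in ACCEPTED_PROTOCOLS


def audit_ssl_protocols(directive: str) -> Dict[str, object]:
    """Audit one 'ssl_protocols ...;' line and report any early protocols it enables."""
    tokens = directive.strip().rstrip(";").split()
    if len(tokens) < 2 or tokens[0] != "ssl_protocols":
        raise ValueError("expected an 'ssl_protocols <versions...>;' directive")
    enabled: List[str] = tokens[1:]
    unknown = [p for p in enabled if p not in EARLY_PROTOCOLS | ACCEPTED_PROTOCOLS]
    if unknown:
        raise ValueError(f"unrecognised protocol token(s): {unknown}")
    prohibited = [p for p in enabled if p in EARLY_PROTOCOLS]
    return {"enabled": enabled, "prohibited": prohibited, "compliant": not prohibited}


if __name__ == "__main__":
    for name, directive in (("weak", WEAK_DIRECTIVE), ("fixed", FIXED_DIRECTIVE)):
        print(name, audit_ssl_protocols(directive))
    print("server minimum version:", pci_server_context().minimum_version.name)
```

The audit function is deliberately strict about unknown tokens: a typo such as `TLSv1.2;` without the closing semicolon stripped, or a protocol name the checker does not know, should fail the review rather than silently pass as "no early protocol found".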
23. Appendix A3: Designated Entities Supplemental Validation (DESV)
This Appendix applies only to entities designated by a payment brand(s) or acquirer as requiring additional validation of existing PCI DSS requirements. Examples of entities that this Appendix could apply to include:
• Those storing, processing, and/or transmitting large volumes of cardholder data,
• Those providing aggregation points for cardholder data, or
• Those that have suffered significant or repeated breaches of cardholder data.
Note: An entity is required to undergo an assessment according to this Appendix ONLY if instructed to do so by an acquirer or a payment brand.