PCI 3.0: What You Need to Know
Carlos Alberto Villalba Franco
Director of Security Services
carlos.villalba@TerraVerdeServices.com
877-707-7997 (x 21)
Scottsdale, Arizona
Agenda
• Part I – PCI overview
• Part II – What’s new in PCI DSS 3.0
• Part III – Q&A
A Primer on PCI DSS
The Payment Card Industry (PCI)
• American Express, Discover, JCB, MasterCard, and Visa created the Security Standards Council (SSC).
• The PCI SSC has created a number of security and certification standards for:
• Merchants
• Financial Institutions
• Hardware/Software vendors
• Service Professionals
Data Security Standard (DSS)
• The PCI Data Security Standard (PCI DSS) is in its second version.
• The third version was made available in November 2013.
• It applies to any entity that stores, uses, processes, or transmits cardholder data (CHD).
• Entities that process or store many credit card transactions each year (e.g. over 6 million) must undergo an annual audit by a Qualified Security Assessor (QSA).
• Twelve requirements.
The 12 domains of PCI DSS 2.0
What’s New in 3.0
Important dates
Timeline phases: Release, Ready, Transition, Retirement.
• PCI DSS 3.0 released in November 2013.
• 2014 is a transition year; PCI DSS 2.0 remains valid in 2014.
• Effective on January 1.
• PCI DSS 3.0 to be retired December 31, 2017.
Version 3
Beginning with version 2, the PCI Council established a three-year cycle for new versions.
What did they want to fix?
• Divergent interpretations of the standard
• Weak or default passwords
• Slow detection of compromise
• Security problems introduced by 3rd parties and various areas
• Inconsistency in assessments
Highlights
• Descriptions of tests are more precise
• More rigor in determining the scope of the assessment
• More guidance on log reviews
• Some sub-requirements added
• The twelve domains remain
• More rigorous penetration testing
Eschew Ambiguity
There is too much variance in interpretation among QSAs, so clients get different interpretations. The PCI Council’s Quality Control sees too much variance in the Reports on Compliance (ROC).
The goal is to remove ambiguities in the specification that result in inconsistent interpretations of a requirement.
The challenge is to improve the clarity of the requirement and the specificity of the tests without being so prescriptive that it excludes methods and technology that also meet the goal of the requirement.
There is a natural tension between stating a requirement precisely enough to prevent divergent interpretations and having the language loose enough to allow that requirement to be satisfied by a variety of methods and technology.
Guidance for each requirement
A Penetration Test Methodology
• Based on industry-accepted approaches, e.g. NIST SP 800-115
• A new clause, 11.3
• Test the entire perimeter of the CDE and all critical systems
• Validate all scope-reduction controls (segmentation)
• Test from inside and from outside the network
• Test network-function components and OSs
• As a minimum, perform application tests for the vulnerabilities listed in Requirement 6.5
Updated Vulnerabilities
• Programmers of internally developed and bespoke applications must be trained to avoid known vulnerabilities
• The list was expanded to include new requirements for:
• coding practices to protect against broken authentication and session management
• coding practices to document how PAN and SAD are handled in memory
• Combating memory scraping is a good idea for PA-DSS
• This was a bit contentious for PCI DSS
Authentication
• Requirement text recognizes methods other than passwords/passphrases, e.g. certificates
• Authentication credentials
• Minimum password length is still 7 characters
• “Alternatively, the passwords/phrases must have complexity and strength at least equivalent to the parameters specified above.”
• A service provider must use a different password for each of its clients.
• Educate users
Default Passwords
• Default passwords
• Change those being used
• Change and disable those not being used
• Change all the default passwords including
• systems
• applications
• security software
• terminals
Quicker detection of compromise
Deploy a change-detection mechanism to alert personnel to unauthorized modification of critical system files, configuration files, or content files.
• Configure the software to perform critical file comparisons at least weekly.
New requirement 11.5.1 mandates the implementation of a process to respond to any alerts generated by that mechanism.
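An added example, not from the deck or from TerraVerde, of the change-detection mechanism this slide describes: it baselines critical files by SHA-256 digest, size and permission bits, raises one alert for every modified, removed or added file, flags when the weekly comparison is overdue, and routes each alert into a ticket record so that the 11.5.1 response process has something concrete to act on. The file names in run_demo and the list standing in for a ticketing system are constructed for the demo.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path

WEEK_SECONDS = 7 * 24 * 3600  # 11.5: compare critical files at least weekly


def file_digest(path):
    """SHA-256 of the file contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(paths):
    """Record digest, size and permission bits of every monitored file that exists."""
    snap = {}
    for p in map(Path, paths):
        if p.is_file():
            st = p.stat()
            snap[str(p)] = {"sha256": file_digest(p), "size": st.st_size,
                            "mode": oct(st.st_mode & 0o7777)}
    return snap


def compare(baseline, current):
    """One alert per removed, added or modified file. Added files matter too:
    unexpected new content in a monitored path is a change worth a look."""
    alerts = []
    for path, old in baseline.items():
        new = current.get(path)
        if new is None:
            alerts.append({"path": path, "change": "removed"})
        elif new != old:
            fields = sorted(k for k in old if old[k] != new[k])
            alerts.append({"path": path, "change": "modified", "fields": fields})
    for path in current:
        if path not in baseline:
            alerts.append({"path": path, "change": "added"})
    return alerts


def comparison_overdue(last_run_ts, now=None):
    """True when the last comparison is older than the weekly minimum, or never ran."""
    now = time.time() if now is None else now
    return last_run_ts is None or now - last_run_ts > WEEK_SECONDS


def open_tickets(alerts, ticket_sink):
    """11.5.1: every alert enters a documented response process. Here each alert
    becomes a ticket record in ticket_sink, a list standing in for a ticketing system."""
    for a in alerts:
        ticket_sink.append({"opened": time.time(), "status": "open", **a})
    return len(ticket_sink)


def run_demo():
    """Constructed scenario: two config files are baselined, then one is edited,
    one deleted and a new file appears. Returns the changes seen and the tickets."""
    d = tempfile.mkdtemp()
    a, b, c = (os.path.join(d, n) for n in ("app.conf", "db.conf", "unexpected.bin"))
    Path(a).write_text("debug=false\n")
    Path(b).write_text("host=db1\n")
    baseline = snapshot([a, b, c])
    Path(a).write_text("debug=true\n")  # unauthorized configuration change
    os.remove(b)                         # critical file removed
    Path(c).write_bytes(b"\x00\x01")     # unexpected new file in a monitored location
    alerts = compare(baseline, snapshot([a, b, c]))
    tickets = []
    open_tickets(alerts, tickets)
    return {os.path.basename(x["path"]): x["change"] for x in alerts}, tickets
```

In production the baseline would be stored off-host and signed, and the "ticket" would go to whoever owns the 11.5.1 response procedure.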
Manage Service Providers
• New requirement 12.8.5 mandates documentation of which DSS requirements are managed by the 3rd party.
• New requirement 12.9 mandates that 3rd parties acknowledge in writing that they will comply with the DSS to protect CHD entrusted to them or, if managing some aspect of the CDE, state that they will comply with the DSS in performing that management.
Et cetera
• Must have a data flow diagram.
• Maintain inventory of all systems in scope.
• Monitor new threats to systems not normally
susceptible to malware.
• Control onsite staff’s access to sensitive areas.
• Establish incident response procedures to handle
detection of unauthorized wireless.
• Separate security functions from operations.
More acronyms
• BTW VCD END
• By the way “Vayan con Dios” the end.
?
Carlos A. Villalba
Director of Security Services
carlos.villalba@TerraVerdeServices.com
877-707-7997 (x 21)
Editor’s notes
1. Descriptions of tests are more precise: the language of the requirement and the test was aligned, and what to do to verify compliance was clarified.