PCI 3.0 Revealed - What You Need to Know Today

PCI-DSS v3.0:
What You Need to Know Today
Barry Shteiman – Director of Security Strategy

1

© 2013 Imperva, Inc. All rights reserved.

Confidential

Agenda

§  PCI-DSS Themes and Drivers
§  Dates and Deadlines
§  New Requirements
§  Web App Compliance

2


Confidential

Today’s Speaker - Barry Shteiman

§  Director of Security Strategy
§  Security Researcher working
with the CTO office
§  Author of several application
security tools, including HULK
§  Open source security projects
code contributor
§  CISSP
§  Twitter @bshteiman

3


Confidential

Introducing PCI-DSS 3.0

4


Confidential

PCI-DSS
Payment Card Industry (PCI) Data Security Standard (DSS)

§  Industry driven
•  From conception to enforcement

§  Evolving
•  4th version over 7 years
•  Rate of releases has slowed – 3 years since v2.0 release

§  Concise and Pragmatic
•  Does not avoid naming technologies
•  Calls out threats by name
•  Very specific about data scope

5


Confidential

PCI-DSS Evolution
§  PCI 1.2
§  PCI 1.0
•  December 2004
12 major sections

•  October 2010
•  Definition of scope,
clarifications

•  September 2006
•  App security,
compensating
controls

6

2006

•  November 2013
•  Consistency for
assessors, risk based
approach, flexibility

§  PCI 2.0

§  PCI 1.1

2005

§  PCI 3.0

•  October 2008
•  Risk based approach,
emphasis on wireless

2007


2008

2009

Confidential

2010

2011

2012

2013

PCI-DSS 3.0 Key Drivers

§  Lack of education and awareness
§  Weak passwords, authentication
§  Third-party security challenges
§  Slow self-detection, malware
§  Inconsistency in assessments

7


Confidential

General Themes
§  Penetration testing gets real
•  More explicitly-defined penetration test guidelines

§  Skimmers, skimmers and more skimmers
•  New requirement to maintain list of POS devices,
periodically inspect devices and train personnel
•  Inclusion of POS devices in other sections

§  Service provider accountability
§  PCI requirement clarifications and details

8


Confidential

Why Protect Point-of-Sale Devices?
Physical data theft incidents from 2013 Verizon Data
Breach Incident Report

Source: http://www.verizonenterprise.com/DBIR/
9


Confidential

Service Providers Accountability
Third-party awareness at the compliance level

Source: http://www.bankinfosecurity.com/bofa-confirms-third-party-breach-a-5582
10


Confidential

PCI DSS 3.0 Dates and Deadlines
§  Publication Date: November 7, 2013
§  Effective Date: January 1, 2014
•  Version 2.0 will remain active until December 31, 2014

§  Deadline for New Requirements: June 30, 2015

11


Confidential

What’s New?
New Requirements Added in PCI-DSS 3.0

12


Confidential

New Req. 6.5.6
Insecure handling of credit card and
authentication data in memory.
Compliance:
•  document how PAN/SAD
is handled in memory to
minimize exposure

13


Confidential

New Req. 6.5.11
Broken authentication & session management.

Compliance:
• 
• 
• 
• 

14

Flag session tokens
Don’t expose session ID in URL
Implement time-outs
Prevent User ID manipulation


Confidential

New Req. 8.5.1
Service providers with access to customer
environments must use a unique authentication
credential for each customer
Compliance:
•  Authentication policies and
procedures to mandate different
authentication is used to access
each customer environment
** Only mandated for service providers

15


Confidential

New Req. 9.9
Protect POS devices that capture payment card
data from tampering
Compliance:
•  Maintain a list of POS devices
•  Periodical inspection for
tampering/substitution
•  Training for awareness

Note: PCI-DSS now addresses skimmers.
16


Confidential

New Req. 11.3
Develop penetration testing methodology based
on industry guidelines like NIST
Compliance:
•  Implement a penetration testing
approach based on an industry
standard (like NIST SP800-115)
•  Define pen-test for all layers
•  Specify retention and
remediation activity

17


Confidential

New Req. 12.9
Service providers must document in writing they
will adhere to PCI DSS standards
Compliance:
•  Acknowledge in writing to
customers that service provider
will maintain PCI DSS in full on
behalf of the customer

** Only mandated for service providers

18


Confidential

Web Application Compliance
Using a WAF to Close the Compliance Gap

19


Confidential

Web Application Relevant Requirements

20


Confidential

[6.5.11] Broken Auth. & Session Mgmt.

Authentication/Session attacks
• 
• 
• 
• 
• 
• 
• 

21


Cookie Tampering
Cookie Poisoning
Session Hijacking
Session Reuse
Parameter Tampering
SSL Reuse
Brute Force

Confidential

[11.3] Pen Testing and Remediation

Source: http://www.imperva.com/docs/SB_Imperva_WhiteHat.pdf
22


Confidential

PCI-DSS Carry-ons

Req 6.6: Protect public-facing Web applications
Req 10: Audit all access to cardholder data
Req 7: Limit access to systems and data on a business need to know
Req 8.5: Identify and disable dormant user accounts and access rights
Req 11.5: Alert personnel to unauthorized modification of files
Source: http://www.imperva.com/PCI/
23


Confidential

Learn More

24


Confidential

PCI

PCI-DSS Council
http://www.pcisecuritystandards.org

Imperva’s PCI Resource Center
http://www.imperva.com/PCI/

25


Confidential

Skimmers

KrebsOnSecurity
http://krebsonsecurity.com/category/all-about-skimmers/

26


Confidential

Third-Party Breaches
Imperva’s January 2013 HII and Imperva’s CMS Hacking Webinar
http://www.imperva.com/resources/overview.html

27


Confidential

www.imperva.com

28


Confidential

PCI 3.0 Revealed - What You Need to Know Today

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a PCI 3.0 Revealed - What You Need to Know Today

Similar a PCI 3.0 Revealed - What You Need to Know Today (20)

Más de Imperva

Más de Imperva (20)

Último

Último (20)

PCI 3.0 Revealed - What You Need to Know Today