PCI 3.0 Revealed - What You Need to Know Today

1. PCI-DSS v3.0:
What You Need to Know Today
Barry Shteiman – Director of Security Strategy
© 2013 Imperva, Inc. All rights reserved.
Confidential
2. Agenda
§ PCI-DSS Themes and Drivers
§ Dates and Deadlines
§ New Requirements
§ Web App Compliance
3. Today’s Speaker - Barry Shteiman
§ Director of Security Strategy
§ Security Researcher working
with the CTO office
§ Author of several application
security tools, including HULK
§ Open source security projects
code contributor
§ CISSP
§ Twitter @bshteiman
5. PCI-DSS
Payment Card Industry (PCI) Data Security Standard (DSS)
§ Industry driven
• From conception to enforcement
§ Evolving
• 4th version over 7 years
• Rate of releases has slowed – 3 years since v2.0 release
§ Concise and Pragmatic
• Does not avoid naming technologies
• Calls out threats by name
• Very specific about data scope
6. PCI-DSS Evolution
§ PCI 1.0 (December 2004)
• 12 major sections
§ PCI 1.1 (September 2006)
• App security, compensating controls
§ PCI 1.2 (October 2008)
• Risk based approach, emphasis on wireless
§ PCI 2.0 (October 2010)
• Definition of scope, clarifications
§ PCI 3.0 (November 2013)
• Consistency for assessors, risk based approach, flexibility
7. PCI-DSS 3.0 Key Drivers
§ Lack of education and awareness
§ Weak passwords, authentication
§ Third-party security challenges
§ Slow self-detection, malware
§ Inconsistency in assessments
8. General Themes
§ Penetration testing gets real
• More explicitly-defined penetration test guidelines
§ Skimmers, skimmers and more skimmers
• New requirement to maintain list of POS devices,
periodically inspect devices and train personnel
• Inclusion of POS devices in other sections
§ Service provider accountability
§ PCI requirement clarifications and details
9. Why Protect Point-of-Sale Devices?
Physical data theft incidents from the 2013 Verizon Data
Breach Investigations Report (DBIR)
Source: http://www.verizonenterprise.com/DBIR/
10. Service Providers Accountability
Third-party awareness at the compliance level
Source: http://www.bankinfosecurity.com/bofa-confirms-third-party-breach-a-5582
11. PCI DSS 3.0 Dates and Deadlines
§ Publication Date: November 7, 2013
§ Effective Date: January 1, 2014
• Version 2.0 will remain active until December 31, 2014
§ Deadline for New Requirements: June 30, 2015
13. New Req. 6.5.6
Insecure handling of cardholder data (PAN) and
sensitive authentication data (SAD) in memory.
Compliance:
• Document how PAN/SAD is handled in memory
to minimize exposure (what holds it, for how
long, and how it is cleared)
Note: this item comes from the pre-release change highlights for v3.0. In the
published November 2013 text, 6.5.6 covers "high-risk" vulnerabilities identified
under Requirement 6.1, and the memory-handling item is not carried as a numbered
requirement.
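The pattern the compliance bullet asks you to document, as an added example (not code from the deck or from Imperva): the PAN and CVV arrive in mutable buffers the application owns, the only storable values (masked PAN, first six digits, a keyed hash for matching) are derived, and both buffers are overwritten before the function returns, whether validation passed or not. The record, function and key names are this example's own assumptions.

```python
"""Minimising PAN/SAD exposure in memory (added example; not from the deck)."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class CardRecord:
    masked_pan: str  # first six and last four digits only, the rest masked
    bin6: str        # issuer identification number, safe to keep
    pan_hmac: str    # keyed SHA-256; lets records be matched without a PAN


def luhn_ok(digits: bytearray) -> bool:
    """Luhn checksum over ASCII digits, read in place (no str copy of the PAN)."""
    total = 0
    parity = len(digits) % 2
    for i, ch in enumerate(digits):
        d = ch - 0x30
        if i % 2 == parity:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def wipe(buf: bytearray) -> None:
    """Zero a buffer in place. This works because bytearray is mutable; a str
    or bytes object holding the PAN could not be cleared, which is why the
    full PAN is never converted to one in this module."""
    buf[:] = bytes(len(buf))


def process_card(pan: bytearray, cvv: bytearray, hmac_key: bytes) -> CardRecord:
    """Consume the PAN and CVV buffers and return only storable data."""
    try:
        if not (13 <= len(pan) <= 19) or not pan.isdigit() or not luhn_ok(pan):
            raise ValueError("invalid PAN")
        if not (3 <= len(cvv) <= 4) or not cvv.isdigit():
            raise ValueError("invalid CVV")
        # The CVV would go only into the authorisation request (out of scope
        # here); it is validated and discarded, never written to the record.
        bin6 = pan[:6].decode("ascii")
        last4 = pan[-4:].decode("ascii")
        digest = hmac.new(hmac_key, pan, hashlib.sha256).hexdigest()  # bytearray accepted
        masked = bin6 + "*" * (len(pan) - 10) + last4
        return CardRecord(masked_pan=masked, bin6=bin6, pan_hmac=digest)
    finally:
        # Runs on success and on rejection alike: the caller's buffers are
        # zeroed as soon as this function is done with them.
        wipe(pan)
        wipe(cvv)


if __name__ == "__main__":
    # Constructed input: the well-known Luhn-valid 4111... test number, not real data.
    pan_buf = bytearray(b"4111111111111111")
    cvv_buf = bytearray(b"123")
    rec = process_card(pan_buf, cvv_buf, b"example-hmac-key")
    print(rec.masked_pan, bytes(pan_buf), bytes(cvv_buf))
```

The wipe only covers buffers this code owns. Whatever handed the data over (the HTTP parser, a JSON decoder, a logging call) may still hold immutable copies, and listing those holders and how long they live is exactly the documentation the bullet asks for.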
14. New Req. 6.5.11
Broken authentication & session management.
Compliance:
• Flag session tokens (HttpOnly, Secure)
• Don't expose session ID in URL
• Implement time-outs
• Prevent User ID manipulation
Note: 6.5.11 is the pre-release numbering; in the published v3.0 text this
item is Requirement 6.5.10.
15. New Req. 8.5.1
Service providers with access to customer
environments must use a unique authentication
credential for each customer
Compliance:
• Authentication policies and
procedures to mandate different
authentication is used to access
each customer environment
** Only mandated for service providers
16. New Req. 9.9
Protect POS devices that capture payment card
data from tampering
Compliance:
• Maintain a list of POS devices
• Periodical inspection for
tampering/substitution
• Training for awareness
Note: PCI-DSS now addresses skimmers.
17. New Req. 11.3
Develop penetration testing methodology based
on industry guidelines like NIST
Compliance:
• Implement a penetration testing
approach based on an industry
standard (like NIST SP800-115)
• Define pen-test for all layers
• Specify retention of test results and
remediation activities
18. New Req. 12.9
Service providers must document in writing they
will adhere to PCI DSS standards
Compliance:
• Acknowledge in writing to
customers that service provider
will maintain PCI DSS in full on
behalf of the customer
** Only mandated for service providers
21. [6.5.11] Broken Auth. & Session Mgmt.
Authentication/Session attacks
• Cookie Tampering
• Cookie Poisoning
• Session Hijacking
• Session Reuse
• Parameter Tampering
• SSL Reuse
• Brute Force
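One server-side session design that covers the four compliance bullets on slide 14 and the attack list above (hijacking, reuse, cookie and parameter tampering, brute force), as an added example that is not code from the deck or from Imperva. The timeout and lockout values are annotated with the PCI DSS 3.0 requirement they come from where one exists; the class, method and cookie names and the client-fingerprint idea are this example's assumptions.

```python
"""Session handling for the 6.5.11 controls (added example; not from the deck)."""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60        # PCI DSS 8.1.8: re-authenticate after 15 min idle
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on session lifetime (assumed value)
MAX_FAILED_LOGINS = 6         # PCI DSS 8.1.6: lock after at most six attempts
LOCKOUT_SECONDS = 30 * 60     # PCI DSS 8.1.7: lockout lasts at least 30 minutes
COOKIE_NAME = "SESSIONID"     # assumed cookie name


@dataclass
class Session:
    user_id: str      # bound by the server at login; never taken from the client
    created: float
    last_seen: float
    client_fp: str    # e.g. a hash of User-Agent and similar request traits:
                      # a cheap replay signal, not proof of identity


class SessionStore:
    def __init__(self, clock=time.time) -> None:
        self._clock = clock  # injectable so timeouts can be exercised in tests
        self._sessions: dict[str, Session] = {}
        self._failures: dict[str, tuple[int, float]] = {}  # user -> (count, locked_until)

    @staticmethod
    def cookie_attrs() -> dict:
        """'Flag session tokens': unreadable by script, never sent in clear,
        never attached to cross-site requests."""
        return {"HttpOnly": True, "Secure": True, "SameSite": "Strict", "Path": "/"}

    def login(self, user, password, client_fp, check_password):
        """Return (session_id, cookie attributes) or None. Counts failures so
        one account cannot be brute-forced online."""
        now = self._clock()
        count, locked_until = self._failures.get(user, (0, 0.0))
        if now < locked_until:
            return None  # locked: same answer as a bad password, no oracle
        if not check_password(user, password):
            count += 1
            if count >= MAX_FAILED_LOGINS:
                self._failures[user] = (0, now + LOCKOUT_SECONDS)
            else:
                self._failures[user] = (count, 0.0)
            return None
        self._failures.pop(user, None)
        sid = secrets.token_urlsafe(32)  # 256 random bits, fresh on every login
        self._sessions[sid] = Session(user, now, now, client_fp)
        return sid, self.cookie_attrs()

    def resolve(self, sid, client_fp) -> str | None:
        """Map a presented session ID to the user the server bound at login.
        A user ID arriving in a cookie, form field or query string is never
        consulted, which is what 'prevent User ID manipulation' comes down to."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]
            return None
        if s.client_fp != client_fp:
            del self._sessions[sid]  # token replayed from another client: revoke it
            return None
        s.last_seen = now
        return s.user_id

    def rotate(self, sid) -> str | None:
        """Swap in a fresh ID after a privilege change so an ID captured or
        fixed earlier cannot be reused for the elevated session."""
        s = self._sessions.pop(sid, None)
        if s is None:
            return None
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = s
        return new_sid

    def logout(self, sid) -> None:
        self._sessions.pop(sid, None)


def session_id_from_request(cookies: dict, query: dict) -> str | None:
    """Accept the session ID from the cookie only. An ID in the URL would end
    up in Referer headers, proxy logs and browser history, so it is ignored
    even when present (the query argument is deliberately unused)."""
    return cookies.get(COOKIE_NAME)
```

The fingerprint check is a trade-off: it turns a replayed cookie from a different client into a revoked session rather than a hijack, at the cost of logging out users whose browser traits change mid-session, so it belongs alongside, not instead of, short idle timeouts and TLS-only cookies.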
22. [11.3] Pen Testing and Remediation
Source: http://www.imperva.com/docs/SB_Imperva_WhiteHat.pdf
23. PCI-DSS Carry-ons
Req 6.6: Protect public-facing Web applications
Req 10: Audit all access to cardholder data
Req 7: Limit access to systems and data on a business need to know
Req 8.5: Identify and disable dormant user accounts and access rights
Req 11.5: Alert personnel to unauthorized modification of files
Source: http://www.imperva.com/PCI/
27. Third-Party Breaches
Imperva’s January 2013 HII and Imperva’s CMS Hacking Webinar
http://www.imperva.com/resources/overview.html