PCI DSS 3.0 Overview and Key Updates
Educate your organization on the practical impacts of performing a PCI assessment under the new standard.

This SlideShare will focus on the following learning objectives:
• Provide an overview of PCI v3.0
• Discuss the background and the drivers
• Identify the immediate updates
• Discuss the updates for 2015

Published in: Technology

1. CONTENTS
   Overview ……… 3
   Background & Drivers ……… 7
   PCI DSS 3.0 Updates ……… 22
   3.0 Updates Effective July 1, 2015 ……… 26
   Summary ……… 30

2. OVERVIEW

3. OVERVIEW: Payment Card Industry Data Security Standards (PCI DSS)
   A set of requirements designed to ensure that all companies that store, process or transmit credit card information maintain a secure environment.

4. OVERVIEW: Payment Card Industry Security Standards Council (PCI SSC)
   An independent body created by the major payment card brands in 2006 to administer and manage the ongoing evolution of the PCI DSS.

5. OVERVIEW: History of PCI DSS Revisions
   2004: Version 1.0
   2006: Version 1.1
   2008: Version 1.2
   2009: Version 1.2.1
   2010: Version 2.0
   2013: Version 3.0

6. BACKGROUND & DRIVERS

7-11. Several standards introduced new versions for 2014, including:
   – SOC 2 (Trust Services Principles)
   – ISO 27001 (2013)
   – FedRAMP - NIST 800-53 Rev 4
   – CSA STAR
   – PCI DSS 3.0

12-16. WHY UPDATE TO 3.0?
   – The PCI Security Standards Council’s (“SSC”) three year update schedule
   – Consistency in assessments
   – Streamline certain requirements
   – Align with technology trends
   – Cooperate with “business as usual”

17. WHEN TO UPDATE?
   January 1, 2014: PCI DSS 3.0 is effective (merchant or service provider’s choice)

18. WHEN TO UPDATE?
   January 1, 2015: required for all assessments

19. WHEN TO UPDATE?
   BrightLine recommends 3.0 for any merchant or service provider preparing for the first time

20. WHEN TO UPDATE?
   BrightLine recommends use of 3.0 for clients performing assessments after August

21. PCI DSS 3.0 UPDATES

22. ADDITIONAL DOCUMENTATION REQUIREMENTS
   • Breadth and depth of requirements
   • Systems inventory
   • Dataflow diagrams
   • Detailed access needs for each role
   • Service provider due diligence

23. TECHNICAL UPDATES
   • Antivirus definition
   • Additional application security vectors
     – e.g. memory scraping
   • Additional validation testing required for:
     – Access control and authentication
   • More flexibility for ‘daily’ log monitoring

24. SELF ASSESSMENT QUESTIONNAIRE & E-COMMERCE IMPLICATIONS
   • SAQ A vs. SAQ A-EP
     – SAQ A: 14 questions
     – SAQ A-EP: ~150 questions
   • Of note: a properly formed iFrame can use SAQ A
   • All e-commerce providers have to meet all applicable requirements regardless of SAQ form

25. 3.0 UPDATES EFFECTIVE JULY 1, 2015

26. ACCESS CONTROL & TECHNICAL
   • In a shared hosting environment, unique authentication credentials for each environment
   • Physical protection of payment devices
   • Web application vulnerability testing for broken authentication and session management

27. PENETRATION TESTING
   Pen Testing Special Interest Group (SIG) to release an Information Supplement by the end of 2014
   • Implement a methodology
   • Emphasis on external AND internal network and application testing
   • Validate segmentation and scope-reduction controls

28. SERVICE PROVIDER MANAGEMENT
   • Acknowledgement of responsibility from service providers
   • Define which requirements are managed by service providers and which are managed by the entity

29. SUMMARY

30-32. In summary, the PCI DSS is:
   – MATURING
   – FACILITATING CONSISTENCY
   – INSISTING ON CONTINUOUS COMPLIANCE

33. THANK YOU!
   www.brightline.com/PCI