Se ha denunciado esta presentación.
Utilizamos tu perfil de LinkedIn y tus datos de actividad para personalizar los anuncios y mostrarte publicidad más relevante. Puedes cambiar tus preferencias de publicidad en cualquier momento.
Overview……………………………….……3 Background & Drivers……………….……7 PCI DSS 3.0 Updates…………………...…22 3.0 Updates Effective July 1, 201...
OVERVIEW
Payment Card Industry Data Security Standards (PCI DSS) A set of requirements designed to ensure that all companies that s...
Payment Card Industry Security Standards Council (PCI SSC) An independent body created by the major payment card brands in...
History of PCI DSS Revisions OVERVIEW 2004 Version 1.0 2006 Version 1.1 2008 Version 1.2 2010 Version 2.0 2009 Version 1.2...
BACKGROUND & DRIVERS
Several standards introduced new versions for 2014 including: – SOC 2 (Trust Services Principles)
Several standards introduced new versions for 2014 including: – SOC 2 (Trust Services Principles) – ISO 27001 (2013)
Several standards introduced new versions for 2014 including: – SOC 2 (Trust Services Principles) – ISO 27001 (2013) – Fed...
Several standards introduced new versions for 2014 including: – SOC 2 (Trust Services Principles) – ISO 27001 (2013) – Fed...
Several standards introduced new versions for 2014 including: – SOC 2 (Trust Services Principles) – ISO 27001 (2013) – Fed...
WHY UPDATE TO 3.0? The PCI Security Standards Council’s (“SSC”) three year update schedule
WHY UPDATE TO 3.0? The PCI Security Standards Council’s (“SSC”) three year update schedule Consistency in assessments
WHY UPDATE TO 3.0? The PCI Security Standards Council’s (“SSC”) three year update schedule Consistency in assessments Stre...
WHY UPDATE TO 3.0? The PCI Security Standards Council’s (“SSC”) three year update schedule Consistency in assessments Stre...
WHY UPDATE TO 3.0? The PCI Security Standards Council’s (“SSC”) three year update schedule Consistency in assessments Stre...
January 1, 2014 PCI DSS 3.0 is effective (Merchant or service provider’s choice) WHEN TO UPDATE?
January 1, 2015 (Required for all assessments) WHEN TO UPDATE?
BrightLine recommends for any merchant or service provider preparing for the first time WHEN TO UPDATE?
BrightLine recommends use of 3.0 for clients performing assessments after August WHEN TO UPDATE?
PCI DSS 3.0 UPDATES
• Breadth and depth of requirements • Systems inventory • Dataflow diagrams • Detailed access needs for each role • Servic...
• Antivirus definition • Additional application security vectors – e.g. memory scraping • Additional validation testing re...
• SAQ A vs. SAQ A-EP – SAQ A: 14 questions – SAQ A-EP: ~ 150 questions • Of note - a properly formed iFrame can use SAQ-A ...
3.0 UPDATES EFFECTIVE JULY 1, 2015
• In a shared hosting environment, unique authentication credentials to each environment • Physical protection of payment ...
Pen Testing Special Interest Group (SIG) to release an Information Supplement by the end of 2014 PENETRATION TESTING • Imp...
• Acknowledgement of responsibility from service providers • Define which requirements are managed by service providers an...
SUMMARY
In summary, the PCI DSS is: MATURING
In summary, the PCI DSS is: FACILITATING CONSISTENCY
In summary, the PCI DSS is: INSISTING CONTINUOUS COMPLIANCE
THANK YOU! www.brightline.com/PCI
PCI DSS 3.0 Overview and Key Updates
Próxima SlideShare
Cargando en…5
×

PCI DSS 3.0 Overview and Key Updates

1.045 visualizaciones

Publicado el

Educate your organization on the practical impacts of performing a PCI assessment under the new standard.

This SlideShare will focus on the following learning objectives:
• Provide an overview of PCI v3.0
• Discuss the background and the drivers
• Identify the immediate updates
• Discuss the updates for 2015

Publicado en: Tecnología
no profile picture user

  • Inicia sesión para ver los comentarios

PCI DSS 3.0 Overview and Key Updates

  1. 1. Overview……………………………….……3 Background & Drivers……………….……7 PCI DSS 3.0 Updates…………………...…22 3.0 Updates Effective July 1, 2015…......26 Summary………………………………...….30 CONTENTS
  2. 2. OVERVIEW
  3. 3. Payment Card Industry Data Security Standards (PCI DSS) A set of requirements designed to ensure that all companies that store, process or transmit credit card information maintain a secure environment OVERVIEW
  4. 4. Payment Card Industry Security Standards Council (PCI SSC) An independent body created by the major payment card brands in 2006 to administor and manage the ongoing evolution of the PCI DSS OVERVIEW
  5. 5. History of PCI DSS Revisions OVERVIEW 2004 Version 1.0 2006 Version 1.1 2008 Version 1.2 2010 Version 2.0 2009 Version 1.2.1 2013 Version 3.0
  6. 6. BACKGROUND & DRIVERS
  7. 7. Several standards introduced new versions for 2014 including: – SOC 2 (Trust Services Principles)
  8. 8. Several standards introduced new versions for 2014 including: – SOC 2 (Trust Services Principles) – ISO 27001 (2013)
  9. 9. Several standards introduced new versions for 2014 including: – SOC 2 (Trust Services Principles) – ISO 27001 (2013) – FedRAMP - NIST 800-53 Rev 4
  10. 10. Several standards introduced new versions for 2014 including: – SOC 2 (Trust Services Principles) – ISO 27001 (2013) – FedRAMP - NIST 800-53 Rev 4 – CSA STAR
  11. 11. Several standards introduced new versions for 2014 including: – SOC 2 (Trust Services Principles) – ISO 27001 (2013) – FedRAMP - NIST 800-53 Rev 4 – CSA STAR – PCI DSS 3.0
  12. 12. WHY UPDATE TO 3.0? The PCI Security Standards Council’s (“SSC”) three year update schedule
  13. 13. WHY UPDATE TO 3.0? The PCI Security Standards Council’s (“SSC”) three year update schedule Consistency in assessments
  14. 14. WHY UPDATE TO 3.0? The PCI Security Standards Council’s (“SSC”) three year update schedule Consistency in assessments Streamline certain requirements
  15. 15. WHY UPDATE TO 3.0? The PCI Security Standards Council’s (“SSC”) three year update schedule Consistency in assessments Streamline certain requirements Align with technology trends
  16. 16. WHY UPDATE TO 3.0? The PCI Security Standards Council’s (“SSC”) three year update schedule Consistency in assessments Streamline certain requirements Align with technology trends Cooperate with “business as usual”
  17. 17. January 1, 2014 PCI DSS 3.0 is effective (Merchant or service provider’s choice) WHEN TO UPDATE?
  18. 18. January 1, 2015 (Required for all assessments) WHEN TO UPDATE?
  19. 19. BrightLine recommends for any merchant or service provider preparing for the first time WHEN TO UPDATE?
  20. 20. BrightLine recommends use of 3.0 for clients performing assessments after August WHEN TO UPDATE?
  21. 21. PCI DSS 3.0 UPDATES
  22. 22. • Breadth and depth of requirements • Systems inventory • Dataflow diagrams • Detailed access needs for each role • Service provider due diligence ADDITIONAL DOCUMENTATION REQUIREMENTS
  23. 23. • Antivirus definition • Additional application security vectors – e.g. memory scraping • Additional validation testing required for: – Access control and authentication – More flexibility for ‘daily’ log monitoring TECHNICAL UPDATES
  24. 24. • SAQ A vs. SAQ A-EP – SAQ A: 14 questions – SAQ A-EP: ~ 150 questions • Of note - a properly formed iFrame can use SAQ-A • All e-commerce providers have to meet all applicable requirements regardless of SAQ form SELF ASSESSMENT QUESTIONNAIRE & E-COMMERCE IMPLICATIONS
  25. 25. 3.0 UPDATES EFFECTIVE JULY 1, 2015
  26. 26. • In a shared hosting environment, unique authentication credentials to each environment • Physical protection of payment devices • Web application vulnerability testing for broken authentication and session management ACCESS CONTROL & TECHNICAL
  27. 27. Pen Testing Special Interest Group (SIG) to release an Information Supplement by the end of 2014 PENETRATION TESTING • Implement a methodology • Emphasis on external AND internal network and application testing • Validate segmentation and scope-reduction controls
  28. 28. • Acknowledgement of responsibility from service providers • Define which requirements are managed by service providers and which are managed by the entity SERVICE PROVIDER MANAGEMENT
  29. 29. SUMMARY
  30. 30. In summary, the PCI DSS is: MATURING
  31. 31. In summary, the PCI DSS is: FACILITATING CONSISTENCY
  32. 32. In summary, the PCI DSS is: INSISTING CONTINUOUS COMPLIANCE
  33. 33. THANK YOU! www.brightline.com/PCI

×