4. What is PCI DSS?
Payment Card Industry Data Security Standard:
• A set of security requirements for any organization that processes, stores, or transmits payment card account data
• Established by the major payment card brands
• Maintained by the PCI Security Standards Council (PCI SSC)
5. PCI DSS Requirements
Control objective: Build and maintain a secure network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
Control objective: Protect cardholder data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
Control objective: Maintain a vulnerability management program
  5. Use and regularly update anti-virus software on all systems commonly affected by malware
  6. Develop and maintain secure systems and applications
Control objective: Implement strong access control measures
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
Control objective: Regularly monitor and test networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
Control objective: Maintain an information security policy
  12. Maintain a policy that addresses information security
6. Timeline of PCI DSS 3.0
• The new PCI DSS 3.0 has been published (November 2013)
• Effective January 1st, 2014
• Organizations may comply with either PCI DSS 2.0 or 3.0 during 2014
• Compliance with PCI DSS 3.0 is mandatory starting January 1st, 2015
8. Overview
Segmentation
• Adequacy of segmentation
• Penetration test
Third parties/Service providers
• Must validate their own PCI DSS compliance; OR
• Must participate in the customer's PCI DSS compliance audit
9. Overview contd…
PCI DSS as Business as Usual
• Monitoring of security controls
• Review changes to the environment
• Review changes to the organizational structure
• Periodic review of controls, not only at audit time
• Separation of duties (operational vs. security)
Physical protection of POS, ATM and Kiosks
• Maintain an inventory
• Periodic inspection for tampering
• Train personnel
11. Firewalls
• Network diagram
› Must include cardholder data flows
› Must include a clear boundary showing the PCI DSS scope (the cardholder data environment, CDE)
12. Configuration Standards
• Maintain an inventory of in-scope system components
› Business as usual function
› Inventory of hardware and software must be maintained
› The function/use of each system must be recorded in the inventory
15. Antivirus
• Intent is to prevent malware in general, not only viruses
› Evaluate malware threats against systems EVEN if a system is not commonly affected by viruses/malicious software, e.g. AS/400
› Anti-virus must be running in an active mode AND cannot be disabled or altered by regular users without management approval
16. Secure Applications
• Test applications for broken authentication and session management flaws
• "Web Application Firewall" has been replaced by "automated technical solution that detects and prevents web-based attacks" (a WAF remains one acceptable way to meet this)
17. Access Control and User IDs
• Provides for flexibility in password controls
› Minimum of 7 characters
› Alphanumeric (both numeric and alphabetic characters)
› Alternatives are acceptable as long as the objective is met
› Allows for alternative mechanisms such as tokens and certificates
• Service providers with access to customer environments MUST use a unique authentication credential per customer
18. Physical Security
• Physical access controls to "sensitive areas" must be implemented for onsite personnel
› Data center
› Computer room
› Telecommunications room
• Protect physical devices such as POS terminals
› Maintain a list of devices
› Periodically inspect devices for tampering
› Train personnel to be aware of suspicious behavior
19. Logging and Monitoring
• Clarified what is meant by identification and authentication logging
› Elevation of privileges must be logged
› Changes, additions or deletions to accounts with root or administrative privileges must be logged
• Logging of the audit logs themselves
› Initialization of audit logs must be captured
› Stopping or pausing of audit logs must be captured
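As an added illustration (not part of the ControlCase deck), the following Python sketch shows what picking these events out of a log stream looks like. The sample syslog lines are constructed for the example; their shapes are modelled on sudo, shadow-utils (useradd/usermod/userdel) and auditd messages, but the detector class, its category names and the choice of privileged groups are assumptions made here, not anything the deck or PCI DSS prescribes. The detector keeps state so that deleting an account that earlier became root/admin is reported, which a stateless regex over userdel lines would miss.

```python
import re
from dataclasses import dataclass

# Constructed sample syslog lines (not real captures) covering the events the slide says
# must be logged; the sshd line is benign filler that should not be reported.
SAMPLE_LOGS = """\
Mar  3 10:01:12 pos-srv1 sudo:  jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/bin/bash
Mar  3 10:02:40 pos-srv1 su: (to root) jdoe on pts/0
Mar  3 10:05:03 pos-srv1 useradd[2231]: new user: name=svc_backup, UID=0, GID=0, home=/root, shell=/bin/bash
Mar  3 10:06:15 pos-srv1 usermod[2250]: add 'jdoe' to group 'wheel'
Mar  3 10:07:00 pos-srv1 sshd[2300]: Accepted publickey for jdoe from 10.10.5.7 port 51234 ssh2
Mar  3 10:08:22 pos-srv1 auditd[612]: The audit daemon is exiting.
Mar  3 10:09:01 pos-srv1 auditd[700]: Init complete, auditd 2.8.5 listening for events
Mar  3 10:09:45 pos-srv1 userdel[2310]: delete user 'svc_backup'
"""

PRIV_GROUPS = {"root", "wheel", "sudo"}   # assumption: groups that confer admin rights here

SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
SUDO_RE = re.compile(r"^sudo:\s+\S+\s*:.*\bUSER=root\b")
SU_RE = re.compile(r"^su: \(to root\) ")
USERADD_RE = re.compile(r"^useradd\[\d+\]: new user: name=(?P<name>[^,]+),.*\bUID=(?P<uid>\d+)")
USERMOD_RE = re.compile(r"^usermod\[\d+\]: add '(?P<name>[^']+)' to group '(?P<group>[^']+)'")
USERDEL_RE = re.compile(r"^userdel\[\d+\]: delete user '(?P<name>[^']+)'")
AUDIT_STOP_RE = re.compile(r"^auditd\[\d+\]: The audit daemon is exiting")
AUDIT_START_RE = re.compile(r"^auditd\[\d+\]: Init complete")


@dataclass
class Event:
    timestamp: str
    host: str
    category: str
    message: str


class Req10Detector:
    """Classifies log messages into reportable categories. Stateful: accounts that gain
    root/admin privilege are remembered so a later deletion of such an account is flagged."""

    def __init__(self, privileged=("root",)):
        self.privileged = set(privileged)

    def classify(self, msg):
        if SUDO_RE.search(msg) or SU_RE.search(msg):
            return "privilege_elevation"
        m = USERADD_RE.search(msg)
        if m:
            if m.group("uid") != "0":
                return None            # non-root account creation is outside this detector's scope
            self.privileged.add(m.group("name"))
            return "admin_account_change"
        m = USERMOD_RE.search(msg)
        if m and m.group("group") in PRIV_GROUPS:
            self.privileged.add(m.group("name"))
            return "admin_account_change"
        m = USERDEL_RE.search(msg)
        if m and m.group("name") in self.privileged:
            self.privileged.discard(m.group("name"))
            return "admin_account_change"
        if AUDIT_STOP_RE.search(msg):
            return "audit_log_stopped"
        if AUDIT_START_RE.search(msg):
            return "audit_log_started"
        return None

    def scan(self, text):
        """Return the reportable events found in a block of syslog text, in order."""
        events = []
        for line in text.splitlines():
            m = SYSLOG_RE.match(line)
            if not m:
                continue               # not syslog-shaped; a real pipeline would count these too
            category = self.classify(m.group("msg"))
            if category:
                events.append(Event(m.group("ts"), m.group("host"), category, m.group("msg")))
        return events


def scan_sample():
    return Req10Detector().scan(SAMPLE_LOGS)


if __name__ == "__main__":
    for ev in scan_sample():
        print(f"{ev.timestamp} {ev.host} [{ev.category}] {ev.message}")
```

On the sample the sshd login is ignored, the two privilege elevations, the UID-0 account creation, the wheel group addition, the auditd stop and restart, and the deletion of the UID-0 account are all reported. The stop/start pair is the one to treat as an alert rather than a log entry: a gap in auditing on a CDE host is exactly what the "logging of the audit logs" item exists to catch.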
20. Vulnerability Management
• Maintain an inventory of authorized wireless access points
• Penetration testing MUST validate segmentation
› Testing must prove conclusively that a compromise in the non-CDE network cannot result in a breach of the CDE (where segmentation is used to reduce scope)
• Critical files must be compared at least weekly AND an individual must evaluate and investigate any change to a critical file
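The weekly critical-file comparison is a file-integrity check: hash the monitored files, keep the hashes as a baseline, and diff the next snapshot against it so a person can investigate what changed. The Python below is an added example written for this page, not ControlCase tooling or anything PCI DSS specifies; the file names, contents and the HMAC key are constructed for the demonstration. One detail the slide's "compare" does not spell out is that the baseline itself is a target: the example seals it with an HMAC so that an attacker who alters a file cannot also quietly rewrite the stored hashes, assuming the key is held by the monitoring system rather than on the host.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=1 << 16):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def snapshot(paths):
    """Record content hash and permission bits for every monitored file that exists.
    Missing files are omitted so they surface as 'removed' on comparison."""
    snap = {}
    for p in map(Path, paths):
        if p.is_file():
            snap[str(p)] = {"sha256": hash_file(p), "mode": oct(p.stat().st_mode & 0o7777)}
    return snap


def compare(baseline, current):
    """Diff two snapshots into the three classes a reviewer has to investigate."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in base_keys & cur_keys if baseline[p] != current[p]),
    }


def seal(snap, key):
    """Canonical JSON plus HMAC-SHA256 so the stored baseline cannot be silently rewritten
    by whoever altered the files. The key must not live on the monitored host."""
    body = json.dumps(snap, sort_keys=True, separators=(",", ":"))
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"baseline": body, "hmac": mac})


def unseal(blob, key):
    """Verify the HMAC before trusting the baseline; refuse to compare against a tampered one."""
    doc = json.loads(blob)
    expected = hmac.new(key, doc["baseline"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("baseline HMAC mismatch: stored baseline has been altered")
    return json.loads(doc["baseline"])


def run_demo(root=None):
    """Constructed scenario (not real files): baseline three 'critical' files, then
    modify one, delete one and add one before the next weekly comparison."""
    if root is None:
        with tempfile.TemporaryDirectory() as tmp:
            return run_demo(tmp)
    root = Path(root)
    files = {"httpd.conf": b"Listen 443\n", "pos.cfg": b"tls=1\n", "sshd_config": b"PermitRootLogin no\n"}
    for name, data in files.items():
        (root / name).write_bytes(data)
    watch = [root / name for name in files] + [root / "new.so"]   # new.so does not exist yet
    key = b"demo-only-key"   # assumption for the demo; in practice held by the monitoring server
    sealed = seal(snapshot(watch), key)

    (root / "pos.cfg").write_bytes(b"tls=0\n")    # modified
    (root / "sshd_config").unlink()                # removed
    (root / "new.so").write_bytes(b"\x7fELF")      # added

    report = compare(unseal(sealed, key), snapshot(watch))
    return {kind: [Path(p).name for p in paths] for kind, paths in report.items()}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The report is what the "individual must evaluate and investigate" item refers to: every entry in it needs a ticket that ends in either an approved change record or an incident. The mode bits are included in the snapshot because a permission change on a configuration file is a change to a critical file even when its contents are untouched.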
21. Policies and Procedures
• Third party/service provider requirements have been enhanced
› Must maintain an inventory of which PCI DSS requirements are managed by each service provider
› Written acknowledgement required from service providers attesting to their responsibility for the PCI DSS requirements they manage
› Third parties must provide evidence of PCI DSS compliance (e.g. an Attestation of Compliance) OR be willing to be a part of the customer's PCI DSS audit
24. Key Takeaways as you Make Cloud Decisions
• Revisit segmentation for adequacy
• Focus on third party compliance
• Identify GRC technology for business-as-usual implementation
• Revisit penetration testing methodology
• Identify how to secure physical devices such as POS, ATM and Kiosks
26. ControlCase PCI 3.0 transition package
PCI DSS 3.0 change assessment
Implement business as usual using ControlCase GRC
Third party PCI DSS data collection program
Review of penetration test methodology
27. To Learn More About PCI Compliance…
• Visit www.ControlCase.com
• Call +1.703.483.6383 (US)
• Call +91.9820293399 (India)