PCI DSS v4 - ControlCase Update Webinar Final.pdf

1. 1 PCI DSS v4.0 ControlCase Update YOUR IT COMPLIANCE PARTNER GO BEYOND THE CHECKLIST

2. Speakers 2 Pramod Deshmane, PCI QSA, P2PE QSA, CISA, CISM, CDPSE Having worked for ControlCase for the past 13 years, Pramod leads the US Retail, Technology, BPO and Payments verticals, overseeing all US based certifications. Kishor Vaswani, ControlCase Founder and Advisory Board Member Kishor founded ControlCase (an IT Security and Compliance company) in 2004 and scaled it through its expansion to more than 1,000 customers in 40 countries.

3. About ControlCase PCI DSS v4.0 Timeline PCI DSS v4.0 Goals PCI DSS v4.0 Updates Stand Alone PCI DSS v4.0 Methodology Consolidated PCI DSS v3.2.1/4.0 Methodology Next Steps Q&A Agenda 3 1 2 3 4 5 6 8 7

5. ControlCase Snapshot 5 CERTIFICATION AND CONTINUOUS COMPLIANCE SERVICES Go beyond the auditor’s checklist to: Dramatically cut the time, cost and burden from becoming certified and maintaining IT compliance. • Demonstrate compliance more efficiently and cost effectively (cost certainty) • Improve efficiencies ⁃ Do more with less resources and gain compliance peace of mind • Free up your internal resources to focus on their priorities • Offload much of the compliance burden to a trusted compliance partner 1,000+ 275+ 10,000+ CLIENTS IT SECURITY CERTIFICATIONS SECURITY EXPERTS

6. Solution 6 Certification and Continuous Compliance Services “ I’ve worked on both sides of auditing. I have not seen any other firm deliver the same product and service with the same value. No other firm provides that continuous improvement and the level of detail and responsiveness. — Security and Compliance Manager, Data Center

7. ISO27001/ 2 CMMC RPO SOC 1,2,3,& Cybersecurity HITRUST CSF HIPAA PCI DSS GDPR NIST 800-53 PCI PIN PCI PA-DSS FedRAMP PCI 3DS One Audit™ Assess Once. Comply to Many. Certification Services 7 “ You have 27 seconds to make a first impression. And after our initial meeting, it became clear that they were more interested in helping our business and building a relationship, not just getting the business. — Sr. Director, Information Risk & Compliance, Large Merchant

8. ControlCase Compliance Hub™ 8

10. Transition timeline for PCI DSS 4.0 10 • PCI DSS v3.2.1 is valid for assessment until March 31, 2024, upon which it will be retired. • Until March 31, 2024, the organizations can use either the v3.2.1 or v4.0 standards for the assessments. • From April 1, 2024, only v4.0 will be the active PCI DSS standard that can be used for the assessments. • All the future-dated new requirements will have additional 12 months (i.e., until March 31, 2025) before they become effective. Source – PCI SSC

12. Goals for PCI DSS v4.0 12 - Continue to meet the security needs of the payment industry - Security practices must evolve to continue to meet the security needs of the payments industry as threats change. Example: o Made new updates to multi-factor authentication (MFA) requirements. o Updated password requirements in-line with current industry best practices. o Added new e-commerce and phishing standards to address the ongoing threats. o Updated requirements for Sensitive Authentication Data (SAD) secure handling. o Added authenticated internal vulnerability scanning requirement for a greater insight into organizations vulnerability landscape.

13. Goals for PCI DSS v4.0 13 - Promote security as continuous process - Promote security as a continuous process as ongoing security is crucial to protect payment data Example: o Clearly assigned roles and responsibilities for personnel working on each requirement. o Added guidance across requirements to help organizations better understand how to implement and maintain security. o Added new reporting option to highlight areas for improvement and provides greater transparency for report reviewers.

14. Goals for PCI DSS v4.0 14 - Increase flexibility for organizations using different methods to achieve security objectives - Provide more options and different validation methods to increase flexibility for organizations to achieve security objectives and supports payment technology innovation Example: o Allowed the use of group, shared, and public accounts with exceptions. o Introduced targeted risk analyses that empower organizations to determine the frequency of performing certain activities. o Introduced a new customized approach method to validate PCI DSS requirements, gives organizations another option to consider innovative methods to achieve their security objectives.

15. Goals for PCI DSS v4.0 15 - Enhance validation methods and procedures - Improve validation methods and procedures with Clear validation and reporting options to support transparency and granularity Example: o Increased alignment between information reported in a Report on Compliance or Self-Assessment Questionnaire and information summarized in an Attestation of Compliance

17. Highlights of PCI DSS v4.0 Changes 17 Several small updates are done across the requirements with added clarification or guidance. Renumbered requirements and testing procedures and reorganized requirements due to the addition of numbered requirement description headings. Introduction of a customized approach that provides greater flexibility for entities using different ways to achieve a requirement’s security objective. Introduction of targeted risk analysis for various frequency- based requirements and requirements met with the customized approach. Introduction of 64 new evolving requirements with 51 future dated (best practice until 31 March 2025) and 13 immediate requirements.

18. PCI DSS v4.0 – New Requirements 18 PCI DSS v4.0 includes several new requirements to meet the security needs of the payments industry and promote security as a continuous process. PCI Requirement Ref. Requirements All PCI Requirements Documented roles and responsibilities for all PCI activities Req. 3.4.2 Technical controls prevent copy and/or relocation of PAN, when accessed using remote-access technology Req. 3.5.1.1 Keyed cryptographic hashing for PAN Req. 5.4.1 Mechanisms to detect and protect personnel against phishing attacks Req. 6.4.2 Implementation of automated technical solution for public-facing web applications to prevent web-based attacks Req. 6.4.3 Manage all payment page scripts that are loaded and executed in the consumer’s browser Req. 8.3.6 Updated password requirements (A minimum password length of 12 characters) Req. 8.4.2 & 8.5.1 MFA (Multi-Factor Authentication) for all access to CDE and MFA system secure configuration Req. 10.4.1.1 Automated mechanisms to review audit logs for all CDE and critical systems Req. 11.3.1.2 Internal vulnerability scans via authenticated scanning Req. 11.6.1 A change-and-tamper-detection mechanism for payment pages Req. 12.3.1, 12.3.2 A targeted risk analysis for requirements that provide flexibility and met with a customized approach

20. Option 1 – Standalone v4.0 Assessment 20 • The client environment will be assessed against PCI DSS v4.0 for a standalone gap or certification assessment. • For PCI v4.0 assessment, the Compliance Hub will have a total of 100 or 105 questions (based on the entity type). Deliverables • PCI DSS v4.0 Gap Assessment Report OR • PCI DSS v4.0 ROC, AOC, COC

22. Option 2 – PCI DSS v3.2.1/v4.0 Consolidated Assessment 22 • The client environment will be assessed for PCI DSS v3.2.1 and v4.0 in parallel as a consolidated assessment effort. • For the combined assessment, the Compliance Hub will have a total of 110 or 115 questions (based on the entity type) to answer with an option to maintain the independent review status for the questions at the PCI DSS version level. Deliverables • PCI DSS v3.2.1 ROC, AOC, COC • PCI DSS v4.0 Gap Assessment Report with an update on: • Where do you stand as per PCI DSS v4 • Status of Immediate Controls readiness • Status of Future Dated Controls readiness • Customized Approach suited (Yes/No)

23. PCI DSS v3.2.1/4.0 Consolidated Assessment Questionnaire 23

24. PCI DSS v3.2.1/4.0 Consolidated Assessment 24 Standalone v3.2.1 is 96 questions Standalone v4.0 is 105 questions Consolidated assessment is 115 questions Estimated 25% extra effort gets v4.0 completed in parallel with 3.2.1. or using ControlCase Compliance HubTM

25. PCI DSS v3.2.1/4.0 Consolidated Assessment Status 25

27. Deliverable: • v3.2.1 Record of Compliance • v3.2.1 Attestation of Compliance • v3.2.1 to 4.0 Gap Assessment Haven’t started 2023 PCI DSS 3.2.1 Assessment yet? © ControlCase. All Rights Reserved. 27 If you haven’t started PCI DSS v3.2.1, Ask ControlCase to perform the Consolidated Assessment.

28. Recently started 2023 PCI DSS 3.2.1 Assessment? © ControlCase. All Rights Reserved. 28 If you have started PCI DSS v3.2.1, and are in the Scoping phase, ask ControlCase for the: • Add-on v4.0 Gap Assessment Deliverable: • v3.2.1 Record of Compliance • v3.2.1 Attestation of Compliance • v3.2.1 to 4.0 Gap Assessment

29. Standalone v4.0 Gap Assessment © ControlCase. All Rights Reserved. 29 If you have started PCI DSS v3.2.1 and are beyond scoping phase, engage ControlCase for v3.2.1 to 4.0 Gap Assessment • Or (new customer) want to engage ControlCase just for Gap Assessment • Reach out to ControlCase to decide how (contact@controlcase.com) Deliverable: • v3.2.1 to 4.0 Gap Assessment

30. PCI DSS v4.0 Certification © ControlCase. All Rights Reserved. 30 Engage ControlCase for a PCI DSS v4.0 Stand Alone Assessment • Or (new customer) want to engage ControlCase just for v4.0 Certification Deliverable: • PCI DSS v4.0 Record of Compliance • PCI DSS v4.0 Attestation of Compliance

31. THANK YOU FOR THE OPPORTUNITY TO CONTRIBUTE TO YOUR IT COMPLIANCE PROGRAM. www.controlcase.com contact@controlcase.com Download PCI DSS 4.0 Cheat Sheet Schedule PCI DSS Certification Discussion

PCI DSS v4 - ControlCase Update Webinar Final.pdf

PCI DSS v4 - ControlCase Update Webinar Final.pdf

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente(20)

Similar a PCI DSS v4 - ControlCase Update Webinar Final.pdf

Similar a PCI DSS v4 - ControlCase Update Webinar Final.pdf(20)

Más de ControlCase

Más de ControlCase(20)

Último

Último(15)

PCI DSS v4 - ControlCase Update Webinar Final.pdf