Walter Conway, QSA
403 Labs, LLC
Sneak Preview: What to Expect from PCI DSS v. 2.0
Changes
Clarifications
Guidance
University of Wisconsin Lockdown 2010 | Walter Conway, QSA, | 403 Labs, LLC | © 2010 2
Agenda
PCI DSS in context
New PCI version in October – “fine tuning”
- Lifecycle
- Cardholder data discovery
- Clarifications
- SAQ revisions
- Emerging technology guidance
What this means for you
403 Labs, LLC
Information security consulting firm
Payment Card Industry:
- Qualified Security Assessor (QSA)
- Payment Application QSA (PA-QSA)
- Approved Scanning Vendor (ASV)
Work with service providers and merchants of all sizes
PCI DSS: 6 Goals, 12 Requirements
Some PCI DSS Basics
Payment Card Industry Data Security Standard
Goal is to protect Cardholder Data
- And to keep you out of the headlines
If you take plastic, PCI applies to you
- “Store, process, or transmit” cardholder data
Whole of PCI DSS applies to all merchants
New PCI release due October 2010
- Reflect latest attack vectors, technology, practices
PCI does not make you secure
Some PCI DSS Basics (cont.)
Each card brand has its own security program
- Merchant levels
- Validation (e.g., MasterCard’s new rules)
- Penalties, fees
Safe harbor – can it exist?
Compliance
- People, process, technology
- No “silver bullet”
PCI DSS v. 2.0 – Lifecycle
3-Year Lifecycle
- Announced in June
- Consistency: PCI DSS, PA-DSS, PCI PTS
- Interim versions for errata, new threats
- FAQ, supplements to continue
Benefits
- Fewer new requirements
- More time for implementation and feedback
- Version 1.2 sunset December 2011
PCI DSS v. 2.0 – Lifecycle
PCI DSS v. 2.0 – Data Discovery
Cardholder data discovery “methodology”
- Find all your electronic cardholder data
- “Data leakage”
- Data breaches and “unknown unknowns”
PCI DSS v. 2.0 – Hashing
Hashing
- Produces unique fixed-length output for each unique input
- Hash functions are not keyed/reversible
- Hash may include a “salt”
PCI DSS v. 2.0 – Segmentation
Network segmentation is not required, but recommended
- Isolate systems that “store, process, or transmit” CHD
- Limit PCI scope
PCI DSS v. 2.0 – SAQs
Goal is to remove ambiguities
Expect minor but critical changes clarifying who can use them
Will we see new SAQ(s)?
PCI DSS v. 2.0 – Guidance
Emerging technologies
- Virtualization
- Tokenization
- End-to-end encryption
- EMV standard (chip cards)
PCI Council guidance for compliance
- Impact on PCI
- Map to PCI requirements
PCI DSS v. 2.0 – Tokenization
A data security technology in which strings of random characters called tokens can be used in lieu of other, more valuable data, such as PANs
Vendor and in-house solutions
Tokenization can reduce (not eliminate) PCI scope
- Everything depends on implementation
Diagram: Plaintext 4123 4567 8901 2345 -> Tokenization Engine -> Ciphertext (token) 8894 7296 6294 0598; token-to-PAN mapping held in a Secure Repository
PCI DSS v. 2.0 – End-to-End Encryption
Encryption: a cryptographic process for disguising data by applying a series of complex mathematical operations to data to render it unreadable to anyone without the proper decryption key
Encryption is a keyed, reversible function
Security depends on the key
- A big number that if compromised, bye-bye security
Encrypted data are still in PCI scope
Diagram: Plaintext 4123 4567 8901 2345 -> Encryption (Key 7693398720684553) -> Ciphertext 8894 7296 6294 0598
PCI DSS v. 2.0 – End-to-End Encryption
Really “point-to-point”
End-to-End encryption
- PAN encrypted from POS terminal all the way through the payment processing cycle
- CHD always stored and transmitted as ciphertext
- Critical element: merchant cannot decrypt
For more information
- PCI Council guidance documents, FAQ
- Visa’s best practices for data field encryption
PANs, Hashes, Encryption, Tokens
PAN (card number): 5647 8377 8388 2299
Truncated PAN: 5647 83XX XXXX 2299
Hashed PAN (renders PAN unreadable; one way): 2fd4e1c6 7a2d28fc
Encrypted PAN (more characters than the PAN and structurally different): 9Ojr73h3d^&hh#&HFH&##ED*HD#*
Format-preserving encryption (structurally similar to the PAN): 8734 6392 8581 9284
Token (like the PAN in length and character type, but randomly derived): 9483 7266 3928 9819
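An added Python example (not from the presentation) that produces the truncated, hashed and tokenized forms from the table above for a constructed test PAN. The in-memory TokenVault standing in for the secure repository, the salt value and the random-digit token format are assumptions; the encrypted forms are omitted because they need a cipher library.

```python
import hashlib
import secrets

# Constructed test PAN (a well-known test number), not a real card.
PAN = "4111111111111111"


def truncate_pan(pan):
    """Truncated PAN: keep first six and last four digits, mask the rest."""
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan, salt):
    """Hashed PAN: one-way, fixed-length; a salt changes the output."""
    return hashlib.sha256(salt + pan.encode()).hexdigest()


class TokenVault:
    """Secure repository: the only place the token-to-PAN mapping lives."""

    def __init__(self):
        self._by_pan = {}
        self._by_token = {}

    def tokenize(self, pan):
        """Return the existing token for a PAN, or mint a random one."""
        if pan in self._by_pan:
            return self._by_pan[pan]
        while True:
            # Same length and character type as the PAN, randomly derived.
            token = "".join(secrets.choice("0123456789") for _ in pan)
            if token != pan and token not in self._by_token:
                break
        self._by_pan[pan] = token
        self._by_token[token] = pan
        return token

    def detokenize(self, token):
        """Only a system with vault access can recover the PAN."""
        return self._by_token[token]


def render_forms(pan, salt, vault):
    """Produce the truncated, hashed and tokenized forms of one PAN."""
    return {
        "pan": pan,
        "truncated": truncate_pan(pan),
        "hashed": hash_pan(pan, salt),
        "token": vault.tokenize(pan),
    }
```

Calling render_forms(PAN, b"constructed-salt", TokenVault()) shows the three forms side by side; the hash is reproducible from the PAN and salt, while the token can only be mapped back through the vault.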
PCI DSS v. 2.0 – Emerging Technologies
Encryption, tokenization are still maturing
- May not work with all applications, systems
- Standards?
- Lots of marketing hype
Encryption security depends on protecting key
Look for guidance from PCI Council
- Don’t expect specifics on implementation
Read Visa’s best practices document
As of today, only truncation and hashing remove CHD from scope
PCI DSS v. 2.0 – Get Smart
PCI Council FAQ
PCI Council courses
- Standards training
- Independent Security Assessor (ISA)
Other PCI training options
PCI DSS v. 2.0 – Conclusions
Expect refinements, not major changes
3-year lifecycle for each standard
Find your CHD…all of it!
Revised SAQs should help
Guidance on emerging technologies
Announcements, webinars over the summer
DSS v. 2.0 not unveiled until September?
What to Expect from PCI DSS v. 2.0
Questions? Comments? Thoughts?
Thank you!
See my PCI column at StorefrontBacktalk.com
Higher Ed PCI blog: treasuryinstitutepcidss.blogspot.com