© 2013 Imperva, Inc. All rights reserved.

PCI 3.0 Revealed - What You Need to Know Today

PCI-DSS v3.0: What You Need to Know Today

Barry Shteiman – Director of Security Strategy

Agenda

• PCI-DSS Themes and Drivers
• Dates and Deadlines
• New Requirements
• Web App Compliance

Today's Speaker - Barry Shteiman

• Director of Security Strategy
• Security Researcher working with the CTO office
• Author of several application security tools, including HULK
• Open source security projects code contributor
• CISSP
• Twitter @bshteiman

Introducing PCI-DSS 3.0

PCI-DSS

Payment Card Industry (PCI) Data Security Standard (DSS)

• Industry driven
  – From conception to enforcement
• Evolving
  – 4th version over 7 years
  – Rate of releases has slowed: 3 years since the v2.0 release
• Concise and Pragmatic
  – Does not avoid naming technologies
  – Calls out threats by name
  – Very specific about data scope

PCI-DSS Evolution

• PCI 1.0: December 2004
  – 12 major sections
• PCI 1.1: September 2006
  – App security, compensating controls
• PCI 1.2: October 2008
  – Risk based approach, emphasis on wireless
• PCI 2.0: October 2010
  – Definition of scope, clarifications
• PCI 3.0: November 2013
  – Consistency for assessors, risk based approach, flexibility

PCI-DSS 3.0 Key Drivers

• Lack of education and awareness
• Weak passwords, authentication
• Third-party security challenges
• Slow self-detection, malware
• Inconsistency in assessments

General Themes

• Penetration testing gets real
  – More explicitly-defined penetration test guidelines
• Skimmers, skimmers and more skimmers
  – New requirement to maintain a list of POS devices, periodically inspect devices and train personnel
  – Inclusion of POS devices in other sections
• Service provider accountability
• PCI requirement clarifications and details

Why Protect Point-of-Sale Devices?

Physical data theft incidents from the 2013 Verizon Data Breach Investigations Report (DBIR)

Source: http://www.verizonenterprise.com/DBIR/

Service Providers Accountability

Third-party awareness at the compliance level

Source: http://www.bankinfosecurity.com/bofa-confirms-third-party-breach-a-5582

PCI DSS 3.0 Dates and Deadlines

• Publication Date: November 7, 2013
• Effective Date: January 1, 2014
  – Version 2.0 remains active until December 31, 2014
• Deadline for New Requirements: June 30, 2015
  – Until that date the new requirements are best practices; from then on they are mandatory

What's New?

New Requirements Added in PCI-DSS 3.0

New Req. 6.5.6

Insecure handling of credit card and authentication data in memory.

Compliance:
• Document how PAN/SAD is handled in memory to minimize exposure

Note: the numbering here follows the pre-release PCI DSS 3.0 change highlights. In the published v3.0 text the 6.5 coding requirements end at 6.5.10 (broken authentication and session management), and the in-memory handling item did not survive as a separate requirement. Treat it as good practice rather than an assessable control.
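The pattern the slide asks you to document, as an added example (not Imperva's or the PCI Council's code; helper names are hypothetical): card data is kept in a mutable bytearray, the only str ever built is the non-sensitive masked form, and both PAN and CVV are wiped in a finally block on every exit path. One caveat a practitioner needs: CPython cannot scrub immutable bytes or str copies, so the caller must supply bytearrays and must never .decode() the full PAN.

```python
"""Bounding the in-memory lifetime of PAN and sensitive authentication data.

Added example, not Imperva's or the PCI Council's code; helper names are
hypothetical. Card data lives in a mutable bytearray, only the non-sensitive
derivation (masked PAN) is turned into a str, and both buffers are wiped in
``finally`` on every exit path. Caveat: CPython cannot scrub immutable
``bytes``/``str`` copies, so callers must pass bytearrays and must not
``.decode()`` the full PAN.
"""


def wipe(buf: bytearray) -> bytearray:
    """Overwrite every byte in place; returns the same object for chaining."""
    for i in range(len(buf)):
        buf[i] = 0
    return buf


def is_wiped(buf: bytearray) -> bool:
    return all(b == 0 for b in buf)


def masked_pan(pan: bytearray) -> str:
    """Build the display form from the first six and last four digits only,
    so the str that is created never holds the full PAN."""
    if not 13 <= len(pan) <= 19 or not all(0x30 <= b <= 0x39 for b in pan):
        raise ValueError("PAN must be 13 to 19 ASCII digits")
    return pan[:6].decode("ascii") + "*" * (len(pan) - 10) + pan[-4:].decode("ascii")


def fake_processor(pan: bytearray, cvv: bytearray) -> bool:
    """Constructed stand-in for the acquirer call; approves any 3- or 4-digit CVV."""
    return len(cvv) in (3, 4) and cvv.isdigit()


def authorize(pan: bytearray, cvv: bytearray, send=fake_processor) -> dict:
    """Validate, hand plaintext to the processor exactly once, keep only the
    non-sensitive result, and wipe PAN and CVV (SAD) whether or not the call
    succeeds. Nothing sensitive is retained after authorization."""
    try:
        masked = masked_pan(pan)           # validates; raises before send on bad input
        approved = send(pan, cvv)
        return {"approved": approved, "pan_masked": masked}
    finally:
        wipe(pan)
        wipe(cvv)


if __name__ == "__main__":
    pan, cvv = bytearray(b"4111111111111111"), bytearray(b"123")  # constructed test card
    print(authorize(pan, cvv))
    print(is_wiped(pan), is_wiped(cvv))
```

The point of returning the masked form rather than the PAN is that downstream code (receipts, logs, support tooling) never receives anything that needs protecting, so the documented exposure window is the duration of authorize() and nothing else.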


New Req. 6.5.11

Broken authentication and session management (numbered 6.5.10 in the published v3.0 text).

Compliance:
• Flag session tokens (for example, mark session cookies Secure and HttpOnly)
• Don't expose the session ID in the URL
• Implement time-outs
• Prevent user ID manipulation

New Req. 8.5.1

Service providers with access to customer environments must use a unique authentication credential for each customer.

Compliance:
• Authentication policies and procedures mandating that different authentication is used to access each customer environment

** Only mandated for service providers

New Req. 9.9

Protect POS devices that capture payment card data from tampering.

Compliance:
• Maintain a list of POS devices
• Periodic inspection for tampering/substitution
• Training for awareness

Note: PCI-DSS now addresses skimmers.

New Req. 11.3

Develop a penetration testing methodology based on industry guidelines such as NIST SP 800-115.

Compliance:
• Implement a penetration testing approach based on an industry standard (such as NIST SP 800-115)
• Define pen-tests for all layers
• Specify retention of test results and remediation activity

New Req. 12.9

Service providers must document in writing that they will adhere to PCI DSS.

Compliance:
• Acknowledge in writing to customers that the service provider will maintain PCI DSS in full on behalf of the customer

** Only mandated for service providers

Web Application Compliance

Using a WAF to Close the Compliance Gap

Web Application Relevant Requirements

[6.5.11] Broken Auth. & Session Mgmt.

Authentication/Session attacks:
• Cookie Tampering
• Cookie Poisoning
• Session Hijacking
• Session Reuse
• Parameter Tampering
• SSL Reuse
• Brute Force
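The server-side controls behind the 6.5.11 compliance bullets (flag the token, keep the ID out of the URL, time-outs, no user ID manipulation) and the attack list above, as an added example that is not Imperva's or the PCI Council's code. It is a hypothetical in-memory session store; the cookie name, the 15-minute idle value (the one PCI DSS uses for idle re-authentication in 8.1.8) and the 8-hour absolute cap are assumptions a real deployment would set by policy.

```python
"""Session controls for the 6.5.11 bullets and the attack list above.

Added example, not Imperva's or the PCI Council's code: a hypothetical
in-memory session store. Time-out values are policy assumptions.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import parse_qs, urlsplit

COOKIE_NAME = "SESSIONID"
IDLE_TIMEOUT = 15 * 60          # assumption: 15 min idle, the PCI DSS 8.1.8 value
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # assumption: hard cap regardless of activity


@dataclass
class Session:
    user_id: str      # bound server-side; never taken from the client
    created: float
    last_seen: float


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._sessions: dict[str, Session] = {}

    def create(self, user_id: str) -> str:
        """Issue a 256-bit random ID: unguessable, so brute force is impractical."""
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = Session(user_id, now, now)
        return token

    @staticmethod
    def set_cookie(token: str) -> str:
        """Flagged token: Secure (TLS only), HttpOnly (no script access),
        SameSite=Strict (not sent cross-site); Max-Age mirrors the hard cap."""
        return (f"{COOKIE_NAME}={token}; Path=/; Secure; HttpOnly; "
                f"SameSite=Strict; Max-Age={ABSOLUTE_TIMEOUT}")

    @staticmethod
    def token_from_request(headers: dict) -> Optional[str]:
        """Read the ID from the Cookie header only. A ?SESSIONID=... in the
        URL is never consulted, so IDs stay out of logs, Referers and history."""
        for part in headers.get("Cookie", "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == COOKIE_NAME and value:
                return value
        return None

    def resolve(self, token: Optional[str]) -> Optional[Session]:
        """Return the live session or None. Idle and absolute time-outs are
        enforced here; an expired session is destroyed, not merely refused."""
        sess = self._sessions.get(token) if token else None
        if sess is None:
            return None
        now = self._clock()
        if now - sess.last_seen > IDLE_TIMEOUT or now - sess.created > ABSOLUTE_TIMEOUT:
            del self._sessions[token]
            return None
        sess.last_seen = now
        return sess

    def rotate(self, token: str) -> Optional[str]:
        """Swap the ID after login or a privilege change so a fixated or
        previously captured ID cannot be reused; the old ID dies at once."""
        sess = self._sessions.pop(token, None)
        if sess is None:
            return None
        new_token = secrets.token_urlsafe(32)
        self._sessions[new_token] = sess
        return new_token


def account_view(store: SessionStore, headers: dict, url: str) -> tuple:
    """Handler for /account: the account shown is the one bound to the
    session; a client-supplied user_id that differs is a tamper signal."""
    sess = store.resolve(store.token_from_request(headers))
    if sess is None:
        return 401, "re-authenticate"
    requested = parse_qs(urlsplit(url).query).get("user_id", [sess.user_id])[0]
    if requested != sess.user_id:
        return 403, "forbidden"      # parameter tampering: refuse (and log)
    return 200, f"account {sess.user_id}"


if __name__ == "__main__":
    store = SessionStore()
    tok = store.create("alice")
    print(store.set_cookie(tok))
    print(account_view(store, {"Cookie": f"{COOKIE_NAME}={tok}"}, "/account"))
    print(account_view(store, {}, f"/account?{COOKIE_NAME}={tok}"))  # ID only in URL: 401
```

Because the ID is random and only looked up server-side, cookie tampering or poisoning simply fails the lookup; there is nothing in the cookie for the client to manipulate. A WAF in front of this can still add value against brute force and session reuse (rate limiting, flagging an ID seen from two clients), but the application must own the binding of identity to session.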


[11.3] Pen Testing and Remediation

Source: http://www.imperva.com/docs/SB_Imperva_WhiteHat.pdf

PCI-DSS Carry-ons

Source: http://www.imperva.com/PCI/

• Req 6.6: Protect public-facing Web applications
• Req 10: Audit all access to cardholder data
• Req 7: Limit access to systems and data on a business need to know
• Req 8.5: Identify and disable dormant user accounts and access rights
• Req 11.5: Alert personnel to unauthorized modification of files

Learn More

PCI

PCI-DSS Council: http://www.pcisecuritystandards.org
Imperva's PCI Resource Center: http://www.imperva.com/PCI/

Skimmers

KrebsOnSecurity: http://krebsonsecurity.com/category/all-about-skimmers/

Third-Party Breaches

Imperva's January 2013 HII report and Imperva's CMS Hacking webinar: http://www.imperva.com/resources/overview.html

www.imperva.com