PCI DSS v3.2
The sooner you fall behind, the more time you have to catch up
Online Business Systems
Steve Levinson, Mark Hannah
This SlideShare summarizes a few of the key changes from PCI Data Security Standard Version 3.1 to 3.2. It provides a high level view of the impact of the changes on organizations subject to PCI requirements, based on Online Business Systems’ QSA viewpoint. Many of the new sub-requirements will remain as best practices until February 1, 2018.
Table of Contents
• Slide 3: Change Drivers for v3.2
• Slide 4: Important Dates
• Slide 5: SSL & TLS 1.0 – What we know
• Slide 6: SSL & TLS 1.0 – Mitigation Strategy
• Slides 7-10: PCI Changes
• Slide 11: Six practical tips for avoiding PCI failure
Change Drivers for v3.2
• Improves prescriptiveness
• Scoping, data flow, and inventory inconsistencies
• SSL and early TLS
• Third-party security challenges
• Slow self-detection of compromise, malware
• You’re only one change away from being out of compliance
• Recent breaches
Important Dates
• April 28, 2016: Summary of changes document, PCI DSS 3.2, and ROC reporting template are available on the PCI SSC website
• October 31, 2016: Version 3.1 will be retired. All assessments completed after this date require:
  – New 3.2 ROC reporting template and reporting instructions
  – New 3.2 AOCs
  – Version 3.2 SAQs
• February 1, 2018: Final date to implement the “Evolving Requirements” (until then they are best practices)
SSL & TLS 1.0 – What we Know
• June 30, 2016: All service providers must provide a secure TLS service offering
• June 30, 2018: All entities must have stopped use of SSL/early TLS as a security control, and use only secure versions of the protocol (PCI DSS 3.2 Appendix A2; the original June 30, 2016 migration date was extended by the Council in December 2015)
• Exception: POS POI terminals (and the termination points they connect to) that are verified as not susceptible to known SSL/early TLS exploits may continue to use them after that date (A2.3)
SSL & TLS 1.0 – Mitigation Strategy
Plan A – Eradicate, or set a target date for eradication
Plan B – Document, analyze and plan
• Inventory of all locations where SSL/early TLS is in use
• Data being transmitted for each implementation
• Documented risk assessment and risk mitigation and migration plan (RRMP)
• May include compensating or mitigating controls
• Potential re-scoping issues
• Vigilance
• Change control
• Appendix A2 – SSL/TLS Additional Requirements
Source: PCI Council Information Supplement, “Migrating from SSL and Early TLS”, Version 1.1, April 2016
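The inventory step above needs a way to learn which protocol versions an endpoint will still negotiate, and the usual tooling (a Python `ssl` context, a modern `openssl s_client`) is often built without SSL 3.0 or with a security policy that refuses TLS 1.0 on the client side, which makes a legacy server look clean. The script below is an added example, not code from the deck or from Online Business Systems: it hand-builds one ClientHello per version with the standard library only, sends it, and reads the version the server answers with. The target host, port, cipher-suite list and extension set are assumptions chosen to get an answer from most servers, not values from the page.

```python
"""Inventory helper: probe a TLS endpoint for SSL 3.0 / TLS 1.0 / TLS 1.1 with
hand-built ClientHellos (standard library only, so no local OpenSSL policy gets
in the way).  Added example, not part of the original deck."""
import socket
import struct

# Record-layer / handshake version codes (RFC 6101 for SSL 3.0, RFC 5246 for TLS).
VERSIONS = {"SSLv3": b"\x03\x00", "TLSv1.0": b"\x03\x01",
            "TLSv1.1": b"\x03\x02", "TLSv1.2": b"\x03\x03"}
EARLY_TLS = ("SSLv3", "TLSv1.0", "TLSv1.1")   # "SSL / early TLS" in Appendix A2 terms

# Cipher suites a legacy server is likely to accept; offered with every version (assumed list).
CIPHER_SUITES = (b"\x00\x2f\x00\x35\x00\x0a"   # TLS_RSA_WITH_{AES_128,AES_256,3DES}_CBC_SHA
                 b"\xc0\x13\xc0\x14")          # TLS_ECDHE_RSA_WITH_AES_{128,256}_CBC_SHA


def record(version: bytes, payload: bytes, content_type: int = 0x16) -> bytes:
    """Wrap `payload` in a TLS record (default content type 0x16 = handshake)."""
    return bytes([content_type]) + version + struct.pack("!H", len(payload)) + payload


def handshake(msg_type: int, body: bytes) -> bytes:
    """Handshake header: 1-byte message type, 3-byte big-endian length."""
    return bytes([msg_type]) + struct.pack("!I", len(body))[1:] + body


def _ext(ext_type: int, data: bytes) -> bytes:
    return struct.pack("!HH", ext_type, len(data)) + data


def extensions(host: str) -> bytes:
    """SNI, supported_groups and signature_algorithms: enough for most modern front-ends."""
    name = host.encode("idna")
    sni = _ext(0x0000, struct.pack("!HBH", len(name) + 3, 0, len(name)) + name)
    groups = b"\x00\x1d\x00\x17\x00\x18"                    # x25519, secp256r1, secp384r1
    sig_algs = b"\x04\x01\x05\x01\x06\x01\x04\x03\x05\x03"  # rsa_pkcs1 / ecdsa with SHA-256/384/512
    exts = (sni + _ext(0x000a, struct.pack("!H", len(groups)) + groups)
            + _ext(0x000d, struct.pack("!H", len(sig_algs)) + sig_algs))
    return struct.pack("!H", len(exts)) + exts


def client_hello(version: bytes, host: str) -> bytes:
    """A ClientHello offering exactly `version` (no extensions for SSL 3.0, which predates them)."""
    body = (version
            + b"\x00" * 32                                   # client_random: fixed, this is only a probe
            + b"\x00"                                        # empty session_id
            + struct.pack("!H", len(CIPHER_SUITES)) + CIPHER_SUITES
            + b"\x01\x00")                                   # one compression method: null
    if version != VERSIONS["SSLv3"]:
        body += extensions(host)
    return record(version, handshake(0x01, body))


def negotiated_version(resp: bytes):
    """Version the server put in its ServerHello, or None for an alert / short / odd reply."""
    # Record header is 5 bytes; a ServerHello then carries type(1) length(3) server_version(2).
    if len(resp) >= 11 and resp[0] == 0x16 and resp[5] == 0x02:
        return resp[9:11]
    return None


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Return {version_name: True/False}; connection errors count as 'not negotiated'."""
    results = {}
    for name, ver in VERSIONS.items():
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                sock.sendall(client_hello(ver, host))
                resp = sock.recv(4096)
        except OSError:
            resp = b""
        results[name] = negotiated_version(resp) == ver
    return results


def early_tls_findings(results: dict) -> list:
    """Names of SSL / early-TLS versions the endpoint still accepts (Appendix A2 wants this empty)."""
    return [name for name in EARLY_TLS if results.get(name)]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"   # assumed target, not from the deck
    res = probe(target)
    for name, ok in res.items():
        print(f"{name:8s} {'enabled' if ok else 'disabled'}")
    print("Appendix A2 findings:", early_tls_findings(res) or "none")
```

Three caveats when reading the output. A connection failure is reported the same way as a refused version, so treat an endpoint where even TLSv1.2 comes back False as unreachable rather than compliant. A server offered a higher version than it supports answers with a lower one in its ServerHello, which the per-version comparison correctly does not count as support for the offered version. And this only tells you what a listening endpoint negotiates; the inventory also has to cover outbound connections, internal links, APIs behind load balancers and POI terminals, which a port probe from outside never sees. Run it only against systems you are authorized to test.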
PCI Changes
2.1 – Changing vendor defaults and passwords
Updated to clarify that payment applications are included in this requirement.
3.5.1 – Documentation of the cryptographic architecture
Service providers must maintain a documented description of their cryptographic architecture (algorithms, protocols and keys used to protect cardholder data, the usage of each key, and an inventory of HSMs and other secure cryptographic devices). This is a new requirement, considered a best practice until 2/1/2018.
6.2 – Payment applications
Security patches must be applied to all software, including payment applications.
6.4.6 – Infuse PCI DSS impact analysis into your change management procedures
After a significant change, the change control process must confirm that all applicable PCI DSS requirements are implemented on the affected systems and that documentation is updated. This new requirement (best practice until 2/1/2018) applies to ALL assessed entities.
8.3.1 – All non-console administrative access into the cardholder data environment will require multi-factor authentication (“MFA”)
This new requirement is probably the most robust change, and is a best practice until 2/1/2018. Remote network access into the CDE already required MFA (8.3.2, formerly 8.3).
10.8 – Service providers must identify any critical security control failures and respond accordingly
This new requirement will raise the bar for Service Providers (not merchants) to improve their security event monitoring capabilities, including monitoring the health of the controls themselves (firewalls, IDS/IPS, FIM, anti-virus, access controls, audit logging and segmentation controls) and responding in a timely manner to a detected failure.
11.3.4.1 – More frequent segmentation pen testing for Service Providers
Increases the frequency from once a year (or after ‘significant’ changes) to at least every six months and after any change to segmentation controls or methods.
12.4.1 – Accountability! (service providers only)
Requires executive management to establish and document responsibility for protecting cardholder data, create a charter for the PCI DSS compliance program, and communicate to executive management/board at least annually.
12.10.2 – Fine tune the Incident Response Plan
Requires the annual review and test of the incident response plan to cover all elements listed in requirement 12.10.1.
12.11 – Service Providers must perform and document quarterly reviews, best practice until 2/1/2018
Additional requirement for service providers only: perform reviews at least quarterly to confirm personnel are following security policies and operational procedures. Reviews must cover the following processes:
• Daily log reviews
• Firewall rule-set reviews
• Applying configuration standards to new systems
• Responding to security alerts
• Change management processes
Six Practical Tips for Avoiding PCI Failure
Slide from a 2008 presentation on DSS v1.2; the more things change, the more they stay the same.
1. Store less data, and encrypt or tokenize!
2. Understand your data flows
3. Address app and network vulnerabilities
4. Improve security awareness
5. Monitor systems for intrusions
6. Segment credit card networks
Contact info:
• Steve Levinson, Managing Director, [email protected], 619.701.8614
• Mark Hannah, PCI Practice Lead, [email protected], 951.587.7991
To learn more visit our resource center: http://info.obsglobal.com/online-business-systems-pci-3.2-resource-center
PCI Website: https://www.pcisecuritystandards.org