PCI for 2013: The Past, Present, and Future
Crowe Horwath LLP
August 19, 2013
The Unique Alternative to the Big Four®

© 2012 Crowe Horwath LLP 2 Audit | Tax | Advisory | Risk | Performance

Agenda
- Challenges From the Past
- Issues You Are Currently Facing
  - Technologies
  - Standards
  - Guidance
- What Can You Expect to See Over the Next Year?
- Q&A


Polling Question: Over the past year, what has been the most challenging issue your organization has faced in maintaining PCI compliance?
- Scoping requirements of PCI DSS 2.0
- Mobile payments
- Cloud service providers
- Risk assessment
- Other


Scoping of the Cardholder Data Environment
- The Payment Card Industry Data Security Standard (PCI DSS) version 2.0, mandatory after Jan. 1, 2012, states that organizations subject to the DSS must at least annually "confirm the accuracy and appropriateness of PCI DSS scope."
- Scoping Special Interest Group (SIG) formed in 2011
- Scope covers people, process, and technology, not just systems
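Confirming scope starts with finding where cardholder data actually is, which is rarely only where the documentation says. The following is an added example for this transcript, not code from the deck or from the PCI SSC: a small discovery scanner that runs over text sources such as application logs, flags Luhn-valid PANs and track-2 sensitive authentication data, and reports only masked values so the report itself does not become cardholder data. The log lines are constructed and use only published test card numbers; the regular expressions and the Finding type are this example's own.

```python
"""Cardholder data discovery over text sources (application logs, config
dumps, call-centre notes).

Added example for this transcript; not code from the Crowe Horwath deck or
from the PCI SSC. SAMPLE_LOG is constructed and uses only published test
card numbers.
"""
import re
from dataclasses import dataclass

# 13-19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Track-2 layout: ';' PAN '=' YYMM service-code discretionary-data '?'.
# Anything still in this form after authorization is sensitive authentication
# data, whether or not a PAN is stored anywhere else.
TRACK2 = re.compile(r";(\d{13,19})=(\d{4})(\d{3})[^?]*\?")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask to first six and last four, the most PCI DSS 3.3 allows on display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass(frozen=True)
class Finding:
    source: str
    line_no: int
    kind: str      # "PAN" or "TRACK2"
    masked: str    # never the clear PAN: the report must stay out of scope


def scan_text(source: str, text: str) -> list[Finding]:
    """Scan one text source line by line; return masked findings in file order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        covered: list[tuple[int, int]] = []
        # Track data first, so its PAN is not reported a second time as a bare PAN.
        for m in TRACK2.finditer(line):
            pan = m.group(1)
            if luhn_ok(pan):
                findings.append(Finding(source, line_no, "TRACK2", mask_pan(pan)))
                covered.append(m.span())
        for m in PAN_CANDIDATE.finditer(line):
            start, end = m.span()
            if any(s <= start and end <= e for s, e in covered):
                continue
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append(Finding(source, line_no, "PAN", mask_pan(digits)))
    return findings


# Constructed sample: an application log that should never have seen a PAN.
# Line 3 fails Luhn and line 4 is a session id that fails Luhn; neither is reported.
SAMPLE_LOG = """\
2013-08-19T10:02:11 app[3321] INFO order=778812 card=4111111111111111 exp=1214 status=approved
2013-08-19T10:02:12 app[3321] DEBUG raw_swipe=;5500000000000004=15121011234567890?
2013-08-19T10:02:13 app[3321] INFO order=778813 card=4111-1111-1111-1112 status=declined
2013-08-19T10:02:14 app[3321] INFO session=8827364591023457 customer=acme
"""

if __name__ == "__main__":
    for f in scan_text("app.log", SAMPLE_LOG):
        print(f"{f.source}:{f.line_no} {f.kind} {f.masked}")
```

Luhn passes about one in ten random digit strings, so a Luhn-valid 16-digit order or session identifier is a false positive; tune the candidate pattern to the organization's own identifier formats and confirm hits against the data-flow diagram before widening scope. Point the scanner at backups, log archives, database exports and call-recording metadata, not only live systems, and run it from a host that is itself in scope, since it handles clear-text PANs while scanning.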


Challenges in Scoping
- Network architecture
- Third-party service providers
- Virtualization
- Tokenization
- Business processes


Mobile Point of Sale (POS)
- The Council halted approval of mobile applications under the Payment Application Data Security Standard (PA-DSS)
- Merchants using these applications face a number of challenges:
  - Encrypted communication and storage
  - Hardening devices
  - Vulnerability scanning
  - Penetration testing


Cloud Service Providers
- Outsourcing has outpaced the development of PCI DSS:
  - Servers and virtualization
  - Infrastructure
  - Managed security
  - Hosted applications
  - Call centers
- The requirements lack guidance on how to address:
  - Responsibilities
  - Validating provider compliance
  - Shared storage


Other Challenges From the Past
- Risk assessment
- eCommerce


Polling Question: As the third year of assessments on PCI DSS 2.0 comes to a close, has compliance become any easier?
- Yes
- No
- Not sure
- We are in our first year of 2.0


PCI in 2012
- PCI DSS 2.0 in its second full year of implementation
  - Reduced effort in meeting new requirements
  - Focus placed on improving security for hard-to-meet requirements:
    - Vulnerability management
    - Penetration testing
    - Logging
- Evolving business models
  - New business units and ways of accepting payments
  - New technologies


PCI's Changes in 2012
- The PCI Security Standards Council (SSC) added new programs in 2012:
  - Qualified Integrators and Resellers (QIR) Program
  - Point-to-Point Encryption (P2PE) Program


Qualified Integrator or Reseller (QIR)
- QIR supplements the Payment Application Data Security Standard (PA-DSS)
  - PA-DSS validation shows that an application is capable of supporting PCI DSS compliance when installed as its implementation guide directs
  - It does not ensure that PA-DSS applications are actually implemented and configured that way in the merchant environment
- QIR responsibilities:
  - Ensure PA-DSS applications are properly implemented
  - Provide customers a QIR Implementation Statement upon completion
  - Document risks identified during the implementation
  - Support any PCI Forensic Investigator (PFI) investigations


Point-to-Point Encryption (P2PE)
- Used to reduce the scope of PCI DSS assessments: account data is encrypted at the point of interaction and only the decryption environment holds the keys
- Validated P2PE solutions are assessed against the P2PE standard and listed by the Council
- Six domains:
  1. Encryption device management
  2. Application security
  3. Encryption environment
  4. Transmissions between encryption and decryption environments (currently not applicable)
  5. Decryption environment and device management
  6. P2PE cryptographic key operations


Point-to-Point Encryption (P2PE): Merchants Must
- Maintain valid Point of Interaction (POI) devices
- Segment the P2PE environment


Guidance Provided by the Council
- Mobile payment acceptance security
- Wireless
- Tokenization
- Telephone-based payments


Mobile Payment Acceptance Security
- Guidelines provided September 2012
- The guidance addresses mobile applications:
  - Operating on handheld devices
  - On devices not solely dedicated to payment-acceptance transaction processing
  - With access to clear-text account data


Mobile Payment (cont'd.): Securing the Transaction
- Must prevent:
  - Account data from being intercepted when entered into a mobile device
  - Account data from compromise while processed or stored
  - Account data from interception upon transmission


Mobile Payment (cont'd.): Guidelines for Supporting the Environment
- Unauthorized logical device access
- Server-side controls and unauthorized access
- Escalation of privileges
- Remotely disable the application
- Detect theft or loss
- Harden the supporting operating system
- No store and forward
- Secure coding practices
- Known vulnerabilities and malware
- Unauthorized applications
- Secure receipts
- Secure state


Telephone-Based Payments
- Call recording software creates challenges:
  - Sensitive authentication data (for example, the card verification code) cannot be stored after authorization, and a recording is storage
  - Encrypting the recordings is not sufficient on its own
  - Can the recordings be queried? If the audio or its transcript can be searched for card data, it is treated as stored cardholder data


Polling Question: What changes are you hoping to see the PCI Council deliver in 2013?
- Mobile payment requirements
- Scoping guidelines
- Updated PCI Data Security Standard
- Updated PA Data Security Standard
- Not sure


What We Can Expect in 2013
- Release of 2012 Special Interest Group (SIG) guidance
- New PCI DSS
- PA-DSS expiration
- New SIGs
- PIN Transaction Security (PTS)


2012 SIGs: Cloud Computing
- Identifies common types of cloud environments (SaaS, PaaS, IaaS)
- Risks and security challenges of using the various models
- Recommendations for overcoming those challenges
- Guidance on responsibilities between merchants and cloud providers


2012 SIGs: eCommerce
- Defines eCommerce:
  - Third-party entities
  - eCommerce infrastructure
  - eCommerce components
  - Implementations
- Common vulnerabilities and security misconfigurations
- Recommendations and best practices

2012 SIGs: Risk Assessment
- Effective risk assessments
- Understanding and documenting results
- Shared risk management responsibilities
- Incorporating PCI DSS into risk management strategy


PCI DSS 3.0
- Version 3.0 expected to be finalized on November 7, 2013
- Change drivers:
  - Lack of education and awareness
  - Weak passwords and authentication
  - Third-party security challenges
  - Slow self-detection, malware
  - Inconsistency in assessments
- Key themes:
  - Education and awareness
  - Increased flexibility
  - Security as a shared responsibility


PCI DSS 3.0
- Requirement 1: Data flow diagrams
- Requirement 2: Maintain an inventory of in-scope system components; change default passwords for application and service accounts
- Requirement 3: Flexibility in secure key storage; clarification of split knowledge and dual control
- Requirement 5: Address evolving threats for systems not commonly affected by malware
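Requirement 3's split knowledge and dual control are easier to reason about with the mechanics in front of you. The block below is an added example, not the deck's or the Council's code: an n-of-n XOR key-component scheme, with custodian-keyed reconstruction that refuses to assemble the key unless every custodian has entered a component and the check value matches. The key_check_value function is an assumption made to keep the example dependency-free; a real key check value is taken from the key encrypting a zero block.

```python
"""Split knowledge and dual control for a data-encrypting key.

Added example; not code from the deck or from the PCI SSC. PCI DSS
requirement 3.6 expects clear-text key components to be held by separate
custodians (split knowledge) and no single person to be able to perform a key
operation alone (dual control). This is the n-of-n XOR component scheme used
in many key ceremonies. The check value is an assumption for this example:
real KCVs are computed by encrypting a zero block under the key.
"""
import secrets
from hashlib import sha256


def split_key(key: bytes, custodians: int) -> list[bytes]:
    """Split key into `custodians` components whose XOR is the key.

    Every component is uniformly random on its own, so any group of custodians
    short of all of them learns nothing about the key.
    """
    if custodians < 2:
        raise ValueError("split knowledge needs at least two custodians")
    components = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    last = bytes(key)
    for c in components:
        last = bytes(a ^ b for a, b in zip(last, c))
    components.append(last)
    return components


def combine_key(components: list[bytes]) -> bytes:
    """XOR all components back into the key."""
    length = len(components[0])
    if any(len(c) != length for c in components):
        raise ValueError("component length mismatch")
    key = bytes(length)
    for c in components:
        key = bytes(a ^ b for a, b in zip(key, c))
    return key


def key_check_value(key: bytes) -> str:
    """Assumed KCV: first three bytes of SHA-256 (stand-in for encrypting zeros)."""
    return sha256(key).hexdigest()[:6]


def reconstruct_under_dual_control(
    submissions: dict[str, bytes], required: int, expected_kcv: str
) -> bytes:
    """Assemble the key only when every custodian has entered a component.

    `submissions` is keyed by custodian name, so one person entering two
    components still counts as one custodian present, not two.
    """
    if len(submissions) < required:
        raise PermissionError(
            f"{len(submissions)} of {required} custodians present; key stays split"
        )
    key = combine_key(list(submissions.values()))
    if key_check_value(key) != expected_kcv:
        raise ValueError("check value mismatch: wrong or tampered component")
    return key


if __name__ == "__main__":
    dek = secrets.token_bytes(32)          # constructed 256-bit data-encrypting key
    kcv = key_check_value(dek)             # recorded at generation, stored with the key metadata
    alice, bob, carol = split_key(dek, 3)  # one component per custodian, sealed separately
    loaded = reconstruct_under_dual_control(
        {"alice": alice, "bob": bob, "carol": carol}, 3, kcv
    )
    print("KCV", kcv, "reconstructed:", loaded == dek)
```

XOR components give all-or-nothing recovery; where the policy is m-of-n (any two of three custodians), a threshold scheme such as Shamir's is the right tool, and the dual-control check then tests for at least m distinct custodians rather than all of them. The check value is what lets a ceremony detect a mistyped component without ever displaying the key.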


PCI DSS 3.0
- Requirement 6: Update the list of common vulnerabilities in alignment with OWASP, NIST, SANS, etc.
- Requirement 8: Allow for password alternatives (tokens, smart cards, certificates, etc.); flexibility in password strength and complexity (passphrases)
- Requirement 9: Protect POS terminals and devices from tampering or substitution
- Requirement 10: Clarification of the intent and scope of log review


PCI DSS 3.0
- Requirement 11: Penetration testing methodology; verification that segmentation is operational and effective
- Requirement 12: Maintain a record of which requirements are managed by service providers
- General:
  - Sensitive authentication data cannot be stored after authorization (even if the PAN is not present)
  - Business as usual (maintaining compliance between assessments)
  - Additional guidance in Navigating PCI DSS
  - ROC reporting template
  - Clarification of testing procedures
  - Incorporating security policies and procedures into each requirement
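Requirement 11's "segmentation is operational and effective" has a concrete test behind it. The block below is an added example, not from the deck: from a host on an out-of-scope segment, attempt TCP connections to the CDE services that policy says are blocked; anything that answers is a segmentation failure. Host names, ports and the loopback listener that stands in for an exposed CDE service are constructed for the example.

```python
"""Verifying that network segmentation is operational and effective.

Added example; not code from the deck. The check is the basic form of the
segmentation test PCI DSS 3.0 expects penetration testing to include: from a
host on an out-of-scope segment, every CDE address and port that policy says
is blocked must be unreachable. Hosts, ports and the loopback listener are
constructed for the example.
"""
import socket
import threading
from contextlib import closing


def tcp_reachable(host: str, port: int, timeout: float = 0.5) -> bool:
    """True if a TCP handshake completes; False on refusal, filtering or timeout."""
    try:
        with closing(socket.create_connection((host, port), timeout=timeout)):
            return True
    except OSError:
        return False


def segmentation_violations(cde_targets, probe=tcp_reachable):
    """Return every (label, host, port) in cde_targets that answered.

    cde_targets lists CDE services that must be unreachable from the segment
    this code runs on. A reachable entry is a segmentation failure to fix and
    re-test, not an informational finding: the segment it was reached from is
    in scope until it is fixed.
    """
    return [(label, host, port) for label, host, port in cde_targets if probe(host, port)]


def start_loopback_listener() -> tuple[socket.socket, int]:
    """Constructed stand-in for a CDE service that a missing firewall rule exposes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:      # listener closed
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def unused_loopback_port() -> int:
    """A port with nothing listening, standing in for a correctly blocked service."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv, exposed = start_loopback_listener()
    blocked = unused_loopback_port()
    targets = [("cde-db", "127.0.0.1", exposed), ("cde-app", "127.0.0.1", blocked)]
    for label, host, port in segmentation_violations(targets):
        print(f"SEGMENTATION FAILURE: {label} {host}:{port} reachable from out-of-scope host")
    srv.close()
```

Run the check from every out-of-scope segment, not one representative, and extend it to UDP and ICMP where the segmentation control claims to block them. The target list should come from the data-flow diagram and system inventory that Requirements 1 and 2 call for, so the test proves the documented boundary rather than whatever happens to be listening.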


PA-DSS v1.2 Expiration
- Expires on October 28, 2013
- What does it mean?


PA-DSS v3.0
- Expected on November 7, 2013
- Will take effect on January 1, 2014
- Mandatory after January 1, 2015


New SIGs
- New groups announced in early 2013:
  - Third-Party Security Assurance
  - Compliance Best Practices
- Guidance to be provided by end of 2013
- Other suggested topics:
  - PCI Guidance for Issuers
  - Cardholder Data Discovery
  - External Penetration Testing
  - Internal Scanning and Vulnerability Management
  - Logging


Longer Vision of PCI
- The Council is creating a "Bridge of Compliance" spanning:
  - POS
  - Payment applications
  - Cloud providers
  - Service providers
  - Merchants
- The bridge can be shortened by:
  - PTS-approved devices
  - PA-DSS validated applications
  - Outsourcing
  - Removing cardholder data
  - Encrypting (for example, a validated P2PE solution)


Questions?


Crowe Horwath LLP is an independent member of Crowe Horwath International, a Swiss verein. Each member firm of Crowe Horwath International is a separate and independent legal entity. Crowe Horwath LLP and its affiliates are not responsible or liable for any acts or omissions of Crowe Horwath International or any other member of Crowe Horwath International and specifically disclaim any and all responsibility or liability for acts or omissions of Crowe Horwath International or any other Crowe Horwath International member. Accountancy services in Kansas and North Carolina are rendered by Crowe Chizek LLP, which is not a member of Crowe Horwath International. This material is for informational purposes only and should not be construed as financial or legal advice. Please seek guidance specific to your organization from qualified advisers in your jurisdiction. © 2012 Crowe Horwath LLP

For more information, contact: Jeff Palgon Direct 678.362.6218 [email protected]