PCI 3.0 Revealed - What You Need to Know Today
Transcript of PCI 3.0 Revealed - What You Need to Know Today
© 2013 Imperva, Inc. All rights reserved.
PCI-DSS v3.0: What You Need to Know Today
Confidential 1
Barry Shteiman – Director of Security Strategy
Agenda
§ PCI-DSS Themes and Drivers
§ Dates and Deadlines
§ New Requirements
§ Web App Compliance
Today’s Speaker - Barry Shteiman
§ Director of Security Strategy
§ Security Researcher working with the CTO office
§ Author of several application security tools, including HULK
§ Open source security projects code contributor
§ CISSP
§ Twitter @bshteiman
PCI-DSS
Payment Card Industry (PCI) Data Security Standard (DSS)
§ Industry driven
• From conception to enforcement
§ Evolving
• 4th version over 7 years
• Rate of releases has slowed – 3 years since v2.0 release
§ Concise and Pragmatic
• Does not avoid naming technologies
• Calls out threats by name
• Very specific about data scope
PCI-DSS Evolution
§ PCI 1.0 • December 2004 • 12 major sections
§ PCI 1.1 • September 2006 • App security, compensating controls
§ PCI 1.2 • October 2008 • Risk based approach, emphasis on wireless
§ PCI 2.0 • October 2010 • Definition of scope, clarifications
§ PCI 3.0 • November 2013 • Consistency for assessors, risk based approach, flexibility
PCI-DSS 3.0 Key Drivers
§ Lack of education and awareness
§ Weak passwords, authentication
§ Third-party security challenges
§ Slow self-detection, malware
§ Inconsistency in assessments
General Themes
§ Penetration testing gets real
• More explicitly-defined penetration test guidelines
§ Skimmers, skimmers and more skimmers
• New requirement to maintain list of POS devices, periodically inspect devices and train personnel
• Inclusion of POS devices in other sections
§ Service provider accountability
§ PCI requirement clarifications and details
Why Protect Point-of-Sale Devices?
Physical data theft incidents from 2013 Verizon Data Breach Incident Report
Source: http://www.verizonenterprise.com/DBIR/
Service Providers Accountability
Third-party awareness at the compliance level
Source: http://www.bankinfosecurity.com/bofa-confirms-third-party-breach-a-5582
PCI DSS 3.0 Dates and Deadlines
§ Publication Date: November 7, 2013
§ Effective Date: January 1, 2014
• Version 2.0 will remain active until December 31, 2014
§ Deadline for New Requirements: June 30, 2015
What’s New?
New Requirements Added in PCI-DSS 3.0
New Req. 6.5.6
Insecure handling of credit card and authentication data in memory.
Compliance:
• Document how PAN/SAD is handled in memory to minimize exposure
New Req. 6.5.11
Broken authentication & session management.
Compliance:
• Flag session tokens
• Don’t expose session ID in URL
• Implement time-outs
• Prevent User ID manipulation
New Req. 8.5.1
Service providers with access to customer environments must use a unique authentication credential for each customer
Compliance:
• Authentication policies and procedures that mandate different authentication is used to access each customer environment
** Only mandated for service providers
New Req. 9.9
Protect POS devices that capture payment card data from tampering
Compliance:
• Maintain a list of POS devices
• Periodic inspection for tampering/substitution
• Training for awareness
Note: PCI-DSS now addresses skimmers.
New Req. 11.3
Develop penetration testing methodology based on industry guidelines like NIST
Compliance:
• Implement a penetration testing approach based on an industry standard (like NIST SP 800-115)
• Define pen-test for all layers
• Specify retention and remediation activity
New Req. 12.9
Service providers must document in writing that they will adhere to PCI DSS standards
Compliance:
• Acknowledge in writing to customers that the service provider will maintain PCI DSS in full on behalf of the customer
** Only mandated for service providers
Web Application Compliance
Using a WAF to Close the Compliance Gap
[6.5.11] Broken Auth. & Session Mgmt.
Authentication/Session attacks
• Cookie Tampering
• Cookie Poisoning
• Session Hijacking
• Session Reuse
• Parameter Tampering
• SSL Reuse
• Brute Force
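One way to implement the four 6.5.11 compliance bullets from the "New Req. 6.5.11" slide (flag session tokens, keep the session ID out of the URL, time sessions out, prevent User ID manipulation) in a form that also blunts the cookie tampering, session hijacking, session reuse and parameter tampering attacks listed on this slide. This is an added Python example, not code from the Imperva deck; the `SessionStore` class, its field names and the 15-minute idle timeout are assumptions.

```python
import secrets
import time
from urllib.parse import parse_qs, urlsplit

IDLE_TIMEOUT = 15 * 60  # seconds; an assumed value for this example, not from the slides

class SessionStore:
    def __init__(self, clock=time.time):
        self._sessions = {}  # server-side state: token -> {"user_id", "last_seen"}
        self._clock = clock  # injectable clock so expiry can be exercised offline

    def create(self, user_id):
        token = secrets.token_urlsafe(32)  # 256 CSPRNG bits: not guessable or forgeable
        self._sessions[token] = {"user_id": user_id, "last_seen": self._clock()}
        return token

    @staticmethod
    def set_cookie_header(token):
        # "Flag session tokens": Secure (HTTPS only), HttpOnly (no script access), SameSite
        return f"sid={token}; Path=/; Secure; HttpOnly; SameSite=Strict"

    def resolve(self, url, cookies):
        """Return the session owner's user_id, or None if unauthenticated."""
        # "Don't expose session ID in URL": a token in the query string is rejected
        # outright, so it never becomes valid material for logs or Referer headers.
        if "sid" in parse_qs(urlsplit(url).query):
            return None
        token = cookies.get("sid")
        sess = self._sessions.get(token)
        if sess is None:
            return None
        now = self._clock()
        if now - sess["last_seen"] > IDLE_TIMEOUT:  # "Implement time-outs"
            del self._sessions[token]  # an idle session is purged, not silently revived
            return None
        sess["last_seen"] = now
        return sess["user_id"]

    def logout(self, token):
        self._sessions.pop(token, None)  # a logged-out token cannot be replayed

def serve_account(store, url, cookies):
    """Whose account data does this request get? Always the session owner's.
    "Prevent User ID manipulation": a user_id query parameter is noted, never trusted."""
    owner = store.resolve(url, cookies)
    if owner is None:
        return None
    requested = parse_qs(urlsplit(url).query).get("user_id", [None])[0]
    return {"account": owner, "ignored_user_id_param": requested}
```

The identity served always comes from server-side state keyed by an opaque random token, so a tampered cookie or a changed `user_id` parameter yields either no session or the caller's own account, never someone else's.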
[11.3] Pen Testing and Remediation
Source: http://www.imperva.com/docs/SB_Imperva_WhiteHat.pdf
PCI-DSS Carry-ons
Source: http://www.imperva.com/PCI/
Req 6.6: Protect public-facing Web applications
Req 10: Audit all access to cardholder data
Req 7: Limit access to systems and data on a business need to know
Req 8.5: Identify and disable dormant user accounts and access rights
Req 11.5: Alert personnel to unauthorized modification of files
PCI
PCI-DSS Council http://www.pcisecuritystandards.org
Imperva’s PCI Resource Center http://www.imperva.com/PCI/
Skimmers
KrebsOnSecurity http://krebsonsecurity.com/category/all-about-skimmers/
Third-Party Breaches
Imperva’s January 2013 HII and Imperva’s CMS Hacking Webinar http://www.imperva.com/resources/overview.html