PCI DSS 3.0 and You: Are You Ready?
Transcript of PCI DSS 3.0 and You: Are You Ready?
-
Property of CampusGuard
PCI DSS 3.0 and You: Are You Ready?
2014 STUDENT FINANCIAL SERVICES CONFERENCE
Ron King
Linda Combs
-
AGENDA
PCI and Bursar Office Role
Key Themes in v3.0
Timelines
Changes
What Will Affect You the Most
Best Practices and Conclusions
Q&A
-
BURSAR OFFICE
Historical keeper of rules and regulations
May also have PCI responsibility
Administrative and Physical Inventory roles
RFP/purchase committee role for software with payment options
-
The Target Breach
40 million+ customers
Insider?
POS was the vector
Lessons for all
-
PCI DSS Version 3.0
11/07/2013 Released
01/01/2014 Effective
12/31/2014 v2.0 Retired
Let's talk about it
-
PCI DSS Life Cycle
Timeline (from the slide graphic): 1/01/2014, v3.0 effective; 12/31/2014, v2.0 retired. "We are here" marks the interim period between those two dates, during which either version may be used for validation.
-
PCI DSS: 12 Requirements (no change)
Control Objective 1. Build and maintain a secure network
  Req 1. Install and maintain a firewall configuration to protect data
  Req 2. Change vendor-supplied defaults for system passwords and other security parameters
Control Objective 2. Protect cardholder data
  Req 3. Protect stored data
  Req 4. Encrypt transmission of cardholder data across open, public networks
Control Objective 3. Maintain a vulnerability management program
  Req 5. Use and regularly update anti-virus software
  Req 6. Develop and maintain secure systems and applications
Control Objective 4. Implement strong access control measures
  Req 7. Restrict access to data on a need-to-know basis
  Req 8. Assign a unique ID to each person with computer access
  Req 9. Restrict physical access to cardholder data
Control Objective 5. Regularly monitor and test networks
  Req 10. Track and monitor all access to network resources and cardholder data
  Req 11. Regularly test security systems and processes
Control Objective 6. Maintain an information security policy
  Req 12. Maintain a policy that addresses information security
-
Merchant Levels (no change)
Level 1 - Visa/MC: more than 6 million txns/yr; Amex: more than 2.5 million txns/yr
Level 2 - Visa/MC: 1 to 6 million txns/yr; Amex: 50,000 to 2.5 million txns/yr
Level 3 - Visa/MC: 20,000 to 1 million e-commerce txns/yr; Amex: all other Amex merchants
Level 4 - Visa/MC: all other Visa/MC merchants; Amex: N/A
Most colleges and universities (annotation on the table)
-
Validation Requirements (no change)
Level 1 - Visa/MC: Annual on-site assessment (QSA); Quarterly network scan (ASV); Annual penetration test
          Amex: Annual on-site assessment (QSA); Quarterly network scan (ASV); Annual penetration test
Level 2 - Visa/MC: Annual on-site assessment (QSA); Quarterly network scan (ASV); Annual penetration test
          Amex: Quarterly network scan (ASV); Annual penetration test
Level 3 - Visa/MC: Annual Self-Assessment Questionnaire (SAQ); Quarterly network scan (ASV); Annual penetration test
          Amex: Quarterly network scan (ASV); Annual penetration test
Level 4 - Visa/MC: At discretion of acquirer: Annual SAQ; Quarterly network scan (ASV); Annual penetration test
          Amex: N/A
-
SAQs (no change*)
SAQ A (11 questions): Card-not-present, all cardholder data functions outsourced
SAQ B (29 questions): Imprint only, no cardholder data storage
SAQ B (29 questions): Standalone dial-out terminal, no cardholder data storage
SAQ C / SAQ C-VT (80 / 51 questions): Payment application systems connected to the Internet
SAQ D (244 questions): All other methods
From 11 questions (SAQ A) to 244 (SAQ D): move as far to the left as possible!
-
Drivers for Changes in v3.0
Education and Awareness
Malware Self-Detection
POS Physical Security
Third-Party Challenges
-
Key Themes
Education and Awareness
Evolving Scope
Increased Flexibility
Security as a Shared Responsibility
Encourage a focus on security, not just compliance
-
Compliance vs. Security (slide graphic)
-
Compliance vs. Security
"Every person operating a motorcycle shall wear a face shield, safety glasses or goggles, or have his motorcycle equipped with safety glass or a windshield at all times while operating the vehicle, and operators and any passengers thereon shall wear protective helmets . . ."
-
Compliant: helmet and windshield (slide image)
-
Secure!
-
3.0 Major Changes
Requirement 1 - Current cardholder data flow diagram (purpose: clarify its importance)
Requirement 2 - Inventory of in-scope components (purpose: effective scoping practices)
Requirement 5 - Evaluate ALL malware threats (purpose: promote ongoing awareness and due diligence)
Requirement 6 - Update list of common vulnerabilities (purpose: keep current with emerging threats)
Requirement 8 - Security for authentication mechanisms (purpose: cover authentication methods other than passwords)
Requirement 9 - Protect POS terminals (purpose: physical security of terminals)
Requirement 11 - Pen testing changes (purpose: more detail on pen tests and scoping verification)
Requirement 12 - Stronger service provider management
-
What Will Affect You The Most?
Cardholder Data Flow Diagrams
In-Scope Systems
Physical Protection of POS Terminals and Systems
Common Vulnerabilities
Pen Testing Methodology
Increased Audit Reporting and Methodology
Managing Service Providers
-
Terminals and Software
Physical Protection of POS Terminals and Systems
  Centralized control vs. department control
  PCI-compliant equipment vs. unsupported equipment
  Random compliance checks vs. self-audit
Managing Service Providers
  Procurement coordination on RFPs and approvals
  Centralized control vs. department control
  Large vendors vs. garage-shop vendors
-
3rd Parties and Merchant Responsibilities
Organizations that outsource their CDE or payment operations are responsible for ensuring that the account data is protected by the third party per the applicable PCI DSS requirements
Must maintain documentation about which PCI DSS requirements are managed by service providers and which are managed by the customer
Service providers must acknowledge responsibility for maintaining the applicable PCI DSS requirements
-
Other Changes
Clarification of the intent of segmentation
Clarified that Sensitive Authentication Data (SAD: full track data, CVV2/CVC2/CID, PIN blocks) cannot be stored after authorization, even if the PAN itself is not stored
Recommendations for limiting wireless
Clarification on destruction of CHD (shred vendors)
Web servers with a "Pay Now" button
Mobility is not addressed; watch this space
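The SAD point above is the one most often missed in practice: a truncated PAN in the database does not make a stored CVV2 or a debug log full of swipe data acceptable. The following is an added example, not code from the CampusGuard deck, of the kind of data-discovery check a bursar's IT staff can run over exported logs or table dumps to find it. Record layout, field names, regexes and the sample rows are all constructed for illustration; a production scanner would read real exports and cover more formats.

```python
"""Scan stored records for sensitive authentication data (SAD) and full PANs.

Added example; not from the CampusGuard deck. It shows the kind of data
discovery check used to confirm that track data, CVV2 and full PANs are not
sitting in logs or database rows after authorization, including the case the
deck calls out: SAD stored even though the PAN itself is truncated.
Record layout, field names and sample rows are constructed for illustration.
"""
import re

# Track 2: PAN, '=' separator, expiry (YYMM), 3-digit service code, discretionary data.
TRACK2_RE = re.compile(r"\b(\d{13,19})=(\d{4})(\d{3})\d*\b")
# Track 1: %B<PAN>^<NAME>^<YYMM><service code>... (format code B, name 2-26 chars).
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}")
# Candidate PANs: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Field names under which CVV2/CVC2/CID values typically end up in storage.
CVV_FIELDS = {"cvv", "cvv2", "cvc", "cvc2", "cid", "security_code"}


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid PAN candidates found in free text, digits only."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_record(record: dict) -> list[str]:
    """Return findings for one key/value record (a log line or a DB row)."""
    findings = []
    for key, value in record.items():
        text = str(value)
        # CVV2 may never be stored after authorization, even beside a truncated PAN.
        if key.lower() in CVV_FIELDS and text.strip():
            findings.append(f"SAD: {key} stored")
        # Full track contents are SAD regardless of how the PAN field looks.
        if TRACK1_RE.search(text) or TRACK2_RE.search(text):
            findings.append(f"SAD: track data in {key}")
        # A full PAN is cardholder data and must be protected, truncated or tokenized.
        for pan in find_pans(text):
            findings.append(f"PAN: full card number in {key} (ends {pan[-4:]})")
    return findings


# Constructed sample rows: one clean record and three kinds of violation.
SAMPLE_RECORDS = [
    {"txn": "1001", "pan": "411111******1111", "amount": "42.00"},
    {"txn": "1002", "pan": "****1111", "cvv2": "123"},
    {"txn": "1003", "debug": ";4111111111111111=25121011234?"},
    {"txn": "1004", "note": "customer card 5555 5555 5555 4444 declined"},
]


def scan_records(records: list[dict]) -> dict[str, list[str]]:
    """Map each record's txn id to its findings; an empty list means clean."""
    return {r["txn"]: scan_record(r) for r in records}


if __name__ == "__main__":
    for txn, found in scan_records(SAMPLE_RECORDS).items():
        print(txn, found or "clean")
```

The Luhn check keeps order numbers and phone numbers from being reported as PANs, but it is a filter, not proof: a hit still needs a human to confirm what the field is. Record 1002 is the case the deck warns about, a row that looks compliant because the PAN is masked, yet still holds the CVV2.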
-
MOBILE PAYMENTS?
Mobile POS terminals: few are certified compliant; check with your bank
Card readers on smart phones/tablets (Square and others): none are certified compliant!
-
MOBILE PAYMENTS?
Who needs mobile?
  Fundraising at off-campus events
  Student groups
  Athletic events
What they will say:
  Other schools use it
  The PCI Council addresses mobile
Don't tell, but do you ask?
None are certified compliant!
-
Business as Usual
Business as Usual (BAU) approach:
Daily log reviews
Review changes to the environment
Periodic communication
Periodic reviews of systems, technologies and software to ensure scope hasn't changed
-
Additional Requirements
5.1.2 - Periodically evaluate evolving malware threats for systems considered not commonly affected by malware
8.2.3 - Flexibility in password strength: complexity at least equivalent to the fixed length/character rules is acceptable
8.5.1 - Service providers must use unique authentication credentials for each customer*
8.6 - Other authentication mechanisms (tokens, smart cards, certificates) must be assigned to an individual account, not shared
9.3 - Control physical access to sensitive areas for onsite personnel
9.9 - Protect POS devices from tampering and substitution*
11.3 and 11.3.4 - Implement a penetration testing methodology, including tests that verify segmentation is operational and effective*
11.5.1 - Implement a process to respond to alerts generated by the change-detection mechanism
12.8.5 - Maintain information about which PCI DSS requirements are managed by each service provider and which by the entity
12.9 - Service providers must provide written acknowledgement of their responsibility for the PCI DSS requirements they manage*
* Best practice until June 30, 2015, after which it becomes a requirement.
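Requirement 11.5 asks for a change-detection mechanism on critical files and 11.5.1 for a process to act on its alerts; the BAU slide's "review changes to the environment" is the same idea applied daily. The following is an added example, not code from the CampusGuard deck, of the mechanics behind such a control: hash a tree of critical files, keep the baseline, re-hash later and report anything added, removed or modified. The directory layout, file names and contents are constructed in a temporary directory for illustration; a real deployment would point at the POS software, its configuration and system binaries.

```python
"""Baseline-and-compare change detection for a payment system's critical files.

Added example; not from the CampusGuard deck. It shows the mechanics behind the
change-detection control that PCI DSS 11.5 requires and that 11.5.1 expects you
to act on. The directory layout and file contents are constructed in a
temporary directory for illustration.
"""
import hashlib
import os
import tempfile

# Directories whose contents change legitimately all the time (logs, spool) are
# excluded; monitoring them drowns real alerts in noise. Assumed names.
EXCLUDED_DIRS = {"log", "tmp"}


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root: str) -> dict[str, str]:
    """Map each monitored file (path relative to root) to its digest."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in EXCLUDED_DIRS]
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Diff two snapshots; every non-empty list is an alert to be investigated."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def _write(root: str, rel: str, content: str) -> None:
    """Create or overwrite a file under root, making parent directories."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(content)


def demo() -> dict[str, list[str]]:
    """Build a constructed POS tree, baseline it, tamper with it and re-scan."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "pos/config.ini", "terminal_id=T100\nencrypt=yes\n")
        _write(root, "pos/bin/pos.exe", "original binary\n")
        _write(root, "pos/log/today.log", "startup ok\n")
        baseline = take_baseline(root)
        # Simulated unauthorized changes: setting flipped, file dropped, file deleted.
        _write(root, "pos/config.ini", "terminal_id=T100\nencrypt=no\n")
        _write(root, "pos/bin/helper.dll", "dropped file\n")
        os.remove(os.path.join(root, "pos", "bin", "pos.exe"))
        # Log churn is expected and excluded, so it raises no alert.
        _write(root, "pos/log/today.log", "startup ok\nsale 42.00\n")
        return compare(baseline, take_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths or 'none'}")
```

Two points the deck's wording hides: the baseline must be stored somewhere the monitored host cannot rewrite it (otherwise whoever changes the files re-baselines them too), and every non-empty diff needs an owner and a ticket, because 11.5.1 is about the response, not the hash.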
-
Best Practices
PCI DSS should be implemented into business-as-usual activities (BAU)
Monitoring of security controls for effectiveness
Ensure all failures are detected and responded to
Review changes in the environment
Organizational structure changes
Periodic reviews and communication to confirm controls continue to be in place
Review hardware and software technologies
-
Closing Thoughts
V3.0 is an important improvement, but doesn't change what you should be doing to comply with PCI, nor how QSAs will conduct reviews
Promotes understanding that PCI is a shared responsibility
Aimed at making compliance a part of Business as Usual
More definitive information about the intent of the requirements and how they should be applied
Helps colleges and universities adopt a framework of continuous security, and move closer to the true intent of the Standard
-
PCI Workshop
April 27-30, 2014
Chicago Palmer House
www.treasuryinstitute.org
-
Ron King
Questions?
Linda Combs