Confidential © 2013 Imperva, Inc. All rights reserved.
PCI-DSS v3.0: What You Need to Know
Barry Shteiman – Director of Security Strategy
04/07/2023
Agenda
• PCI-DSS Themes and Drivers
• Dates and Deadlines
• New Requirements
• Web App Compliance
Today’s Speaker - Barry Shteiman
• Director of Security Strategy
• Security Researcher working with the CTO office
• Author of several application security tools, including HULK
• Open source security projects code contributor
• CISSP
• Twitter @bshteiman
Introducing PCI-DSS 3.0
PCI-DSS
Payment Card Industry (PCI) Data Security Standard (DSS)
“A set of control requirements created to help protect cardholder data.”
Industry driven
• From conception to enforcement
Evolving
• 4th version over 7 years
• Rate of releases has slowed – 3 years since v2.0 release
Concise and Pragmatic
• Does not avoid naming technologies
• Calls out threats by name
• Very specific about data scope
PCI-DSS Evolution
PCI 1.0 • December 2004 • 12 major sections
PCI 1.1 • September 2006 • App security, compensating controls
PCI 1.2 • October 2008 • Risk based approach, emphasis on wireless
PCI 2.0 • October 2010 • Definition of scope, clarifications
PCI 3.0 • November 2013 • Consistency for assessors, risk based approach, flexibility
PCI-DSS 3.0 Key Drivers
Lack of education and awareness
Weak passwords, authentication
Third-party security challenges
Slow self-detection, malware
Inconsistency in assessments
General Themes
Penetration testing gets real
• More explicitly-defined penetration test guidelines
Skimmers, skimmers and more skimmers
• New requirement to maintain list of POS devices, periodically inspect devices and train personnel
• Inclusion of POS devices in other sections
Service provider accountability
PCI requirement clarifications and details
Why Protect Point-of-Sale Devices?
Physical data theft incidents, from the 2013 Verizon Data Breach Investigations Report (DBIR)
Source: http://www.verizonenterprise.com/DBIR/
Service provider accountability
Third-party awareness at the compliance level
Source: http://www.bankinfosecurity.com/bofa-confirms-third-party-breach-a-5582
PCI DSS 3.0 Dates and Deadlines
Publication Date: November 7, 2013
Effective Date: January 1, 2014
• Version 2.0 will remain active until December 31, 2014
Deadline for New Requirements: June 30, 2015
What’s New?
New requirements added in PCI-DSS 3.0
New Req. 6.5.6
Insecure handling of credit card and authentication data in memory.
Compliance:
• Document how PAN (primary account number) and SAD (sensitive authentication data) are handled in memory, so that exposure is minimized
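The requirement above asks for documented handling of PAN and SAD in memory. What follows is an added example written for this page, not code from the deck, from Imperva or from the PCI SSC: it keeps the PAN in a mutable buffer, derives only the truncated display form, and overwrites the buffer as soon as the full value is no longer needed. The function names are hypothetical and the card number is a constructed Luhn-valid test value, not a real PAN. CPython cannot guarantee that no other copy exists (the interpreter may still hold the short strings built from the permitted first-six/last-four digits), so the comments state exactly what is and is not wiped; documenting that boundary is what the requirement calls for.

```python
"""Added example for this page (not Imperva's or the PCI SSC's code):
minimizing the lifetime of a PAN in process memory.

Assumptions: function names are hypothetical; the caller reads the PAN
into a bytearray (mutable) rather than a str (immutable, cannot be wiped).
"""


def luhn_valid(pan: bytearray) -> bool:
    """Mod-10 (Luhn) check over ASCII digit bytes; iterates in place, no copies."""
    total = 0
    for i, ch in enumerate(reversed(pan)):      # right to left
        d = ch - 0x30                            # ASCII digit -> int
        if i % 2 == 1:                           # every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: bytearray) -> str:
    """Display form permitted by PCI DSS requirement 3.3: at most the first six
    and last four digits. Only these digits ever become an immutable str."""
    if len(pan) < 13:
        raise ValueError("PAN too short")
    head = bytes(pan[:6]).decode("ascii")
    tail = bytes(pan[-4:]).decode("ascii")
    return head + "*" * (len(pan) - 10) + tail


def wipe(buf: bytearray) -> None:
    """Overwrite the buffer in place, then empty it. Same-length slice assignment
    writes into the existing storage; the del then drops the zeroed bytes."""
    buf[:] = bytes(len(buf))
    del buf[:]


def process_pan(pan: bytearray) -> str:
    """Validate, derive the truncated value, and wipe the full PAN whether or
    not validation succeeds. Returns only the truncated form."""
    try:
        if not pan.isdigit() or not luhn_valid(pan):
            raise ValueError("invalid PAN")
        return truncate_pan(pan)
    finally:
        wipe(pan)                                # full PAN is gone before the return completes


if __name__ == "__main__":
    card = bytearray(b"4111111111111111")        # constructed Luhn-valid test number
    print(process_pan(card))                     # 411111******1111
    print(len(card))                             # 0 (buffer wiped and emptied)
```

The same pattern applies to SAD (track data, CVV2, PIN blocks), with the difference that no truncated form is ever retained: the buffer is used for authorization and wiped, since PCI DSS forbids storing SAD after authorization at all.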
New Req. 6.5.11
Broken authentication & session management.
Compliance:
• Flag session tokens
• Don’t expose session ID in URL
• Implement time-outs
• Prevent User ID manipulation
New Req. 8.5.1
Service providers with access to customer environments must use a unique authentication credential for each customer
Compliance:
• Authentication policies and procedures that mandate different authentication is used to access each customer environment
** Only mandated for service providers
New Req. 9.9
Protect POS devices that capture payment card data from tampering
Compliance:
• Maintain a list of POS devices
• Periodic inspection for tampering/substitution
• Training for awareness
Note: PCI-DSS now addresses skimmers.
New Req. 11.3
Develop a penetration testing methodology based on industry guidelines such as NIST
Compliance:
• Implement a penetration testing approach based on an industry standard (like NIST SP 800-115)
• Define pen-tests for all layers
• Specify retention of results and remediation activity
New Req. 12.9
Service providers must acknowledge in writing that they will adhere to PCI DSS requirements
Compliance:
• Provide customers a written acknowledgement that the service provider is responsible for the security of the cardholder data it possesses or otherwise stores, processes or transmits on behalf of the customer
** Only mandated for service providers
Web Application Compliance
Using a WAF to close the compliance gap
Web application relevant requirements
[6.5.11] Broken Auth & Session Mgmt
Authentication/Session attacks
• Cookie Tampering
• Cookie Poisoning
• Session Hijacking
• Session Reuse
• Parameter Tampering
• SSL Reuse
• Brute Force
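The compliance bullets on the 6.5.11 slide (flag session tokens, keep the session ID out of the URL, implement time-outs, prevent user ID manipulation) and the attack list above describe the same control from two sides. The code below is an added example written for this page, not code from the deck, from Imperva or from any WAF product: a small server-side session store in Python that applies each bullet, so that cookie tampering, session reuse and parameter tampering on a user ID parameter all fail against it. The class and function names, the cookie name and the timeout values are assumptions; the current time is passed in explicitly so that expiry can be exercised without waiting.

```python
"""Added example for this page (not Imperva's or the PCI SSC's code): a
server-side session store that applies the 6.5.11 compliance points.

Assumptions: class/function names, cookie name and timeout values are
hypothetical; the current time is passed in so expiry can be exercised
without waiting.
"""
import secrets
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit

COOKIE_NAME = "SID"
IDLE_TIMEOUT = 15 * 60          # seconds without a request before the session is dropped
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # hard lifetime regardless of activity


@dataclass
class Session:
    user_id: str     # identity lives here, server side, never in a request parameter
    created: float
    last_seen: float


def cookie_value(cookie_header: str, name: str) -> Optional[str]:
    """Pull one cookie out of a raw Cookie: header value."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get(name)
    return morsel.value if morsel is not None else None


@dataclass
class SessionStore:
    sessions: Dict[str, Session] = field(default_factory=dict)

    def create(self, user_id: str, now: float) -> str:
        """New session id: 32 random bytes from the OS CSPRNG (not guessable, not sequential)."""
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user_id, now, now)
        return token

    def set_cookie_header(self, token: str) -> str:
        """Flagged session token: HttpOnly (no script access), Secure (TLS only),
        SameSite=Strict (not sent on cross-site requests)."""
        return f"{COOKIE_NAME}={token}; Path=/; Secure; HttpOnly; SameSite=Strict"

    def rotate(self, token: str, now: float) -> Optional[str]:
        """Issue a fresh id after login or privilege change and invalidate the old
        one (defeats session fixation and limits replay of a leaked id)."""
        sess = self.sessions.pop(token, None)
        if sess is None:
            return None
        new = secrets.token_urlsafe(32)
        self.sessions[new] = Session(sess.user_id, now, now)
        return new

    def resolve(self, cookie_header: str, url: str, now: float) -> Optional[str]:
        """Return the user_id for a request, or None when the request must be refused.

        Refused: session id carried in the URL (it ends up in logs and Referer
        headers), unknown id, idle timeout exceeded, absolute lifetime exceeded.
        Any user_id=... query parameter is ignored; identity comes from the store.
        """
        query = parse_qs(urlsplit(url).query)
        if COOKIE_NAME in query:
            return None
        token = cookie_value(cookie_header, COOKIE_NAME)
        sess = self.sessions.get(token) if token else None
        if sess is None:
            return None
        if now - sess.last_seen > IDLE_TIMEOUT or now - sess.created > ABSOLUTE_TIMEOUT:
            del self.sessions[token]              # expire server side, not just in the browser
            return None
        sess.last_seen = now
        return sess.user_id


if __name__ == "__main__":
    store = SessionStore()
    t0 = 1_700_000_000.0
    sid = store.create("alice", t0)
    print(store.set_cookie_header(sid))
    print(store.resolve(f"{COOKIE_NAME}={sid}", "/account?user_id=admin", t0 + 30))  # alice
    print(store.resolve("", f"/account?{COOKIE_NAME}={sid}", t0 + 30))                # None
```

A WAF in front of the application can enforce the same properties from the outside (rejecting session IDs in query strings, signing or tracking cookies to detect tampering, rate-limiting brute force), but the application still has to own the server-side record: a user ID that is read back from a cookie or parameter is exactly the manipulation the requirement is written against.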
[11.3] Pen Testing and Remediation
Source: http://www.imperva.com/docs/SB_Imperva_WhiteHat.pdf
PCI-DSS Carry-ons
Source: http://www.imperva.com/PCI/
• Req 6.6: Protect public-facing Web applications
• Req 10: Audit all access to cardholder data
• Req 7: Limit access to systems and data on a business need to know
• Req 8.5: Identify and disable dormant user accounts and access rights
• Req 11.5: Alert personnel to unauthorized modification of files
Where can I learn more?
PCI
PCI-DSS Council: http://www.pcisecuritystandards.org
Imperva’s PCI Resource Center: http://www.imperva.com/PCI/
Skimmers
KrebsOnSecurity: http://krebsonsecurity.com/category/all-about-skimmers/
Third-Party Breaches
Imperva’s January 2013 HII and Imperva’s CMS Hacking Webinar: http://www.imperva.com/resources/overview.html
Post-Webinar Discussions
Join Imperva LinkedIn Group, Imperva Data Security Direct, for…
• Answers to attendee questions
• Webinar recording link
• Webinar materials
Questions?
www.imperva.com
Thank You