Property of CampusGuard PCI DSS 3.0 and You Are You Ready? 2014 STUDENT FINANCIAL SERVICES CONFERENCE Ron King [email protected] Linda Combs [email protected]

TRANSCRIPT

  • Property of CampusGuard

    PCI DSS 3.0 and You: Are You Ready?

    2014 STUDENT FINANCIAL

    SERVICES CONFERENCE

    Ron King

    [email protected]

    Linda Combs

    [email protected]

  • AGENDA

    PCI and Bursar Office Role

    Key Themes in v3.0

    Timelines

    Changes

    What Will Affect You the Most

    Best Practices and Conclusions

    Q&A

  • BURSAR OFFICE

    Historical keeper of rules and regulations

    May also have PCI responsibility

    Administrative and Physical Inventory roles

    RFP/purchase committee for software with payment options

  • The Target Breach

    40 million+ customers

    Insider?

    POS was the vector

    Lessons for all

  • PCI DSS Version 3.0

    11/07/2013 Released

    01/01/2014 Effective

    12/31/2014 v2.0 Retired

    Let's talk about it

  • PCI DSS Life Cycle

    Timeline: 1/01/2014 → We are here → 12/31/2014

    Interim Period?

  • PCI DSS: 12 Requirements (No change)

    Control Objective / Requirements

    1. Build and maintain a secure network
       1. Install and maintain a firewall configuration to protect data
       2. Change vendor-supplied defaults for system passwords and other security parameters

    2. Protect cardholder data
       3. Protect stored data
       4. Encrypt transmission of cardholder magnetic-stripe data and sensitive information across public networks

    3. Maintain a vulnerability management program
       5. Use and regularly update antivirus software
       6. Develop and maintain secure systems and applications

    4. Implement strong access control measures
       7. Restrict access to data to a need-to-know basis
       8. Assign a unique ID to each person with computer access
       9. Restrict physical access to cardholder data

    5. Regularly monitor and test networks
       10. Track and monitor all access to network resources and cardholder data
       11. Regularly test security systems and processes

    6. Maintain an information security policy
       12. Maintain a policy that addresses information security

  • Merchant Levels (No change)

    Level 1: Visa/MC > 6 million txns/yr; Amex > 2.5 million transactions/yr
    Level 2: Visa/MC 1 to 6 million txns/yr; Amex 50,000 to 2.5 million txns/yr
    Level 3: Visa/MC 20,000 to 1 million ecommerce txns/yr; Amex: all other Amex merchants
    Level 4: Visa/MC: all other Visa/MC merchants (most colleges and universities); Amex: N/A

  • Validation Requirements (No change)

    Level 1
       Visa/MC: Annual on-site assessment (QSA); Quarterly network scan (ASV); Annual penetration test (ASV)
       Amex: Annual on-site assessment (QSA); Quarterly network scan (ASV); Annual penetration test (ASV)

    Level 2
       Visa/MC: Annual on-site assessment (QSA); Quarterly network scan (ASV); Annual penetration test (ASV)
       Amex: Quarterly network scan (ASV); Annual penetration test (ASV)

    Level 3
       Visa/MC: Annual Self-Assessment Questionnaire (SAQ); Quarterly network scan (ASV); Annual penetration test (ASV)
       Amex: Quarterly network scan (ASV); Annual penetration test (ASV)

    Level 4
       Visa/MC: At discretion of acquirer: Annual SAQ; Quarterly network scan (ASV); Annual penetration test (ASV)
       Amex: N/A

  • SAQs (No change*)

    Card-Not-Present, All Cardholder Data Functions Outsourced → SAQ A (11 questions)
    Imprint Only, No Cardholder Data Storage → SAQ B (29 questions)
    Standalone Dial-Out Terminal, No Cardholder Data Storage → SAQ B (29 questions)
    Payment Application Systems Connected to the Internet → SAQ C / VT (80/51 questions)
    All other methods → SAQ D (244 questions)

    Question count runs from 11 (SAQ A) to 244 (SAQ D): move as far to the left as possible!

  • Drivers for Changes (v3.0)

    Education and Awareness

    Malware Self-Detection

    POS Physical Security

    Third-Party Challenges

  • Key Themes

    Education and Awareness

    Evolving Scope

    Increased Flexibility

    Security as a Shared Responsibility

    Encourage a focus on security, not just compliance

  • Compliance vs. Security

    [Diagram: Security vs. Compliance]

  • Compliance vs. Security

    "Every person operating a motorcycle shall wear a face shield, safety glasses or goggles, or have his motorcycle equipped with safety glass or a windshield at all times while operating the vehicle, and operators and any passengers thereon shall wear protective helmets. . ."

  • Compliant

    [Image: Helmet, Windshield]

  • Secure!

  • 3.0 Major Changes

    Requirement | 3.0 Update | Purpose
    1 | Current cardholder data flow diagram | Clarify importance
    2 | Inventory of in-scope components | Effective scoping practices
    5 | Evaluate ALL malware threats | Promote ongoing awareness and due diligence
    6 | Update list of common vulnerabilities | Keep current with emerging threats
    8 | Security for authentication mechanisms | Authentication methods other than passwords
    9 | Protect POS terminals | Physical security of terminals
    11 | Pen testing changes | More details for pen tests and scoping verification
    12 | Stronger Service Provider management | Stronger management

  • What Will Affect You The Most?

    Cardholder Data Flow Diagrams

    In-Scope Systems

    Physical Protection of POS Terminals and Systems

    Common Vulnerabilities

    Pen Testing Methodology

    Increased Audit Reporting and Methodology

    Managing Service Providers

  • Terminals and Software

    Physical Protection of POS Terminals and Systems
       Centralized control vs. department control
       PCI-compliant equipment vs. non-supported equipment
       Random check of compliance vs. self-audit

    Managing Service Providers
       Procurement coordination on RFPs and approvals
       Centralized control vs. department control
       Large vendors vs. garage-type vendors

  • 3rd Parties and Merchant Responsibilities

    Organizations that outsource their CDE or payment operations are responsible for ensuring that the account data is protected by the third party per the applicable PCI DSS requirements

    Must maintain documentation about which PCI DSS requirements are managed by service providers and which are managed by the customer

    Service providers to acknowledge responsibility for maintaining applicable PCI DSS requirements

  • Other Changes

    Clarification of the intent of segmentation

    Clarified that Sensitive Authentication Data (SAD) cannot be stored after processing even if PAN is not

    Recommendations for limiting wireless

    Clarification on destruction of CHD (shred vendors)

    Web servers with Pay Now button

    Mobility is not addressed; watch this space

  • MOBILE PAYMENTS?

    Mobile POS Terminals

    Few are certified compliant

    Check with your bank

    Card Readers: Smart Phone/Tablets

    Square and others

    None are certified compliant!

  • MOBILE PAYMENTS?

    Who Needs Mobile?

    Fundraising off campus events

    Student Groups

    Athletic Events

    What they will say:

    Other schools use it

    PCI Council addresses Mobile

    Don't tell, but do you ask?

    None are certified compliant!

  • Business as Usual

    Business as Usual (BAU) approach

    Daily log reviews

    Review changes to the environment

    Periodic communication

    Periodic reviews of systems, technologies and software to ensure scope hasn't changed

  • Additional Requirements

    5.1.2: Evaluate evolving malware threats
    8.2.3: Flexibility for alternative passwords
    8.5.1: Service providers to use unique authentication credentials for each customer*
    8.6: Other authentication mechanisms must be linked to individuals
    9.3: Control physical access to sensitive areas for onsite personnel
    9.9: Protect POS devices from tampering and substitution*
    11.3 and 11.3.4: Implement a methodology for penetration testing
    11.5.1: Implement a process to alert on changes to systems
    12.8.5: Maintain information about service providers' responsibilities
    12.9: Service providers must maintain written acknowledgement of their responsibilities and the portions of PCI DSS covered

  • Best Practices

    PCI DSS should be implemented into business-as-usual activities (BAU)

    Monitoring of security controls for effectiveness

    Ensure all failures are detected and responded to

    Review changes in the environment

    Organizational structure changes

    Periodic reviews and communication to confirm controls continue to be in place

    Review hardware and software technologies

  • Closing Thoughts

    V3.0 is an important improvement, but doesn't change what you should be doing to comply with PCI, nor how QSAs will conduct reviews

    Promotes understanding that PCI is a shared responsibility

    Aimed at making compliance a part of Business as Usual

    More definitive information about the intent of the requirements and how they should be applied

    Helps colleges and universities adopt a framework of continuous security, and move closer to the true intent of the Standard

  • PCI Workshop

    April 27-30, 2014

    Chicago Palmer House

    www.treasuryinstitute.org

  • Questions?

    Ron King
    [email protected]

    Linda Combs
    [email protected]