PCI DSS 3.0 Branden R. Williams, 12 September 2013

Agenda

❧ Introductions
❧ PCI DSS to Date
❧ PCI DSS 3.0 Preview
❧ Challenges & Issues
❧ Keep in Touch!
❧ Questions!

Introductions

❧ Branden Williams
❧ PCI Board of Advisors Member
  – 2011-2013
  – Representing RSA
❧ First assessment, 2004 (CISP/SDP at the time)
❧ 2 Books (PCI Compliance, 3e, Syngress)
❧ Built two security consulting businesses

PCI DSS to Date

❧ PCI DSS 1.0 (December 15, 2004)
❧ PCI DSS 1.1 (and ASV), Council formed (September 7, 2006)
❧ PCI DSS 1.2 (and PA-DSS), September 2008
❧ PCI DSS 2.0 (unified PTS, PA-DSS, PFI), 2010
❧ PCI DSS 3.0, November 2013
❧ Notables:
  – 3 year cycle
  – Supplemental documents
  – Certifications open to non QSA/PO
  – Community meeting in 2 weeks!

Why 2013 is PIVOTAL for PCI DSS

❧ Emerging Technologies
  – EMV to the US…
  – … but does Mobile skip it?
❧ The standard is struggling for relevance!
❧ Some technologies ignored:
  – Cloud
  – Mobile
  – Virtualization
❧ Universal applicability desired…
  – Yet nothing that flows from STD to Detail
  – No way to get transparency into fraud

These guys must get it right!

Yet, evidence thus far is to the contrary

❧ Current BoA/PO had limited to no input
❧ Standards continue to be created in a vacuum
❧ They sit behind the times
❧ BUT WHY??
  – Top reasons for breach are still basic
  – Companies can’t get the baseline right
  – IT is in flux, sometimes the enemy of the business

OK, so what do we do?

Tell me if you’ve heard this one before…

❧ Know your data flows:
  – Data Flows Made Easy
  – Do discovery as well
  – Consider DLP
❧ Outsource EVERYTHING!
  – Who told you it was a good idea to run a payment processor?
  – Double check those models!
❧ Focus on Security…
❧ … and the partnership with the business!

Examples of where you can usurp PCI DSS

❧ That’s right! USURP IT!
❧ PCI DSS misses so many marks
❧ But don’t let it hold you back!
❧ Mobile:
  – Make mobile apps comply
  – Focus on underlying platform
❧ Cloud:
  – Leverage security tactics
  – Focus on HYBRID models
❧ Virtualization:
  – Infrastructure, infrastructure, infrastructure

Current challenges we hope get addressed

❧ Mobile is virtually unaddressed
❧ Cloud/Virtualization is ambiguous
  – They tell you not to use it!
❧ Interpretation Issues
  – Ever had QSA-Conflict?
  – Who is really to blame?
❧ A way to tie Std with Guidance
❧ Ways to look forward

What we know about 3.0

Stated Drivers of Change

❧ Lack of Education & Awareness
❧ Weak Passwords/Auth
❧ Third Party Security
❧ Slow self-detection, malware
❧ Inconsistency in Assessments

Key Themes

❧ Education & Awareness
  – Ideally this is good
  – Adds more detail on intent
❧ Flexibility
  – Again, ideally this is good
  – Allows better threat/counter match
❧ Security as Shared Responsibility
  – Uh oh… overstep?
  – Good intention, PCI must know its place

Highlighted Changes

❧ Req 1: Add cardholder data flows as a requirement to the mix
❧ Req 2: Maintain inventory of in-scope components
❧ Req 5: Evaluate malware threat on systems NOT commonly affected by malware (yes, that is correct)
❧ Req 6: Updates OWASP top 10
❧ Req 8:
  – Allow for flexibility in auth to create vehicle for strong passwords
  – Requirements for non-password methods
❧ Req 9: Physical security of terminals

Highlighted Changes (cont)

❧ Req 10: Clarifications on daily log reviews, with flexibility for less-critical log events

❧ Req 11: More details for penetration testing & scope verification

❧ Req 12: Third-party assurance work, including documentation on which third parties manage which requirements

❧ Incorporate policy/procedure requirements into each requirement (follows generally accepted principles)

❧ More intent documentation integrated with standard, including more detail on testing procedures

And the DUH moment

❧ Req 2: Yes, you must change default passwords for SERVICE accounts too…

❧ Sensitive Auth Data is still sensitive even if the PAN is not present

What’s the Timeline?

❧ PCI DSS 3.0 to be released in NOVEMBER

❧ Effective on January 1, 2015 (yes, 13 months from release)

– PCI DSS 2.0 is valid through next year

– You should do a Gap analysis ASAP

– Holiday freeze a good time!

❧ Retired December 31, 2017

Discussion!

Additional Resources

❧ www.pcisecuritystandards.org
  – Has all standards docs
  – Includes releases on updates
❧ PCI Community Meetings
  – Vegas, Sep 24-26
  – Nice, Oct 29-31
  – KL, Nov 19-20*
❧ Brando’s Blog & Book:
  – blog.brandenwilliams.com
  – www.pcicompliancebook.info

How about we stay in touch?

❧ If you would like a copy of these slides:
  – Text [email protected] code isaca2013 comma, your email address
  – Example: isaca2013,[email protected]
  – Or use the QR code above
❧ Stay up to date with things I’m working on (opt in)!
❧ Contact:
  – @BrandenWilliams
  – brandenwilliams.com

Thank you, any questions?