PCI DSS 3.0: Don’t shortchange your PCI readiness

PCI Compliance Webinar Series, Part 1 of 3

Uploaded by: tripwire

Posted on: 24-Jan-2015

DESCRIPTION

In this archived webcast, the first of three in our compliance series on PCI DSS 3.0, we provide some insights on the notable requirements and clarifications introduced in PCI DSS 3.0, and offer practical suggestions on what you may want to start considering now to successfully navigate your audit preparations for v3.0. Jeff Hall, CISSP, CISM, CGEIT, PCI-QSA, PCIP and Senior Security Consultant at FishNet Security, and Cindy Valladares, Senior Manager Corporate Communications at Tripwire, discuss how PCI DSS 3.0 will impact your organization and what you need to do:
- Understanding key themes for PCI DSS 3.0
- Making sense of clarifications, additional guidance, and new requirements
- What’s changed, what hasn’t, and what will affect merchants most
- How Tripwire’s continuous compliance solutions for PCI DSS are helping thousands of businesses worldwide
The full recorded webcast is available here.

TRANSCRIPT

Page 1: PCI DSS 3.0: Don’t Shortchange Your PCI Readiness

PCI DSS 3.0: Don’t shortchange your PCI readiness

PCI Compliance Webinar Series, Part 1 of 3


Page 3: PCI DSS 3.0: Don’t Shortchange Your PCI Readiness

About Your Presenters

Jeff Hall (@JBHall56), Security Consultant at FishNet Security
CISSP, CISM, CGEIT, PCI-QSA, PCIP
Author of the PCI Guru blog: http://pciguru.wordpress.com/

Cindy Valladares (@cindyv), PCI Specialist at Tripwire
Author of The State of Security blog: http://www.tripwire.com/blog

#pciwebcast

Page 4: PCI DSS 3.0: Don’t Shortchange Your PCI Readiness

Agenda for Today’s Webcast

Topic 1: PCI DSS 3.0 Overview
Topic 2: 8 Considerations for PCI 3.0 Preparedness
Topic 3: Q&A
Topic 4: Key PCI Resources

Page 5: PCI DSS 3.0: Don’t Shortchange Your PCI Readiness

KEY TAKEAWAYS

PCI DSS 3.0 OVERVIEW


Page 6: PCI DSS 3.0: Don’t Shortchange Your PCI Readiness

PCI DSS 3.0 Overview: Key takeaways

Lots of renumbering of requirements and tests. Why? Lots of changes: reordering of existing requirements plus new requirements.

Flexibility and consistency across the entire framework. Why? To provide more guidance and improve consistency between QSAs.

Integration of the PCI standards into day-to-day business operations. Why? Because that is what makes a security program work and be successful.

Timeline:

PCI DSS 3.0 was officially released November 7th, 2013

Goes into effect January 1st, 2014

ROC templates anticipated in March 2014

Organizations currently assessed against PCI DSS 2.0 have until 12/31/2014 to move to the new standard

Page 7: PCI DSS 3.0: Don’t Shortchange Your PCI Readiness

CRITICAL CHANGES YOU NEED TO START PLANNING FOR NOW

8 CONSIDERATIONS FOR PCI PREPAREDNESS


Page 8: PCI DSS 3.0: Don’t Shortchange Your PCI Readiness

8 Considerations for PCI Preparedness: Critical Changes You Need to Start Planning for Now

1. Begin Work on the Data Flow Diagram (1.1.3)
2. Document User Access & Business Purpose (7.1.1)
3. Take Inventory of Wireless Access Points (11.1.1)
4. Maintain an Inventory of In-Scope Devices (2.4)
5. Get My Arms Around Sensitive Authentication Data (6.5.6)
6. Protect My Point-of-Sale Terminals (9.9)
7. Work Through Service Provider Credentials (8.5.1)
8. Implement a Pen Testing Methodology (11.3)

The mission of the PCI DSS has not changed since its introduction in 2004: to help merchants protect payment card data wherever and however it is stored, processed or transmitted. The theme of PCI DSS 3.0, however, is to make PCI compliance “business as usual”, that is, to push merchants to integrate PCI compliance with their other important day-to-day business activities.

Page 9: PCI DSS 3.0: Don’t Shortchange Your PCI Readiness

#1 – Begin Work on the Data Flow Diagrams (Requirement 1.1.3)

PCI DSS 3.0 pairs the network diagram (1.1.2) with a current diagram that shows all cardholder data flows across systems and networks, and makes that data flow diagram mandatory.

This will be one of the most challenging requirements and must be dealt with in order to successfully complete a Report on Compliance.

It is required so that you understand where cardholder data, including any sensitive authentication data (SAD), flows across the network; you cannot scope an environment whose data flows you have not mapped.

Open PCI Scoping Toolkit: http://itrevolution.com/pci-scoping-toolkit/

Recommendation: Begin internal meetings now with application developers, networking and security teams to understand the current state and communicate expectations.

Page 10: PCI DSS 3.0: Don’t Shortchange Your PCI Readiness

#2 – Document User Access & Business Purpose (Requirement 7.1.1)

Define access needs for each role, including:
- System components and data resources that each role needs to access for its job function
- Level of privilege required (for example, user, administrator, etc.) for accessing those resources

PCI is expecting organizations to document each class of user, the devices they have access to, the data they have access to, the level of privilege required for that access, and the business purpose for it.

Recommendation: Work across development and IT operations to clearly define access rights based on business purpose.

Only 34% of the retail sector measure the reduction in access and authentication violations to assess risk management efforts.

Page 11: PCI DSS 3.0: Don’t Shortchange Your PCI Readiness

#3 – Take Inventory of Wireless Access Points (Requirement 11.1.1)

Maintain an inventory of authorized wireless access points, including a documented business justification for each one.

This is not an inventory of the wireless access points that are in scope; it is an inventory of all your authorized wireless access points. Without it, the quarterly rogue access point detection required by 11.1 has nothing to compare against.

For organizations that have invested heavily in wireless this could be an issue and take a while to produce.

Recommendation: Start to centrally manage (discover, monitor, report on) your wireless infrastructure periodically to get visibility.

Page 12: PCI DSS 3.0: Don’t Shortchange Your PCI Readiness

#4 – Maintain an Inventory of In-Scope Devices (Requirement 2.4)

Goes beyond just your wireless access points: you now must “maintain an inventory of system components that are in scope for PCI DSS”.

This refers to all hardware (virtual or physical hosts and network devices) as well as software components (custom or commercial off-the-shelf applications, whether internal or external) within the cardholder data environment.

The task is compounded when virtualization is thrown into the mix or when the environment sprawls across multiple geographic locations.

Recommendation: Accept that this is really difficult to do and begin to hone and develop ways to create and manage these inventories.
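Both inventory requirements come down to the same check: diff what a scan actually observes against what the inventory says is authorized, and flag anything observed but unlisted, anything listed without a business justification, and anything listed but no longer seen. The script below is an added example (not code from the webcast, Tripwire or FishNet Security) that runs that reconciliation for the wireless inventory of 11.1.1 and the in-scope system inventory of 2.4. The airodump-ng-style CSV, the nmap grepable output, every BSSID, IP address and inventory entry are constructed for illustration, and the parsers assume the simplified column layouts shown in the samples.

```python
import re
from dataclasses import dataclass


@dataclass
class InventoryItem:
    identifier: str                    # BSSID for an access point, IP address for a host
    description: str
    owner: str
    business_justification: str = ""   # 11.1.1 requires one for every authorized AP


@dataclass(frozen=True)
class Finding:
    kind: str          # unauthorized | missing_justification | not_observed
    identifier: str
    detail: str


def parse_airodump_csv(text):
    """Yield (bssid, label) from the AP section of an airodump-ng style CSV export."""
    for line in text.splitlines():
        if line.startswith("Station MAC"):        # client section follows; APs are done
            break
        cols = [c.strip() for c in line.split(",")]
        if len(cols) < 14 or cols[0] == "BSSID":  # blank line or header row
            continue
        bssid, channel, privacy, essid = cols[0], cols[3], cols[5], cols[13]
        yield bssid, f"ESSID {essid!r} channel {channel} {privacy or 'OPN'}"


def parse_nmap_grepable(text):
    """Yield (ip, label) for hosts reported up in 'nmap -sn -oG' output."""
    for line in text.splitlines():
        m = re.match(r"Host:\s+(\S+)\s+\(([^)]*)\)\s+Status:\s+Up", line)
        if m:
            yield m.group(1), m.group(2) or "no reverse DNS"


def reconcile(inventory, observed):
    """Diff an authorized inventory against what a scan observed and return findings.

    unauthorized: observed but not in the inventory (rogue AP, unknown host)
    missing_justification: in the inventory without a business justification
    not_observed: in the inventory but not seen (decommissioned, or a scan coverage gap)
    """
    authorized = {item.identifier.lower(): item for item in inventory}
    seen = {ident.lower(): label for ident, label in observed}
    findings = []
    for ident, label in seen.items():
        if ident not in authorized:
            findings.append(Finding("unauthorized", ident, label))
    for ident, item in authorized.items():
        if not item.business_justification.strip():
            findings.append(Finding("missing_justification", ident, item.description))
        if ident not in seen:
            findings.append(Finding("not_observed", ident, item.description))
    return findings


# --- constructed sample data (nothing below is a real network) ---
AP_INVENTORY = [
    InventoryItem("aa:bb:cc:00:00:01", "Store 12 back-office AP", "Network team", "Handheld inventory scanners"),
    InventoryItem("aa:bb:cc:00:00:02", "Store 12 guest Wi-Fi", "Network team", ""),   # justification never recorded
    InventoryItem("aa:bb:cc:00:00:03", "Store 12 warehouse AP", "Network team", "Receiving dock handhelds"),
]
SAMPLE_AIRODUMP = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:00:00:01, 2014-01-10 09:00:01, 2014-01-10 09:05:00, 6, 54, WPA2, CCMP, PSK, -40, 120, 0, 0.0.0.0, 11, STORE12-OPS, 
AA:BB:CC:00:00:02, 2014-01-10 09:00:01, 2014-01-10 09:05:00, 11, 54, WPA2, CCMP, PSK, -45, 118, 0, 0.0.0.0, 13, STORE12-GUEST, 
DE:AD:BE:EF:13:37, 2014-01-10 09:02:13, 2014-01-10 09:05:00, 1, 54, OPN, , , -70, 30, 0, 0.0.0.0, 7, linksys, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
"""

HOST_INVENTORY = [
    InventoryItem("10.20.1.10", "POS controller, store 12", "Retail IT", "Authorizes card transactions"),
    InventoryItem("10.20.1.11", "POS terminal 01, store 12", "Retail IT", "Card-present sales"),
]
SAMPLE_NMAP = """\
# Nmap ping sweep of the store 12 POS VLAN (constructed sample)
Host: 10.20.1.10 (posctl.store12.example)\tStatus: Up
Host: 10.20.1.11 ()\tStatus: Up
Host: 10.20.1.57 (printer-legacy.store12.example)\tStatus: Up
"""


def audit_all():
    """Run both reconciliations and return the findings keyed by source."""
    return {
        "wireless": reconcile(AP_INVENTORY, parse_airodump_csv(SAMPLE_AIRODUMP)),
        "hosts": reconcile(HOST_INVENTORY, parse_nmap_grepable(SAMPLE_NMAP)),
    }


if __name__ == "__main__":
    for source, findings in audit_all().items():
        for f in findings:
            print(f"{source:8} {f.kind:22} {f.identifier:20} {f.detail}")
```

In the sample run the open "linksys" AP is reported as unauthorized, the guest AP is flagged because its justification field is empty, the warehouse AP is reported as not observed (either it is gone or the scan missed that part of the building), and an unlisted printer turns up on the POS VLAN. Feed the real airodump-ng or nmap output in place of the samples; the point of keeping the comparison in code is that it can run on every quarterly wireless sweep and every network discovery scan, rather than once before the assessment.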

Page 13: PCI DSS 3.0: Don’t Shortchange Your PCI Readiness

#5 – Get My Arms Around Sensitive Authentication Data (Requirement 6.5.6)

This is being driven by BlackPOS, vSkimmer and similar memory-scraping threats, and has resulted in a new requirement being added.

Big push to ensure that sensitive authentication data is secured and deleted as soon as authorization is complete.

Memory-Scraping Malware: Attackers used memory-scraping malware to probe system memory and steal sensitive data in about 50% of investigations where malware had data collection functionality. Attackers used malicious PDF files, targeting Adobe Reader vulnerabilities, in 61% of all client-side attacks.

Recommendation: Get the book Hacking Point of Sales: Payment Application Secrets, Threats, and Solutions to help you address this serious problem.
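Memory scrapers work because full track data sits in the POS process's memory as plain ASCII long after the authorization response came back. The two checks a practitioner wants are therefore: scan a memory image of the payment process for track data after a test transaction, and make sure the application only ever holds a swipe in a buffer it can overwrite. The script below is an added example (not from the webcast, the book, or any payment application vendor) that does both. The track formats are the standard magnetic-stripe layouts; the memory image, the process log text and the 4111111111111111 test PAN are constructed, and the wipe helper assumes the application keeps the swipe in a bytearray rather than an immutable bytes or str object.

```python
import re

# Track 2 (";PAN=YYMMSSS<discretionary>?") and Track 1 ("%BPAN^NAME^YYMMSSS...?")
# as a magnetic-stripe reader delivers them; both are SAD and must not survive
# authorization. Patterns are bytes so they run over raw memory images.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^\^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")


def luhn_ok(pan: bytes) -> bool:
    """Luhn check on an ASCII-digit PAN; cuts false positives from digit runs in binaries."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ch - 0x30
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: bytes) -> str:
    """Keep only the first six and last four digits, the most PCI DSS lets you display."""
    s = pan.decode("ascii")
    return s[:6] + "*" * (len(s) - 10) + s[-4:]


def find_sad(buf) -> list:
    """Scan a memory image (bytes or bytearray) for track data carrying a Luhn-valid PAN.

    Returns (kind, offset, masked_pan) tuples sorted by offset; the full PAN is
    never returned, so the scan report itself does not become cardholder data.
    """
    hits = []
    for kind, pattern in (("track2", TRACK2_RE), ("track1", TRACK1_RE)):
        for m in pattern.finditer(buf):
            pan = bytes(m.group(1))
            if luhn_ok(pan):
                hits.append((kind, m.start(), mask(pan)))
    return sorted(hits, key=lambda h: h[1])


def wipe(buf: bytearray) -> None:
    """Overwrite a mutable buffer in place.

    Python cannot scrub immutable bytes/str objects, so an application that must
    touch track data should keep it only in a bytearray and wipe it here as soon
    as the authorization response arrives (in C, use explicit_bzero() or
    SecureZeroMemory(), which the compiler will not optimise away).
    """
    buf[:] = bytes(len(buf))


# Constructed memory image: a POS process that left a swipe in its heap.
# 4111111111111111 is a Luhn-valid test number, not a real card.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"POSApp log: sale 12.99 approved\x00"
    + b";4111111111111111=25121010000012345?"                     # track 2
    + b"\x00" * 8
    + b"%B4111111111111111^DOE/JOHN^2512101000000000000000000?"   # track 1
    + b";4111111111111112=2512101?"                               # fails Luhn: ignored
    + b"\x00" * 16
)


def simulate_authorization():
    """Hold the swipe in a bytearray, 'authorize', wipe, and rescan the same buffer."""
    work = bytearray(SAMPLE_DUMP)
    before = len(find_sad(work))    # what a scraper would find mid-transaction
    wipe(work)
    after = len(find_sad(work))     # what it finds once the buffer is overwritten
    return before, after


if __name__ == "__main__":
    for kind, offset, masked in find_sad(SAMPLE_DUMP):
        print(f"{kind} at offset {offset}: PAN {masked}")
    print("hits before/after wipe:", simulate_authorization())
```

To use this on a real system, dump the payment process (for example with a debugger or a forensic memory tool) immediately after a test transaction has been authorized and run find_sad over the image: any hit means the application is retaining SAD past authorization, which is exactly what BlackPOS-style malware harvests. The Luhn filter matters on real images, which are full of digit sequences that look like PANs but are not.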

Page 14: PCI DSS 3.0: Don’t Shortchange Your PCI Readiness

#6 – Protect My Point of Sale Terminals (Requirement 9.9)

Practical controls:
- Mounting terminals in a locked cradle
- Placing serialized security tape over the seams of the card terminal and over the wires or connectors inside card readers
- Reviewing and logging, at least daily, the serialized security tape for tampering, and taking questionable equipment out of service
- Video monitoring of all terminals for tampering, including hours when the retail operation is closed
- Replacing card equipment only with the approval of management outside the retail facility

Recommendation: Focus security awareness training at the endpoint: train non-technical staff in what to look for and be clear about what your expectations are.

There are more than a billion active credit and debit cards in the U.S., and nearly 48% of those are breached annually at the point of sale!

Page 15: PCI DSS 3.0: Don’t Shortchange Your PCI Readiness

#7 – Work Through Service Provider Credentials (Requirement 8.5.1)

A best practice until June 30, 2015; a requirement effective July 1, 2015.

Requirement 8.5.1 (new) requires a service provider with remote access to customer premises to use a unique authentication credential for each customer.

Requirement 12.9 (new) requires service providers to acknowledge in writing to their customers that they are responsible for the security of the cardholder data they possess, store, process or transmit on the customer’s behalf.

The driver behind this requirement is that too many breaches were determined to have been caused by a vendor having remote access to customers’ equipment and using the same credentials to gain access to every customer.

Recommendation: Kick-start conversations with your MSSP, vendors and service providers: ask them to document scoping and enter into a formal, written agreement about it.

Page 16: PCI DSS 3.0: Don’t Shortchange Your PCI Readiness

#8 – Implement a Penetration Testing Methodology (Requirement 11.3)

One of the best practices that organizations will need time to prepare for is the set of changes to requirement 11.3 (best practice until June 30, 2015; a requirement effective July 1, 2015):

11.3: implement a penetration testing methodology based on industry-accepted approaches, covering the entire CDE perimeter and critical systems, tested from both inside and outside the network, at the network and application layers, and taking into account the threats and vulnerabilities experienced in the last 12 months

11.3.4: if segmentation is used to isolate the CDE from other networks, perform penetration tests at least annually and after any change to segmentation controls to verify that the segmentation methods are operational and effective

You now must begin to develop a true vulnerability management program.

This requirement is going to force your organization to finally, truly implement requirement 6.1 (was 6.2 in v2.0) of the PCI DSS: identify vulnerabilities and rank them by risk.

Only 41 percent of the retail sector uses penetration testing to identify security risks.

Recommendation: Immediately begin to document and keep track of all threats and vulnerabilities to your environment over the last 12 months; the 11.3 methodology has to account for them.
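The 11.3.4 segmentation check is the part of the methodology most often done by hand and least often repeated after a firewall change. What it needs is a list of every CDE host and service, run from each network segment that is claimed to be out of scope, with the rule that anything which answers at all has crossed the segmentation boundary. The script below is an added example (not from the webcast or any assessor's toolkit) of that check; the CDE hosts, ports and the sample probe results are constructed assumptions, and the live probe covers TCP only, so UDP services, ICMP and any non-IP paths into the CDE need their own probes under the same rule.

```python
import socket

# Constructed test plan (an assumption, not from the webcast): CDE hosts and the
# services they expose. Run the check from every segment claimed to be out of
# scope; anything reachable collapses that claim and pulls the segment into scope.
CDE_TARGETS = {
    "10.20.1.10": [22, 443, 3389],   # POS controller
    "10.20.1.11": [22],              # POS terminal
    "10.20.1.20": [1433],            # card-data database
}


def tcp_probe(host, port, timeout=1.0):
    """Live probe. 'open' = TCP handshake completed, 'closed' = RST received
    (the host answered, so packets cross the boundary), 'filtered' = no answer."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError:                  # no route to host, network unreachable, ...
        return "filtered"
    finally:
        s.close()


def make_table_probe(table):
    """Offline probe backed by a dict of constructed results; unknown = filtered."""
    def probe(host, port):
        return table.get((host, port), "filtered")
    return probe


def verify_segmentation(targets, probe=tcp_probe, source="out-of-scope"):
    """Return (passed, reachable).

    Segmentation is 'operational and effective' only if every CDE service is
    'filtered' from the source segment. A 'closed' result still counts as
    reachable: the RST proves the segmentation control let the SYN through.
    """
    reachable = []
    for host, ports in targets.items():
        for port in ports:
            state = probe(host, port)
            if state in ("open", "closed"):
                reachable.append((source, host, port, state))
    return (len(reachable) == 0), reachable


# Constructed results as a run from the guest Wi-Fi segment might see them.
SAMPLE_RESULTS = {
    ("10.20.1.10", 443): "filtered",
    ("10.20.1.10", 22): "closed",     # RST came back: the firewall passed the SYN
    ("10.20.1.20", 1433): "open",     # database listening to the guest network
}


def demo():
    """Evaluate the constructed guest Wi-Fi results against the CDE target list."""
    probe = make_table_probe(SAMPLE_RESULTS)
    return verify_segmentation(CDE_TARGETS, probe=probe, source="guest-wifi")


if __name__ == "__main__":
    passed, reachable = demo()
    print("segmentation effective" if passed else "SEGMENTATION FAILURE")
    for source, host, port, state in reachable:
        print(f"  {source} -> {host}:{port} {state}")
```

Run it with the default tcp_probe from a host on each out-of-scope segment (guest Wi-Fi, corporate user VLAN, vendor jump network) and keep the output with the rest of the pen test results; 11.3.4 wants it repeated at least annually and after every segmentation change, which is far easier when the target list and the pass/fail rule live in a script rather than in last year's report.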

Page 17: PCI DSS 3.0: Don’t Shortchange Your PCI Readiness

Top 3 Things to Focus Your Attention On: July 1, 2015 is just around the corner

1. Protect My Point-of-Sale Terminals (9.9)
2. Work Through Service Provider Credentials (8.5.1)
3. Implement a Pen Testing Methodology (11.3)

Page 18: PCI DSS 3.0: Don’t Shortchange Your PCI Readiness

Key PCI Resources: Get Started Now

Infographic
http://www.tripwire.com/state-of-security/regulatory-compliance/pci-dss-3-0-whats-new-infographic/

Solution Information
http://www.tripwire.com/regulatory-compliance/pci-dss-compliance/
http://www.fishnetsecurity.com/sites/default/files/service-attach/PRC-SL0015_PCI-Solutions_WEB.pdf

Market Research
http://www.tripwire.com/ponemon/2013/

PCI DSS 3.0
https://www.pcisecuritystandards.org/security_standards/documents.php

Webcast Series (you’re already registered!)
http://www.tripwire.com/register/how-pci-dss-30-impacts-your-organization/

PCI Scoping Toolkit
http://itrevolution.com/pci-scoping-toolkit/

Page 19: PCI DSS 3.0: Don’t Shortchange Your PCI Readiness

Join us for our next webcast! Tuesday, December 17th, 10:00am PST / 1:00pm EST

Vulnerability Voodoo: The Convergence of Foundational Security Controls
http://www.tripwire.com/register/vulnerability-voodoo-the-convergence-of-foundational-security-controls/

PCI Series Webcast #2: January 22, 2014, 10:00am PST / 1:00pm EST
Speaker: Adrian Sanabria, of 451 Group

Page 20: PCI DSS 3.0: Don’t Shortchange Your PCI Readiness

tripwire.com | @TripwireInc

JEFF HALL
[email protected]
@JBHALL56

CINDY VALLADARES
[email protected]
@CINDYV

THANK YOU