PCI DSS 3.2 By Kishor Vaswani – CEO, ControlCase

Upload: kimberly-simon

Post on 16-Apr-2017

Page 1: PCI DSS 3.2

PCI DSS 3.2 By Kishor Vaswani – CEO, ControlCase

Page 2: PCI DSS 3.2

Agenda

• About PCI DSS

• Overview of changes in PCI DSS 3.2

• Changes by requirement number

• About ControlCase

• Q&A


Page 3: PCI DSS 3.2

About PCI DSS

Page 4: PCI DSS 3.2

What is PCI DSS?

Payment Card Industry Data Security Standard:

• Guidelines for securely processing, storing, or transmitting payment card account data

• Established by leading payment card issuers

• Maintained by the PCI Security Standards Council (PCI SSC)

Page 5: PCI DSS 3.2

PCI DSS Requirements

Control objectives and the requirements under each:

Build and maintain a secure network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

Maintain a vulnerability management program
  5. Use and regularly update anti-virus software on all systems commonly affected by malware
  6. Develop and maintain secure systems and applications

Implement strong access control measures
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data

Regularly monitor and test networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Maintain an information security policy
  12. Maintain a policy that addresses information security

Page 6: PCI DSS 3.2

Important Dates for PCI DSS v3.2

• Final DSS 3.2 released: April 2016

• v3.2 can be used: May 1, 2016

• Sunset date for v3.1: Oct 31, 2016

• v3.2 mandatory for all assessments: Nov 1, 2016

• Controls marked as “New Requirements” become mandatory: Feb 1, 2018

Page 7: PCI DSS 3.2

Overview of changes in PCI 3.2

Page 8: PCI DSS 3.2

Overview


SSL/early TLS

› Work towards remediation

› No new SSL/early TLS implementations

› Service providers must have a secure service offering by June 30, 2016

› No SSL/early TLS after June 30, 2018

› Some exceptions for POS POI terminals

Display of PAN

› Permits display of PAN beyond first 6/last 4

› Justification and business need must exist

› Display only the digits the business need requires
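The PAN display rule above in working form, as an added example that is not part of the ControlCase deck: a masking function that exposes no more than the first six and last four digits by default and exposes more only for a role whose documented business need is recorded in a register. The role names, the approval ticket reference and the sample card number are constructed placeholders; the Luhn check is there only to confirm the input has a PAN's shape before masking is applied.

```python
"""PAN masking driven by a documented business need (PCI DSS 3.2: first six /
last four by default; more digits only with justification). Added example;
roles, ticket references and card numbers below are constructed."""
from dataclasses import dataclass

PAN_MIN_LEN, PAN_MAX_LEN = 13, 19
DEFAULT_FIRST, DEFAULT_LAST = 6, 4   # PCI DSS default exposure window


@dataclass(frozen=True)
class DisplayNeed:
    """How much of a PAN a role may see, and the recorded reason."""
    role: str
    show_first: int
    show_last: int
    justification: str


DEFAULT_NEED = DisplayNeed("default", DEFAULT_FIRST, DEFAULT_LAST,
                           "PCI DSS default masking, no approval needed")

# Constructed register of approved needs (hypothetical role and ticket id).
APPROVED_NEEDS = {
    "chargeback_analyst": DisplayNeed(
        "chargeback_analyst", 6, 6,
        "Matches last six digits against issuer dispute files "
        "(approval ticket: PLACEHOLDER-0000)"),
}


def validate_need(need: DisplayNeed) -> None:
    """Reject needs that widen exposure without a recorded justification."""
    if need.show_first < 0 or need.show_last < 0:
        raise ValueError("digit counts must be non-negative")
    wider = need.show_first > DEFAULT_FIRST or need.show_last > DEFAULT_LAST
    if wider and not need.justification.strip():
        raise ValueError(f"role {need.role!r} exceeds first 6/last 4 without a justification")


def normalize_pan(pan: str) -> str:
    """Strip common separators and confirm the value has a PAN's shape."""
    digits = pan.replace(" ", "").replace("-", "")
    if not digits.isdigit() or not PAN_MIN_LEN <= len(digits) <= PAN_MAX_LEN:
        raise ValueError("not a PAN: expected 13-19 digits")
    return digits


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; used here only to recognise PAN-shaped input."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, need: DisplayNeed = DEFAULT_NEED, mask_char: str = "X") -> str:
    """Return the PAN with every digit outside the permitted window replaced."""
    digits = normalize_pan(pan)
    validate_need(need)
    hidden = len(digits) - need.show_first - need.show_last
    if hidden <= 0:
        raise ValueError("need would reveal the full PAN; that is not masking")
    tail = digits[len(digits) - need.show_last:] if need.show_last else ""
    return digits[:need.show_first] + mask_char * hidden + tail


def display_for_role(pan: str, role: str) -> str:
    """Unknown roles fall back to the default window: least exposure wins."""
    return mask_pan(pan, APPROVED_NEEDS.get(role, DEFAULT_NEED))


if __name__ == "__main__":
    sample = "4111 1111 1111 1111"   # constructed test number, passes Luhn
    print(display_for_role(sample, "help_desk"))           # 411111XXXXXX1111
    print(display_for_role(sample, "chargeback_analyst"))  # 411111XXXX111111
```

The register is the evidence an assessor asks for: every window wider than first six/last four carries its justification, and a role that is not in the register cannot widen the window by accident.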

Page 9: PCI DSS 3.2

Overview contd…


Multifactor Authentication

› All remote access must be multifactor

› All non-console admin access to the CDE must be multifactor, effective Jan 31, 2018

› Multifactor can be at the system or application layer

New Service Provider Requirements

› Maintain a documented description of the cryptographic architecture

› Detect and report on failures of critical security control systems

› Quarterly review to ensure personnel are following security procedures

› Perform a segmentation penetration test once every six months (effective Feb 2018)

› Executive management to establish responsibilities (effective Feb 2018)

Page 10: PCI DSS 3.2

Changes by requirement

Page 11: PCI DSS 3.2

Requirement 1 – Firewall Configuration

• Install personal firewall software or equivalent functionality on any portable computing devices (including company and/or employee-owned) that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the CDE.


Page 12: PCI DSS 3.2

Requirement 3 - Encryption

• 3.4.1 - If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed separately and independently of native operating system authentication and access control mechanisms

Note: This requirement applies in addition to all other PCI DSS encryption and key-management requirements.


Page 13: PCI DSS 3.2

Requirement 3 - Encryption

3.5.1 Additional requirement for service providers only: Maintain a documented description of the cryptographic architecture that includes:

• Details of all algorithms, protocols, and keys used for the protection of cardholder data, including key strength and expiry date

• Description of the key usage for each key

• Inventory of any HSMs and other SCDs used for key management

Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement.

Page 14: PCI DSS 3.2

Requirement 6 – Secure Applications

• 6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.

• This requirement applies to applicable patches for all installed software, including payment applications (both those that are PA-DSS validated and those that are not).


Page 15: PCI DSS 3.2

Requirement 6 – Secure Applications

• 6.4.6 Upon completion of a significant change, all relevant PCI DSS requirements must be implemented on all new or changed systems and networks, and documentation updated as applicable.

Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement.


Page 16: PCI DSS 3.2

Requirement 8 – Access Control

• 8.3.1 Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.

Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement.


Page 17: PCI DSS 3.2

Requirement 10 – Logging and Monitoring

• 10.8 Additional requirement for service providers only: Implement a process for the timely detection and reporting of failures of critical security control systems, including but not limited to failure of:

› Firewalls

› IDS/IPS

› FIM

› Anti-virus

› Physical access controls

› Logical access controls

› Audit logging mechanisms

› Segmentation controls (if used)

Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement.

Page 18: PCI DSS 3.2

Requirement 11 – Security Testing

11.3.4.1 Additional requirement for service providers only: If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods.

Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement.

Page 19: PCI DSS 3.2

Requirement 12 – Policies and Procedures

12.4.1 Additional requirement for service providers only: Executive management shall establish responsibility for the protection of cardholder data and a PCI DSS compliance program to include:

• Overall accountability for maintaining PCI DSS compliance

• Defining a charter for a PCI DSS compliance program and communication to executive management

Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement.

Page 20: PCI DSS 3.2

Requirement 12 – Policies and Procedures

12.11 Additional requirement for service providers only: Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures. Reviews must cover the following processes:

• Daily log reviews

• Firewall rule-set reviews

• Applying configuration standards to new systems

• Responding to security alerts

• Change management processes

Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement.

Page 21: PCI DSS 3.2

Requirement 12 – Policies and Procedures

12.11.1 Additional requirement for service providers only: Maintain documentation of the quarterly review process to include:

• Documenting results of the reviews

• Review and sign-off of results by personnel assigned responsibility for the PCI DSS compliance program

Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement.

Page 22: PCI DSS 3.2

Appendix A2: Additional PCI DSS Requirements for Entities using SSL/early TLS

• New implementations must not use SSL or early TLS as a security control.

• All service providers must provide a secure service offering by June 30, 2016.

• After June 30, 2018, all entities must have stopped use of SSL/early TLS as a security control, and use only secure versions of the protocol (an allowance for certain POS POI terminals is described in the last bullet below).

• Prior to June 30, 2018, existing implementations that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place.

• POS POI terminals (and the SSL/TLS termination points to which they connect) that can be verified as not being susceptible to any known exploits for SSL and early TLS may continue using these as a security control after June 30, 2018.
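As an added example that is not part of the deck, the following script treats the 3.5.1 cryptographic-architecture description (page 13) as a machine-checkable inventory and applies the Appendix A2 SSL/early TLS timeline to the protocol list, including the POS POI allowance. The minimum key sizes, the set of protocol versions counted as "early TLS", the key and endpoint records and the review dates are all assumptions made for the illustration; only the June 30, 2018 sunset date comes from the deck.

```python
"""Cryptographic architecture inventory (PCI DSS 3.2 req. 3.5.1) checked as data,
with the Appendix A2 SSL/early TLS rule applied to the protocol list.
Added example; thresholds and records below are constructed assumptions."""
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Assumed policy values, not taken from the deck.
MIN_KEY_BITS = {"AES": 128, "RSA": 2048, "ECDSA": 256}
SSL_EARLY_TLS = {"SSLv2", "SSLv3", "TLSv1.0"}
# Sunset date from Appendix A2 of the deck.
SSL_EARLY_TLS_SUNSET = date(2018, 6, 30)


@dataclass(frozen=True)
class KeyRecord:
    name: str
    algorithm: str
    bits: int            # key strength
    usage: str           # what the key protects (3.5.1 asks for this per key)
    expires: date        # expiry date
    locations: tuple     # HSMs / SCDs or other stores holding the key


@dataclass(frozen=True)
class Endpoint:
    name: str
    protocols: tuple                  # versions the endpoint will negotiate
    pos_poi_exception: bool = False   # verified POS POI allowance (Appendix A2)


@dataclass(frozen=True)
class Finding:
    severity: str   # "fail", "warn" or "info"
    subject: str
    message: str


def review_keys(keys, as_of):
    """Flag weak, expired or undocumented keys, and keys held in several places."""
    findings = []
    for k in keys:
        minimum = MIN_KEY_BITS.get(k.algorithm)
        if minimum is None:
            findings.append(Finding("fail", k.name, f"algorithm {k.algorithm} not approved"))
        elif k.bits < minimum:
            findings.append(Finding("fail", k.name, f"{k.algorithm}-{k.bits} below {minimum}-bit minimum"))
        if k.expires <= as_of:
            findings.append(Finding("fail", k.name, f"expired on {k.expires.isoformat()}"))
        if not k.usage.strip():
            findings.append(Finding("fail", k.name, "no documented key usage"))
        if len(k.locations) > 1:
            findings.append(Finding("info", k.name, f"held in {len(k.locations)} locations; keep to the fewest possible"))
    return findings


def review_endpoints(endpoints, as_of):
    """Apply the Appendix A2 timeline to every endpoint offering SSL/early TLS."""
    findings = []
    for e in endpoints:
        weak = ", ".join(sorted(set(e.protocols) & SSL_EARLY_TLS))
        if not weak:
            continue
        if e.pos_poi_exception:
            findings.append(Finding("info", e.name, f"{weak} retained under POS POI exception; keep evidence it is not susceptible to known SSL/early TLS exploits"))
        elif as_of > SSL_EARLY_TLS_SUNSET:
            findings.append(Finding("fail", e.name, f"{weak} still enabled after the {SSL_EARLY_TLS_SUNSET.isoformat()} sunset"))
        else:
            findings.append(Finding("warn", e.name, f"{weak} enabled; not permitted for new implementations and needs a Risk Mitigation and Migration Plan before {SSL_EARLY_TLS_SUNSET.isoformat()}"))
    return findings


def review_architecture(keys, endpoints, as_of):
    """Full review: key inventory first, then protocol endpoints."""
    return review_keys(keys, as_of) + review_endpoints(endpoints, as_of)


def summarize(findings):
    """Counts per severity, e.g. {'fail': 3, 'warn': 1, 'info': 2}."""
    return dict(Counter(f.severity for f in findings))


# Constructed sample inventory (names, sizes and dates are made up).
SAMPLE_KEYS = (
    KeyRecord("db-dek-01", "AES", 256, "encrypts PAN columns in the cardholder DB", date(2019, 1, 31), ("hsm-1",)),
    KeyRecord("kek-legacy", "RSA", 1024, "wraps data-encryption keys", date(2016, 12, 31), ("hsm-1", "backup-safe")),
    KeyRecord("tape-key", "AES", 256, "", date(2020, 6, 30), ("backup-solution",)),
)
SAMPLE_ENDPOINTS = (
    Endpoint("payment-gateway", ("TLSv1.2",)),
    Endpoint("partner-api", ("TLSv1.0", "TLSv1.2")),
    Endpoint("legacy-pos-poi", ("TLSv1.0",), pos_poi_exception=True),
)

if __name__ == "__main__":
    for f in review_architecture(SAMPLE_KEYS, SAMPLE_ENDPOINTS, date(2017, 4, 16)):
        print(f"[{f.severity}] {f.subject}: {f.message}")
```

Running the same inventory with a review date after the sunset turns the partner-api warning into a failure while the POS POI endpoint stays informational, which is exactly the distinction the appendix draws.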

Page 23: PCI DSS 3.2

Appendix A3: Designated Entities Supplemental Validation (DESV)

This Appendix applies only to entities designated by a payment brand(s) or acquirer as requiring additional validation of existing PCI DSS requirements. Examples of entities that this Appendix could apply to include:

• Those storing, processing, and/or transmitting large volumes of cardholder data

• Those providing aggregation points for cardholder data

• Those that have suffered significant or repeated breaches of cardholder data

Note: An entity is required to undergo an assessment according to this Appendix ONLY if instructed to do so by an acquirer or a payment brand.

Page 24: PCI DSS 3.2

ControlCase Products and Solutions

Page 25: PCI DSS 3.2

Learn more about continual compliance…

Compliance as a Service (CaaS)

Page 26: PCI DSS 3.2

Integrated compliance


Sample of the ControlCase integrated compliance matrix. Each question is mapped to references in PCI DSS 2.0, PCI DSS 3.0, ISO 27002:2013, SOC2, HIPAA and NIST 800-53; where a framework is not listed for a question, the slide gives no reference for it.

Question 37: Provide a data encryption policy explaining the encryption controls implemented for secure storage of cardholder data (e.g. encryption, truncation, masking, etc.), applicable to application, database and backup tapes.

› Screenshots showing that full PAN data is encrypted with strong encryption while stored (database tables or files). The captured details should also show the encryption algorithm and strength used.

› For backup tapes, a screenshot showing the encryption applied through the backup solution (algorithm and strength, e.g. AES 256 bit).

Security Posture QA: QSA to verify that encryption is appropriate OR compensating controls are per ControlCase standard.

References: PCI DSS 2.0 3.4.a, 3.4.b, 3.4.c, 3.4.d; PCI DSS 3.0 3.4; ISO 27002:2013 10.1.1, 18.1.5; HIPAA 164.312(a)(1)

Question 38: If disk encryption is used for card data, is logical access to the encrypted file system separate from native operating system user access? (Provide adequate evidence showing that logical access to the local operating system and to the encrypted file system uses separate user authentication.)

Security Posture QA: QSA to verify that encryption is appropriate OR compensating controls are per ControlCase standard.

References: PCI DSS 2.0 3.4.1.a; PCI DSS 3.0 3.4.1; ISO 27002:2013 10.1.2; HIPAA 164.312(a)(1)

Question 39: Provide evidence showing restricted access control for Data Encryption Keys (DEK) and Key Encryption Keys (KEK) at the key store.

Security Posture QA: QSA to verify that encryption is appropriate OR compensating controls are per ControlCase standard.

References: PCI DSS 2.0 3.5; PCI DSS 3.0 3.5.2; ISO 27002:2013 10.1.2; HIPAA 164.312(a)(1)

Question 40: Provide evidence showing the exact locations where encryption keys are stored (keys should be stored in the fewest possible locations).

References: PCI DSS 3.0 3.5.3; ISO 27002:2013 10.1.2; HIPAA 164.312(a)(1)

Page 27: PCI DSS 3.2

Why Choose ControlCase?

• Global Reach

› Serving more than 400 clients in 40 countries and rapidly growing

• Certified Resources

› PCI DSS Qualified Security Assessor (QSA)

› QSA for Point-to-Point Encryption (QSA P2PE)

› Certified ASV vendor

› Certified ISO 27001 Assessment Department

› EI3PA Assessor

› HIPAA Assessor

› HITRUST Assessor

› SOC1, SOC2, SOC3 Assessor

› Shared Assessments AUP/SIG


Page 28: PCI DSS 3.2

To Learn More About PCI Compliance…

• Visit www.controlcase.com

[email protected]

Page 29: PCI DSS 3.2

Thank You for Your Time