PCI-DSS v3.0 TECHNICAL DISCUSSION

Post on 07-Oct-2020

Page 1: PCI-DSS v3 · 2020. 1. 21. · TOP INHIBITIONS FOR BUYING ONLINE . 3 YEAR LIFE CYCLE . ... User certificate VPN Requirement to control access to sensitive areas – includes access

NUMBER OF CREDIT CARD TRANSACTIONS – 10,000 TRANSACTIONS PER SECOND

NUMBER OF NON CASH PAYMENTS IN 2013 – 333 BILLION

CARD PAYMENTS – 181 BILLION

IF EACH OF THE 7 BILLION ON THE PLANET HAD A CARD

THEY WOULD HAVE USED IT AT LEAST 19 TIMES

CARD SPENDING IN SEPTEMBER IN UK – 8.4 BILLION POUNDS

TOP INHIBITIONS FOR BUYING ONLINE

3 YEAR LIFE CYCLE

Feedback on v2.0

Clarification on requirements

Key Change Drivers

Education and Awareness

Increased Flexibility and Tailored Approach

More rigorous testing procedures will be applied by the QSA

Shared Responsibilities

Uniform Reporting

So, What's New!

Clarity and explanation of requirements – previously only in the Navigating PCI DSS guidance document (the "navdoc")

More elaborate testing procedures for QSAs

Updated section to focus on the assessment process rather than documentation.

Focus is on Security Beyond Compliance (remember, we said it first!)

Scoping, Segmentation and Sampling

Scope – Any system component or device located within or connected to the CDE

Segmentation – Segmentation is not filtering based on router/switch rules. It is actual isolation.

Sampling – Emphasis on ‘Representative Sampling’

Requirements 1 and 2 – Networks and Systems

Representation of CHD flow, which means correct identification of all areas where CHD is stored, processed and transmitted.

Efforts to minimize PCI scope are better directed.

PCI Risk Assessment is more structured – Identification of assets, threats and vulnerabilities in the CDE

Inventory – Networks and Systems

Requirement 3 – Encryption

Emphasis on split control in Key Management – DEK/KEK, HSM, Key Shares

Testing procedures to verify implementation of cryptographic key management procedures.

Documentation and implementation mandate for key management
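The DEK/KEK and key-share points on this slide, as an added example that is not part of the deck: the KEK is held as XOR shares by separate custodians (split knowledge, dual control), and the DEK is only ever stored wrapped under the KEK, with the wrap verified before the DEK is released. The wrap primitive is a stand-in built from HMAC-SHA256 because the Python standard library has no AES; in a PCI environment the KEK stays inside an HSM and the wrap would be a standard key-wrap mode.

```python
import hashlib
import hmac
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))

def split_key(key: bytes, n: int) -> list:
    """Split a KEK into n XOR shares (n-of-n split knowledge).
    Each custodian holds one share; any n-1 shares are uniformly
    random, so no single custodian learns the KEK."""
    shares = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    last = key
    for s in shares:
        last = xor_bytes(last, s)
    return shares + [last]

def combine_shares(shares: list) -> bytes:
    """Reconstitute the KEK under dual control: every share is needed."""
    kek = shares[0]
    for s in shares[1:]:
        kek = xor_bytes(kek, s)
    return kek

def wrap_dek(kek: bytes, dek: bytes) -> bytes:
    """Store the DEK only in wrapped form: nonce || ciphertext || tag.
    Stand-in wrap (constructed here, not a standard): HMAC-SHA256
    keystream plus an HMAC tag; handles DEKs up to 32 bytes."""
    if len(dek) > 32:
        raise ValueError("stand-in wrap handles DEKs up to 32 bytes")
    nonce = secrets.token_bytes(16)
    stream = hmac.new(kek, b"wrap" + nonce, hashlib.sha256).digest()
    ct = xor_bytes(dek, stream[:len(dek)])
    tag = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap_dek(kek: bytes, blob: bytes) -> bytes:
    """Verify the tag before releasing the DEK: a wrong KEK share set
    or a modified blob fails closed instead of yielding a garbage key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrapped DEK failed integrity check")
    stream = hmac.new(kek, b"wrap" + nonce, hashlib.sha256).digest()
    return xor_bytes(ct, stream[:len(ct)])
```

A typical flow is `split_key(kek, 2)` at key-ceremony time, `wrap_dek(kek, dek)` to persist the DEK, and `unwrap_dek(combine_shares(shares), blob)` only when both custodians present their shares.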

Requirements 5 and 6 – AV, Patching and Dev

Protect all systems against malware – This requirement is no longer about antivirus applications

Emphasis on protection of personal computers and servers

Risk Ranking > Patching (vulnerability risk ranking drives patching priority)

Secure Dev – Internal and Bespoke Apps – Session Management and Authentication

Address current and emerging coding vulnerabilities

Requirements 7, 8, 9 – Logical and Physical Access Control

Binding users to authentication mechanisms – e.g. user certificate for VPN

Requirement to control access to sensitive areas – includes access provisioning areas

Requirement to physically protect devices capturing payment card data – POS, ATM, Kiosk – from tampering and substitution

Why the clarification

Increase in frauds committed through POS device tampering (e.g. attaching a skimming device) or substitution with a replica device that routes transaction information, including card data, to the criminal.

Lack of awareness amongst merchants’ staff who handle these devices

Requirement 10

Log Reviews – To detect malicious activity

False positives vetting – additional requirements

Requirement 11

Methods to include inventory of authorized wireless access points

Perform penetration tests to verify that the segmentation methods are operational and effective.

Penetration Testing Methodology

Why this change

Intent of PT is not being achieved.

Emphasis on manual testing more than automated testing

Emphasis on the tester’s knowledge of systems and environment to penetrate them

Requirement 12 – Documentation

Maintain information about which PCI DSS requirements are managed by service providers with whom CHD is shared, and which are managed by the entity.

Service providers to acknowledge responsibility for maintaining applicable PCI DSS requirements.

SECURITY AND NOT JUST COMPLIANCE