PCI-DSS v3 · 2020-01-21
TRANSCRIPT
PCI-DSS v3.0 TECHNICAL DISCUSSION
NUMBER OF CREDIT CARD TRANSACTIONS – 10,000 TRANSACTIONS PER SECOND
NUMBER OF NON CASH PAYMENTS IN 2013 – 333 BILLION
CARD PAYMENTS – 181 BILLION
IF EACH OF THE 7 BILLION ON THE PLANET HAD A CARD
THEY WOULD HAVE USED IT AT LEAST 19 TIMES
CARD SPENDING IN SEPTEMBER IN UK – 8.4 BILLION POUNDS
TOP INHIBITIONS FOR BUYING ONLINE
3 YEAR LIFE CYCLE
Feedback on v2.0
Clarification on requirements
Key Change Drivers
Education and Awareness
Increased Flexibility and Tailored Approach
More rigorous testing procedures will be applied by the QSA
Shared Responsibilities
Uniform Reporting
So, What's New !!!!
Clarity and explanation of requirements - previously found only in the separate "Navigating PCI DSS" guidance document (the navdoc), now carried in the standard itself
More elaborate testing procedures for QSAs
Updated section to focus on the assessment process rather than on documentation.
Focus is on Security Beyond Compliance (remember we said it first !! )
Scoping, Segmentation and Sampling
Scope - Any system component or device located within or connected to the CDE
Segmentation - Segmentation is not merely filtering based on router/switch rules. It is actual isolation of the CDE from other networks
Sampling – Emphasis on ‘Representative Sampling’
Requirements 1 and 2 – Networks and Systems
Representation of the CHD flow, which means correct identification of all areas where CHD is stored, processed and transmitted.
Efforts to minimize PCI scope can then be conducted more effectively.
PCI Risk Assessment is more structured - identification of assets, threats and vulnerabilities in the CDE
Inventory – Networks and Systems
Requirement 3 - Encryption
Emphasis on split knowledge and dual control in Key Management – DEK/KEK, HSM, Key Shares
Testing procedures to verify implementation of cryptographic key management procedures.
Documentation and implementation mandate for key management
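The slide names DEK/KEK separation, HSMs and key shares. The following is an added example, not code from the presentation or from the PCI SSC, showing the key-share part: a key-encrypting key (KEK) is split into one share per custodian so that no single person ever holds the whole key, and a reconstruction ceremony refuses to use the result unless every share is present. The n-of-n XOR split, the custodian count and the key check value (a SHA-256 prefix here; payment HSMs normally derive a KCV by encrypting a zero block under the key) are assumptions made for the example.

```python
"""Split knowledge for a key-encrypting key (KEK): the key exists only when all
custodians combine their shares. Constructed example; it is not PCI SSC code."""
import hashlib
import secrets
from typing import List


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, custodians: int) -> List[bytes]:
    """n-of-n split: every share is uniformly random except the last, which is
    chosen so that the XOR of all shares equals the key. Any subset of fewer
    than n shares is statistically independent of the key."""
    if custodians < 2:
        raise ValueError("split knowledge needs at least two custodians")
    shares = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    last = key
    for s in shares:
        last = xor_bytes(last, s)
    shares.append(last)
    return shares


def combine_shares(shares: List[bytes]) -> bytes:
    acc = bytes(len(shares[0]))
    for s in shares:
        acc = xor_bytes(acc, s)
    return acc


def key_check_value(key: bytes) -> str:
    """Fingerprint for confirming a reconstructed key without revealing it.
    Assumption for this example: a SHA-256 prefix. A payment HSM KCV is
    normally computed by encrypting a zero block under the key instead."""
    return hashlib.sha256(key).hexdigest()[:6]


def reconstruct_kek(shares: List[bytes], expected_kcv: str) -> bytes:
    """Dual-control ceremony: combine the presented shares and refuse to use
    the result if its check value does not match the one recorded at split
    time (a missing or corrupted share yields an unrelated key)."""
    key = combine_shares(shares)
    if key_check_value(key) != expected_kcv:
        raise ValueError("key check value mismatch: missing or wrong share")
    return key


if __name__ == "__main__":
    kek = secrets.token_bytes(32)            # constructed KEK
    kcv = key_check_value(kek)               # recorded with the key inventory
    shares = split_key(kek, 3)               # one share per custodian
    assert reconstruct_kek(shares, kcv) == kek
    try:
        reconstruct_kek(shares[:2], kcv)     # only two of three custodians
    except ValueError as e:
        print("refused:", e)
```

The DEK that protects stored cardholder data would itself be stored only encrypted under this KEK, so the split applies to the one key that must never exist in clear outside the ceremony.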
Requirements 5 and 6 – AV, Patching and Dev
Protect all systems against malware – this requirement is no longer framed purely in terms of antivirus applications
Emphasis on protection of personal computers and servers
Risk Ranking drives Patching – vulnerabilities are ranked by risk first and patched in priority order
Secure Dev – Internal and Bespoke Apps – Session Management and Authentication
Address current and emerging coding vulnerabilities
Requirements 7, 8 and 9 – Logical and Physical Access Control
Binding users to authentication mechanisms – e.g. user certificate for VPN
Requirement to control access to sensitive areas – includes access provisioning areas
Requirement to physically protect devices capturing payment card data – POS, ATM, Kiosk – from tampering and substitution
Why the clarification
Increase in frauds committed through POS device tampering (e.g. attaching a skimming device) or substitution with a replica device that routes transaction information, including card data, to the criminal.
Lack of awareness amongst merchant’s staff who handle these devices
Requirement 10
Log Reviews – To detect malicious activity
Vetting of false positives – additional requirements
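Requirement 10 asks for log reviews that actually detect malicious activity, with false positives vetted rather than silently ignored. The following is an added example, not from the presentation, of what such a review step can look like in code: it parses SSH authentication failures from syslog-style lines, flags any source that produces a burst of failures inside a sliding window, and then checks the flagged sources against a documented exception list so that an approved scanner is recorded as suppressed with its reason while everything else is escalated. The log lines, addresses, threshold, window and exception list are all constructed for the example.

```python
"""Daily log review: flag authentication-failure bursts and vet them against an
exception list so known sources are suppressed with a reason, not dropped.
The log lines, addresses and exception list are constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")

THRESHOLD = 5                     # failures from one source ...
WINDOW = timedelta(seconds=60)    # ... inside any 60-second window

# Vetted exceptions: sources expected to produce failed logins, each with the
# documented reason. Constructed values; a real list is change-controlled.
APPROVED_SOURCES: Dict[str, str] = {
    "10.20.0.9": "authenticated vulnerability scanner (change ref: PLACEHOLDER)",
}

# Constructed sample log: a brute-force burst from a corporate workstation, a
# burst from the approved scanner, and one ordinary typo from a DBA.
SAMPLE_LOG = [
    "Jan 21 09:15:42 cde-db01 sshd[1980]: Failed password for dba from 10.20.0.5 port 40210 ssh2",
    "Jan 21 09:15:50 cde-db01 sshd[1980]: Accepted password for dba from 10.20.0.5 port 40210 ssh2",
    "Jan 21 10:00:01 cde-db01 sshd[2211]: Failed password for invalid user admin from 10.30.4.7 port 51122 ssh2",
    "Jan 21 10:00:03 cde-db01 sshd[2213]: Failed password for root from 10.30.4.7 port 51123 ssh2",
    "Jan 21 10:00:05 cde-db01 sshd[2215]: Failed password for invalid user admin from 10.30.4.7 port 51124 ssh2",
    "Jan 21 10:00:08 cde-db01 sshd[2217]: Failed password for oracle from 10.30.4.7 port 51125 ssh2",
    "Jan 21 10:00:11 cde-db01 sshd[2219]: Failed password for invalid user admin from 10.30.4.7 port 51126 ssh2",
    "Jan 21 02:00:01 cde-db01 sshd[1402]: Failed password for invalid user test from 10.20.0.9 port 33001 ssh2",
    "Jan 21 02:00:04 cde-db01 sshd[1404]: Failed password for invalid user guest from 10.20.0.9 port 33002 ssh2",
    "Jan 21 02:00:09 cde-db01 sshd[1406]: Failed password for root from 10.20.0.9 port 33003 ssh2",
    "Jan 21 02:00:15 cde-db01 sshd[1408]: Failed password for invalid user admin from 10.20.0.9 port 33004 ssh2",
    "Jan 21 02:00:30 cde-db01 sshd[1410]: Failed password for oracle from 10.20.0.9 port 33005 ssh2",
]


def parse_failures(lines: List[str]) -> Dict[str, List[datetime]]:
    """Map each source IP to the timestamps of its failed logins."""
    by_ip: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            by_ip[m["ip"]].append(datetime.strptime(m["ts"], "%b %d %H:%M:%S"))
    return by_ip


def is_burst(times: List[datetime], threshold=THRESHOLD, window=WINDOW) -> bool:
    """True if at least `threshold` failures fall inside one sliding `window`."""
    times = sorted(times)
    start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False


def review(lines: List[str]) -> Dict[str, list]:
    """Escalate bursts from unknown sources; record approved ones as suppressed
    together with the reason, so the vetting decision is itself auditable."""
    escalate, suppressed = [], []
    for ip, times in parse_failures(lines).items():
        if not is_burst(times):
            continue
        if ip in APPROVED_SOURCES:
            suppressed.append((ip, len(times), APPROVED_SOURCES[ip]))
        else:
            escalate.append((ip, len(times)))
    return {"escalate": escalate, "suppressed": suppressed}


if __name__ == "__main__":
    result = review(SAMPLE_LOG)
    for ip, n in result["escalate"]:
        print(f"ESCALATE  {ip}: {n} failed logins in a burst")
    for ip, n, why in result["suppressed"]:
        print(f"SUPPRESS  {ip}: {n} failed logins - {why}")
```

Keeping the suppressed entries in the output, rather than filtering them out before review, is what turns a false-positive exception into evidence a QSA can check against the change record.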
Requirement 11
Methods to include inventory of authorized wireless access points
Perform penetration tests to verify that the segmentation methods are operational and effective.
Penetration Testing Methodology
Why this change
The intent of penetration testing (PT) is not being achieved.
Emphasis on manual testing more than automated testing
Emphasis on the tester’s knowledge of the systems and environment needed to penetrate them
Requirement 12 – Documentation
Maintain information about which PCI DSS requirements are managed by service providers with whom CHD is shared, and which are managed by the entity.
Service providers to acknowledge responsibility for maintaining the applicable PCI DSS requirements.
SECURITY AND NOT JUST COMPLIANCE