Posted: 18-Nov-2014 | Category: Technology | Uploaded by: qualys
PCI Compliance 2008: What You Need To Know
Sumedh Thakar, PCI Solutions Manager, Qualys

Agenda
– What's PCI / key terms
– What's new with PCI in 2008?
– What's coming later this year?
– Quick tips for PCI compliance
– Q & A (please send questions online via the Q&A chat)

What's PCI? / Key Terms
– PCI SSC: Payment Card Industry Security Standards Council
– PCI DSS: Payment Card Industry Data Security Standard
– QSA: Qualified Security Assessor
– ASV: Approved Scanning Vendor

The Standard: PCI DSS v1.1

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security

PCI DSS Validation

PCI Changes in 2008: Self-Assessment Questionnaires

New Self-Assessment Questionnaires v1.1
– Questionnaire version now in line with the DSS version
– Four questionnaires to acknowledge the different types of merchants
– Effective as of April 30, 2008

Validation Type | Description                                                                                                                                   | SAQ | Questions
1               | Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. Never applies to face-to-face merchants. | A   | 11
2               | Imprint-only merchants with no electronic cardholder data storage                                                                             | B   | 21
3               | Stand-alone terminal merchants, no electronic cardholder data storage                                                                         | B   | 21
4               | Merchants with POS systems connected to the Internet, no electronic cardholder data storage                                                   | C   | 38
5               | All other merchants (not included in Types 1-4 above) and all service providers defined by a payment brand as eligible to complete an SAQ     | D   | 226

PCI Changes in 2008: Requirement 6.6

Security of web applications
– For organizations that have web-facing applications processing payments
– Becomes a requirement as of June 30, 2008

6.6: Ensure that all web-facing applications are protected against known attacks, by either of the following:
– Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security
– Installing an application-layer firewall in front of web-facing applications

Options to get there:
– Manual review of application source code
– Proper use of automated application source code analyzer (scanning) tools
– Manual web application security vulnerability assessment
– Proper use of automated web application security vulnerability assessment (scanning) tools
– Use of an appropriate web application firewall (WAF)

PCI Changes in 2008: Use of CVSS v2.0 Scores

External vulnerability scans performed by an ASV
– See www.pcisecuritystandards.org for the list of ASVs

CVSS scoring: Common Vulnerability Scoring System

PCI SSC requirement
– As of July 1, 2008 all ASVs must use CVSS v2.0 scoring
– Any vulnerability with a CVSS v2.0 base score of 4.0 or higher causes the host to fail the scan
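As an added example (not code from the deck, from Qualys, or from the PCI SSC), the following Python computes a CVSS v2.0 base score from a base vector string and then applies the 4.0 threshold the deck cites, so a scan result can be turned into a per-host pass/fail verdict. The metric weights, formula and half-up rounding are those of the CVSS v2.0 specification; the host addresses, vulnerability identifiers and vectors in SAMPLE_FINDINGS are constructed for illustration, and the function names are this example's own.

```python
"""CVSS v2.0 base score from a vector string, applied to the PCI ASV rule
that any vulnerability scoring 4.0 or higher fails the host.

Added example, not part of the Qualys deck. Weights and formula follow the
CVSS v2.0 specification; SAMPLE_FINDINGS below is constructed test data.
"""
import math
import re

# CVSS v2.0 base metric weights (CVSS v2.0 specification, base equation).
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}        # Local / Adjacent / Network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}     # High / Medium / Low
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}       # Multiple / Single / None
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}               # None / Partial / Complete

# ASV rule from the deck: base score 4.0 or higher fails the host.
PCI_FAIL_THRESHOLD = 4.0

_VECTOR_RE = re.compile(
    r"^AV:([LAN])/AC:([HML])/Au:([MSN])/C:([NPC])/I:([NPC])/A:([NPC])$"
)


def _round1(x):
    """Round half up to one decimal place, as the CVSS v2 spec does."""
    return math.floor(x * 10 + 0.5) / 10


def cvss2_base_score(vector):
    """Return the CVSS v2.0 base score for a base vector such as
    'AV:N/AC:L/Au:N/C:P/I:P/A:P'."""
    m = _VECTOR_RE.match(vector)
    if not m:
        raise ValueError(f"not a CVSS v2 base vector: {vector!r}")
    av, ac, au, c, i, a = m.groups()
    impact = 10.41 * (1 - (1 - IMPACT[c]) * (1 - IMPACT[i]) * (1 - IMPACT[a]))
    exploitability = 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]
    f_impact = 0 if impact == 0 else 1.176   # a vector with no impact scores 0.0
    return _round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def pci_fails(vector):
    """True if this single finding is enough to fail the host under the ASV rule."""
    return cvss2_base_score(vector) >= PCI_FAIL_THRESHOLD


def scan_verdict(findings):
    """findings: iterable of (host, vuln_id, vector).
    Returns {host: (passed, [vuln_ids that caused the failure])}."""
    failing = {}
    for host, vuln_id, vector in findings:
        failing.setdefault(host, [])
        if pci_fails(vector):
            failing[host].append(vuln_id)
    return {host: (not ids, ids) for host, ids in failing.items()}


# Constructed sample scan output; hosts and IDs are hypothetical.
SAMPLE_FINDINGS = [
    ("10.0.0.5", "example-1", "AV:N/AC:L/Au:N/C:P/I:P/A:P"),  # 7.5: fails
    ("10.0.0.5", "example-2", "AV:N/AC:L/Au:N/C:N/I:N/A:P"),  # 5.0: fails
    ("10.0.0.6", "example-3", "AV:L/AC:L/Au:N/C:N/I:N/A:P"),  # 2.1: passes
    ("10.0.0.6", "example-4", "AV:N/AC:L/Au:N/C:N/I:N/A:N"),  # 0.0: passes
]

if __name__ == "__main__":
    for host, (passed, ids) in scan_verdict(SAMPLE_FINDINGS).items():
        print(host, "PASS" if passed else "FAIL", ids)
```

The threshold is applied per vulnerability, not to a host total: one medium-severity finding (a remotely reachable partial availability impact scores exactly 5.0) is enough to fail the host, while the same weakness reachable only locally scores 2.1 and passes. That is why the access-vector metric matters so much for what an ASV reports.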

PCI Changes in 2008: New Standard, PA-DSS

PA-DSS: Payment Application Data Security Standard
– Designed to secure applications that process payments for merchants
– Based on the PCI DSS
– Successor to Visa's Payment Application Best Practices (PABP) program

Applicability: commercial payment applications
– Generally bought off the shelf with little or no customization
– Not for custom or in-house developed payment applications

Rollout of PA-DSS
– Assessors approved by the PCI SSC will assess applications
– The PCI SSC will maintain a list of approved payment applications and versions
– First list to be published Oct 1, 2008

Compliance
– Dates for merchants to comply with PA-DSS are decided by the payment brands
– Check with your vendor whether the application you bought is PA-DSS compliant

PCI Changes in 2008: PCI DSS Revision to 1.2

Update from 1.1 to 1.2
– Same 12 requirements as 1.1
– More clarifications on existing requirements
– New questionnaires v1.2
– Publication date: Oct 1, 2008
– Effective date: Oct 1, 2008
– Sunset date for 1.1: TBD

Quick Tips for PCI Compliance
– PCI compliance is ongoing
– Do the right things: it's for your own good!
– Use your trusted vendors
– Use of automation and technology is key

Quick Tips for PCI Compliance: Use of Automation & Technology

Automated tools are the best place to start, and will eliminate 80-90% of your headaches!

Use automated tools where possible
– If you have basic security knowledge, sign up for automated scanning portals like QualysGuard PCI
– Use an automated web application scanner
– Use an automated wireless analyzer and log analyzer
– Using an automated internal scanner appliance will be cheaper than dedicating a resource to perform internal scanning