Posted: 24-Jan-2015 | Category: Technology | Uploaded by: tripwire
PCI DSS 3.0: Don’t shortchange your PCI readiness
PCI Compliance Webinar Series, Part 1 of 3
About Your Presenters
Jeff Hall (@JBHall56), Security Consultant at FishNet Security
CISSP, CISM, CGEIT, PCI-QSA, PCIP
Author of the PCI Guru blog: http://pciguru.wordpress.com/
Cindy Valladares (@cindyv), PCI Specialist at Tripwire
Author of The State of Security blog: http://www.tripwire.com/blog
#pciwebcast
Agenda for Today’s Webcast
Topic 1: PCI DSS 3.0 Overview
Topic 2: 8 Considerations for PCI 3.0 Preparedness
Topic 3: Q&A
Topic 4: Key PCI Resources
PCI DSS 3.0 Overview: Key Takeaways
Lots of renumbering of requirements and tests. Why? Lots of changes: reordering of requirements and new requirements.
Flexibility and consistency across the entire framework. Why? To provide more guidance and improve consistency between QSAs.
Integration of the PCI standards into day-to-day business operations. Why? Because that is what makes a security program work and be successful.
PCI DSS 3.0 was officially released November 7th, 2013
Goes into effect January 1st, 2014
ROC templates anticipated in March 2014
Existing PCI DSS 2.0 compliant vendors will have until 12/31/2014 to move to the new standard
8 Considerations for PCI Preparedness: Critical Changes You Need to Start Planning for Now
1. Begin Work On The Data Flow Diagram (1.1.3)
2. Document User Access & Business Purpose (7.1.1)
3. Get My Arms Around Sensitive Authentication Data (6.5.6)
4. Protect My Point-of-Sales Terminals (9.9)
5. Take Inventory of Wireless Access Points (11.1.1)
6. Maintain An Inventory Of In-Scope Devices (2.4)
7. Work Through Service Provider Credentials (8.5.1)
8. Implement a Pen Testing Methodology (11.3)
The mission of the PCI DSS has not changed since its introduction in 2004 -- to help merchants protect payment card data wherever and however it's stored, processed or transmitted -- but the theme of PCI DSS 3.0 is to make PCI compliance "business as usual," or, more specifically, increase the importance for merchants to integrate PCI compliance with other important day-to-day business activities.
#1 – Begin Work on the Data Flow Diagrams
PCI DSS 3.0 integrates the network and data flow diagrams and makes that integration mandatory
This will be one of the most challenging requirements and must be dealt with in order to successfully complete a Report on Compliance
This is required for you to understand where SAD (sensitive authentication data) is flowing across the network
Open PCI Scoping Toolkit: http://itrevolution.com/pci-scoping-toolkit/
Requirement 1.1.3
Recommendation: Begin internal meetings now with Application Developers, Networking and Security teams to begin to understand current state and communicate expectations
#2 – Document User Access & Business Purpose
Define access needs for each role, including:
System components and data resources that each role needs to access for their job function
Level of privilege required (for example, user, administrator, etc.) for accessing resources
PCI is expecting organizations to document each class of user, the devices they have access to, the data they have access to, the level of privilege required for access and business purpose for that access
Requirement 7.1.1
Recommendation: Work across development and IT operations to clearly define access rights based on business purpose
Only 34% of the retail sector measures the reduction in access and authentication violations to assess risk management efforts
#3 – Take Inventory of Wireless Access Points
Maintain an inventory of authorized wireless access points including a documented business justification
This is not an inventory of only the in-scope wireless access points; it is an inventory of all wireless access points
For organizations that have invested heavily in wireless this could be an issue and take a while to produce
Requirement 11.1.1
Recommendation: Start to centrally manage (discover, monitor, report) on your wireless infrastructure periodically to get visibility
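The reconciliation an assessor will walk through for 11.1.1, as an added example that is not from the webinar: compare a wireless site survey against the authorized-AP inventory and report unknown radios, inventoried radios that were not found, and entries missing the documented business justification. The inventory, survey records and MAC addresses are constructed sample data.

```python
# Added example (not from the webinar): reconcile a wireless site survey
# against the authorized-AP inventory that requirement 11.1.1 asks for.
# The inventory and survey records below are constructed sample data.
from dataclasses import dataclass

@dataclass
class AuthorizedAP:
    bssid: str
    ssid: str
    location: str
    business_justification: str = ""  # 11.1.1 wants this documented

def normalize(bssid: str) -> str:
    """Scanners report MACs in mixed case and with '-' or ':' separators."""
    return bssid.lower().replace("-", ":")

def reconcile(inventory, survey):
    """survey: list of (bssid, ssid, location) tuples from a wireless scan.
    Returns the exceptions an assessor will ask about."""
    by_bssid = {normalize(ap.bssid): ap for ap in inventory}
    seen = set()
    f = {"unauthorized": [], "missing": [], "unjustified": [], "ssid_mismatch": []}
    for bssid, ssid, location in survey:
        key = normalize(bssid)
        seen.add(key)
        ap = by_bssid.get(key)
        if ap is None:                      # broadcasting but not in inventory
            f["unauthorized"].append((bssid, ssid, location))
        elif ap.ssid != ssid:               # known radio, unexpected SSID
            f["ssid_mismatch"].append((ap.bssid, ap.ssid, ssid))
    for key, ap in by_bssid.items():
        if key not in seen:                 # inventoried but not found
            f["missing"].append(ap.bssid)
        if not ap.business_justification.strip():
            f["unjustified"].append(ap.bssid)
    return f

# Constructed inventory and survey for one store (not real devices).
INVENTORY = [
    AuthorizedAP("00:11:22:33:44:01", "STORE-POS", "Store 12 back office", "POS uplink"),
    AuthorizedAP("00:11:22:33:44:02", "STORE-GUEST", "Store 12 front", ""),
    AuthorizedAP("00:11:22:33:44:03", "STORE-POS", "Store 12 stockroom", "Handheld scanners"),
]
SURVEY = [
    ("00-11-22-33-44-01", "STORE-POS", "Store 12 back office"),
    ("00:11:22:33:44:02", "STORE-GUEST", "Store 12 front"),
    ("AA:BB:CC:DD:EE:FF", "STORE-POS", "Store 12 front"),  # unknown AP using the POS SSID
]
```

Run `reconcile(INVENTORY, SURVEY)` after each periodic survey; the "unauthorized" list is what needs an incident response step, the other three are inventory hygiene items.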
#4 – Maintain An Inventory of In-Scope Devices
Goes beyond just your wireless access points and now requires you to “maintain an inventory of system components that are in scope for PCI DSS”
Refers to all hardware (virtual or physical hosts and network devices), as well as software components (custom or commercial, off-the-shelf applications, whether internal or external) within the cardholder data environment
Compounded when virtualization is thrown into the mix or when the environment sprawls out in multiple geographic locations
Requirement 2.4
Recommendation: Accept that this is really difficult to do and begin to hone and develop ways to create and manage these inventories
#5 – Get My Arms Around Sensitive Authentication Data
Requirement 6.5.6
This is being driven by BlackPOS, vSkimmer and similar memory scraping threats
Has resulted in a new requirement being added
Big push to ensure that sensitive authentication data is secured and deleted
Memory Scraping Malware: Attackers used memory-scraping malware to probe system memory and steal sensitive data in about 50% of investigations where malware had data collection functionality. Attackers used malicious PDF files, targeting Adobe Reader vulnerabilities in 61% of all client-side attacks.
Recommendation: Get this essential book Hacking Point of Sales: Payment Application Secrets, Threats, and Solutions to help you address this serious problem
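Knowing whether sensitive authentication data has actually been deleted means looking for it where it should not be (logs, crash dumps, temp files). The scanner below is an added example, not from the webinar or the book: it finds residual Track 2 data by its stripe format, uses a Luhn check to drop digit runs that only look like a PAN, and reports a masked PAN so the finding itself does not re-create the exposure. The sample log lines are constructed and use a well-known test PAN.

```python
# Added example (not from the webinar): find residual Track 2 data in text
# (logs, dumps, temp files) so leftover sensitive authentication data can be
# securely deleted.  The sample lines are constructed and use a test PAN.
import re

# Track 2 as encoded on the stripe: ;PAN=YYMM<service code><discretionary>?
TRACK2_RE = re.compile(r";?(\d{13,19})=(\d{4})(\d{3})(\d*)\??")

def luhn_ok(pan: str) -> bool:
    """Luhn check so that arbitrary digit runs (timestamps, refs) are skipped."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """Report only first six / last four; the scanner must never re-log a PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_track2(text: str):
    """Return one record per Track 2 hit, with the PAN masked."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in TRACK2_RE.finditer(line):
            pan, exp, svc, disc = m.groups()
            if not luhn_ok(pan):
                continue
            hits.append({"line": line_no, "pan_masked": mask(pan), "expiry": exp,
                         "service_code": svc, "has_discretionary": bool(disc)})
    return hits

# Constructed sample log; 4111111111111111 is a widely used test PAN.
SAMPLE = """\
2014-03-02 10:14:55 POS-07 swipe ok ;4111111111111111=15121011234567890?
2014-03-02 10:15:01 POS-07 ref=1234567890123=9999000
2014-03-02 10:15:09 POS-07 txn approved auth=123456
"""
```

Only the first line is reported: the second contains a 13-digit reference that fails the Luhn check, so it is not a PAN.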
#6 – Protect My Point of Sale Terminals
Requirement 9.9
Mounting terminals in a locked cradle
Placing serialized security tape over the seams of the card terminal and over the wires or connectors inside of card readers
Reviewing and logging, at least daily, the serialized security tape for tampering and taking questionable equipment out of service
Video monitoring of all terminals for tampering including hours when the retail operation is closed
Replacing card equipment only with the approval of management outside of the retail facility
Recommendation: Focus on security awareness training at the endpoint to train non-technical staff on what to look for, and be clear about what your expectations are
There are more than a billion active credit and debit cards in the U.S., and nearly 48% of those are breached annually at the point of sale!
#7 – Work Through Service Provider Credentials
A best practice until July 1, 2015
Requirement 8 now requires service providers to use unique credentials per customer
Requirement 12 makes service providers acknowledge their responsibility
The driver behind this requirement is that too many breaches were determined to have been caused by a vendor having remote access to customers’ equipment and using the same credentials to gain access to every customer.
Requirement 8.5.1
Recommendation: Kick start conversations with your MSSP, vendors and service providers to ask them to document scoping and enter into a formal, written agreement about it
#8 – Implement a Penetration Testing Methodology
One of the best practices that organizations will need to take some time to prepare for is the set of changes to requirement 11.3
11.3: implement a penetration testing methodology
11.3.4: if segmentation is used on the network, use penetration testing to verify that the segmentation methods are operational and effective
You now must begin to develop a true vulnerability management program
This requirement is going to require your organization to finally truly implement requirement 6.1 (was 6.2 in v2.0) of the PCI DSS
Requirement 11.3
Only 41 percent of the retail sector uses penetration testing to identify security risks
Recommendation: Immediately begin to document and keep track of all threats and vulnerabilities to your environment for the last 12 months
Top 3 Things to Focus Your Attention On: July 1, 2015 is just around the corner
1. Protect My Point-of-Sales Terminals (9.9)
2. Work Through Service Provider Credentials (8.5.1)
3. Implement a Pen Testing Methodology (11.3)
Key PCI Resources: Get Started Now
Infographic
http://www.tripwire.com/state-of-security/regulatory-compliance/pci-dss-3-0-whats-new-infographic/
Solution Information
http://www.tripwire.com/regulatory-compliance/pci-dss-compliance/
http://www.fishnetsecurity.com/sites/default/files/service-attach/PRC-SL0015_PCI-Solutions_WEB.pdf
Market Research
http://www.tripwire.com/ponemon/2013/
PCI DSS 3.0
https://www.pcisecuritystandards.org/security_standards/documents.php
Webcast Series
http://www.tripwire.com/register/how-pci-dss-30-impacts-your-organization/
PCI Scoping Toolkit
http://itrevolution.com/pci-scoping-toolkit/
You’re Already Registered!!!
Join us for our next webcast! Tuesday, December 17th, 10:00am PST/1:00pm EST
Vulnerability Voodoo: The Convergence of Foundational Security Controls
http://www.tripwire.com/register/vulnerability-voodoo-the-convergence-of-foundational-security-controls/
PCI Series Webcast #2: January 22, 2014, 10:00am PST/1:00pm EST
Speaker: Adrian Sanabria, of 451 Group
tripwire.com | @TripwireInc
Jeff Hall: [email protected] | @JBHall56
Cindy Valladares: [email protected] | @cindyv
THANK YOU