Transcript
Page 1: PCI Security Standards Council - EMV Connection · PCI PTS Pin Entry Devices Ecosystem of payment devices, applications, infrastructure and users Software Developers PCI PA-DSS Payment

PCI Security Standards Council
Guiding open standards for global payment card security

Bob Russo, General Manager
December 2013

Page 2: Agenda

• Why PCI DSS 3.0?
• PCI DSS and EMV
• Get Involved

Page 3: About the PCI Council

Open, global forum, founded 2006

Guiding open standards for payment card security:

• Development
• Management
• Education
• Awareness

Page 4: Expanding Global Representation

Page 5: PCI Security Standards Suite: Protection of Cardholder Payment Data

Ecosystem of payment devices, applications, infrastructure and users:

• Manufacturers: PCI PTS (PIN entry devices)
• Software developers: PCI PA-DSS (payment applications)
• Merchants and service providers: PCI DSS (secure environments)
• P2PE (point-to-point encryption)

PCI Security & Compliance

Page 6: PCI Community Feedback Process

Changes made per our lifecycle:

• Open standards development process
• Feedback from our global PCI community
• Feedback period started in Fall of 2011

Page 7: Market Trends & Drivers

• Weak or default passwords
• Lack of employee education
• Security deficiencies introduced by third parties
• Slow self-detection

Source: 2013 Trustwave Global Security Report

Page 8: Key Considerations

What will improve payment security?

• Global applicability and local market concerns
• Appropriate sunset dates for other standards or requirements
• Cost/benefit of changes to infrastructure
• Cumulative impact of any changes

Page 9: Why PCI DSS 3.0?

Visit www.pcisecuritystandards.org to view this infographic

Page 10: PCI DSS, PA-DSS 3.0 – Key Themes

Make PCI your compass, not your roadmap

• Education
• Awareness
• Flexibility
• Security as a shared responsibility

Page 11: At a Glance…

• The 12 core security principles of PCI DSS remain the same
• Several new sub-requirements that will impact PCI DSS security efforts
• Future implementation dates provided for the more significant changes
• Clarified PCI DSS applicability
• Enhanced testing procedures to clarify the level of validation expected for each requirement
• Aligned language between requirements and testing procedures for consistency
• Instructions for Report on Compliance (ROC) reporting are now in a separate ROC reporting template

Page 12: Maintaining Compliance

Best Practices for Implementing PCI DSS into Business-as-Usual (BAU) Processes

• Focus on security, not compliance
• PCI DSS is not a once-a-year activity
• Don't forget about people

Page 13: Understanding Intent of Requirements

Page 14: Strong Authentication

PCI DSS v2.0:
8.5.7 Provide authentication procedures and policies to all users

PCI DSS v3.0:
8.4 Include guidance for users on:
• Selecting strong authentication credentials
• Protecting authentication credentials
• Not reusing previous passwords
• Changing passwords if there is any suspicion of compromise

Page 15: Security Policies and Procedures

PCI DSS v2.0:
12.1.1 Maintain a security policy that addresses all PCI DSS requirements
12.2 Develop daily operational security procedures that are consistent with requirements in the PCI DSS

PCI DSS v3.0:
1.5 Security policies and operational procedures for managing firewalls are documented and in use
2.5 Security policies and operational procedures for managing vendor defaults and security parameters are documented and in use

Page 16: Consistent Assessment Procedures

Promote consistent validation methods:
• Enhanced testing procedures
• Clarify what it means to "verify" that a requirement has been met

Improve reporting:
• Combine the template with the reporting instructions
• Clarify the level of detail required
• Reduce repetition

Page 17: Flexibility: PCI DSS Requirements

Page 18: Log Reviews

PCI DSS v2.0:
10.6 Review logs for all system components at least daily

PCI DSS v3.0:
10.6.1 Review at least daily:
• All security events
• Logs from systems that store, process, or transmit CHD/SAD
• Logs of system components that perform security functions

10.6.2 Review other logs periodically as determined by the organization's annual risk assessment
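The 10.6.1/10.6.2 split only works if the review process knows which system each log line came from and whether the line is a security event. The script below is an added example, not part of the PCI SSC deck: it triages constructed syslog-style lines against a constructed system inventory (the host names, roles, log lines and the list of "security event" patterns are all assumptions made up for illustration) into a daily queue (security events from anywhere, every line from CDE or security-function systems, and lines from hosts missing from the inventory) and a periodic queue, then runs one routine daily check, repeated failed logins from a single source.

```python
"""Daily vs. periodic log-review triage modelled on PCI DSS v3.0 10.6.1 / 10.6.2.

Added example, not part of the PCI SSC deck. Host names, roles, log lines and
the "security event" patterns below are constructed for illustration.
"""
import re
from collections import Counter

# Constructed system inventory. Roles follow the wording of 10.6.1:
#   cde      - stores, processes or transmits CHD/SAD
#   security - performs a security function (firewall, IDS, AAA, ...)
#   other    - everything else; reviewed per the risk assessment (10.6.2)
INVENTORY = {
    "pos-db-01": "cde",
    "pos-app-02": "cde",
    "fw-edge-01": "security",
    "hr-wiki-01": "other",
    "print-srv-01": "other",
}

# Constructed syslog-style records: timestamp host process[pid]: message
SAMPLE_LOGS = """\
2013-12-02T03:14:07Z pos-db-01 sshd[1203]: Failed password for root from 10.20.30.40 port 51022 ssh2
2013-12-02T03:14:09Z pos-db-01 sshd[1203]: Failed password for root from 10.20.30.40 port 51023 ssh2
2013-12-02T03:14:11Z pos-db-01 sshd[1203]: Failed password for root from 10.20.30.40 port 51024 ssh2
2013-12-02T03:20:00Z fw-edge-01 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=10.10.1.5 PROTO=TCP DPT=3389
2013-12-02T04:00:00Z hr-wiki-01 cron[88]: (root) CMD (/usr/bin/backup.sh)
2013-12-02T04:05:00Z hr-wiki-01 sshd[901]: Accepted publickey for deploy from 10.50.0.7 port 40112 ssh2
2013-12-02T04:10:00Z pos-app-02 payapp[4001]: settlement batch 1187 completed, 342 transactions
2013-12-02T04:11:00Z print-srv-01 cups[22]: Job 17 queued
2013-12-02T04:12:00Z lab-box-77 ntpd[5]: time reset +0.41s
"""

LINE_RE = re.compile(r"^(\S+) (\S+) ([^\s\[:]+)(?:\[(\d+)\])?: (.*)$")

# Constructed message patterns treated as "security events" (10.6.1, first bullet).
SECURITY_EVENT_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"\bFailed password\b",
        r"\bAccepted (?:password|publickey)\b",
        r"\b(?:DROP|DENY|REJECT)\b",
        r"\bsudo:",
        r"\buser(?:add|del|mod)\b",
    )
]

def parse_line(line):
    """Split one syslog-style line into fields; return None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, proc, pid, msg = m.groups()
    return {"ts": ts, "host": host, "proc": proc, "pid": pid, "msg": msg}

def is_security_event(msg):
    return any(p.search(msg) for p in SECURITY_EVENT_PATTERNS)

def triage(log_text, inventory):
    """Partition records into the daily (10.6.1) and periodic (10.6.2) review queues.

    Each record is tagged with the reason it landed where it did. A host that is
    missing from the inventory goes to the daily queue as well (design choice:
    an unscoped log source is a scoping gap, not an out-of-scope system).
    """
    queues = {"daily": [], "periodic": [], "unparsed": []}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            queues["unparsed"].append(raw)
            continue
        role = inventory.get(rec["host"])
        if is_security_event(rec["msg"]):
            reason = "security event"
        elif role in ("cde", "security"):
            reason = f"log from {role} system"
        elif role is None:
            reason = "host not in inventory"
        else:
            reason = "out-of-scope system, risk-based review"
        rec["reason"] = reason
        queue = "periodic" if reason.startswith("out-of-scope") else "daily"
        queues[queue].append(rec)
    return queues

def failed_login_sources(records, threshold=3):
    """One routine daily check: sources with >= threshold failed logins on a host."""
    counts = Counter()
    for rec in records:
        m = re.search(r"Failed password for \S+ from (\S+)", rec["msg"])
        if m:
            counts[(rec["host"], m.group(1))] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    q = triage(SAMPLE_LOGS, INVENTORY)
    for name in ("daily", "periodic"):
        print(f"== {name} review: {len(q[name])} records")
        for rec in q[name]:
            print(f"  {rec['host']:<13} {rec['reason']:<38} {rec['msg'][:55]}")
    print("== repeated failed logins:", failed_login_sources(q["daily"]))
```

Run it as a script to see the two queues. A host absent from the inventory is routed to the daily queue on purpose: a log source nobody has scoped is a scoping gap, not an out-of-scope system, and the 11.3 scoping work should resolve it rather than the log reviewer silently skipping it. The `SECURITY_EVENT_PATTERNS` list is a placeholder; the real set of events reviewed daily has to come from the organization's own risk assessment and the log sources it actually has.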

Page 19: Security as a Shared Responsibility

• Guidance: outsourcing PCI DSS responsibilities
• Requirement 8: service providers use a unique credential per customer
• Requirement 12: service providers acknowledge their responsibility

Page 20: Physical Security for POS Devices

9.9 Protect devices that capture payment card data from tampering and substitution

• Maintain an up-to-date list of devices
• Periodically inspect device surfaces to detect tampering or substitution
• Provide training for personnel to be aware of attempted tampering or replacement of devices

Page 21: Penetration Testing and Effective Scoping

11.3 Implement a penetration testing methodology

11.3.4 If segmentation is used, perform penetration tests to verify that the segmentation methods are operational and effective
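11.3.4 asks for evidence that the segmentation controls actually stop traffic between out-of-scope networks and the CDE. The script below is an added example, not code from the PCI SSC deck: it runs a plain TCP-connect probe from an out-of-scope segment against a list of CDE host/port pairs plus a control target, and turns the results into a verdict with evidence. Every segment name, host name and port is constructed (`*.example.test`); `probe_tcp` performs a real connect when run on a network, and `fake_prober_factory` substitutes constructed outcomes so the script also runs offline.

```python
"""Segmentation verification in the spirit of PCI DSS v3.0 11.3.4.

Added example, not from the PCI SSC deck. Segment names, hosts and ports are
constructed; run the script from a host on each out-of-scope segment. The probe
is a plain TCP connect, so it checks TCP reachability only and does not replace
the penetration test the requirement calls for.
"""
import socket

# Constructed test plan. CDE targets must be unreachable from the out-of-scope
# segment. The control target must be reachable from that same segment: it
# proves the probe itself works, since a scanner with no network at all also
# reports every target as "filtered".
CDE_TARGETS = [
    ("pos-db-01.example.test", 3306),
    ("pos-app-02.example.test", 443),
    ("pos-app-02.example.test", 22),
]
CONTROL_TARGETS = [
    ("intranet.example.test", 80),
]

def probe_tcp(host, port, timeout=2.0):
    """Classify one TCP connect attempt.

    open     - handshake completed: a service on the target answered
    closed   - RST received: nothing listening, but the packet got through,
               so a path to the target exists (or the firewall rejects, not drops)
    filtered - no answer before the timeout: traffic dropped
    error    - name resolution or other local failure (inconclusive)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "error"

def run_segmentation_check(source_segment, targets, controls, prober=probe_tcp):
    """Probe every CDE target and control from one segment; return verdict and evidence.

    Segmentation counts as effective only when every CDE probe is "filtered" and
    at least one control probe is "open". Anything else on a CDE target is a
    finding, including "closed", because a RST proves layer-3/4 reachability.
    """
    evidence, cde_findings = [], []
    for host, port in targets:
        outcome = prober(host, port)
        evidence.append((source_segment, host, port, outcome))
        if outcome != "filtered":
            cde_findings.append(f"{source_segment} -> {host}:{port} is {outcome}")
    control_ok = any(prober(host, port) == "open" for host, port in controls)
    findings = list(cde_findings)
    if not control_ok:
        findings.append(f"{source_segment}: no control target reachable, results not trustworthy")
    return {"effective": control_ok and not cde_findings,
            "findings": findings, "evidence": evidence}

def fake_prober_factory(outcomes):
    """Offline stand-in for probe_tcp: {(host, port): outcome}, default "filtered"."""
    return lambda host, port: outcomes.get((host, port), "filtered")

if __name__ == "__main__":
    # Constructed outcomes standing in for a real run from the "corp-lan" segment.
    simulated = fake_prober_factory({
        ("intranet.example.test", 80): "open",      # control reachable: probe works
        ("pos-app-02.example.test", 22): "closed",  # RST from a CDE host: path exists
    })
    report = run_segmentation_check("corp-lan", CDE_TARGETS, CONTROL_TARGETS, prober=simulated)
    print("segmentation effective:", report["effective"])
    for finding in report["findings"]:
        print("  finding:", finding)
    # To probe a live network instead, drop the prober argument:
    # run_segmentation_check("corp-lan", CDE_TARGETS, CONTROL_TARGETS)
```

Two choices matter here. A "closed" result (TCP RST) is treated as a finding, not a pass: the RST proves the probe reached the CDE host, so the segmentation is passing traffic even though nothing listened on that port (if the control is deliberately configured to reject rather than drop, record that as the expected outcome for the pair instead). And a run in which no control target is reachable is reported as untrustworthy rather than effective, because a scanner with no network path at all also sees every target as "filtered". A connect scan checks TCP reachability only; it is a quick regression check between the penetration tests the requirement calls for, not a replacement for them.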

Page 22: Effective Dates for v3.0 PCI DSS

• v3.0 is effective on January 1st, 2014
• Version 2.0 is valid until December 31st, 2014
• v2.0 and v3.0 have different supporting documents: check our website for the latest documents, and do not mix and match

Page 23: EMV Chip Roadmap in US

Page 24: EMV Chip Helps Reduce Face-to-Face Fraud

Page 25: EMV Needs PCI

EMV chip needs PCI

Page 26: Even EMV Chip Needs PCI

Page 27: Terminal Security

Page 28: PTS Listings

Page 29: And Emerging Technologies?

People + Processes + Technology = Security

Page 30: Mobile Payment Acceptance

• PCI standards focus on merchant acceptance
• Mobile payment acceptance is still evolving
• Understand the risk and use PCI SSC resources
• PCI SSC is working with industry

Page 31: Mobile Payment Acceptance

Guidelines published 2012-2013:

• PCI Mobile Payment Acceptance Guidelines for Developers
• PCI Mobile Payment Acceptance Guidelines for Merchants as End-Users
• Accepting Mobile Payments with a Smartphone or Tablet

Page 32: PCI Special Interest Groups

Visit www.pcisecuritystandards.org to download this guidance

Page 33: 2014 Special Interest Groups

• Formal Security Awareness: Best Practices for Implementing a Formal Security Awareness Program
• Penetration Testing Guidance

Page 34: Training Options

• Online Internal Security Assessor (ISA) Training
• Corporate PCI Awareness – Let Us Come To You!
• Online Awareness Training in Four Hours
• Qualified Integrators and Resellers (QIR)™ Program
• PCI Professional Program (PCIP)™

To learn more, visit: www.pcisecuritystandards.org/training

Page 35: Qualified Integrators and Resellers (QIR)™

Page 36: QIR Addresses Common Misconceptions

• "I'm using a 'reputable' 3rd party, so they must be doing a secure installation."
• "This applies only to brick and mortar establishments."
• "I'm using a PA-DSS validated application, so I must be OK."

Page 37: Payment Card Industry Professional (PCIP)™

Now available

• Support your organization
• Professional credibility
• Competitive advantage
• Global directory

Page 38: PCI SSC Website

• Documents library
• Dedicated page for small merchants
• Listings of approved companies and providers
• Videos and webinars
• Frequently asked questions microsite

Page 39: Security is a shared responsibility

Page 40: Get Involved – We Need Your Input

Join · Learn · Input · Network · Nominate · Vote · Share · Influence

Page 41: Questions?

Please visit our website at www.pcisecuritystandards.org

