An in-depth look at how to prepare for PCI 3.0. Join us as we discuss: scoping, the DSS, testing requirements, credit card security, and threat & vulnerability management.
Firehost Webinar: Getting Ready for PCI 3.0
1. Getting Ready for PCI 3.0
Kurt Hagerman
Chief Information Security Officer
Webinar Series: Part 1 of 6
2. What We’ll Cover
• Overview of Significant Changes
• Guidance on Addressing the Changes
• Observations on Anticipated Challenges
• Recommended Initial To-do List
• Next Time (Series Part 2)
• Address Your Questions
AGENDA
Webinar Series: Getting Ready for PCI 3.0
Submit your questions throughout the
webinar via chat. We’ll address them live
at the end or follow up offline.
3. Scoping
• More responsibility for fully defining and documenting the scope of the CDE:
  Maintain an inventory of all systems within the CDE (NEW CONTROL)
  Produce a cardholder data flow diagram (NEW CONTROL)
  Perform pen testing to verify all segmentation (STRENGTHENED CONTROL)
SIGNIFICANT CHANGES
Webinar Series: Getting Ready for PCI 3.0
4. Scoping (cont.)
• Shared responsibilities with service providers:
  Maintain a list of control responsibilities with each provider (NEW CONTROL)
  More specific testing of service provider controls (policies, procedures, etc.) throughout the 12 control families (NEW CONTROLS)
  More acknowledgements of responsibilities: service providers are required to sign written agreements with all of their customers (NEW CONTROL; best practice until June 2015)
SIGNIFICANT CHANGES
Webinar Series: Getting Ready for PCI 3.0
5. SIGNIFICANT CHANGES
Webinar Series: Getting Ready for PCI 3.0
Threat & Vulnerability Management
Evaluate evolving threats to systems not commonly affected by malware (STRENGTHENED CONTROL)
More requirements to keep vulnerability information current using specific industry sources (STRENGTHENED CONTROL)
New requirements around physical security of payment terminals (NEW CONTROL; best practice until June 2015)
Implement a methodology for pen testing that matches the CDE design and its risks (STRENGTHENED CONTROL)
6. SIGNIFICANT CHANGES
Webinar Series: Getting Ready for PCI 3.0
Clarity & Reorganization
Further breakdown of controls with additional testing requirements
Elimination of redundant sub-controls
More detailed guidance on logging and log review controls
Specific controls for policy and procedure documentation throughout the 12 control families
Integrated content from the guidance document into the DSS
7. Implement PCI into Business-as-Usual Processes
• Monitor security controls to ensure effective operation
• Ensure failures are detected and addressed quickly
• Review changes to the environment and address the potential impact on scope
• Review the potential impact to scope of changes to organizational structure (for example, a company merger or acquisition)
• Conduct periodic reviews of DSS requirements to ensure they continue to operate as designed
• Annually review hardware and software used within the CDE and confirm their continued vendor support
ADDITIONAL GUIDANCE
Webinar Series: Getting Ready for PCI 3.0
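The business-as-usual items above amount to a recurring review of the CDE system inventory that 3.0 now requires you to maintain. The following is an added example, not code from the webinar or from FireHost, of such a review in Python: it walks a constructed inventory (hostnames, roles and dates are assumptions) and flags in-scope systems that are out of vendor support, missing from the cardholder data flow diagram, or not reviewed within the last year.

```python
from datetime import date, timedelta

# Constructed CDE inventory for this example; hostnames, roles and dates
# are assumptions, not data from any real environment.
CDE_INVENTORY = [
    {"host": "pos-db-01", "role": "cardholder database", "in_cde": True,
     "support_end": date(2016, 1, 31), "data_flow_documented": True,
     "last_review": date(2013, 12, 1)},
    {"host": "pos-app-02", "role": "payment application", "in_cde": True,
     "support_end": date(2013, 6, 30), "data_flow_documented": True,
     "last_review": date(2013, 12, 1)},
    {"host": "batch-03", "role": "settlement batch host", "in_cde": True,
     "support_end": date(2017, 1, 1), "data_flow_documented": False,
     "last_review": date(2012, 10, 15)},
    {"host": "intranet-04", "role": "HR wiki", "in_cde": False,
     "support_end": date(2015, 1, 1), "data_flow_documented": False,
     "last_review": date(2012, 1, 1)},
]


def review_inventory(inventory, today_iso, max_review_age_days=365):
    """Return (host, issue) pairs for every in-scope system failing a check.

    today_iso is the review date as an ISO string, e.g. "2014-01-15".
    """
    today = date.fromisoformat(today_iso)
    max_age = timedelta(days=max_review_age_days)
    findings = []
    for system in inventory:
        if not system["in_cde"]:
            continue  # out-of-scope systems are not part of the CDE review
        if system["support_end"] < today:
            findings.append((system["host"], "vendor support ended"))
        if not system["data_flow_documented"]:
            findings.append((system["host"], "missing from cardholder data flow diagram"))
        if today - system["last_review"] > max_age:
            findings.append((system["host"], "not reviewed in the last year"))
    return findings


if __name__ == "__main__":
    for host, issue in review_inventory(CDE_INVENTORY, "2014-01-15"):
        print(f"{host}: {issue}")
```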
8. Positive Changes
• Addresses many of the well-known weaknesses in the DSS
• Reorganization and consolidation of controls makes the DSS easier to understand
• More detailed testing procedures and inclusion of guidance for each control provides needed clarification on how the controls apply and what QSAs will be looking for
• Clarification of scoping requirements and responsibility will help improve relationships between QSAs and their customers
• If the changes are embraced and QSAs do proper assessments, there should be a measurable improvement in credit card security
OBSERVATIONS ON CHANGES
Webinar Series: Getting Ready for PCI 3.0
9. ANTICIPATED CHALLENGES
Webinar Series: Getting Ready for PCI 3.0
Challenges
• Physical security controls for payment terminals – significant hardship for retailers with large numbers of sites
• Detailed scoping requirements will be difficult for many smaller and mid-sized merchants
• Delineation of responsibilities between service providers and merchants
• Strengthened pen testing requirements will likely result in many organizations no longer being compliant or at least increasing the scope of their CDE
10. ANTICIPATED CHALLENGES
Webinar Series: Getting Ready for PCI 3.0
Challenges (cont.)
• Implementing PCI DSS into Business-as-Usual Processes
  • PCI compliance has been seen as a once-a-year exercise
  • Many organizations lack (mature) InfoSec organizations to make this happen
  • Significant inertia of the checkbox compliance movement
• Immediate impact will likely mean increased time and costs for organizations to remain compliant
  • Resistance to increased audit costs will put pressure on QSAs to perform proper assessments
  • Already strained IT budgets will see further upward pressure, increasing the difficulty security officers have in justifying the costs
11. Initial To-Do List
Download the new DSS
  Make notes where you have questions about how it may impact your organization
Schedule a conversation with your QSA
  Get their take on the new standard
  Start developing a gap analysis of issues
Choose a qualified service provider
  Validated as a VISA/MasterCard service provider
  Compliance experts on staff
  Transparent and auditor friendly
RECOMMENDED TO-DO LIST
Webinar Series: Getting Ready for PCI 3.0
12. What’s Next (Coming in Part 2)
• What to do in the next 12 months
• Getting more detailed with scoping
• Understanding payment terminal security
• Addressing pen testing challenges
• Don’t wait, start now
UP NEXT
Webinar Series: Getting Ready for PCI 3.0
List of significant changes
Scoping – responsibility on entity to define and document
Scoping – shared responsibilities with service providers
Threat/Vulnerability Management
Evaluate threats to systems not commonly affected by malware; more guidance on updating vulnerability information and on the sources to use for it
Physical security for payment terminals
Pen testing methodology that proves scope of CDE
Clarity – further breakdown of controls with additional testing requirements, elimination of redundant sub-requirements, more detailed guidance on logging, documentation controls dispersed throughout all 12 sections, and guidance integrated into the DSS
Implementing DSS into Business-as-usual processes
Total number of controls: DSS 3.0 = 396, DSS 2.0 = 289 (107 additional controls)
Bullet 3 - The more detailed testing procedures and the inclusion of guidance for each control provide much-needed clarification of how the controls apply and what QSAs will be looking for
Should help merchants and service providers better understand what they must do
Should help differentiate between checkbox QSAs and those who do a thorough job
Bullet 3 - Delineation of responsibilities between service providers and merchants
Many service providers are not clear about what they actually do
Merchants will need to learn how to ask the right questions and parse the information they are given
Bullet 4 - Strengthened pen testing requirements will likely result in many organizations no longer being compliant or at least increasing the scope of their CDE
Weak segmentation will be uncovered
Will potentially put a strain on the pen testing industry
How much more effort is this really going to mean for us over previous years?
How many controls were added this year, a lot more?
- Total number of controls: DSS 3.0 = 396, DSS 2.0 = 289 (107 additional controls)