key implications of pci dss v3.1 update


Upload: ajay-unni

Post on 06-Apr-2017


TRANSCRIPT

Page 1: Key implications of PCI DSS v3.1 update

© 2016 Stickman Consulting Pty Ltd 1

PCI DSS Update: Key implications of PCI DSS v3.1

By Ajay Unni, CEO, Stickman Consulting

Page 2: Key implications of PCI DSS v3.1 update


Agenda

• Why PCI DSS v3.1
• Summary of PCI DSS v3.1
• How to know if you're using SSL/early TLS
• What you should do if using SSL/early TLS
• Is your organisation using SSL/early TLS?
• Key implications for merchants
• Key implications for small merchants
• What should e-commerce websites do?
• Steps to migrate safely
• About Stickman

Page 3: Key implications of PCI DSS v3.1 update


Why PCI DSS v3.1?

• PCI DSS v3.1 was released in April 2015.
• It was released early, outside the normal release cycle, because of identified threats to the Secure Sockets Layer (SSL) and early Transport Layer Security (TLS) protocols.
• The POODLE attack on SSL 3.0 (CVE-2014-3566), together with vulnerabilities such as FREAK (CVE-2015-0204) and WinShock (CVE-2014-6321, Microsoft Schannel), also expedited its release.

Page 4: Key implications of PCI DSS v3.1 update


Why PCI DSS v3.1 cont’d

• SSL and early versions of TLS are no longer considered strong cryptography for protecting cardholder data in transit, for example between a browser and a web server.

Page 5: Key implications of PCI DSS v3.1 update


Summary of PCI DSS v3.1

• The key requirements affected by PCI DSS v3.1 are:
  – 2.2.3: Additional security features (secured protocols such as SSH, SFTP, TLS or an IPsec VPN) for insecure services and protocols such as FTP, Telnet and file sharing.
  – 2.3: Encryption of all non-console administrative access using strong cryptography.
  – 4.1: Strong cryptography and security protocols to protect cardholder data during transmission over open, public networks.
• In each case, SSL and early TLS no longer count as strong cryptography.

Page 6: Key implications of PCI DSS v3.1 update


How to know if you're using SSL/early TLS?

• Contact your network or software vendor to determine which protocol versions each product is configured to use.
• Conduct internal and external vulnerability scans to identify any applications that still accept SSL/early TLS; the quarterly external scan by an Approved Scanning Vendor (ASV) flags these protocols.
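As an added example (not part of the Stickman deck), the following Python script does the check above directly rather than through a scanner: it sends a bare ClientHello for SSLv3, TLS 1.0, 1.1 and 1.2 over a raw socket and classifies the first record the server returns (ServerHello with the negotiated version, or an alert). Raw records are used instead of Python's ssl module because current OpenSSL builds refuse to even offer SSLv3. The function names (build_client_hello, classify_response, probe, weak_protocols_accepted) are my own, and the server responses used when no host is given on the command line are constructed byte strings, not captured traffic.

```python
import socket
import struct
import sys

# Wire versions (major, minor): SSLv3 is 3.0, TLS 1.x is 3.(x+1).
VERSIONS = {
    "SSLv3":   (3, 0),
    "TLSv1.0": (3, 1),
    "TLSv1.1": (3, 2),
    "TLSv1.2": (3, 3),
}
VERSION_NAMES = {v: k for k, v in VERSIONS.items()}
WEAK = ("SSLv3", "TLSv1.0")   # what PCI DSS v3.1 calls "SSL/early TLS"

# Suites an old SSLv3/TLS 1.0 stack recognises. If none of the offered suites is
# acceptable the server answers handshake_failure instead of ServerHello, which
# would otherwise be misread as "version not supported".
LEGACY_SUITES = (0x002F, 0x0035, 0x000A, 0x0005)  # AES128-SHA, AES256-SHA, 3DES, RC4-SHA

ALERTS = {40: "handshake_failure", 47: "illegal_parameter", 70: "protocol_version"}


def build_client_hello(version, suites=LEGACY_SUITES):
    """Return one TLS record holding a bare ClientHello for `version`.
    No extensions are sent, so even SSLv3-only endpoints can parse it."""
    major, minor = version
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (
        bytes((major, minor))
        + b"\x00" * 32                                   # client_random (constant is fine for a probe)
        + b"\x00"                                        # session_id length 0
        + struct.pack("!H", len(suite_bytes)) + suite_bytes
        + b"\x01\x00"                                    # one compression method: null
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16" + bytes((major, minor)) + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Interpret the first record a server returns: ("accepted", negotiated version),
    ("rejected", alert name) or ("unknown", detail)."""
    if len(data) < 5:
        return ("unknown", "short read")
    content_type = data[0]
    length = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + length]
    if content_type == 0x16 and len(payload) >= 6 and payload[0] == 0x02:
        chosen = (payload[4], payload[5])   # ServerHello.server_version after the 4-byte handshake header
        return ("accepted", VERSION_NAMES.get(chosen, "0x%02x%02x" % chosen))
    if content_type == 0x15 and len(payload) >= 2:
        return ("rejected", ALERTS.get(payload[1], "alert %d" % payload[1]))
    return ("unknown", "content type %d" % content_type)


def probe(host, port=443, timeout=5.0):
    """Offer each version in turn and record how the server answers."""
    results = {}
    for name, version in VERSIONS.items():
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                sock.sendall(build_client_hello(version))
                results[name] = classify_response(sock.recv(4096))
        except OSError as exc:
            results[name] = ("unknown", str(exc))
    return results


def weak_protocols_accepted(results):
    """Versions the server actually negotiated that v3.1 no longer permits
    (a server may pick a lower version than the one offered, so look at the answer)."""
    return sorted({v for status, v in results.values() if status == "accepted" and v in WEAK})


if __name__ == "__main__":
    if len(sys.argv) > 1:
        res = probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443)
    else:
        # Constructed responses so the script runs offline: a ServerHello choosing
        # TLS 1.0, and a protocol_version alert answering the SSLv3 offer.
        res = {
            "TLSv1.0": classify_response(
                b"\x16\x03\x01\x00\x2a" + b"\x02\x00\x00\x26" + b"\x03\x01"
                + b"\x00" * 32 + b"\x00" + b"\x00\x2f" + b"\x00"),
            "SSLv3": classify_response(b"\x15\x03\x00\x00\x02\x02\x46"),
        }
    for name, (status, detail) in res.items():
        print("%-8s %-9s %s" % (name, status, detail))
    print("SSL/early TLS accepted:", weak_protocols_accepted(res) or "none")
```

Run it as `python probe.py host [port]` against a host you are authorised to test. Two caveats: the hello carries no SNI extension, so a name-based virtual host may answer for its default site, and a "rejected" with handshake_failure means the cipher list, not necessarily the version, was refused, so widen the suite list before concluding a version is disabled.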

Page 7: Key implications of PCI DSS v3.1 update


What you should do if using SSL/early TLS

• Reconfigure your software to disable SSL 3.0 (and, where possible, TLS 1.0), following the instructions on the vendor's website or, failing that, guidance from online forums and blogs verified against the vendor documentation.
• Upgrade to the latest software version from the vendor and configure it for the latest version of TLS (TLS 1.2 at the time of writing).
• Where the protocol cannot yet be changed, encrypt the data itself with strong cryptography, such as application-level or field-level encryption, before transmitting it over SSL/early TLS.
• Alternatively, set up a separately encrypted session, such as an IPsec tunnel, and send the SSL traffic through the tunnel.
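As an added illustration of the "reconfigure" step, not taken from the deck or from any vendor's documentation, here is a server-side TLS configuration in Python's ssl module with the permissive pre-migration settings beside the hardened ones, plus a small audit that flags what v3.1 no longer accepts. The function names (legacy_context, hardened_context, audit, audit_context) and the cipher strings are my choices; the "ALL:!aNULL" legacy string is a hypothetical example of the kind of setting found in old deployments, and what it actually enables depends on the OpenSSL build Python is linked against.

```python
import re
import ssl

# OpenSSL cipher-name fragments that identify suites PCI DSS v3.1 no longer
# treats as strong cryptography (or that exist only for SSL/early TLS).
WEAK_CIPHER = re.compile(r"RC4|3DES|DES-CBC|NULL|EXP|MD5", re.IGNORECASE)
TLS12 = 0x0303   # wire value of TLS 1.2; ssl.TLSVersion.TLSv1_2 == 771


def legacy_context():
    """Before: a hypothetical pre-migration server context that accepts whatever
    the linked OpenSSL allows. On older builds that includes SSLv3/TLS 1.0 with
    RC4 and 3DES suites; on a current build the library's own floor applies."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("ALL:!aNULL")        # permissive string typical of old deployments
    return ctx


def hardened_context():
    """After: TLS 1.2 as the floor and forward-secret AEAD suites only.
    minimum_version supersedes the deprecated OP_NO_SSLv3/OP_NO_TLSv1 flags."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5")
    return ctx


def audit(min_version, cipher_names):
    """Return findings for a (minimum protocol version, cipher list) pair.
    Plain ints and strings are used so the same check can run on settings
    pulled from a config file, not only on a live context."""
    findings = []
    if min_version < TLS12:
        findings.append("minimum protocol version below TLS 1.2: SSL/early TLS can be negotiated")
    weak = sorted(n for n in cipher_names if WEAK_CIPHER.search(n))
    if weak:
        findings.append("weak cipher suites enabled: " + ", ".join(weak))
    return findings


def audit_context(ctx):
    """Run audit() against a live SSLContext."""
    return audit(int(ctx.minimum_version), [c["name"] for c in ctx.get_ciphers()])


if __name__ == "__main__":
    for label, ctx in (("legacy", legacy_context()), ("hardened", hardened_context())):
        print(label + ":", audit_context(ctx) or ["no findings"])
```

The same two checks (protocol floor and cipher list) are what to apply to a web server, load balancer or POS gateway configuration; the exact directive differs per product, which is why the deck points you at the vendor's instructions.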

Page 8: Key implications of PCI DSS v3.1 update


Key implications for merchants

• Merchants cannot use SSL or early TLS in any new implementation.
• SSL and early TLS cannot be used as a security control for cardholder data after 30 June 2016 (the PCI SSC subsequently extended this deadline to 30 June 2018 in PCI DSS v3.2).
• Merchants with existing implementations must have a documented risk mitigation and migration plan in place before that date.
• POS point-of-interaction (POI) terminals, and the termination points they connect to, that can be verified as not susceptible to any known exploits for SSL/early TLS may continue to use these protocols after the deadline.

Page 9: Key implications of PCI DSS v3.1 update


Key actions for small merchants

• Small merchants must also eliminate SSL/early TLS from their cardholder data environment.

• Assess Point of Sale terminals for SSL/early TLS vulnerabilities.

• Identify areas (servers, computers, POS terminals) where SSL/early TLS is implemented and upgrade or reconfigure prior to 30 June 2016.


Page 10: Key implications of PCI DSS v3.1 update


What should e-commerce websites do?

• Create a risk mitigation and migration plan.

• Before migration, reduce the number of servers that terminate SSL/early TLS, so that fewer systems are exposed to the vulnerabilities.

Page 11: Key implications of PCI DSS v3.1 update


Steps to migrate safely

1. Identify the data flows and system components that support vulnerable protocols.
2. For each data flow or system component, identify the business or technical need for the vulnerable protocol.
3. Remove all occurrences of vulnerable protocols that are not supported by a business or technical need.
4. Identify which technologies can replace the protocols, and fully document the secure configurations planned for implementation.
5. Document the migration plan, outlining the steps and timeframes for each update.
6. Deploy risk-reduction controls to counter the known vulnerabilities until all vulnerable protocols are permanently removed.
7. Follow change control procedures to ensure all updates are authorised.
8. Update the system configuration standards once the migration is complete.

Page 12: Key implications of PCI DSS v3.1 update


Our clients

Page 13: Key implications of PCI DSS v3.1 update


The Payment Card Industry Landscape

Page 14: Key implications of PCI DSS v3.1 update


PCI Lifecycle Action Plan (12-month cycle): Phase I Assess, Phase II Remediate, Phase III Certify, Phase IV Maintain

Page 15: Key implications of PCI DSS v3.1 update


P: 1800 785 626
E: [email protected]

Level 11, Suite 2, 210 George Street, Sydney NSW 2000

Thank you!