moscow deck final
Guiding open standards for global payment card security
PCI Security Standards Council
Jeremy King, European Director
November 2013
PCI Security Standards Suite: Protection of Cardholder Payment Data
Ecosystem of payment devices, applications, infrastructure and users
• Manufacturers: PCI PTS (PIN Entry Devices)
• Software Developers: PCI PA-DSS (Payment Applications)
• Merchants & Service Providers: PCI DSS (Secure Environments)
• P2PE
• PCI Security & Compliance
PCI DSS Feedback
Changes made per our lifecycle
• Open standards development process
• Feedback from our global PCI community
• Feedback period started in Fall of 2011
Why PCI DSS 3.0?
Visit www.pcisecuritystandards.org to view this infographic
Who’s Getting Breached?
• Retail 45%
• Food & Beverage 24%
• Hospitality 9%
• Other 8%
• Financial Services 7%
• Nonprofit 3%
• Health & Beauty 2%
• High Technology 2%
Systems that store, process or transmit cardholder data remain primary targets for criminals
Source: Trustwave 2013 Global Security Report
Market Trends & Drivers
• Weak or default passwords
• Lack of employee education
• Security deficiencies introduced by third parties
• Slow self-detection
Source: 2013 Trustwave Global Security Report
PCI DSS, PA-DSS 3.0 – Key Themes
Make PCI your compass, not your roadmap
• Education and Awareness
• Flexibility
• Security as a Shared Responsibility
At a Glance…
• 12 core security principles of PCI DSS remain the same
• Several new sub-requirements that will impact PCI DSS security efforts
• Future implementation dates provided for more significant changes
• Clarified PCI DSS Applicability
• Enhanced testing procedures to clarify level of validation expected for each requirement
• Aligned language between requirements and testing procedures for consistency
• Instructions for Report on Compliance (ROC) reporting now provided in a separate ROC reporting template
Maintaining Compliance
Best Practices for Implementing PCI DSS into Business-as-Usual (BAU) Processes
• Focus on security not compliance
• PCI DSS is not a once-a-year activity
• Don’t forget about people
Understanding Intent of Requirements
Strong Authentication
PCI DSS v2.0:
8.5.7 Provide authentication procedures and policies to all users
PCI DSS v3.0:
8.4 Include guidance for users:
• Selecting strong authentication credentials
• Protecting authentication credentials
• Not reusing previous passwords
• Changing passwords if suspicion of compromise
Security Policies and Procedures
PCI DSS v2.0:
12.1.1 Maintain a security policy that addresses all PCI DSS requirements
12.2 Develop daily operational security procedures that are consistent with requirements in the PCI DSS
PCI DSS v3.0:
1.5 Security policies and operational procedures for managing firewalls are documented and in use
2.5 Security policies and operational procedures for managing vendor defaults and security parameters are documented and in use
Consistent Assessment Procedures
Promote consistent validation methods:
• Enhanced testing procedures
• Clarify what it means to “verify” a requirement has been met
Improve reporting:
• Combine template with reporting instructions
• Clarify level of detail required
• Reduce repetition
Flexibility: PCI DSS Requirements
Log Reviews
PCI DSS v2.0:
10.6 Review logs for all system components at least daily
PCI DSS v3.0:
10.6.1 Review at least daily:
• All security events
• Logs from systems that store, process, or transmit CHD/SAD
• Logs of system components that perform security functions
10.6.2 Review other logs periodically as determined by the organization’s annual risk assessment
Security as a Shared Responsibility
• Outsourcing PCI DSS responsibilities (Guidance)
• Service providers use unique credential per customer (Requirement 8)
• Service providers acknowledge responsibility (Requirement 12)
Physical Security for POS Devices
9.9 Protect devices that capture payment card data from tampering and substitution
• Maintain an up-to-date list of devices
• Periodically inspect device surfaces to detect tampering or substitution
• Provide training for personnel to be aware of attempted tampering or replacement of devices
Penetration Testing and Effective Scoping
11.3 Implement a penetration testing methodology
11.3.4 If segmentation is used, perform penetration tests to verify that the segmentation methods are operational and effective.
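The following is an added example, not code from the PCI SSC deck, of the kind of check an assessor runs for 11.3.4: from a host the organization treats as out of scope, attempt to reach every CDE system on the ports the segmentation control is supposed to block, and treat every completed connection as a finding. The host addresses, port list and the simulated firewall rule are constructed sample data; the real probe (`tcp_probe`) is included, but the demonstration runs offline through a stand-in probe so it can be executed anywhere. Only TCP is exercised here.

```python
"""Segmentation check in the spirit of PCI DSS 3.0 requirement 11.3.4.

Added example, not code from the PCI SSC deck. One concrete part of a
segmentation test is to sit on a host the organization considers out of
scope and attempt to reach every CDE system on every port that should be
blocked. A completed connection means the segmentation control is not
effective, or that the "out-of-scope" host is in fact connected-to and
therefore in scope. Addresses and simulated rules below are constructed.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Iterable, List, Set, Tuple

Probe = Callable[[str, int], bool]


@dataclass(frozen=True)
class Finding:
    host: str
    port: int


def tcp_probe(host: str, port: int, timeout: float = 0.5) -> bool:
    """Return True if a TCP handshake with host:port completes.

    Only TCP is exercised; a full 11.3.4 test also covers UDP, ICMP and any
    other protocol the segmentation control claims to block.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def verify_segmentation(cde_hosts: Iterable[str], ports: Iterable[int],
                        probe: Probe = tcp_probe) -> List[Finding]:
    """Probe every (host, port) pair; each reachable pair is a finding."""
    ports = list(ports)
    return [Finding(h, p) for h in cde_hosts for p in ports if probe(h, p)]


def segmentation_effective(findings: List[Finding]) -> bool:
    """Effective segmentation means nothing in the CDE was reachable."""
    return not findings


def make_simulated_probe(open_pairs: Set[Tuple[str, int]]) -> Probe:
    """Offline stand-in for tcp_probe: models a firewall that lets only the
    listed (host, port) pairs through. Constructed for demonstration."""
    return lambda host, port: (host, port) in open_pairs


# Constructed sample scope: two CDE hosts and the ports an assessor would
# expect the segmentation firewall to block from a corporate LAN host.
CDE_HOSTS = ["10.10.1.5", "10.10.1.6"]
BLOCKED_PORTS = [22, 443, 1433, 3389]


def demo() -> List[Finding]:
    """Run the check against a simulated firewall with one stray rule that
    leaves RDP on the second CDE host reachable from the out-of-scope side."""
    probe = make_simulated_probe({("10.10.1.6", 3389)})
    return verify_segmentation(CDE_HOSTS, BLOCKED_PORTS, probe=probe)


if __name__ == "__main__":
    results = demo()
    for f in results:
        print(f"FINDING: {f.host}:{f.port} reachable from out-of-scope host")
    print("segmentation effective:", segmentation_effective(results))
```

To run it for real, call `verify_segmentation(cde_hosts, ports)` with the default `tcp_probe` from a host on each network claimed to be out of scope. A finding is not itself a vulnerability in the reached service; it is evidence that the scope reduction the segmentation was meant to justify does not hold, which is exactly what 11.3.4 asks the penetration test to establish.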
Effective Dates for v3.0 PCI DSS
V3.0 is effective on January 1st 2014
Version 2.0 is valid until December 31st 2014
Different supporting documents
Check our website for the latest documents
Do not mix and match
Building on a solid foundation
• Following on from an excellent partnership
• Supported by the Central Bank of the Russian Federation
• PCI and ABISS will work together on providing a Russian Translated version of PCI DSS v3.0 and supporting documents
And Emerging Technologies?
People + Processes + Technology = Security
Point-to-Point Encryption
Mobile
Guidelines published 2012-2013
• PCI Mobile Payment Acceptance Guidelines for Developers
• PCI Mobile Payment Acceptance Guidelines for Merchants as End-Users
• Accepting Mobile Payments with a Smartphone or Tablet
Training Options
• Online Internal Security Assessor (ISA) Training
• Corporate PCI Awareness – Let Us Come To You!
• Online Awareness Training in Four Hours
• Qualified Integrators and Resellers (QIR)™ Program
• PCI Professional Program (PCIP)™
To learn more, visit: www.pcisecuritystandards.org/training
Internal Security Assessor (ISA) Program
A comprehensive PCI DSS training and qualification program for eligible internal audit security professionals that you asked for!
• Improves your understanding of PCI DSS and compliance procedures
• Helps your organization build internal expertise
• Teaches processes that can reduce the cost of compliance
PCI Awareness Training
• Team Building
• Convenience
• Cost
We come to you!
Payment Card Industry Professional (PCIP)™
Now Available
• Support your organization
• Professional credibility
• Competitive advantage
• Global directory
PCI SSC Website
• Documents library
• Dedicated page for small merchants
• Listings of approved companies and providers
• Videos and webinars
• Frequently asked questions microsite
Security is a shared responsibility
Please visit our website at www.pcisecuritystandards.org
Questions?