The Unique Alternative to the Big Four®
PCI for 2013: The Past, Present, and Future
August 19, 2013
© 2012 Crowe Horwath LLP 2 Audit | Tax | Advisory | Risk | Performance
Agenda
- Challenges From the Past
- Issues You Are Currently Facing
  - Technologies
  - Standards
  - Guidance
- What Can You Expect to See Over the Next Year?
- Q&A
Polling Question
Over the past year, what has been the most challenging issue your organization has faced in maintaining PCI compliance?
- Scoping requirements of PCI-DSS 2.0
- Mobile payments
- Cloud service providers
- Risk assessment
- Other
Scoping of the Cardholder Data Environment
- The Payment Card Industry Data Security Standard (PCI DSS) version 2.0, required after Jan. 1, 2012, states that organizations subject to the DSS are required, at least annually, to “confirm the accuracy and appropriateness of PCI DSS scope.”
- Special Interest Group (SIG) in 2011
- People, process, and technology
Challenges in Scoping
- Network architecture
- Third-party service providers
- Virtualization
- Tokenization
- Business processes
Mobile Point of Sale (POS)
- The Council halted approving mobile applications under the Payment Application Data Security Standard (PA-DSS)
- Merchants using these applications face a number of challenges:
  - Encrypted communication and storage
  - Hardening devices
  - Vulnerability scanning
  - Penetration testing
Cloud Service Providers
- Outsourcing has outpaced the development of PCI DSS:
  - Servers and virtualization
  - Infrastructure
  - Managed security
  - Hosted applications
  - Call centers
- Requirements lack guidance on how to address:
  - Responsibilities
  - Validating provider compliance
  - Shared storage
Other Challenges From the Past
- Risk assessment
- eCommerce
Polling Question
As the third year of assessments on PCI-DSS 2.0 comes to a close, has compliance become any easier?
- Yes
- No
- Not sure
- In our first year of 2.0
PCI in 2012
- PCI-DSS 2.0 in its second full year of implementation
  - Reduced effort in meeting new requirements
  - Focus placed on improving security for hard-to-meet requirements:
    - Vulnerability management
    - Penetration testing
    - Logging
- Evolving business models
  - New business units and ways of accepting payments
  - New technologies
PCI’s Changes in 2012
- The PCI Security Standards Council (SSC) added new programs in 2012:
  - Qualified Integrator and Reseller (QIR) Program
  - Point-to-Point Encryption (P2PE) Program
Qualified Integrator or Reseller (QIR)
- QIR supplements the Payment Application Data Security Standard (PA-DSS)
  - PA-DSS ensures applications are capable of meeting PCI standards
  - It does not ensure that PA-DSS applications are properly implemented and/or configured
- QIR responsibilities:
  - Ensuring PA-DSS applications are properly implemented
  - Providing customers a QIR Implementation Statement upon completion
  - Documenting risks identified during the implementation
  - Supporting any PCI Forensic Investigator (PFI) investigations
Point-to-Point Encryption (P2PE)
- Used to reduce the scope of PCI DSS assessments
- Validated P2PE solutions are designed to meet the standard and are approved by the card brands
- Six domains:
  1. Encryption device management
  2. Application security
  3. Encryption environment
  4. Transmissions between encryption and decryption environments (currently not applicable)
  5. Decryption environment and device management
  6. P2PE cryptographic key operations
Point-to-Point Encryption (P2PE)
- Merchants must:
  - Maintain a valid Point of Interaction (POI) device
  - Segment the P2PE environment
Guidance Provided by the Council
- Mobile payment acceptance security
- Wireless
- Tokenization
- Telephone-based payments
Mobile Payment Acceptance Security
- Guidelines provided September 2012
- The guidelines address mobile applications:
  - Operating on handheld devices
  - Devices not solely dedicated to payment-acceptance transaction processing
  - Access to clear-text data
Mobile Payment (cont’d.): Securing the Transaction
- Must prevent:
  - Account data from being intercepted when entered into a mobile device
  - Account data from compromise while processed or stored
  - Account data from interception upon transmission
Mobile Payment (cont’d.): Guidelines for Supporting the Environment
- Unauthorized logical device access
- Server-side controls and unauthorized access
- Escalation of privileges
- Remotely disable the application
- Detect theft or loss
- Harden supporting operating system
- No store and forward
- Secure coding practices
- Known vulnerabilities and malware
- Unauthorized applications
- Secure receipts
- Secure state
Telephone-Based Payments
- Call recording software creates challenges:
  - Cannot store authentication data
  - Encryption is not sufficient
  - Can it be queried?
Polling Question
What changes are you hoping to see the PCI Council deliver in 2013?
- Mobile payment requirements
- Scoping guidelines
- Updated PCI Data Security Standard
- Updated PA Data Security Standard
- Not sure
What We Can Expect in 2013
- Release of 2012 Special Interest Group (SIG) guidance
- New PCI DSS
- PA DSS expiration
- New SIGs
- PIN Transaction Security (PTS)
2012 SIGs: Cloud Computing
- Identifies common types of cloud environments (SaaS, PaaS, IaaS)
- Risks and security challenges for using various models
- Recommendations for overcoming challenges
- Guidance on responsibilities between merchants and cloud providers
2012 SIGs: eCommerce
- Defines eCommerce:
  - Third-party entities
  - eCommerce infrastructure
  - eCommerce components
  - Implementations
- Common vulnerabilities and security misconfigurations
- Recommendations and best practices

2012 SIGs: Risk Assessment
- Effective risk assessments
- Understanding and documenting results
- Shared risk management responsibilities
- Incorporating PCI DSS into risk management strategy
PCI DSS 3.0
- Version 3.0 expected to be finalized on November 7, 2013
- Change drivers:
  - Lack of education and awareness
  - Weak passwords, authentication
  - Third-party security challenges
  - Slow self-detection, malware
  - Inconsistency in assessments
- Key themes:
  - Education and awareness
  - Increased flexibility
  - Security as a shared responsibility
PCI DSS 3.0
- Requirement 1: Data flow diagrams
- Requirement 2: Maintain an inventory of in-scope system components; change default passwords for application/service accounts
- Requirement 3: Flexibility in secure key storage; clarification of split knowledge and dual control
- Requirement 5: Evolving threats for systems not commonly affected by malware
PCI DSS 3.0
- Requirement 6: Update the list of common vulnerabilities in alignment with OWASP, NIST, SANS, etc.
- Requirement 8: Allow for password alternatives (tokens, smart cards, certificates, etc.); flexibility in password strength and complexity (passphrases)
- Requirement 9: Protect POS terminals and devices from tampering or substitution
- Requirement 10: Clarification of the intent and scope of log review
PCI DSS 3.0
- Requirement 11: Penetration testing methodology, and verification that segmentation is operational and effective
- Requirement 12: Maintain a record of which requirements are managed by service providers
- General:
  - Sensitive authentication data cannot be stored (even if the PAN is not present)
  - Business as usual (maintaining compliance)
  - Additional guidance in Navigating PCI DSS
  - ROC reporting template
  - Clarification of testing procedures
  - Incorporating security policies and procedures into each requirement
PA DSS v1.2 Expiration
- Expires on October 28, 2013
- What does it mean?
PA DSS v3.0
- Expected on November 7, 2013
- Will take effect on January 1, 2014
- Mandatory after January 1, 2015
New SIGs
- New groups announced in early 2013:
  - Third-Party Security Assurance
  - Compliance Best Practices
- Guidance provided by end of 2013
- Other suggested topics:
  - PCI Guidance for Issuers
  - Cardholder Data Discovery
  - External Penetration Testing
  - Internal Scanning and Vulnerability Management
  - Logging
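Cardholder data discovery (a suggested SIG topic above) and the PCI DSS 3.0 point that sensitive authentication data cannot be stored even when no PAN is present both come down to finding such data in places it should not be, such as application logs or call-recording transcripts. The following is an added example, not material from this presentation or from the Council: a small Python scanner that flags Luhn-valid PAN candidates and track-2-style data in a few constructed log lines and reports them masked. The regular expressions, the masking rule and the sample lines are my own assumptions.

```python
import re

# Assumed patterns (not from the presentation): a PAN candidate is 13-19 digits,
# optionally separated by spaces or dashes; track-2-style data looks like ";PAN=YYMM...?".
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})\d*\??")

# Constructed sample log lines: a spaced PAN, swiped track-2 data, a Luhn-invalid
# reference number that merely looks like a PAN, and an already-masked PAN.
SAMPLE_LOG = [
    "2013-08-19 10:01:02 order=9001 pan=4111 1111 1111 1111 amount=19.99",
    "2013-08-19 10:01:05 swipe=;5500000000000004=2512101000?",
    "2013-08-19 10:01:09 ref=4111111111111112 status=ok",
    "2013-08-19 10:01:11 pan=411111******1111 tokenized=yes",
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: doubles every second digit counting from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep the first six and last four digits; the rest is never written out."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str) -> list:
    """Return findings for one line; track-2 hits are SAD, plain PANs are cardholder data."""
    findings, seen = [], set()
    for m in TRACK2_RE.finditer(line):
        pan = m.group(1)
        if luhn_ok(pan):
            seen.add(pan)
            findings.append({"kind": "track2", "pan": mask(pan)})
    for m in PAN_RE.finditer(line):
        pan = re.sub(r"[ -]", "", m.group(0))
        if pan not in seen and luhn_ok(pan):
            findings.append({"kind": "pan", "pan": mask(pan)})
    return findings


def scan_log(lines) -> list:
    """Scan every line, tagging each finding with its 1-based line number."""
    results = []
    for n, line in enumerate(lines, 1):
        for f in scan_line(line):
            results.append({"line": n, **f})
    return results
```

Any "track2" finding is a storage violation regardless of whether the PAN itself is in scope, which is the distinction the 3.0 clarification draws.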
Longer Vision of PCI
- The Council is creating a “Bridge of Compliance”:
  - POS
  - Payment applications
  - Cloud providers
  - Service providers
  - Merchants
- The Bridge can be shortened:
  - PTS
  - PA-DSS
  - Outsourcing
  - Removing
  - Encrypting
Questions?
Crowe Horwath LLP is an independent member of Crowe Horwath International, a Swiss verein. Each member firm of Crowe Horwath International is a separate and independent legal entity. Crowe Horwath LLP and its affiliates are not responsible or liable for any acts or omissions of Crowe Horwath International or any other member of Crowe Horwath International and specifically disclaim any and all responsibility or liability for acts or omissions of Crowe Horwath International or any other Crowe Horwath International member. Accountancy services in Kansas and North Carolina are rendered by Crowe Chizek LLP, which is not a member of Crowe Horwath International. This material is for informational purposes only and should not be construed as financial or legal advice. Please seek guidance specific to your organization from qualified advisers in your jurisdiction. © 2012 Crowe Horwath LLP
For more information, contact:
Jeff Palgon
Direct 678.362.6218
[email protected]