Updates on Payment Card Industry (PCI) Regulations and Issues NUAGA May 22, 2014

NUAGA May 22, 2014. IT Specialist, Utah Department of Technology Services (DTS) Assigned to Department of Alcoholic Beverage Control PCI Professional.

Page 1:

Updates on Payment Card Industry (PCI) Regulations and Issues
NUAGA May 22, 2014

Page 2: Kevin Perry

IT Specialist, Utah Department of Technology Services (DTS)
Assigned to Department of Alcoholic Beverage Control
PCI Professional (PCIP) and PCI Internal Security Assessor (ISA) Certification 4/2014, with annual re-certification
Currently responsible for PCI security for all 44 of the DABC's retail stores
18 years' experience with DTS/DABC

Page 3: DABC PCI Concerns

Pages 4-7: DABC PCI Concerns (continued; the slide content is not captured in the transcript)
Page 8: Other Breaches Similar to Target

Easton-Bell Sports
Bright Horizons
Bell Canada
Several major hotel chains

◦ These breaches have all occurred by exploiting weaknesses in the systems and processes of a third-party business partner.

Page 9: What is PCI DSS?

The PCI DSS represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information.

The standard provides an actionable framework for developing a robust data security process, including preventing, detecting and reacting to security incidents.

It applies to any entity that stores, processes and/or transmits cardholder data (CHD).

Page 10: PCI Data Security Standard Requirements

PCI DSS is the global data security standard that any business of any size must adhere to in order to accept payment cards, and to store, process, and/or transmit cardholder data. It presents common sense steps that mirror best security practices.

Goals and PCI DSS Requirements (validated by self-assessment or outside assessment)

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored data
4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel

Page 11: PCI DSS Six Goals

Build and Maintain a Secure Network
Protect Cardholder Data
Maintain a Vulnerability Management Program
Implement Strong Access Control Measures
Regularly Monitor and Test Networks
Maintain an Information Security Policy

Page 12:

The updated versions of PCI DSS and PA-DSS will:

Provide stronger focus on some of the greater risk areas in the threat environment
Provide increased clarity on PCI DSS & PA-DSS requirements
Build greater understanding on the intent of the requirements and how to apply them
Improve flexibility for all entities implementing, assessing, and building to the Standards
Drive more consistency among assessors
Help manage evolving risks / threats
Align with changes in industry best practices
Clarify scoping and reporting
Eliminate redundant sub-requirements and consolidate documentation

Page 13: Change Drivers

The PCI Standards are updated based on feedback from the industry, per the standards development lifecycle, as well as in response to current market needs. Common challenge areas and drivers for change include:

Lack of education and awareness
Weak passwords, authentication
Third-party security challenges
Slow self-detection, malware
Inconsistency in assessments

Page 14: Summary of Changes from PCI DSS Version 2.0 to 3.0

1.1.x - Clarified that firewall and router standards have to be both documented and implemented.

1.1.2 - Clarified what the network diagram must include and added a new requirement (1.1.3) for a current diagram that shows cardholder data flows.

2.4 - New requirement to maintain an inventory of system components in scope for PCI DSS.

5.1.2 - New requirement to evaluate malware threats for any systems not considered to be commonly affected by malicious software.

Page 15: Summary of Changes from PCI DSS Version 2.0 to 3.0

5.3 - New requirement to ensure that anti-virus solutions are actively running and cannot be disabled or altered by users unless specifically authorized by management on a per-case basis.

6.1 - Clarified the process for identifying and risk-ranking new vulnerabilities and (6.2) patching critical vulnerabilities.

6.5.10 - New requirement for coding practices to protect against broken authentication and session management.

7.1.1 - New requirement to cover definition of access needs for each role.

8.3 - Clarified that the two-factor authentication requirement applies to users, administrators, and all third parties, including vendor access for support or maintenance.

Page 16: Summary of Changes from PCI DSS Version 2.0 to 3.0

8.5.1 - New requirement for service providers with remote access to customer devices to use unique authentication credentials for each customer.

9.9.x - New requirement to protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.

10.2.5 - Enhanced requirement to include changes to identification and authentication mechanisms (including creation of new accounts and elevation of privileges) and all changes, additions and deletions to accounts with root or administrative privileges.
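As an added illustration of the events requirement 10.2.5 expects an audit trail to capture (this is example code, not part of the original presentation), the following Python classifies constructed Linux auth-log style lines into account creation and deletion, admin-group membership changes, root credential changes and privilege elevation. The host name, user names, log lines and the rule set are all assumptions made for the example.

```python
import re
from collections import Counter

# Constructed Linux auth-log style sample (not real log data); the host and
# user names are invented for this example.
SAMPLE_LOG = """\
May 22 09:01:10 pos-srv01 useradd[4123]: new user: name=jdoe, UID=1007, GID=1007, home=/home/jdoe, shell=/bin/bash
May 22 09:02:30 pos-srv01 usermod[4130]: add 'jdoe' to group 'wheel'
May 22 09:05:02 pos-srv01 sudo:     jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/usr/bin/passwd root
May 22 09:07:44 pos-srv01 sshd[4201]: Accepted password for clerk from 10.0.5.14 port 51022 ssh2
May 22 09:09:13 pos-srv01 userdel[4250]: delete user 'olduser'
May 22 09:10:00 pos-srv01 sudo:    clerk : TTY=pts/1 ; PWD=/home/clerk ; USER=root ; COMMAND=/bin/cat /var/log/messages
"""

# Each rule maps one 10.2.5 event category to a pattern over the message part.
# Order matters: the specific root-credential rule must precede the generic
# privilege-elevation rule, since both match a sudo-to-root line.
RULES = [
    ("account_created", re.compile(r"useradd\[\d+\]: new user: name=(?P<who>\w+)")),
    ("account_deleted", re.compile(r"userdel\[\d+\]: delete user '(?P<who>\w+)'")),
    ("admin_group_change", re.compile(r"usermod\[\d+\]: add '(?P<who>\w+)' to group '(?:wheel|sudo|root)'")),
    ("root_credential_change", re.compile(r"sudo:\s+(?P<who>\w+) .*COMMAND=\S*passwd root")),
    ("privilege_elevation", re.compile(r"sudo:\s+(?P<who>\w+) .*USER=root")),
]


def classify_line(line):
    """Return (category, actor) for a 10.2.5-relevant line, else None."""
    for category, pattern in RULES:
        match = pattern.search(line)
        if match:
            return category, match.group("who")
    return None  # e.g. an ordinary login, which falls under other 10.2.x items


def audit_events(log_text):
    """Collect (category, actor, raw_line) for every 10.2.5 event in the log."""
    events = []
    for line in log_text.splitlines():
        hit = classify_line(line)
        if hit:
            events.append((hit[0], hit[1], line))
    return events


def summarize(events):
    """Count events per category, the shape an assessor's evidence report needs."""
    return Counter(category for category, _, _ in events)


if __name__ == "__main__":
    found = audit_events(SAMPLE_LOG)
    for category, actor, raw in found:
        print(f"{category:24} {actor:10} {raw}")
    print(dict(summarize(found)))
```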

Page 17: Summary of Changes from PCI DSS Version 2.0 to 3.0

11.1.x - New requirement to include an inventory of authorized wireless access points and scanning for unauthorized wireless devices.

11.3 - New requirement to implement a methodology for penetration testing, also including verification that segmentation methods are operational and effective (11.3.4).

12.2 - Clarified that the risk assessment should be performed at least annually and after significant changes to the environment.

12.8.2 - Clarified the responsibilities for the service provider's written agreement/acknowledgement.

Page 18: Summary of Changes from PCI DSS Version 2.0 to 3.0

12.8.5 - New requirement to maintain information about which PCI requirements are managed by each service provider, and which are managed by the entity.

12.9 - New requirement for service providers to provide a written agreement/acknowledgment to their customers.

12.10.x - Clarified the intent for alerts from security monitoring systems to be included in the incident response plan.

Page 19: PCI Version 3.0

Implementing security into business as usual (BAU) activities

Audit ready anytime

In my opinion, the PCI Data Security Standard is not a policy or procedure. PCI-DSS is a lifestyle!

Page 20: Questions?

Kevin Perry, DTS/DABC, [email protected]