PCI DSS 3.0 Branden R. Williams, 12 September 2013
Page 1: PCI DSS 3.0 Branden R. Williams, 12 September 2013 DSS 3.0.pdf · Agenda Introductions PCI DSS to Date PCI DSS 3.0 Preview Challenges & Issues Keep in Touch! Questions!

PCI DSS 3.0

Branden R. Williams, 12 September 2013

Page 2

Agenda

❧ Introductions
❧ PCI DSS to Date
❧ PCI DSS 3.0 Preview
❧ Challenges & Issues
❧ Keep in Touch!
❧ Questions!

Page 3

Introductions

❧ Branden Williams
❧ PCI Board of Advisors Member
– 2011-2013
– Representing RSA

❧ First assessment, 2004 (CISP/SDP at the time)

❧ 2 Books (PCI Compliance, 3e, Syngress)

❧ Built two security consulting businesses

Page 4

PCI DSS to Date

❧ PCI DSS 1.0 (December 15, 2004)
❧ PCI DSS 1.1 (and ASV), Council formed (September 7, 2006)
❧ PCI DSS 1.2 (and PA-DSS), September 2008
❧ PCI DSS 2.0 (unified PTS, PA-DSS, PFI), 2010
❧ PCI DSS 3.0, November 2013
❧ Notables:
– 3 year cycle
– Supplemental documents
– Certifications open to non QSA/PO
– Community meeting in 2 weeks!

Page 5

Why 2013 is PIVOTAL for PCI DSS

❧ Emerging Technologies
– EMV to the US…
– … but does Mobile skip it?

❧ The standard is struggling for relevance!
❧ Some technologies ignored:
– Cloud
– Mobile
– Virtualization

❧ Universal applicability desired…
– Yet nothing that flows from STD to Detail
– No way to get transparency into fraud

Page 6

These guys must get it right!

Page 7

Yet, evidence thus far is to the contrary

❧ Current BoA/PO had limited to no input
❧ Standards continue to be created in a vacuum
❧ They sit behind the times
❧ BUT WHY??
– Top reasons for breach are still basic
– Companies can’t get the baseline right
– IT is in flux, sometimes the enemy of the business

Page 8

OK, so what do we do?

Page 9

Tell me if you’ve heard this one before…

❧ Know your data flows:
– Data Flows Made Easy
– Do discovery as well
– Consider DLP

❧ Outsource EVERYTHING!
– Who told you it was a good idea to run a payment processor?
– Double check those models!

❧ Focus on Security…
❧ … and the partnership with the business!
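The "do discovery as well" step is where most shops find cardholder data they did not know they had: old debug logs, exports, support tickets. As an added example (not from the slides or from the author), here is a small discovery scanner over text such as application logs. It looks for Luhn-valid 13 to 19 digit candidate PANs and, separately, for Track 2 style sensitive authentication data, and reports each hit with the PAN masked to first six and last four so the scanner's own output does not become another place cardholder data lives. The log lines, regular expressions and function names are all constructed for this example.

```python
"""Cardholder data discovery over text (added example, not from the slides).

Finds candidate PANs (13-19 digits, optional spaces or dashes, Luhn-valid)
and Track 2 style sensitive authentication data (PAN=YYMM+service code+...).
The sample log lines below are constructed for this example.
"""
import re
from dataclasses import dataclass

# Candidate PAN: 13-19 digits with optional single space/dash between digits,
# not embedded in a longer digit run (a longer run is usually an ID, not a card).
PAN_RE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")

# Track 2 equivalent data: [;]PAN=YYMM SSS discretionary-data[?]
TRACK2_RE = re.compile(r";?([0-9]{13,19})=([0-9]{4})([0-9]{3})([0-9]*)\??")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Render a PAN as first six + last four, the most PCI DSS 3.3 permits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str    # "PAN" or "TRACK2"
    masked: str  # masked PAN, never the full value


def scan_line(line: str) -> list[tuple[str, str]]:
    """Return (kind, masked_pan) for every Luhn-valid hit on one line."""
    hits: list[tuple[str, str]] = []
    covered: list[tuple[int, int]] = []
    # Track data first, so the PAN inside it is not double counted below.
    for m in TRACK2_RE.finditer(line):
        pan = m.group(1)
        if luhn_ok(pan):
            hits.append(("TRACK2", mask(pan)))
            covered.append(m.span())
    for m in PAN_RE.finditer(line):
        if any(s <= m.start() < e for s, e in covered):
            continue
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(("PAN", mask(digits)))
    return hits


def scan_text(text: str) -> list[Finding]:
    """Scan multi-line text and return one Finding per Luhn-valid hit."""
    return [
        Finding(n, kind, masked)
        for n, line in enumerate(text.splitlines(), start=1)
        for kind, masked in scan_line(line)
    ]


# Constructed sample: a cleartext PAN, a 13-digit reference number that fails
# Luhn, a debug line that leaked Track 2 data, and a properly masked PAN.
SAMPLE_LOG = """\
2013-09-12 10:01:02 order=1001 card=4111 1111 1111 1111 exp=12/25 status=approved
2013-09-12 10:01:05 order=1002 ref=1234567890123 status=declined
2013-09-12 10:02:11 DEBUG raw=;4111111111111111=25121010000000000000? cvv=123
2013-09-12 10:03:00 order=1003 card=************1111 status=approved
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind} {f.masked}")
```

On the sample it reports the cleartext PAN on line 1 and the Track 2 leak on line 3, and ignores the reference number on line 2 because it fails Luhn. Treat hits as leads for human review rather than proof: Luhn removes most random digit runs but not all of them, and text scanning alone covers none of the databases, backups, swap or process memory that a full discovery exercise has to include. Track data is flagged as its own category because sensitive authentication data must not be stored after authorization at all, regardless of how the PAN is handled elsewhere.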

Page 10

Examples of where you can usurp PCI DSS

❧ That’s right! USURP IT!
❧ PCI DSS misses so many marks
❧ But don’t let it hold you back!
❧ Mobile:
– Make mobile apps comply
– Focus on underlying platform

❧ Cloud:
– Leverage security tactics
– Focus on HYBRID models

❧ Virtualization:
– Infrastructure, infrastructure, infrastructure

Page 11

Current challenges we hope get addressed

❧ Mobile is virtually unaddressed
❧ Cloud/Virtualization is ambiguous
– They tell you not to use it!

❧ Interpretation Issues
– Ever had QSA-Conflict?
– Who is really to blame?

❧ A way to tie Std with Guidance
❧ Ways to look forward

Page 12

What we know about 3.0

Page 13

Stated Drivers of Change

❧ Lack of Education & Awareness
❧ Weak Passwords/Auth
❧ Third Party Security
❧ Slow self-detection, malware
❧ Inconsistency in Assessments

Page 14

Key Themes

❧ Education & Awareness
– Ideally this is good
– Adds more detail on intent

❧ Flexibility
– Again, ideally this is good
– Allows better threat/counter match

❧ Security as Shared Responsibility
– Uh oh… overstep?
– Good intention, PCI must know its place

Page 15

Highlighted Changes

❧ Req 1: Add cardholder data flows as a requirement to the mix

❧ Req 2: Maintain inventory of in-scope components

❧ Req 5: Evaluate malware threat on systems NOT commonly affected by malware (yes, that is correct)

❧ Req 6: Updates OWASP top 10

❧ Req 8:
– Allow for flexibility in auth to create vehicle for strong passwords
– Requirements for non-password methods

❧ Req 9: Physical security of terminals

Page 16

Highlighted Changes (cont)

❧ Req 10: Clarifications on daily log reviews, with flexibility for less-critical log events

❧ Req 11: More details for penetration testing & scope verification

❧ Req 12: Third-party assurance work, including documentation on which third parties manage which requirements

❧ Incorporate policy/procedure requirements into each requirement (follows generally accepted principles)

❧ More intent documentation integrated with standard, including more detail on testing procedures

Page 17

And the DUH moment

❧ Req 2: Yes, you must change default passwords for SERVICE accounts too…

❧ Sensitive Auth Data is still sensitive even if the PAN is not present

Page 18

What’s the Timeline?

❧ PCI DSS 3.0 to be released in NOVEMBER

❧ Mandatory for all assessments from January 1, 2015 (yes, 13 months from release)

– PCI DSS 2.0 is valid through next year

– You should do a Gap analysis ASAP

– Holiday freeze a good time!

❧ Retired December 31, 2017

Page 19

Discussion!

Page 20

Additional Resources

❧ www.pcisecuritystandards.org
– Has all standards docs
– Includes releases on updates

❧ PCI Community Meetings
– Vegas, Sep 24-26
– Nice, Oct 29-31
– KL, Nov 19-20*

❧ Brando’s Blog & Book:
– blog.brandenwilliams.com
– www.pcicompliancebook.info

Page 21

How about we stay in touch?

❧ If you would like a copy of these slides:
– Text [email protected] the code isaca2013, a comma, and your email address
– Example: isaca2013,[email protected]
– Or use the QR code above

❧ Stay up to date with things I’m working on (opt in)!

❧ Contact:
– @BrandenWilliams
– brandenwilliams.com

Page 22

Thank you, any questions?