May 22, 2020


Alcumus ISOQAR India Pvt. Ltd. – PCI DSS QSA

PCI – DSS 3.2 News Letter

© 2016 ISOQAR India Pvt. Ltd., an Indian Registered company and a member firm of the Alcumus Group International Cooperative (“Alcumus ISOQAR”), an entity. All rights reserved.


Foreword

“The security benefits associated with maintaining PCI compliance are vital to the long-term success of all merchants who process card payments. This includes continual identification of threats and vulnerabilities that could potentially impact the organization. Most organizations never fully recover from data breaches because the loss is greater than the data itself.”


The leadership team, with a BIG FOUR background, focuses on delivering performance with passion. We believe in knowledge-performance integration. With the growing demand for compliance, the ALCUMUS ISOQAR team is enhancing its capability to provide value-added services in the field of audits and training coupled with compliance.

Our long-term vision is to be the ONE STOP SHOP for all requirements related to audit, training, compliance, tools, etc., in all domains. Our business idea supports this vision by providing a wide range of audit and training services globally, utilizing domain knowledge, audit experience and an utmost professional approach.

Today we work on all standards, including ISO standards in all domains, second-party audits, PCI compliance, SSAE 16 SOC compliance, HIPAA compliance, BRC and RJC compliance, etc.

ISOQAR uses its knowledge assets to drive performance. Knowledge embedded in our services and business processes now drives what can be created and delivered to our esteemed customers.

We are publishing a newsletter on PCI DSS which puts a finger on the pulse of the various requirements under the new version of PCI DSS, version 3.2. We hope the newsletter provides you with insights that can be leveraged in shaping the PCI DSS implementation posture in your organization.

Regards,
ISOQAR India Pvt. Ltd.
Partner – PCI DSS Compliance Services
Executive Director – Compliance
Nishid Shivdas
Prashant Koranne


Statistics of Card Related and Identity Theft Frauds

[Charts on card-related and identity-theft fraud statistics; sources: The UK Cards Association and Krebsonsecurity.]


What is new in PCI DSS 3.2?

Within the 12 core requirements of the PCI DSS, there are five new sub-requirements for service providers affecting requirements 3, 10, 11 and 12. New sub-requirements have been added to requirement 8 to ensure multi-factor authentication is used for all non-console administrative access and all remote access into the cardholder data environment. There are also two new appendices. Appendix A2 incorporates the new migration deadlines for removal of Secure Sockets Layer (SSL) and early Transport Layer Security (TLS), in line with the December 2015 bulletin. Appendix A3 incorporates the “Designated Entities Supplemental Validation” (DESV), which was previously a separate document.

The complete summary of changes in PCI DSS version 3.2 is available at:
https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss

How long do organizations have to implement PCI DSS 3.2?

PCI DSS 3.1 will retire on 31 October 2016, and after this time all assessments will need to use version 3.2. Between now and 31 October 2016, either PCI DSS 3.1 or 3.2 may be used for PCI DSS assessments. The new requirements introduced in PCI DSS 3.2 are considered best practices until 31 January 2018. Starting 1 February 2018 they are effective as requirements and must be used.


How to prepare?


PCI DSS 3.2 marks the start of refining the payment data regulations, rather than a set of minor changes, and includes requirements to strengthen encryption and multi-factor authentication.

The PCI Security Standards Council (PCI SSC) has published a new version of its Data Security Standard (DSS), used to safeguard payment data before, during and after a purchase is made. PCI DSS version 3.2 replaces version 3.1, which will expire on 31 October 2016.

Multi-factor authentication: one significant change in PCI DSS 3.2 is that it includes multi-factor authentication as a requirement for any personnel with administrative access into environments handling card data. Previously this requirement applied only to remote access from untrusted networks.

“A password alone should not be enough to verify the administrator’s identity and grant access to sensitive information,” said PCI Security Standards Council CTO Troy Leach. “We’ve seen an increase in attacks that circumvent a single point of failure, allowing criminals to access systems undetected and to compromise card data.”

PCI DSS 3.2 focuses on Encryption and Multifactor Authentication


5 Platinum Principles for continual PCI compliance

1. Know the Standard

Unlike many other compliance standards, e.g. ISO 27001 (too generic) and SSAE 16 (you can define your own frequency), PCI DSS has a definite frequency for maintaining controls. There are multiple requirements which could have a cascading effect on your compliance posture if you fail to maintain the effectiveness of the required controls.

There could be various teams involved, and unless there is a crystal-clear understanding and communication between the teams, you are most likely to face difficulties. For example, the purchase is done by the procurement team, device hardening is done by some other team and vulnerability scanning is someone else’s responsibility. Unless these teams are in sync and know the standard well, maintenance becomes difficult.


2. Get the Necessary Budgetary Approval for the Upkeep

As a CISO, you may need to procure products and outsource some of your activities, viz. scans from an ASV and other periodic scans. While submitting the budget, it is advisable to include the recurring maintenance cost as well. This will ensure that you have the necessary funds available and you don’t need to run at the eleventh hour and delay the mandatory requirements for compliance.


3. Develop an Annual Compliance Calendar

A simple spreadsheet can do wonders. List the tasks as daily (log reviews), weekly (file integrity checks), monthly (newly added devices, employee background checks, recent infrastructure changes, etc.), quarterly (scans), semi-annually (network device rule set reviews) and annually (policy reviews, risk assessment, training programs, pen tests, incidents). Once the list is ready, name the “Owner” for each activity. Add a “Checker” column. Circulate the calendar to all the relevant stakeholders.


4. Assign Tasks and Monitor Them

Once the calendar is circulated, ask all the checkers to report progress on a periodic basis. My strong recommendation: do this on a fortnightly basis. This will ensure that immediate corrections and corrective actions are initiated if something is amiss, and it will not come as a last-minute surprise or show spoiler. Our sincere advice: for any challenges, take the required advice from the QSA company. They will guide you in addressing any bottlenecks. Remember, hiding facts helps nobody in compliance.


5. Include Vendors in the Compliance Program

Communicate your compliance requirements to the vendors well in advance; in fact, it needs to be a contractual obligation. Vendors play a vital role in maintaining the compliance program when it comes to PCI DSS. If you have third-party vendors, keep them well informed. If you have outsourced any of your activities, get the records well in time to avoid last-minute hiccups. You are also now required to maintain a formal list of the PCI responsibilities shared with vendors, down to the specific requirements you and the vendor handle. Vendor non-compliance can become a big challenge for your own maintenance and could be a show stopper.


Alcumus PCI DSS Value Proposition: the four-fold (Triple A-S) approach

• Assess: We assist clients in defining the exact scope (thus saving a lot of money and effort), identifying the gaps and proposing a feasible remediation approach.

• Accelerate: Our expert consultants and QSAs are always ready to walk that extra mile for the clients and reduce the timelines in achieving the compliance goals.

• Achieve: Once the system is audit-ready, our QSAs conduct a formal PCI DSS assessment onsite and release the Report on Compliance (ROC) and Attestation of Compliance (AOC) in due course.

• Sustain: This is one of the highlights of the ISOQAR approach. In the Achieve phase we mentor all our clients to get ready for the next challenge, i.e. continual maintenance of compliance. Our project team not only grooms the clients in maintenance activity but also keeps a close watch on their PCI DSS activities and compliance. Please check our “PCI Protector Plan”.

We at Alcumus ISOQAR India realize the pains in achieving any compliance and maintaining it. Specifically, when it comes to achieving and maintaining PCI DSS compliance, the mission is even tougher.


PCI Compliance as a Service (P-CaaS)

We focus on all pertinent areas of PCI DSS and dive into the details associated with each required control. Our PCI compliance services utilize a combination of remote and onsite interviews, documentation reviews and walkthroughs of cardholder data processing environments, and examine process flows, supporting systems and all other areas associated with card-data processing.

We also provide the following PCI DSS support services and solutions:

• Vulnerability Assessment and Penetration Testing (VA/PT)
• Application Security Assessment (AppSec)
• Network Security Architecture Review
• Firewall and Router Rule Set Reviews
• Implementation of Security Information and Event Management (SIEM) tool
• Implementation of File Integrity Monitoring (FIM) tool
• Identity Management Solution (IDM)
• Multi-Factor Authentication Services


How can Alcumus ISOQAR help?

You construct your business. We protect it.

Alcumus ISOQAR India Pvt. Ltd. was founded in 2006 and is rooted in performing security assessments against compliance frameworks such as HIPAA, SOX, ISO 27001, ISO 20000, ISO 22301, ISO 33000 and PCI DSS (as a QSA).

With rich experience of conducting compliance assessments for various security frameworks, whether you are a large multinational bank or a small payment processor, Alcumus ISOQAR has the ability to serve your needs and ensure your organization is brought up to speed and into compliance with the PCI Data Security Standard.

Alcumus ISOQAR is a Qualified Security Assessor (QSA) certified by the PCI Security Standards Council and is qualified to perform PCI DSS compliance assessments. We have performed a wide variety of PCI-related engagements and are presently involved in compliance efforts in the following areas:

• Service providers
• Payment gateway PCI scenarios
• PCI in BPOs
• PCI for banks
• Issuing operations; and
• Datacenter-related PCI refinements

The PCI Security Standards Council is constantly working to monitor threats and improve the industry’s means of dealing with them, through enhancements to the PCI Security Standards and by training security professionals.

For many small and mid-sized businesses, getting started with the PCI DSS can be overwhelming. The good news is that it doesn’t have to be! Let us help remove the burden by stepping you through the compliance process and showing you where you can secure your business, validate compliance, and save time, hassle and money over the long term.

When you’re just starting out with PCI compliance, the last thing you want to do is wade through hundreds of pages of rules and requirements. Our specialized services and PCI DSS experts will help you quickly identify and address your organization’s biggest security risks and their corresponding compliance gaps so you can successfully achieve and maintain PCI compliance.


ISOQAR India Pvt. Ltd.

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

The views and opinions expressed herein are those of internet-based research; they do not necessarily represent the views of ISOQAR in India.

This document is meant for e-communications only.

Open Invite to Discuss PCI DSS Implementation

Book a 60-minute Virtual Tea Consultation with Prashant Koranne (PK). Send us an email at [email protected]

ISOQAR (INDIA) PVT. LTD.
303, Matrix, Corporate Road, Prahladnagar, Off S.G. Highway, Ahmedabad – 380051, Gujarat, India.
