Prepared by Jerod Brennen For ISACA – Central Ohio Chapter Meeting 12/9/2010
Jan 15, 2016
Overview
○ Summary of Changes
○ Operational Perspective
○ Details of Changes
○ Observations
Summary of Changes (136 total)
Clarifications: 119 total
○ Wording portrays intent
Additional Guidance: 15 total
○ Increase understanding
Evolving Requirements: 2 total
○ Emerging threats and changes
https://www.pcisecuritystandards.org/pdfs/summary_of_changes_highlights.pdf
https://www.pcisecuritystandards.org/documents/pci_dss_v2_summary_of_changes.pdf
Operational Perspective
Informational: 61 total
Moderate Impact: 41 total
Significant Impact: 34 total
○ Subjective (your mileage may vary)
Details – General
Operations Staff
PCI DSS Applicability Information
○ Account Data = Cardholder Data + Sensitive Authentication Data
Scope of Assessment for Compliance with PCI DSS Requirements
○ Added “virtualization components” to the definition of “system components”
Policies, Procedures, Standards, etc.
Auditors
Sampling of Business Facilities and System Components
○ Criteria that must be documented when sampling
○ Sampling rationale must be (re)validated with each audit
Instructions and Content for Report on Compliance
○ Pp 14-17 > detailed instructions for the RoC
Consistency (QSA selection)
○ How much will the Summary of Changes alter QSA procedures?
Details – Section 1
Moderate Impact
1 > “system components providing firewall functionality” to be treated as firewalls
1.1.5 > examples of insecure services, protocols, & ports (FTP, Telnet, POP3, IMAP, SNMP)
1.3.6 > removed specification of port scanner use
1.3.7 > testing procedure applies to “any type of cardholder data storage” (i.e., files)
Significant Impact
1.4.b > “personal firewall software should not be alterable by employee-owned computer users”
○ Local admin rights?
Details – Section 2
Moderate Impact
2.1.1.a-e > removed reference to WPA
○ WPA cracked in late 2008
2.2 > added sources for hardening standards
○ CIS, ISO, SANS, NIST
2.2.b > linked system configuration standards to vulnerabilities (was in 6.2.b)
2.2.2.a-b > only enable “necessary and secure” services
2.3.a-c > “strong” cryptography is required
○ Need for agility (point-in-time)
Significant Impact
2.2.1 > clarified intent of “one primary function per server” and use of virtualization
○ Web, Database, DNS; functions that require different security levels
2.2.1.b > optional testing procedure for virtualization technologies
Details – Section 3
Moderate Impact
3.4 > deleted note on compensating controls
○ “may be applicable for most PCI DSS requirements”
3.4.1.c > clarification on encryption of removable media
○ Rendered unreadable through encryption or some other method
3.5 > “any” keys used to secure cardholder data must be secured
3.6.6 > clarification around key management operations
○ “manual clear-text cryptographic key mgmt operations”
3.6.8 > key custodians’ formal acknowledgment (written or electronic)
Significant Impact
3 > introductory paragraph: don’t send PANs via end-user messaging tech (email, IM)
○ Enforcement?
3.2 > business justification for storing “sensitive authentication data”
3.6.4 > increased frequency of key changes, per “defined cryptoperiod”
3.6.5 > new testing procedures for retired keys
Details – Section 4
Moderate Impact
4.1.c > protocol “must be implemented” to use only secure configurations (i.e., encrypted)
Significant Impact
4.1.1 > 6/3/2010 has passed; no more WEP
4.2 > PANs should never be sent by end-user messaging technologies (see section 3)
Details – Section 5
Moderate Impact
none
Significant Impact
5.2 > AV must be generating audit logs, not just “capable of generating” logs
Details – Section 6
Moderate Impact
6.3.2 > clarified scope to include non-web applications
6.4.5.a-b > addresses security patches and software modifications
○ Details to include in change documentation
6.4.5.1 > documentation of impact is required
6.5 > broadened to include OWASP, SANS CWE, & CERT
6.5.1-9 > again, OWASP + CWE + CERT
Significant Impact
* 6.2 > evolving requirement: rank vulnerabilities according to risk
6.3.a-d > added types of software applications to be tested (scope)
○ Security in “written software development processes”
6.4.5.3.a-b > requires security testing for application changes
* 6.5.6 > new requirement regarding high-risk vulnerabilities
○ Best practice through 6/30/2012
Details – Section 7
Moderate Impact
none
Significant Impact
none
Details – Section 8
Moderate Impact
8 > POS access to one card number at a time
○ Aligned with PA-DSS requirement 3.2
8.3 > clarified intent of multi-factor authentication
○ Know, Have, Are
○ No clarification on physical vs. virtual here
8.5.3 > password resets (unique value, immediate change)
8.5.6.a-b > clarified “access” by vendors
○ Disabled by default, enabled only when needed
○ Monitored while being used
8.5.9-13 > password management for “non-consumer users”
○ For service providers only
Significant Impact
8.5.2/7/8/13 > allow for authentication mechanisms other than passwords
8.5.16.a-d > restricting user queries against databases
○ Closer review of database configuration
Details – Section 9
Moderate Impact
9.1.3 > restrict physical access to “networking / communications hardware and telecommunications lines”
9.3.1 > visitors are not permitted unescorted physical access to areas that store cardholder data
9.6 > changed “paper and electronic media” to “all media”
○ Computers, removable electronic media, paper receipts, paper reports, faxes, etc.
Significant Impact
9.7.1 > intent is to determine sensitivity of data on media
○ “Verify that all media is classified…”
Details – Section 10
Moderate Impact
10.4.2 > changes to time settings are authorized
10.4.3 > time is received from industry-accepted sources
Significant Impact
10.7.b > processes to “immediately restore” log data (vs. “immediately available”)
Details – Section 11
Moderate Impact
none
Significant Impact
11.1 > “detect unauthorized wireless access points on a quarterly basis” (vs. real-time)
11.1.a-e > detect & alert on unauthorized wireless access points
11.2.1-3 > internal & external scans must be verified (ASV)
11.2.1.a-c > scans must be repeated & verified until all high vulnerabilities have been resolved
11.2.2.a-b > reference to ASV Program Guide Requirements
11.2.3.a-c > keep scanning until high vulnerabilities are resolved
11.3.2 > vulnerability scanning must encompass all application types in scope (see 6.5)
11.4 > IDS/IPS at the perimeter and at key points inside the CDE
Details – Section 12
Moderate Impact
12.1.3 > replaced “once a year” with “annually”
12.3 > added “tablet” to example technologies
12.3.10.a-b > flexibility to limit prohibitions to those “personnel without authorization”
12.7 > “potential personnel to be hired for certain positions”
○ Recommendation if personnel can only access one card number at a time
Significant Impact
12.1.2 > test should verify risk assessment documentation
12.8.4 > monitor service providers’ PCI compliance at least annually
12.9.3 > designated personnel should be available 24/7 for incident response
Details – Appendices
Moderate Impact
Appendix E > is now “Attestation of Compliance – Service Providers”
○ Options for list of services not covered by PCI DSS assessment
Appendix D > Segmentation and Sampling of Business Facilities / System Components
○ Was Appendix F
○ Aligns with new introduction
Significant Impact
none
Observations
Perception
○ Revised vs. New
○ Should vs. Must
○ 27 vs. 77
○ Effective Date
○ Risk-Based
New Technologies
○ Wireless
○ Virtualization
○ Encryption (future-state)
○ Better Log Management
Opportunities
○ Fresh Document
○ Auditors can help Operations achieve compliance
○ Budget
Questions?
Jerod Brennen
http://twitter.com/slandail
http://www.linkedin.com/in/jerodbrennen