Peter Verderber, CISSP, CISA, PCI QSA Principal Consultant Ben Rothke, CISSP, CISA, PCI QSA Senior Security Consultant Managed Security Leaders Conference What’s new with PCI? November 18, 2009 Check out the SecureThinking blog: http://bt-securethinking.blogspot.com. Follow us on Twitter: http://twitter.com/securethinking
Transcript
Agenda
Introductions
PCI DSS Updates – Gray Areas & Emerging Trends
Evolution of the PCI DSS
PCI SSC Updates – The Impact of QA Inspections
Key messages and take-aways
Introductions
Peter Verderber
• US & Canada Security Practice Lead CISSP, CISA, PCI QSA
• 10+ years in the information security field
• Working with PCI Standard since its inception in 2004
Ben Rothke, CISSP, CISM, PCI QSA
• Senior Security Consultant
• In IT sector since 1988 and information security since 1994
• Author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill)
• PCI QSA since 2007
BT and PCI
PCI Environment Discovery and Scoping
Security Architecture Design
Compliance Assessments (Gap Analysis)
Remediation Planning, Support, and Integration
Compliance Validation and Reporting
Internal and External ASV Scanning
Network and Application Penetration Testing
Managed Security Event Monitoring
Managed Log Retention Services
Managed Firewall and IDP Services
Digital Security Surveillance Solutions
PCI Timeline
2001: Visa establishes CISP (Card Information Security Program)
2004: Formation of the PCI Security Standards Council (PCI SSC)
PCI SSC is an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.
Mission is to enhance payment account data security by driving education and awareness of the PCI Security Standards.
Founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc.
2006: PCI DSS version 1.1 released
PCI DSS (Data Security Standard) is a worldwide information security standard assembled by the PCI SSC.
Standard was created to help organizations that process card payments prevent credit card fraud through increased controls around data and its exposure to compromise.
PCI DSS applies to all organizations which hold, process, or pass cardholder information from any card branded with the logo of one of the card brands.
2008: PCI DSS version 1.2 and PA-DSS 1.2 released
PA-DSS is the Council-managed program formerly under the supervision of the Visa Inc. program known as the Payment Application Best Practices (PABP).
Goal of PA-DSS is to help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripe, CVV2 or PIN data, and ensure their payment applications support compliance with the PCI DSS.
2009: PCI wireless guidelines released
Wireless guidelines recommend use of a Wireless Intrusion Prevention System (WIPS) to automate wireless scanning for large organizations.
Wireless guidelines clearly define how wireless security applies to PCI DSS 1.2 compliance.
Guidelines apply to the deployment of WLANs in cardholder data environments (CDE) – a CDE is a network environment that possesses or transmits credit card data.
2009 and beyond: PCI will continue to gain traction
• Greater details
• Greater enforcement
• Increased rigor
• Federal adoption
PCI Security Standards Council Updates
What’s new in 2009?
• More breaches of “PCI Compliant” entities
• Prioritized Approach
• PCI Council QA refresh and enforcement
• New QA model and scoring matrix established
• 945 validation points (1000+ with sampling)
• Limited auditor discretion
Impact to your organization:
• Extensive documentation
• Application interaction and data flows
• Card processing and third-party relationships
• Defensible position a must
PCI Guiding Principles
Gray Areas Remain
• But then again, all regulations have gray areas
• Defend your interpretation
• A strong security foundation can certainly deal with every new regulation / standard
• Scoping (limit PCI scope, ASV scan and penetration testing scope)