What is PCI/DSS and What s new Presented by Brian Marshall Vanguard Professional Services

Transcription

1 What is PCI/DSS and What s new Presented by Brian Marshall Vanguard Professional Services 4/28/2016 1

2 AGENDA 1.About Vanguard/Introductions 2.What is PCI DSS History 3.High Level Overview 4.PCI DSS 3.0/3.1/3.2 5.Top PCI challenges for z/os 6.Q/A 4/28/2016 2

3 What is PCI DSS? What is PCI DSS - Payment Card Industry Data Security Standard? Set of standards created by the PCI Security Standards Council Enforced by contract with banks that provide payment card processing Applicable to everyone who stores, processes, or transmits payment card data 2015 Vanguard Integrity Professionals, Inc. 4/28/

4 What is PCI DSS? PCI Security Standards Council About the PCI Security Standards Council: Global independent open body formed to develop, enhance, disseminate and assist with the understanding of security standards for payment account security 2015 Vanguard Integrity Professionals, Inc. 4/28/

5 PCI DSS History A Brief History of PCI DSS The PCI Security Standards Council Formed September 7, 2006 Founded by: American Express Discover Financial Services JCB International MasterCard International VISA 2015 Vanguard Integrity Professionals, Inc. 4/28/

6 PCI DSS History Payment Card Industry Data Security Standard (PCI DSS) - Was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. - PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data. PCI DSS applies to all entities involved in payment card processing including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD) Vanguard Integrity Professionals, Inc. 4/28/

7 PCI DSS Requirements High-level overview of the 12 PCI DSS Requirements 1. Install and maintain a firewall configuration to protect cardholder data. 2. Do not use vendor-supplied defaults for system passwords and other security parameters. 3. Protect stored cardholder data. 4. Encrypt transmission of cardholder data across open, public networks Vanguard Integrity Professionals, Inc. 4/28/

8 PCI DSS Requirements 5. Use and regularly update antivirus software. 6. Develop and maintain secure systems and applications. 7. Restrict access to cardholder data by business need-to-know. 8. Assign a unique ID to each person with computer access Vanguard Integrity Professionals, Inc. 4/28/

9 PCI DSS Requirements 9. Restrict physical access to cardholder data. 10. Track and monitor all access to network resources and cardholder data. 11. Regularly test security systems and processes. 12. Maintain a policy that addresses information security Vanguard Integrity Professionals, Inc. 4/28/

10 Common PCI Terms 1. CHD - Card Holder Data 2. SAD - Sensitive Authentication Data 3. PAN Primary Account Number 4/28/

11 PCI DSS Procedures Detailed PCI DSS Requirements and Security Assessment Procedures The following defines the column headings for the PCI DSS Requirements and Security Assessment Procedures: - PCI DSS Requirements This column defines the Data Security Standard requirements; PCI DSS compliance is validated against these requirements. - Testing Procedures This column shows processes to be followed by the assessor to validate that PCI DSS requirements have been met and are in place. - Guidance This column describes the intent or security objective behind each of the PCI DSS requirements. This column contains guidance only, and is intended to assist understanding of the intent of each requirement. The guidance in this column does not replace or extend the PCI DSS Requirements and Testing Procedures. 4/28/

12 Common PCI Requirements Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters 4/28/

13 Common PCI Requirements Req Configure system security parameters to prevent misuse - System configuration standards and related processes should specifically address security settings and parameters that have known security implications for each type of system in use. - In order for systems to be configured securely, personnel responsible for configuration and/or administering systems must be knowledgeable in the specific security parameters and settings that apply to the system Vanguard Integrity Professionals, Inc. 4/28/

14 Common PCI Requirements 4/28/

15 Common PCI Requirements 4/28/

16 Common PCI Requirements 4/28/

17 Common PCI Requirements 4/28/

18 Common PCI Requirements 4/28/

19 Common PCI Requirements 4/28/

20 Common PCI Requirements NIST RACF Checklist 4/28/

21 PCI non-racf Requirements Req Requirement for a current diagram that shows all cardholder data flows across systems and networks - Cardholder data-flow diagrams identify the location of all cardholder data that is stored, processed, or transmitted within the network. - Network (1.1.2) and cardholder data-flow diagrams (1.1.3) help an organization to understand and keep track of the scope of their environment, by showing how cardholder data flows across networks and between individual systems and devices 4/28/

22 PCI DSS 3.0 Changes Req procedure to verify policy is implemented for disconnecting remote access sessions after a specific period of inactivity Remote-access technologies are frequent "back doors" to critical resources and cardholder data. By disconnecting remote-access technologies when not in use (for example, those used to support your systems by your POS vendor, other vendors, or business partners), access and risk to networks is minimized Vanguard Integrity Professionals, Inc. 4/28/

23 PCI DSS 3.1 Changes PCI SSC bulletin on impending revisions to PCI DSS, PA-DSS 13 February 2015 To ensure the continued strength and integrity of PCI Standards for payment data protection, the Council has ongoing processes for monitoring threats and vulnerabilities and for updating the standards as necessary. The National Institute of Standards and Technology (NIST) has identified the Secure Socket Layers (SSL) v3.0 protocol (a cryptographic protocol designed to provide secure communications over a computer network) as no longer being acceptable for protection of data due to inherent weaknesses within the protocol. Because of these weaknesses, no version of SSL meets PCI SSC s definition of strong cryptography, and revisions to the PCI Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS) are necessary. 4/28/

24 PCI DSS 3.1 Changes What is the Issue with SSL/TLS SSL/TLS encrypts a channel between two endpoints (for example, between a web browser and web server) to provide privacy and reliability of data transmitted over the communications channel. Since the release of SSL v3.0, several vulnerabilities have been identified, most recently in late 2014 when researchers published details on a security vulnerability (CVE ) that may allow attackers to extract data from secure connections. More commonly referred to as POODLE (Padding Oracle On Downgraded Legacy Encryption), this vulnerability is a man-in-the-middle attack where it s possible to decrypt an encrypted message secured by SSL v3.0. 4/28/

25 PCI DSS 3.1 Changes The SSL protocol (all versions) cannot be fixed; there are no known methods to remediate vulnerabilities such as POODLE. SSL and early TLS no longer meet the security needs of entities implementing strong cryptography to protect payment data over public or untrusted communications channels. 4/28/

26 PCI DSS 3.1 Changes What is the Issue with SSL/TLS cont. Additionally, modern web browsers will begin prohibiting SSL connections in the very near future, preventing users of these browsers from accessing web servers that have not migrated to a more modern protocol. 4/28/

27 PCI DSS 3.1 Changes What this means for PCI DSS - In PCI DSS v3.1, SSL and early TLS are no longer examples of strong cryptography or secure protocols. The PCI DSS v3.1 requirements directly affected are: Requirement Implement additional security features for any required services, protocols, or daemons that are considered to be insecure. Requirement 2.3 strong cryptography. Encrypt all non-console administrative access using Requirement 4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks. 4/28/

28 PCI DSS 3.1 Changes What is a Risk Mitigation and Migration Plan? The Risk Mitigation and Migration Plan is a document prepared by the entity that details their plans for migrating to a secure protocol, and also describes controls the entity has in place to reduce the risk associated with SSL/early TLS until the migration is complete. The Risk Mitigation and Migration Plan will need to be provided to the assessor as part of the PCI DSS assessment process. 4/28/

29 PCI DSS 3.1 Changes The following provides guidance of the type of information to be documented in the Risk Mitigation and Migration Plan: Description of how vulnerable protocols are used Risk assessment results and risk reduction controls in place Description of processes that are implemented to monitor for new vulnerabilities associated with vulnerable protocols Description of change control processes that are implemented to ensure SSL/early TLS is not implemented into new environments Overview of migration project plan including target migration completion date no later than 30 June /28/

30 PCI DSS 3.2 Changes SSC has announced that the PCI DSS has reached a point of maturity. Consequently, they no longer plan to release major revisions to the standard on a three-year cycle, but will instead issue releases more often with fewer changes between them.. 4/28/ Vanguard Integrity Professionals, Inc 30

31 PCI DSS 3.2 Changes The extension of the SSL/early TLS dates to June 30, 2018 will be reinforced. Multi-factor authentication requirements for accessing the cardholder data environment, which were already in place for remote access scenarios, will be extended to include local access. There will be some new Appendices in the DSS, including one dedicated to SSL/early TLS and one that brings DESV requirements into the DSS. Rules around displaying card numbers will be modified to accommodate an upcoming change to card number standards. 4/28/ Vanguard Integrity Professionals, Inc 31

32 PCI DSS 3.2 Changes Service providers will undergo additional scrutiny of their change management processes, and penetration testing will be required on a more frequent basis. 4/28/ Vanguard Integrity Professionals, Inc 32

33 What are the key dates for PCI DSS 3.2? April 2016: PCI DSS 3.2, as well as all supporting documents and SAQs, will be released. October 2016: PCI DSS 3.1 will retire six months after the release of PCI DSS 3.2, and all assessments or SAQs taken after that time will need to use version 3.2. This is significant for those with yearend annual assessment cycles. February 2018: All new requirements within PCI DSS 3.2 will become effective. (Prior to that they will be considered best practices. ) 4/28/ Vanguard Integrity Professionals, Inc 33

34 PCI Challenges Interpretation of PCI requirements and applicability to z/os Top PCI challenges for z/os

35 Interpreting PCI DSS for z/os What is a z/os System Component? 1st Systems Programmer 2nd Systems Programmer RACF Engineer RACF Administrator Master Catalog SDSF The RACF Database Dataset Profiles APF Authorized Datasets Session Managers Copies of the RACF database General Resource Profiles LINKLIB Datasets SYS1.UADS Dataset SETROPTS Settings User ID Attributes User Catalogs WebSphere RACF CDT Group Connect Authorities RACF Database JES2 / JES3 RACF Classes Role Based Access Parmlib Datasets OMEGAMON General Resource Profiles Database Administrator Multi-User Access Systems WebSphere MQ Encryption Keys IMS Databases z/os Security Patches DFSMS Group Membership DB2 Databases System Proclibs SVC s Privileged Userids DB2 Table Trace Started Tasks CICS System Datasets RACF Exits Oracle Databases SYS1.Parmlib DB2 System Datasets RACF Tables RACF Classes for DB2 SMF Log Files IBM Comm Server IRR Prefixed Utilities IDMS System Exits Vendor Security Products Logging Parameters QSA & Compliance Officers ICSF Encryption Keys Magnetic Tape? 4/28/

36 Identifying Not in Place Requirements Vanguard Findings Mapped to PCI Requirements Rank Vanguard s Top 10 z/os Findings Description of Finding Percent Occurrence of Finding PCI Requirement 1 Excessive Number of User IDs with No Password Interval 74% / Inappropriate Usage of z/os UNIX Superuser Privilege UID(0) 60% Sensitive Data Set Profiles with UACC Greater than NONE 54% / Critical Data Set Profiles with UACC Greater than READ 54% / Started Task IDs are not Defined as PROTECTED IDs 53% Improper Use or Lack of UNIXPRIV Profiles 52% Excessive Access to SMF Data Sets 44% / Excessive Access to APF Libraries 42% Excessive access to z/os UNIX File System Data Sets 42% RACF Database is not Adequately Protected 40% /28/

37 HELP & Questions Here are some helpful Websites: Requirements and Security Assessment Procedures PCI SSC Data Security Standards /28/ Vanguard Integrity Professionals, Inc.

38 Questions? How to Contact Us Vanguard Integrity Professionals 6625 South Eastern Ave., Suite 100 Las Vegas, NV Direct/International: (702) Toll Free: (877) /28/

39 Vanguard Security & Compliance Conference /28/

40 Title Sub-title 4/28/ Thank you!