PCI DSS 3.0 Branden R. Williams, 12 September 2013

Transcription

1 PCI DSS 3.0 Branden R. Williams, 12 September 2013

2 Agenda Introductions PCI DSS to Date PCI DSS 3.0 Preview Challenges & Issues Keep in Touch! Questions!

3 Introductions Branden Williams PCI Board of Advisor Member Representing RSA First assessment, 2004 (CISP/SDP at the time) 2 Books (PCI Compliance, 3e, Syngress) Built two security consulting businesses

4 PCI DSS to Date PCI DSS 1.0 (December 15, 2004) PCI DSS 1.1 (and ASV), Council formed (September 7, 2006) PCI DSS 1.2 (and PA-DSS), September 2008 PCI DSS 2.0, (unified PTS, PA-DSS, PFI) 2010 PCI DSS 3.0, November 2013 Notables: 3 year cycle Supplemental documents Certifications open to non QSA/PO Community meeting in 2 weeks!

5 Why 2013 is PIVOTAL for PCI DSS Emerging Technologies EMV to the US but does Mobile skip it? The standard is struggling for relevance! Some technologies ignored: Cloud Mobile Virtualization Universal applicability desired Yet nothing that flows from STD to Detail No way to get transparency into fraud

6 These guys must get it right!

7 Yet, evidence thus far is to the contrary Current BoA/PO had limited to no input Standards continue to be created in a vacuum They sit behind the times BUT WHY?? Top reasons for breach are still basic Companies can t get the baseline right IT is in flux, sometimes the enemy of the business

8 OK, so what do we do?

9 Tell me if you ve heard this one before Know your data flows: Data Flows Made Easy Do discovery as well Consider DLP Outsource EVERYTHING! Who told you it was a good idea to run a pmt processor? Double check those models! Focus on Security and the partnership with the business!

10 Examples of where you can usurp PCI DSS That s right! USURP IT! PCI DSS misses so many marks But don t let it hold you back! Mobile: Make mobile apps comply Focus on underlying platform Cloud: Leverage security tactics Focus on HYBRID models Virtualization: Infrastructure, infrastructure, infrastructure

11 Current challenges we hope get addressed Mobile is virtually unaddressed Cloud/Virtualization is ambiguous They tell you not to us it! Interpretation Issues Ever had QSA-Conflict? Who is really to blame? A way to tie Std with Guidance Ways to look forward

12 What we know about 3.0

13 Stated Drivers of Change Lack of Education & Awareness Weak Passwords/Auth Third Party Security Slow self-detection, malware Inconsistency in Assessments

14 Key Themes Education & Awareness Ideally this is good Adds more detail on intent Flexibility Again, ideally this is good Allows better threat/counter match Security as Shared Responsibility Uh oh overstep? Good intention, PCI must know its place

15 Highlighted Changes Req 1: Add cardholder data flows as a requirement to the mix Req 2: Maintain inventory of in-scope components Req 5: Evaluate malware threat, on systems NOT commonly affected by malware (yes, that is correct) Req 6: Updates OWASP top 10 Req 8: Allow for flexibility in auth to create vehicle for strong passwords Requirements for non-password methods Req 9: Physical security of terminals

16 Highlighted Changes (cont) Req 10: Clarifications on daily log reviews, with flexibility for less-critical log events Req 11: More details for penetration testing & scope verification Req 12: Third-party assurance work, including documentation on which third parties manage which requirements Incorporate policy/procedure requirements into each requirement (follows generally accepted principles) More intent documentation integrated with standard, including more detail on testing procedures

17 And the DUH moment Req 2: Yes, you must change default passwords for SERVICE accounts too Sensitive Auth Data is still sensitive even if the PAN is not present

18 What s the Timeline? PCI DSS 3.0 to be released in NOVEMBER Effective on January 1, 2015 (yes, 13 months from release) PCI DSS 2.0 is valid through next year You should do a Gap analysis ASAP Holiday freeze a good time! Retired December 31, 2017

19 Discussion!

20 Additional Resources Has all standards docs Includes releases on updates PCI Community Meetings Vegas, Sep Nice, Oct KL, Nov 19-20* Brando s Blog & Book: blog.brandenwilliams.com

21 How about we stay in touch? If you would like a copy of these slides: Text b@zip.sh code isaca2013 comma, your address Example: isaca2013,your@ .com Or use the QR code above Stay up to date with things I m working on (opt in)! brandenwilliams.com

22 Thank you, Any questions?