PCI DSS 3.2 News Letter

Transcription

1 PCI DSS 3.2 News Letter Alcumus ISOQAR India Pvt. Ltd. PCI DSS QSA

2 Foreword The leadership team with the BIG FOUR background; focuses on delivering performance with passion. We believe in knowledge performance integration. With the growing demand for compliance; the team ALCUMUS ISOQAR believes in enhancing its capability to provide value added services in the field of audits, trainings coupled with compliances. Our long term vision is to be the ONE STOP SHOP for all requirements related to audit/ training/ compliances/ Tools etc. in all domains. Our business idea supports this vision by providing wide range of audit and training services globally utilizing domain knowledge, audit experience and utmost professional approach. Today we work on all standards including ISO standards in all domains; 2 nd party audits; PCI Compliances; SSAE 16 SOC compliances; HIPAA compliances; BRC; RJC compliances etc. Nishid Shivdas Executive Director Compliance ISOQAR uses the knowledge assets to drive performance. Knowledge embedded in our services and business processes now drives what can be created and delivered to our esteemed customers. We are publishing a newsletter on PCI DSS which puts a finger on the pulse of various requirements under new version of PCI DSS version 3.2. We hope the newsletter provides you with insights that can be leveraged in shaping the PCI DSS implementation posture in your organization. Regards, Prashant Koranne Partner PCI DSS Compliance ISOQAR India Pvt. Ltd. The security benefits associated with maintaining PCI compliance are vital to the long-term success of all merchants who process card payments. This includes continual identification of threats and vulnerabilities that could potentially impact the organization. Most organizations never fully recover from data breaches because the loss is greater than the data itself.

3 Statistics Statistics of Card Related and Identity Theft Frauds Source: The UK Cards Association Source: Krebsonsecurity

4 How to prepare? What is new in PCI DSS 3.2? Within the 12 core requirements of the PCI DSS, there are five new sub-requirements for service providers affecting requirements 3, 10, 11 and 12. New sub-requirements have been added to requirement 8 to ensure multi-factor authentication is used for all non-console administrative access and all remote access in the cardholder data environment. There are also two new appendices. Appendix A2 incorporates new migration deadlines for removal of Secure Sockets Layer (SSL) /early Transport Layer Security (TLS) in line with the December 2015 bulletin. Appendix A3 incorporates the Designated Entities Supplemental Validation (DESV), which was previously a separate document. Link to get the complete summary of changes in PCI DSS Version 3.2: y=pcidss&document=pci_dss How long do organizations have to implement PCI DSS 3.2? PCI DSS 3.1 will retire on 31 October 2016, and after this time all assessments will need to use version 3.2. Between now and 31 October 2016, either PCI DSS 3.1 or 3.2 may be used for PCI DSS assessments. The new requirements introduced in PCI DSS 3.2 are considered best practices until 31 January Starting 1 February 2018 they are effective as requirements and must be used ISOQAR India Pvt. Ltd., an Indian Registered company and a member firm of the Alcumus Group International Cooperative ( Alcumus ISOQAR ), an entity. All rights reserved.

5 PCI DSS 3.2 focuses on Encryption and Multifactor Authentication PCI DSS 3.2 marks the start of refining the payment data regulations, rather than minor changes, and includes requirements to strengthen encryption and multifactor authentication. The PCI Security Standards Council (PCI SSC) has published a new version of its data security standard (DSS), used to safeguard payment data before, during and after a purchase is made. PCI DSS version 3.2 replaces version 3.1, which will expire on Oct. 31. Multifactor Authentication - One significant change in PCI DSS 3.2 is that it includes multi-factor authentication as a requirement for any personnel with administrative access into environments handling card data. Previously this requirement applied only to remote access from untrusted networks. A password alone should not be enough to verify the administrator s identity and grant access to sensitive information, said PCI Security Standards Council CTO Troy Leach. We ve seen an increase in attacks that circumvent a single point of failure, allowing criminals to access systems undetected and to compromise card data.

6 5 Platinum Principles for continual PCI Know the Standard 1 Unlike many other compliance standards e.g. ISO (too generic) and SSAE 16 (you can define your own frequency), PCI DSS has a definite frequency for maintaining controls. There are multiple requirements which could have a cascading effect on your compliance posture if you fail to maintain the effectiveness of the required controls. There could be various teams involved and unless there is a crystal clear understanding and communication within the teams, you are most likely to face difficulties. For example the purchase is done by procurement team, device hardening is done by some other team and vulnerability scanning is someone else s responsibility. Unless these teams are in sync and know the standard well, maintenance becomes difficult.

7 5 Platinum Principles for continual PCI Get the Necessary Budgetary Approval for the Upkeep 2 As a CISO, you may need to procure stuff and outsource some of your activities viz. Scans from ASV and other periodic scans. While submitting the budget, it is advisable to include the recurring maintenance cost as well. This will ensure that you have necessary funds available and you don t need to run at the eleventh hour and delay the mandatory requirements for compliance.

8 5 Platinum Principles for continual PCI Develop an Annual Compliance Calendar 3 A simple spreadsheet can do wonders. List the tasks as Daily (Log Reviews), Weekly (File Integrity Checks), Monthly (Newly Added Devices, Employee Background Checks, Recent Infrastructure Changes etc.), Quarterly (Scans), Semi- Annually (Network device rule set reviews) and annually (policy reviews, risk assessment, training programs, pen tests, incidents).once the list is ready, name the Owner for each activity. Add the column Checker. Circulate the calendar to all the relevant stakeholders..

9 5 Platinum Principles for continual PCI Assign Tasks and Monitor Them 4 Once the calendar is circulated, ask all the checkers to report the progress on a periodic basis. My strong recommendation do this on a fortnight basis. This will ensure in initiating the immediate corrections and corrective actions if something is amiss and will not come as a last minute surprise or show spoiler. Our sincere advice For any challenges, take required advice from the QSA Company. They will guide in addressing any bottlenecks. Remember hiding facts helps nobody in compliance

10 5 Platinum Principles for continual PCI Include Vendors in Compliance Program 5 Communicate your compliance requirements to the vendors well in advance; in fact, it needs to be a contractual obligation. Vendors play a vital role in maintaining the compliance program when it comes to PCI DSS. If you have third party vendors, keep them well informed. If you have outsourced any of your activities, get the records well in time to avoid last minute hiccups. You re also now required to maintain a formal list of PCI responsibilities shared with vendors, down to the specific requirements you and the vendor handle. Vendor non-compliance can become a big challenge for your own maintenance and could be a show stopper.

11 Alcumus PCI DSS Value Proposition by FOUR fold (Triple A -S) approach We at Alcumus ISOQAR India realize the pains in achieving any compliance and maintaining it. Specifically, when it comes to achieving and maintaining the PCI DSS compliance the mission is even tougher. Assess Accelerate Achieve Sustain We assist clients in defining the exact scope (thus saving lot of money and efforts), identifying the gaps and propose a feasible remediation approach. Our expert consultants and QSAs are always ready to walk that extra mile for the clients and reduce the timelines in achieving the compliance goals. Once the system is audit ready, our QSAs conduct a formal PCI DSS assessment onsite and release the Report On Compliance (ROC) and Attestation Of Compliance (AOC) in due course of time. This is one of the highlights of ISOQAR approach. In the Achieve phase we mentor all our clients get ready for the next challenge i.e. continual maintenance of compliance. Our project team not only grooms the clients in maintenance activity, but also keeps a close watch on their PCI DSS activities and its compliance. Please check for our PCI Protector Plan.

12 PCI Compliance as a Service (P-CaaS) We focus on all pertinent areas of PCI DSS and dive into the details associated with each required control. Our PCI compliance services utilize a combination of remote and onsite interviews, documentation reviews, walkthroughs of cardholder data processing environments, examine process flows, supporting systems, and all other areas associated with card-data processing. We also provide PCI DSS support services and solutions. Vulnerability Assessment and Penetration Testing (VA/PT) Application Security Assessment (AppSec) Network Security Architecture Review Firewall and Router Rule Set Reviews Implementation of Security and Incident Management (SIEM) tool Implementation of File Integrity Monitoring (FIM) tool Identity Management Solution (IDM) Multi-Factor Authentication Services

13 How Alcumus ISOQAR can help? Alcumus ISOQAR India Pvt. Ltd. was founded in 2006 & is rooted in performing security assessments meeting compliance frameworks such as HIPAA, SOX, ISO 27001, ISO 20000, ISO 22301, ISO 33000, PCI- DSS QSA etc. With the rich experience of conducting compliances for various security frameworks, whether you are a large multinational bank or a small payment processor, Alcumus ISOQAR has the ability to serve your needs and ensure your organization is brought up to speed and into compliance with the PCI Data Security Standard. Alcumus ISOQAR is a Qualified Security Assessor (QSA) as certified by the PCI Standards Council and has been qualified to perform the following PCI DSS compliance. We have performed a wide variety of PCI related engagements and is presently involved in compliance efforts for the following areas: Service providers Payment Gateway PCI Scenarios PCI in BPOs PCI for Banks Issuing Operations; and Datacenter related PCI refinements The PCI Security Standards Council is constantly working to monitor threats and improve the industry s means of dealing with them, through enhancements to PCI Security Standards and by the training of security professionals. For many small and mid-sized businesses, getting started embracing change with the PCI DSS can be overwhelming. The good news is that it doesn t have to be! Let us help remove the burden by stepping you through the compliance process and showing you where you can secure your business, validate compliance, and save time, hassle and money over the long term. When you re just starting out with PCI compliance, the last thing you want to do is wade through hundreds of pages of rules and requirements. Our specialized services and PCI DSS experts will help you quickly identify and address your organization s biggest security risks and their corresponding compliance gaps so you can successfully achieve and maintain PCI compliance. You construct your business. We Protect it.

14 Open Invite to Discuss PCIDSS Implementation Book a 60 minutes Virtual Tea Consultation with Prashant Koranne (PK) Send us on Michael@isoqarindia.com #ISOQAR India Pvt. Ltd. The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. ISOQAR (INDIA) PVT. LTD. 303, Matrix, Corporate Road, Prahladnagar, Off. S.G.Highway, Ahmedabad , Gujarat, India. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation. The views and opinions expressed herein are those of the internet based research, they do not necessarily represent the views of ISOQAR in India ISOQAR India Pvt. Ltd., an Indian Registered company and a member firm of the Alcumus Group International Cooperative ( Alcumus ISOQAR ), an entity. All rights reserved. This document is meant for e-communications only.