All the Latest Data Security News. Best Practices and Compliance Information From the PCI Council

Transcription

1 All the Latest Data Security News Best Practices and Compliance Information From the PCI Council 1

2 What is the PCI Security Standards Council? Collaboration Education Simplified solutions for merchants 2

3 PCI DSS 3.2 Update April Why now? Threat and Payment Landscape SSL/TLS Updates to v3.1 Impacting Changes Include: Multi-Factor Authentication Service Provider Updates SSL/TLS Sunset Dates

4 SSL to TLS Background and Timeline SSL/TLS used as example in DSS v3 and earlier Example of strong cryptography Example of additional security for insecure services Marketplace feedback Technical issues - relatively easy Business issues - complex April 2014 NIST SSL&TLS 1.0 Unsafe PCI SSC Seeks Industry Input April 2015 PCI SSC Issues PCI DSS v3.1 and Guidance Marketplace Feedback December 2015 PCI SSC Issues New Migration Dates

5 SSL and Early TLS: New Migration Dates SSL & early TLS not considered strong cryptography & not allowed as security control after 30 June 2018 All processing and third party entities including Acquirers, Payment Processors, Gateways and Service Providers must provide a TLS 1.1 or greater service offering by 30 June All entities must cutover to a secure version of TLS (as defined by NIST) by June Consistent with the existing language in PCI DSS v3.1, all new implementations must be enabled with TLS 1.1 or greater (TLS 1.2 recommended). POI terminals (and the SSL/TLS termination points to which they connect) that can be verified as not being susceptible to all known exploits for SSL and early TLS, can continue to use SSL/early TLS beyond June 2018 consistent with the current exception.

6 Additional Guidance Information Supplement & FAQ Clarification on new vs. existing implementations Guidance on allowances for POS POI environments Suggestions/examples of risk mitigation techniques Suggestions/examples on alternative cryptographic options to replace SSL/early TLS Best practices for proper TLS configuration

7 7 Other Changes in PCI DSS 3.2

8 Multi-factor Authentication Terminology: two-factor replaced with multi-factor More accurate terminology Two or more factors may be used Does not change intent of original requirement Still can t use one factor twice Already required for all remote access to the CDE Now also required for personnel with administrative access into the CDE 8

9 New Requirements for Service Providers New requirements adapted from DESV: Documentation of cryptographic architecture Detect and respond to failures in critical security controls More frequent penetration testing on segmentation controls Maintain a formal PCI DSS compliance program Periodically confirm personnel are following security policies and procedures All new requirements future-dated to 1 st February

10 Appendix A2 for SSL/Early TLS Separate appendix to address SSL/early TLS Clarifies intent of requirements Incorporates new migration dates New implementations must not use SSL/early TLS Service Providers must have secure service offering by 30 June, 2016 All entities must cut over to secure versions of TLS by 30 June, 2018 Risk Mitigation and Migration Plan required Allowance for POS POIs 10

11 DSS v3.2 Timelines and Sunrise/Sunset Dates All new requirements future dated to February 1 st, 2018 Provides additional time to prepare for new requirements All new requirements identified as best practices until then PCI DSS v3.1 retires 6 months after release of v3.2 Allows current assessments to complete by October 2016 Previous proposal was 3 months to complete v3.1 ROC Timeline for PCI DSS v3.2 release: Recommend soft release one week later to Participating Organizations Public release later in the month with additional collateral 11

12 PCI Point-to-Point Encryption (P2PE) v2

13 Why P2PE? Protect cardholder data throughout the transaction cycle Point of Interaction In Store Server Mgmt. Sales and Marketing Stock Control 3 rd party suppliers Merchant Data center 3 rd Party Processor The Internet Acquiring Bank Moto Ecommerce 13

14 UK Card Not Present Fraud 14

15 WHAT ARE THE MAJOR CHANGES? Consolidated two P2PE standards New function-specific domains to support P2PE Component Providers Merchant-managed solutions Simplified merchant PIM requirements 15

16 PCI P2PE Solution Benefits for Retailers Visit the PCI SSC website listing to view available solutions: and solutions/point to point encryption solutions 16

17 17 Looking Ahead

18 Future Threat Landscape Card Not Present Fraud Contactless Payments Vulnerabilities Account Takeover Extortion 18

19 Current Threat Landscape Weak Passwords SQL Injection Spear Phishing Malware Remote Attack Vector Poor Patching 19

20 What next? 20 Updates to PA-DSS Small merchant guidance Effective Daily Log Monitoring Best practices for safe e-commerce Evaluation of DSS requirements for specific environments Hoteliers and Hospitality Webinar on Data Security 15 th June Incident Response Best Practices

21 PA-DSS V3.2 21

22 SMALL MERCHANT BUSINESS TASK FORCE Simple, easy to understand & relevant to the unique needs of small merchants Helps small merchants understand their responsibility for protecting payment card data & identifies and mitigates areas of risk in their environment Provides small merchants with the information they need when assessing their own environment, working with QSA and/or making changes 22

23 23

24 24

25 Partner with the Council

26 Participating Organizations Key Benefits Advance review of standards and supporting materials before release, with the opportunity to provide feedback Complimentary attendance at annual community meetings hosted by the Council Substantial training discounts; courses are offered in instructor-led and elearning formats Nominate and vote for representatives to stand for election to the Council s Board of Advisors Drive the Special Interest Groups (SIGs) that provide the Council with understanding and guidance on particular topics or technologies To learn more, visit: PCI Council Participating Organizations

27 Board of Advisors 27

28 Trainings PCI Trainings Courses Include: Awareness Approved Scanning Vendor (ASV) Internal Security Assessor (ISA) Payment Application Qualified Security Assessor (PA-QSA) PCI Professional (PCIP) Point to Point Encryption Assessor (P2PE) Qualified Integrator/Reseller (QIR) Qualified Security Assessor (QSA) 28

29 PCI Documents available in Russian Work to commence on translation of PCI DSS V3.2 and supporting documents 29

30 Additional Resources Check Our Document Library for New Resources 30

31 31

32 PCI DSS is the Foundation 1. Keep the bad guys out 2. Set up your systems properly 3. If you must have data then protect it 4. If you must send data then encrypt it 5. Protect yourself against malware and other attacks 6. Build your software properly and securely 7. Keep access to the card data to a minimum 8. Make sure people are who they say they are 9. Physical security is just as important 10.Track who goes where and what they do 11.Test and check everything is working correctly 12.Make sure everyone knows what is required 32

33 Please visit our website at