Cipherithm LLC 2013 PCI SSC North America Community Meeting Notes

Similar documents
The Future of PCI: Securing payments in a changing world

Evolution of Cyber Attacks

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard

All the Latest Data Security News. Best Practices and Compliance Information From the PCI Council

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard

PCI Compliance: It's Required, and It's Good for Your Business

PCI COMPLIANCE IS NO LONGER OPTIONAL

The Devil is in the Details: The Secrets to Complying with PCI Requirements. Michelle Kaiser Bray Faegre Baker Daniels

Navigating the PCI DSS Challenge. 29 April 2011

Payment Card Industry Data Security Standard (PCI DSS) Payment Application Data Security Standard (PA-DSS) Summary of 2012 Feedback

Data Security Standard

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard

2012PHILIPPINES ECC International :: MALAYSIA :: VIETNAM :: INDONESIA :: INDIA :: CHINA

PCI DSS COMPLIANCE 101

Advanced Certifications PA-DSS and P2PE. Erik Winkler, VP, ControlCase

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard

Will you be PCI DSS Compliant by September 2010?

Managing Risk in the Digital World. Jose A. Rodriguez, Director Visa Consulting and Analytics

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Compliance

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard

Security Requirements and Assessment Procedures for EMV 3-D Secure Core Components: ACS, DS, and 3DS Server

Opting Out. Avoid Becoming the Next Breach Statistic. Copyright 2014 MAC. All Rights Reserved.

PCI DSS v3. Justin

The PCI Security Standards Council

PCI DSS 3.2 AWARENESS NOVEMBER 2017

Section 3.9 PCI DSS Information Security Policy Issued: November 2017 Replaces: June 2016

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance

June 2012 First Data PCI RAPID COMPLY SM Solution

Payment Card Industry (PCI) Data Security Standard

Understanding PCI DSS Compliance from an Acquirer s Perspective

Merchant Guide to PCI DSS

The PCI Security Standards Council PCI DSS Virtualization Webinar

Site Data Protection (SDP) Program Update

Payment Card Industry (PCI) Point-to-Point Encryption

A Perfect Fit: Understanding the Interrelationship of the PCI Standards

PCI compliance the what and the why Executing through excellence

Payment Card Industry (PCI) Data Security Standard

Segmentation, Compensating Controls and P2PE Summary

PCI Guidance Check-In Where are We Now? Diana

ISACA Kansas City Chapter PCI Data Security Standard v2.0 Overview

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard

SAQ A AOC v3.2 Faria Systems LLC

First Data TransArmor VeriFone Edition Abbreviated Technical Assessment White Paper

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version to 2.0

Section 1: Assessment Information

PCI DSS Addressing Cyber-Security Threats. ETCAA June Gabriel Leperlier

Commerce PCI: A Four-Letter Word of E-Commerce

University of Sunderland Business Assurance PCI Security Policy

PCI DATA SECURITY STANDARDS VERSION 3.2. What's Next?

Payment Card Industry (PCI) Data Security Standard

Mobile Security / Mobile Payments

Payment Card Industry (PCI) Qualified Integrator and Reseller (QIR)

Payment Card Industry Internal Security Assessor: Quick Reference V1.0

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.0

PCI DSS Illuminating the Grey 25 August Roger Greyling

Payment Card Industry (PCI) Data Security Standard

Webinar: How to keep your hotel guest data secure

Visa Inc Investor Day. Technology at Visa. Rajat Taneja EVP, Technology and Operations

Request for Comments (RFC) Process Guide

TECHNICAL STANDARDS ASSESSMENT REPORT

Payment Card Industry (PCI) Data Security Standard

Customer Compliance Portal. User Guide V2.0

Payment Card Industry (PCI) Data Security Standard

GUIDE TO STAYING OUT OF PCI SCOPE

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Payment Application Data Security Standard. Requirements and Security Assessment Procedures. Version 2.0.

PCI DSS Compliance. Verba SOLUTION GUIDE. Introduction. Verba and the Payment Card Industry Data Security Standard

Payment Card Industry (PCI) Data Security Standard

Minimizing the PCI Footprint: Reduce Risk and Simplify Compliance

IT Audit and Risk Trends for Credit Union Internal Auditors. Blair Bautista, Director Bob Grill, Manager David Dyk, Manager

Maintaining Trust: Visa Inc. Payment Security Strategy

Payment Card Compliance and Challenges

Qualified Integrators and Resellers (QIR) TM. QIR Implementation Statement, v2.0

Introduction to the PCI DSS: What Merchants Need to Know

Attestation of Compliance for Onsite Assessments Service Providers

Meeting PCI DSS 3.2 Compliance with RiskSense Solutions

SECURITY PRACTICES OVERVIEW

Comodo HackerGuardian. PCI Security Compliance The Facts. What PCI security means for your business

What are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards

PCI DSS 3.1 is here. Are you ready? Mike Goldgof Sr. Director Product Marketing

Your guide to the Payment Card Industry Data Security Standard (PCI DSS) banksa.com.au

Payment Card Industry Data Security Standard PCI DSS v3.2.1 Before and After Redline View Change Analysis Between PCI DSS v3.2 and PCI DSS v3.2.

Webinar Tokenization 101

What is PCI/DSS and What s new Presented by Brian Marshall Vanguard Professional Services

Transcription:

Cipherithm LLC 2013 PCI SSC North America Community Meeting Notes A Cipherithm White Paper Document Version 1.00 Publish date: Sept 30, 2013

DISCLAIMER This publication is proprietary and confidential to Cipherithm LLC and may not be used for any purpose other than communicating said information for the benefit of Cipherithm LLC its vendors, customers and to further its business interests. NOTICE Cipherithm LLC reserves the right to make changes at any time and without notice. The information furnished by Cipherithm LLC in this publication is believed to be accurate and reliable; however, no responsibility is assumed by Cipherithm LLC for its use. 2

Revision Control Version Date Editor Change Description 1.0 9/30/13 SS Initial release 3

Purpose This document provides the meeting notes taken by Scott Spiker at the 2013 PCI SSC North America Community meeting. The majority of the PCI SSC meetings are geared toward merchants and the PCI DSS. Cipherithm s interest in the PCI SSC meeting is more toward the device security requirements, you will find there are more details in that section of our meeting notes. Thank you to Equinox for sponsoring my attendance to this annual meeting. Feel free to submit comments, questions, and editorial suggests to info@cipheritm.com Wednesday, September 25, 2013 PCI SSC Community Meeting Mandalay Bay, Las Vegas, NV 1,400 attendees from 25 countries Bob Russo Opening remarks After 7 years of shared experience, top 10 list of where PCI is 10) Strength The PCI SSC has become a mature global forum Standards are being accepted globally Cash use is down 3.4% Check use is down 62% Card use is up 105% 9) Complexity 8) Policy 75% of data breaches are for financial gain Financial data breaches are being done by organized crime Cyber security is top priority for governments EU has new cyber policies USA has executive orders from the President for cyber security 7) EMV chip 6) Mobile Being deployed globally EMV needs PCI standards to maintain security EMV helps reduce face to face fraud Other fraud is still possible, this is where PCI can help PCI has issued EMV guidance on its web site Too early to place standards in this space Industry is moving too fast for effective standards 4

PCI has issues mobile payments guidance on its web site 5) High Risk PCI is focusing on the risk areas o Small merchants o Retail and hospitality Qualified integrators and resellers (QIR) PCI is expanding global training 4) Technology 3) Global P2PE update is coming soon Tokenization, PCI plans to produce a standard in 2014 Global card use is on the rise, therefore so is risk Huge card use growth globally 2) The Future? 1) You are the Future Indicating that the security experts represented in the PCI SSC membership and participation is the key to the future of PCI SSC. Key Note Speaker Misha Glenny Two books o McMafia o Dark Market Fireside Chat Moderated by Misha Glenny Troy Leach (CTO, PCI SSC) NIST is supposed to provide guidance on Android O/S security, possibly in October 2013 EMV migration to the USA conversation DSS version 3.0 Draft to be released in November 2013 There was a lot of feedback received Not all feedback could be implemented o Some feedback reduced security o Some feedback conflicted with other feedback There was a lot of requests for scoping guidance Additional guidance requested: o Logging 5

o Pre-authorization o Issuers Service provider attestations of compliance o Define service types o Identify service covered. Feedback groupings: o Require use of data discovery tools o Require web-malware scanning o Create a program for PCI approved penetration testing vendors o Password requirements are out of touch o Requirements are too vague o Requirements are too prescriptive o Sometimes the two above statements were addressed to the same requirement o Firewalls o Anti-virus o Many on requirement 12.8 PCI DSS is designed to be technology agnostic o PCI DSS already supports Cloud E-commerce Tokenization PCI DSS and PA-DSS 3.0 key themes o Education o Flexibility and consistency o Security as shared responsibilities o Emerging threats New section, Guidance o Best practices for implementing into business as usual Focus on security, not compliance PCI DSS is not a once a year activity Don t forget about the people involved (training and threats) Incorporated information from navigation guide to the DSS 3.0 Feedback promote consistent validation methods o Enhance testing procedures o Clarify what it means to verify a requirement o Improve reporting o Add new templates PA-DSS version 3.0 Volume of feedback as a lot less than received from DSS o Broader application eligibility o Simplify application listing process o Improve implementation guides o Move rigor needed for default passwords Greater flexibility o Allow use of wildcard in application passwords o Expand software development life cycle 6

o Enhanced requirement for training Implementation guide feedback Default accounts o Payment application must not require use of default accounts o Application default password be changed during installation o Password rendered unreadable using one way cryptographic algorithms. Open Forum for Questions There were no PTS related questions. Networking Reception Discussed with Leon Fell, Jeremy King and Tim Cormier that many of us PED vendors did not like the reduced time for PTS updates to the vendors, especially when there is a brand new version to the requirements that is much more intense than version 3. The vendors feel they have shorted out of good discussion in all previous PCI SSC meetings and now it is worse. An idea was floated to provide a PTS vendor and lab meeting on the day before the SSC meeting, like what is done with the QSA s for DSS. PCI stated that they would consider this. Thursday, September 26, 2013 Report on the Verizon Data Breach Report Threats o Small merchants are most vulnerable o 24% of incidents affect retail or food service o 72% driven by financial motives PCI standards update P2PE o One solution is currently under review o Two payment applications are listed New hybrid requirements allows the use of non-sred devices Tokenization / Mobile Mobile o PCI has provided guidance o Too early to apply standards to this technology Tokenization o In the process of developing a 4 document standard General principles Reversible tokens Irreversible tokens Implementation requirements o Released planned for 2014 o Task force started August 2013 7

PTS o ATM guidance put out 1 st quarter of 2013 o Card security guidance put out 2 nd quarter or 2013 o PTS version 4 requirements put out 2 nd quarter or 2013 Re-ordered some requirements New guidance for the labs Re-organization of the Open Protocols Combined the DTRs (Derived Test Requirements) with the DTPs (Derived Test Procedures) o Vendors must now provide a security policy to their customers and will be posted on the PCI SSC web site, this is a new requirement B20 o A new program manual went up in Sept 2013 o Estimated about 20% more tab testing is required for V4 testing o Much more robust testing is now required o MasterCard requires two devices be sent to MasterCard upon completion of an evaluation. The labs will not collect those devices and send them to MC. This is not a new requirement, but vendors were not doing this. o Prohibit use of wildcards in the model name o Expired devices will be listed on a separate page starting May 2014 o Devices can submitted for V3 until Feb 28, 2014 o Device report must be complete by April 30 o Device report must be approved by June 30, 2014 o For devices that are approved, continuation fees are billed May 1 o To cancel renewing the listing fee must be more than 90 days prior to the invoicing. The cancelation request must be in writing. Copy of the End of Life letter must be provided o Canceled devices will be listed with a footnote showing they have been approved but are EOL PTS Device Expiration o PTS version 1 devices expire April 30, 2014. o Starting May 1, 2014, expired PEDs cannot be deployed o Deployed typically means purchased from the original manufacturer. (Visa s guidance is consistent with this. o Rumor has it that no expired devices can be newly deployed, meaning those companies that have new devices in inventory as of May 1, 2014, may not install these devices for new merchant locations. These devices could be used for replacments o More information is still to come on this PTS Sunset dates o There are discussions about when to sunset PTS version 1 devices. This means when they may no longer be used for PIN entry. The rumored data is 2017 PIN Security Requirements version 2 PCI provides training material, intended for QSAs, that they can use for training clients. A license is required as well as a brand sponsor. There is a cost for the use of this material A working group has started for this effort Request for comments will be sent out the first quarter of 2014 Plan to publish version 2 sometime May 2014 8

Open Forum for Questions There were no PTS related questions. 9

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback