
PCI DSS 3.1 is here. Are you ready?
Mike Goldgof, Sr. Director Product Marketing, WhiteHat Security

WhiteHat Security
- Application security company
- Leader in the Gartner Magic Quadrant
- Headquartered in Santa Clara, CA
- 320+ employees
- 37,000+ sites assessed
- 800+ customers

Agenda
- What is PCI DSS and does it apply to you?
- Payment security and PCI compliance
- Why do they keep making changes?
- Top 11 changes in 3.1
- Q&A

What is PCI DSS?
Payment Card Industry Data Security Standard
- Developed to strengthen cardholder data security and to facilitate broad adoption of consistent data security measures
- A baseline of technical and operational requirements to protect account data
- Applies to all entities involved in payment card processing: merchants, processors, acquirers, issuers and service providers
- Also applies to all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD)

PCI DSS High Level Overview
Source: PCI Data Security Standard v3.1
(The slide reproduces the standard's own overview table: six goals and twelve requirements.)
Build and Maintain a Secure Network and Systems
- 1. Install and maintain a firewall configuration to protect cardholder data
- 2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
- 3. Protect stored cardholder data
- 4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
- 5. Protect all systems against malware and regularly update anti-virus software or programs
- 6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
- 7. Restrict access to cardholder data by business need to know
- 8. Identify and authenticate access to system components
- 9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
- 10. Track and monitor all access to network resources and cardholder data
- 11. Regularly test security systems and processes
Maintain an Information Security Policy
- 12. Maintain a policy that addresses information security for all personnel

PCI Applicability by Industry
Retail
- In stores
- Over the phone
- Online through e-commerce sites
- Online through mobile applications
- In temporary locations
Healthcare
- Patient payments
- Other goods and services
- Fundraising
Financial Institutions
- Merchant
- Issuer
- Acquirer
Service Provider
- Third-party payment card processing
- Web hosting
- Loyalty programs
- Credit bureaus
- Shopping carts
- Fraud and chargeback investigation
- Records management

Why Implement PCI?
- Reduces the likelihood of a breach and of cardholder data loss
- Protects brand and customer trust
- Avoids fines and penalties. Note that these are imposed by the card brands and passed on through the acquiring bank; the PCI Security Standards Council publishes the standard but does not levy fines itself
Source: The global cost of payment fraud, BI Intelligence, 2014

Payment Security and PCI Compliance
- Card usage continues to grow
- Breaches are escalating: 783 breaches in 2014, up 28% from 2013 (Identity Theft Resource Center)
- Consumers are reluctant to buy from breached vendors
Sources: Radius Global Market Research, Quirk's Marketing Research Review, June 2014; "Poll Shows Broad Impact of Cyberattacks", Wall Street Journal, December 2014

Window of Exposure
Source: WhiteHat Security 2015 Website Security Statistics Report
(Chart slide. WhiteHat's "window of exposure" is the number of days in a year that a site is exposed to at least one serious vulnerability; the chart itself is not reproduced in this transcription.)

PCI Compliance Drives Payment Security
Sources: WhiteHat Security 2015 Website Security Statistics Report; Verizon 2015 PCI Compliance Report
(Chart slide; the figures are not reproduced in this transcription.)

Why do they keep making changes?
- Payment innovation: smarter cards, contactless payments, mobile payments
- IT environment changes: mobility, virtualization, cloud
- Ongoing issues: lack of education and awareness; weak passwords and authentication; third-party security challenges; inconsistency in assessments
Source: Verizon 2015 PCI Compliance Report

Top 11 Changes in 3.1

Change #1: Coding Practices
Requirement 6.5: Address common coding vulnerabilities in the software development process.
What does that mean? Examine your SDLC to make sure vulnerabilities are not introduced during development. Train developers to:
- Identify and resolve common vulnerability classes
- Know and apply secure coding guidelines (the requirement's guidance points to industry sources such as the OWASP Guide, the SANS CWE Top 25 and CERT Secure Coding)
What should you do?
- Implement a secure coding training program that includes computer-based training (CBT) and/or live training
- Add static analysis and/or code review to your SDLC

Change #2: Risk Assessments
Requirement 12.2 (12.1.2 in PCI DSS v2.0): Implement a risk-assessment process that is performed at least annually and upon significant changes to the environment.
What does that mean? Perform a formal risk assessment at least once a year, and again whenever there is a significant change, for example an acquisition, a relocation or a new payment channel.
What should you do?
- Establish a security program that triggers a reassessment whenever major changes are made
- Perform continuous monitoring between assessments

Change #3: SSL and Early TLS
Requirements 2.2.3, 2.3, 4.1, 4.1.1: SSL and early versions of TLS are no longer considered strong cryptography.
What does that mean? An application that still accepts SSL (any version) or early TLS, meaning TLS 1.0, does not meet PCI DSS 3.1. TLS 1.1 is still accepted; TLS 1.2 or later is strongly recommended. PCI DSS 3.1 set 30 June 2016 as the date after which SSL and early TLS may no longer be used as a security control, required a formal risk mitigation and migration plan until then, and stated that new implementations must not use them at all. (The Council later extended the migration date to 30 June 2018 in v3.2.)
What should you do?
- Scan every endpoint that carries cardholder data, not only the public web front end, for SSL and outdated TLS versions, including load balancers, APIs, management interfaces and connections to third parties
- Configure web servers and applications to accept only TLS 1.2 or later (TLS 1.1 at minimum), and explicitly disable SSLv2, SSLv3 and TLS 1.0
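The scan step above, as an added example that is not part of the deck or of WhiteHat's tooling: a Python probe that attempts one handshake per protocol version against a target host and turns the results into a PCI DSS 3.1 verdict. The target hostname and port are assumptions supplied on the command line; the probe itself needs network access, while the verdict logic is a pure function that can be checked offline. It is a minimal stand-in for tools such as testssl.sh or nmap's ssl-enum-ciphers, not a replacement for them.

```python
"""Probe which SSL/TLS protocol versions a server will negotiate.

Added example (not from the deck). Each probe pins the client to exactly one
protocol version, so a completed handshake proves the server accepts it; a
refusal for a version the local OpenSSL cannot speak is reported as inconclusive.
"""
import socket
import ssl
import sys
import warnings

# PCI DSS 3.1 (req. 2.2.3, 2.3, 4.1) retired SSL 2.0/3.0 and "early TLS", i.e. TLS 1.0.
# TLS 1.1 was still allowed under 3.1; TLS 1.2 or later is the recommended floor.
LEGACY = {ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1}
ACCEPTABLE = {ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3}
MODERN = {ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3}
NAMES = {
    ssl.TLSVersion.SSLv3: "SSLv3",
    ssl.TLSVersion.TLSv1: "TLSv1.0",
    ssl.TLSVersion.TLSv1_1: "TLSv1.1",
    ssl.TLSVersion.TLSv1_2: "TLSv1.2",
    ssl.TLSVersion.TLSv1_3: "TLSv1.3",
}
# Can the local library even offer the version? If not, a failed probe says nothing.
LOCALLY_SUPPORTED = {
    ssl.TLSVersion.SSLv3: ssl.HAS_SSLv3,
    ssl.TLSVersion.TLSv1: ssl.HAS_TLSv1,
    ssl.TLSVersion.TLSv1_1: ssl.HAS_TLSv1_1,
    ssl.TLSVersion.TLSv1_2: ssl.HAS_TLSv1_2,
    ssl.TLSVersion.TLSv1_3: ssl.HAS_TLSv1_3,
}


def pinned_client_context(version):
    """Client context that offers exactly `version` (min == max), or None if the
    local OpenSSL cannot offer it."""
    if not LOCALLY_SUPPORTED[version]:
        return None
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # we test protocol support, not certificate validity
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")  # OpenSSL 3 hides legacy suites at its default level
    except ssl.SSLError:
        pass  # builds without security levels (e.g. LibreSSL)
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)  # pinning to SSLv3/TLS 1.0 warns
        try:
            ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
            ctx.maximum_version = version
            ctx.minimum_version = version
        except ValueError:  # version compiled out despite the HAS_* flag
            return None
    return ctx


def probe(host, port=443, timeout=5.0):
    """Map each version to True (negotiated), False (refused) or None (inconclusive)."""
    results = {}
    for version in NAMES:
        ctx = pinned_client_context(version)
        if ctx is None:
            results[version] = None
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[version] = tls.version() is not None
        except (ssl.SSLError, OSError):
            results[version] = False
    return results


def assess(results):
    """Pure function over probe results: the PCI DSS 3.1 verdict and the detail behind it."""
    negotiated_legacy = sorted(NAMES[v] for v, ok in results.items() if ok and v in LEGACY)
    return {
        "meets_3_1_floor": not negotiated_legacy and any(results.get(v) for v in ACCEPTABLE),
        "tls12_or_later": any(results.get(v) for v in MODERN),
        "negotiated_legacy": negotiated_legacy,
        "inconclusive": sorted(NAMES[v] for v, ok in results.items() if ok is None),
    }


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # assumed target host
    for key, value in assess(probe(target)).items():
        print(f"{key}: {value}")
```

Run it as `python tls_probe.py payments.example` against each in-scope endpoint. An "inconclusive" entry for SSLv3 is common on modern hosts because the local OpenSSL was built without SSLv3; that is not evidence the server refuses it, so rerun from a host with a legacy-capable library or use a dedicated scanner before closing the finding.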

Change #4: Inventory
Requirement 2.4: Maintain an inventory of system components that are in scope for PCI DSS.
What does that mean? Keep a current list of all in-scope systems and their components (hardware, software, applications, virtual machines) and understand what each component does and why it is in scope.
What should you do?
- Perform discovery of your environments at least quarterly, either yourself or through a third party, and reconcile the results against the inventory so that unknown or forgotten systems are found before an assessor or an attacker finds them

Change #5: Attestation
Requirement 12.8.5: Maintain information about which PCI DSS requirements are managed by each service provider and which are managed by the organization itself.
What does that mean? Document which party handles which activities for each PCI DSS requirement, so that nothing falls into the gap between you and your service providers.
What should you do?
- Request that each third party attest, in writing, to the requirements it covers for you, and record this in a responsibility matrix that is kept current

Change #6: Vulnerability Classes
Requirements 6.5.1 through 6.5.10: These requirements apply to all applications, internal as well as external.
What does that mean? Internal applications are just as vulnerable as internet-facing ones and must be secured to protect cardholder data; "it is only reachable from inside" is not an exemption.
What should you do?
- Make sure your application security program covers all of the 6.5 vulnerability classes (injection flaws; buffer overflows; insecure cryptographic storage; insecure communications; improper error handling; high-risk vulnerabilities identified by your vulnerability identification process; cross-site scripting; improper access control; cross-site request forgery; broken authentication and session management) for internal and external systems alike

Change #7: Insecure Cryptographic Storage
Requirement 6.5.3: Prevent cryptographic flaws. Use strong cryptographic algorithms and keys, and protect the keys.
What does that mean? Make sure stored cardholder data is encrypted with strong cryptography, and look for cryptographic flaws in your own code: weak or home-grown algorithms, short keys, hard-coded or poorly protected keys, and insecure modes such as ECB.
What should you do?
- Create a company policy on approved cryptographic algorithms, key lengths and key generation
- Add static analysis to your SDLC to catch weak algorithms and mishandled keys before release

Change #8: Broken Authentication & Session Management
Requirement 6.5.10: Authentication and session management includes all aspects of handling user authentication and managing active sessions. (6.5.10 was introduced in PCI DSS 3.0 as a best practice and became a requirement on 30 June 2015.)
What does that mean? Strong authentication mechanisms are not enough if credential and session handling is flawed: predictable or unrotated session IDs, sessions that never expire, session tokens exposed in URLs or to scripts, and a logout that does not invalidate the session on the server.
What should you do?
- Use an established framework that enforces proper session management rather than writing your own
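The "use an established framework" advice above, as an added example that is not from the deck and is not any real framework's code: a Python sketch of what a framework's session layer has to do, with a weak in-memory store beside a hardened one, and a session-fixation attempt run against both. The 15-minute idle limit follows PCI DSS requirement 8.1.8; the 8-hour absolute lifetime is an assumed policy value.

```python
"""Session fixation and session lifetime: the weak form beside the hardened form.

Added example (not from the deck, not a real framework). Both stores are
in-memory stand-ins for a framework's session middleware.
"""
import secrets
import time


class WeakSessionStore:
    """Before: accepts whatever session ID the client presents and keeps it across
    login, so an attacker who plants an ID in the victim's browser (session
    fixation) shares the victim's authenticated session afterwards."""

    def __init__(self):
        self._sessions = {}

    def get_or_create(self, sid):
        return self._sessions.setdefault(sid, {"user": None})  # client picks the ID

    def login(self, sid, user):
        self.get_or_create(sid)["user"] = user  # same ID before and after authentication
        return sid

    def user_for(self, sid):
        return self._sessions.get(sid, {}).get("user")


class SessionStore:
    """After: unguessable server-minted IDs, rotation at login, idle and absolute
    timeouts, and a logout that destroys the session on the server."""

    IDLE_TIMEOUT = 15 * 60       # PCI DSS 8.1.8: re-authenticate after 15 idle minutes
    ABSOLUTE_TIMEOUT = 8 * 3600  # assumed policy value, not a PCI DSS number

    def __init__(self, clock=time.monotonic):
        self._clock = clock  # injectable so expiry can be exercised deterministically
        self._sessions = {}

    @staticmethod
    def _new_id():
        return secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, never a counter

    def create(self):
        """Anonymous session. IDs are minted here only, never taken from the client."""
        now = self._clock()
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "created": now, "last_seen": now}
        return sid

    def login(self, sid, user):
        """Authenticate and rotate: the pre-login ID, which an attacker may know, dies here."""
        self._sessions.pop(sid, None)
        now = self._clock()
        new_sid = self._new_id()
        self._sessions[new_sid] = {"user": user, "created": now, "last_seen": now}
        return new_sid

    def user_for(self, sid):
        """Resolve a session, enforcing both timeouts; an expired session is removed."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > self.IDLE_TIMEOUT or now - s["created"] > self.ABSOLUTE_TIMEOUT:
            del self._sessions[sid]
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, sid):
        self._sessions.pop(sid, None)  # server-side invalidation, not just a cleared cookie

    @staticmethod
    def cookie_header(sid):
        """Set-Cookie value that keeps the ID off cleartext HTTP and away from scripts."""
        return f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def fixation_demo():
    """Plant an ID, let the victim log in, then see whom the planted ID resolves to.
    Returns (weak_store_result, hardened_store_result); 'victim' means the attack worked."""
    weak = WeakSessionStore()
    weak.login("1337", "victim")                 # attacker chose "1337" for the victim
    hardened = SessionStore()
    planted = hardened.create()                  # best an attacker can do: a real anonymous ID
    hardened.login(planted, "victim")
    return weak.user_for("1337"), hardened.user_for(planted)


if __name__ == "__main__":
    print("session fixation (weak, hardened):", fixation_demo())
```

The hardened store is what a mature framework gives you for free (rotation on login, server-side expiry, cookie flags); the point of the example is that each of these is a separate control, and a home-grown session layer that skips any one of them is the flaw 6.5.10 describes.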

Change #9: Review Custom Code
Requirement 6.3.2: Review custom code prior to release to production or to customers in order to identify any potential coding vulnerability, using manual or automated processes.
What does that mean? Review custom code for vulnerabilities before it is deployed. This also applies to off-the-shelf software that you have modified: the changes are custom code.
What should you do?
- Implement a code review process with defined reviewers, criteria and sign-off before release
- Pair automated code review with manual review; each catches things the other misses

Change #10: Development & Test User Accounts
Requirement 6.3.1: Remove development, test and/or custom application accounts, user IDs and passwords before applications become active or are released to customers.
What does that mean? Pre-production and custom application accounts, and the credentials that go with them, must not exist in production environments; a forgotten test account is a ready-made back door.
What should you do?
- Remove all pre-production and custom accounts before go-live
- Search for hard-coded credentials, API keys and passwords in your code and configuration as part of your assessments
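The "search for hard-coded credentials" step above, together with the static analysis called for under Change #7 (insecure cryptographic storage) and the automated review under Change #9, as one added example that is not from the deck: a small Python rule engine run over a constructed settings file. The patterns, the sample file and the entropy threshold are illustrative choices; in practice a maintained tool such as gitleaks, Bandit or Semgrep with a tuned rule set does this job.

```python
"""Lightweight static check for hard-coded credentials, test accounts and weak
cryptography in source or configuration files.

Added example (not from the deck). Rules are deliberately simple regexes;
a real programme would use a maintained scanner with a tuned rule set.
"""
import math
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "rule line text")

# (rule name, pattern, optional predicate on the match that must also hold)
RULES = [
    ("hardcoded-credential",          # req. 6.3.1 / 6.5.3: secrets baked into code
     re.compile(r"""(?i)(password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*["']([^"']{6,})["']"""),
     None),
    ("test-account",                  # req. 6.3.1: dev/test/demo accounts must not ship
     re.compile(r"""(?i)(user(name)?|login)\s*[:=]\s*["'](test|admin|dev|demo|qa)[^"']*["']"""),
     None),
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), None),
    ("weak-hash", re.compile(r"\b(md5|sha1)\s*\(", re.I), None),          # req. 6.5.3
    ("weak-cipher", re.compile(r"\b(DES|3DES|RC4|ARC4|Blowfish)\b"), None),
    ("ecb-mode", re.compile(r"MODE_ECB|modes\.ECB|/ECB/"), None),
    ("short-rsa-key", re.compile(r"key_size\s*=\s*(\d+)"),
     lambda m: int(m.group(1)) < 2048),
]

# Catch-all for secrets the keyword rules miss: long, random-looking string literals.
LITERAL = re.compile(r"""["']([A-Za-z0-9+/=_\-]{20,})["']""")
ENTROPY_THRESHOLD = 4.0  # bits per character; random base64/hex sits above, prose below


def shannon_entropy(s):
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan(text):
    """Return a Finding per (rule, line) that fires, in line order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        for name, pattern, predicate in RULES:
            m = pattern.search(line)
            if m and (predicate is None or predicate(m)):
                findings.append(Finding(name, lineno, stripped))
        for m in LITERAL.finditer(line):
            if shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
                findings.append(Finding("high-entropy-literal", lineno, stripped))
                break
    return findings


# Constructed sample input; the AWS key is Amazon's documented example value.
SAMPLE = """\
# constructed settings.py for the example
DEBUG = True
DB_PASSWORD = "Pr0d-Sup3r-S3cret!"
TEST_USER = "qa_tester"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
JWT_SIGNING_KEY = "kX9v2QpL7mZ3tR8wN4bJ6yH1cF5dG0sA"
digest = hashlib.md5(pan.encode()).hexdigest()
key = rsa.generate_private_key(public_exponent=65537, key_size=1024)
cipher = AES.new(k, AES.MODE_ECB)
MAX_RETRIES = 3
user = request.form["username"]
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.line:3}: {f.rule:22} {f.text}")
```

Run against the sample it reports seven findings on lines 3 through 9 and nothing for the two benign lines at the end. Keyword rules are cheap but miss renamed variables, which is why the entropy rule is there; it in turn produces false positives on things like content hashes, so treat its output as review candidates rather than confirmed secrets.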

Change #11: PCI Compliance is an Ongoing Activity
Requirements 1 through 12: All PCI DSS requirements now call for maintaining a regular process to ensure compliance (PCI DSS 3.x describes this as building compliance into business-as-usual processes).
What does that mean? Compliance is an ongoing activity, not a once-a-year exercise before the assessment.
What should you do?
- Continuously monitor your applications for changes and vulnerabilities
- Remediate vulnerabilities as they are found
- Test throughout all stages of the SDLC

Thank You! Questions?