PCI DSS 3.1 is here. Are you ready?
Mike Goldgof, Sr. Director Product Marketing
WhiteHat Security
- Application Security Company
- Leader in the Gartner Magic Quadrant
- Headquartered in Santa Clara, CA
- 320+ Employees
- 37,000+ Sites Assessed
- 800+ Customers
Agenda
- What is PCI DSS and does it apply to you?
- Payment Security and PCI Compliance
- Why do they keep making changes?
- Top 11 Changes in 3.1
- Q&A
What is PCI DSS?
- Payment Card Industry Data Security Standard
- Developed to strengthen cardholder data security and facilitate broad adoption
- Baseline of technical and operational requirements to protect account data
- Applies to all entities involved in payment card processing:
  - Merchants, processors, acquirers, issuers, service providers
  - All other entities that store, process, or transmit cardholder data and/or sensitive authentication data
PCI DSS High Level Overview
[Figure: overview of the PCI DSS goals and requirements]
Source: PCI Data Security Standard v3.1
PCI Applicability by Industry
- Retail: in stores; over the phone; online through e-commerce sites; online through mobile applications; in temporary locations
- Healthcare: patient payments; other goods and services; fundraising
- Financial Institutions: merchant; issuer; acquirer
- Service Provider: third-party payment card processing; web hosting; loyalty programs; credit bureaus; shopping carts; fraud and chargeback investigation; records management
Why Implement PCI?
- Reduces likelihood of breach and data loss
- Protect brand and customer trust
- Avoid fines and penalties from the PCI Security Standards Council
Source: The Global Cost of Payment Fraud, BI Intelligence, 2014
Payment Security and PCI Compliance
- Card usage continues to grow
- Breaches are escalating: 783 breaches in 2014, up 28% from 2013 (Identity Theft Resource Center)
- Consumers reluctant to buy from breached vendors
Sources: Radius Global Market Research, Quirk's Marketing Research Review, June 2014; "Poll Shows Broad Impact of Cyberattacks", Wall Street Journal, December 2014
Window of Exposure
[Figure: window of exposure statistics]
Source: WhiteHat Security 2015 Website Security Statistics Report
PCI Compliance Drives Payment Security
[Figure: compliance and security statistics]
Sources: WhiteHat Security 2015 Website Security Statistics Report; Verizon 2015 PCI Compliance Report
Why do they keep making changes?
- Payment innovation: smarter cards, contactless payments, mobile payments
- IT environment changes: mobility, virtualization, cloud
- Ongoing issues:
  - Lack of education and awareness
  - Weak passwords and authentication
  - Third-party security challenges
  - Inconsistency in assessments
Source: Verizon 2015 PCI Compliance Report
Top 11 Changes in 3.1
Change #1: Coding Practices
Requirement 6.5: Address common coding vulnerabilities in the software development process.
What does that mean?
- Examine your SDLC to ensure vulnerabilities aren't introduced during development
- Train developers to:
  - Identify and resolve common vulnerability issues
  - Know about secure coding guidelines
What should you do?
- Implement a secure coding training program that includes CBT and/or live training
- Implement static analysis or code review in your SDLC
Change #2: Risk Assessments
Requirement 12.2 (previously 12.1.12): Implement annual assessments at a minimum, and assess when significant changes are made.
What does that mean?
- Perform assessments annually at a minimum, and again any time there is a significant change
What should you do?
- Establish a security program that performs assessments any time there are major changes
- Perform continuous monitoring
Change #3: SSL and Early TLS
Requirements 2.2.3 / 2.3 / 4.1 / 4.1.1: SSL and early versions of TLS are no longer considered secure.
What does that mean?
- Applications using SSL and early versions of TLS are no longer PCI compliant
What should you do?
- Scan for SSL and outdated TLS versions being used by your applications
- Configure web applications to only accept connections using TLS 1.1 or 1.2
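One way to run the scan this slide calls for, as an added example that is not WhiteHat tooling or code from the deck: pin a Python ssl client to one protocol version at a time, record which versions the server negotiates, and judge the result against this slide's floor of TLS 1.1 or 1.2. It assumes Python 3.10 or later on OpenSSL; the host name passed to probe_server() is whatever server you administer.

```python
import socket
import ssl

# Protocol versions the slide treats as no longer compliant, and the floor it allows.
DISALLOWED = {"SSLv3", "TLSv1.0"}
ALLOWED = {"TLSv1.1", "TLSv1.2", "TLSv1.3"}
PROBE_VERSIONS = [
    ("SSLv3", ssl.TLSVersion.SSLv3),
    ("TLSv1.0", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
]

def version_accepted(host, port, version, timeout=5.0):
    """True if a handshake pinned to `version` succeeds, False if refused, None if unsupported locally."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # we test protocol support, not the certificate
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        if version < ssl.TLSVersion.TLSv1_2:
            # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level;
            # lower it so the probe reflects the server, not the client.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return None                     # this OpenSSL build cannot even offer the version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False

def probe_server(host, port=443):
    """Map each probed version name to True/False/None for host:port."""
    return {name: version_accepted(host, port, v) for name, v in PROBE_VERSIONS}

def classify(results):
    """Return ('compliant'|'noncompliant', reasons) for a probe result map."""
    offending = sorted(n for n, ok in results.items() if ok and n in DISALLOWED)
    if offending:
        return "noncompliant", offending
    if not any(results.get(n) for n in ALLOWED):
        return "noncompliant", ["no TLS 1.1+ accepted"]
    return "compliant", []

if __name__ == "__main__":
    print(classify(probe_server("localhost")))
```

On the server side the matching fix is the second bullet above: set the minimum accepted protocol to TLS 1.1 or 1.2 in the web server's TLS configuration, then re-run the probe to confirm SSLv3 and TLS 1.0 report False.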
Change #4: Inventory
Requirement 2.4: Maintain a current list of all system components.
What does that mean?
- Maintain a list of all systems and their components, and understand what each component is doing
What should you do?
- Perform quarterly discovery of environments, either yourself or through a third party
Change #5: Attestation
Requirement 12.8.5: Maintain detailed documentation about PCI DSS requirements managed by vendors and by the organization itself.
What does that mean?
- Document which parties are handling which activities related to the different PCI requirements
What should you do?
- Request that third parties attest to the activities they're doing, and note it in your matrix
Change #6: Vulnerability Classes
Requirements 6.5.1 - 6.5.10: Requirements 6.5.1 - 6.5.10 now apply to all internal as well as external applications.
What does that mean?
- Internal and external applications are vulnerable and should be secured to protect cardholder data
What should you do?
- Make sure your application security program covers all of the above vulnerabilities for internal and external systems
Change #7: Insecure Cryptographic Storage
Requirement 6.5.3: Prevent cryptographic flaws. Use strong cryptographic algorithms and keys.
What does that mean?
- Ensure your data is encrypted and search for cryptographic flaws
What should you do?
- Create a company policy on cryptographic algorithms and key generation
- Implement static analysis testing
Change #8: Broken Authentication & Session Management
Requirement 6.5.10: Authentication and session management includes all aspects of handling user authentication and managing active sessions.
What does that mean?
- Strong authentication mechanisms are not enough if credential management is flawed
What should you do?
- Use an established framework that enforces proper session management
Change #9: Review Custom Code
Requirement 6.3.2: Review custom code prior to release to production.
What does that mean?
- Review custom code for any vulnerabilities before deployment
- This also applies to off-the-shelf software that has had changes made
What should you do?
- Implement a process for code review
- Pair automated code reviews with manual reviews
Change #10: Development & Test User Accounts
Requirement 6.3.1: Remove development, test and/or custom application accounts, user IDs and passwords.
What does that mean?
- Pre-production and custom application accounts are included in the definition of sensitive data and should not be in production environments
What should you do?
- Remove all pre-production and custom accounts
- Search for hard-coded authentication and passwords in your assessments
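The search for hard-coded credentials in the second bullet, as an added example (not WhiteHat's scanner or code from the deck): a small source scanner that flags literal passwords, keys and tokens and credentials embedded in connection strings, while skipping comments and obvious placeholders. The keyword list and the sample source are constructed for this example and should be tuned to your own code base.

```python
import re

# Literal assigned to a credential-looking name, e.g. DB_PASSWORD = "..."
# (constructed pattern set; extend the keyword alternation for your code base).
CREDENTIAL_ASSIGNMENT = re.compile(
    r'(?i)(pass(?:word|wd)?|pwd|secret|api[_-]?key|token)\w*\s*[:=]\s*'
    r'["\']([^"\']{4,})["\']')
# scheme://user:password@host, i.e. credentials embedded in a connection string.
URL_CREDENTIALS = re.compile(r'://([^/\s:@"\']+):([^@\s"\']+)@')
# Values that are obviously placeholders rather than live credentials.
PLACEHOLDERS = {"changeme", "password", "xxxx", "<password>", "${password}"}

def redact(value):
    """Keep a 2-char prefix so the finding is recognisable without reproducing the secret."""
    return value[:2] + "***"

def scan_source(text):
    """Return (line_no, kind, evidence) tuples for suspicious lines in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.strip().startswith(("#", "//")):
            continue                      # comment lines are reviewed separately
        m = CREDENTIAL_ASSIGNMENT.search(line)
        if m and m.group(2).lower() not in PLACEHOLDERS:
            findings.append((line_no, "hardcoded_credential", redact(m.group(2))))
        m = URL_CREDENTIALS.search(line)
        if m and m.group(2).lower() not in PLACEHOLDERS:
            findings.append((line_no, "credentials_in_url",
                             m.group(1) + ":" + redact(m.group(2))))
    return findings

# Constructed sample source, not taken from any real application.
SAMPLE_SOURCE = """\
# test account left behind from QA; remove before release
DB_USER = "test_admin"
DB_PASSWORD = "Tr0ub4dor&3"
api_key = os.environ["API_KEY"]
AUTH_TOKEN = "changeme"
DATABASE_URL = "postgres://qa:qa_s3cret@db.internal/cards"
"""

if __name__ == "__main__":
    for finding in scan_source(SAMPLE_SOURCE):
        print(finding)
```

The environment lookup on line 4 and the placeholder on line 5 are correctly left alone; only the literal password and the connection string are reported, which is the kind of result to feed into the account clean-up the first bullet describes.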
Change #11: PCI Compliance is an Ongoing Activity
Requirements 1 - 12: All PCI requirements now call for maintaining a regular process to ensure compliance.
What does that mean?
- Compliance is required to be an ongoing activity
What should you do?
- Continuously monitor your applications for changes & vulnerabilities
- Remediate vulnerabilities as they are found
- Test throughout all stages of the SDLC
Thank You! Questions?