pci dss 3 0 changes
play

PCI DSS 3.0 Changes & Challenges EVAN FRANCEN, CISSP CISM - PowerPoint PPT Presentation

Jan 15, 2024 •343 likes •599 views

PCI DSS 3.0 Changes & Challenges EVAN FRANCEN, CISSP CISM PRESIDENT/CO-FOUNDER FRSECURE PCI DSS 3.0 Changes & Challenges Topics FRSecure, the company Introduction to PCI-DSS Recent breaches Recent PCI-DSS changes

  1. PCI DSS 3.0 Changes & Challenges EVAN FRANCEN, CISSP CISM PRESIDENT/CO-FOUNDER FRSECURE

  2. PCI DSS 3.0 Changes & Challenges Topics • FRSecure, the company • Introduction to PCI-DSS • Recent breaches • Recent PCI-DSS changes • State of the industry • Pragmatic approach to compliance • Common mistakes • Questions

  3. PCI DSS 3.0 Changes & Challenges Our Agenda • FRSecure, the company • Introduction to PCI-DSS • Recent breaches • Recent PCI-DSS changes • State of the industry • Pragmatic approach to compliance • Common mistakes • Questions

  4. FRSecure, the company We exist “to fix a broken industry” We are an information security consulting and management company; it’s all that we do. FRSecure’s Security Ten Commandments 1. A business is in business to make money 2. Information Security is a business issue 3. Information Security is fun 4. People are the biggest risk 5. “Compliant” and “secure” are different

  5. FRSecure, the company We exist “to fix a broken industry” We are an information security consulting and management company; it’s all that we do. FRSecure’s Security Ten Commandments 6. There is no common sense in Information Security 7. “Secure” is relative 8. Information Security should drive business 9. Information Security is not one size fits all 10. There is no “easy button”

  6. FRSecure, the company We exist “to fix a broken industry” Our Services: • PCI Compliance; we are a QSA • Information Security Assessments • Regulatory Compliance; HIPAA, GLBA, etc. • Security Program Development • SOC 2 Readiness • Training & Awareness • Social Engineering • Penetration Testing

  7. Introduction to PCI-DSS History • Between 1988 – 1998 Visa and MasterCard report $750 million in credit card fraud losses • October 1999 , Visa approves the Cardholder Information Security Program ( CISP ) – the 1 st precursor to PCI-DSS • December 2004, PCI-DSS v1.0 debuts – the 1 st unified (among all five major card brands) security standard and compliance is mandatory (for 20,000 or more transactions) • September 2006, PCI-DSS v1.1 – requires independent code reviews and/or Web application firewalls (requirement 6.6), the PCI SSC is born. • December 2006, TJX data breach – insecure wireless network and 45 million TJX customers affected. • October 2008, PCI-DSS v1.2 – new requirements for wireless networks and AV for all systems. • January 2009, Heartland breach (breach actually occurred in 2008) – 130 million payment records • October 2010, PCI-DSS v2.0 – no major surprises • August 2012, Visa claims that 97% of Level 1 merchants are “compliant” • November 2013, PCI-DSS v3.0 – We’ll cover changes in v3.0 and since...

  8. Introduction to PCI-DSS PCI-DSS v3.0 • Latest version, released in November, 2013 • Change highlights - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3_Summary_of_Changes.pdf • Key themes emphasized throughout Version 3.0 include: • Education and awareness • Increased flexibility • Security as a shared responsibility • Change types include “Clarification”, “Additional guidance”, and “Evolving Requirement” • Final PCI-DSS v3.0 can be found here;

  9. Introduction to PCI-DSS PCI-DSS v3.0 • Latest version, released in November, 2013 • Change highlights - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3_Summary_of_Changes.pdf • Key themes emphasized throughout Version 3.0 include: • Education and awareness • Increased flexibility • Security as a shared responsibility • Change types include “Clarification”, “Additional guidance”, and “Evolving Requirement” • Final PCI-DSS v3.0 can be found here;

  10. Recent breaches Target • November, 2013 – December, 2013 • Est. 45 million credit & debit cards • Contributing factors: • Vendor access • Single-factor/weak authentication • Memory-scraping malware on registers • Target was issued a PCI Report on Compliance (ROC) by Trustwave • The breach went undetected for more than two weeks • Gathered tons of public attention and led to numerous lawsuits • CEO and CIO gone

  11. Recent breaches Home Depot • September, 2014 • Est. 56 million credit & debit cards • Contributing factors: • Vendor access • Single-factor/weak authentication • Memory-scraping malware on registers • Home Depot was issued a PCI Report on Compliance (ROC) by ??? • The breach went undetected until notification by 3 rd parties. • As many as 44 civil lawsuits, government investigations, and millions in losses. • Ricky Joe Mitchell – convicted in May, 2014 of sabotaging his former employer’s network. • “Who cares, we sell hammers”, CEO (Frank Blake) had already announced retirement (on August 21 st )

  12. Recent PCI-DSS Changes PCI-DSS v3.0 (and revisions) • Overview; there are twelve (12) requirements: • BUILD AND MAINTAIN A SECURE NETWORK • Requirement 1 : Install and maintain a firewall configuration to protect cardholder data • Requirement 2 : Do not use vendor-supplied defaults for system passwords and other security parameters • PROTECT CARDHOLDER DATA • Requirement 3: Protect stored cardholder data • Requirement 4: Encrypt transmission of cardholder data across open, public networks • MAINTAIN A VULNERABILITY MANAGEMENT PROGRAM • Requirement 5: Use and regularly update anti-virus software • Requirement 6: Develop and maintain secure systems and applications • IMPLEMENT STRONG ACCESS CONTROL MEASURES • Requirement 7: Restrict access to cardholder data by business need-to-know • Requirement 8: Assign a unique ID to each person with computer access • Requirement 9: Restrict physical access to cardholder data • REGULARLY MONITOR AND TEST NETWORKS • Requirement 10: Track and monitor all access to network resources and cardholder data • Requirement 11: Regularly test security systems and processes • MAINTAIN AN INFORMATION SECURITY POLICY • Requirement 12: Maintain a policy that addresses information security

  13. Recent PCI-DSS Changes PCI-DSS v3.0 (and revisions) First major change: PCI – Payment Card Industry name change to PCI – Pay Cash Instead You were supposed to laugh. If you did not laugh, please do so now.

  14. Recent PCI-DSS Changes PCI-DSS v3.0 (and revisions) – Seriously… • Expect audits to be more thorough and less acceptance of mitigating controls • The goals of PCI , retailers and QSA s don't often align • PCI- DSS should be viewed as a “ base level ” of security only • PCI- DSS should be part of “Business -as- Usual Processes” • Use past breaches as a method to predict what will be coming further down the road. • More emphasis placed on: “I work at a tier 1 PCI merchant and I can tell you that it is a • Education and awareness sham. We use an external auditor but it doesn't make any • Security as a shared responsibility difference. These audits are too simple and the people • Network segmentation/isolation performing them are completely outmatched by their adversaries .”

  15. Recent PCI-DSS Changes PCI-DSS v3.0 (and revisions) – Seriously… • For all the details of the changes from v2 to v3.0, see https://www.pcisecuritystandards.org/documents/PCI_DSS_v3_Summary_of_Chang es.pdf. There are too many for a one hour presentation. • Also see the standard itself, here: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf • The scope of what applies to PCI compliance was greatly clarified. • How audits should be conducted was greatly clarified. • If you are responsible for PCI compliance, you should definitely read the documents listed above.

  16. Recent PCI-DSS Changes PCI-DSS v3.0 (and revisions) – Seriously… Bulletins are routinely issued by the PCI-SSC; the latest is an impending revision to PCI- DSS dated 13 February 2015 “no version of SSL meets PCI SSC’s definition of “strong cryptography,” and revisions to the PCI Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS) are necessary” SSL will no longer be compliant – migrate all systems and work with vendors to replace SSL with TLS

  17. State of the industry There is plenty of confusion. • Many Level 1 Merchants are having issues under the additional scrutiny from QSAs • Additional scrutiny is being placed on smaller merchants • Smaller merchants aren’t really sure how to comply; which requirements apply and how to demonstrate compliance • Not only are merchants confused, but so are many security consultants Ever had a PCI audit or consultant show you where you’re not compliant, but not show you how you can comply?

  18. Pragmatic approach to compliance There best answer to confusion is to simplify PCI-DSS Scoping PCI-DSS Gap Analysis PCI-DSS Consulting PCI-DSS Audit 1 2 3 4 5

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

malware analysis for the enterprise jason ross yesterday: impenetrable defense today:

malware analysis for the enterprise jason ross yesterday: impenetrable defense today:

malware analysis for the enterprise jason ross yesterday: impenetrable defense today: tourist attraction obligatory narcissism worked in IT security for > 10 years employed with the BT ethical hacking team contribute to

841 views • 45 slides
Causal Inference at the Intersection of Statistics and Machine Learning Jennifer Hill presenting

Causal Inference at the Intersection of Statistics and Machine Learning Jennifer Hill presenting

Causal Inference at the Intersection of Statistics and Machine Learning Jennifer Hill presenting joint work with Vincent Dorie and Nicole Carnegie (Montana State University), Dan Cervone (L.A. Dodgers), Masataka Harada (National Graduate

1.02k views • 72 slides
American Recovery and Reinvestment Act (ARRA)- Impact of Economic Stimulus on NIH Lawrence A.

American Recovery and Reinvestment Act (ARRA)- Impact of Economic Stimulus on NIH Lawrence A.

American Recovery and Reinvestment Act (ARRA)- Impact of Economic Stimulus on NIH Lawrence A. Tabak, DDS, PhD. Acting Deputy Director National Institutes of Health NIH is grateful to President Obama and Congress for the opportunity for NIH to

471 views • 20 slides
STRATEGIC ACQUISITION CENTER MSPV-NG Program Overview Ms. Jaime Friedel U.S. Department VA of

STRATEGIC ACQUISITION CENTER MSPV-NG Program Overview Ms. Jaime Friedel U.S. Department VA of

STRATEGIC ACQUISITION CENTER MSPV-NG Program Overview Ms. Jaime Friedel U.S. Department VA of Veterans Affairs 1 MSP SPV-NG Su Supports th the MyVA STRATEGIC Transformatio ion Putti ting Veterans and th their ir A C Q U I S I T

342 views • 16 slides
From Penetrate and Patch to Building Security In Michael Hicks Professor of Computer Science

From Penetrate and Patch to Building Security In Michael Hicks Professor of Computer Science

From Penetrate and Patch to Building Security In Michael Hicks Professor of Computer Science and the UofM Institute for Advanced Computer Studies (UMIACS) Distinguished Scholar-Teacher talk September 28, 2015 Security breaches Just a few:

898 views • 74 slides
CSU WHEAT BREEDING AND GENETICS PROGRAM CHALLENGES AND OPPORTUNITIES Scott D. Haley CSU Wheat

CSU WHEAT BREEDING AND GENETICS PROGRAM CHALLENGES AND OPPORTUNITIES Scott D. Haley CSU Wheat

CSU WHEAT BREEDING AND GENETICS PROGRAM CHALLENGES AND OPPORTUNITIES Scott D. Haley CSU Wheat Breeder Soil and Crop Sciences Department Colorado State University Fort Collins, Colorado wheat.colostate.edu Outline US Wheat Production

559 views • 31 slides
Manage Security Incident Mingchao Ma STFC RAL, UK ISGC 2010 Security Workshop 7 th March

Manage Security Incident Mingchao Ma STFC RAL, UK ISGC 2010 Security Workshop 7 th March

Manage Security Incident Mingchao Ma STFC RAL, UK ISGC 2010 Security Workshop 7 th March 2010 Overview Actively manage incident handling Be ready BEFORE an incident Based on NIST SP800-61rev1 recommendation

466 views • 32 slides
CS327E: Elements of Databases Cybersecurity and SQL Injection Dr. Bill Young Department of

CS327E: Elements of Databases Cybersecurity and SQL Injection Dr. Bill Young Department of

CS327E: Elements of Databases Cybersecurity and SQL Injection Dr. Bill Young Department of Computer Sciences University of Texas at Austin Last updated: October 31, 2016 at 12:21 CS327E SQL Injection Slideset: 1 SQL Injection What Id Like

440 views • 39 slides
PCI: A Four-Letter Word of E-Commerce Presented by Matt Kleve (vordude) h t t p : / / w

PCI: A Four-Letter Word of E-Commerce Presented by Matt Kleve (vordude) h t t p : / / w

Commerce PCI: A Four-Letter Word of E-Commerce Presented by Matt Kleve (vordude) h t t p : / / w w w . f l i c k r . c o m / p h o t o s / s h a w n z l e a / 5 2 7 8 5 7 7 8 7 / W h o i s t

1.04k views • 79 slides
Eclipse Planning Efforts July 20, 2017 Updated: 8/15/2016 Purpose Provid ide Situ ituatio

Eclipse Planning Efforts July 20, 2017 Updated: 8/15/2016 Purpose Provid ide Situ ituatio

Eclipse Planning Efforts July 20, 2017 Updated: 8/15/2016 Purpose Provid ide Situ ituatio ional l Aware reness on th the Eclips lipse Over ervi view ew of the e States 2017 Sola lar Eclips lipse Coordin dinati tion Pla

928 views • 21 slides
P5 Outdoor Adventure Camp @ MOE Labrador Adventure Centre 16 18 January 2020 Thursday to

P5 Outdoor Adventure Camp @ MOE Labrador Adventure Centre 16 18 January 2020 Thursday to

P5 Outdoor Adventure Camp @ MOE Labrador Adventure Centre 16 18 January 2020 Thursday to Saturday Overview Camp Objectives Learning Outcomes Accommodation Safety Programme Overview Things to bring

746 views • 45 slides
TITLE It depends on what you mean by title p y y 2 WOULD YOU RUN WINDOWS ON YOUR

TITLE It depends on what you mean by title p y y 2 WOULD YOU RUN WINDOWS ON YOUR

TITLE It depends on what you mean by title p y y 2 WOULD YOU RUN WINDOWS ON YOUR GRANDMOTHERS PACEMAKER? Andrew S. Tanenbaum Vrije Universiteit Amsterdam 3 LINUX IS STILL OBSOLETE Andrew S. Tanenbaum Vrije Universiteit

1.29k views • 83 slides
Introduction to Wireless Sensor Networks Marco Zennaro and Antoine Bagula ICTP and UWC Italy

Introduction to Wireless Sensor Networks Marco Zennaro and Antoine Bagula ICTP and UWC Italy

Introduction to Wireless Sensor Networks Marco Zennaro and Antoine Bagula ICTP and UWC Italy and South Africa Infrastructure-based networks Typical wireless network: Based on infrastructure (E.g., GSM, UMTS, WiFi, ) Base stations

846 views • 48 slides
FROM BETTING TO GAMING TO TRADEFAIR TO TRADEFAIR

FROM BETTING TO GAMING TO TRADEFAIR TO TRADEFAIR

FROM BETTING TO GAMING TO TRADEFAIR TO TRADEFAIR !"##$#$% &#'$(

895 views • 63 slides
Ken Birman i Cornell University. CS5410 Fall 2008. Mission Impossible Today, multicast is

Ken Birman i Cornell University. CS5410 Fall 2008. Mission Impossible Today, multicast is

Ken Birman i Cornell University. CS5410 Fall 2008. Mission Impossible Today, multicast is persona non grata in most cloud settings Amazons stories of their experience with violent load A i f h i i i h i l l d oscillations

759 views • 43 slides
AccTEE: A WebAssembly-based Two-way Sandbox for Trusted R esource Accounting MIDDLEWARE 2019 , UC

AccTEE: A WebAssembly-based Two-way Sandbox for Trusted R esource Accounting MIDDLEWARE 2019 , UC

AccTEE: A WebAssembly-based Two-way Sandbox for Trusted R esource Accounting MIDDLEWARE 2019 , UC Davis David Goltzsche, 1 Manuel Nieke, 1 Thomas Knauth, 2 and Rdiger Kapitza 1 goltzsche@ibr.cs.tu-bs.de @d_goltzsche 1 TU Braunschweig, Germany 2

502 views • 37 slides
1 Distribution of work: new functionality Distribution of work: fixes 7 8 Who reports

1 Distribution of work: new functionality Distribution of work: fixes 7 8 Who reports

The case for open source software Open Source Software Why Open Source Software / Free The process, the outcome Software (OSS/FS)? Look at the Numbers! David A. Wheeler The heat, the light Revised as of September 30 2004

464 views • 9 slides
CS378 - Mobile Computing Web - WebView and Web Services WebView A View that display web pages

CS378 - Mobile Computing Web - WebView and Web Services WebView A View that display web pages

CS378 - Mobile Computing Web - WebView and Web Services WebView A View that display web pages basis for creating your own web browser OR just display some online content inside of your Activity Uses WebKit rendering engine

383 views • 37 slides
Heat (and hexagon) plots in Stata Ben Jann University of Bern, ben.jann@soz.unibe.ch 2019 German

Heat (and hexagon) plots in Stata Ben Jann University of Bern, ben.jann@soz.unibe.ch 2019 German

Heat (and hexagon) plots in Stata Ben Jann University of Bern, ben.jann@soz.unibe.ch 2019 German Stata Users Group meeting Munich, May 24, 2019 Ben Jann (University of Bern) heatplot Munich, 24.05.2019 1 Outline Introduction 1 Syntax of

447 views • 40 slides
Heat Transfer in Dielectric Mirrors J. A. del R o, D. Estrada, F. V azquez August 21,

Heat Transfer in Dielectric Mirrors J. A. del R o, D. Estrada, F. V azquez August 21,

Introduction Model Experiments set up Results Conclusions Heat Transfer in Dielectric Mirrors J. A. del R o, D. Estrada, F. V azquez August 21, 2012 Introduction Model Experiments set up Results Conclusions 1 Introduction

301 views • 29 slides
The Atiyah-Patodi-Singer index and domain-wall fermion Dirac operators Shinichiroh Matsuo

The Atiyah-Patodi-Singer index and domain-wall fermion Dirac operators Shinichiroh Matsuo

The Atiyah-Patodi-Singer index and domain-wall fermion Dirac operators Shinichiroh Matsuo 2020-08-07 01:1002:00 UTC Nagoya University, Japan This talk is based on a joint work arXiv:1910.01987 (to appear in CMP) of three mathematicians and

519 views • 35 slides
DISCLAIMERS: Opinions and estimates offered constitute our judgment and are subject to change

DISCLAIMERS: Opinions and estimates offered constitute our judgment and are subject to change

Capital Markets Review Fourth Quarter 2017 DISCLAIMERS: Opinions and estimates offered constitute our judgment and are subject to change without notice, as are statements of financial market trends, which are based on current market conditions.

277 views • 15 slides
Examining the Impact of Prandtl Number and Heat Transport Models on

Examining the Impact of Prandtl Number and Heat Transport Models on

Examining the Impact of Prandtl Number and Heat Transport Models on Convec>ve Amplitudes Bridget OMara, Mark Miesch, Kyle Augustson, Nicholas Featherstone Regis University,

966 views • 37 slides
Jonas Bhend, Irina Mahlstein, Christoph Spirig, Jacopo Riboldi, Mark Liniger, Christof Appenzeller

Jonas Bhend, Irina Mahlstein, Christoph Spirig, Jacopo Riboldi, Mark Liniger, Christof Appenzeller

Federal Department of Home Affairs FDHA Federal Office of Meteorology and Climatology MeteoSwiss Seasonal forecasting of climate indices Jonas Bhend, Irina Mahlstein, Christoph Spirig, Jacopo Riboldi, Mark Liniger, Christof Appenzeller

665 views • 24 slides

More recommend