Version 3.0 of the PCI DSS
Rob Harvey, Lead Security Analyst, NIC Inc.
The Standards Lifecycle
• Standards are on a 3-year lifecycle
• Version 3.0 was published in November 2013
• 2014 is a transition year
• 3.0 Self Assessments were published in March 2014
• Guidance for the Self Assessments was published in May 2014
Organization of Changes
• Additional Guidance
• Clarifications
• Evolving Requirements
• Added new Self Assessment types
Additional Guidance
Explanation, definition and/or instruction to increase understanding or provide further information or guidance on a particular topic.
• Only 1 update fell into this category
• ASV Scanning
  • Allows multiple scan reports to be merged together to obtain a compliant scan
Clarification
Clarifies the intent of a requirement. Ensures that concise wording in the standard portrays the desired intent of the requirements.
• 116 of the changes to the PCI DSS fell into this category
  • 25 requirements were re-ordered
  • 1 requirement was collapsed and combined with another
  • 63 language changes
  • 9 testing procedure changes
Clarification (continued)
• 6 new sub-requirements were added to clarify the intent of 4 upper-level requirements:
• 4 upper-level requirements involved:
Evolving Requirements
Changes to ensure that the standards are up to date with emerging threats and changes in the market.
• These changes are designed to keep the Standards current with emerging threats or changes in technology.
• 24 total changes, including 18 new requirements
Evolving Requirements
• New requirements include:
Important Changes for NIC Portals and Partners: Evolving Requirements
• Policies, procedures and training for protecting card swipe devices (4 new requirements; effective 6/30/2015)
  • Protect card swipe devices from tampering or substitution
  • Maintain an up-to-date list of card swipe devices
  • Periodically inspect devices to detect tampering or substitution
  • Train personnel to be aware of tampering scenarios
    • Verify third-party maintenance personnel
    • Do not install devices without management verification
    • Be aware of suspicious behavior
    • Report anything suspicious about personnel or hardware devices
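The device-list and inspection requirements above, as an added example that is not part of the original deck: a small Python inventory in which a device can only be registered after management verification, each periodic inspection compares the observed serial number and tamper-evident seal against the record (a serial mismatch indicates substitution, a broken or changed seal indicates tampering), and a report lists devices past the inspection interval. Device ids, serials, seal ids and the 30-day default interval are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Device:
    """One card swipe device on the inventory list (constructed sample fields)."""
    device_id: str
    serial: str
    location: str
    seal_id: str                          # tamper-evident seal recorded at install
    last_inspected: Optional[date] = None

class DeviceInventory:
    """Up-to-date device list plus the periodic inspection record."""
    def __init__(self, inspection_interval_days=30):
        self.devices = {}
        self.interval = timedelta(days=inspection_interval_days)
        self.findings = []                # (device_id, reason) pairs to escalate

    def register(self, device, management_verified):
        # Devices enter the inventory only after management has verified the install.
        if not management_verified:
            raise ValueError(f"{device.device_id}: install not verified by management")
        self.devices[device.device_id] = device

    def record_inspection(self, device_id, observed_serial, observed_seal, seal_intact, today):
        """Compare the inspector's observations with the record: a serial mismatch means
        substitution, a broken or different seal means tampering. True when the device passed."""
        dev = self.devices.get(device_id)
        if dev is None:
            self.findings.append((device_id, "device not in inventory"))
            return False
        problems = []
        if observed_serial != dev.serial:
            problems.append(f"serial mismatch: expected {dev.serial}, found {observed_serial}")
        if not seal_intact:
            problems.append("tamper seal broken")
        elif observed_seal != dev.seal_id:
            problems.append(f"seal replaced: expected {dev.seal_id}, found {observed_seal}")
        dev.last_inspected = today
        self.findings.extend((device_id, p) for p in problems)
        return not problems

    def overdue(self, today):
        """Device ids never inspected, or inspected longer ago than the interval."""
        return sorted(d.device_id for d in self.devices.values()
                      if d.last_inspected is None or today - d.last_inspected > self.interval)
```

Register each device with management_verified=True at installation, call record_inspection after every physical check, and run overdue on a schedule to drive the periodic inspections.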
Important Changes for NIC Portals and Partners: Evolving Requirements
• Enhancement of penetration testing to include a methodology and testing of network segmentation (2 new requirements; effective 6/30/2015)
  • Must have a defined methodology that is based on an industry best practice, covers the entire cardholder data environment, includes testing from inside, outside, network and application perspectives, is performed at least annually, and takes into account new vulnerabilities and threats since the last test
  • If network segmentation is used to reduce scope, the penetration test must validate that the segmentation methods are operational and effective
Important Changes for NIC Portals and Partners: Evolving Requirements
• Enhancement of service provider management (2 new requirements)
  • Obtain an acknowledgment of PCI responsibility
  • Identify which requirements the service provider is managing and which the entity is managing
• Also new for service providers (6/30/2015)
  • Must acknowledge in writing to their customers that they are responsible for the security of cardholder data that they transmit, process or store on behalf of the customer, or to the extent that they could impact the security of the customer's cardholder data environment
Compliance Program
The PCI DSS applies to all organizations that store, process or transmit cardholder data.
Focus on Security
• If entities that store, process or transmit cardholder data focus on security, we will all be compliant!
• NIC and our Partners have a common goal: to protect the personal payment data of constituents
• New requirements involving the management of service providers demonstrate the PCI SSC's intent
• New requirements for the security of card swipe devices must be addressed
Compliance Validation
• All Agencies and Third Parties involved in the credit card payment flow must annually submit an Attestation of Compliance form
• Attestation is based upon the flow of cardholder data
• PCI SAQ forms may be used to accomplish this, or custom forms may be developed that include the applicable requirements from the SAQ
  • SAQ A may be used by an Agency that has fully outsourced both the application and payment processing
  • SAQ A-EP may be used by an Agency that maintains an application that redirects to a payment processor
  • SAQ C may be used by an Agency that has payment flows utilizing card swipe devices
Compliance Validation (continued)
• These SAQ forms may be submitted to and maintained by the Partner audit team or Portal
• Portals will assist the Agency in identifying the requirements that apply to the Agency based on its involvement in the payment flow
• Third-party compliance
  • Contracts with software developers must contain language stating that they agree to be PCI compliant and will develop and maintain their applications to meet the appropriate PCI requirements (liability and indemnification clauses)
  • Contracts with third-party hosting providers must contain language stating that they agree to be PCI compliant and will provide evidence of their PCI compliance on an annual basis (liability and indemnification clauses)
Q & A
Rob Harvey, PCI ISA, Lead Security Analyst, NIC Inc.
rharvey@egov.com
913-754-7031
Jayne Friedland Holland, PCI ISA, Chief Security Officer and Associate General Counsel, NIC Inc.
jayne@egov.com
913-754-7005