
Sneak Preview: What to Expect from PCI DSS v. 2.0




Presentation Transcript


  1. Changes, Clarifications, Guidance
     Sneak Preview: What to Expect from PCI DSS v. 2.0

  2. Agenda
     - PCI DSS in context
     - New PCI version in October – “fine tuning”
     - Lifecycle
     - Cardholder data discovery
     - Clarifications
     - SAQ revisions
     - Emerging technology guidance
     - What this means for you

  3. 403 Labs, LLC
     - Information security consulting firm
     - Payment Card Industry: Qualified Security Assessor (QSA)
     - Payment Application QSA (PA-QSA)
     - Approved Scanning Vendor (ASV)
     - Work with service providers and merchants of all sizes

  4. PCI DSS: 6 Goals, 12 Requirements

  5. Some PCI DSS Basics
     - Payment Card Industry Data Security Standard
     - Goal is to protect cardholder data
       - And to keep you out of the headlines
     - If you take plastic, PCI applies to you
       - “Store, process, or transmit” cardholder data
     - The whole of PCI DSS applies to all merchants
     - New PCI release due October 2010
       - Reflects latest attack vectors, technology, practices
     - PCI does not make you secure

  6. Some PCI DSS Basics (cont.)
     - Each card brand has its own security program
       - Merchant levels
       - Validation (e.g., MasterCard’s new rules)
       - Penalties, fees
     - Safe harbor – can it exist?
     - Compliance
       - People, process, technology
       - No “silver bullet”

  7. PCI DSS v. 2.0 – Lifecycle
     - 3-year lifecycle
       - Announced in June
       - Consistency: PCI DSS, PA-DSS, PCI PTS
       - Interim versions for errata, new threats
       - FAQ, supplements to continue
     - Benefits
       - Fewer new requirements
       - More time for implementation and feedback
     - Version 1.2 sunset December 2011

  8. PCI DSS v. 2.0 – Lifecycle (diagram)

  9. PCI DSS v. 2.0 – Data Discovery
     - Cardholder data discovery “methodology”
     - Find all your electronic cardholder data
     - “Data leakage”
     - Data breaches and “unknown unknowns”

  10. PCI DSS v. 2.0 – Hashing
     - Hashing produces a fixed-length output, unique for each unique input
     - Hash functions are not keyed/reversible
     - Hash may include a “salt”

  11. PCI DSS v. 2.0 – Segmentation
     - Network segmentation is not required, but recommended
     - Isolate systems that “store, process, or transmit” CHD
     - Limit PCI scope

  12. PCI DSS v. 2.0 – SAQs
     - Goal is to remove ambiguities
     - Expect minor but critical changes clarifying who can use them
     - Will we see new SAQ(s)?

  13. PCI DSS v. 2.0 – Guidance
     - Emerging technologies
       - Virtualization
       - Tokenization
       - End-to-end encryption
       - EMV standard (chip cards)
     - PCI Council guidance for compliance
       - Impact on PCI
       - Map to PCI requirements

  14. PCI DSS v. 2.0 – Tokenization
     - A data security technology in which strings of random characters called tokens can be used in lieu of other, more valuable data, such as PANs
     - Vendor and in-house solutions
     - Tokenization can reduce (not eliminate) PCI scope
     - Everything depends on implementation
     - Diagram: Tokenization Engine – Plaintext 4123 4567 8901 2345 → Ciphertext (token) 8894 7296 6294 0598; Secure Repository

  15. PCI DSS v. 2.0 – End-to-End Encryption
     - Encryption: a cryptographic process for disguising data by applying a series of complex mathematical operations to data to render it unreadable to anyone without the proper decryption key
     - Encryption is a keyed, reversible function
     - Security depends on the key
       - A big number that, if compromised, means bye-bye security
     - Encrypted data are still in PCI scope
     - Diagram: Plaintext 4123 4567 8901 2345 → Encryption → Ciphertext 8894 7296 6294 0598; Key 7693398720684553

  16. PCI DSS v. 2.0 – End-to-End Encryption
     - Really “point-to-point”
     - End-to-end encryption
       - PAN encrypted from POS terminal all the way through the payment processing cycle
       - CHD always stored and transmitted as ciphertext
       - Critical element: merchant cannot decrypt
     - For more information
       - PCI Council guidance documents, FAQ
       - Visa’s best practices for data field encryption

  17. PANs, Hashes, Encryption, Tokens (comparison)

  18. PCI DSS v. 2.0 – Emerging Technologies
     - Encryption, tokenization are still maturing
       - May not work with all applications, systems
       - Standards?
       - Lots of marketing hype
     - Encryption security depends on protecting the key
     - Look for guidance from PCI Council
       - Don’t expect specifics on implementation
     - Read Visa’s best practices document
     - As of today, only truncation and hashing remove CHD from scope

  19. PCI DSS v. 2.0 – Get Smart
     - PCI Council FAQ
     - PCI Council courses
       - Standards training
       - Independent Security Assessor (ISA)
     - Other PCI training options

  20. PCI DSS v. 2.0 – Conclusions
     - Expect refinements, not major changes
     - 3-year lifecycle for each standard
     - Find your CHD…all of it!
     - Revised SAQs should help
     - Guidance on emerging technologies
     - Announcements, webinars over the summer
     - DSS v. 2.0 not unveiled until September?

  21. What to Expect from PCI DSS v. 2.0
     - Questions? Comments? Thoughts?
     - Thank you! wconway@403labs.com
     - See my PCI column at StorefrontBacktalk.com
     - Higher Ed PCI blog: treasuryinstitutepcidss.blogspot.com
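Added example, not from the slides or from 403 Labs: a small Python script that ties together the cardholder data discovery of slide 9 and the PAN handling compared on slides 10, 14 and 17. It finds Luhn-valid PANs in free text, then shows the three treatments: truncation and salted hashing (which the deck says remove CHD from scope) and a token vault (which only reduces scope). The sample text, salt and in-memory vault are constructed for the example.

```python
import hashlib
import re
import secrets

# Constructed sample (not from the slides): a PAN with separators next to a
# 16-digit order id that must NOT be reported as cardholder data.
SAMPLE_TEXT = ("order=1234567890123456 paid with card 4111-1111-1111-1111 "
               "shipped to Milwaukee")

# Candidate runs of 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Discovery: return Luhn-valid PANs (digits only) found in free text."""
    candidates = (re.sub(r"[ -]", "", m.group(0)) for m in PAN_RE.finditer(text))
    return [c for c in candidates if luhn_valid(c)]


def truncate_pan(pan: str) -> str:
    """Keep first six and last four digits; the remainder is no longer CHD."""
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan: str, salt: bytes) -> str:
    """One-way salted SHA-256 of the PAN: not keyed, not reversible."""
    return hashlib.sha256(salt + pan.encode()).hexdigest()


class TokenVault:
    """Tokenization: a random token stands in for the PAN everywhere else;
    only the vault (the slide's secure repository) can map it back."""

    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan: str) -> str:
        token = "".join(str(secrets.randbelow(10)) for _ in pan)
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]
```

Because the vault holds the real PANs, the system running it stays in PCI scope; that is the "reduce, not eliminate" point from slide 14.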