Updates on Payment Card Industry (PCI) Regulations and Issues
0 likes | 133 Views
Updates on Payment Card Industry (PCI) Regulations and Issues. NUAGA May 22, 2014. Kevin Perry. IT Specialist, Utah Department of Technology Services (DTS) Assigned to Department of Alcoholic Beverage Control
Updates on Payment Card Industry (PCI) Regulations and Issues
An Image/Link below is provided (as is) to download presentationDownload Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.Content is provided to you AS IS for your information and personal use only. Download presentation by click this link.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.During download, if you can't get a presentation, the file might be deleted by the publisher.
E N D
Presentation Transcript
Updates on Payment Card Industry (PCI) Regulations and Issues
NUAGA May 22, 2014
Kevin Perry IT Specialist, Utah Department of Technology Services (DTS) Assigned to Department of Alcoholic Beverage Control PCI Professional (PCIP) and PCI Internal Security Assessor (ISA) Certification 4/2014 Annual re-certification Currently responsible for PCI security for all 44 of the DABC’s retail stores 18 Years Experience with DTS/DABC
DABC PCI Concerns
DABC PCI Concerns
DABC PCI Concerns
DABC PCI Concerns
Other Breaches Similar to Target: Easton-Bell Sports Bright Horizons Bell-Canada Several major hotel chains These breaches have all occurred by exploiting weaknesses in the systems and processes of a third-party business partner.
What is PCI DSS? The PCI DSS represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information. The standard provides an actionable framework for developing a robust data security process - including preventing, detecting and reacting to security incidents. Applies to any entity that stores, processes and/or transmits CHD.
PCI Data Security Standard Requirements PCI DSS is the global data security standard that any business of any sizemust adhere to in order to accept payment cards, and to store, process, and/or transmit cardholder data. It presents common sense steps that mirror best security practices. Goals PCI DSS Requirements – Validated by Self or Outside Assessment Build and Maintain a Secure Network 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 3. Protect stored data 4. Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program 5. Use and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications Implement Strong Access Control Measures 7. Restrict access to cardholder data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly Monitor and Test Networks 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes Maintain an Information Security Policy 12. Maintain a policy that addresses information security for all personnel
PCI DSS Six Goals Build and Maintain a Secure Network Protect Card Holder Data Maintain a Vulnerability Management Program Implement Strong Access Control Measures Regularly Monitor and Test Networks Maintain an Information Security Policy
The updated versions of PCI DSS and PA-DSS will: Provide stronger focus on some of the greater risk areas in the threat environment Provide increased clarity on PCI DSS & PA-DSS requirements Build greater understanding on the intent of the requirements and how to apply them Improve flexibility for all entities implementing, assessing, and building to the Standards Drive more consistency among assessors Help manage evolving risks / threats Align with changes in industry best practices Clarify scoping and reporting Eliminate redundant sub-requirements and consolidate documentation
Change Drivers The PCI Standards are updated based on feedback from the industry, per the standards development lifecycle as well as in response to current market needs. Common challenge areas and drivers for change include: Lack of education and awareness Weak passwords, authentication Third-party security challenges Slow self-detection, malware Inconsistency in assessments
Summary of Changes from PCI DSS Version 2.0 to 3.0 1.1.x - Clarified that firewall and router standards have to be both documented and implemented. 1.1.2 - Clarified what the network diagram must include and added a new requirement (1.1.3) for a current diagram that shows cardholder data flows. 2.4 - New requirement to maintain an inventory of system components in scope for PCI DSS 5.1.2 - New requirement to evaluate malware threats for any systems not considered to be commonly affected by malicious software
Summary of Changes from PCI DSS Version 2.0 to 3.0 5.3 - New requirement to ensure that anti-virus solutions are actively running and cannot be disabled or altered by users unless specifically authorized by management on a per-case basis 6.1 -Clarified the process for identifying and risk ranking new vulnerabilities and (6.2) patching critical vulnerabilities 6.5.10 - New requirement for coding practices to protect against broken authentication and session management 7.1.1 - New requirement to cover definition of access needs for each role 8.3 - Clarified requirements for two-factor authentication applies to users, administrators, and all third parties, including vendor access for support or maintenance
Summary of Changes from PCI DSS Version 2.0 to 3.0 8.5.1 - New requirement for service providers with remote access to customer devices, to use unique authentication credentials for each customer 9.9.x - New requirement to protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution 10.2.5 – Enhanced requirement to include changes to identification and authentication mechanisms (including creation of new account, elevation of privileges) and all changes, additions and deletions to accounts with root or admin privileges
Summary of Changes from PCI DSS Version 2.0 to 3.0 11.1.x -New requirement to include an inventory of authorized wireless access points and scanning for unauthorized wireless devices 11.3 - New requirement to implement a methodology for penetration testing, to also include verification that segmentation methods are operational and effective (11.3.4) 12.2 - Clarified that the risk assessment should be performed at least annually and after significant changes to the environment 12.8.2 - Clarified the responsibilities for the service provider’s written agreement/acknowledgement
Summary of Changes from PCI DSS Version 2.0 to 3.0 12.8.5 - New requirement to maintain information about which PCI requirements are managed by each service provider, and which are managed by the entity 12.9 - New requirement for service providers to provide a written agreement/acknowledgment to their customers 12.10.x - Clarified the intent for alerts from security monitoring systems to be included in the incident response plan
PCI Version 3.0 Implementing security into business as usual (BAU) activities Audit ready anytime In my opinion, the PCI Data Security Standard is not a policy or procedure. PCI-DSS is a lifestyle!