PCI DSS Reporting Requirements for People Who Hate PCI DSS Reporting
PCI DSS 3.2 - Business as Usual
-
Upload
kimberly-simon -
Category
Business
-
view
317 -
download
0
Transcript of PCI DSS 3.2 - Business as Usual
PCI DSS 3.2 – Making Compliance Business As Usual
By Kishor Vaswani – CEO, ControlCase
Agenda
• About PCI DSS
• Overview of changes
• PCI BAU by requirement number
• Implementation tips
• ControlCase solution
• Q&A
1
About PCI DSS
What is PCI DSS?
Payment Card Industry Data Security Standard:
• Guidelines for securely processing, storing, or transmitting payment card account data
• Established by leading payment card brands• Maintained by the PCI Security Standards Council
(PCI SSC)
2
PCI DSS RequirementsControl Objectives Requirements
Build and maintain a secure network 1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect cardholder data 3. Protect stored cardholder data4. Encrypt transmission of cardholder data across open, public
networks
Maintain a vulnerability management program
5. Use and regularly update anti-virus software on all systems commonly affected by malware
6. Develop and maintain secure systems and applications
Implement strong access control measures
7. Restrict access to cardholder data by business need-to-know8. Assign a unique ID to each person with computer access9. Restrict physical access to cardholder data
Regularly monitor and test networks 10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an information security policy
12. Maintain a policy that addresses information security
3
Timeline of PCI DSS 3.x
4
• PCI 3.0 was effective Jan 1st, 2014• Current version is PCI DSS 3.2
Overview of changes
Overview of 3.2 changes
5
SSL/early TLS• Work towards remediation• No new SSL/early TLS• Service provider offering by June 30, 2016• No SSL/early TLS after June 30, 2018• Some exceptions for POS POI terminals
Display of PAN• Permits display of PAN beyond first 6/last 4• Justification and business need must exist• Only the digits needed by business need must be displayed
Overview contd…
6
Multifactor Authentication• All remote access must be multifactor• All non console admin access to CDE must be multifactor effective Jan 31,
2018• Multifactor can be at system or application layer
New Service Provider Requirements• Maintain documented description of cryptographic architecture• Detect and report on failures of critical security control systems• Quarterly review to ensure personnel following security procedures• Perform segmentation penetration test once every six months (Effective
Feb 2018)• Executive management to establish responsibilities (Effective Feb 2018)
PCI DSS 3.2 Business As Usual by Requirement Number
PCI Council Guidance on BAU
7
Monitoring of security controls
• Firewalls• IDS/IPS• File Integrity Monitoring (FIM)• Anti Virus
Ensuring failures in security controls are detected and responded
• Restoring the security control• Identifying the root cause• Identifying any security issues because of the failure• Mitigation• Resume monitoring of security control• Segregation of duties between detective and
preventive controls
PCI Council Guidance on BAU
8
Review changes to environment
• Addition of new systems• Changes or organizational structure• Impact of change to PCI DSS scope• Requirement applicable to new scope• Implement any additional security controls because of
change• New hardware and software (and older ones) continue
to be supported and do not impact compliance
Periodic reviews
• Configuration• Physical security• Patches and Anti Virus• Audit logs• Access rights
Requirement 1: Firewalls
9
People- PCI project manager to
escalate non-compliance- Segregation of duties
between operations performing change and compliance personnel reviewing change
Process- PCI impact analysis as part of
firewall change management process
Technology- Automated/Periodic ruleset
reviews- Weekly port scans from CDE
to Internet to verify no outbound connections
Requirement 2: Configuration Standards
10
People- PCI project manager to
escalate non-compliance
Process- Periodic update to
configuration standards- New infrastructure
onboarding process to include PCI configuration standards check
Technology- Automated/Periodic
configuration scans- Reminders to update
configuration standards quarterly
- Technology to flag new assets that have not formally undergone PCI configuration standards check
Requirement 3: Protect Stored Cardholder Data
11
People- PCI project manager to
escalate non-compliance to highest levels within organization
Process- Periodic false positive
management- Search for cardholder data
during roll out tests/quality assurance
Technology- Automated/Periodic
cardholder data scans- Alerts in case of new
cardholder data found
Requirement 4: Protect Cardholder Data in Transmission
12
People- Training to ensure personnel
do not email/chat clear text card data
- Personnel allocated to review outbound data at random
Process- Periodic review of modes of
transmission i.e. wireless, chat, email etc.
Technology- Automated technology to
monitor transmission of card data through perimeter (e.g. email, chat monitoring)
Requirement 5: Antivirus and Malware
13
People- PCI project manager to
escalate non-compliance
Process- Process to ensure all assets
are protected by antivirus- Process to implement
antivirus and anti-malware on all new systems being deployed
Technology- Technology to detect any
systems that do not have anti virus/anti malware installed
Requirement 6: Secure Applications
14
People- Segregation of development
and security duties- Periodic training of
developers to security standards such as OWASP
Process- Continuous scanning of
applications- Scanning of applications as
part of SDLC- Code review as part of SDLC- Review of QA/test cases on a
periodic basis to ensure all of them have a security checkpoint and approval
Technology- Application scanning software- Code review software- Identification of instances
where changes have occurred to applications
- Application firewalls
Requirements 7 & 8: Access Control and User IDs
15
People- Segregation of personnel
provisioning IDs and review of user access
Process- Periodic review of user access- Attestation of user access- Onboarding procedures- Termination procedures
Technology- Role based access control- Single sign on- Use of LDAP/AD/TACACS for
password management
Requirement 9: Physical Security
16
People- Designation of a person at
every site as a site coordinator
Process- Periodic walkthroughs and
random audits of physical security
- Weekly review of CCTV and badge logs
- Periodic review of scope
Technology- Alarms to report malfunction
of devices such as cameras and badge access readers
Requirement 10: Logging and Monitoring
17
People- Personnel to actively monitor
logs 24/7/365
Process- Periodic review of asset inventory- Periodic review of scope- Process to ensure logs from all
assets are feeding the SIEM solution- Restoration of logs from 12 months
back every week/month
Technology- Security and Event
Management (SIEM)- Technology to identify new
assets not covered within SIEM
Requirement 11: Vulnerability Management
18
People- Segregation of personnel
responsible for scanning vs remediation of anomalies
- PCI project manager to escalate non-compliance
Process- Ongoing review of target
assets vs asset inventory for appropriateness/change
- Periodic testing of IDS/IPS effectiveness through random penetration tests/vulnerability scans
Technology- Automated scanning
technology- Technology to manage false
positives and compensating controls
- Asset management repository- File Integrity Monitoring (FIM)
technology
Requirement 12: Policies and Procedures
19
People- Coordination between
procurement and compliance personnel
Process- PCI DSS requirements tied to
procurement process- PCI anomalies to be tracked
within vendor/third party management solution
Technology- Vendor management/Third
party management solution
PCI DSS Requirements
20
Control Objectives Requirements
Build and maintain a secure network 1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect cardholder data 3. Protect stored cardholder data4. Encrypt transmission of cardholder data across open, public
networks
Maintain a vulnerability management program
5. Use and regularly update anti-virus software on all systems commonly affected by malware
6. Develop and maintain secure systems and applications
Implement strong access control measures
7. Restrict access to cardholder data by business need-to-know8. Assign a unique ID to each person with computer access9. Restrict physical access to cardholder data
Regularly monitor and test networks 10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an information security policy
12. Maintain a policy that addresses information security
Key Implementation Tips
Key Themes
21
Segregation of dutiesTechnology operating effectivelyAutomationDedicated PCI project managerRepeatabilityPeriodic Reviews
Dashboard for tracking activities
22
Calendar of reminders/tracking back to controls
23
ControlCase Solutions
ControlCase Cloud GRC
24
• Out of box tracking of PCI Controls• Out of box reminders for key BAU activities• Out of box dashboard for key compliance
tasks to be done periodically• Out of box tracking of BAU anomalies
To Learn More About PCI Compliance…
• Visit www.controlcase.com
• Call +1.703.483.6383 (US)
• Call +91.9820293399 (India)
25
Thank You for Your Time