PCI-DSS v3.0 - What you need to know

Posted: 19-Oct-2014

Category: Technology

Description

Imperva webinar, 11/7/2013, covering the latest changes to the PCI-DSS standard.

Transcript of PCI-DSS v3.0 - What you need to know

Page 1: PCI-DSS v3.0 - What you need to know

Confidential. © 2013 Imperva, Inc. All rights reserved.

PCI-DSS v3.0: What You Need to Know

Barry Shteiman – Director of Security Strategy

Page 2: PCI-DSS v3.0 - What you need to know

Agenda

• PCI-DSS Themes and Drivers

• Dates and Deadlines

• New Requirements

• Web App Compliance

Page 3: PCI-DSS v3.0 - What you need to know

Today’s Speaker - Barry Shteiman

• Director of Security Strategy

• Security Researcher working with the CTO office

• Author of several application security tools, including HULK

• Open source security projects code contributor

• CISSP

• Twitter @bshteiman

Page 4: PCI-DSS v3.0 - What you need to know


Introducing PCI-DSS 3.0


Page 5: PCI-DSS v3.0 - What you need to know


PCI-DSS

Payment Card Industry (PCI) Data Security Standard (DSS)

“A set of control requirements created to help protect cardholder data.”

Industry driven

• From conception to enforcement

Evolving

• 4th version over 7 years

• Rate of releases has slowed – 3 years since v2.0 release

Concise and Pragmatic

• Does not avoid naming technologies

• Calls out threats by name

• Very specific about data scope


Page 6: PCI-DSS v3.0 - What you need to know

PCI-DSS Evolution

• PCI 1.0 – December 2004 – 12 major sections

• PCI 1.1 – September 2006 – App security, compensating controls

• PCI 1.2 – October 2008 – Risk based approach, emphasis on wireless

• PCI 2.0 – October 2010 – Definition of scope, clarifications

• PCI 3.0 – November 2013 – Consistency for assessors, risk based approach, flexibility

Page 7: PCI-DSS v3.0 - What you need to know


PCI-DSS 3.0 Key Drivers

Lack of education and awareness

Weak passwords, authentication

Third-party security challenges

Slow self-detection, malware

Inconsistency in assessments


Page 8: PCI-DSS v3.0 - What you need to know


General Themes

Penetration testing gets real

• More explicitly-defined penetration test guidelines

Skimmers, skimmers and more skimmers

• New requirement to maintain list of POS devices, periodically inspect devices and train personnel

• Inclusion of POS devices in other sections

Service provider accountability

PCI requirement clarifications and details


Page 9: PCI-DSS v3.0 - What you need to know


Why Protect Point-of-Sale Devices?

Physical data theft incidents from 2013 Verizon Data Breach Incident Report


Source: http://www.verizonenterprise.com/DBIR/

Page 10: PCI-DSS v3.0 - What you need to know


Service Providers accountability

Third-party awareness at the compliance level


Source: http://www.bankinfosecurity.com/bofa-confirms-third-party-breach-a-5582

Page 11: PCI-DSS v3.0 - What you need to know

PCI DSS 3.0 Dates and Deadlines

Publication Date: November 7, 2013

Effective Date: January 1, 2014

• Version 2.0 will remain active until December 31, 2014

Deadline for New Requirements: June 30, 2015

Page 12: PCI-DSS v3.0 - What you need to know


What’s New?


New requirements added in PCI-DSS 3.0

Page 13: PCI-DSS v3.0 - What you need to know

New Req. 6.5.6

Insecure handling of credit card and authentication data in memory.

Compliance:

• Document how PAN/SAD is handled in memory to minimize exposure

Page 14: PCI-DSS v3.0 - What you need to know

New Req. 6.5.11

Broken authentication & session management.

Compliance:

• Flag session tokens

• Don’t expose session ID in URL

• Implement time-outs

• Prevent User ID manipulation

Page 15: PCI-DSS v3.0 - What you need to know

New Req. 8.5.1

Service providers with access to customer environments must use a unique authentication credential for each customer.

Compliance:

• Authentication policies and procedures to mandate that different authentication is used to access each customer environment

** Only mandated for service providers

Page 16: PCI-DSS v3.0 - What you need to know

New Req. 9.9

Protect POS devices that capture payment card data from tampering.

Compliance:

• Maintain a list of POS devices

• Periodical inspection for tampering/substitution

• Training for awareness

Note: PCI-DSS now addresses skimmers.

Page 17: PCI-DSS v3.0 - What you need to know

New Req. 11.3

Develop a penetration testing methodology based on industry guidelines like NIST.

Compliance:

• Implement a penetration testing approach based on an industry standard (like NIST SP800-115)

• Define pen-test for all layers

• Specify retention and remediation activity

Page 18: PCI-DSS v3.0 - What you need to know

New Req. 12.9

Service providers must document in writing that they will adhere to PCI DSS standards.

Compliance:

• Acknowledge in writing to customers that the service provider will maintain PCI DSS in full on behalf of the customer

** Only mandated for service providers

Page 19: PCI-DSS v3.0 - What you need to know


Web Application Compliance

Using a WAF to close the compliance gap

Page 20: PCI-DSS v3.0 - What you need to know


Web application relevant requirements


Page 21: PCI-DSS v3.0 - What you need to know

[6.5.11] Broken Auth & Session Mgmt

Authentication/Session attacks

• Cookie Tampering

• Cookie Poisoning

• Session Hijacking

• Session Reuse

• Parameter Tampering

• SSL Reuse

• Brute Force
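As an added illustration of the Req. 6.5.11 controls on slide 14 (flag session tokens, keep session IDs out of URLs, time-outs, no user ID manipulation) and of the cookie-tampering, hijacking and session-reuse attacks listed on this slide, here is a minimal server-side session handler written for this page; it is not code from the Imperva deck. The signing key, the 15-minute idle time-out, the cookie name SESSION and the dictionary-based store are all demo assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

SECRET_KEY = secrets.token_bytes(32)   # signing key, generated per process for this demo
IDLE_TIMEOUT = 15 * 60                 # idle time-out in seconds (demo value)
COOKIE_NAME = "SESSION"                # demo cookie name
_sessions: Dict[str, dict] = {}        # server-side store: sid -> {"user_id", "last_seen"}

def _sign(sid: str) -> str:
    return hmac.new(SECRET_KEY, sid.encode(), hashlib.sha256).hexdigest()

def create_session(user_id: str, now: float) -> str:
    """Login: issue a fresh random token (never reuse a pre-login ID) bound server-side to user_id."""
    sid = secrets.token_urlsafe(32)
    _sessions[sid] = {"user_id": user_id, "last_seen": now}
    return f"{sid}.{_sign(sid)}"

def set_cookie_header(token: str) -> str:
    """Flag the cookie: HttpOnly (no script access), Secure (TLS only), SameSite (no cross-site send)."""
    return f"Set-Cookie: {COOKIE_NAME}={token}; Path=/; HttpOnly; Secure; SameSite=Strict"

def token_from_request(headers: Dict[str, str], query: Dict[str, str]) -> Optional[str]:
    """Accept the token only from the Cookie header; a session ID in the URL query is ignored."""
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME:
            return value
    return None  # `query` is deliberately never consulted

def resolve_user(token: Optional[str], now: float) -> Optional[str]:
    """Return user_id for a valid session, else None; identity never comes from the client."""
    if not token or "." not in token:
        return None
    sid, sig = token.rsplit(".", 1)
    if not hmac.compare_digest(sig, _sign(sid)):   # tampered or forged cookie
        return None
    sess = _sessions.get(sid)
    if sess is None:                               # unknown or logged-out session
        return None
    if now - sess["last_seen"] > IDLE_TIMEOUT:     # idle time-out: expire and forget
        del _sessions[sid]
        return None
    sess["last_seen"] = now
    return sess["user_id"]

def logout(token: str) -> None:
    """Invalidate server-side so a captured token cannot be replayed."""
    _sessions.pop(token.rsplit(".", 1)[0], None)
```

A WAF in front of the application can detect the attack patterns listed above, but the time-out, revocation and server-side identity binding only work if the application itself enforces them as shown.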

Page 22: PCI-DSS v3.0 - What you need to know


[11.3] Pen Testing and Remediation


Source: http://www.imperva.com/docs/SB_Imperva_WhiteHat.pdf

Page 23: PCI-DSS v3.0 - What you need to know

PCI-DSS Carry-ons

Source: http://www.imperva.com/PCI/

• Req 6.6: Protect public-facing Web applications

• Req 10: Audit all access to cardholder data

• Req 7: Limit access to systems and data on a business need to know

• Req 8.5: Identify and disable dormant user accounts and access rights

• Req 11.5: Alert personnel to unauthorized modification of files

Page 24: PCI-DSS v3.0 - What you need to know


Where can I learn more?

Page 25: PCI-DSS v3.0 - What you need to know

PCI

• PCI-DSS Council: http://www.pcisecuritystandards.org

• Imperva’s PCI Resource Center: http://www.imperva.com/PCI/

Page 26: PCI-DSS v3.0 - What you need to know

Skimmers

• KrebsOnSecurity: http://krebsonsecurity.com/category/all-about-skimmers/

Page 27: PCI-DSS v3.0 - What you need to know

Third-Party Breaches

• Imperva’s January 2013 HII and Imperva’s CMS Hacking Webinar: http://www.imperva.com/resources/overview.html

Page 28: PCI-DSS v3.0 - What you need to know

Post-Webinar Discussions

• Answers to attendee questions

• Webinar recording link

• Webinar materials

• Join the Imperva LinkedIn Group, Imperva Data Security Direct, for…

Page 29: PCI-DSS v3.0 - What you need to know


Questions?


www.imperva.com

Page 30: PCI-DSS v3.0 - What you need to know


Thank You