PCI Security Standards Council
Guiding open standards for global payment card security
Bob Russo, General Manager, December 2013
Agenda
• Why PCI DSS 3.0?
• PCI DSS and EMV
• Get Involved
About the PCI Council
• Open, global forum, founded 2006
• Guiding open standards for payment card security: development, management, education, awareness
Expanding Global Representation
PCI Security Standards Suite: Protection of Cardholder Payment Data
Ecosystem of payment devices, applications, infrastructure and users
• Manufacturers: PCI PTS (PIN Entry Devices)
• Software Developers: PCI PA-DSS (Payment Applications)
• Merchants & Service Providers: PCI DSS (Secure Environments)
• P2PE
• PCI Security & Compliance
PCI Community Feedback Process
Changes made per our lifecycle
• Open standards development process
• Feedback from our global PCI community
• Feedback period started in Fall of 2011
Market Trends & Drivers
• Weak or default passwords
• Lack of employee education
• Security deficiencies introduced by third parties
• Slow self-detection
Source: 2013 Trustwave Global Security Report
Key Considerations
What will improve payment security?
• Global applicability and local market concerns
• Appropriate sunset dates for other standards or requirements
• Cost/benefit of changes to infrastructure
• Cumulative impact of any changes
Why PCI DSS 3.0?
Visit www.pcisecuritystandards.org to view this infographic
PCI DSS, PA-DSS 3.0 – Key Themes
Make PCI your compass, not your roadmap
• Education
• Awareness
• Flexibility
• Security as a Shared Responsibility
At a Glance…
• 12 core security principles of PCI DSS remain the same
• Several new sub-requirements that will impact PCI DSS security efforts
• Future implementation dates provided for more significant changes
• Clarified PCI DSS Applicability
• Enhanced testing procedures to clarify level of validation expected for each requirement
• Aligned language between requirements and testing procedures for consistency
• Instructions for Report on Compliance (ROC) reporting are now in a separate ROC reporting template
Maintaining Compliance
Best Practices for Implementing PCI DSS into Business-as-Usual (BAU) Processes
• Focus on security, not compliance
• PCI DSS is not a once-a-year activity
• Don’t forget about people
Understanding Intent of Requirements
Strong Authentication
PCI DSS v2.0
8.5.7 Provide authentication procedures and policies to all users
PCI DSS v3.0
8.4 Include guidance for users:
• Selecting strong authentication credentials
• Protecting authentication credentials
• Not reusing previous passwords
• Changing passwords if suspicion of compromise
Security Policies and Procedures
PCI DSS v2.0
12.1.1 Maintain a security policy that addresses all PCI DSS requirements
12.2 Develop daily operational security procedures that are consistent with requirements in the PCI DSS
PCI DSS v3.0
1.5 Security policies and operational procedures for managing firewalls are documented and in use
2.5 Security policies and operational procedures for managing vendor defaults and security parameters are documented and in use
Consistent Assessment Procedures
Promote consistent validation methods
• Enhanced testing procedures
• Clarify what it means to “verify” a requirement has been met
Improve reporting
• Combine template with reporting instructions
• Clarify level of detail required
• Reduce repetition
Flexibility: PCI DSS Requirements
Log Reviews
PCI DSS v2.0
10.6 Review logs for all system components at least daily
PCI DSS v3.0
10.6.1 Review at least daily:
• All security events
• Logs from systems that store, process, or transmit CHD/SAD
• Logs of system components that perform security functions
10.6.2 Review other logs periodically as determined by the organization’s annual risk assessment
Security as a Shared Responsibility
• Outsourcing PCI DSS responsibilities (Guidance)
• Service providers use unique credentials per customer (Requirement 8)
• Service providers acknowledge responsibility (Requirement 12)
Physical Security for POS Devices
9.9 Protect devices that capture payment card data from tampering and substitution
• Maintain an up-to-date list of devices
• Periodically inspect device surfaces to detect tampering or substitution
• Provide training for personnel to be aware of attempted tampering or replacement of devices
Penetration Testing and Effective Scoping
11.3 Implement a penetration testing methodology
11.3.4 If segmentation is used, perform penetration tests to verify that the segmentation methods are operational and effective.
Effective Dates for v3.0 PCI DSS
• v3.0 is effective on January 1st 2014
• Version 2.0 is valid until December 31st 2014
• Different supporting documents: check our website for the latest documents
• Do not mix and match
EMV Chip Roadmap in US
EMV Chip Helps Reduce Face-to-Face Fraud
Even EMV Chip Needs PCI
Terminal Security
PTS Listings
And Emerging Technologies?
People + Processes + Technology = Security
Mobile Payment Acceptance
PCI Standards focus on merchant-acceptance
Mobile payment acceptance still evolving
Understand risk and use PCI SSC resources
PCI SSC is working with industry
Mobile Payment Acceptance
Guidelines published 2012-2013
• PCI Mobile Payment Acceptance Guidelines for Developers
• PCI Mobile Payment Acceptance Guidelines for Merchants as End-Users
• Accepting Mobile Payments with a Smartphone or Tablet
PCI Special Interest Groups
Visit www.pcisecuritystandards.org to download this guidance
2014 Special Interest Groups
• Formal Security Awareness: Best Practices for Implementing a Formal Security Awareness Program
• Penetration Testing Guidance
Training Options
• Online Internal Security Assessor (ISA) Training
• Corporate PCI Awareness – Let Us Come To You!
• Online Awareness Training in Four Hours
• Qualified Integrators and Resellers (QIR)™ Program
• PCI Professional Program (PCIP)™
To learn more, visit: www.pcisecuritystandards.org/training
Qualified Integrators and Resellers (QIR)™
QIR Addresses Common Misconceptions
• “I’m using a ‘reputable’ 3rd party, so they must be doing a secure installation.”
• “This applies only to brick and mortar establishments.”
• “I’m using a PA-DSS validated application, so I must be OK.”
Payment Card Industry Professional (PCIP)™ – Now Available
• Support your organization
• Professional credibility
• Competitive advantage
• Global directory
PCI SSC Website
• Documents library
• Dedicated page for small merchants
• Listings of approved companies and providers
• Videos and webinars
• Frequently asked questions microsite
Security is a shared responsibility
Get Involved – We Need Your Input
Join • Learn • Input • Network • Nominate • Vote • Share • Influence
Please visit our website at www.pcisecuritystandards.org
Questions?