Jon Bonham, CISA Coalfire System, Inc. PCI 3.1 Changes


Page 1: PCI 3.1 Changes · PCI DSS 3.1 – Goals The PCI SSC is pushing the concept of ongoing or continuous compliance management. o Monitoring of security controls o Detect and respond

Jon Bonham, CISA Coalfire System, Inc.

PCI 3.1 Changes

Page 2:

Agenda

• Introduction of Coalfire
• What does this have to do with the business office
• Changes to version 3.1
• EMV
• P2PE
• Questions and Answers
• Contact Information

Page 3:

What does this have to do with business?

• Income
• Easier
• The decision to take cards was made in the business office.
• The contracts were signed by the business office.
• The part in the contract about always being PCI compliant was signed by the business office.

Page 4:

What you signed up for.

Page 5:

Business Office

• Business Need
• Business Solution
• Business Responsibilities
• With help from the IT Department
• With help from the merchants and their staff

Page 6:

VERSION 2.0 TO 3.1 CHANGES

Page 7:

New SAQ Validation Types

Page 8:

New SAQ Validation Types

Columns: SAQ validation type; description; number of questions in v3.0; change in question count from v2.0; ASV scan required in v3.0; penetration test required in v3.0.

A: Card-not-present merchants: All payment processing functions fully outsourced, no electronic cardholder data storage. Questions (v3.0): 14; change from v2.0: +1; ASV scan required: No; penetration test required: No.

A-EP: E-commerce merchants re-directing to a third-party website for payment processing, no electronic cardholder data storage. Questions (v3.0): 139; change from v2.0: NEW; ASV scan required: Yes; penetration test required: Yes.

B: Merchants with only imprint machines or only standalone dial-out payment terminals: No e-commerce or electronic cardholder data storage. Questions (v3.0): 41; change from v2.0: +12; ASV scan required: No; penetration test required: No.

B-IP: Merchants with standalone, IP-connected payment terminals: No e-commerce or electronic cardholder data storage. Questions (v3.0): 83; change from v2.0: NEW; ASV scan required: Yes; penetration test required: No.

C: Merchants with payment application systems connected to the Internet: No e-commerce or electronic cardholder data storage. Questions (v3.0): 139; change from v2.0: +59; ASV scan required: Yes; penetration test required: Yes.

C-VT: Merchants with web-based virtual payment terminals: No e-commerce or electronic cardholder data storage. Questions (v3.0): 73; change from v2.0: +22; ASV scan required: No; penetration test required: No.

D-MER: All other SAQ-eligible merchants. Questions (v3.0): 326; change from v2.0: +38; ASV scan required: Yes; penetration test required: Yes.

D-SP: SAQ-eligible service providers. Questions (v3.0): 347; change from v2.0: NEW; ASV scan required: Yes; penetration test required: Yes.

P2PE: Hardware payment terminals in a validated PCI P2PE solution only: No e-commerce or electronic cardholder data storage. Questions (v3.0): 35; change from v2.0: NEW; ASV scan required: No; penetration test required: No.

Page 9:

New SAQ Validation Types

SAQ A: Card-not-present merchants: All payment processing functions fully outsourced, no electronic cardholder data storage.

Page 10:

New SAQ Validation Types

SAQ A-EP: E-commerce merchants re-directing to a third-party website for payment processing, no electronic cardholder data storage. Change from v2.0: NEW; ASV scan required (v3.0): Yes; penetration test required (v3.0): Yes.

Page 11:

New SAQ Validation Types

SAQ B: Merchants with only imprint machines or only standalone dial-out payment terminals: No e-commerce or electronic cardholder data storage.

Page 12:

New SAQ Validation Types

SAQ B-IP: Merchants with standalone, IP-connected payment terminals: No e-commerce or electronic cardholder data storage. Change from v2.0: NEW; ASV scan required (v3.0): Yes; penetration test required (v3.0): No.

Page 13:

New SAQ Validation Types

SAQ C: Merchants with payment application systems connected to the Internet: No e-commerce or electronic cardholder data storage. ASV scan required (v3.0): Yes; penetration test required (v3.0): Yes.

Page 14:

New SAQ Validation Types

SAQ C-VT: Merchants with web-based virtual payment terminals: No e-commerce or electronic cardholder data storage. ASV scan required (v3.0): No; penetration test required (v3.0): No.

Page 15:

New SAQ Validation Types

SAQ D-MER: All other SAQ-eligible merchants. ASV scan required (v3.0): Yes; penetration test required (v3.0): Yes.

Page 16:

New SAQ Validation Types

SAQ D-SP: SAQ-eligible service providers. Change from v2.0: NEW; ASV scan required (v3.0): Yes; penetration test required (v3.0): Yes.

Page 17:

New SAQ Validation Types

SAQ P2PE: Hardware payment terminals in a validated PCI P2PE solution only: No e-commerce or electronic cardholder data storage. Change from v2.0: NEW; ASV scan required (v3.0): No; penetration test required (v3.0): No.

Page 18:

New SAQ Validation Types (the full table from page 8, repeated)

Page 19:

PCI DSS 3.1 – Goals

The PCI SSC is pushing the concept of ongoing or continuous compliance management.

o Monitoring of security controls
o Detect and respond to failures in security controls
o Review all changes to the environment
o Organization structure changes
o Periodic reviews
o Annual hardware/software review

Page 20:

PCI DSS 3.1 – Scope and Segmentation

It’s important to review the guidance on how to accurately determine the scope of a PCI DSS engagement and the intent of segmentation. Successfully identifying the scope of your environment is always the key to a successful PCI DSS assessment.

Scope Identification Process

o What is your ongoing process?
o Identifying cardholder data outside of the CDE.

Connected Systems = in-scope

o Connected to the CDE and have the ability to access cardholder data.
o Systems that have the ability to impact the security of the CDE.
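The scoping rules on this slide (CDE systems, cardholder data found outside the CDE, systems connected to the CDE, and systems that can impact the CDE's security) can be applied mechanically to a system inventory and a firewall rule set. The following is an added worked example, not part of the deck and not a Coalfire or PCI SSC tool; the inventory, zone names, permitted-connection pairs and service labels are constructed for illustration, and the categories it assigns are this example's own names for the slide's three criteria.

```python
"""Worked scoping model. Added example, not from the original deck; the
inventory, firewall rules, zone names and service labels are constructed."""
from collections import namedtuple

System = namedtuple("System", "name zone stores_chd provides")
# zone       : "CDE" when the inventory already places the system in the
#              cardholder data environment
# stores_chd : whether cardholder data was actually found on the system
# provides   : security services the system delivers to other systems
#              (authentication, patching, log collection, ...)

INVENTORY = [
    System("pos-app-01",  "CDE",   True,  frozenset()),
    System("db-card-01",  "CDE",   True,  frozenset()),
    System("ad-dc-01",    "CORP",  False, frozenset({"authentication"})),
    System("wsus-01",     "CORP",  False, frozenset({"patching"})),
    System("siem-01",     "MGMT",  False, frozenset({"log-collection"})),
    System("hr-share-01", "CORP",  True,  frozenset()),  # CHD found outside the CDE
    System("print-01",    "CORP",  False, frozenset()),
    System("guest-wifi",  "GUEST", False, frozenset()),
]

# Constructed firewall rule set: (source, destination) pairs that are
# permitted. Any pair not listed is blocked by segmentation.
PERMITTED = {
    ("pos-app-01", "db-card-01"),
    ("ad-dc-01", "pos-app-01"),
    ("ad-dc-01", "db-card-01"),
    ("wsus-01", "pos-app-01"),
    ("pos-app-01", "siem-01"),
    ("db-card-01", "siem-01"),
    ("print-01", "hr-share-01"),
}


def connected(a, b, permitted=PERMITTED):
    """Connectivity in either direction counts: a system the CDE can reach
    matters for scope just as one that reaches into the CDE does."""
    return (a, b) in permitted or (b, a) in permitted


def classify(inventory=INVENTORY, permitted=PERMITTED):
    """Return (in_scope, reason_by_name, findings).

    reason_by_name maps each in-scope system to (category, detail), where
    category is "CDE", "CHD outside CDE", "security-impacting" or
    "connected-to". findings lists scoping errors to fix before assessment.
    """
    reasons = {}
    findings = []
    for s in inventory:
        if s.zone == "CDE":
            reasons[s.name] = ("CDE", "inventory zone")
        elif s.stores_chd:
            # Cardholder data outside the CDE: the system belongs in the CDE
            reasons[s.name] = ("CHD outside CDE", "cardholder data found")
            findings.append(f"{s.name}: cardholder data stored outside the CDE")
    chd_systems = set(reasons)
    for s in inventory:
        if s.name in reasons:
            continue
        peers = sorted(p for p in chd_systems if connected(s.name, p, permitted))
        if not peers:
            continue  # fully segmented from every system holding cardholder data
        if s.provides:
            reasons[s.name] = ("security-impacting",
                               f"provides {', '.join(sorted(s.provides))} to {', '.join(peers)}")
        else:
            reasons[s.name] = ("connected-to", f"connected to {', '.join(peers)}")
    return set(reasons), reasons, findings


def out_of_scope(inventory=INVENTORY, permitted=PERMITTED):
    in_scope, _, _ = classify(inventory, permitted)
    return sorted(s.name for s in inventory if s.name not in in_scope)


if __name__ == "__main__":
    in_scope, reasons, findings = classify()
    for name, (category, detail) in sorted(reasons.items()):
        print(f"{name:12} {category:18} {detail}")
    print("out of scope:", out_of_scope())
    for f in findings:
        print("FINDING:", f)
```

With the constructed data only the guest wireless network falls out of scope; the file share where cardholder data was found is flagged as a finding and pulls its print server into scope, which is the kind of surprise the slide's "identifying cardholder data outside of the CDE" step is meant to catch before the assessor does.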

Page 21:

PCI DSS 3.1 – Critical Changes to Penetration Testing

Expanded Penetration Testing Expectations

The penetration testing requirements are much more detailed and now require testing to validate segmentation technologies (best practice until July 2015).

Page 22:

PCI DSS 3.1 – Flexible Changes to Existing Requirements

Password Complexity Flexibility

Password complexity and strength requirements have been combined into a single requirement, and the PCI SSC has now allowed for some flexibility in meeting these requirements.

Requirement 6.6 Flexibility

Added options to the interpretation of this requirement by changing “web-application firewall” to “automated technical solution that detects and prevents web-based attacks”.

Page 23:

PCI DSS 3.1 – Critical Changes to Logging Requirements

New Logging Events

Enhanced logging requirement to include stopping or pausing of the audit logs.

Log Reviews for Critical Components

Daily or continuous log reviews have been split into two categories: critical systems and “everything else”.
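Both points on this slide can be exercised in a small piece of detection logic: pick out the events that record an audit log being stopped, cleared or reconfigured, and tag each alert with the review cadence its host falls under. This is an added example, not from the deck; the log line format, host names, timestamps and the list of critical systems are constructed, while the Windows event IDs (1100, 1102, 4719) and the auditd record types (DAEMON_END, DAEMON_ABORT, CONFIG_CHANGE with audit_enabled=0) are real.

```python
"""Detection of audit-log interruptions over sample log lines. Added
example, not from the original deck; line format, hosts and times are
constructed, the event IDs and auditd record types are real."""
import re

# Constructed sample lines: "<timestamp> <host> <source> <fields>"
SAMPLE_LOGS = [
    "2015-07-01T02:14:07Z pos-app-01 winevt EventID=4624 msg='An account was successfully logged on'",
    "2015-07-01T02:15:30Z pos-app-01 winevt EventID=1100 msg='The event logging service has shut down'",
    "2015-07-01T02:16:02Z db-card-01 winevt EventID=1102 msg='The audit log was cleared'",
    "2015-07-01T02:17:45Z wsus-01 winevt EventID=4719 msg='System audit policy was changed'",
    "2015-07-01T02:18:10Z db-card-02 auditd type=CONFIG_CHANGE audit_enabled=0 old=1 auid=1000 res=success",
    "2015-07-01T02:19:00Z db-card-02 auditd type=DAEMON_END op=terminate auid=0 pid=812 res=success",
    "2015-07-01T02:20:33Z print-01 auditd type=SYSCALL arch=c000003e syscall=59 success=yes",
    "truncated-line",
]

# Constructed list of "critical" systems whose logs are reviewed daily;
# everything else is reviewed periodically.
CRITICAL_SYSTEMS = frozenset({"pos-app-01", "db-card-01", "db-card-02"})

WINDOWS_EVENTS = {
    "1100": "event logging service shut down",
    "1102": "audit log cleared",
    "4719": "system audit policy changed",
}
AUDITD_TYPES = {
    "DAEMON_END": "auditd stopped",
    "DAEMON_ABORT": "auditd aborted",
}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<src>\S+) (?P<rest>.*)$")


def interruption_kind(src, rest):
    """Describe the audit-log interruption a parsed line records, or return
    None when the line is ordinary activity."""
    if src == "winevt":
        m = re.search(r"\bEventID=(\d+)", rest)
        return WINDOWS_EVENTS.get(m.group(1)) if m else None
    if src == "auditd":
        m = re.search(r"\btype=(\w+)", rest)
        rtype = m.group(1) if m else ""
        if rtype == "CONFIG_CHANGE" and re.search(r"\baudit_enabled=0\b", rest):
            return "auditing disabled (audit_enabled=0)"
        return AUDITD_TYPES.get(rtype)
    return None


def audit_interruptions(lines, critical=CRITICAL_SYSTEMS):
    """Return (alerts, unparsed_count). Each alert carries the host, the kind
    of interruption and the review cadence that applies to that host."""
    alerts = []
    unparsed = 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1  # count rather than drop: gaps in the feed matter too
            continue
        kind = interruption_kind(m["src"], m["rest"])
        if kind is None:
            continue
        host = m["host"]
        alerts.append({
            "time": m["ts"],
            "host": host,
            "event": kind,
            "review": "daily (critical system)" if host in critical else "periodic (everything else)",
        })
    return alerts, unparsed


if __name__ == "__main__":
    found, skipped = audit_interruptions(SAMPLE_LOGS)
    for a in found:
        print(f"{a['time']} {a['host']:12} {a['event']:40} review: {a['review']}")
    print(f"{skipped} line(s) could not be parsed")
```

The unparseable line is counted rather than discarded because a log feed that silently stops producing well-formed records is itself one of the conditions the enhanced requirement is after.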

Page 24:

PCI DSS 3.1 – Critical Changes to Developer Training

6.5.c Sensitive Data in Memory

Organizations must now demonstrate how they train their developers to understand how sensitive data is handled in memory.

Page 25:

PCI DSS 3.1 – New Requirements - Immediate Impact

Requirement 1.1.3 Dataflow diagrams.

Requirement 2.4 Inventory of all in-scope system components.

Requirement 5.1.2 Risk-based malware review for systems not commonly affected by malicious software.

Requirement 8.1.3.b Termination processes must include all physical authentication methods in addition to systems.

Page 26:

PCI DSS 3.1 – New Requirements - Immediate Impact

Requirement 8.6.x New requirements and testing procedures around the use of physical “Authentication Mechanisms” assigned to individuals.

Requirement 9.3 New requirement to control issuing physical access to sensitive areas for onsite personnel.

Requirement 12.8.5 New requirement to maintain information about which PCI DSS requirements are managed by the service provider.

Page 27:

PCI DSS 3.1 – Phased Requirements - 2015

These requirements were considered “best practices only” until June 30, 2015, at which time they became mandatory for all 3.1 assessments.

Requirement 6.5.10 Broken authentication and session management.

Requirement 8.5.1 New requirement for service providers to use different authentication credentials for access into different customer environments.

Requirement(s) 9.9.x New (merchant) requirements to protect point-of-sale devices that capture payment card data from tampering or unauthorized modification or substitution.

Page 28:

PCI DSS 3.1 – More Phased Requirements - 2015

Requirement 11.3.X Expanded requirements/expectations for penetration testing controls. PCI DSS v2.0 requirements for penetration testing may be followed until July 2015.

Requirement 12.9 Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data.

Page 29:

Questions about the changes

Page 30:

What is Chip and PIN or EMV?

EMV, which stands for Europay, MasterCard, and Visa, is a global standard for inter-operation of integrated circuit cards (IC cards or "chip cards") and IC-card-capable point of sale (POS) terminals, for authenticating credit and card transactions.

Page 31:

Contact Cards and RF Cards

• Contact cards communicate with the reader over a contact plate. The plate must come into contact with the terminal, usually by inserting the card into a slot in the terminal. The card must remain inserted for the duration of the transaction.

• Contactless cards communicate via radio frequency (RF) and must contain an antenna.

• Dual interface chip cards combine both technologies and can communicate either way.

Source: Visa U.S. Merchant EMV Chip Acceptance Readiness Guide

Page 32:

What does this mean to you

• The benefit to EMV is that it is almost impossible to create a fake or fraudulent card.
• The card produces a one-time-use code for each transaction.
• It takes special equipment to read the card.
• Over 80 percent of fraudulent transactions are “Card Present” transactions.
• By using EMV, those transactions shouldn’t take place.
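The reason a one-time code per transaction makes a copied card useless is easiest to see in code. The following is an added example, not from the deck: it is a deliberately simplified stand-in for the MAC-based application cryptogram an EMV chip computes, and it does not reproduce EMV's real key derivation, data formats or authorization messages. The card number, keys, terminal nonce values and amounts are constructed; the `Card`, `Issuer` and `cryptogram` names are this example's own.

```python
"""Simplified model of the per-transaction one-time code an EMV chip
produces. Added example, not from the original deck; it stands in for the
real EMV cryptogram scheme and uses constructed keys and card data."""
import hashlib
import hmac
import os


def cryptogram(key, pan, atc, amount_cents, nonce):
    """Truncated HMAC over the transaction data. Without the key no valid
    code can be produced, and any change to the data changes the code."""
    msg = f"{pan}|{atc}|{amount_cents}|{nonce.hex()}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Card:
    """The chip: a secret key that never leaves the card, plus an
    application transaction counter (ATC) that increments per transaction."""

    def __init__(self, pan, key):
        self.pan = pan
        self._key = key
        self.atc = 0

    def authorize(self, amount_cents, terminal_nonce):
        self.atc += 1
        return {
            "pan": self.pan,
            "atc": self.atc,
            "amount": amount_cents,
            "nonce": terminal_nonce,
            "cryptogram": cryptogram(self._key, self.pan, self.atc, amount_cents, terminal_nonce),
        }


class Issuer:
    """Holds a copy of each card's key and the last counter value seen."""

    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def enroll(self, pan):
        key = os.urandom(16)
        self._keys[pan] = key
        self._last_atc[pan] = 0
        return Card(pan, key)

    def verify(self, auth):
        key = self._keys.get(auth["pan"])
        if key is None:
            return "decline: unknown card"
        if auth["atc"] <= self._last_atc[auth["pan"]]:
            return "decline: transaction counter not fresh (replay)"
        expected = cryptogram(key, auth["pan"], auth["atc"], auth["amount"], auth["nonce"])
        if not hmac.compare_digest(expected, auth["cryptogram"]):
            return "decline: cryptogram mismatch"
        self._last_atc[auth["pan"]] = auth["atc"]
        return "approve"


def run_demo():
    """Walk through a genuine transaction, a replayed message, an altered
    message and the card's next genuine transaction."""
    issuer = Issuer()
    card = issuer.enroll("4111111111111111")           # constructed test PAN
    nonce = bytes.fromhex("0123456789abcdef")          # constructed terminal value
    auth = card.authorize(1999, nonce)
    results = {"genuine": issuer.verify(auth)}
    # The same authorization message presented again: the counter is stale
    results["replay"] = issuer.verify(auth)
    # Amount altered and counter bumped, but no key to recompute the code
    altered = dict(auth, amount=199900, atc=auth["atc"] + 1)
    results["altered"] = issuer.verify(altered)
    # The real card's next transaction still verifies
    results["next"] = issuer.verify(card.authorize(500, bytes.fromhex("fedcba9876543210")))
    return results


if __name__ == "__main__":
    for step, outcome in run_demo().items():
        print(f"{step:8} {outcome}")
```

Two checks carry the slide's claim: the issuer refuses any counter value it has already seen, so a captured message cannot be presented twice, and the code is bound to the key inside the chip, so data copied off a card (which is what a magnetic stripe skim yields) does not let anyone mint a valid code for a new transaction.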

Page 33:

October 15, 2015 Liability Shift

• If a magnetic stripe card comes in and is read with a magnetic stripe reader then, if the purchase is a counterfeit transaction, the merchant is generally not liable, just like today.

Page 34:

October 15, 2015 Liability Shift

• If an EMV card comes in and is read with a magnetic-stripe-only POS terminal then, if the purchase is a counterfeit transaction, the merchant is solely liable.

Page 35:

October 15, 2015 Liability Shift

• If an EMV card comes in and is read with an activated EMV terminal then, if the purchase is a counterfeit transaction, the issuer will be liable.

Page 36:

Double Down

• If you are going to invest in the equipment, consider the business case of also buying equipment that can handle Point to Point Encryption technology.

• Chip and PIN, which is really Chip and Signature here in the US, protects the card and the card only.

• P2PE protects the cardholder data as it passes through your network.

Page 37:

Predictions

• 70% of U.S. credit cards and 41% of debit cards will be EMV-enabled by the end of 2015.

• The demand for new equipment will increase as the deadline gets closer.

• Many that order late will be waiting on equipment when the deadline comes.

• Most will think you can just plug it in and go without the proper testing with the processor.

• They will be wrong.

Page 38:

Thank you

Jon Bonham [email protected]