PCI-DSS v3.0 - What You Need to Know
Posted on 19-Oct-2014
Imperva webinar, 11/7/2013, covering the latest changes to the PCI-DSS standard.

Transcript
© 2013 Imperva, Inc. All rights reserved.

PCI-DSS v3.0: What You Need to Know
Barry Shteiman – Director of Security Strategy

Agenda
• PCI-DSS Themes and Drivers
• Dates and Deadlines
• New Requirements
• Web App Compliance

Today’s Speaker - Barry Shteiman
• Director of Security Strategy
• Security Researcher working with the CTO office
• Author of several application security tools, including HULK
• Open source security projects code contributor
• CISSP
• Twitter @bshteiman

Introducing PCI-DSS 3.0

PCI-DSS
Payment Card Industry (PCI) Data Security Standard (DSS)
“A set of control requirements created to help protect cardholder data.”
Industry driven
• From conception to enforcement
Evolving
• 4th version over 7 years
• Rate of releases has slowed – 3 years since v2.0 release
Concise and Pragmatic
• Does not avoid naming technologies
• Calls out threats by name
• Very specific about data scope

PCI-DSS Evolution
• PCI 1.0 • December 2004 • 12 major sections
• PCI 1.1 • September 2006 • App security, compensating controls
• PCI 1.2 • October 2008 • Risk based approach, emphasis on wireless
• PCI 2.0 • October 2010 • Definition of scope, clarifications
• PCI 3.0 • November 2013 • Consistency for assessors, risk based approach, flexibility

PCI-DSS 3.0 Key Drivers
• Lack of education and awareness
• Weak passwords, authentication
• Third-party security challenges
• Slow self-detection, malware
• Inconsistency in assessments

General Themes
Penetration testing gets real
• More explicitly-defined penetration test guidelines
Skimmers, skimmers and more skimmers
• New requirement to maintain list of POS devices, periodically inspect devices and train personnel
• Inclusion of POS devices in other sections
Service provider accountability
PCI requirement clarifications and details

Why Protect Point-of-Sale Devices?
Physical data theft incidents from 2013 Verizon Data Breach Incident Report
Source: http://www.verizonenterprise.com/DBIR/

Service Provider Accountability
Third-party awareness at the compliance level
Source: http://www.bankinfosecurity.com/bofa-confirms-third-party-breach-a-5582

PCI DSS 3.0 Dates and Deadlines
Publication Date: November 7, 2013
Effective Date: January 1, 2014
• Version 2.0 will remain active until December 31, 2014
Deadline for New Requirements: June 30, 2015

What’s New?
New requirements added in PCI-DSS 3.0

New Req. 6.5.6
Insecure handling of credit card and authentication data in memory.
Compliance:
• Document how PAN/SAD is handled in memory to minimize exposure
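As an added example (not part of the Imperva deck), one way to keep the full PAN's lifetime in process memory short: the PAN is accepted only as a mutable buffer, validated and reduced to a masked form in place, and the buffer is zeroed before the call returns. The `process_pan`, `luhn_valid` and `MaskedPan` names are this example's own.

```python
from dataclasses import dataclass


def luhn_valid(digits: bytearray) -> bool:
    """Mod-10 check read directly from the buffer, so no str copy of the PAN is made."""
    total, double = 0, False
    for b in reversed(digits):
        d = b - 0x30
        if double:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
        double = not double
    return total % 10 == 0


@dataclass(frozen=True)
class MaskedPan:
    """All the application retains: first six, last four (the most PCI DSS req. 3.3
    allows to be displayed) and the length. The full PAN is never stored."""
    first6: str
    last4: str
    length: int

    def display(self) -> str:
        return self.first6 + "*" * (self.length - 10) + self.last4


def process_pan(buf: bytearray) -> MaskedPan:
    """Validate the PAN in `buf`, derive its masked form, then zero `buf`.

    A bytearray is used because str and bytes are immutable: their contents
    cannot be overwritten and linger until the allocator reuses the memory.
    The buffer is wiped on every exit path so the full PAN never outlives the call.
    """
    try:
        if not 13 <= len(buf) <= 19 or not all(0x30 <= b <= 0x39 for b in buf):
            raise ValueError("PAN must be 13-19 ASCII digits")
        if not luhn_valid(buf):
            raise ValueError("PAN failed Luhn check")
        return MaskedPan(buf[:6].decode(), buf[-4:].decode(), len(buf))
    finally:
        buf[:] = b"\x00" * len(buf)
```

The same discipline applies to sensitive authentication data (SAD): read it into a wipeable buffer, use it, and zero it, rather than holding it in immutable strings or passing it through logging.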

New Req. 6.5.11
Broken authentication & session management.
Compliance:
• Flag session tokens
• Don’t expose session ID in URL
• Implement time-outs
• Prevent User ID manipulation
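The four compliance points above, worked through as an added example (not from the Imperva deck): a small server-side session store that sets the cookie flags, refuses a session ID carried in the URL, enforces idle and absolute time-outs, and takes the user identity from the server record rather than from anything the client sends. The `SessionStore` class, the request dict shape and the timeout values are this example's assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

IDLE_TIMEOUT = 15 * 60       # seconds of inactivity before a session is invalidated
ABSOLUTE_TIMEOUT = 8 * 3600  # hard lifetime cap, however active the session is
COOKIE = "SID"               # cookie name (this example's choice)


@dataclass
class Session:
    user_id: str
    created: float
    last_seen: float


class SessionStore:
    def __init__(self) -> None:
        self._by_hash: Dict[str, Session] = {}  # sha256(token) -> Session

    @staticmethod
    def _key(token: str) -> str:
        # Only a hash is kept server-side, so a leaked store yields no usable IDs.
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user_id: str, now: float) -> Tuple[str, str]:
        """Issue a session and the Set-Cookie value that carries it."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._by_hash[self._key(token)] = Session(user_id, now, now)
        # 'Flag session tokens': HttpOnly, Secure and SameSite=Strict attributes.
        header = f"{COOKIE}={token}; Path=/; HttpOnly; Secure; SameSite=Strict"
        return token, header

    def resolve(self, request: dict, now: float) -> Optional[str]:
        """Return the user_id for request={"cookies":{..},"query":{..}} (constructed shape) or None."""
        # 'Don't expose session ID in URL': a token in the query string is refused outright.
        if COOKIE in request.get("query", {}):
            return None
        token = request.get("cookies", {}).get(COOKIE)
        sess = self._by_hash.get(self._key(token)) if token else None
        if sess is None:
            return None
        # 'Implement time-outs': idle and absolute; drop the record so it cannot be replayed.
        if now - sess.last_seen > IDLE_TIMEOUT or now - sess.created > ABSOLUTE_TIMEOUT:
            del self._by_hash[self._key(token)]
            return None
        sess.last_seen = now
        # 'Prevent User ID manipulation': identity comes from the server record, not the client.
        return sess.user_id
```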

New Req. 8.5.1
Service providers with access to customer environments must use a unique authentication credential for each customer
Compliance:
• Authentication policies and procedures to mandate different authentication is used to access each customer environment
** Only mandated for service providers

New Req. 9.9
Protect POS devices that capture payment card data from tampering
Compliance:
• Maintain a list of POS devices
• Periodical inspection for tampering/substitution
• Training for awareness
Note: PCI-DSS now addresses skimmers.

New Req. 11.3
Develop penetration testing methodology based on industry guidelines like NIST
Compliance:
• Implement a penetration testing approach based on an industry standard (like NIST SP800-115)
• Define pen-test for all layers
• Specify retention and remediation activity

New Req. 12.9
Service providers must document in writing they will adhere to PCI DSS standards
Compliance:
• Acknowledge in writing to customers that service provider will maintain PCI DSS in full on behalf of the customer
** Only mandated for service providers

Web Application Compliance
Using a WAF to close the compliance gap

Web application relevant requirements

[6.5.11] Broken Auth & Session Mgmt
Authentication/Session attacks
• Cookie Tampering
• Cookie Poisoning
• Session Hijacking
• Session Reuse
• Parameter Tampering
• SSL Reuse
• Brute Force

[11.3] Pen Testing and Remediation
Source: http://www.imperva.com/docs/SB_Imperva_WhiteHat.pdf

PCI-DSS Carry-ons
• Req 6.6: Protect public-facing Web applications
• Req 10: Audit all access to cardholder data
• Req 7: Limit access to systems and data on a business need to know
• Req 8.5: Identify and disable dormant user accounts and access rights
• Req 11.5: Alert personnel to unauthorized modification of files
Source: http://www.imperva.com/PCI/

Where can I learn more?

PCI
• PCI-DSS Council: http://www.pcisecuritystandards.org
• Imperva’s PCI Resource Center: http://www.imperva.com/PCI/

Skimmers
• KrebsOnSecurity: http://krebsonsecurity.com/category/all-about-skimmers/

Third-Party Breaches
• Imperva’s January 2013 HII and Imperva’s CMS Hacking Webinar: http://www.imperva.com/resources/overview.html

Post-Webinar Discussions
• Answers to Attendee Questions
• Webinar Recording Link
• Join Imperva LinkedIn Group, Imperva Data Security Direct, for…
• Webinar Materials

Questions?
www.imperva.com

Thank You