
What is PCI/DSS and What’s new

4/28/2016

Presented by Brian Marshall, Vanguard Professional Services


AGENDA

1. About Vanguard / Introductions

2. What is PCI DSS, and its history

3. High-level overview

4. PCI DSS 3.0 / 3.1 / 3.2

5. Top PCI challenges for z/OS

6. Q&A


What is PCI DSS?

PCI DSS is the Payment Card Industry Data Security Standard:

– A set of standards created by the PCI Security Standards Council

– Enforced by contract with the banks that provide payment card processing

– Applicable to everyone who “stores, processes, or transmits” payment card data

©2015 Vanguard Integrity Professionals, Inc.


PCI Security Standards Council

• Global, independent, open body formed to develop, enhance, disseminate and assist with the understanding of security standards for payment account security


PCI DSS History

A Brief History of PCI DSS

– The PCI Security Standards Council was formed September 7, 2006

– Founded by:

  • American Express

  • Discover Financial Services

  • JCB International

  • MasterCard International

  • VISA


Payment Card Industry Data Security Standard (PCI DSS)

- Developed to encourage and enhance cardholder data security and to facilitate the broad adoption of consistent data security measures globally.

- Provides a baseline of technical and operational requirements designed to protect cardholder data. PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).


PCI DSS Requirements

High-level overview of the 12 PCI DSS Requirements

1. Install and maintain a firewall configuration to protect cardholder data.

2. Do not use vendor-supplied defaults for system passwords and other security parameters.

3. Protect stored cardholder data.

4. Encrypt transmission of cardholder data across open, public networks.


5. Use and regularly update antivirus software.

6. Develop and maintain secure systems and applications.

7. Restrict access to cardholder data by business need-to-know.

8. Assign a unique ID to each person with computer access.


9. Restrict physical access to cardholder data.

10. Track and monitor all access to network resources and cardholder data.

11. Regularly test security systems and processes.

12. Maintain a policy that addresses information security.


Common PCI Terms

1. CHD – Cardholder Data

2. SAD – Sensitive Authentication Data

3. PAN – Primary Account Number


PCI DSS Procedures

Detailed PCI DSS Requirements and Security Assessment Procedures

The following defines the column headings for the PCI DSS Requirements and Security Assessment Procedures:

- PCI DSS Requirements – This column defines the Data Security Standard requirements; PCI DSS compliance is validated against these requirements.

- Testing Procedures – This column shows the processes to be followed by the assessor to validate that PCI DSS requirements have been met and are “in place.”

- Guidance – This column describes the intent or security objective behind each of the PCI DSS requirements. It contains guidance only, intended to assist understanding of the intent of each requirement, and does not replace or extend the PCI DSS Requirements and Testing Procedures.


Common PCI Requirements


Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters


• Req. 2.2.4 – Configure system security parameters to prevent misuse

- System configuration standards and related processes should specifically address security settings and parameters that have known security implications for each type of system in use.

- In order for systems to be configured securely, personnel responsible for configuring and/or administering systems must be knowledgeable in the specific security parameters and settings that apply to the system.


NIST RACF Checklist

https://web.nvd.nist.gov/view/ncp/repository/checklistDetail?id=5


PCI non-RACF Requirements

Req. 1.1.3 – Requirement for a current diagram that shows all cardholder data flows across systems and networks

- Cardholder data-flow diagrams identify the location of all cardholder data that is stored, processed, or transmitted within the network.

- Network diagrams (1.1.2) and cardholder data-flow diagrams (1.1.3) help an organization understand and keep track of the scope of its environment by showing how cardholder data flows across networks and between individual systems and devices.


PCI DSS 3.0 Changes

Req. 12.3.8 – Procedure to verify that a policy is implemented for disconnecting remote-access sessions after a specific period of inactivity

- Remote-access technologies are frequent "back doors" to critical resources and cardholder data. By disconnecting remote-access technologies when not in use (for example, those used to support your systems by your POS vendor, other vendors, or business partners), access and risk to networks is minimized.


PCI DSS 3.1 Changes

PCI SSC bulletin on impending revisions to PCI DSS and PA-DSS, 13 February 2015:

“To ensure the continued strength and integrity of PCI Standards for payment data protection, the Council has ongoing processes for monitoring threats and vulnerabilities and for updating the standards as necessary. The National Institute of Standards and Technology (NIST) has identified the Secure Socket Layers (SSL) v3.0 protocol (a cryptographic protocol designed to provide secure communications over a computer network) as no longer being acceptable for protection of data due to inherent weaknesses within the protocol. Because of these weaknesses, no version of SSL meets PCI SSC’s definition of “strong cryptography,” and revisions to the PCI Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS) are necessary.”


What is the Issue with SSL/TLS

SSL/TLS encrypts a channel between two endpoints (for example, between a web browser and web server) to provide privacy and reliability of data transmitted over the communications channel. Since the release of SSL v3.0, several vulnerabilities have been identified, most recently in late 2014 when researchers published details on a security vulnerability (CVE-2014-3566) that may allow attackers to extract data from secure connections. More commonly referred to as POODLE (Padding Oracle On Downgraded Legacy Encryption), this vulnerability is a man-in-the-middle attack where it’s possible to decrypt an encrypted message secured by SSL v3.0.


The SSL protocol (all versions) cannot be fixed; there are no known methods to remediate vulnerabilities such as POODLE. SSL and early TLS no longer meet the security needs of entities implementing strong cryptography to protect payment data over public or untrusted communications channels.


- Additionally, modern web browsers will begin prohibiting SSL connections in the very near future, preventing users of these browsers from accessing web servers that have not migrated to a more modern protocol.


What this means for PCI DSS

- In PCI DSS v3.1, SSL and early TLS are no longer examples of strong cryptography or secure protocols. The PCI DSS v3.1 requirements directly affected are:

  - Requirement 2.2.3 – Implement additional security features for any required services, protocols, or daemons that are considered to be insecure.

  - Requirement 2.3 – Encrypt all non-console administrative access using strong cryptography.

  - Requirement 4.1 – Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.
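What "strong cryptography" means for 2.3 and 4.1 is easiest to see in a concrete client configuration. The following Python is an added example, not code from the deck, from Vanguard or from PCI SSC: it builds a TLS context with TLS 1.2 as the floor (so SSLv3, TLS 1.0 and TLS 1.1 are refused at the handshake), reports the facts an assessor would record as evidence, and includes a per-version probe that tries one handshake per protocol version to find out which versions a server still accepts. The cipher string, the "weak"/"strong" classification sets and the `@SECLEVEL=0` trick used only for probing are choices made in this example, not text from the standard; the probe needs network access and is not part of the offline check.

```python
"""Added example, not from the deck: a TLS client configuration that excludes SSL
and early TLS, an evidence summary for it, and a per-version server probe."""
import socket
import ssl

# Protocol names as returned by SSLSocket.version(). PCI DSS v3.1 stopped
# treating the first set as strong cryptography; the grouping is this example's.
WEAK_PROTOCOLS = frozenset({"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"})
STRONG_PROTOCOLS = frozenset({"TLSv1.2", "TLSv1.3"})


def classify_protocol(name: str) -> str:
    """'weak' for SSL/early TLS, 'strong' for TLS 1.2+, 'unknown' otherwise."""
    if name in WEAK_PROTOCOLS:
        return "weak"
    if name in STRONG_PROTOCOLS:
        return "strong"
    return "unknown"


def strong_crypto_context(purpose: ssl.Purpose = ssl.Purpose.SERVER_AUTH) -> ssl.SSLContext:
    """Context for Req. 2.3 / 4.1: TLS 1.2 minimum (SSLv3, TLS 1.0 and 1.1 are
    refused at handshake), certificate verification left on, compression off,
    and only forward-secret AEAD suites for TLS 1.2. The cipher string is this
    example's choice, not wording from the standard."""
    ctx = ssl.create_default_context(purpose)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION          # CRIME-style compression attacks
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5")
    return ctx


def context_summary(ctx: ssl.SSLContext) -> dict:
    """The facts an assessor would record as evidence for a context."""
    return {
        "minimum_version": ctx.minimum_version.name,
        # True when the floor is TLS 1.1 or lower (or left at the library default)
        "accepts_early_tls": ctx.minimum_version <= ssl.TLSVersion.TLSv1_1,
        "sslv3_disabled": bool(ctx.options & ssl.OP_NO_SSLv3),
        "compression_disabled": bool(ctx.options & ssl.OP_NO_COMPRESSION),
        "verify_mode": ctx.verify_mode.name,
    }


def probe_server(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """One handshake per TLS version, reporting which ones the server accepts.
    Needs network access. SSLv3 is not probed: current OpenSSL builds no longer
    contain it, so a legacy endpoint has to be checked with a scanner that does."""
    versions = (("TLSv1", ssl.TLSVersion.TLSv1), ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
                ("TLSv1.2", ssl.TLSVersion.TLSv1_2), ("TLSv1.3", ssl.TLSVersion.TLSv1_3))
    results = {}
    for name, version in versions:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE   # probing version support, not identity
        try:
            ctx.minimum_version = ctx.maximum_version = version   # pin one version
            # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level; lowering
            # it for the probe lets us see whether the *server* still offers them.
            ctx.set_ciphers("ALL:@SECLEVEL=0")
        except (ValueError, ssl.SSLError):
            results[name] = "not available in local OpenSSL"
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = f"accepted ({classify_protocol(tls.version())})"
        except (ssl.SSLError, OSError):
            results[name] = "rejected"
    return results


if __name__ == "__main__":
    import sys
    print(context_summary(strong_crypto_context()))
    if len(sys.argv) > 1:                      # e.g. python tls_check.py host.example
        for version, outcome in probe_server(sys.argv[1]).items():
            print(f"{version:<8} {outcome}")
```

Any endpoint where the probe reports TLS 1.0 or 1.1 as accepted is an "in use" instance of a vulnerable protocol that has to appear in the migration plan; the summary dictionary is the kind of configuration evidence that shows a client or admin tool already meets 2.3.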


What is a Risk Mitigation and Migration Plan?

The Risk Mitigation and Migration Plan is a document prepared by the entity that details its plans for migrating to a secure protocol, and also describes the controls the entity has in place to reduce the risk associated with SSL/early TLS until the migration is complete. The Risk Mitigation and Migration Plan will need to be provided to the assessor as part of the PCI DSS assessment process.


The following provides guidance on the type of information to be documented in the Risk Mitigation and Migration Plan:

- Description of how vulnerable protocols are used

- Risk assessment results and risk reduction controls in place

- Description of processes that are implemented to monitor for new vulnerabilities associated with vulnerable protocols

- Description of change control processes that are implemented to ensure SSL/early TLS is not implemented into new environments

- Overview of the migration project plan, including a target migration completion date no later than 30 June 2016


PCI DSS 3.2 Changes

• The SSC has announced that PCI DSS has reached a point of maturity. Consequently, it no longer plans to release major revisions to the standard on a three-year cycle, but will instead issue releases more often with fewer changes between them.


• The extension of the SSL/early TLS migration dates to June 30, 2018 will be reinforced.

• Multi-factor authentication requirements for accessing the cardholder data environment, which were already in place for remote access scenarios, will be extended to cover all non-console administrative access, including local access.

• There will be some new Appendices in the DSS, including one dedicated to SSL/early TLS and one that brings the Designated Entities Supplemental Validation (DESV) requirements into the DSS.

• Rules around displaying card numbers will be modified to accommodate an upcoming change to card number standards.


• Service providers will undergo additional scrutiny of their change management processes, and penetration testing will be required on a more frequent basis.


What are the key dates for PCI DSS 3.2?

• April 2016: PCI DSS 3.2, as well as all supporting documents and SAQs, will be released.

• October 2016: PCI DSS 3.1 will retire six months after the release of PCI DSS 3.2, and all assessments or SAQs taken after that time will need to use version 3.2. This is significant for those with year-end annual assessment cycles.

• February 2018: All new requirements within PCI DSS 3.2 will become effective. (Prior to that they will be considered “best practices.”)

Top PCI challenges for z/OS

Interpretation of PCI requirements and applicability to z/OS


“Interpreting PCI DSS for z/OS”: What is a z/OS “System Component”? Candidates, by the role that owns them:

1st Systems Programmer:
- Master Catalog
- APF Authorized Datasets
- LINKLIB Datasets
- User Catalogs
- RACF Database
- Parmlib Datasets
- Multi-User Access Systems
- z/OS Security Patches
- System Proclibs
- Started Tasks
- SYS1.Parmlib
- SMF Log Files
- System Exits
- ICSF Encryption Keys

2nd Systems Programmer:
- SDSF
- Session Managers
- SYS1.UADS Dataset
- WebSphere
- JES2 / JES3
- OMEGAMON
- WebSphere MQ
- DFSMS
- SVCs
- CICS System Datasets
- DB2 System Datasets
- IBM Comm Server
- Vendor Security Products
- Magnetic Tape

RACF Engineer:
- The RACF Database
- Copies of the RACF database
- SETROPTS Settings
- RACF CDT
- RACF Classes
- General Resource Profiles
- Encryption Keys
- Group Membership
- Privileged Userids
- RACF Exits
- RACF Tables
- IRR Prefixed Utilities
- Logging Parameters

RACF Administrator:
- Dataset Profiles
- General Resource Profiles
- User ID Attributes
- Group Connect Authorities
- Role Based Access

Database Administrator:
- IMS Databases
- DB2 Databases
- DB2 Table Trace
- Oracle Databases
- RACF Classes for DB2
- IDMS

QSA & Compliance Officers:
- ?


Vanguard’s Top 10 z/OS Findings

“Identifying Not in Place Requirements”: Vanguard findings mapped to PCI requirements

Rank | Description of Finding                                      | Percent Occurrence of Finding | PCI Requirement
-----|-------------------------------------------------------------|-------------------------------|----------------
1    | Excessive Number of User IDs with No Password Interval      | 74%                           | 8.2.4 / 8.5
2    | Inappropriate Usage of z/OS UNIX Superuser Privilege UID(0) | 60%                           | 7.2.2
3    | Sensitive Data Set Profiles with UACC Greater than NONE     | 54%                           | 7.2.2 / 7.2.3
4    | Critical Data Set Profiles with UACC Greater than READ      | 54%                           | 7.2.2 / 7.2.3
5    | Started Task IDs are not Defined as PROTECTED IDs           | 53%                           | 2.2.3
6    | Improper Use or Lack of UNIXPRIV Profiles                   | 52%                           | 7.2.2
7    | Excessive Access to SMF Data Sets                           | 44%                           | 7.2.2 / 7.2.3
8    | Excessive Access to APF Libraries                           | 42%                           | 7.2.2
9    | Excessive Access to z/OS UNIX File System Data Sets         | 42%                           | 7.2.2
10   | RACF Database is not Adequately Protected                   | 40%                           | 7.2.2
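To show how findings like these are detected rather than only listed, here is an added example that is not Vanguard’s code or tooling: a Python check that parses a constructed, simplified LISTUSER-style listing and flags findings 1, 2 and 5 from the table, tagging each hit with the PCI requirement from the right-hand column. The listing layout (PASS-INTERVAL=N/A for a user with no interval, UID= from the OMVS segment), the started-task ID list and the UID(0) allow-list are assumptions of the example; a real engagement would work from IRRDBU00 unload records or the live system, and would also need the data set profile checks (findings 3, 4, 7, 8, 9 and 10) that this snippet does not cover.

```python
"""Added example, not from the deck: check a RACF LISTUSER-style listing for three
of the Top 10 findings and tag each hit with the PCI DSS requirement it maps to."""
import re
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Set

# Constructed sample, loosely modelled on LISTUSER output. The layout and field
# conventions (PASS-INTERVAL=N/A for NOINTERVAL or PROTECTED users, UID= from the
# OMVS segment) are assumptions; compare with a listing from your own system.
SAMPLE_LISTUSER = """\
USER=IBMUSER  NAME=IBM DEFAULT USER   OWNER=IBMUSER   CREATED=90.123
 DEFAULT-GROUP=SYS1     PASSDATE=16.100 PASS-INTERVAL=N/A PHRASEDATE=N/A
 ATTRIBUTES=SPECIAL OPERATIONS
 UID= 0000000000
USER=ALICE    NAME=ALICE EXAMPLE      OWNER=SYS1      CREATED=15.200
 DEFAULT-GROUP=APPDEV   PASSDATE=16.090 PASS-INTERVAL= 30 PHRASEDATE=N/A
 ATTRIBUTES=NONE
 UID= 0000001001
USER=CICSSTC  NAME=CICS STARTED TASK  OWNER=SYS1      CREATED=14.010
 DEFAULT-GROUP=STCGRP   PASSDATE=14.010 PASS-INTERVAL= 90 PHRASEDATE=N/A
 ATTRIBUTES=NONE
USER=DB2STC   NAME=DB2 STARTED TASK   OWNER=SYS1      CREATED=14.010
 DEFAULT-GROUP=STCGRP   PASSDATE=N/A    PASS-INTERVAL=N/A PHRASEDATE=N/A
 ATTRIBUTES=PROTECTED
USER=BOB      NAME=BOB EXAMPLE        OWNER=SYS1      CREATED=15.300
 DEFAULT-GROUP=OPS      PASSDATE=16.050 PASS-INTERVAL=N/A PHRASEDATE=N/A
 ATTRIBUTES=NONE
 UID= 0000000000
"""

# Constructed list of started-task user IDs. On a real system, derive it from the
# STARTED class (RLIST STARTED *) or the ICHRIN03 started procedures table.
STARTED_TASK_IDS: FrozenSet[str] = frozenset({"CICSSTC", "DB2STC"})


@dataclass
class RacfUser:
    name: str
    pass_interval: Optional[int] = None      # None when the listing shows N/A
    attributes: Set[str] = field(default_factory=set)
    uid: Optional[int] = None                # z/OS UNIX UID, if an OMVS segment exists

    @property
    def protected(self) -> bool:
        # PROTECTED IDs have no password, so "no interval" is expected for them.
        return "PROTECTED" in self.attributes


@dataclass
class Finding:
    user: str
    rank: int          # rank in the Top 10 table
    description: str
    pci_req: str


def parse_listuser(text: str) -> List[RacfUser]:
    """Split the listing into one RacfUser per USER= block."""
    users: List[RacfUser] = []
    current: Optional[RacfUser] = None
    for line in text.splitlines():
        m = re.match(r"USER=(\S+)", line)
        if m:
            current = RacfUser(name=m.group(1))
            users.append(current)
            continue
        if current is None:
            continue
        m = re.search(r"PASS-INTERVAL=\s*(\S+)", line)
        if m:
            value = m.group(1)
            current.pass_interval = int(value) if value.isdigit() else None
        m = re.search(r"ATTRIBUTES=(.*)", line)
        if m:
            current.attributes = set(m.group(1).split())
        m = re.match(r"\s*UID=\s*(\d+)", line)
        if m:
            current.uid = int(m.group(1))
    return users


def audit(users: List[RacfUser], started_tasks: FrozenSet[str],
          uid0_allowed: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Apply findings 1, 2 and 5 from the Top 10 table to parsed users."""
    findings: List[Finding] = []
    for u in users:
        if u.pass_interval is None and not u.protected:
            findings.append(Finding(u.name, 1, "User ID with no password interval", "8.2.4 / 8.5"))
        if u.uid == 0 and u.name not in uid0_allowed:
            findings.append(Finding(u.name, 2, "z/OS UNIX superuser UID(0) without documented need", "7.2.2"))
        if u.name in started_tasks and not u.protected:
            findings.append(Finding(u.name, 5, "Started task ID not defined as PROTECTED", "2.2.3"))
    return findings


def audit_sample() -> List[Finding]:
    return audit(parse_listuser(SAMPLE_LISTUSER), STARTED_TASK_IDS)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f.user:<8} finding #{f.rank}: {f.description} (PCI DSS {f.pci_req})")
```

On the constructed sample the check reports IBMUSER and BOB twice each (no interval, UID(0)) and CICSSTC once (unprotected started task), while DB2STC is clean because a PROTECTED ID is expected to have no password interval. That last case is the one to get right: a naive "PASS-INTERVAL=N/A" grep would count every properly protected started task as a finding 1 hit.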


HELP & Questions

Here are some helpful Websites:

Requirements and Security Assessment Procedures

https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf

https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf

PCI SSC Data Security Standards

https://www.pcisecuritystandards.org/security_standards/index.php


How to Contact Us

Vanguard Integrity Professionals
6625 South Eastern Ave., Suite 100
Las Vegas, NV 89119-3930

Direct/International: (702) 794-0014
Toll Free: (877) 794-0014

[email protected]

Vanguard Security & Compliance Conference 2016

Thank you!