PCI DSS 3.1 is here. Are you ready? - ISSA...
1
Mike Goldgof
Sr. Director Product Marketing
PCI DSS 3.1 is here. Are you
ready?
2
WhiteHat Security
320+ Employees
37,000+ Sites Assessed
800+ Customers
Application Security Company
Leader in the Gartner Magic Quadrant
Headquartered in Santa Clara, CA
3
Agenda
What is PCI DSS and does it apply to you?
Payment Security and PCI Compliance
Why do they keep making changes?
Top 11 Changes in 3.1
Q&A
4
What is PCI DSS?
Payment Card Industry Data Security Standard
Developed to strengthen cardholder data security and facilitate broad adoption
Baseline of technical and operational requirements to protect account data
Applies to all entities involved in payment card processing
• Merchants, processors, acquirers, issuers, service providers
• All other entities that store, process, or transmit cardholder data and/or sensitive authentication data
5
PCI DSS High Level Overview
Source: PCI Data Security Standard v3.1
6
PCI Applicability by Industry
Retail
• In stores
• Over the phone
• Online through e-commerce sites
• Online through mobile applications
• In temporary locations
Healthcare
• Patient payments
• Other goods and services
• Fundraising
Financial Institutions
• Merchant
• Issuer
• Acquirer
Service Provider
• Third-party payment card processing
• Web hosting
• Loyalty programs
• Credit bureaus
• Shopping carts
• Fraud and chargeback investigation
• Records management
7
Why Implement PCI?
Reduces likelihood of breach and data loss
Protect brand and customer trust
Avoid fines and penalties (these are levied by the card brands and acquiring banks under their contracts, not by the PCI Security Standards Council itself)
Source: The global cost of payment fraud, BI intelligence, 2014
8
Payment Security and PCI Compliance
Card usage continues to grow
Breaches are escalating
• 783 breaches in 2014, up 28% from 2013 (Identity Theft Resource Center)
Consumers reluctant to buy from breached vendors
Sources: Radius Global Market Research, Quirk’s Marketing Research Review, June 2014; Poll Shows Broad Impact of Cyberattacks, Wall Street Journal, December 2014
9
Window of Exposure
Source: WhiteHat Security 2015 Website Security Statistics Report
10
PCI Compliance Drives Payment Security
Source: Verizon 2015 PCI Compliance Report
Source: WhiteHat Security 2015 Website Security Statistics Report
11
Why do they keep making changes?
Payment Innovation
• Smarter cards, contactless payments, mobile payments
IT Environment Changes
• Mobility, virtualization, cloud
Ongoing issues
• Lack of education and awareness
• Weak passwords and authentication
• Third-party security challenges
• Inconsistency in assessments
Source: Verizon 2015 PCI Compliance Report
12
Top 11 Changes in 3.1
13
Change #1 – Coding Practices Requirement 6.5
“Address common coding vulnerabilities in the software-development process.”
What does that mean?
• Examine your SDLC to ensure vulnerabilities aren't introduced during development
• Train developers to: - Identify and resolve common vulnerability issues
- Know about secure coding guidelines
What should you do?
• Implement a secure coding training program that includes CBT and/or live training
• Implement static analysis or code review in your SDLC
14
Change #2 – Risk Assessments Requirement 12.2 (Previously 12.1.2)
“Implement annual assessments at a minimum, and assess when significant changes are made.”
What does that mean?
• Perform assessments annually at a minimum and again any time there is a significant change
What should you do?
• Establish a security program that performs assessments any time there are major changes
• Perform continuous monitoring
15
Change #3 – SSL and Early TLS Requirements 2.2.3 / 2.3 / 4.1 / 4.1.1
“SSL and early versions of TLS are no longer considered strong cryptography.”
What does that mean?
• Applications that rely on SSL (any version) or early TLS (TLS 1.0) as a security control are no longer PCI compliant
• Under 3.1, new implementations must not use SSL or early TLS; existing implementations had until June 30, 2016 to migrate (later extended to June 30, 2018 in PCI DSS 3.2) and needed a formal risk mitigation and migration plan in the meantime
What should you do?
• Scan for SSL and outdated TLS versions being used by your applications
• Configure web applications to only accept connections using TLS 1.1 or 1.2 (prefer 1.2; TLS 1.1 has since been deprecated as well)
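One way to carry out both steps, as an added example that is not part of the WhiteHat deck and not PCI SSC tooling: probe a server for each protocol version with the Python standard library, evaluate what it accepted against the 3.1 baseline (TLS 1.1 tolerated) or a current one (TLS 1.2+, since RFC 8996 deprecated TLS 1.0 and 1.1), and apply the matching floor to a server-side context. The host name, the baseline labels and the function names are assumptions of this example. The probe needs network access; the evaluation and hardening functions run offline, which is also where output from an external scanner (for SSLv3, which Python can no longer speak) can be fed in.

```python
"""Check which SSL/TLS protocol versions a server negotiates and build a
server-side context that clears the PCI DSS 3.1 bar.

Added example (not WhiteHat's or the PCI SSC's code), standard library only.
probe_versions() needs network access; evaluate() and harden_context() do not.
"""
import socket
import ssl

# What each baseline accepts. PCI DSS 3.1 dropped SSL and TLS 1.0 but still
# tolerated TLS 1.1; TLS 1.1 was deprecated by RFC 8996 in 2021, so a current
# assessment should use the "current" baseline.
ALLOWED = {
    "pci-3.1": {"TLSv1.1", "TLSv1.2", "TLSv1.3"},
    "current": {"TLSv1.2", "TLSv1.3"},
}

# Versions the probe tries. On modern OpenSSL the SSLv3 attempt cannot even be
# configured and is reported as None; use an external scanner for SSLv2/SSLv3.
PROBE_VERSIONS = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def probe_versions(host, port=443, timeout=5.0):
    """Return {version: True|False|None}: handshake completed, was refused,
    or could not be attempted from this client build."""
    results = {}
    for name, version in PROBE_VERSIONS.items():
        try:
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname = False      # testing protocol support, not identity
            ctx.verify_mode = ssl.CERT_NONE
            ctx.minimum_version = version   # pin the client to exactly one version
            ctx.maximum_version = version
            # Modern OpenSSL refuses TLS 1.0/1.1 at its default security level;
            # lower it so the client side is not what makes the handshake fail.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except (ssl.SSLError, ValueError):
            results[name] = None
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host):
                    results[name] = True
        except (ssl.SSLError, OSError):
            results[name] = False
    return results


def evaluate(accepted, baseline="current"):
    """Turn probe (or external scanner) results into findings.

    accepted maps version names to True/False/None.
    Returns (compliant, findings) where findings lists each accepted version
    the baseline forbids, plus a note if nothing acceptable is offered at all."""
    allowed = ALLOWED[baseline]
    offered = {v for v, ok in accepted.items() if ok}
    findings = sorted(offered - allowed)
    if not offered & allowed:
        findings.append("no acceptable TLS version offered")
    return not findings, findings


def harden_context(ctx=None, baseline="current"):
    """Apply the baseline's protocol floor to a server-side SSLContext.
    The certificate and key are loaded by the caller with load_cert_chain()."""
    if ctx is None:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    floor = ssl.TLSVersion.TLSv1_1 if baseline == "pci-3.1" else ssl.TLSVersion.TLSv1_2
    ctx.minimum_version = floor
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    return ctx


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"   # assumed target
    accepted = probe_versions(host)
    ok, findings = evaluate(accepted)
    print(host, accepted, "COMPLIANT" if ok else "FINDINGS: " + ", ".join(findings))
```

Run it as `python tlscheck.py shop.example` against each in-scope endpoint, including the ones behind load balancers and CDNs where the TLS termination point, not the application server, is what matters. A False for TLS 1.0 only proves the handshake failed from this client; confirm with a second scanner before closing the finding.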
16
Change #4 – Inventory Requirement 2.4
“Maintain a current list of all system components.”
What does that mean?
• Maintain a list of all systems and their components and understand what each component is doing
What should you do?
• Perform quarterly discovery of environments either yourself or through a third party
17
Change #5 – Attestation Requirement 12.8.5
“Maintain detailed documentation about PCI DSS requirements managed by vendors and by the organization itself.”
What does that mean?
• Document what parties are handling which activities related to the different PCI requirements
What should you do?
• Request that third parties attest in writing to the activities they’re performing and record it in your responsibility matrix
18
Change #6 – Vulnerability Classes Requirement 6.5.1 – 6.5.10
“Requirements 6.5.1 – 6.5.10 now apply to all internal as well as external applications.”
What does that mean?
• Internal and external applications are vulnerable and should be secure to protect cardholder data
What should you do?
• Make sure your application security program tests for each vulnerability class in 6.5.1 through 6.5.10 on internal as well as external systems
19
Change #7 – Insecure Cryptographic Storage Requirement 6.5.3
“Prevent cryptographic flaws. Use strong cryptographic algorithms and keys.”
What does that mean?
• Ensure your data is encrypted and search for cryptographic flaws
What should you do?
• Create a company policy on cryptographic algorithms and key generation
• Implement static analysis testing
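Insecure cryptographic storage is a broad class (for cardholder data itself, Requirement 3.4 demands strong encryption, one-way hashing, truncation or tokenization of the PAN); the added example below, which is not WhiteHat's code, illustrates it on one common instance that a static analyzer or reviewer will flag: stored credentials. It puts the flaw pattern (a fast, unsalted hash) beside a storage format that records its own algorithm, cost and per-record salt, verifies in constant time, and can be upgraded when the policy on algorithms and key or cost parameters changes. The iteration count is an assumption; take the value from current NIST or OWASP guidance.

```python
"""Insecure cryptographic storage, illustrated on stored credentials: the flaw
pattern (fast, unsalted hash) beside a storage format that carries its own
algorithm, cost and per-record salt so it can be verified and upgraded later.
Added example (not WhiteHat's code); standard library only. The iteration
count is an assumption, pick it from current NIST/OWASP guidance.
"""
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000      # assumed cost; raise over time, verify_password() reads it from the record
SALT_BYTES = 16


def weak_hash(password: str) -> str:
    """The flaw: unsalted MD5. Two users with the same password share a digest,
    and the whole table falls to a precomputed or GPU dictionary attack."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt>$<digest>' with a fresh random salt."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join((ALGORITHM, str(iterations), _b64(salt), _b64(digest)))


def verify_password(password: str, stored: str) -> bool:
    """Recompute from the parameters in the record; compare in constant time."""
    try:
        algorithm, iterations, salt, digest = stored.split("$")
    except ValueError:
        return False                      # malformed or legacy record: never accept
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    base64.b64decode(salt), int(iterations))
    return hmac.compare_digest(candidate, base64.b64decode(digest))


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when the record uses an old algorithm or a lower cost than policy now
    requires. Call after a successful verify_password() and re-store the result
    of hash_password(password) while the plaintext is still in hand."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    return int(parts[1]) < iterations
```

The record format is the point: because algorithm and cost travel with each hash, a company policy change ("move to 1,000,000 iterations" or "move to a memory-hard function") becomes a gradual, verifiable migration instead of a forced password reset, and a reviewer can grep stored records to see which ones still lag the policy.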
20
Change #8 – Broken Authentication & Session Management Requirement 6.5.10
“Authentication and session management includes all aspects of handling user authentication and managing active sessions.”
What does that mean?
• Strong authentication mechanisms are not enough if credential and session handling is flawed (6.5.10 was a best practice under 3.0 until June 30, 2015 and a requirement from July 1, 2015)
What should you do?
• Use an established framework that enforces proper session management
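What "proper session management" has to deliver is easier to judge, when evaluating a framework or reviewing custom code, with the properties written out. The added example below is not WhiteHat's code and not any framework's implementation; it is a minimal server-side session store with unpredictable identifiers, rotation of the identifier on login (so a pre-authentication ID handed to a victim is never promoted, the session fixation case), idle and absolute timeouts, and explicit server-side invalidation on logout, plus the cookie attributes that keep the ID out of cleartext and out of script reach. The idle timeout follows PCI DSS 8.1.8's 15-minute limit; the absolute timeout and the clock injection are assumptions of this example.

```python
"""Server-side session handling with the properties 6.5.10 is after:
unpredictable identifiers, rotation on login, idle and absolute timeouts,
and explicit invalidation. Added example (not WhiteHat's or any framework's
code). The idle timeout follows PCI DSS 8.1.8; the absolute timeout is assumed.
"""
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60        # seconds; PCI DSS 8.1.8: re-authenticate after 15 minutes idle
ABSOLUTE_TIMEOUT = 8 * 3600   # assumed hard cap regardless of activity


@dataclass
class Session:
    user: Optional[str]          # None until login() binds an identity
    created: float
    last_seen: float
    data: dict = field(default_factory=dict)


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock      # injectable so expiry can be tested without sleeping
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _new_id() -> str:
        # 256 bits from the OS CSPRNG; never a counter, a timestamp or a hash of the user name
        return secrets.token_urlsafe(32)

    def create(self) -> str:
        """Anonymous (pre-authentication) session, e.g. for a shopping cart."""
        sid = self._new_id()
        now = self._clock()
        self._sessions[sid] = Session(user=None, created=now, last_seen=now)
        return sid

    def get(self, sid: Optional[str]) -> Optional[Session]:
        """Return the live session or None; expired sessions are destroyed on touch."""
        s = self._sessions.get(sid) if sid else None
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT:
            self.destroy(sid)
            return None
        s.last_seen = now
        return s

    def login(self, sid: Optional[str], user: str) -> str:
        """Bind the user to a fresh identifier. The pre-auth ID is destroyed, so an
        ID an attacker planted in the victim's browser never becomes authenticated."""
        old = self.get(sid)
        carried = dict(old.data) if old else {}   # keep e.g. the cart, drop the ID
        if old:
            self.destroy(sid)
        new_sid = self._new_id()
        now = self._clock()
        self._sessions[new_sid] = Session(user=user, created=now, last_seen=now, data=carried)
        return new_sid

    def logout(self, sid: str) -> None:
        self.destroy(sid)        # server-side invalidation; clearing the cookie alone is not enough

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def set_cookie_header(sid: str, name: str = "sid") -> str:
    """Set-Cookie value: TLS only, unreadable from script, not sent cross-site."""
    return f"{name}={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"
```

When assessing a framework, check the same list: where its IDs come from, whether it rotates on authentication and privilege change, whether timeouts are enforced server-side rather than only in the cookie's expiry, and whether logout actually deletes the server-side record.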
21
Change #9 – Review Custom Code Requirement 6.3.2
“Review custom code prior to the release to production.”
What does that mean?
• Review custom code for any vulnerabilities before deployment
• This also applies to off-the-shelf software that has been customized or otherwise modified
What should you do?
• Implement a process for code review
• Pair automated code reviews with manual reviews
22
Change #10 – Development & Test User Accounts Requirement 6.3.1
“Remove development, test and/or custom application accounts, user IDs and passwords.”
What does that mean?
• Accounts, user IDs and passwords created for development or testing, and custom application accounts, must be removed before the application goes into production or is released to customers
What should you do?
• Remove all pre-production and custom accounts
• Search for hard-coded credentials (user IDs, passwords, keys) during code review and in your assessments
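A first pass at that search is a pattern scan over the code base, which the added example below shows; it is not WhiteHat's scanner, and the rules, the allow-list for environment lookups and template placeholders, and the sample source are constructed for illustration and will need tuning for a real repository. It flags assigned secrets, credentials embedded in URLs, AWS access key identifiers, private key material and test or dev logins, and reports one finding per line with its location.

```python
"""Grep-style detector for hard-coded credentials and leftover test accounts,
the kind of thing 6.3.1 says must not reach production. Added example (not
WhiteHat's scanner); the rules, the allow-list and the sample source are
constructed for illustration and will need tuning for a real code base.
"""
import pathlib
import re

# (rule name, pattern). Each pattern targets one way credentials get embedded.
RULES = [
    ("assigned-secret",                       # password = "..."  /  api_key: '...'
     re.compile(r"""(?i)(pass(word|wd)?|secret|api[_-]?key|token)\s*[:=]\s*['"][^'"]{4,}['"]""")),
    ("url-credentials",                       # scheme://user:pass@host
     re.compile(r"""[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@""", re.I)),
    ("aws-access-key", re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("private-key", re.compile(r"-----BEGIN (RSA |EC |OPENSSH |)PRIVATE KEY-----")),
    ("test-account",                          # dev/test/qa/admin logins left in code
     re.compile(r"""(?i)(user(name)?|login)\s*[:=]\s*['"](test|dev|qa|admin)[^'"]*['"]""")),
]

# Lines that only *reference* a secret (environment lookup, template placeholder)
# are what we want developers to write, so skip them.
ALLOW = re.compile(r"(?i)(os\.environ|getenv|\$\{[A-Z0-9_]+\}|<[A-Z_]+>)")


def scan_source(text, path="<string>"):
    """Return (path, line number, rule, stripped line) for each matching line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if ALLOW.search(line):
            continue
        for rule, pattern in RULES:
            if pattern.search(line):
                findings.append((path, lineno, rule, line.strip()))
                break        # one finding per line is enough for triage
    return findings


def scan_tree(root, suffixes=(".py", ".js", ".java", ".cfg", ".ini", ".yml", ".yaml", ".env", ".pem")):
    """Walk a checkout and scan every file with a relevant suffix."""
    findings = []
    for path in pathlib.Path(root).rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            try:
                findings += scan_source(path.read_text(errors="replace"), str(path))
            except OSError:
                pass         # unreadable file: skip, do not abort the whole scan
    return findings


# Constructed sample: what a leftover development config might look like.
SAMPLE_SOURCE = """\
import os
DB_PASSWORD = os.environ["DB_PASSWORD"]
db_password = "Summer2015!"
password_min_length = 8
BACKUP_URL = "ftp://backup:backup123@10.0.0.5/nightly"
auth_token = "${VAULT_TOKEN}"
TEST_USER = "qa_tester"
aws_key = "AKIAABCDEFGHIJKLMNOP"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for finding in scan_source(SAMPLE_SOURCE, "sample.py"):
        print("%s:%d [%s] %s" % finding)
```

On the sample, lines 2 and 6 are skipped because they read the secret from the environment or a template variable, line 4 is not flagged because a bare number is not a credential, and lines 3, 5, 7, 8 and 9 come back as findings. Run `scan_tree(".")` from the root of a checkout as a pre-release gate and treat every hit as a finding to close before the code reaches production; a pattern scan finds the obvious cases, so pair it with manual review for credentials assembled at runtime or stored in formats the rules do not cover.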
23
Change #11 – PCI Compliance is an Ongoing Activity Requirements 1 – 12
“All PCI requirements now call for maintaining a regular process to ensure compliance.”
What does that mean?
• Compliance is required to be an ongoing activity
What should you do?
• Continuously monitor your applications for changes & vulnerabilities
• Remediate vulnerabilities as they are found
• Test throughout all stages of the SDLC
24
Thank You!
Questions?