PCI Compliance: What You Need to Know

PCI Compliance 2008: What You Need To Know. Sumedh Thakar, PCI Solutions Manager

Upload: qualys

Post on 18-Nov-2014


DESCRIPTION

This presentation covers the key facts you need to know about the current and upcoming PCI compliance requirements. Key take-aways:
* What are the new PCI Compliance changes (current and planned)
* When the changes go into effect & how they impact your business
* How to automate the PCI Compliance processes

TRANSCRIPT

Page 1: PCI Compliance: What You Need to Know

PCI Compliance 2008: What You Need To Know

Sumedh Thakar, PCI Solutions Manager

Page 2

Agenda

What’s PCI / Key Terms

What’s new with PCI in 2008?

What’s coming later this year?

Quick Tips for PCI compliance

Q & A (Please send questions online via Q&A Chat)

Page 3

What’s PCI? / Key Terms

PCI SSC: Payment Card Industry Security Standards Council

PCI DSS: Payment Card Industry Data Security Standard

QSA: Qualified Security Assessor

ASV: Approved Scanning Vendor

Page 4

The Standard - PCI DSS v1.1

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security

Page 5

PCI DSS Validation

Page 6

PCI Changes in 2008: Self Assessment Questionnaires

New Self Assessment Questionnaires v1.1
– Questionnaire version now in line with DSS version
– 4 Questionnaires to acknowledge different types of Merchants
– Effective as of April 30, 2008

| Validation Type | Description | SAQ | Number of questions |
|---|---|---|---|
| 1 | Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants. | A | 11 |
| 2 | Imprint-only merchants with no electronic cardholder data storage | B | 21 |
| 3 | Stand-alone terminal merchants, no electronic cardholder data storage | B | 21 |
| 4 | Merchants with POS systems connected to the Internet, no electronic cardholder data storage | C | 38 |
| 5 | All other merchants (not included in Types 1-4 above) and all service providers defined by a payment brand as eligible to complete an SAQ. | D | 226 |

Page 7

PCI Changes in 2008: Requirement 6.6

Security of web applications
– For organizations that have web applications processing payments
– Requirement as of June 30, 2008

6.6 - Ensure that all web-facing applications are protected against known attacks, by either:
– Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security, or
– Installing an application layer firewall in front of web-facing applications.

Options to get there…
– Manual review of application source code
– Proper use of automated application source code analyzer (scanning) tools
– Manual web application security vulnerability assessment
– Proper use of automated web application security vulnerability assessment (scanning) tools
– Use an appropriate Web application firewall

Page 8

PCI Changes in 2008: Use of CVSS v2.0 scores

External Vulnerability Scans Performed by ASV
– See www.pcisecuritystandards.org for list of ASVs

CVSS Scoring: Common Vulnerability Scoring System

PCI SSC Requirement
– As of July 1, 2008 all ASVs must use CVSS v2.0 scoring
– CVSS scores 4.0 and above should cause host to fail compliance

Page 9

PCI Changes in 2008: New Standard – PA DSS

PA DSS: Payment Application Data Security Standard
– Designed to secure applications processing payments for merchants
– Based on PCI DSS
– Successor of VISA’s PABP program

Applicability
– Commercial payment applications
– Generally bought off the shelf with little or no customization
– Not for custom/in-house developed payment applications

Rollout of PA DSS
– Special auditors approved by PCI SSC will audit applications
– PCI SSC will maintain list of approved Payment Applications and versions
– First list to be published Oct 1, 2008

Compliance
– Dates for merchants to comply with PA DSS decided by payment brands
– Check with your vendor if the application you bought is PA DSS compliant

Page 10

PCI Changes in 2008: PCI DSS Revision to 1.2

Update from 1.1 to 1.2

Same 12 requirements as 1.1

More clarifications on existing requirements

New Questionnaires v1.2

Publication date – Oct 1, 2008

Effective date – Oct 1, 2008

Sunset date for 1.1 – TBD

Page 11

Quick Tips for PCI Compliance

PCI Compliance is ongoing

Do the right things… it’s for your own good!

Use your trusted vendors

Use of Automation & Technology is key

Page 12

Quick Tips for PCI Compliance: Use of Automation & Technology

Automated tools are the best place to start… and will eliminate 80-90% of your headaches!

Use automated tools where possible
– If you have basic security knowledge then sign up for automated scanning portals like QualysGuard PCI
– Use automated web application scanner
– Use automated wireless analyzer and log analyzer
– Use of automated internal scanner appliance will be cheaper than dedicating resource to perform internal scanning

Page 13

Q & A Session

Send your questions to [email protected]