PCI DSS in Pictures and What to Expect in PCI 3.0
DESCRIPTION
Presentation summarizing PCI requirements. Also includes a sneak preview of what to expect in PCI DSS 3.0.
TRANSCRIPT
![Page 1: PCI DSS in Pictures and What to Expect in PCI 3.0](https://reader033.vdocuments.net/reader033/viewer/2022052620/5575c66cd8b42a312a8b4e46/html5/thumbnails/1.jpg)
www.sisainfosec.com
Praveen Joseph Vackayil CISSP, PCI QSA, CCNA, ISO 27001 LA, MS, BE
![Page 2: PCI DSS in Pictures and What to Expect in PCI 3.0](https://reader033.vdocuments.net/reader033/viewer/2022052620/5575c66cd8b42a312a8b4e46/html5/thumbnails/2.jpg)
Introductions
![Page 3: PCI DSS in Pictures and What to Expect in PCI 3.0](https://reader033.vdocuments.net/reader033/viewer/2022052620/5575c66cd8b42a312a8b4e46/html5/thumbnails/3.jpg)
SISA
Consulting
• PCI DSS
   • PCI QSA Validation Services (PCI-DSS)
   • PCI ASV Scanning Services (PCI-DSS)
   • PCI Assurance Services (SAQ)
• PA DSS
   • PA QSA Validation Services (PA-DSS)
• Advisory
   • Risk Assessment (IS-RA)
   • Privacy and Standards Compliance (ISO 27001, GLBA, HIPAA, DPA, COBIT, FISMA, BS 25999)
   • Application Pen Test and Code Review
   • Network VA and Pen Test
   • Forensics
Training
• CPISI – PCI DSS Implementation
• CISRA – Risk Assessment Implementation
• OCTAVE (SEI-CMU) Security Risk Assessment Workshop
• ISO 27001 Implementation Workshop
• Business Continuity Management Workshop
• Secure Coding in Dot-Net
• Awareness Sessions
Products
• SISA Security Assistant Compliance Management Tool for
   • PCI DSS
   • HIPAA
   • FFIEC
   • FISMA
   • ISO 27001
   • Application Security
![Page 4: PCI DSS in Pictures and What to Expect in PCI 3.0](https://reader033.vdocuments.net/reader033/viewer/2022052620/5575c66cd8b42a312a8b4e46/html5/thumbnails/4.jpg)
About SISA
• SISA Information Security Pvt Ltd, Asia
• SISA Information Security Inc., Americas
• SISA Information Security WLL, EMEA
Consulting – Training – Products
Customers in 25 Countries
Our customers are some of the world’s biggest Banks, Merchants, IT, BPOs and Telecoms
![Page 5: PCI DSS in Pictures and What to Expect in PCI 3.0](https://reader033.vdocuments.net/reader033/viewer/2022052620/5575c66cd8b42a312a8b4e46/html5/thumbnails/5.jpg)
PCI DSS
![Page 6: PCI DSS in Pictures and What to Expect in PCI 3.0](https://reader033.vdocuments.net/reader033/viewer/2022052620/5575c66cd8b42a312a8b4e46/html5/thumbnails/6.jpg)
![Page 7: PCI DSS in Pictures and What to Expect in PCI 3.0](https://reader033.vdocuments.net/reader033/viewer/2022052620/5575c66cd8b42a312a8b4e46/html5/thumbnails/7.jpg)
1. Network Diagram
   • Formal
   • Comprehensive
2. Network Device Administration
   • Change Management
   • Console Connections
   • Remote Connections
3. Network Device Maintenance
   • Business Justifications
   • Firewall Rule Review every 6 months
4. Placement of Firewalls
   • Between Internet and DMZ
   • Between DMZ and Internal Network
5. Configuration of Firewalls
   • Stateful Inspection
   • Filtering Traffic between Internal and External network
   • NAT for internal IP Addresses
![Page 8: PCI DSS in Pictures and What to Expect in PCI 3.0](https://reader033.vdocuments.net/reader033/viewer/2022052620/5575c66cd8b42a312a8b4e46/html5/thumbnails/8.jpg)
1. No Defaults
   • Username: administrator, system, cisco, infosys
   • Password: 0000, 1234
2. Wireless Environments
   • Change the default WEP keys
   • Change the default passwords on access points
3. Device Configurations
   • One primary function per server
   • Only required services are enabled
   • Systems are hardened
4. Admin access to devices
   • Console access should be authenticated
   • Non-console access should be strongly encrypted, e.g. SSH
   • No Telnet
![Page 9: PCI DSS in Pictures and What to Expect in PCI 3.0](https://reader033.vdocuments.net/reader033/viewer/2022052620/5575c66cd8b42a312a8b4e46/html5/thumbnails/9.jpg)
1. Storage
   • Protect Stored Card Number
   • Do not store CVV or Track Data
2. Retention Period
   • Define business period for retention
   • Review stored cardholder data every quarter
   • Remove obsolete data
3. Key Management
   • Generate Strong keys
   • Store keys securely
   • Distribute keys securely
   • Change keys at the end of their lifetime
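As an added example (not from the slides), this Python implements the first storage point in defender tooling: Luhn-validated detection of full PANs in stored text, display masking to the first six and last four digits, and a check for sensitive authentication data fields (CVV, track data) that must never be stored. The regex, field names and sample strings are my own constructed assumptions.

```python
import re

# Candidate PANs: 13 to 19 digits, optionally separated by spaces or dashes (constructed pattern)
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Sensitive authentication data that must never be stored after authorisation (assumed field names)
SAD_FIELDS = {"cvv", "cvv2", "cvc2", "cid", "track1", "track2", "pin", "pin_block"}

def luhn_ok(digits: str) -> bool:
    """Mod-10 check that every genuine card number passes; filters out other long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:        # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Display form: first six and last four digits at most, the rest masked."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(text: str) -> list:
    """Return the Luhn-valid PANs found in a record, log line or file fragment."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found

def redact(text: str) -> str:
    """Replace every Luhn-valid PAN in the text with its masked form."""
    def _mask(m):
        digits = re.sub(r"\D", "", m.group())
        return mask_pan(digits) if luhn_ok(digits) else m.group()
    return PAN_RE.sub(_mask, text)

def sad_violations(record: dict) -> list:
    """Names of forbidden (non-empty) fields present in a stored record."""
    return sorted(k for k, v in record.items() if k.lower() in SAD_FIELDS and v)

if __name__ == "__main__":
    # Constructed sample: a log line and a stored record as an auditor might find them
    line = "order 77 card 4111 1111 1111 1111 ok"
    print(redact(line))                     # order 77 card 411111******1111 ok
    print(sad_violations({"pan": "4111111111111111", "cvv2": "123", "expiry": "12/15"}))
```

The Luhn filter keeps order numbers and other long identifiers out of the findings; a quarterly review of stored data (point 2 above) can run `find_pans` over exports to confirm nothing outside the defined retention period still holds full PANs.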
![Page 10: PCI DSS in Pictures and What to Expect in PCI 3.0](https://reader033.vdocuments.net/reader033/viewer/2022052620/5575c66cd8b42a312a8b4e46/html5/thumbnails/10.jpg)
1. Encrypt card numbers sent over the Internet, Wireless networks, GPRS, GSM
   • SSH, SSL/TLS, IPSec are acceptable
2. Never send unprotected card numbers over E-mail or chat
![Page 11: PCI DSS in Pictures and What to Expect in PCI 3.0](https://reader033.vdocuments.net/reader033/viewer/2022052620/5575c66cd8b42a312a8b4e46/html5/thumbnails/11.jpg)
1. Scope
   • All Windows systems must have AV
2. AV should be
   • On
   • Updated
   • Running periodic scans
   • Getting automatic updates
3. AV Logs
   • At AV server end
   • At AV client end
   • Retained as per the 3 months-1 year rule
![Page 12: PCI DSS in Pictures and What to Expect in PCI 3.0](https://reader033.vdocuments.net/reader033/viewer/2022052620/5575c66cd8b42a312a8b4e46/html5/thumbnails/12.jpg)
1. Patch Management
   • Latest patches on all systems
   • Deploy Critical patches in 30 days
   • Risk Ranking
   • Refer to external sources for vulnerabilities
2. Application Development
   • Code Review
   • Change Management
3. Custom Code Should Address
   • SQL Injection
   • Buffer Overflow
   • Cross Site Scripting
   • Cross Site Request Forgery, etc.
4. Public Facing Applications
   • WAF, or
   • Application VA annually
![Page 13: PCI DSS in Pictures and What to Expect in PCI 3.0](https://reader033.vdocuments.net/reader033/viewer/2022052620/5575c66cd8b42a312a8b4e46/html5/thumbnails/13.jpg)
1. Assigning Access to CHD
   • Job related need
   • Approval mechanism for access
2. Implementing Access to CHD
   • Automated access control system
   • Default deny-all setting
![Page 14: PCI DSS in Pictures and What to Expect in PCI 3.0](https://reader033.vdocuments.net/reader033/viewer/2022052620/5575c66cd8b42a312a8b4e46/html5/thumbnails/14.jpg)
1. Password Requirements
   • History, Lifetime, Length, Complexity
2. Account Lockout, Forgot Password
   • Password Reset Process
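Added example, not part of the presentation: a small Python policy checker for the password and lockout points above. The numeric thresholds are the PCI DSS v2.0 requirement 8.5 values (at least 7 characters, change every 90 days, no reuse of the last four, lock after six failed attempts for at least 30 minutes); the slide itself names only the categories, so those numbers are taken from the standard rather than from this page.

```python
import hashlib
import os
import re

# PCI DSS v2.0 requirement 8.5 parameters (from the standard; the slide names only the categories)
MIN_LENGTH = 7                # 8.5.10: at least seven characters
MAX_AGE_SECONDS = 90 * 86400  # 8.5.9: change at least every 90 days
HISTORY_DEPTH = 4             # 8.5.12: cannot reuse any of the last four passwords
MAX_FAILED_ATTEMPTS = 6       # 8.5.13: lock the ID after at most six failed attempts
LOCKOUT_SECONDS = 30 * 60     # 8.5.14: lockout lasts at least 30 minutes

def hash_password(password: str, salt: bytes = None) -> tuple:
    """History keeps a salted PBKDF2 digest, never the plaintext password."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def password_violations(candidate: str, history: list) -> list:
    """Return the 8.5 rules a new password breaks; an empty list means acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("length")
    if not (re.search(r"[A-Za-z]", candidate) and re.search(r"\d", candidate)):
        problems.append("complexity")  # 8.5.11: both numeric and alphabetic characters
    if any(hash_password(candidate, s)[1] == d for s, d in history[-HISTORY_DEPTH:]):
        problems.append("history")
    return problems

def password_expired(last_changed_ts: float, now_ts: float) -> bool:
    """Lifetime check: True once the password is older than 90 days (epoch seconds)."""
    return now_ts - last_changed_ts > MAX_AGE_SECONDS

class LockoutTracker:
    """Counts consecutive failed logins per user ID and enforces 8.5.13/8.5.14."""
    def __init__(self):
        self.failures = {}      # user -> consecutive failures since last success
        self.locked_until = {}  # user -> epoch seconds at which the lock lifts
    def is_locked(self, user: str, now_ts: float) -> bool:
        return self.locked_until.get(user, 0) > now_ts
    def record_failure(self, user: str, now_ts: float) -> bool:
        # Register a failed login; True means the account is locked
        if self.is_locked(user, now_ts):
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] < MAX_FAILED_ATTEMPTS:
            return False
        self.locked_until[user] = now_ts + LOCKOUT_SECONDS
        self.failures[user] = 0
        return True
    def record_success(self, user: str) -> None:
        self.failures.pop(user, None)
```

Audit logs should record each lockout event as a use of the authentication mechanism (see the logging slide), which is what makes a brute-force attempt visible to the monitoring team.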
![Page 15: PCI DSS in Pictures and What to Expect in PCI 3.0](https://reader033.vdocuments.net/reader033/viewer/2022052620/5575c66cd8b42a312a8b4e46/html5/thumbnails/15.jpg)
1. CCTV Recordings
2. Access Card Logs
3. Visitor Management
4. Media Management
![Page 16: PCI DSS in Pictures and What to Expect in PCI 3.0](https://reader033.vdocuments.net/reader033/viewer/2022052620/5575c66cd8b42a312a8b4e46/html5/thumbnails/16.jpg)
1. Every system and network component has to have logs
2. Things that must be logged:
   • Access to CHD
   • Admin activities
   • Access to logs
   • Use of authentication mechanisms
   • Initialization of logs
   • Creation/deletion of system level objects
3. Log Retention
   • 3 months – 1 year rule
4. NTP
5. FIM on logs
![Page 17: PCI DSS in Pictures and What to Expect in PCI 3.0](https://reader033.vdocuments.net/reader033/viewer/2022052620/5575c66cd8b42a312a8b4e46/html5/thumbnails/17.jpg)
1. VA
   • Internal VA
   • External VA by an ASV
   • Every quarter
2. PT
   • Internal PT
   • External PT
   • Annually
3. Wireless Scans
4. IDS/IPS
5. FIM
[Slide graphic: High / Med / Low]
![Page 18: PCI DSS in Pictures and What to Expect in PCI 3.0](https://reader033.vdocuments.net/reader033/viewer/2022052620/5575c66cd8b42a312a8b4e46/html5/thumbnails/18.jpg)
1. Risk Assessment
   • Formal methodology
   • e.g. ISO 27005, NIST SP 800-30, OCTAVE, etc.
2. HR
   • Recruitment
   • Background checks
   • NDA
   • Awareness
   • ID creation/deletion
   • Termination
3. Acceptable Usage Policy
4. Operational Security Policy
5. Information Security Policy
6. Service Providers
7. Incident Management
![Page 19: PCI DSS in Pictures and What to Expect in PCI 3.0](https://reader033.vdocuments.net/reader033/viewer/2022052620/5575c66cd8b42a312a8b4e46/html5/thumbnails/19.jpg)
PCI DSS 3.0
![Page 20: PCI DSS in Pictures and What to Expect in PCI 3.0](https://reader033.vdocuments.net/reader033/viewer/2022052620/5575c66cd8b42a312a8b4e46/html5/thumbnails/20.jpg)
Dates
• PCI DSS 3.0 will be published on 7 November 2013
• Version 3.0 becomes optional from 1 January 2014 onwards
• Version 2.0 will remain active until 31 December 2014
![Page 21: PCI DSS in Pictures and What to Expect in PCI 3.0](https://reader033.vdocuments.net/reader033/viewer/2022052620/5575c66cd8b42a312a8b4e46/html5/thumbnails/21.jpg)
1. Updated Network Diagram
2. Updated Hardware Inventory
![Page 22: PCI DSS in Pictures and What to Expect in PCI 3.0](https://reader033.vdocuments.net/reader033/viewer/2022052620/5575c66cd8b42a312a8b4e46/html5/thumbnails/22.jpg)
1. AV is required on Non-Windows based systems also
![Page 23: PCI DSS in Pictures and What to Expect in PCI 3.0](https://reader033.vdocuments.net/reader033/viewer/2022052620/5575c66cd8b42a312a8b4e46/html5/thumbnails/23.jpg)
1. Update list of application vulnerabilities as per OWASP, NIST, SANS, etc.
![Page 24: PCI DSS in Pictures and What to Expect in PCI 3.0](https://reader033.vdocuments.net/reader033/viewer/2022052620/5575c66cd8b42a312a8b4e46/html5/thumbnails/24.jpg)
1. Security Requirements for Authentication Mechanisms Other than Passwords
   • Tokens
   • Smart Cards
![Page 25: PCI DSS in Pictures and What to Expect in PCI 3.0](https://reader033.vdocuments.net/reader033/viewer/2022052620/5575c66cd8b42a312a8b4e46/html5/thumbnails/25.jpg)
1. More Stringent Requirements for Penetration Testing
![Page 26: PCI DSS in Pictures and What to Expect in PCI 3.0](https://reader033.vdocuments.net/reader033/viewer/2022052620/5575c66cd8b42a312a8b4e46/html5/thumbnails/26.jpg)
1. Maintain a list of service providers and what services they offer
2. Service providers should maintain their applicable PCI Requirements
3. Risks pertaining to service providers
![Page 27: PCI DSS in Pictures and What to Expect in PCI 3.0](https://reader033.vdocuments.net/reader033/viewer/2022052620/5575c66cd8b42a312a8b4e46/html5/thumbnails/27.jpg)
Thank You