Walter Conway, QSA 403 Labs, LLC Sneak Preview: What to Expect from PCI DSS v. 2.0 Changes Clarifications Guidance


Page 1: Walter Conway, QSA 403 Labs, LLC Sneak Preview: What to Expect from PCI DSS v. 2.0  Changes  Clarifications  Guidance

Walter Conway, QSA

403 Labs, LLC

Sneak Preview: What to Expect from PCI DSS v. 2.0

Changes

Clarifications

Guidance

Page 2

University of Wisconsin Lockdown 2010 | Walter Conway, QSA, | 403 Labs, LLC | © 2010 2

Agenda

PCI DSS in context

New PCI version in October – “fine tuning”
- Lifecycle
- Cardholder data discovery
- Clarifications
- SAQ revisions
- Emerging technology guidance

What this means for you

Page 3

403 Labs, LLC

Information security consulting firm

Payment Card Industry:
- Qualified Security Assessor (QSA)
- Payment Application QSA (PA-QSA)
- Approved Scanning Vendor (ASV)

Work with service providers and merchants of all sizes

Page 4

PCI DSS: 6 Goals, 12 Requirements

Page 5

Some PCI DSS Basics

Payment Card Industry Data Security Standard

Goal is to protect cardholder data
- And to keep you out of the headlines

If you take plastic, PCI applies to you
- “Store, process, or transmit” cardholder data

The whole of PCI DSS applies to all merchants

New PCI release due October 2010
- Reflects latest attack vectors, technology, practices

PCI does not make you secure

Page 6

Some PCI DSS Basics (cont.)

Each card brand has its own security program
- Merchant levels
- Validation (e.g., MasterCard’s new rules)
- Penalties, fees

Safe harbor – can it exist?

Compliance
- People, process, technology
- No “silver bullet”

Page 7

PCI DSS v. 2.0 – Lifecycle

3-Year Lifecycle
- Announced in June
- Consistency: PCI DSS, PA-DSS, PCI PTS
- Interim versions for errata, new threats
- FAQ, supplements to continue

Benefits
- Fewer new requirements
- More time for implementation and feedback
- Version 1.2 sunset December 2011

Page 8

PCI DSS v. 2.0 – Lifecycle

Page 9

PCI DSS v. 2.0 – Data Discovery

Cardholder data discovery “methodology”
- Find all your electronic cardholder data
- “Data leakage”
- Data breaches and “unknown unknowns”

Page 10

PCI DSS v. 2.0 – Hashing

Hashing produces a unique fixed-length output for each unique input

Hash functions are not keyed/reversible

Hash may include a “salt”

Page 11

PCI DSS v. 2.0 – Segmentation

Network segmentation is not required, but recommended
- Isolate systems that “store, process, or transmit” CHD
- Limit PCI scope

Page 12

PCI DSS v. 2.0 – SAQs

Goal is to remove ambiguities

Expect minor but critical changes clarifying who can use them

Will we see new SAQ(s)?

Page 13

PCI DSS v. 2.0 – Guidance

Emerging technologies
- Virtualization
- Tokenization
- End-to-end encryption
- EMV standard (chip cards)

PCI Council guidance for compliance
- Impact on PCI
- Map to PCI requirements

Page 14

PCI DSS v. 2.0 – Tokenization

A data security technology in which strings of random characters called tokens can be used in lieu of other, more valuable data, such as PANs

Vendor and in-house solutions

Tokenization can reduce (not eliminate) PCI scope
- Everything depends on implementation

[Figure: a tokenization engine maps the plaintext PAN 4123 4567 8901 2345 to the token 8894 7296 6294 0598; the PAN itself is held in a secure repository]

Page 15

PCI DSS v. 2.0 – End-to-End Encryption

Encryption: a cryptographic process for disguising data by applying a series of complex mathematical operations to data to render it unreadable to anyone without the proper decryption key

Encryption is a keyed, reversible function

Security depends on the key
- A big number that, if compromised, bye-bye security

Encrypted data are still in PCI scope

[Figure: encryption of the plaintext PAN 4123 4567 8901 2345 under the key 7693398720684553 yields the ciphertext 8894 7296 6294 0598]

Page 16

PCI DSS v. 2.0 – End-to-End Encryption

Really “point-to-point”

End-to-End encryption
- PAN encrypted from POS terminal all the way through the payment processing cycle
- CHD always stored and transmitted as ciphertext
- Critical element: merchant cannot decrypt

For more information
- PCI Council guidance documents, FAQ
- Visa’s best practices for data field encryption

Page 17

PANs, Hashes, Encryption, Tokens

PAN (card number): 5647 8377 8388 2299

Truncated PAN: 5647 83XX XXXX 2299

Hashed PAN (renders PAN unreadable; one way): 2fd4e1c6 7a2d28fc

Encrypted PAN (more characters than the PAN and structurally different): 9Ojr73h3d^&hh#&HFH&##ED*HD#*

Format-preserving encryption (structurally similar to the PAN): 8734 6392 8581 9284

Token (like the PAN in length and character type, but randomly derived): 9483 7266 3928 9819
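Added example, not from the deck: a small Python script that produces three of the forms in the table above for the slide's sample PAN, a truncated PAN, a salted one-way hash, and a random token held in a vault. The SHA-256 construction, the secret salt and the vault design are assumptions of this example, not anything the deck or the PCI Council prescribes.

```python
import hashlib
import secrets

# Constructed sample taken from the slide's table; not a real card number.
SAMPLE_PAN = "5647 8377 8388 2299"


def digits_only(pan: str) -> str:
    return "".join(ch for ch in pan if ch.isdigit())


def truncate_pan(pan: str) -> str:
    """Truncated PAN: first six and last four digits kept, the rest masked."""
    d = digits_only(pan)
    return d[:6] + "X" * (len(d) - 10) + d[-4:]


def hash_pan(pan: str, salt: bytes) -> str:
    """One-way hash of the PAN (assumed construction: SHA-256 over salt || PAN).
    Not keyed, not reversible. The salt must be a secret kept apart from the
    stored hashes; without it the small space of valid PANs is cheap to
    precompute, so the hash alone would not protect the PAN."""
    return hashlib.sha256(salt + digits_only(pan).encode()).hexdigest()


class TokenVault:
    """Toy tokenization engine: a random, same-length digit string stands in
    for the PAN everywhere except this vault, which stays in PCI scope."""

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        d = digits_only(pan)
        if d in self._pan_to_token:  # same PAN always yields the same token
            return self._pan_to_token[d]
        while True:
            token = "".join(str(secrets.randbelow(10)) for _ in range(len(d)))
            # Must not collide with an issued token or equal the PAN itself.
            if token != d and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = d
        self._pan_to_token[d] = token
        return token

    def detokenize(self, token: str) -> str:
        """Any system able to call this is handling CHD and is in scope."""
        return self._token_to_pan[token]


def group4(d: str) -> str:
    """Render digits in groups of four, as the slide does."""
    return " ".join(d[i:i + 4] for i in range(0, len(d), 4))
```

Of the three forms only the truncated PAN and the hash leave CHD out of scope, as the deck states two slides later; the token is out of scope for the systems that hold it only because the vault, not they, holds the PAN.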

Page 18

PCI DSS v. 2.0 – Emerging Technologies

Encryption, tokenization are still maturing
- May not work with all applications, systems
- Standards?
- Lots of marketing hype

Encryption security depends on protecting the key

Look for guidance from PCI Council
- Don’t expect specifics on implementation

Read Visa’s best practices document

As of today, only truncation and hashing remove CHD from scope

Page 19

PCI DSS v. 2.0 – Get Smart

PCI Council FAQ

PCI Council courses
- Standards training
- Internal Security Assessor (ISA)

Other PCI training options

Page 20

PCI DSS v. 2.0 – Conclusions

Expect refinements, not major changes

3-year lifecycle for each standard

Find your CHD…all of it!

Revised SAQs should help

Guidance on emerging technologies

Announcements, webinars over the summer

DSS v. 2.0 not unveiled until September?

Page 21

What to Expect from PCI DSS v. 2.0

Questions? Comments? Thoughts?

Thank you!

[email protected]

See my PCI column at StorefrontBacktalk.com

Higher Ed PCI blog: treasuryinstitutepcidss.blogspot.com