what you need to know about pci dss v3.2

PCI DSS v3.2 The sooner you fall behind, the more time you have to catch up Online Business Systems Steve Levinson Mark Hannah

Upload: online-business-systems

Post on 13-Jan-2017


TRANSCRIPT

Page 1: What You Need to Know About PCI DSS v3.2

PCI DSS v3.2 – The sooner you fall behind, the more time you have to catch up

Online Business Systems – Steve Levinson, Mark Hannah

Page 2: What You Need to Know About PCI DSS v3.2

This SlideShare summarizes a few of the key changes from PCI Data Security Standard Version 3.1 to 3.2. It provides a high level view of the impact of the changes on organizations subject to PCI requirements, based on Online Business Systems’ QSA viewpoint. Many of the new sub-requirements will remain as best practices until February 1, 2018.

PCI DSS v3.2

Page 3: What You Need to Know About PCI DSS v3.2

Table of Contents

• Slide 3: Change Drivers for v3.2
• Slide 4: Important Dates
• Slide 5: SSL & TLS 1.0 – What we know
• Slide 6: SSL & TLS 1.0 – Mitigation Strategy
• Slides 7-10: PCI Changes
• Slide 11: Six practical tips for avoiding PCI failure

Page 4: What You Need to Know About PCI DSS v3.2

Change Drivers for v3.2

• Improves prescriptiveness
• Scoping, data flow, and inventory inconsistencies
• SSL/TLS
• Third-party security challenges
• Slow self-detection, malware
• You're only one change away from being out of compliance
• Recent breaches

Page 5: What You Need to Know About PCI DSS v3.2

Important Dates

• April 28, 2016: Summary of changes document, PCI DSS 3.2, and ROC reporting template are available on the PCI SSC website
• October 31, 2016: Version 3.1 will be retired. All assessments completed after this date require:
  • New 3.2 ROC reporting template and reporting instructions
  • New 3.2 AOCs
  • Version 3.2 SAQs
• February 1, 2018: Final date to implement the “Evolving Requirements”

Page 6: What You Need to Know About PCI DSS v3.2

SSL & TLS 1.0 – What we Know

• June 30, 2016: All service providers must provide a secure TLS service offering
• June 30, 2016: All entities must have stopped use of SSL/early TLS as a security control, and use only secure versions of the protocol.

Page 7: What You Need to Know About PCI DSS v3.2

SSL & TLS 1.0 – Mitigation Strategy

Plan A – Eradicate, or set a target date
Plan B – Document, analyze and plan
• Inventory of all locations it is in use
• Data being transmitted for each implementation
• Documented risk assessment and RRMP
• May include compensating or mitigating controls
• Potential re-scoping issues
• Vigilance
• Change Control
• Appendix A2 – SSL/TLS Additional Requirements

Reference: PCI Council Information Supplement, Migrating from SSL and Early TLS, Version 1.1, April 2016
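Plan B starts with an inventory of where SSL and early TLS are still being negotiated. As an added example (not from the deck or from Online Business Systems), the Python below classifies a server by the protocol version its ServerHello actually selected, which is what you see when carving handshakes out of a packet capture; the PROHIBITED set and the sample records are constructed assumptions, not PCI SSC data.

```python
"""Classify a server by the version its ServerHello selected (Plan B inventory aid)."""
import struct

VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1",
            (3, 3): "TLSv1.2", (3, 4): "TLSv1.3"}
# SSL (any version) and TLS 1.0 are what the deck says must be gone;
# assumption: add "TLSv1.1" if your risk assessment treats it as early TLS.
PROHIBITED = {"SSLv2", "SSLv3", "TLSv1.0"}

def negotiated_version(record: bytes) -> str:
    """Return the version a ServerHello selected, or 'unknown'."""
    # SSLv2 record: 2-byte length with high bit set, then message type 4 = SERVER-HELLO
    if len(record) >= 3 and record[0] & 0x80 and record[2] == 0x04:
        return "SSLv2"
    # SSLv3/TLS: content type 0x16 (handshake), handshake type 0x02 (ServerHello)
    if len(record) < 11 or record[0] != 0x16 or record[5] != 0x02:
        return "unknown"
    version = VERSIONS.get((record[9], record[10]), "unknown")
    # TLS 1.3 servers write 0x0303 into server_version and put the real choice
    # in the supported_versions extension (0x002b), so walk the extensions.
    pos = 11 + 32                          # skip the 32-byte server random
    if pos >= len(record):
        return version
    pos += 1 + record[pos] + 2 + 1         # session_id, cipher_suite, compression
    if pos + 2 > len(record):
        return version
    ext_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos, end = pos + 2, min(pos + 2 + ext_len, len(record))
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if ext_type == 0x002B and length == 2:
            return VERSIONS.get((record[pos], record[pos + 1]), "unknown")
        pos += length
    return version

def is_prohibited(record: bytes) -> bool:
    """True when the selected protocol is one PCI DSS says must no longer be used."""
    return negotiated_version(record) in PROHIBITED

def _server_hello(record_ver, server_ver, extensions=b""):
    """Constructed sample ServerHello: zeroed random, empty session id, one suite."""
    body = bytes(server_ver) + b"\x00" * 32 + b"\x00" + b"\xc0\x2f" + b"\x00"
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    hs = b"\x02" + struct.pack("!I", len(body))[1:] + body
    return b"\x16" + bytes(record_ver) + struct.pack("!H", len(hs)) + hs

EARLY_TLS_HELLO = _server_hello((3, 1), (3, 1))          # TLS 1.0 server (constructed)
TLS13_HELLO = _server_hello((3, 3), (3, 3), b"\x00\x2b\x00\x02\x03\x04")  # TLS 1.3
```

Feed it the first handshake record from the server side of each captured session and tally the results per host and port; anything flagged prohibited goes into the Plan B inventory with its data flow and risk assessment.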

Page 8: What You Need to Know About PCI DSS v3.2

PCI Changes

2.1 – Changing vendor defaults and passwords
Updated to clarify that payment applications are included in this requirement.

3.5.1 – Documentation of cryptographic architecture
Service Providers must create documentation of their cryptographic architecture. This is a new requirement that is considered a best practice until 2/1/2018.

6.2 – Payment applications
Security patches for all software, including payment applications.

Page 9: What You Need to Know About PCI DSS v3.2

6.4.6 – Infuse PCI DSS impact analysis into your change management procedures

This new requirement (best practice until 2/1/2018) applies to ALL assessed entities.

8.3.1 – All administrative access will require multi-factor authentication (“MFA”)

This new requirement is probably the most robust change, and is a best practice until 2/1/2018.

10.8 – Service providers must identify any critical security control failures and respond accordingly

This new requirement will raise the bar for Service Providers (not merchants) to improve their security event monitoring capabilities, including monitoring the health of these functions.

Page 10: What You Need to Know About PCI DSS v3.2

11.3.4.1 – More frequent segmentation pen testing for Service Providers

Increases the periodicity from once a year (or after ‘significant’ changes) to twice a year.

12.4 – Accountability!
Requires executive management to document PCI accountability, create a charter for a PCI compliance program, and report updates to executive management/the board annually.

12.10.2 – Fine tune the Incident Response Plan
Requires you to ensure that your annual IR test plan includes a thorough review of all sub-elements from the requirement.

Page 11: What You Need to Know About PCI DSS v3.2

12.11 – Service Providers must perform and document quarterly reviews (best practice until 2/1/2018)

12.11 Additional requirement for service providers only: Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures. Reviews must cover the following processes:
• Daily log reviews
• Firewall rule-set reviews
• Applying configuration standards to new systems
• Responding to security alerts
• Change management processes

Page 12: What You Need to Know About PCI DSS v3.2

Six Practical Tips for Avoiding PCI Failure
(Slide from a 2008 presentation on DSS v1.2: the more things change, the more they stay the same)

1. Store less data, and encrypt or tokenize!
2. Understand your data flows
3. Address app and network vulnerabilities
4. Improve security awareness
5. Monitor systems for intrusions
6. Segment credit card networks

Page 13: What You Need to Know About PCI DSS v3.2

Contact info:
• Steve Levinson, Managing Director, [email protected], 619.701.8614
• Mark Hannah, PCI Practice Lead, [email protected], 951.587.7991

To learn more visit our resource center: http://info.obsglobal.com/online-business-systems-pci-3.2-resource-center

PCI Website: https://www.pcisecuritystandards.org