PCI 3.1 Changes - NCGFOA


PCI 3.1 Changes
Jon Bonham, CISA
Coalfire Systems, Inc.

Agenda

- Introduction of Coalfire
- What does this have to do with the business office?
- Changes to version 3.1
- EMV
- P2PE
- Questions and Answers
- Contact Information

What does this have to do with business?

- Income
- Easier
- The decision to take cards was made in the business office.
- The contracts were signed by the business office.
- The part in the contract about always being PCI compliant was signed by the business office.

What you signed up for.

Business Office -> Business Need -> Business Solution -> Business Responsibilities
- With help from the IT Department
- With help from the merchants and their staff

VERSION 2.0 TO 3.1 CHANGES

New SAQ Validation Types

SAQ A
  Description: Card-not-present merchants: all payment processing functions fully outsourced, no electronic cardholder data storage
  Questions in v3.0: 14 (change from v2.0: +1)
  ASV scan required in v3.0: No
  Penetration test required in v3.0: No

SAQ A-EP
  Description: E-commerce merchants re-directing to a third-party website for payment processing, no electronic cardholder data storage
  Questions in v3.0: 139 (NEW in v3.0)
  ASV scan required in v3.0: Yes
  Penetration test required in v3.0: Yes

SAQ B
  Description: Merchants with only imprint machines or only standalone dial-out payment terminals: no e-commerce or electronic cardholder data storage
  Questions in v3.0: 41 (change from v2.0: +12)
  ASV scan required in v3.0: No
  Penetration test required in v3.0: No

SAQ B-IP
  Description: Merchants with standalone, IP-connected payment terminals: no e-commerce or electronic cardholder data storage
  Questions in v3.0: 83 (NEW in v3.0)
  ASV scan required in v3.0: Yes
  Penetration test required in v3.0: No

SAQ C
  Description: Merchants with payment application systems connected to the Internet: no e-commerce or electronic cardholder data storage
  Questions in v3.0: 139 (change from v2.0: +59)
  ASV scan required in v3.0: Yes
  Penetration test required in v3.0: Yes

SAQ C-VT
  Description: Merchants with web-based virtual payment terminals: no e-commerce or electronic cardholder data storage
  Questions in v3.0: 73 (change from v2.0: +22)
  ASV scan required in v3.0: No
  Penetration test required in v3.0: No

SAQ D-MER
  Description: All other SAQ-eligible merchants
  Questions in v3.0: 326 (change from v2.0: +38)
  ASV scan required in v3.0: Yes
  Penetration test required in v3.0: Yes

SAQ D-SP
  Description: SAQ-eligible service providers
  Questions in v3.0: 347 (NEW in v3.0)
  ASV scan required in v3.0: Yes
  Penetration test required in v3.0: Yes

SAQ P2PE
  Description: Hardware payment terminals in a validated PCI P2PE solution only: no e-commerce or electronic cardholder data storage
  Questions in v3.0: 35 (NEW in v3.0)
  ASV scan required in v3.0: No
  Penetration test required in v3.0: No


PCI DSS 3.1 – Goals

The PCI SSC is pushing the concept of ongoing or continuous compliance management:
- Monitoring of security controls
- Detect and respond to failures in security controls
- Review all changes to the environment
- Organization structure changes
- Periodic reviews
- Annual hardware/software review

PCI DSS 3.1 – Scope and Segmentation

It's important to review the guidance on how to accurately determine the scope of a PCI DSS engagement and the intent of segmentation. Successfully identifying the scope of your environment is always the key to a successful PCI DSS assessment.

Scope identification process:
- What is your ongoing process?
- Identifying cardholder data outside of the CDE.

Connected systems in scope:
- Connected to the CDE and have the ability to access cardholder data.
- Systems that have the ability to impact the security of the CDE.
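The slide's two scoping tests (connected to the CDE, or able to impact its security) can be applied mechanically to a system inventory. The following Python helper is an added example, not material from the presentation or from Coalfire; the inventory, host names, roles and allowed connections in it are constructed for illustration, and the rule that a system one network hop from the CDE is "connected-to" and that admin or authentication systems serving in-scope hosts are "security-impacting" is a simplification of the PCI SSC guidance rather than a quotation of it. Whatever is left out of scope is exactly the set the segmentation testing in Requirement 11.3 must show cannot reach the CDE.

```python
"""Added example: minimal PCI DSS scope classifier over a constructed inventory."""

# Constructed inventory: system name -> attributes (not a real environment).
INVENTORY = {
    "pos-terminal-1": {"cde": True,  "stores_chd": False},
    "payment-gw":     {"cde": True,  "stores_chd": True},
    "ad-dc":          {"cde": False, "stores_chd": False, "role": "authentication"},
    "jump-host":      {"cde": False, "stores_chd": False, "role": "admin"},
    "hr-fileshare":   {"cde": False, "stores_chd": False},
    "finance-share":  {"cde": False, "stores_chd": True},   # CHD found outside the CDE
}

# Constructed list of permitted network connections (treated as bidirectional).
CONNECTIONS = [
    ("pos-terminal-1", "payment-gw"),
    ("jump-host", "payment-gw"),
    ("payment-gw", "ad-dc"),
    ("hr-fileshare", "ad-dc"),
]

# Roles assumed (for this example) to be able to impact CDE security.
SECURITY_IMPACTING_ROLES = {"admin", "authentication"}


def classify_scope(inventory, connections):
    """Return {system: reason} for every in-scope system; out-of-scope systems are omitted."""
    neighbours = {name: set() for name in inventory}
    for src, dst in connections:
        neighbours[src].add(dst)
        neighbours[dst].add(src)

    cde = {n for n, attrs in inventory.items() if attrs.get("cde")}
    scope = {n: "CDE component" for n in cde}

    # Cardholder data discovered outside the CDE pulls that system into scope;
    # it is also a finding in its own right, because the CDE boundary was drawn wrong.
    for n, attrs in inventory.items():
        if n not in scope and attrs.get("stores_chd"):
            scope[n] = "cardholder data stored outside the CDE"

    # Connected-to systems: one network hop from any CDE component.
    for n in cde:
        for m in neighbours[n]:
            scope.setdefault(m, "connected to the CDE")

    # Security-impacting systems: admin/authentication hosts serving in-scope systems,
    # even when they never see cardholder data themselves.
    for n, attrs in inventory.items():
        role = attrs.get("role")
        if role in SECURITY_IMPACTING_ROLES and n not in cde and neighbours[n] & set(scope):
            scope[n] = "can impact the security of the CDE (%s)" % role
    return scope


def out_of_scope(inventory, scope):
    """Systems the segmentation test (Requirement 11.3) must prove cannot reach the CDE."""
    return sorted(n for n in inventory if n not in scope)


if __name__ == "__main__":
    result = classify_scope(INVENTORY, CONNECTIONS)
    for name, reason in sorted(result.items()):
        print("IN SCOPE  %-15s %s" % (name, reason))
    for name in out_of_scope(INVENTORY, result):
        print("OUT       %-15s segmentation must be validated" % name)
```

Note that hr-fileshare stays out of scope even though it talks to the (in-scope) domain controller: only connectivity to the CDE itself, or a security-impacting role, brings a system in. That path is still worth a look during the segmentation review.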

PCI DSS 3.1 – Critical Changes to Penetration Testing

Expanded Penetration Testing Expectations
  The penetration testing requirements are much more detailed and now require testing to validate segmentation technologies (best practice until July 2015).

PCI DSS 3.1 – Flexible Changes to Existing Requirements

Requirement 6.6 Flexibility
  Added options to the interpretation of this requirement by changing "web-application firewall" to "automated technical solution that detects and prevents web-based attacks".

Password Complexity Flexibility
  Password complexity and strength requirements have been combined into a single requirement, and the PCI SSC has now allowed for some flexibility in meeting these requirements.

PCI DSS 3.1 – Critical Changes to Logging Requirements

New Logging Events
  Enhanced logging requirement to include stopping or pausing of the audit logs.

Log Reviews for Critical Components
  Daily or continuous log reviews have been split into two categories: critical systems and "everything else".
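Both points on this slide can be exercised with a small detection pass: flag every event that means the audit trail stopped or was paused, and route each alert to the review tier (critical system, or everything else) its host belongs to. The following Python script is an added example, not code from the presentation; the log lines are constructed, roughly in Linux auditd's key=value record format (with `node=` set) and a syslog-style forward of Windows Security events, and the host names and critical-host list are invented. The auditd record types DAEMON_END, DAEMON_ABORT and CONFIG_CHANGE, and Windows Security event IDs 1100 (event logging service shut down), 1102 (audit log cleared) and 4719 (audit policy changed), are real identifiers.

```python
"""Added example: detect audit-log stop/pause events and route them by review tier."""
import re

# Constructed sample lines (not captured from a real system).
SAMPLE_LINES = [
    "node=pos-db-01 type=DAEMON_START msg=audit(1433153100.101:1): op=start ver=2.8 res=success",
    "node=pos-db-01 type=SYSCALL msg=audit(1433153112.553:1301): arch=c000003e syscall=2 success=yes exit=3",
    "node=pos-db-01 type=CONFIG_CHANGE msg=audit(1433153400.000:1402): audit_enabled=0 old=1 auid=1000 ses=7 res=1",
    "node=pos-db-01 type=DAEMON_END msg=audit(1433153401.200:1403): op=terminate auid=1000 pid=812 uid=0 ses=7 res=success",
    "node=hr-web-01 type=DAEMON_ABORT msg=audit(1433153500.000:55): op=abort reason=lowspace res=failed",
    "2015-06-01T10:20:55Z host=pos-app-01 channel=Security EventID=1102 message=The audit log was cleared.",
    "2015-06-01T10:21:10Z host=hr-web-01 channel=Security EventID=4624 message=An account was successfully logged on.",
    "2015-06-01T10:25:10Z host=hr-web-01 channel=Security EventID=1100 message=The event logging service has shut down.",
]

# Constructed inventory of critical (in-scope) systems that get daily review.
CRITICAL_HOSTS = {"pos-db-01", "pos-app-01"}

AUDITD_INTERRUPTIONS = {
    "DAEMON_END": "audit daemon stopped",
    "DAEMON_ABORT": "audit daemon aborted",
}
WINDOWS_INTERRUPTIONS = {
    "1100": "event logging service shut down",
    "1102": "security audit log cleared",
    "4719": "system audit policy changed",
}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_kv(line):
    """Pull key=value pairs out of a line; values run to the next whitespace."""
    return dict(KV_RE.findall(line))


def interruption_reason(kv):
    """Return a human-readable reason if the record means auditing stopped/paused, else None."""
    rtype = kv.get("type")
    if rtype in AUDITD_INTERRUPTIONS:
        return AUDITD_INTERRUPTIONS[rtype]
    if rtype == "CONFIG_CHANGE" and kv.get("audit_enabled") == "0":
        return "auditing disabled (audit_enabled=0)"
    if kv.get("EventID") in WINDOWS_INTERRUPTIONS:
        return WINDOWS_INTERRUPTIONS[kv["EventID"]]
    return None


def find_audit_interruptions(lines, critical_hosts=CRITICAL_HOSTS):
    """Alerts for every audit-trail interruption, tagged with the host's review tier."""
    alerts = []
    for line in lines:
        kv = parse_kv(line)
        reason = interruption_reason(kv)
        if reason is None:
            continue
        host = kv.get("node") or kv.get("host") or "unknown"
        tier = "critical" if host in critical_hosts else "everything else"
        alerts.append({"host": host, "reason": reason, "tier": tier, "line": line})
    return alerts


if __name__ == "__main__":
    for alert in find_audit_interruptions(SAMPLE_LINES):
        print("[%s] %s: %s" % (alert["tier"], alert["host"], alert["reason"]))
```

Alerts in the "critical" tier belong in the daily (or continuous) review queue; the rest can follow the periodic cadence the slide allows for everything else, but an interruption of the audit trail is still something to investigate rather than file.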

PCI DSS 3.1 – Critical Changes to Developer Training

6.5.c Sensitive Data in Memory
  Organizations must now demonstrate how they train their developers to understand how sensitive data is handled in memory.

PCI DSS 3.1 – New Requirements (Immediate impact)

Requirement 1.1.3
  Dataflow diagrams.
Requirement 2.4
  Inventory of all in-scope system components.
Requirement 5.1.2
  Risk-based malware review for systems not commonly affected by malicious software.
Requirement 8.1.3.b
  Termination processes must include all physical authentication methods in addition to systems.

PCI DSS 3.1 – New Requirements (Immediate impact), continued

Requirement 8.6.x
  New requirements and testing procedures around the use of physical "Authentication Mechanisms" assigned to individuals.
Requirement 9.3
  New requirement to control issuing physical access to sensitive areas for onsite personnel.
Requirement 12.8.5
  New requirement to maintain information about which PCI DSS requirements are managed by the service provider.

PCI DSS 3.1 – Phased Requirements - 2015

These requirements were considered "best practices only" until June 30, 2015, at which time they became mandatory for all 3.1 assessments.

Requirement 6.5.10
  Broken authentication and session management.
Requirement 8.5.1
  New requirement for service providers to use different authentication credentials for access into different customer environments.
Requirement(s) 9.9.x
  New (merchant) requirements to protect point-of-sale devices that capture payment card data from tampering or unauthorized modification or substitution.

PCI DSS 3.1 – More Phased Requirements - 2015

Requirement 11.3.x
  Expanded requirements/expectations for penetration testing controls. PCI DSS v2.0 requirements for penetration testing may be followed until July 2015.
Requirement 12.9
  Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data.

Questions about the changes

What is Chip and PIN or EMV?

EMV, which stands for Europay, MasterCard, and Visa, is a global standard for inter-operation of integrated circuit cards (IC cards or "chip cards") and IC card capable point of sale (POS) terminals, for authenticating credit and debit card transactions.

Contact Cards and RF Cards

- Contact cards communicate with the reader over a contact plate. The plate must come into contact with the terminal, usually by inserting the card into a slot in the terminal. The card must remain inserted for the duration of the transaction.
- Contactless cards communicate via radio frequency (RF) and must contain an antenna.
- Dual interface chip cards combine both technologies and can communicate either way.

Source: Visa U.S. Merchant EMV Chip Acceptance Readiness Guide

What does this mean to you

- The benefit to EMV is that it is almost impossible to create a fake or fraudulent card.
- The card produces a one-time use code for each transaction.
- It takes special equipment to read the card.
- Over 80 percent of fraudulent transactions are "Card Present" transactions.
- By using EMV those transactions shouldn't take place.
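The "one-time use code" on this slide is what makes a copied card useless: the chip computes it from the transaction data with a key that never leaves the card, so copying the account number and expiry date (the static data a magnetic stripe carries) gives a counterfeiter nothing to compute the next code with. The following Python model is an added example, not from the presentation; it is a deliberately simplified stand-in for EMV's actual session-key derivation and cryptogram algorithm (an HMAC over a transaction counter, amount and terminal nonce), and the card class, issuer class and account number in it are constructed for illustration. It shows why a replayed code, an altered amount, or a card cloned from static data all fail issuer verification.

```python
"""Added example: simplified model of a per-transaction card cryptogram and issuer check."""
import hashlib
import hmac
import os


def transaction_code(key, pan, atc, amount_cents, nonce):
    """One-time code bound to the card key and the specific transaction's data."""
    msg = "%s|%d|%d|%s" % (pan, atc, amount_cents, nonce.hex())
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()


class ChipCard:
    """Model of a chip: a per-card secret that never leaves it, plus a transaction counter."""

    def __init__(self, pan, card_key):
        self.pan = pan            # static data; a magstripe clone could copy this
        self._key = card_key      # never exported; a clone does not get it
        self.atc = 0              # application transaction counter

    def authorise(self, amount_cents, terminal_nonce):
        self.atc += 1
        code = transaction_code(self._key, self.pan, self.atc, amount_cents, terminal_nonce)
        return {"pan": self.pan, "atc": self.atc, "amount": amount_cents,
                "nonce": terminal_nonce, "code": code}


class Issuer:
    """Holds each card's key and the last counter value it accepted."""

    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def enrol(self, pan):
        key = os.urandom(32)
        self._keys[pan] = key
        self._last_atc[pan] = 0
        return ChipCard(pan, key)

    def verify(self, req):
        key = self._keys.get(req["pan"])
        if key is None:
            return False, "unknown card"
        expected = transaction_code(key, req["pan"], req["atc"], req["amount"], req["nonce"])
        if not hmac.compare_digest(expected, req["code"]):
            return False, "cryptogram mismatch"        # wrong key or altered transaction data
        if req["atc"] <= self._last_atc[req["pan"]]:
            return False, "replayed transaction counter"
        self._last_atc[req["pan"]] = req["atc"]
        return True, "approved"


def demo():
    """Run the four cases and return their outcomes in order."""
    issuer = Issuer()
    card = issuer.enrol("4111111111111111")        # constructed test PAN
    genuine = card.authorise(1999, os.urandom(8))
    replay = dict(genuine)                         # same code presented a second time
    altered = dict(card.authorise(500, os.urandom(8)), amount=50000)  # amount changed in transit
    clone = ChipCard(card.pan, os.urandom(32))     # static data copied, key unknown
    forged = clone.authorise(1999, os.urandom(8))
    return [issuer.verify(genuine), issuer.verify(replay),
            issuer.verify(altered), issuer.verify(forged)]


if __name__ == "__main__":
    for ok, why in demo():
        print("approved" if ok else "declined", "-", why)
```

The counter check is what gives the code its one-time property; the key check is what a magnetic-stripe copy can never pass, which is the point behind the slide's claim that counterfeit "Card Present" fraud should stop once EMV is in use.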

October 15, 2015 Liability Shift

If a magnetic stripe card comes in and is read with a magnetic stripe reader, then, if the purchase is a counterfeit transaction, the merchant is generally not liable, just like today.

October 15, 2015 Liability Shift

If an EMV card comes in and is read with a magnetic stripe only POS terminal, then, if the purchase is a counterfeit transaction, the merchant is solely liable.

October 15, 2015 Liability Shift

If an EMV card comes in and is read with an activated EMV terminal, then, if the purchase is a counterfeit transaction, the issuer will be liable.

Double Down

- If you are going to invest in the equipment, consider the business case of also buying equipment that can handle Point to Point Encryption technology.
- Chip and PIN, or what is really Chip and Signature here in the US, protects the card and the card only.
- P2PE protects the cardholder data as it passes through your network.

Predictions

- 70% of U.S. credit cards and 41% of debit cards will be EMV-enabled by the end of 2015.
- The demand for new equipment will increase as the deadline gets closer.
- Many that order late will be waiting on equipment when the deadline comes.
- Most will think you can just plug it in and go without the proper testing with the processor. They will be wrong.

Thank you

Jon Bonham
Jon.bonham@coalfire.com
