PCI-DSS v3.0 - What you need to know
Download as PPTX, PDF0 likes1,764 views
The document summarizes key points about PCI-DSS 3.0 from a presentation given by Barry Shteiman of Imperva. It introduces new requirements in PCI-DSS 3.0 around securing payment card data in memory, broken authentication and session management, unique credentials for service providers, protecting point-of-sale devices from tampering, and penetration testing methodology. It also discusses themes of PCI-DSS 3.0 like a focus on skimmers and increased accountability for service providers. Dates are provided for when PCI-DSS 3.0 takes effect and new requirements must be complied with.
![[6.5.11] Broken Auth & Session Mgmt
Authentication/Session attacks
•
•
•
•
•
•
•
21
© 2013 Imperva, Inc. All rights reserved.
Cookie Tampering
Cookie Poisoning
Session Hijacking
Session Reuse
Parameter Tampering
SSL Reuse
Brute Force](https://image.slidesharecdn.com/pcidssv30webinar-11-7-2013-131107152321-phpapp02/85/PCI-DSS-v3-0-What-you-need-to-know-21-320.jpg)
![[11.3] Pen Testing and Remediation
Source: http://www.imperva.com/docs/SB_Imperva_WhiteHat.pdf
22
© 2013 Imperva, Inc. All rights reserved.](https://image.slidesharecdn.com/pcidssv30webinar-11-7-2013-131107152321-phpapp02/85/PCI-DSS-v3-0-What-you-need-to-know-22-320.jpg)
PCI-DSS v3.0 - What you need to know
- 1. PCI-DSS v3.0: What You Need to Know Barry Shteiman – Director of Security Strategy 11/7/2013 1 © 2013 Imperva, Inc. All rights reserved. Confidential
- 2. Agenda PCI-DSS Themes and Drivers Dates and Deadlines New Requirements Web App Compliance 2 © 2013 Imperva, Inc. All rights reserved. © Copyright 2012 Imperva, Inc. All rights reserved.
- 3. Today’s Speaker - Barry Shteiman Director of Security Strategy Security Researcher working with the CTO office Author of several application security tools, including HULK Open source security projects code contributor CISSP Twitter @bshteiman 3 © 2013 Imperva, Inc. All rights reserved. Confidential
- 4. Introducing PCI-DSS 3.0 4 © 2013 Imperva, Inc. All rights reserved. Confidential
- 5. PCI-DSS Payment Card Industry (PCI) Data Security Standard (DSS) “A set of control requirements created to help protect cardholder data.” Industry driven • From conception to enforcement Evolving • 4th version over 7 years • Rate of releases has slowed – 3 years since v2.0 release Concise and Pragmatic • Does not avoid naming technologies • Calls out threats by name • Very specific about data scope 5 © 2013 Imperva, Inc. All rights reserved.
- 6. PCI-DSS Evolution PCI 1.2 PCI 1.0 • December 2004 12 major sections PCI 1.1 • September 2006 • App security, compensating controls 2005 6 2006 2007 © 2013 Imperva, Inc. All rights reserved. PCI 3.0 • October 2008 • November 2013 • Risk based approach, • Consistency for emphasis on wireless assessors, risk based approach, PCI 2.0 flexibility • October 2010 2008 • Definition of scope, clarifications 2009 2010 2011 2012 2013
- 7. PCI-DSS 3.0 Key Drivers Lack of education and awareness Weak passwords, authentication Third-party security challenges Slow self-detection, malware Inconsistency in assessments 7 © 2013 Imperva, Inc. All rights reserved.
- 8. General Themes Penetration testing gets real • More explicitly-defined penetration test guidelines Skimmers, skimmers and more skimmers • New requirement to maintain list of POS devices, periodically inspect devices and train personnel • Inclusion of POS devices in other sections Service provider accountability PCI requirement clarifications and details 8 © 2013 Imperva, Inc. All rights reserved.
- 9. Why Protect Point-of-Sale Devices? Physical data theft incidents from 2013 Verizon Data Breach Incident Report Source: http://www.verizonenterprise.com/DBIR/ 9 © 2013 Imperva, Inc. All rights reserved.
- 10. Service Providers accountability Third-party awareness at the compliance level Source: http://www.bankinfosecurity.com/bofa-confirms-third-party-breach-a-5582 10 © 2013 Imperva, Inc. All rights reserved.
- 11. PCI DSS 3.0 Dates and Deadlines Publication Date: November 7, 2013 Effective Date: January 1, 2014 • Version 2.0 will remain active until December 31, 2014 Deadline for New Requirements: June 30, 2015 11 © 2013 Imperva, Inc. All rights reserved.
- 12. What’s New? New requirements added in PCI-DSS 3.0 12 © 2013 Imperva, Inc. All rights reserved.
- 13. New Req. 6.5.6 Insecure handling of credit card and authentication data in memory. Compliance: • document how PAN/SAD is handled in memory to minimize exposure 13 © 2013 Imperva, Inc. All rights reserved.
- 14. New Req. 6.5.11 Broken authentication & session management. Compliance: • • • • 14 Flag session tokens Don’t expose session ID in URL Implement time-outs Prevent User ID manipulation © 2013 Imperva, Inc. All rights reserved.
- 15. New Req. 8.5.1 Service providers with access to customer environments must use a unique authentication credential for each customer Compliance: • Authentication policies and procedures to mandate different authentication is used to access each customer environment ** Only mandated for service providers 15 © 2013 Imperva, Inc. All rights reserved.
- 16. New Req. 9.9 Protect POS devices that capture payment card data from tampering Compliance: • Maintain a list of POS devices • Periodical inspection for tampering/substitution • Training for awareness Note: PCI-DSS now addresses skimmers. 16 © 2013 Imperva, Inc. All rights reserved.
- 17. New Req. 11.3 Develop penetration testing methodology based on industry guidelines like NIST Compliance: • Implement a penetration testing approach based on an industry standard (like NIST SP800-115) • Define pen-test for all layers • Specify retention and remediation activity 17 © 2013 Imperva, Inc. All rights reserved.
- 18. New Req. 12.9 Service providers must document in writing they will adhere to PCI DSS standards Compliance: • Acknowledge in writing to customers that service provider will maintain PCI DSS in full on behalf of the customer ** Only mandated for service providers 18 © 2013 Imperva, Inc. All rights reserved.
- 19. Web Application Compliance Using a WAF to close the compliance gap 19 © 2013 Imperva, Inc. All rights reserved.
- 20. Web application relevant requirements 20 © 2013 Imperva, Inc. All rights reserved.
- 21. [6.5.11] Broken Auth & Session Mgmt Authentication/Session attacks • • • • • • • 21 © 2013 Imperva, Inc. All rights reserved. Cookie Tampering Cookie Poisoning Session Hijacking Session Reuse Parameter Tampering SSL Reuse Brute Force
- 22. [11.3] Pen Testing and Remediation Source: http://www.imperva.com/docs/SB_Imperva_WhiteHat.pdf 22 © 2013 Imperva, Inc. All rights reserved.
- 23. PCI-DSS Carry-ons Req 6.6: Protect public-facing Web applications Req 10: Audit all access to cardholder data Req 7: Limit access to systems and data on a business need to know Req 8.5: Identify and disable dormant user accounts and access rights Req 11.5: Alert personnel to unauthorized modification of files Source: http://www.imperva.com/PCI/ 23 © 2013 Imperva, Inc. All rights reserved.
- 24. Where can I learn more? 24 © 2013 Imperva, Inc. All rights reserved.
- 25. PCI PCI-DSS Council http://www.pcisecuritystandards.org Imperva’s PCI Resource Center http://www.imperva.com/PCI/ 25 © 2013 Imperva, Inc. All rights reserved.
- 26. Skimmers KrebsOnSecurity http://krebsonsecurity.com/category/all-about-skimmers/ 26 © 2013 Imperva, Inc. All rights reserved.
- 27. Third-Party Breaches Imperva’s January 2013 HII and Imperva’s CMS Hacking Webinar http://www.imperva.com/resources/overview.html 27 © 2013 Imperva, Inc. All rights reserved.
- 28. Webinar Materials Join Imperva LinkedIn Group, Imperva Data Security Direct, for… Post-Webinar Discussions Webinar Recording Link 28 Answers to Attendee Questions Join Group © 2013 Imperva, Inc. All rights reserved. Confidential
- 29. Questions? www.imperva.com 29 © 2013 Imperva, Inc. All rights reserved. Confidential
- 30. Thank You 30 © 2013 Imperva, Inc. All rights reserved. Confidential
Editor's Notes
- #6: Unlike CIS or SANS which are Benchmarks, PCI DSS is a mandateThis is the one standard that impacted actual information security most in the past decadeEvolution has three aspects: language, requirements, approach to deployment and process around standard evaluation.Barry : this is the regulation intro. Add the payment industry POV.
- #7: Timeline is morespead out than in the past, very mature regulation.
- #9: Theme around POS security.
- #10: Way to detect skimmers -> if someone hangs too long next to an ATM, that should raise a red flag
- #11: ClearForest Company that provides BOFA with analytics, breached -> BOFA data compromised
- #14: Coding technique to document how PAN/SAD is handled in memory to minimize potential exposure
- #20: PCI 2.0 to promote PCI in spirit. Overall security (scope, risk-based and all custom-apps)
- #21: Coding technique to document how PAN/SAD is handled in memory to minimize potential exposure
- #22: Coding technique to document how PAN/SAD is handled in memory to minimize potential exposure
- #23: Coding technique to document how PAN/SAD is handled in memory to minimize potential exposure
- #24: Coding technique to document how PAN/SAD is handled in memory to minimize potential exposure
- #25: PCI 2.0 to promote PCI in spirit. Overall security (scope, risk-based and all custom-apps)
- #26: Coding technique to document how PAN/SAD is handled in memory to minimize potential exposure
- #27: Coding technique to document how PAN/SAD is handled in memory to minimize potential exposure
- #28: http://www.imperva.com/resources/overview.html