Sneak Preview: What to Expect from PCI DSS v. 2.0

Presentation Transcript



Changes

Clarifications

Guidance

Sneak Preview: What to Expect from PCI DSS v. 2.0



Agenda

  • PCI DSS in context

  • New PCI version in October – “fine tuning”

    • Lifecycle

    • Cardholder data discovery

    • Clarifications

    • SAQ revisions

    • Emerging technology guidance

  • What this means for you



403 Labs, LLC

  • Information security consulting firm

  • Payment Card Industry:

    • Qualified Security Assessor (QSA)

    • Payment Application QSA (PA-QSA)

    • Approved Scanning Vendor (ASV)

  • Work with service providers and merchants of all sizes



PCI DSS: 6 Goals, 12 Requirements



Some PCI DSS Basics

  • Payment Card Industry Data Security Standard

  • Goal is to protect Cardholder Data

    • And to keep you out of the headlines

  • If you take plastic, PCI applies to you

    • “Store, process, or transmit” cardholder data

  • Whole of PCI DSS applies to all merchants

  • New PCI release due October 2010

    • Reflect latest attack vectors, technology, practices

  • PCI does not make you secure



Some PCI DSS Basics (cont.)

  • Each card brand has its own security program

    • Merchant levels

    • Validation (e.g., MasterCard’s new rules)

    • Penalties, fees

  • Safe harbor – can it exist?

  • Compliance

    • People, process, technology

    • No “silver bullet”



PCI DSS v. 2.0 – Lifecycle

  • 3-Year Lifecycle

    • Announced in June

    • Consistency: PCI DSS, PA-DSS, PCI PTS

    • Interim versions for errata, new threats

    • FAQ, supplements to continue

  • Benefits

    • Fewer new requirements

    • More time for implementation and feedback

    • Version 1.2 sunset December 2011



PCI DSS v. 2.0 – Lifecycle



PCI DSS v. 2.0 – Data Discovery

  • Cardholder data discovery “methodology”

    • Find all your electronic cardholder data

    • “Data leakage”

    • Data breaches and “unknown unknowns”
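The data discovery slide above says to find all electronic cardholder data, including the copies nobody knows about. As an added example that is not part of the original presentation or of 403 Labs' own tooling, here is a minimal PAN discovery scan in Python: it pulls 13 to 19 digit candidates out of text, screens them with the Luhn check digit so that order ids and timestamps are mostly ignored, and reports each hit truncated to first six and last four digits so the scanner's own output does not become another store of cardholder data. The sample log lines are constructed; the two numbers it finds are the public Visa and MasterCard test numbers, not real cards, and the third is the slide's own sample value, which happens to fail Luhn.

```python
import re
from typing import List, Tuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not part of a longer run of digits (so a 20-digit session id is skipped).
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test: screens out most numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate(pan: str) -> str:
    """Keep only the first six and last four digits (PCI DSS truncation rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> List[Tuple[int, str]]:
    """Return (line number, truncated PAN) for every Luhn-valid candidate in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in _CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append((lineno, truncate(digits)))
    return findings


# Constructed sample: application log lines of the kind that leak cardholder data.
# 4111 1111 1111 1111 and 5555 5555 5555 4444 are public test numbers, not real cards.
SAMPLE_LOG = """\
2010-08-12 14:02:11 INFO  order=10423 status=approved
2010-08-12 14:02:11 DEBUG raw_request pan=4111 1111 1111 1111 exp=1212
2010-08-12 14:02:12 DEBUG retry pan=5555-5555-5555-4444
2010-08-12 14:02:13 INFO  trace_id=4123456789012345 (16 digits, fails Luhn)
2010-08-12 14:02:14 INFO  session=12345678901234567890 (20 digits, too long)
"""

if __name__ == "__main__":
    for lineno, masked in find_pans(SAMPLE_LOG):
        print(f"line {lineno}: {masked}")
```

Run against the sample it reports lines 2 and 3 only. The Luhn test is a filter, not proof: roughly one in ten random digit strings of the right length passes it, so a real discovery pass over file shares, databases and log archives still needs a human to confirm hits, and it should be repeated, since "find all your cardholder data" is a recurring task rather than a one-off.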



PCI DSS v. 2.0 – Hashing

  • Hashing

    • Produces a unique, fixed-length output for each unique input

    • Hash functions are not keyed/reversible

    • Hash may include a “salt”



PCI DSS v. 2.0 – Segmentation

  • Network segmentation is not required, but recommended

    • Isolate systems that “store, process, or transmit” CHD

    • Limit PCI scope



PCI DSS v. 2.0 – SAQs

  • Goal is to remove ambiguities

  • Expect minor but critical changes clarifying who can use them

  • Will we see new SAQ(s)?



PCI DSS v. 2.0 – Guidance

  • Emerging technologies

    • Virtualization

    • Tokenization

    • End-to-end encryption

    • EMV standard (chip cards)

  • PCI Council guidance for compliance

    • Impact on PCI

    • Map to PCI requirements



PCI DSS v. 2.0 – Tokenization

  • A data security technology in which strings of random characters, called tokens, are used in lieu of other, more valuable data such as PANs

  • Vendor and in-house solutions

  • Tokenization can reduce (not eliminate) PCI scope

    • Everything depends on implementation

Diagram: Plaintext 4123 4567 8901 2345 → Tokenization Engine → Ciphertext 8894 7296 6294 0598; mapping held in a Secure Repository



PCI DSS v. 2.0 – End-to-End Encryption

  • Encryption: a cryptographic process for disguising data by applying a series of complex mathematical operations to data to render it unreadable to anyone without the proper decryption key

  • Encryption is a keyed, reversible function

  • Security depends on the key

    • A big number that, if compromised, means bye-bye security

  • Encrypted data are still in PCI scope

Diagram: Plaintext 4123 4567 8901 2345 → Encryption (Key 7693398720684553) → Ciphertext 8894 7296 6294 0598



PCI DSS v. 2.0 – End-to-End Encryption

  • Really “point-to-point”

  • End-to-End encryption

    • PAN encrypted from POS terminal all the way through the payment processing cycle

    • CHD always stored and transmitted as ciphertext

    • Critical element: merchant cannot decrypt

  • For more information

    • PCI Council guidance documents, FAQ

    • Visa’s best practices for data field encryption



PANs, Hashes, Encryption, Tokens
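The hashing, tokenization and end-to-end encryption slides above, and this comparison slide, describe four ways one PAN can be represented. The following is an added example, not from the presentation or from 403 Labs, that puts the four side by side in Python so the properties the slides list can be checked directly: truncation drops digits, a salted hash is fixed-length and one-way, a token is random data that only the vault can map back, and encryption is keyed and reversible, so whoever holds the key can recover the PAN. The sample PAN is the slide's 4123 4567 8901 2345 (a constructed value). The names `TokenVault`, `hash_pan`, `encrypt`, `decrypt` and `demo` are mine, and the cipher is a demonstration construction built from HMAC-SHA256 in counter mode with an HMAC tag; it is there to show the keyed/reversible property, not to stand in for a vetted cipher.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Sample PAN taken from the slide diagram (a constructed value, not a real card number).
PAN = "4123456789012345"


def truncate(pan: str) -> str:
    """Truncation: keep at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan: str, salt: bytes) -> str:
    """Salted one-way hash: fixed-length output, not keyed, not reversible.
    The salt must be kept secret and stored apart from the hashes."""
    return hashlib.sha256(salt + pan.encode()).hexdigest()


class TokenVault:
    """Secure repository for tokenization. A token is a random digit string of the
    same length as the PAN, so it reveals nothing about the PAN; only the vault,
    which stays inside the cardholder data environment, can map it back."""

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}
        self._token_by_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if pan in self._token_by_pan:            # same PAN always gets the same token
            return self._token_by_pan[pan]
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(len(pan)))
            if token != pan and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        return self._pan_by_token.get(token)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a pseudorandom keystream (demo only)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def _subkeys(key: bytes):
    """Derive separate encryption and authentication keys from one master key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def encrypt(key: bytes, plaintext: str) -> bytes:
    """Keyed, reversible: returns nonce || ciphertext || tag. Demonstration
    construction; production systems use a vetted authenticated cipher (e.g. AES-GCM)."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> Optional[str]:
    """Returns None when the key is wrong or the blob was altered."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()


def demo(pan: str = PAN) -> dict:
    """Apply all four transformations to one PAN and report their properties."""
    salt, key = secrets.token_bytes(16), secrets.token_bytes(32)
    vault = TokenVault()
    token = vault.tokenize(pan)
    blob = encrypt(key, pan)
    return {
        "truncated": truncate(pan),                         # '412345******2345'
        "hash_length": len(hash_pan(pan, salt)),            # always 64 hex characters
        "hash_deterministic": hash_pan(pan, salt) == hash_pan(pan, salt),
        "hash_changes_with_salt": hash_pan(pan, salt) != hash_pan(pan, secrets.token_bytes(16)),
        "token": token,
        "token_differs_from_pan": token != pan,
        "vault_reverses_token": vault.detokenize(token) == pan,
        "encrypt_roundtrip": decrypt(key, blob) == pan,
        "wrong_key_decrypts": decrypt(secrets.token_bytes(32), blob) is not None,
    }
```

The scope consequences follow from the properties: the truncated value and the salted hash cannot be turned back into the PAN, which is why the emerging technologies slide says only those two remove CHD from scope today; the ciphertext can be reversed by anyone holding the key, so encrypted data stay in scope and the key becomes the asset to protect (and in a true end-to-end design the merchant never holds it); and the token is only as safe as the vault that maps it back, which is the "everything depends on implementation" point from the tokenization slide.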



PCI DSS v. 2.0 – Emerging Technologies

  • Encryption, tokenization are still maturing

    • May not work with all applications, systems

    • Standards?

    • Lots of marketing hype

  • Encryption security depends on protecting key

  • Look for guidance from PCI Council

    • Don’t expect specifics on implementation

  • Read Visa’s best practices document

  • As of today, only truncation and hashing remove CHD from scope



PCI DSS v. 2.0 – Get Smart

  • PCI Council FAQ

  • PCI Council courses

    • Standards training

    • Independent Security Assessor (ISA)

  • Other PCI training options



PCI DSS v. 2.0 – Conclusions

  • Expect refinements, not major changes

  • 3-year lifecycle for each standard

  • Find your CHD…all of it!

  • Revised SAQs should help

  • Guidance on emerging technologies

  • Announcements, webinars over the summer

  • DSS v. 2.0 not unveiled until September?



What to Expect from PCI DSS v. 2.0

  • Questions? Comments? Thoughts?

  • Thank you!

    [email protected]

    See my PCI column at StorefrontBacktalk.com

    Higher Ed PCI blog: treasuryinstitutepcidss.blogspot.com

