PCI-DSS v3.0: What You Need to Know

Barry Shteiman – Director of Security Strategy
11/7/2013


© 2013 Imperva, Inc. All rights reserved.

Confidential
Agenda
• PCI-DSS Themes and Drivers
• Dates and Deadlines
• New Requirements
• Web App Compliance


© Copyright 2012 Imperva, Inc. All rights reserved.
Today’s Speaker - Barry Shteiman
• Director of Security Strategy
• Security Researcher working with the CTO office
• Author of several application security tools, including HULK
• Open source security projects code contributor
• CISSP
• Twitter @bshteiman

Introducing PCI-DSS 3.0

PCI-DSS
Payment Card Industry (PCI) Data Security Standard (DSS)
“A set of control requirements created to help protect cardholder data.”
• Industry driven
  • From conception to enforcement
• Evolving
  • 4th version over 7 years
  • Rate of releases has slowed – 3 years since the v2.0 release
• Concise and pragmatic
  • Does not avoid naming technologies
  • Calls out threats by name
  • Very specific about data scope

PCI-DSS Evolution
• PCI 1.0 – December 2004
  • 12 major sections
• PCI 1.1 – September 2006
  • App security, compensating controls
• PCI 1.2 – October 2008
  • Risk based approach, emphasis on wireless
• PCI 2.0 – October 2010
  • Definition of scope, clarifications
• PCI 3.0 – November 2013
  • Consistency for assessors, risk based approach, flexibility

PCI-DSS 3.0 Key Drivers
• Lack of education and awareness
• Weak passwords, authentication
• Third-party security challenges
• Slow self-detection, malware
• Inconsistency in assessments

General Themes
• Penetration testing gets real
  • More explicitly-defined penetration test guidelines
• Skimmers, skimmers and more skimmers
  • New requirement to maintain a list of POS devices, periodically inspect devices and train personnel
  • Inclusion of POS devices in other sections
• Service provider accountability
• PCI requirement clarifications and details

Why Protect Point-of-Sale Devices?
Physical data theft incidents from the 2013 Verizon Data Breach Incident Report

Source: http://www.verizonenterprise.com/DBIR/
Service Provider Accountability
Third-party awareness at the compliance level

Source: http://www.bankinfosecurity.com/bofa-confirms-third-party-breach-a-5582
PCI DSS 3.0 Dates and Deadlines
• Publication Date: November 7, 2013
• Effective Date: January 1, 2014
  • Version 2.0 will remain active until December 31, 2014
• Deadline for New Requirements: June 30, 2015

What’s New?
New requirements added in PCI-DSS 3.0

New Req. 6.5.6
Insecure handling of credit card and authentication data in memory.
Compliance:
• Document how PAN/SAD (primary account number / sensitive authentication data) is handled in memory to minimize exposure

New Req. 6.5.11
Broken authentication & session management.

Compliance:
• Flag session tokens
• Don’t expose session ID in URL
• Implement time-outs
• Prevent User ID manipulation
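The four compliance points above, carried into a minimal server-side session handler. This is an added example, not code from the deck or from Imperva; the Request class, the in-memory store and the 15-minute idle limit are constructed assumptions, and the cookie flags shown are the standard Set-Cookie attributes.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed idle limit; set per your policy


@dataclass
class Session:
    user_id: str
    last_seen: float  # epoch seconds of the last accepted request


@dataclass
class Request:
    """Constructed stand-in for an HTTP request: only the parts we need."""
    cookies: Dict[str, str] = field(default_factory=dict)
    query: Dict[str, str] = field(default_factory=dict)


class SessionStore:
    def __init__(self, idle_timeout: float = IDLE_TIMEOUT_SECONDS):
        self.idle_timeout = idle_timeout
        self._sessions: Dict[str, Session] = {}

    def create(self, user_id: str, now: float) -> str:
        # 256-bit token from the OS CSPRNG; never derived from the user ID
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user_id=user_id, last_seen=now)
        return token

    @staticmethod
    def cookie_header(token: str) -> str:
        # "Flag session tokens": Secure (sent over TLS only), HttpOnly (not
        # readable by script), SameSite=Strict (not sent cross-site)
        return f"session={token}; Path=/; Secure; HttpOnly; SameSite=Strict"

    def resolve(self, request: Request, now: float) -> Tuple[str, Optional[Session]]:
        # "Don't expose session ID in URL": a token arriving in the query
        # string is treated as a policy violation, never as a credential
        if "session" in request.query:
            return "token_in_url", None
        token = request.cookies.get("session")
        if token is None:
            return "no_session", None
        session = self._sessions.get(token)
        if session is None:
            return "unknown_session", None
        # "Implement time-outs": idle sessions are destroyed server-side,
        # so a stolen token stops working even if the client keeps it
        if now - session.last_seen > self.idle_timeout:
            del self._sessions[token]
            return "expired", None
        session.last_seen = now
        return "ok", session

    def destroy(self, token: str) -> None:
        self._sessions.pop(token, None)


def handle_account_request(store: SessionStore, request: Request,
                           now: float) -> Tuple[str, Optional[str]]:
    """Return (status, user_id whose account data would be served).

    "Prevent User ID manipulation": identity comes only from the server-side
    session. A user_id query parameter is tolerated only when it matches the
    session owner; any other value is rejected as tampering.
    """
    status, session = store.resolve(request, now)
    if session is None:
        return status, None
    requested = request.query.get("user_id")
    if requested is not None and requested != session.user_id:
        return "user_id_mismatch", None
    return "ok", session.user_id


if __name__ == "__main__":
    store = SessionStore()
    tok = store.create("alice", now=1000.0)
    print(SessionStore.cookie_header(tok))
    print(handle_account_request(store, Request(cookies={"session": tok}), 1100.0))
    print(handle_account_request(store, Request(query={"session": tok}), 1100.0))
    print(handle_account_request(
        store, Request(cookies={"session": tok}, query={"user_id": "bob"}), 1200.0))
    print(handle_account_request(store, Request(cookies={"session": tok}), 1200.0 + 901))
```

Logging the "token_in_url" and "user_id_mismatch" statuses gives the detection signal a WAF or SIEM rule would key on for this requirement.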

New Req. 8.5.1
Service providers with access to customer environments must use a unique authentication credential for each customer
Compliance:
• Authentication policies and procedures that mandate different authentication is used to access each customer environment
** Only mandated for service providers

New Req. 9.9
Protect POS devices that capture payment card data from tampering
Compliance:
• Maintain a list of POS devices
• Periodic inspection for tampering/substitution
• Training for awareness

Note: PCI-DSS now addresses skimmers.
New Req. 11.3
Develop a penetration testing methodology based on industry guidelines like NIST
Compliance:
• Implement a penetration testing approach based on an industry standard (like NIST SP800-115)
• Define pen-test for all layers
• Specify retention and remediation activity

New Req. 12.9
Service providers must document in writing that they will adhere to PCI DSS standards
Compliance:
• Acknowledge in writing to customers that the service provider will maintain PCI DSS in full on behalf of the customer

** Only mandated for service providers

Web Application Compliance
Using a WAF to close the compliance gap

Web application relevant requirements

[6.5.11] Broken Auth & Session Mgmt

Authentication/Session attacks
• Cookie Tampering
• Cookie Poisoning
• Session Hijacking
• Session Reuse
• Parameter Tampering
• SSL Reuse
• Brute Force

[11.3] Pen Testing and Remediation

Source: http://www.imperva.com/docs/SB_Imperva_WhiteHat.pdf
PCI-DSS Carry-ons

• Req 6.6: Protect public-facing Web applications
• Req 10: Audit all access to cardholder data
• Req 7: Limit access to systems and data on a business need to know
• Req 8.5: Identify and disable dormant user accounts and access rights
• Req 11.5: Alert personnel to unauthorized modification of files
Source: http://www.imperva.com/PCI/
Where can I learn more?

PCI

PCI-DSS Council
http://www.pcisecuritystandards.org

Imperva’s PCI Resource Center
http://www.imperva.com/PCI/

Skimmers

KrebsOnSecurity
http://krebsonsecurity.com/category/all-about-skimmers/

Third-Party Breaches
Imperva’s January 2013 HII and Imperva’s CMS Hacking Webinar
http://www.imperva.com/resources/overview.html

Webinar Materials
Join Imperva LinkedIn Group, Imperva Data Security Direct, for…
• Post-Webinar Discussions
• Webinar Recording Link
• Answers to Attendee Questions

Join Group

Questions?
www.imperva.com

Thank You


The Ultimate Guide to Choosing WordPress Pros and Cons
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 

PCI-DSS v3.0 - What you need to know

  • 1. PCI-DSS v3.0: What You Need to Know. Barry Shteiman – Director of Security Strategy. 11/7/2013. © 2013 Imperva, Inc. All rights reserved. Confidential
  • 2. Agenda
    • PCI-DSS Themes and Drivers
    • Dates and Deadlines
    • New Requirements
    • Web App Compliance
  • 3. Today’s Speaker - Barry Shteiman
    • Director of Security Strategy
    • Security Researcher working with the CTO office
    • Author of several application security tools, including HULK
    • Open source security projects code contributor
    • CISSP
    • Twitter @bshteiman
  • 4. Introducing PCI-DSS 3.0
  • 5. PCI-DSS: Payment Card Industry (PCI) Data Security Standard (DSS). “A set of control requirements created to help protect cardholder data.”
    • Industry driven: from conception to enforcement
    • Evolving: 4th version over 7 years; rate of releases has slowed – 3 years since v2.0 release
    • Concise and Pragmatic: does not avoid naming technologies; calls out threats by name; very specific about data scope
  • 6. PCI-DSS Evolution
    • PCI 1.0 – December 2004: 12 major sections
    • PCI 1.1 – September 2006: app security, compensating controls
    • PCI 1.2 – October 2008: risk based approach, emphasis on wireless
    • PCI 2.0 – October 2010: definition of scope, clarifications
    • PCI 3.0 – November 2013: consistency for assessors, risk based approach, flexibility
  • 7. PCI-DSS 3.0 Key Drivers
    • Lack of education and awareness
    • Weak passwords, authentication
    • Third-party security challenges
    • Slow self-detection, malware
    • Inconsistency in assessments
  • 8. General Themes
    • Penetration testing gets real: more explicitly-defined penetration test guidelines
    • Skimmers, skimmers and more skimmers: new requirement to maintain a list of POS devices, periodically inspect devices and train personnel; inclusion of POS devices in other sections
    • Service provider accountability
    • PCI requirement clarifications and details
  • 9. Why Protect Point-of-Sale Devices? Physical data theft incidents from the 2013 Verizon Data Breach Incident Report. Source: http://www.verizonenterprise.com/DBIR/
  • 10. Service Providers accountability: third-party awareness at the compliance level. Source: http://www.bankinfosecurity.com/bofa-confirms-third-party-breach-a-5582
  • 11. PCI DSS 3.0 Dates and Deadlines
    • Publication Date: November 7, 2013
    • Effective Date: January 1, 2014 (Version 2.0 will remain active until December 31, 2014)
    • Deadline for New Requirements: June 30, 2015
  • 12. What’s New? New requirements added in PCI-DSS 3.0
  • 13. New Req. 6.5.6: Insecure handling of credit card and authentication data in memory. Compliance: document how PAN/SAD is handled in memory to minimize exposure
  • 14. New Req. 6.5.11: Broken authentication & session management. Compliance:
    • Flag session tokens
    • Don’t expose session ID in URL
    • Implement time-outs
    • Prevent User ID manipulation
  • 15. New Req. 8.5.1: Service providers with access to customer environments must use a unique authentication credential for each customer. Compliance: authentication policies and procedures to mandate that different authentication is used to access each customer environment. ** Only mandated for service providers
  • 16. New Req. 9.9: Protect POS devices that capture payment card data from tampering. Compliance:
    • Maintain a list of POS devices
    • Periodic inspection for tampering/substitution
    • Training for awareness
    Note: PCI-DSS now addresses skimmers.
  • 17. New Req. 11.3: Develop a penetration testing methodology based on industry guidelines like NIST. Compliance:
    • Implement a penetration testing approach based on an industry standard (like NIST SP800-115)
    • Define pen-test for all layers
    • Specify retention and remediation activity
  • 18. New Req. 12.9: Service providers must document in writing that they will adhere to PCI DSS standards. Compliance: acknowledge in writing to customers that the service provider will maintain PCI DSS in full on behalf of the customer. ** Only mandated for service providers
  • 19. Web Application Compliance: using a WAF to close the compliance gap
  • 20. Web application relevant requirements
  • 21. [6.5.11] Broken Auth & Session Mgmt. Authentication/Session attacks:
    • Cookie Tampering
    • Cookie Poisoning
    • Session Hijacking
    • Session Reuse
    • Parameter Tampering
    • SSL Reuse
    • Brute Force
  • 22. [11.3] Pen Testing and Remediation. Source: http://www.imperva.com/docs/SB_Imperva_WhiteHat.pdf
  • 23. PCI-DSS Carry-ons
    • Req 6.6: Protect public-facing Web applications
    • Req 10: Audit all access to cardholder data
    • Req 7: Limit access to systems and data on a business need to know
    • Req 8.5: Identify and disable dormant user accounts and access rights
    • Req 11.5: Alert personnel to unauthorized modification of files
    Source: http://www.imperva.com/PCI/
  • 24. Where can I learn more?
  • 25. PCI-DSS Council: http://www.pcisecuritystandards.org. Imperva’s PCI Resource Center: http://www.imperva.com/PCI/
  • 27. Third-Party Breaches: Imperva’s January 2013 HII and Imperva’s CMS Hacking Webinar. http://www.imperva.com/resources/overview.html
  • 28. Webinar Materials: join the Imperva LinkedIn Group, Imperva Data Security Direct, for post-webinar discussions, the webinar recording link and answers to attendee questions.
  • 29. Questions? www.imperva.com
  • 30. Thank You
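Slide 13 states Req. 6.5.6 only as "document how PAN/SAD is handled in memory to minimize exposure". The following is an added Python illustration of one coding technique behind that requirement; it is not code from the deck or from Imperva. The idea is to hold the PAN in a mutable buffer, derive only the artefacts the application is allowed to keep (a masked form and a keyed lookup reference), and overwrite the buffer in place on every exit path. The function names, the HMAC-based lookup reference and the test card number 4111111111111111 are assumptions constructed for the example. One caveat a practitioner should know: CPython strings and bytes are immutable and the interpreter may copy data internally, so this shows the discipline the requirement asks for rather than a guarantee that no copy survives; in a language with explicit memory control the same pattern maps onto explicit zeroing.

```python
"""Minimizing in-memory exposure of PAN/SAD, in the spirit of PCI-DSS 3.0 Req. 6.5.6.

Added example, not part of the presentation. Assumption: the PAN arrives as
ASCII digits in a bytearray (e.g. read straight from a socket or form buffer)
rather than as an immutable str, so it can be overwritten after use.
"""
import hashlib
import hmac
from typing import Tuple


def luhn_valid(digits: bytearray) -> bool:
    """Luhn check computed directly on the ASCII buffer, without copying it."""
    total = 0
    for i, b in enumerate(reversed(digits)):
        if not 48 <= b <= 57:            # not an ASCII digit
            return False
        d = b - 48
        if i % 2 == 1:                   # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def wipe(buf: bytearray) -> None:
    """Overwrite the buffer in place so the digits do not linger in the heap."""
    for i in range(len(buf)):
        buf[i] = 0


def process_pan(pan: bytearray, lookup_key: bytes) -> Tuple[str, str]:
    """Derive the two artefacts the application keeps, then wipe the PAN.

    Returns (masked_pan, lookup_ref). The masked form shows only the last four
    digits; the keyed hash lets records be matched without storing the PAN.
    The full PAN never leaves this function as a str or bytes object.
    """
    try:
        if not 13 <= len(pan) <= 19 or not luhn_valid(pan):
            raise ValueError("not a syntactically valid PAN")
        masked = "*" * (len(pan) - 4) + pan[-4:].decode("ascii")
        # hmac accepts the bytearray directly; bytes(pan) would create an
        # immutable copy that could not be wiped.
        lookup_ref = hmac.new(lookup_key, pan, hashlib.sha256).hexdigest()
        return masked, lookup_ref
    finally:
        wipe(pan)                        # runs on success and on the error path alike


def discard_sad(buf: bytearray) -> None:
    """Sensitive authentication data (CVV2, track data, PIN block) is used for
    authorization only and nothing is derived from or retained of it: wipe it."""
    wipe(buf)


if __name__ == "__main__":
    # Constructed sample input: a well-known test card number, not real data.
    sample = bytearray(b"4111111111111111")
    masked, ref = process_pan(sample, b"example-lookup-key")
    print(masked, ref[:16] + "...", "buffer wiped:", sample == bytearray(len(sample)))
```

The `lookup_key` should live in an HSM or key-management service in production; in this example it is a constant only so the block runs offline.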
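Slide 14 lists four compliance points for Req. 6.5.11 (flag session tokens, don't expose the session ID in the URL, implement time-outs, prevent user ID manipulation) and slide 21 lists the session attacks they address. The block below is an added Python example of all four in one small server-side session layer; it is not code from the deck or from Imperva, and it uses only the standard library so it runs without a web framework. The cookie name, the 15-minute idle and 8-hour absolute timeouts, and the `handle_account_request` handler shape are assumptions; the user names in the test are constructed.

```python
"""Session-management controls in the spirit of PCI-DSS 3.0 Req. 6.5.11.

Added example, not part of the presentation. Framework-free: the handler
receives the raw Cookie header and parsed query parameters.
"""
import secrets
import time
from dataclasses import dataclass
from http.cookies import SimpleCookie
from typing import Callable, Dict, Optional, Tuple

# Assumed policy values for the example. The idle value matches the 15-minute
# re-authentication window PCI-DSS uses; the absolute lifetime is a local choice.
IDLE_TIMEOUT_S = 15 * 60
ABSOLUTE_TIMEOUT_S = 8 * 60 * 60
COOKIE_NAME = "SESSIONID"


@dataclass
class Session:
    user_id: str          # bound server-side at login; never taken from the client
    created_at: float
    last_seen_at: float


class SessionStore:
    """Server-side session table keyed by an unguessable random token."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock              # injectable so timeouts can be tested
        self._sessions: Dict[str, Session] = {}

    def create(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)        # 256 bits of entropy, defeats guessing
        now = self._clock()
        self._sessions[token] = Session(user_id, now, now)
        return token

    def set_cookie_header(self, token: str) -> str:
        # "Flag session tokens": HttpOnly keeps script away from it, Secure keeps
        # it off plaintext HTTP, SameSite stops cross-site requests carrying it.
        return f"{COOKIE_NAME}={token}; Path=/; HttpOnly; Secure; SameSite=Strict"

    def resolve(self, token: str) -> Optional[Session]:
        sess = self._sessions.get(token)
        if sess is None:
            return None
        now = self._clock()
        idle_expired = now - sess.last_seen_at > IDLE_TIMEOUT_S
        absolute_expired = now - sess.created_at > ABSOLUTE_TIMEOUT_S
        if idle_expired or absolute_expired:     # "Implement time-outs"
            del self._sessions[token]            # an expired token cannot be reused
            return None
        sess.last_seen_at = now
        return sess

    def destroy(self, token: str) -> None:
        """Logout: invalidate server-side so the old cookie value is dead."""
        self._sessions.pop(token, None)


def token_from_cookie(cookie_header: str) -> Optional[str]:
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get(COOKIE_NAME)
    return morsel.value if morsel else None


def handle_account_request(store: SessionStore, cookie_header: str,
                           query: Dict[str, str]) -> Tuple[int, str]:
    """Return (status, body) for GET /account."""
    # "Don't expose session ID in URL": a token in the query string would be
    # written to logs, Referer headers and browser history, so reject it
    # outright rather than silently honoring it.
    if COOKIE_NAME in query:
        return 400, "session token must not appear in the URL"
    token = token_from_cookie(cookie_header)
    sess = store.resolve(token) if token else None
    if sess is None:
        return 401, "login required"
    # "Prevent User ID manipulation": the account shown is the one bound to the
    # session at login; any client-supplied user_id parameter is ignored.
    return 200, f"account of {sess.user_id}"


if __name__ == "__main__":
    store = SessionStore()
    tok = store.create("alice")                  # constructed sample user
    print(store.set_cookie_header(tok))
    print(handle_account_request(store, f"{COOKIE_NAME}={tok}", {"user_id": "bob"}))
```

The same structure covers several of the slide 21 attacks: cookie tampering and poisoning have no effect because the cookie carries only a random key into a server-side table, session reuse after logout or timeout fails because the entry is deleted, and parameter tampering of `user_id` is ignored because identity comes from the session. Brute force is addressed by the 256-bit token rather than by this code; rate limiting at the WAF or login endpoint is still needed for passwords.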

Editor's Notes

  1. Unlike CIS or SANS, which are benchmarks, PCI DSS is a mandate. This is the one standard that impacted actual information security most in the past decade. Evolution has three aspects: language, requirements, approach to deployment and process around standard evaluation. Barry: this is the regulation intro. Add the payment industry POV.
  2. Timeline is more spread out than in the past, very mature regulation.
  3. Theme around POS security.
  4. Way to detect skimmers -> if someone hangs too long next to an ATM, that should raise a red flag
  5. ClearForest Company that provides BOFA with analytics, breached -> BOFA data compromised
  6. Coding technique to document how PAN/SAD is handled in memory to minimize potential exposure
  7. PCI 2.0 to promote PCI in spirit. Overall security (scope, risk-based and all custom-apps)
  8. Coding technique to document how PAN/SAD is handled in memory to minimize potential exposure
  9. Coding technique to document how PAN/SAD is handled in memory to minimize potential exposure
  10. Coding technique to document how PAN/SAD is handled in memory to minimize potential exposure
  11. Coding technique to document how PAN/SAD is handled in memory to minimize potential exposure
  12. PCI 2.0 to promote PCI in spirit. Overall security (scope, risk-based and all custom-apps)
  13. Coding technique to document how PAN/SAD is handled in memory to minimize potential exposure
  14. Coding technique to document how PAN/SAD is handled in memory to minimize potential exposure
  15. http://www.imperva.com/resources/overview.html