PCI DSS and Other Related Updates

© 2019 ControlCase All Rights Reserved
PCI DSS and Other Related
Updates
Your IT Compliance Partner –
Go Beyond the Checklist

Our Agenda 2
4
2
3
Your IT Compliance
Partner –
Go beyond the
checklist
ControlCase Introduction
PCI DSS ver. 4
PA DSS and SSF Update
P2PE, PCI PIN, PCI 3DS Update
Chronological Time-frame
for various standards
5
1

ControlCase Introduction1

ControlCase Snapshot 4
Certification and ContinuousCompliance Services
Go beyond the auditor’s checklist to:
Dramatically cut the time, cost and burden from becoming certified and
maintaining IT compliance
• Demonstrate compliance more efficiently
and cost effectively (cost certainty)
• Improve efficiencies
• Do more with less resources and gain
compliance peace of mind
• Free up your internal resources to focus
on their priorities
• Offload much of the compliance burden
to a trusted compliance partner
1000+
Clients
250+
Security Experts
10,000+
IT Security Certifications

Solution 5
Certification and Continuous Compliance Services
Automation
-DrivenSkyCAM
Partnership
Approach
IT Certification
Services
Continuous Compliance
Services
“I’ve worked on both sides of
auditing. I have not seen any
other firm deliver the same
product and service with the
same value. No other firm
provides that continuous
improvement and the level of
detail and responsiveness.”
Security and Compliance
Manager, Data Center

Certification Services 6
OneAudit – Collect Once, Certify Many
PCI DSS ISO 27001 &
27002
SOC 1, SOC 2, SOC 3,
& SOC for Cybersecurity HITRUST CSF
HIPAA PCI P2PE GDPR NIST 800-53
PCI PIN PCI PA-DSS FISMA PCI 3DS
“You have 27 seconds to make a
first impression. And after our
initial meeting, it became clear
that they were more interested
in helping our business and
building a relationship, not just
getting the business.”
Sr. Director, Information Risk &
Compliance, Large Merchant
Automation-
DrivenSkyCAM
Partnership
Approach
IT Certification
Services
Services

PCI DSS ver. 42

PCI Standards at a glance 8
8
 PCI DSS Security of Environments that store, process or transmit
account data
 PCI PA-DSS Secures payment applications support PCI DSS
compliance
 PCI P2PE Ensures data is encrypted at POI and can only be
decrypted by dedicated environment
 PCI TSP Requirements for token service providers for EMV
Payment tokens
 PCI Card Production Physical and logical security requirements for card
manufacturing and personalization
 PCI 3DS Physical and logical requirements for entities that
implement 3DS Payment solution
 PCI PTS – HSM Physical and logical controls for securing HSM
 PCI PTS – POI Protection of sensitive data at POI
 PCI PTS – PIN Security Secure management, processing and transmission of PIN
data

Important Disclosure
9
9
• Information provided here is ControlCase opinion and does not
represent the position of the PCI Security Standards Council
• Information for PCI DSS 4.0 is based on an early draft of the
standard that will most likely change significantly over the next
months
• For authoritative information from the Council on PCI DSS 4.0,
please visit the PCI SSC website,
• https://blog.pcisecuritystandards.org/topic/request-for-comments
• https://blog.pcisecuritystandards.org/request-for-comments-pci-dss-version-4.0

Goals for the proposed updates to PCI DSS v4.0
10
10
• Key Priorities for PCI DSS ver. 4 are security and flexibility
• Address evolving risks and threats to payment data
• Reinforce security as a continuous process
• Support use of different security technologies that meet the
intent of PCI DSS requirements
• Source
• https://blog.pcisecuritystandards.org/3-things-to-know-about-pci-dss-v4-0-development

High level areas we know so far about PCI ver. 4.0
11
11
• Not anticipated until late 2020, at the earliest
• Traditional methods for validating PCI DSS are not going away
• A new, customized validation approach which identifies the
security outcome is a new option added in ver. 4.0
• Unlike compensating controls, customized validation will not
require a business or technical justification for meeting the
requirement using alternative methods
• Source
• https://blog.pcisecuritystandards.org/5-questions-about-pci-dss-v4-0

PA DSS and Software Security Framework (PCI SSF)3

What is the PCI Software Security Framework?
13
13
• It is collection of related software security standards, and
associated validation and listing programs.
• There are currently two standards under the PCI Software
Security Framework:
• Secure Software Standard
• Secure Software Lifecycle (Secure SLC) Standard
• Source
• https://blog.pcisecuritystandards.org/just-published-new-pci-software-security-standards

About PCI Secure Software Standard
14
14
• Intent of this standard is similar to PA-DSS standard
• Applies to payment software that is sold, distributed, or licensed
to third parties
• Program will be launched in late 2019
• All current PA-DSS listings will be valid through expiry (i.e. until
2022)
• Submission of new PA-DSS will end in mid-2020

About Secure Software Lifecycle Standard
15
15
• Introduced as part of framework to enhance the methodology
for “change management” of various versions of software that
will be validated as per “Secure Software Standard”
• It is set of security requirements to validate how software vendor
properly manage the security of payment software throughout
the software lifecycle.
• NOTE: This will be a certification provided to vendors
demonstrating mature secure lifecycle

P2PE ver. 2 and ver. 34

P2PE updates and new concepts
17
17
• Current version of P2PE is ver. 2
• P2PE v3.0 is expected for publication in December 2019
• Changes to security requirements are minor
• Significant program changes in ver. 3
• Merchants considering a P2PE solution should not wait for ver. 3 as
ver. 2 provides the same level of security
• Ver. 3 provides flexibility in listing of individual components which
would provide flexibility in the ecosystem
• Source
• https://blog.pcisecuritystandards.org/3-things-to-know-about-p2pe-v3-0

PCI PIN, PCI 3DS and Card Production overview5

PCI PIN Security
19
19
• The PCI PIN Standard addresses the security controls associated with the secure management,
processing, and transmission of personal identification number (PIN) data (POS) terminals.
• Current version of PCI PIN Security is 3.0
• Applies to online and offline payment card transaction processing at ATMs
• Applies to both attended and unattended point-of-sale (POS)
• Assists all retail electronic payment system participants in establishing assurances that cardholder
PINs will not be compromised.

PCI 3DS Standard Overview
20
20
• PCI 3DS Core Security Standard defines physical and logical security requirements and assessment
procedures for entities that perform or provide the following functions, as defined in theEMV®3-D
Secure Protocol and Core Functions Specification:
• 3DS Server(3DSS)
• 3DS Directory Server (DS)
• 3DS Access Control Server (ACS)
• Current version of PCI 3DS Core Security Standard is 1.0
• It applies to environments where ACS, DS, and/or 3DSS functions are performed. Typically, this will
consist of the 3DS Environment (3DE),which contains system components involved in performing or
facilitating 3DS transactions, as well as system components supporting the 3DE

Card Production overview
21
21
• The Card Production Security Assessor (CSPA) Program will qualify companies and train security
professionals to perform assessments using the Card Production and Provisioning Logical Security
Requirements and Card Production and Provisioning Physical Security Requirements (also known as
the Card Production Security Standards).
• A Card Production Entity performs card production and provisioning activities such as data
preparation, manufacturing, pre-personalization, card embossing, chip embedding, card
personalization, chip personalization, PIN generation, PIN mailers, card carriers, and distribution.
• There are two aspects to a card production security assessment – logical and physical.

Timeframe – PCI DSS, PA DSS, PCI SSF and P2PE6

Summary Timeline : PCI, PA DSS, P2PE and PCI SSF
23
23
PCI DSS ver. 4
Anticipated
late 2020
PCI Software Security
Framework Program
Launched late 2019
PA DSS submissions
Accepted until
mid 2020
PA DSS listings
expire 2022
P2PE ver. 3 expected
to be published
Dec 2019

ControlCase Certification Services6

Certification Services 25
OneAudit – Collect Once, Certify Many
PCI DSS ISO 27001 &
27002
SOC 1, SOC 2, SOC 3,
& SOC for Cybersecurity HITRUST CSF
HIPAA PCI P2PE GDPR NIST 800-53
PCI PIN PCI PA-DSS FISMA PCI 3DS
“You have 27 seconds to make a
first impression. And after our
initial meeting, it became clear
that they were more interested
in helping our business and
building a relationship, not just
getting the business.”
Sr. Director, Information Risk &
Compliance, Large Merchant
Automation-
DrivenSkyCAM
Partnership
Approach
IT Certification
Services
Services

Summary – Why ControlCase 26
“They provide excellent service, expertise and technology. And, the
visibility into my compliance throughout the year and during the audit
process provide a lot of value to us.”
Dir. of Compliance, SaaS company
Your IT Compliance Partner –
Go beyond the auditor’s checklist
Partnership
Approach
SkyCAM
IT
Compliance
Portal
Automation
driven Continuous Compliance
Services

Email
contact@controlcase.com
Telephone
Americas +1.703-483-6383
India: +91.22.50323006
Social Media
Conection Suport
www.facebook.com/user
www.linkedin.com/user
Visit our website
www.controlcase.com
THANK YOU FOR THE OPPORTUNITY TO CONTRIBUTE
TO YOUR
IT COMPLIANCE PROGRAM

PCI DSS and Other Related Updates

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à PCI DSS and Other Related Updates

Similaire à PCI DSS and Other Related Updates (20)

Plus de ControlCase

Plus de ControlCase (16)

Dernier

Dernier (20)

PCI DSS and Other Related Updates

Notes de l'éditeur