PCI DSS: New Requirements in 2018

Nine new PCI DSS requirements will become required as of February 1, 2018. Until February 1, 2018, they will be considered best practices. While there are only nine new items, they could have a significant impact on your environment. If you have not already started to work on these items, you are likely already behind. In this webinar, Jeff Wilder will discuss how to prepare for and implement these requirements.

The new PCI DSS requirements for everyone include:

  • 6.4.6 – Upon completion of a significant change, all relevant PCI DSS requirements must be implemented on all new or changed systems and networks, and documentation updated as applicable.
  • 8.3.1 – Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.

The new PCI DSS requirements for service providers include:

  • 3.5.1 – Maintain a documented description of the cryptographic architecture.
  • 10.8 – Implement a process for the timely detection and reporting of failures of critical security control systems.
  • 10.8.1 – Respond to failures of any critical security controls in a timely manner.
  • 11.3.4.1 – If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods.
  • 12.11 – Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures.
  • 12.11.1 – Maintain documentation of quarterly review process.

Listen to the full webinar to learn how your organization can prepare for these changes. For additional information on PCI compliance, contact me at j.kersten@kirkpatrickprice.com.

PCI Readiness Series: PCI Requirement 12

PCI Requirement 12: Maintaining an Information Security Policy

When creating an information security policy, an organization must create a policy that addresses information security for all personnel. Let’s emphasize “all” – this policy is not just for the IT department but is for anyone that would/could be involved in some capacity with storing, processing, and transmitting cardholder data. PCI Requirement 12 helps oversee and govern an organization’s PCI DSS compliance program.

In this webinar, our panelist will discuss the 10 sub-requirements of PCI Requirement 12, which include:

Requirement 12.1 – You must keep a current set of policies accessible to all relevant personnel.

Requirement 12.2 – Risk assessment is performed at least annually, and also whenever business objectives change.

Requirement 12.3 – Develop usage policies for critical technologies.

Requirement 12.4 – Security policies must define responsibilities for all users.

Requirement 12.5 – Security management and activities must be formally assigned.

Requirement 12.6 – Implement a formal security awareness program.

Requirement 12.7 – Screen potential personnel prior to hire to minimize the risk of attacks from internal sources.

Requirement 12.8 – Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data.

Requirement 12.9 – Service providers must acknowledge in writing that they are responsible for the security of cardholder data they possess or store, process, transmit on behalf of the customer, or to the extent that they could impact the security of the cardholder data environment.

Requirement 12.10 – Implement an incident response plan.

The PCI DSS isn’t just a technical standard; it includes people, processes, and technology. Furthermore, your organization’s policies and procedures are not just pieces of paper. They are an executive-level edict that defines how the business will be run. It’s not enough to have policies and procedures. You must make sure that your policies and procedures are effective and actually implemented, so that they function properly and as you designed them. If your policies aren’t functioning, then you don’t have a policy.

To learn more about PCI compliance, check out our PCI Demystified video resources or contact us today.

PCI Readiness Series: PCI Requirement 11

PCI Requirement 11: Validating Your Security Program

This session in our PCI Readiness series focuses on Requirement 11. This requirement mandates regular monitoring and testing of security systems and processes, which validates an organization’s risk/threat management program and determines whether it is functioning correctly. To successfully validate your system, scan results should validate your risk identification and risk ranking program. Internal scan results should be used to address risk through your risk management program.

The sub-requirements of Requirement 11 include:

PCI Requirement 11.1 – Identify rogue wireless devices that may have been placed in your environment, at least quarterly. You must keep a list of what is authorized so you can define what isn’t authorized. Physical inspection is the best way to meet this objective.

PCI Requirement 11.2 – Every 90 days you are required to scan for internal and external vulnerabilities. Also, any time a significant change is made to your environment, you must perform a scan.

PCI Requirement 11.3 – You must perform a penetration test at least annually and after any significant change is made. It must be performed by a qualified individual, cover both internal and external testing, cover the application and network layers, validate that segmentation is effective, and the results of the test and remediation must be kept for your audit.

PCI Requirement 11.4 – Install an IDS/IPS at the perimeter and at critical locations within the CDE. It needs to be configured and maintained according to the manufacturer’s standards. It can also be a host-based IDS/IPS.

PCI Requirement 11.5 – Install a File Integrity Monitoring (FIM) solution, which needs to monitor critical files, run analysis at least weekly, and follow up on any exceptions.
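As an added illustration of what a FIM solution does under 11.5 (this code is not from the webinar or from KirkpatrickPrice), the Python below takes a SHA-256 baseline of every file under a monitored directory, re-hashes on the next run, and classifies added, removed and modified files as the exceptions that need follow-up. The directory layout and file contents in `demo()` are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (path relative to root) to its hash."""
    root = Path(root)
    return {
        str(p.relative_to(root)): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_to_baseline(baseline, current):
    """Classify differences between two baselines; every entry is an exception to review."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            k for k in baseline.keys() & current.keys() if baseline[k] != current[k]
        ),
    }


def has_exceptions(report):
    """True when the weekly run found anything that needs follow-up."""
    return any(report.values())


def demo():
    """Constructed scenario: baseline a fake config directory, alter it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        # constructed sample files standing in for monitored critical files
        (root / "etc" / "app.conf").write_text("db_host=10.0.0.5\n")
        (root / "etc" / "users.txt").write_text("alice\nbob\n")
        baseline = build_baseline(root)

        # simulate changes that happened between two scheduled runs
        (root / "etc" / "app.conf").write_text("db_host=203.0.113.9\n")  # modified
        (root / "etc" / "extra.conf").write_text("debug=true\n")          # added
        return compare_to_baseline(baseline, build_baseline(root))


if __name__ == "__main__":
    report = demo()
    print("exceptions found" if has_exceptions(report) else "no changes", report)
```

The baseline itself is a critical file: keep it (and the hashing code) somewhere the monitored host cannot rewrite, otherwise an attacker who changes a file can also update the record that would have flagged it. A production FIM also records who changed the file and when, which is what the follow-up under 11.5 needs.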

To learn more about PCI compliance, check out our PCI Demystified video resources or contact us today.

PCI Readiness Series: PCI Requirement 10

PCI Requirement 10: Tracking and Monitoring All Access to Network Resources and Cardholder Data

This session in our PCI Readiness series spotlights PCI Requirement 10, which examines the tracking and monitoring of all access to network resources and cardholder data. Our panelist for this session, Jeff Wilder, explains each part of PCI Requirement 10 in detail, along with some of the common struggles that come along with this requirement.

Complying with PCI Requirement 10 is critical to your organization’s security. The PCI DSS states, “Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting, and analysis when something does go wrong. Determining the cause of a compromise is very difficult, if not impossible, without system activity logs.”

In this webinar, you will learn about topics related to PCI Requirement 10, such as:

  • Why is this a comprehensive requirement?
  • What does this requirement apply to?
  • What are the common struggles of Requirement 10?
  • Which elements of a breach does Requirement 10 help you identify?
  • Attackers are usually in your environment for weeks, if not months, and the data is long gone before you realize it.
  • The Verizon Breach Report noted that only 3% of breaches are identified by internal staff; all others were discovered because a third party contacted the organization.
  • All in-scope devices must have logging enabled.
  • What will cause an event to be logged?
  • What must each log contain?
  • Synchronize the time on each system so that chronological events can be properly ordered.
  • Logs must be protected from unauthorized modification.
  • Logs must be reviewed at least daily.
  • Logs must be retained for a total of 1 year, at least 3 months must be immediately available.
  • Policies and procedures must be documented, in use, and communicated to all affected users.

To learn more about PCI compliance, check out our PCI Demystified video resources or contact us today.

PCI Readiness Series: What’s New in PCI DSS 3.2?

Changes You Should Know About in PCI DSS 3.2

In this webinar, our expert panelists will discuss the changes from PCI DSS 3.1 to PCI DSS 3.2, what they mean during a PCI assessment, what you can do to implement these changes, and how to minimize their impact. There are about 30 controls that we believe may have had significant changes, and we try to cover as many as possible in this webinar.


In this webinar, we will discuss the following requirements from PCI DSS 3.2:

1.1.6 – Documentation of business justification and approval for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.

1.3.5 – Removed reference to stateful inspection and restated as “allow only established connections”.

1.4 – Install a personal firewall software or equivalent functionality on any portable computing devices (including company and/or employee owned) that connect to the Internet when outside the network, and which are also used to access the cardholder data environment (CDE).

2.1 – Hardening of systems now includes payment applications.

3.4.1 – Added note: this requirement applies in addition to all other PCI DSS encryption and key management requirements.

6.4.6 – Upon completion of a significant change, all relevant PCI DSS requirements must be implemented on all new or changed systems and networks, and documentation updated as applicable.

6.5 – Train developers at least annually in up-to-date secure coding techniques, including how to avoid common coding vulnerabilities.

8.1.5 – Manage IDs used by third parties to access, support, or maintain system components via remote access.

8.3.1 – Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.

8.3.2 – Incorporate multi-factor authentication for all remote network access (both user and administrator, and including third-party access for support or maintenance) originating from outside the entity’s network.

9.1.1 – Use either video cameras or access control mechanisms (or both) to monitor individual physical access to sensitive areas. Review collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law.

11.2.1 – Perform quarterly internal vulnerability scans. Address vulnerabilities and perform rescans to verify all “high-risk” vulnerabilities are resolved in accordance with the entity’s vulnerability ranking (per Requirement 6.1). Scans must be performed by qualified personnel.

12.6 – Implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures.

12.8.1 – Maintain a list of service providers including a description of the service provided.

12.10.2 – Review and test the plan at least annually, including all elements listed in Requirement 12.10.1.

This webinar also covers requirement changes specifically for service providers. Note that the following requirements are considered best practice until January 31, 2018, after which they will become requirements:

3.5.1 – Maintain a documented description of the cryptographic architecture.

10.8 – Implement a process for timely detection and reporting of failures of critical security control systems.

10.8.1 – Respond to failures of any critical security controls in a timely manner.

11.3.4.1 – If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods.

12.11 – Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures.

To learn more about PCI compliance, check out our PCI Demystified video resources or contact us today.