
Brian Pennington

A blog about Cyber Security & Compliance

Tag: ASV

A summary of the 2013 PCI SSC North America Community Meeting by Matt Getzelman

The most valuable technical information was presented during the ‘Assessors Only’ session on Tuesday afternoon. The SSC covered the upcoming changes to the PCI DSS and PA-DSS standards. There was an open Q&A session with excellent insight on the industry’s concerns and the SSC’s intent with many of the proposed changes. Some of the key announcements and observations were:

  • ASV Changes – A lot of information was presented about upcoming changes to the Approved Scanning Vendor (ASV) baseline (which is currently in progress). The SSC has created a task group to deal with the issue around “Scan Interference”. The task force will deal with this issue and communicate clear expectations to the rest of the industry. A number of “hints” were dropped with regard to web-based vulnerabilities and how they will play a bigger role in ASV scans (and the revised baseline) going forward.

  • PCI DSS 3.0 – Business as Usual – Clarifications on this new section within the 3.0 standard, in the sense that no assessor validation or documentation will be required. This is merely a section on implementation best practices for continuous PCI DSS compliance.

  • PCI DSS 3.0 – Template Changes – New to the 3.0 release, the SSC has created a reporting template that they would like all QSA organizations to use. The reporting instructions had previously been outlined in a separate document. They are now included within the standard itself.

  • PCI DSS 3.0 – Scope – The SSC made some significant improvements to its intent around PCI DSS scope of validation. These clarifications were covered again during the assessor and general sessions. Most importantly the following: systems that affect the security of the cardholder data environment should be considered as in-scope for the assessment. During one of the Open Forum sessions, we asked if this would include A/V servers, patching servers, DNS systems, etc., and the SSC confirmed yes. It’s important to note that they indicated that this will include originating web-servers for ecommerce outsourcing solutions.

  • PCI DSS 3.0 – Phase-in Requirements – There are several new requirements that will be considered best practice only until June 2015. It’s important to review and analyze these new requirements now to prepare your organization for the upcoming impact to your compliance efforts. Our favorite is the change to the penetration testing requirements:

    ◦ Penetration testing must now validate segmentation technologies

  • Avoid the Silver Bullet – We heard this phrase a lot during the SSC presentations and informal discussions with the card brands. The SSC wants to dispel the myth that so many merchants seem to be falling prey to. There is no such thing as a “Silver Bullet” solution that eliminates all PCI DSS scope and responsibility.

  • PA-DSS Template Changes – There was very little content presented on the upcoming changes to the PA-DSS. We met several key SSC representatives that will allow us to provide direct feedback about the draft standard. Coalfire has concerns and questions on two major areas in the new draft that we will clarify in the near future:

    ◦ Hashing requirements for passwords
    ◦ SDLC guidelines

  • PCI SSC Tokenization Standards – It seems surreal, but the SSC plans on releasing four tokenization standards in 2014. These standards will cover hashing strength and other considerations for using tokenization technologies to reduce scope. These are not to be confused with the “Tokenization” guidelines recently announced by some card brands.

The original post by Matt Getzelman, PCI Practice Director, can be found here.


PCI-DSS and PA-DSS Version 3.0 – the full highlights and changes

Brian Pennington

The PCI SSC considered many things when drafting Version 3.0 of the PCI DSS and PA DSS standards including:

  • What will improve payment security?
  • Global applicability and local market concerns
  • Appropriate sunset dates for other standards or requirements
  • Cost/benefit of changes to infrastructure
  • Cumulative impact of any changes

The nature of the changes reflects the growing maturity of the payment security industry since the Council’s formation in 2006, and the strength of the PCI Standards as a framework for protecting cardholder data. Cardholder data continues to be a target for criminals.

Lack of education and awareness around payment security and poor implementation and maintenance of the PCI Standards leads to many of the security breaches happening today.

The updates address these challenges by building in additional guidance and clarification on the intent of the requirements and ways to meet them. Additionally, the changes in PCI DSS and PA-DSS 3.0 focus…


PCI Awareness Training – official courses are now available

The PCI Council has announced that it is offering PCI Awareness Training to anyone interested in learning more about PCI DSS.

The dates of the official council courses are:

  | # | Date           | Location          | Time        | Price                         |
  |---|----------------|-------------------|-------------|-------------------------------|
  | 2 | March 11, 2011 | London, England   | 09:00-17:30 | $995 USD plus local taxes     |
  | 3 | April 1, 2011  | Sydney, Australia | 09:00-17:30 | $1500 USD plus local taxes    |

Course Description

  • What is PCI and what does it mean to companies that must meet compliance with the DSS?  An overview of the payment card industry, the terminology used within the industry, the flow of transaction data through the various components that make up the payment card industry, and the relationships between the various organizations in the process.
  • How the credit card brands differ in their validation and reporting requirements – Detailed coverage of the classifications and compliance requirements for merchants and service providers and details about the various card brands’ compliance programs.
  • Roles and Responsibilities – Descriptions of the key actors in the compliance process including high-level overviews of the Qualified Security Assessor (QSA), Internal Security Assessor (ISA), Payment Application Qualified Security Assessor (PA-QSA) and Approved Scanning Vendor (ASV) programs.
  • PCI Data Security Standard (DSS) – An overview of the current DSS (version 2.0), the testing procedures for validating compliance, and what constitutes compliance with the requirements.
  • PCI Hardware and Communications Infrastructure – Generalized overview of the types of devices used by organizations to accept payment cards and communicate with the verification and payment facilities.
  • PCI Reporting – An overview of the different types of reports that must be submitted to the card brands or their designated agents to demonstrate compliance (or non-compliance) of the organizations filing the reports.
  • Real world examples – An overview of compliance issues and mitigation strategies including defining compensating controls, creating policies and modifying the cardholder data environment.


PCI often fails because of an employee’s action, so it is good to see the PCI Council has launched these courses. However, there is only one course in Europe and it is on a first-come, first-served basis, which means only a few of the millions of European merchants will gain any advantage.

I have found “general” PCI Awareness courses fail to meet the needs of organisations because:

  • The course will be pitched at differing skill levels, from beginners (hopefully there are not too many left) to experts who may have been through external Audits by a QSA.
  • It is not specific to an industry type; the needs of an e-commerce merchant are very different from those of a mail order/telephone merchant.
  • The individual employee has the daunting task of taking the knowledge and rehashing it for the rest of their organisation. Even if they have the slideware, they never have the gravitas of an external trainer or QSA who can handle all the questions that will be fielded.


There are alternative sources of training that will deliver public or bespoke courses for an organisation.

In a recent client scenario, we provided 1-day classroom-based training for senior managers, a series of ½-day road-trip stops at local sites for branch workers, and 1-hour web-based sessions for field-based staff.

This ensured the right people gained the right knowledge when and where the client required it.

Find the details of the PCI Council courses here or ping me an email for ideas on how you can make your employees more aware of PCI.
