PCI-DSS v3.0: What You Need to Know Today
Barry Shteiman – Director of Security Strategy

© 2013 Imperva, Inc. All rights reserved.

Confidential

Agenda

§  PCI-DSS Themes and Drivers
§  Dates and Deadlines
§  New Requirements
§  Web App Compliance

Today’s Speaker - Barry Shteiman

§  Director of Security Strategy
§  Security Researcher working with the CTO office
§  Author of several application security tools, including HULK
§  Open source security projects code contributor
§  CISSP
§  Twitter @bshteiman

Introducing PCI-DSS 3.0

PCI-DSS
Payment Card Industry (PCI) Data Security Standard (DSS)

§  Industry driven
•  From conception to enforcement

§  Evolving
•  4th version over 7 years
•  Rate of releases has slowed – 3 years since v2.0 release

§  Concise and Pragmatic
•  Does not avoid naming technologies
•  Calls out threats by name
•  Very specific about data scope

PCI-DSS Evolution
§  PCI 1.0
•  December 2004
•  12 major sections

§  PCI 1.1
•  September 2006
•  App security, compensating controls

§  PCI 1.2
•  October 2008
•  Risk based approach, emphasis on wireless

§  PCI 2.0
•  October 2010
•  Definition of scope, clarifications

§  PCI 3.0
•  November 2013
•  Consistency for assessors, risk based approach, flexibility

PCI-DSS 3.0 Key Drivers

§  Lack of education and awareness
§  Weak passwords, authentication
§  Third-party security challenges
§  Slow self-detection, malware
§  Inconsistency in assessments

General Themes
§  Penetration testing gets real
•  More explicitly-defined penetration test guidelines

§  Skimmers, skimmers and more skimmers
•  New requirement to maintain a list of POS devices, periodically inspect devices and train personnel
•  Inclusion of POS devices in other sections

§  Service provider accountability
§  PCI requirement clarifications and details

Why Protect Point-of-Sale Devices?
Physical data theft incidents from the 2013 Verizon Data Breach Incident Report

Source: http://www.verizonenterprise.com/DBIR/
Service Providers Accountability
Third-party awareness at the compliance level

Source: http://www.bankinfosecurity.com/bofa-confirms-third-party-breach-a-5582
PCI DSS 3.0 Dates and Deadlines
§  Publication Date: November 7, 2013
§  Effective Date: January 1, 2014
•  Version 2.0 will remain active until December 31, 2014

§  Deadline for New Requirements: June 30, 2015

What’s New?
New Requirements Added in PCI-DSS 3.0

New Req. 6.5.6
Insecure handling of credit card and authentication data in memory.
Compliance:
•  Document how PAN/SAD is handled in memory to minimize exposure
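
Requirement 6.5.6 asks for a documented discipline rather than a particular library. The Python below is an added illustration, not code from the slides or from Imperva: it keeps a PAN in a mutable buffer, derives the only two values the application retains (a masked display form and a keyed lookup token), and overwrites the buffer before releasing it, on the error path as well. The sample PAN, the TOKEN_KEY value and every function name are constructed for the example. It also carries the caveat a reviewer would raise: a managed runtime copies data freely (the bytes() handed to HMAC, any str built from the buffer), so wiping one buffer narrows exposure rather than guaranteeing it, and the documentation 6.5.6 asks for should state exactly which copies exist and when they go away. Sensitive authentication data (CVV, full track data) is not stored after authorization at all, so for SAD only the wipe step applies.

```python
"""Added example (not from the slides or from Imperva): handling a PAN so
that it lives in process memory only as long as needed, in the spirit of
Req. 6.5.6. Names, the token key and the sample PAN are constructed."""
import hashlib
import hmac

# Constructed key for the lookup token. In a real deployment it comes from
# key management, never from source code.
TOKEN_KEY = b"example-token-key-not-for-production"


def luhn_valid(pan: bytearray) -> bool:
    """Luhn checksum over ASCII digits; rejects malformed input early."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ch - 48                      # ASCII digit to int
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: bytearray) -> str:
    """First six and last four digits, the most PCI-DSS allows to display."""
    return pan[:6].decode() + "*" * (len(pan) - 10) + pan[-4:].decode()


def token_for(pan: bytearray) -> str:
    """Keyed, non-reversible token usable as a lookup key instead of the PAN.
    Caveat: bytes(pan) is an immutable copy that cannot be wiped; the
    6.5.6 documentation should record that this copy exists."""
    return hmac.new(TOKEN_KEY, bytes(pan), hashlib.sha256).hexdigest()


def wipe(buf: bytearray) -> None:
    """Overwrite the buffer in place before it is released."""
    buf[:] = b"\x00" * len(buf)


def process_pan(raw_digits: bytes) -> dict:
    """Validate, derive the retained values, and wipe the working buffer
    even when validation fails."""
    pan = bytearray(raw_digits)
    try:
        if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        return {"masked": mask_pan(pan), "token": token_for(pan)}
    finally:
        wipe(pan)
```

The point of the structure is that nothing downstream of process_pan ever sees the PAN: callers get a masked string for display and a token for lookups, and the working buffer is zeroed in a finally block so an exception cannot leave it behind.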

New Req. 6.5.11
Broken authentication & session management.

Compliance:
•  Flag session tokens
•  Don’t expose session ID in URL
•  Implement time-outs
•  Prevent User ID manipulation

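
The four compliance points for 6.5.11 map directly onto a server-side session store. The Python below is an added example, not code from the slides or from Imperva: it is framework-independent, with request headers and query parameters represented as plain dicts, and the cookie name, the user_id parameter name and the timeout values are choices made for the illustration. Each of the four points is labelled in a comment where it is enforced.

```python
"""Added example (not from the slides or from Imperva): a minimal
server-side session store implementing the four Req. 6.5.11 points.
Request headers and query parameters are plain dicts; names, cookie
attributes and timeout values are choices made for this illustration."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before re-authentication
ABSOLUTE_TIMEOUT = 8 * 3600   # hard lifetime regardless of activity


@dataclass
class Session:
    user_id: str
    created: float
    last_seen: float


def parse_cookie(header: str) -> Dict[str, str]:
    """Split a Cookie request header into name/value pairs."""
    out: Dict[str, str] = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            out[name] = value
    return out


@dataclass
class SessionStore:
    sessions: Dict[str, Session] = field(default_factory=dict)

    def create(self, user_id: str, now: float) -> str:
        """Issue a fresh 256-bit random token bound to user_id on the server."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(user_id, now, now)
        return sid

    @staticmethod
    def set_cookie_header(sid: str) -> str:
        # "Flag session tokens": Secure keeps the token off plain HTTP,
        # HttpOnly keeps it away from page scripts, SameSite keeps it out of
        # cross-site requests.
        return f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"

    def resolve(self, headers: Dict[str, str], query: Dict[str, str],
                now: float) -> Optional[str]:
        """Return the user bound to the request's session, or None."""
        # "Don't expose session ID in URL": a token arriving in the query
        # string is never honoured, so it also cannot leak via logs/Referer.
        if "session" in query:
            return None
        sid = parse_cookie(headers.get("Cookie", "")).get("session")
        sess = self.sessions.get(sid) if sid else None
        if sess is None:
            return None
        # "Implement time-outs": both an idle and an absolute limit.
        if (now - sess.last_seen > IDLE_TIMEOUT
                or now - sess.created > ABSOLUTE_TIMEOUT):
            del self.sessions[sid]
            return None
        sess.last_seen = now
        return sess.user_id


def account_for_request(store: SessionStore, headers: Dict[str, str],
                        query: Dict[str, str], now: float) -> Optional[str]:
    """'Prevent User ID manipulation': the account acted on is the one the
    server bound to the session; a client-supplied user_id that disagrees
    is treated as an authorization failure rather than trusted."""
    user = store.resolve(headers, query, now)
    if user is None:
        return None
    requested = query.get("user_id")
    if requested is not None and requested != user:
        return None  # worth logging: the client asked to act as someone else
    return user
```

Passing the clock in as a parameter keeps the timeout logic testable without waiting, and keeping identity on the server side (the session record, not a request parameter) is what closes the user-ID manipulation point: the client can name any account it likes, but the store answers only for the one the login bound to the token.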
New Req. 8.5.1
Service providers with access to customer environments must use a unique authentication credential for each customer
Compliance:
•  Authentication policies and procedures to mandate different authentication is used to access each customer environment
** Only mandated for service providers

New Req. 9.9
Protect POS devices that capture payment card data from tampering
Compliance:
•  Maintain a list of POS devices
•  Periodic inspection for tampering/substitution
•  Training for awareness

Note: PCI-DSS now addresses skimmers.
New Req. 11.3
Develop a penetration testing methodology based on industry guidelines like NIST
Compliance:
•  Implement a penetration testing approach based on an industry standard (like NIST SP800-115)
•  Define pen-test for all layers
•  Specify retention and remediation activity

New Req. 12.9
Service providers must document in writing that they will adhere to PCI DSS standards
Compliance:
•  Acknowledge in writing to customers that the service provider will maintain PCI DSS in full on behalf of the customer

** Only mandated for service providers

Web Application Compliance
Using a WAF to Close the Compliance Gap

Web Application Relevant Requirements

[6.5.11] Broken Auth. & Session Mgmt.

Authentication/Session attacks
•  Cookie Tampering
•  Cookie Poisoning
•  Session Hijacking
•  Session Reuse
•  Parameter Tampering
•  SSL Reuse
•  Brute Force

[11.3] Pen Testing and Remediation

Source: http://www.imperva.com/docs/SB_Imperva_WhiteHat.pdf
PCI-DSS Carry-ons

Req 6.6: Protect public-facing Web applications
Req 10: Audit all access to cardholder data
Req 7: Limit access to systems and data on a business need to know
Req 8.5: Identify and disable dormant user accounts and access rights
Req 11.5: Alert personnel to unauthorized modification of files
Source: http://www.imperva.com/PCI/
Learn More

PCI

PCI-DSS Council
http://www.pcisecuritystandards.org

Imperva’s PCI Resource Center
http://www.imperva.com/PCI/

Skimmers

KrebsOnSecurity
http://krebsonsecurity.com/category/all-about-skimmers/

Third-Party Breaches
Imperva’s January 2013 HII and Imperva’s CMS Hacking Webinar
http://www.imperva.com/resources/overview.html

www.imperva.com


PCI 3.0 Revealed - What You Need to Know Today

  • 1. PCI-DSS v3.0: What You Need to Know Today Barry Shteiman – Director of Security Strategy 1 © 2013 Imperva, Inc. All rights reserved. Confidential
  • 2. Agenda §  PCI-DSS Themes and Drivers §  Dates and Deadlines §  New Requirements §  Web App Compliance 2 © 2013 Imperva, Inc. All rights reserved. Confidential
  • 3. Today’s Speaker - Barry Shteiman §  Director of Security Strategy §  Security Researcher working with the CTO office §  Author of several application security tools, including HULK §  Open source security projects code contributor §  CISSP §  Twitter @bshteiman 3 © 2013 Imperva, Inc. All rights reserved. Confidential
  • 4. Introducing PCI-DSS 3.0 4 © 2013 Imperva, Inc. All rights reserved. Confidential
  • 5. PCI-DSS Payment Card Industry (PCI) Data Security Standard (DSS) §  Industry driven •  From conception to enforcement §  Evolving •  4th version over 7 years •  Rate of releases has slowed – 3 years since v2.0 release §  Concise and Pragmatic •  Does not avoid naming technologies •  Calls out threats by name •  Very specific about data scope 5 © 2013 Imperva, Inc. All rights reserved. Confidential
  • 6. PCI-DSS Evolution §  PCI 1.2 §  PCI 1.0 •  December 2004 12 major sections •  October 2010 •  Definition of scope, clarifications •  September 2006 •  App security, compensating controls 6 2006 •  November 2013 •  Consistency for assessors, risk based approach, flexibility §  PCI 2.0 §  PCI 1.1 2005 §  PCI 3.0 •  October 2008 •  Risk based approach, emphasis on wireless 2007 © 2013 Imperva, Inc. All rights reserved. 2008 2009 Confidential 2010 2011 2012 2013
  • 7. PCI-DSS 3.0 Key Drivers §  Lack of education and awareness §  Weak passwords, authentication §  Third-party security challenges §  Slow self-detection, malware §  Inconsistency in assessments 7 © 2013 Imperva, Inc. All rights reserved. Confidential
  • 8. General Themes §  Penetration testing gets real •  More explicitly-defined penetration test guidelines §  Skimmers, skimmers and more skimmers •  New requirement to maintain list of POS devices, periodically inspect devices and train personnel •  Inclusion of POS devices in other sections §  Service provider accountability §  PCI requirement clarifications and details 8 © 2013 Imperva, Inc. All rights reserved. Confidential
  • 9. Why Protect Point-of-Sale Devices? Physical data theft incidents from 2013 Verizon Data Breach Incident Report Source: http://www.verizonenterprise.com/DBIR/ 9 © 2013 Imperva, Inc. All rights reserved. Confidential
  • 10. Service Providers Accountability Third-party awareness at the compliance level Source: http://www.bankinfosecurity.com/bofa-confirms-third-party-breach-a-5582 10 © 2013 Imperva, Inc. All rights reserved. Confidential
  • 11. PCI DSS 3.0 Dates and Deadlines §  Publication Date: November 7, 2013 §  Effective Date: January 1, 2014 •  Version 2.0 will remain active until December 31, 2014 §  Deadline for New Requirements: June 30, 2015 11 © 2013 Imperva, Inc. All rights reserved. Confidential
  • 12. What’s New? New Requirements Added in PCI-DSS 3.0 12 © 2013 Imperva, Inc. All rights reserved. Confidential
  • 13. New Req. 6.5.6 Insecure handling of credit card and authentication data in memory. Compliance: •  document how PAN/SAD is handled in memory to minimize exposure 13 © 2013 Imperva, Inc. All rights reserved. Confidential
  • 14. New Req. 6.5.11 Broken authentication & session management. Compliance: •  •  •  •  14 Flag session tokens Don’t expose session ID in URL Implement time-outs Prevent User ID manipulation © 2013 Imperva, Inc. All rights reserved. Confidential
  • 15. New Req. 8.5.1 Service providers with access to customer environments must use a unique authentication credential for each customer Compliance: •  Authentication policies and procedures to mandate different authentication is used to access each customer environment ** Only mandated for service providers 15 © 2013 Imperva, Inc. All rights reserved. Confidential
  • 16. New Req. 9.9 Protect POS devices that capture payment card data from tampering Compliance: •  Maintain a list of POS devices •  Periodical inspection for tampering/substitution •  Training for awareness Note: PCI-DSS now addresses skimmers. 16 © 2013 Imperva, Inc. All rights reserved. Confidential
  • 17. New Req. 11.3 Develop penetration testing methodology based on industry guidelines like NIST Compliance: •  Implement a penetration testing approach based on an industry standard (like NIST SP800-115) •  Define pen-test for all layers •  Specify retention and remediation activity 17 © 2013 Imperva, Inc. All rights reserved. Confidential
  • 18. New Req. 12.9 Service providers must document in writing they will adhere to PCI DSS standards Compliance: •  Acknowledge in writing to customers that service provider will maintain PCI DSS in full on behalf of the customer ** Only mandated for service providers 18 © 2013 Imperva, Inc. All rights reserved. Confidential
  • 19. Web Application Compliance Using a WAF to Close the Compliance Gap 19 © 2013 Imperva, Inc. All rights reserved. Confidential
  • 20. Web Application Relevant Requirements 20 © 2013 Imperva, Inc. All rights reserved. Confidential
  • 21. [6.5.11] Broken Auth. & Session Mgmt. Authentication/Session attacks •  •  •  •  •  •  •  21 © 2013 Imperva, Inc. All rights reserved. Cookie Tampering Cookie Poisoning Session Hijacking Session Reuse Parameter Tampering SSL Reuse Brute Force Confidential
  • 22. [11.3] Pen Testing and Remediation Source: http://www.imperva.com/docs/SB_Imperva_WhiteHat.pdf 22 © 2013 Imperva, Inc. All rights reserved. Confidential
  • 23. PCI-DSS Carry-ons Req 6.6: Protect public-facing Web applications Req 10: Audit all access to cardholder data Req 7: Limit access to systems and data on a business need to know Req 8.5: Identify and disable dormant user accounts and access rights Req 11.5: Alert personnel to unauthorized modification of files Source: http://www.imperva.com/PCI/ 23 © 2013 Imperva, Inc. All rights reserved. Confidential
  • 24. Learn More 24 © 2013 Imperva, Inc. All rights reserved. Confidential
  • 25. PCI PCI-DSS Council http://www.pcisecuritystandards.org Imperva’s PCI Resource Center http://www.imperva.com/PCI/ 25 © 2013 Imperva, Inc. All rights reserved. Confidential
  • 27. Third-Party Breaches Imperva’s January 2013 HII and Imperva’s CMS Hacking Webinar http://www.imperva.com/resources/overview.html 27 © 2013 Imperva, Inc. All rights reserved. Confidential
  • 28. www.imperva.com 28 © 2013 Imperva, Inc. All rights reserved. Confidential