I have been attending the PCI Community meetings since the early days. I remember each one of them. Not really the content, but about the people representing PCIco, the brands, organizations subjected to compliance, and the security communities (QSA's, ASV's, PFI's, solution providers). They are my key rational for attending such great events. Getting in touch with the community, networking, sharing and exchanging on our field experience is a great opportunity and in that matter this year was awesome.
For your eyes only, here are my key take-away from the 2013 European PCI Community meeting.
What has been said
- It's all about education, education and education - Tony Blare
- Complexity brings fantastic opportunities for criminals
- There is a link between the level of education and the probability of breaches within an organization
- PCI is the best way to protect your organization against cyber security attack
- Card-not-present is 70% of the card fraud
- PCI is not on its way to extinction
- Communication between IT and Executive stays the major issue in information security.
- There is a disruption between the cost of an attack and the associated financial impact.
- Crime on the internet attracts people who would never get involved in physical organized crime.
- 96 % of hackers are male and the majority of individuals in information security cyber security are men.
- A lot of security companies are selling material not really appropriated to protect organizations.
- We must not underestimate the capacity and willingness of black hats involved professionally in cyber crimes.
- The most difficult part of hacking is not getting into the systems but is not getting caught
- There is a new group of developers that need to be trained
- Just one tiny percent of breached organizations actually identified it by looking through their logs.
- Cheap hosting providers could have poor security. Expensive hosting service providers could also have poor security but very good lawyers - Jacob A.Ansari
- Organizations should invest in the people and effort for log analysis before looking at a fancy log analysis solution.
- Hackers don't have discussions about scoping! Anything a hacker could use against you is in scope…- Joe Pierini
- We don't lie to auditors... They just don't ask the right questions. - A merchant
- Poor encryption key management is the rule rather than the exception as per QSA
The state of PCI
- According to J. King, the state of PCI is really good.
- The importance of PCI continues to grow with the rising of global card usage and associated risks.
- DSS is now translated in 8 different languages including Russian
- Global participation: 40 countries attending the community meeting this year
- 36 participating organizations in APAC regions
- 750 organizations have at least one ISA
- Release date of DSS V3.0 and PA-DSS, Nov 07 2013.
- Updated SAQs are expected early in the first quarter 2014.
- Updated ROC V3.0 expected by Jan 2014.
- In 2014 (Jan 1st 2014 and Dec 31st 2014) both version 2.0 and 3.0 can alternatively be used for compliance. However, as of Jan 1st 2015, 3.0 would be the only valid standard.
- ASV program guide V2.0 is expected somewhere along 2014.
- ASV Validation requirements 3.0 expected by Feb 2014.
What's new in DSS V3.0?
- The 3 key focuses within the DSS V3.0 standard are Education, Flexibility and Shared responsibilities.
- In scope for V3.0 are People, processes and technologies
- A new section "Business as usual" (not subjected to the compliance) is added.
- Clarification that sampling is not an implementation option. Just for testing purpose.
- Testing procedures have been broken down
- Updated a number of testing procedures to enhance consistency and interpretation.
- The council clarified having the documentation ready is not sufficient to proof implementation.
- Security policies have been taken away from req 12 to be inserted in their relevant sections
- The scoping guidance has been incorporated.
- Emphasizes heavily on training and education.
- A new column guidance is added (currently provided through Navigating DSS).
- Improved requirements and guidance on wifi.
- New definition of service providers and new requirement addressing supplier responsibility matrix
What's new in ROC V3.0 (expected by Feb 2014)
- Testing procedures aligned with DSS V3.0
- New options for finding at the sub-requirement level: In place, not in place, in place with compensating control.
- Appendix table where auditors (QSA/ISA) must list all the reviewed documentation.
- Appendix table where auditors (QSA/ISA) must list all interviewed individuals.
What's expected in ASV Validation requirements 3.0
The ASV qualification requirements will be updated to include:
- Terminology alignment
- Requirement for internal separation of duties
- Additional Insurance coverage
- Requirement for manual quality assurance process
- Requirement for protection of the scan solution
- V3.0 requires a penetration testing methodology that is followed
- QSA/ISA must ensure that such methodology is in place and followed
- Penetration testing must now be used to test the effectiveness of network segmentation
In-scope and Out-of-scope Consideration
- PCIco clarified that to be considered out of scope a component must be isolated from the CDE and would not compromise the security of cardholder data.
- To be out of scope a component must be proved as no value for the attacker
- EMV does not protect against card-not-present transactions and are in therefore in scope for PCI DSS.
- For PCIco, Segmentation = Isolation.
- Firewall and access control can not be considered as an isolation method.
- Every DSS requirements may not apply to all in-scope systems.
- Applicable requirements may vary based on system functions.
- Because redirection is taking place at the level of the merchant web server, merchant web sites that redirect the customer to payment providers must be considered in scope even if the merchants do not see, process or store cardholder data. PCIco is working on a new SAQ for these merchants. In the meantime, merchants in such situation should inquire their payment brands about the SAQ they should complete.
Top tips for PCI scoping:
The five golden rules of scoping according to PCIco:
1. Think outside the box. Talk to all departments, consider all technologies involved.
2. Risk assessments as a scoping aid
3. Update scope as part of BAU
4. Trust vendors but verify .
5. Confirm your segmentation
- Training, education, awareness are a big focus in DSS V3.0
- Everybody within the organization must understand why security is important. Getting security right is all about training the staff.
- Weak passwords are still a big concern nowadays
- PCIco delivers/market its own awareness Elearning
- There is a need for more trainers in all local languages.
- PCIco launched a new training program called PGTN (PCI Global Training Network). A network of training partners delivering PCIco own training material around the globe. This is just about course delivery. Exams are still executed by specific PCIco third parties.
- Education of developers and end users is key
- Merchant education isn't not working
- Some organizations I talked with highlighted the ineffectiveness of information security awareness, especially with the IT guys.
- Small merchants should be helped to make them understand why PCI is important for them. In training, the WHY is key before going to the HOW.
- Qualified integrators and resellers should be trained to implement and install software securely.
- Mobile is one of the next big things for PCI. Mobile environment is changing so fast. Mobile phone is not secure.
- PCI Mobile task force (60 members) provides very good guidances on how to use and accept payment using mobile. 3 published guidelines on mobile.
- Until the time mobile would be secured, card data must be encrypted at the points of interaction and go encrypted through the mobile network. Mobile should only be used as a transmitter.
- On target for 2014
* Trusted security management
* Mobile as secured payment
- For PCIco tokenization is used in the context of PAN eradication and not to complete a financial transaction.
- Four technical standards are expected in 2014.
- General Principle
- Reversible tokens
- Irreversible tokens
- Implementation requirements
- Business relationship is complex in cloud. We see hosting provider outsourcing to other providers
- Compliance in cloud is dependent on third parties
- PCIco released a best practice on Cloud and compliance.
- Forensic investigation is used to identify common factors or trends in attacks.
- Data forensic is still at a very low level of development.
- Determining the extend of a breach is not straightforward.
- Keep IT people away from forensic investigations. Let the specialists deal with it.
- More aggressive malware are coming including on mobiles. A lot of Android malware cases have been detected.
- ATM is a recognized attack vector from organized crime
- ATM best practices released by PCICO cover basic on how ATM's work and the security principles
- The majority of ATM's runs over XP which will not be supported out of 2013.
- Inquiries associated to card production standard could be sent to Production@pcisecuritystandard
2013 SIG status
- Supplement guide for maintaining compliance scheduled for Jan 2014.
- Supplement guide for managing service providers scheduled for end Q1 2014 and will address:
- How to perform supplier due diligence.
- Responsibility matrix can be used as part of service provider contract.
- Companies should maintain a responsibility matrix for each supplier relationship
- Define contract scenarios
- Contracting with compliant vs non-compliant entities
- Monitoring service providers compliance.
- What to include in contract
Proposed 2014 SIG's
- Retail stores security. Provide best practises to retail stored easy to implement.
- PCI DSS in a mainframe environments. Provide guidances to users of mainframe and PCI auditors on how to apply DSS on mainframe.
- Best practices for small merchants: establish best practices and guidances to reduce fraud
- Encryption key management guidance: Propose new guidances and standard for key management for 3.5 and 3.6
- Penetrating scoping guide: Provide tools and framework on scoping of pen tests, guidance on preparation and validation of pen testing scope.
- Skimming prevention Best practice for merchants
- Create develop, implement and test incident response plan.
- Best practice for implementing an information security awareness program
- Guidance on the steps to obtain PCI DSS certification
2014 community meeting places:
- USA: Orlando
- Europe: Berlin
- ASIA: Sydney
What's your personal experience with these meetings?
Did you read our previous newsletter: PCI 30 seconds newsletter #32 - Money for nothing.