Tuesday, September 24, 2013

PCI / PA DSS v3.0 - Payment Card Industry / Payment Application Data Security Standard Preview Released

PCI DSS v 3.0 and PA DSS v 3.0 :

                           Payment Card Industry / Payment Application Data Security Standard Version 3 Preview released and Change Highlighted below . 

 "PCI DSS and PA-DSS 3.0 will provide organizations the framework for assessing the risk involved with technologies and platforms and the flexibility to apply these principles to their unique payment and business environments, such as e-commerce, mobile acceptance or cloud computing,"

 

 

                           PCI Security Standards Council (PCI SSC) has published a highlights document outlining the coming enhancements to the PCI Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) in version 3.0 of the two. The changes are oriented towards making PCI DSS part of companies’ business-as-usual activities rather than a yearly checkbox compliance act, by focusing on three key areas: introducing more flexibility, an increased focus on education and awareness, and security as a shared responsibility.

 

 

                                   PCI DSS applies to all organisations that process, store or transmit card holder data, whether as part of their merchant activities or as a service provider on behalf of a merchant. If as a merchant you contract all payment details to a 3rd party you still need to be compliant as you have responsibilities for ensuring the 3rd parties meet the standard.

The updated versions of PCI DSS and PA-DSS will:
  • Provide stronger focus on some of the greater risk areas in the threat environment
  • Provide increased clarity on PCI DSS & PA-DSS requirements
  • Build greater understanding on the intent of the requirements and how to apply them
  • Improve flexibility for all entities implementing, assessing, and building to the Standards
  • Drive more consistency among assessors
  • Help manage evolving risks / threats
  • Align with changes in industry best practices
  • Clarify scoping and reporting
  • Eliminate redundant sub-requirements and consolidate documentation
Over the next few months up to and including the new version of the PCI DSS we will be reviewing information from the PCI Security Standard Council and publicising the changes, so check our PCI DSS pages for updates.
Changes to the standards have been classified as Clarification, Additional Guidance and Evolving requirement. The evolving requirements are to ensure the standards are up to date with emerging threats and changes in the market such as mobile acceptance and cloud computing.
Throughout PCI DSS version 3.0 there are key themes that designed to help organisations take a proactive approach to cardholder data security:
  • Education and awareness
    Lack of education and awareness around payment security, coupled with poor implementation and maintenance of the PCI Standards, gives rise to too many of the security breaches happening today. Updates to the standards are geared towards helping organisations better understand the intent of requirements and how to properly implement and maintain controls across their business. Changes to PCI DSS and PA DSS will help drive education and build awareness internally and with business partners and customers.
  • Increased flexibility
    Changes to the standards focus on some of the most frequently seen risks that lead to incidents of cardholder data compromise - such as: weak passwords and authentication methods; malware; and poor self-detection - providing added flexibility on ways to meet the requirements. Increased flexibility will enable organisations to take a more customised approach to addressing and mitigating common risks and problem areas. At the same time, more rigorous testing procedures for validating proper implementation of requirements will help organisations drive and maintain controls across their business.
  • Security as a shared responsibility
    Securing cardholder data is a shared responsibility. Today’s payment environment has become ever more complex, creating multiple points of access to cardholder data. Changes introduced with PCI DSS and PA DSS focus on helping organisations understand their organisation’s PCI DSS responsibilities when working with different business partners to ensure cardholder data security.

Encryption and Key Management (section 3):

A lot of clarifications have been introduced in this part of the standard in order to ensure adequate protection of all encryption material. As an example of this, an additional emphasis has been put on testing procedures to specifically enforce things such as secure storage of the keys (HSM, etc.), separation of Key Encrypting Keys and Data Encrypting Keys, and to enforce Split Knowledge and Dual Control of the keys.

Secure Developments (section 6):

Again a lot of clarifications such as developers must be properly trained in secure coding techniques, developing secure applications also applies to applications developed by third parties and more stringent requirement on the use of a Web Application Firewall (WAF).It is also interesting to note that a new requirement will involve specifically protecting attacks again the PAN and SAD when insecurely handled in memory! This last requirement will be considered as best practice for the time being, before becoming mandatory on the 30th June 2015.

Role-base Access Control and User Management (sections 7 & 8):

Regarding access to systems, it is now made clear that each role must be clearly defined with all levels of privilege required for the role. We are also happy to see that an additional emphasis has been put on user IDs managed by vendors and third parties when they access their customer’s environment, yes, those account must be disabled when not in use. Also guidance on how to select strong authentication credentials (such as passwords!) must now be provided to users. 

Physical Security… now including POS devices! (section 9)

It is clearly making sense to include the protection of POS devices within the PCI DSS standard and things such as maintaining a list of such devices and training personnel on detecting tampering and substitution have now been included in the standard.

Penetration Testing (section 11)

The PCI community will be glad to know that a proper penetration testing methodology is now required. As per other requirements, it is now mandatory to ensure that those penetration tests follow industry-accepted best practices in order to ensure that their results are actually useful in evaluating the security of an environment. Interestingly, a number of new requirements are now enforcing things such as testing the efficiency of the controls used for segmentation, when segmentation is in place. 

Application Testing Boost in PCI 3.0

                     When it comes to application security, the Council will change some key requirements of the PA-DSS, according to a preview document released by the PCI SSC

Among them:

  • Requirement 5: this requirement governs development of secure applications. In Version 3.0, it will include enhanced requirements for system (read that “application”) development processes. Most important: PA-DSS version 3.0 will mandate periodic security reviews and require application threat modeling techniques and step to verify the integrity and security of application source code before an application is released to customers. The list of common vulnerabilities that application publishers must test against will also be brought into alignment with the latest version of common vulnerabilities from groups like OWASP, NIST, SANS, and so on, to make sure that that PA-DSS is aligned with current and emerging threats.
  • Requirement 7: this governs application requirements and testing procedures. It has been updated to make it clear that vendors must include release notes with each application update to help merchants determine whether the version of an application that they’re using is on the PA-DSS list of approved applications.
  • Requirement 14: this is a new requirement for the PA-DSS that will require training of integrators, resellers and vendor personnel.

 Download Link : 



 
Thanks,

RRN Technologies Team

2 comments:

  1. Too Stressed ??
    Money can bring the "Peace" in your "soul"!!
    Your life can 'Recover'!!
    Get this 100% free method, Which will earn money for you by using PayPal Hack tool and earn UP TO 500$ ADDING EVERY 5 HOURS.TOTALLY UNTRACEABLE!!!!!!!!!!!!!!!!!!!!!!
    So Download the Tool......
    Paypal Account Hack
    Paypal Money Adder
    Paypal Money Generate
    Paypal Money Hack

    ReplyDelete
  2. BlueHost is ultimately one of the best hosting provider for any hosting plans you might need.

    ReplyDelete

Open source Tools for Live Meeting(Web Conferencing)

posts. Guys the most of you find these posts a valuable resource for the e-Learning community. As a result, the following post is Free and Open Source Web Conferencing (Online Meetings, Webinars) Tools for e-Learning.




The following list contains free and open source Web Conferencing tools that are n't in particular order.



Also, you should be sure that the e-Learning community will highly appreciate:

  1. if you post a comment with your experience with these tools and/or,

  2. if you post a comment with a link to any other free and open source Web Conferencing tool.

We support Free eLearning! Do you?



I support Free eLearning




BigBluebutton* is built for Higher Education. It enables universities and colleges to deliver a high-quality learning experience to remote students. BigBlueButton is an active open source project that focuses on usability, modularity, and clean design -- both for the user and the developer. The project is hosted at Google Code. BigBlueButton is built by combining over fourteen open source components.



*note: Epignosis has created a module that provides integration of BigBlueButton conferencing in eFront Open Source Learning Management System. BigBlueButton is a free web-conferencing tool with text chat, audio and video capabilites, a virtual whiteboard and many more presentation and conferencing features.




OpenMeetings is a free browser-based software that allows you to set up instantly a conference in the Web. You can use your microphone or webcam, share documents on a white board, share your screen or record meetings. It is available as hosted service or you download and install a package on your server with no limitations in usage or users.



OpenMeetings Key Features Mini Demo





Mikogo is a free desktop sharing tool full of features to assist you in conducting the perfect online meeting or web conference. Take advantage of the opportunity to share any screen content or application over the Internet in true color quality with up to 10 participants simultaneously, while still sitting at your desk.












Yugma free web conferencing allows anyone, anywhere to instantly share their desktop and ideas online with others. To start hosting your own meetings you have to sign up for FREE. Your Yugma Free web conferencing account allows you to invite up to 20 attendees







Using WebHuddle, you have options and flexibility. Meetings can be conducted either in conjunction with an enterprise’s existing teleconferencing service, or utilizing WebHuddle’s optional voice over IP. WebHuddle also offers recording capabilities -- presentations can easily be recorded for playback over any web browser for those who missed the live meeting.










With Vyew you can give a presentation to a hundred people online or post a document you've been working on for review by your colleagues at the convenience. Vyew is extremely flexible alloying you to bring online collaboration and conferencing into your workflow on your terms.









Dimdim delivers synchronized live presentations, whiteboards and web pages while sharing your voice and video over the Internet - with no download. With the Free edition you can get 10 person meetings, 1 way video, standard support, Dimdim branded rooms, and public meetings.



*note: Epignosis has created a module that provides integration of Dimdim conferencing in eFront  Open Source Learning Management System.




Adobe® ConnectNow is a great way to share ideas, discuss details, and complete work with others all online. Reduce travel costs, save time, and increase productivity with a web conferencing solution that's easy to access and simple to use. ConnectNow operates inside a web browser. There's no installation required, so getting started is easy and Free