Wednesday, 16 May 2018

INTRODUCTION & CHANGES IN PCI-DSS v3.2


INTRODUCTION & CHANGES IN PCI-DSS V3.2


The Payment Card Industry Data Security Standard (PCI- DSS) was developed to follow the policy and standards of cardholder data security which consistent data security measures globally. PCI- DSS provides a minimum of technical and operational requirements to protect data of the cardholders. PCI -DSS applies to all operation which involved in payment card processing of cardholder data.
The below describes the changes in PCI-DSS v3.2 from version 3.1.

AREAS EMPHASISED IN V3.2:

  • CHANGE MANAGEMENT PROCESS:

    • The Change Management Process is done to perform the secure changes during the process based on the business requirement.

  • ADMINISTRATIVE ACCESSING:

    • The Administrative privilege is given only to the single user were the particular can gain the read, write and execute access to the changes in the environment.

  • INCIDENT RESPONSE:

    • Incident response is nothing but when there is an issue raised in the environment the action is taken based on the severity of the problems.

  • E-COMMERCE – A-EP ENVIRONMENTS:

    • the “Expected Testing” column is based on the testing procedures in the PCI DSS and provides a high-level description of the types of testing activities should be performed to verify that a requirement has met.

SAQ VERSION
# QUESTIONS V3.1
# QUESTIONS V3.2
DIFFERENCE

SAQ D-SP347369+22
SAQ D-MER326331+5
SAQ C139162+23
SAQ A-EP139193+54
SAQ B-IP8384+1
SAQ C-VT7380
+7
SAQ B41410
SAQ P2PE-HW3533-2
SAQ A1422+8

MASKING THE PAN NUMBER

  • DISPLAYING THE PRIMARY ACCOUNT NUMBER

    • First six and last four digits of PAN can be displayed based on the current requirement.
For a legitimate business need the pan number must be encrypted. Follow Requirement 3.3 for further reference.

CHANGE CONTROL

  • CHANGES IN CHANGE CONTROL IN V3.2

    • Maintain proper documentation when any change control issued.
    • Implement all the necessary control in all the new and existing systems or devices.
    • Change control processes must include verification of PCI DSS requirements impacted by a (significant) change. Fallow Requirement 6.4.6 which is effective from Feb 1, 2018.

HIGH-RISK VULNERABILITY MANAGEMENT

  • INTEGRATE VULNERABILITIES INTO THE RISK ASSESSMENT PROCESS

    • Ensure all “high risk” vulnerabilities must be addressed for internal scans and resolved.
    • By the vulnerability ranking as per Requirement 6.1 and 6.2 in PCI-DSS scope.
    • After resolving the vulnerabilities ensure the risk has been cleared by rescanning.

REMOTE ADMINISTRATOR ACCESS TO CDE

  • ANY NON-CONSOLE ADMINISTRATOR ACCESS TO CDE

    • All the non-console access into CDE for personnel with administrative access must implement the multi-factor authentication.
    • The current requirement for multi-factor authentication for remote access to CDE for personnel with administrative access still applies according to the PCI-DSS scope.
    • Fallow PCI-DSS scope 8.3.1 and 8.3.2 mandatorily from Jan 31, 2018.

RESOURCE

  • Refer the following document for the PCI-DSS scope.
  • LINK: pcisecuritystandards.org/document_library?category=pcidss

AUTHOR

Dharmesh B
Security Engineer
Briskinfosec Technology and Consulting Pvt Ltd.,
https://www.linkedin.com/in/dharmeshbaskaran/
Posted by at
Labels: , , , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)