Data security is an absolute requirement for any organization – large or small – that handles debit, credit and pre-paid cards. But navigating, understanding and complying with PCI-DSS (Payment Card Industry – Data Security Standards) regulations can be tough. In this webinar, we’ll examine the guidelines for securing payment card data and show you how a combined solution from DataStax and Gazzang can put you on course for compliance.
Don’t Get Caught in a PCI Pickle: Meet Compliance and Protect Payment Card Data with DataStax and Gazzang
1. Don't Get Caught in a PCI Pickle: Meet Compliance and
Protect Payment Card Data with DataStax and Gazzang
Pavan Venkatesh, Sr. Product Manager (DataStax)
Sam Heywood, VP of Product & Marketing (Gazzang)
2. DataStax: An Overview
• Founded in April 2010
• We drive Apache Cassandra™,
the popular open-source NoSQL database
• We provide DataStax Enterprise for enterprise NoSQL
implementations
• 400 customers
• 200+ employees
• Home to Apache Cassandra Chair & most committers
• Headquartered in San Francisco Bay area
• Funded by prominent venture firms
3. Gazzang: An Overview
• Focus on securing sensitive data in
cloud and big data environments
• We help customers meet
compliance requirements like
HIPAA, PCI, FIPS and FERPA
• Satisfy internal security mandates
• Protect valuable client information
• Headquartered in Austin, Texas
4. Today’s speakers
Pavan Venkatesh, Senior Product Manager at DataStax
Pavan oversees DataStax Enterprise and OpsCenter
products. He has more than seven years of broad database
and NoSQL experience. He also has a Master’s degree in
Computer Science from Syracuse University.
Sam Heywood, VP of Products and Marketing at Gazzang
Sam drives Gazzang's global product innovation and delivery,
corporate marketing and demand generation. A seasoned
product and marketing executive with leadership experience
at several notable technology startups, Sam is well versed in
systems management, online CRM platforms, consumer
ecommerce and security technologies.
5. Why DataStax?
DataStax supports both the open source community and
modern business enterprises.
Open Source/Community
• Apache Cassandra (employ
Cassandra chair and 90+% of
the committers)
• DataStax Community Edition
• DataStax OpsCenter
• DataStax DevCenter
• DataStax Drivers/Connectors
• Online Documentation
• Online Training
• Mailing lists and forums
Enterprise Software
• DataStax Enterprise Edition
• Certified Cassandra
• Built-in Analytics
• Built-in Enterprise Search
• Enterprise Security
• DataStax OpsCenter
• Expert Support
• Consultative Help
• Professional Training
6. What is Apache Cassandra?
• Masterless architecture with read/write anywhere design.
• Continuous availability with no single point of failure.
• Gold standard in multi-datacenter and cloud availability zone
support.
• Flexible data model perfect for time series and other data.
• Linear scale performance with online capacity expansion.
• Security with authentication and authorization.
• Operationally simple.
• CQL – SQL-like language.
[Figure: linear-scale throughput chart with tick marks at 100,000, 200,000 and 400,000 txns/sec]
7. Analyze your hot data
• HDFS storage replaced with Cassandra
(Cassandra File System – CFS)
• No single points of failure as in Apache
Hadoop distribution
• MapReduce, Hive, Pig, Sqoop, and
Mahout support
• Hadoop task tracker started on all nodes
• Able to create multiple CFSs across
multiple data centers to segregate Hadoop
data and tasks
• Can create multiple job trackers – one for
each data center
8. Search your hot data
• Built on Cassandra
• Automatic sharding via Cassandra
replication
• Very fast performance
• Search indexes can span multiple data
centers (regular Solr cannot)
• Provides data durability (overcomes Solr’s
lack of write-ahead log - if community Solr
node goes down, data can be lost)
• Online scalability via adding new nodes
• Built-in failover; continuously available
• Overcomes Solr write bottleneck –
can read/write to any Solr node
• CQL extended to support Solr/search
queries
10. Why securing data is important
‘Twas the season to be hacked...
The average cost of cybercrime (hacking, phishing, Internet
fraud, corporate security breaches) to U.S. organizations is nearly $12
million per year.
Attacks get more sophisticated
and traditional protections such as
firewalls and antivirus are no
longer sufficient.
11. What is PCI-DSS?
• The Payment Card Industry (PCI) Data Security
Standard (DSS) was developed ten years ago to
enhance cardholder data security.
• The PCI-DSS is administered and managed by the PCI
SSC (www.pcisecuritystandards.org), an independent
body that was created by the major payment card
brands (Visa, MasterCard, American Express, Discover
and JCB).
• This council was formed to prevent such identity thefts
as described previously.
12. PCI - Who & Why?
• Entities (merchants) involved in
payment card processing (debit,
credit, pre-paid etc.) have to comply
with PCI-DSS standards to help avoid
any data breach.
• Compliance with PCI-DSS means
that the payment card information
(data) is very secure and customers
can trust the merchant with their
sensitive information.
13. PCI & Database
Entities (Merchants) expect the underlying database to
be in compliance with PCI-DSS as this sensitive data will
eventually be stored in the data store.
14. Storage and access to digital,
not physical data
1. Install and maintain a firewall
2. Do not use vendor-supplied defaults for passwords; develop configuration standards
3. Protect stored data
4. Encrypt transmission of cardholder data across public networks
5. Use and regularly update antivirus software
6. Develop and maintain secure systems and applications
7. Restrict access to data by business and need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Test systems regularly to ensure security is maintained over time and through changes
12. Maintain an information security policy
16. PCI GUIDELINE #2
Do not use vendor supplied defaults
2.1 Always change vendor-supplied defaults and remove
or disable unnecessary
default accounts before
installing a system on the
network.
2.2 Ensure that security policies
and operational procedures for
managing vendor defaults and
other security parameters are
documented, in use, and known
to all affected parties.
DataStax Enterprise
recommends you
change the default
password
17. PCI GUIDELINE #3
Protect stored cardholder data
3.1 Keep cardholder data storage to a
minimum by implementing data
retention and disposal
policies, procedures and processes
3.2 Do not store sensitive
authentication data after
authorization (even if
encrypted)
3.3 Mask primary account
number (PAN) when displayed
(the first six and last four digits
are the maximum number of
digits to be displayed)
3.4 Render PAN unreadable
anywhere it is stored (including on
portable digital media, backup
media, and in logs) by using any of
the following approaches: one-way
hashes based on strong
cryptography (hash must be of the
entire PAN); truncation; …
3.5 Protect any keys used to secure
cardholder data against disclosure
and misuse
3.6 Fully document and implement
all key-management processes and
procedures for cryptographic keys
used for encryption of cardholder
data
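The three storage controls in 3.3 and 3.4 (masked display, truncation and a one-way hash of the entire PAN) and the key handling in 3.5 are easy to get subtly wrong, so here is an added, self-contained Python example of what each looks like in code. It is not code from the original webinar, DataStax or Gazzang; the sample PANs are industry test numbers, the HMAC key is a constructed placeholder standing in for a key managed under 3.5/3.6, and the log-redaction regex is an assumption about how PANs appear in application logs.

```python
import hashlib
import hmac
import re

# Constructed sample PANs: industry test numbers, not real accounts.
SAMPLE_PANS = ["4111111111111111", "5555555555554444", "378282246310005"]


def luhn_valid(pan):
    """Luhn check-digit validation; used so random digit runs are not treated as PANs."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan, lead=6, trail=4):
    """Requirement 3.3: when a PAN is displayed, show at most the first six and last four digits."""
    if lead > 6 or trail > 4:
        raise ValueError("3.3 permits at most the first six and last four digits")
    if len(pan) < lead + trail + 1:
        raise ValueError("PAN too short to mask")
    return pan[:lead] + "*" * (len(pan) - lead - trail) + pan[-trail:]


def truncate_pan(pan, keep_last=4):
    """Requirement 3.4, truncation: persist only a segment that cannot rebuild the PAN."""
    return pan[-keep_last:]


def hash_pan(pan, secret_key):
    """Requirement 3.4, one-way hash of the entire PAN.

    The PAN space is small: for a 16-digit PAN with a known six-digit BIN only
    about 10**9 candidates remain, so an unkeyed SHA-256 can be reversed by
    enumeration. A keyed hash (HMAC) with a key protected under 3.5/3.6 removes
    that shortcut. The key passed in here is a constructed placeholder.
    """
    if not luhn_valid(pan):
        raise ValueError("not a well-formed PAN")
    return hmac.new(secret_key, pan.encode("ascii"), hashlib.sha256).hexdigest()


# 13 to 19 consecutive digits that are not part of a longer digit run.
_PAN_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def redact_log_line(line):
    """3.4 also covers logs: mask any Luhn-valid digit run before the line is written."""
    def _mask(match):
        candidate = match.group(0)
        return mask_pan(candidate) if luhn_valid(candidate) else candidate
    return _PAN_RUN.sub(_mask, line)


def store_record(pan, secret_key):
    """The fields a cardholder row keeps: no full PAN, only the masked display
    form, the truncated segment and the keyed hash used for lookups."""
    return {
        "display": mask_pan(pan),
        "last4": truncate_pan(pan),
        "pan_hash": hash_pan(pan, secret_key),
    }


if __name__ == "__main__":
    key = b"constructed-placeholder-key-managed-under-3.5"
    for sample in SAMPLE_PANS:
        print(store_record(sample, key))
    print(redact_log_line("order 42 pan=4111111111111111 amount=19.99"))
```

Note that `store_record` never returns the full PAN, which is the point of 3.4: once the row holds only the hash and the last four digits, a database dump, backup or log line contains nothing that can be charged.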
18. WHAT’S NEW
In PCI Guideline 3.0?
• Subcontrol 3.5.1 covers restricting access to keys to the minimum
possible number of people
• Subcontrol 3.5.3 requires that keys are stored in as few places as
possible
• Subcontrols under 3.6 mandate that best practices are followed
when replacing keys when they reach the end of their life or are
compromised, and that those entrusted with managing keys
understand and accept their responsibilities.
19. - Verizon 2014 PCI Compliance Report: An
inside look at the business need for protecting
payment card information.
20. HOW WE DO IT
Transparent data encryption and key
management
• Protects sensitive data at rest from theft
• No changes needed at application level
• Keys are encrypted and secured in a software-based
vault and wrapped with several policy layers that
prevent unauthorized access
21. IN PRACTICE
• Encrypt PAN numbers and
customer PII for a mobile egifting platform
• Protect credit card data and
PHI for global health insurance
company
22. PCI GUIDELINE #4
Encrypt transmission of cardholder data
across public networks
4.1 Use strong cryptography and
security protocols (for
example, SSL/TLS, IPSEC, SSH, etc.) to
safeguard sensitive cardholder data
during transmission over open, public
networks, including the following:
• Only trusted keys and certificates are
accepted
• The protocol in use only supports
secure versions or configurations
• The encryption strength is
appropriate for the encryption
methodology in use
4.2 Never send unprotected PANs
by end-user messaging technologies
such as email, instant messaging or
chat
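The three bullets under 4.1 map directly onto settings in any TLS client. The following is an added Python example, not code from the webinar or the DataStax drivers, showing a client-side context that satisfies them and a small audit function that reports which bullet a given context fails; the CA file path is a placeholder and the permissive context exists only for contrast.

```python
import ssl

# Assumed location of the cluster's CA bundle; None falls back to the system trust store.
CLUSTER_CA_FILE = None  # e.g. "/etc/dse/conf/cluster-ca.pem" (placeholder)


def secure_client_context(ca_file=CLUSTER_CA_FILE):
    """Client-side TLS context meeting the three bullets of requirement 4.1."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    # Only trusted keys and certificates: the node must present a certificate
    # chaining to a CA we trust, and its name must match the host we dialled.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    # Only secure protocol versions: SSLv3, TLS 1.0 and TLS 1.1 are refused.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Encryption strength appropriate to the method: forward-secret AEAD suites
    # only (TLS 1.3 suites are always AEAD and are not affected by this string).
    ctx.set_ciphers("ECDHE+AESGCM:!aNULL:!MD5:!RC4")
    return ctx


def audit_context(ctx):
    """Return the 4.1 findings for a context; an empty list means it passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("untrusted certificates accepted (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("certificate name not checked against the node hostname")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy protocol versions (SSLv3/TLS 1.0/1.1) still negotiable")
    weak = sorted(c["name"] for c in ctx.get_ciphers()
                  if any(tag in c["name"] for tag in ("RC4", "MD5", "NULL", "DES")))
    if weak:
        findings.append("weak cipher suites enabled: " + ", ".join(weak))
    return findings


def permissive_client_context():
    """The 'just make it connect' configuration seen in many client apps, for contrast."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # accepts a certificate for any name
    ctx.verify_mode = ssl.CERT_NONE  # accepts a certificate from anyone
    return ctx


if __name__ == "__main__":
    print("secure context findings:", audit_context(secure_client_context()))
    print("permissive context findings:", audit_context(permissive_client_context()))
```

The permissive context is worth recognising because it still "uses SSL": traffic is encrypted, but with no certificate validation an on-path party can present its own certificate and read the cardholder data, which is exactly what the first 4.1 bullet exists to prevent.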
23. HOW WE DO IT
Client-to-Node and Node-to-Node Encryption
• DSE protects data in flight from client machines to a database cluster
Ensures data cannot be captured/stolen en route to a server
Establishes a secure channel between the client and the coordinating
node
• DSE protects data transferred between nodes in a cluster using SSL
• SSL keys are secured and managed to ensure only trusted processes
can transmit data over the network
24. PCI GUIDELINE #7
Restrict access to data by business and need-to-know
7.1 Limit access to system components
and cardholder data to only those
individuals whose job requires such
access
7.2 Establish an access control
system for system components with
multiple users that restricts access
based on a user’s need to know, and
is set to “deny all” unless specifically
allowed
25. HOW WE DO IT
Internal Authentication
• DataStax offers internal authentication using login accounts and
passwords for Cassandra and Kerberos authentication for
Cassandra, Hadoop and Solr
• Provides granular control over who can
add/change/delete/read data
• Grants or revokes permissions to access Cassandra data
26. HOW WE DO IT
Access Controls
• Gazzang offers process-based access controls that determine which
processes can access encrypted cardholder data
Only authorized database accounts with assigned database rights
connecting from applications on approved network clients can access
cardholder data stored on a server.
OS users that do not have a business need to read the data can be
prevented from accessing it
• Key release policies provide an additional means of preventing unauthorized
access
27. PCI GUIDELINE #8
Assign unique IDs for access
8.1 Provide each user with an ID
that is unique and cannot be
shared with anyone
8.2 Identify and authenticate
access to system components
28. HOW WE DO IT
Single Sign-On and Super Users
• DSE offers external authentication through
Kerberos to provide single sign on capability.
• DSE also allows super user creation and can
authorize other users.
29. PCI GUIDELINE #10
Track and monitor all access to network resources and cardholder data
10.3 Record audit trail
entries for all system
components for each event
30. HOW WE DO IT
Data Auditing Control
• DSE supports data auditing, which is being implemented as a log4j-based
integration
• Granular control to audit only what’s needed
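An audit trail only satisfies requirement 10 if someone reads it, and the "need to know" rule of 7.1/7.2 gives the reader a concrete test to apply. The following is an added Python example, not code from the webinar or from DSE, that parses a few constructed audit entries, keeps only the events in scope (cardholder tables and authentication) and flags accounts outside the need-to-know list plus repeated login failures. The pipe-separated key:value layout of the sample lines and the table/account policy are assumptions made for this example.

```python
from collections import Counter

# Constructed sample audit entries. The pipe-separated key:value layout is an
# assumption made for this example, not a documented DSE log format.
SAMPLE_AUDIT_LOG = """\
host:node1|source:/10.0.1.15|user:payments_app|timestamp:1389024000000|category:DML|type:CQL_SELECT|ks:payments|cf:cards|operation:SELECT pan_hash, last4 FROM payments.cards WHERE customer_id = 42
host:node1|source:/10.0.9.8|user:reporting|timestamp:1389024001000|category:DML|type:CQL_SELECT|ks:payments|cf:cards|operation:SELECT * FROM payments.cards
host:node2|source:/10.0.1.15|user:payments_app|timestamp:1389024002000|category:DML|type:CQL_UPDATE|ks:payments|cf:cards|operation:INSERT INTO payments.cards (customer_id, pan_hash, last4) VALUES (42, 'ab12', '1111')
host:node2|source:/10.0.9.8|user:cassandra|timestamp:1389024003000|category:AUTH|type:LOGIN_ERROR|operation:LOGIN FAILURE
host:node2|source:/10.0.9.8|user:cassandra|timestamp:1389024003500|category:AUTH|type:LOGIN_ERROR|operation:LOGIN FAILURE
host:node1|source:/10.0.1.15|user:payments_app|timestamp:1389024004000|category:DML|type:CQL_SELECT|ks:loyalty|cf:points|operation:SELECT * FROM loyalty.points
"""

# Constructed need-to-know policy (7.1/7.2): the accounts allowed to touch each
# table holding cardholder data. Any account not listed is denied.
CARDHOLDER_TABLES = {
    ("payments", "cards"): {"payments_app"},
}


def parse_entry(line):
    """Split one audit line into a dict; only the first colon of each field separates key and value."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(":")
        fields[key] = value
    return fields


def in_scope(entry):
    """Requirement 10 scope: keep cardholder-table activity and authentication events, drop the rest."""
    return (entry.get("category") == "AUTH"
            or (entry.get("ks"), entry.get("cf")) in CARDHOLDER_TABLES)


def review_audit_log(text, failed_login_threshold=2):
    """Return human-readable findings: need-to-know violations and repeated login failures."""
    findings = []
    failed_logins = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_entry(line)
        if not in_scope(entry):
            continue
        table = (entry.get("ks"), entry.get("cf"))
        if table in CARDHOLDER_TABLES and entry.get("user") not in CARDHOLDER_TABLES[table]:
            findings.append("need-to-know violation: %s %s on %s.%s from %s" % (
                entry.get("user"), entry.get("type"), table[0], table[1], entry.get("source")))
        if entry.get("category") == "AUTH" and entry.get("type") == "LOGIN_ERROR":
            failed_logins[(entry.get("user"), entry.get("source"))] += 1
    for (user, source), count in sorted(failed_logins.items()):
        if count >= failed_login_threshold:
            findings.append("%d failed logins for %s from %s" % (count, user, source))
    return findings


if __name__ == "__main__":
    for finding in review_audit_log(SAMPLE_AUDIT_LOG):
        print(finding)
```

The `in_scope` filter is a reader-side stand-in for the "audit only what's needed" control: in a real deployment the narrowing happens in the audit configuration so that high-volume tables outside the cardholder data environment never reach the log in the first place.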
31. PCI Summary
• The PCI-DSS is a set of comprehensive requirements for securing
payment data.
• Complying with PCI ensures the payment card information (sensitive
data) is very secure, and customers can trust the complying organization
with their sensitive payment card information.
• This process can avoid any data breach or hack.
• Ensures best practices for the entire infrastructure through access control
policies, reporting and monitoring.
32. DataStax in conjunction with Gazzang provides
comprehensive features for securing sensitive
information stored in the Cassandra database
and helps organizations comply with PCI-DSS
requirements.
33. Next steps
• Links to webinar recording and white paper coming to your
inbox soon
• Learn more about DataStax Enterprise
(DSE): http://www.datastax.com/what-we-offer/productsservices/datastax-enterprise/advantages - navtop
• DSE Security:
http://www.datastax.com/documentation/datastax_enterprise/3.2/datastax_enterprise/sec/secDSE.html
• Request a demo of Gazzang+DataStax
Enterprise: http://www.gazzang.com/products/zncrypt/datastaxenterprise
34. Thank you – Questions?
We power the big data apps
that transform business.
Speaker notes
As mentioned previously, PCI-DSS comprises 12 categories of regulations. Those in bold below deal directly with storage and access to digital, not physical data. PCI-DSS requires organizations to dispose of sensitive authentication data immediately following a transaction. Because this data is never stored, this section will focus on PCI Requirements 2, 3, 4 and 7, which deal with cardholder data as it is transferred over the network and retained in a database.
Guideline #3 is one of the most critical guidelines out there. (true/false?) Here you see the variety of sub-guidelines related to Guideline #3 that deal with data obfuscation, network encryption and data access.
Many of the changes introduced to Requirement 3 in DSS 3.0 involve improving the management of encryption keys.
DSE and Gazzang offer transparent data encryption that secures cardholder data against disclosure and misuse. Gazzang zNcrypt™ brings transparent data encryption to DataStax Enterprise, enabling customers to secure sensitive cardholder data including names, PANs, expiration dates and other associated personally identifiable information.
Cashstar develops customer rewards programs for some of the largest retail brands in the world including Best Buy, Starbucks and GAP. Their e-gifting platform enables people to send personalized gift cards to anyone in the world. Each gift card comes with a unique Primary Account Number (PAN) that is stored in a database and encrypted by Gazzang in a manner that complies with PCI sections 3 and 7. That means that in addition to strong AES-256 data encryption, Cashstar manages the keys separate from the encrypted data and sets data retrieval access policies based on business need to know.
Section 7 of PCI-DSS requires that a company restrict access to cardholder data based on a user’s “need to know.” For data stored in DataStax Enterprise, this means only the authorized database accounts with assigned database rights connecting from applications on approved network clients should be able to access cardholder data stored on a server. Operating system users, database and cloud administrators and other unauthorized parties should never have access to secure cardholder data.