SlideShare ist ein Scribd-Unternehmen logo

PCI DSS for Pentesting

n|u - The Open Security Community
n|u - The Open Security Community

null Mumbai Chapter - March 2013 Meet

1 von 26
Downloaden Sie, um offline zu lesen
PCI DSS for Penetration Testers K. K. Mookhey
What is PCI DSS ?  Payment Card Industry (PCI) Data Security Standard (DSS)  PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data.  PCI DSS comprises a minimum set of requirements for protecting cardholder data, and may be enhanced by additional controls and practices to further mitigate risks
Why Is Compliance with PCI DSS Important?  A security breach and subsequent compromise of payment card data has far-reaching consequences for affected organizations, including:  Regulatory notification requirements,  Loss of reputation,  Loss of customers,  Potential financial liabilities (for example, regulatory and other fees and fines), and  Litigation.
PCI DSS Payment Card Industry Data Security Standard  Standard applies to:  Merchants  Service Providers (Third Third-party vendor, gateways)  Systems (Hardware, software)  Who:  Store cardholder data  Transmit cardholder data  Process cardholder data  Inclusive of:  Electronic Transactions  Paper Transactions
The PCI Security Standards Council (PCI SSC)  An open global forum, launched in 2006, responsible for the development, management, education, and awareness of the PCI Security Standards, including:  Data Security Standard (DSS)  Payment Application Data Security Standard (PA-DSS)  Pin Transaction Security (PTS)  Formally known as Pin-Entry Device (PED) PCI PTS PCI PA-DSS PCI DSS
PCI SSC- Standards
PIN Transaction (PTS) Security Requirements • It is a set of security requirements focused on characteristics and management of devices used in the protection of cardholder PINs and other payment processing related activities. • The requirements are for manufacturers to follow in the design, manufacture and transport of a device to the entity that implements it. • Financial institutions, processors, merchants and service providers should only use devices or components that are tested and approved by the PCI SSC. www.pcisecuritystandards.org/security_standards/ped/pedapprovallist. html
Payment Application Data Security Standard (PA-DSS) • The PA-DSS is for software developers and integrators of payment applications that store, process or transmit cardholder data as part of authorization or settlement when these applications are sold, distributed or licensed to third parties. • Most card brands encourage merchants to use payment applications that are tested and approved by the PCI SSC. Validated applications are listed at: www.pcisecuritystandards.org/security_standards/pa_dss.shtml
PCI Data Security Standard (DSS) • The PCI DSS applies to all entities that store, process, and/or transmit cardholder data. • It covers technical and operational system components included in or connected to cardholder data. • If you are a merchant who accepts or processes payment cards, you must comply with the PCI DSS.
The PCI Security Standards Founders
Data on Payment Card
Track 1 vs. Track 2 Data
Track 1 vs. Track 2 Data (cont..)  If full track (either Track 1 or Track 2, from the magnetic stripe, magnetic- stripe image in a chip, or elsewhere) data is stored, malicious individuals who obtain that data can reproduce and sell payment cards around the world.  Full track data storage also violates the payment brands' operating regulations and can lead to fines and penalties.
What to store & what not to store
Guidelines for Storage 1. One-way hash functions based on strong cryptography – converts the entire PAN into a unique, fixed-length cryptographic value. 2. Truncation – permanently removes a segment of the data (for example, retaining only the last four digits). 3. Index tokens and securely stored pads – encryption algorithm that combines sensitive plain text data with a random key or “pad” that works only once. 4. Strong cryptography – with associated key management processes and procedures. Refer to the PCI DSS and PA-DSS Glossary of Terms, Abbreviations and Acronyms for the definition of “strong cryptography.”
The PCI Data Security Standard Six Goals, Twelve Requirements Build and Maintain a 1. Install and maintain a firewall configuration to protect cardholder Secure Network data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability 5. Use and regularly update anti-virus software or programs Management Program 6. Develop and maintain secure systems and applications Implement Strong Access 7. Restrict access to cardholder data by business need-to-know Control Measures 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly Monitor and 10. Track and monitor all access to network resources and cardholder Test Networks data 11. Regularly test security systems and processes Maintain an Information 12. Maintain a policy that addresses information security for Security Policy employees and contractors
Other PCI Standards
PCI SSC- Standards
PIN Transaction (PTS) Security Requirements • It is a set of security requirements focused on characteristics and management of devices used in the protection of cardholder PINs and other payment processing related activities. • The requirements are for manufacturers to follow in the design, manufacture and transport of a device to the entity that implements it. • Financial institutions, processors, merchants and service providers should only use devices or components that are tested and approved by the PCI SSC. www.pcisecuritystandards.org/security_standards/ped/pedapprovallist. html
PIN Transaction (PTS) Security Requirements (cont..) • Objective 1 : PINs used in transactions governed by these requirements are processed using equipment and methodologies that ensure they are kept secure. • Objective 2 : Cryptographic keys used for PIN encryption/decryption and related key management are created using processes that ensure that it is not possible to predict any key or determine that certain keys are more probable than other keys. • Objective 3 : Keys are conveyed or transmitted in a secure manner.
PIN Transaction (PTS) Security Requirements (cont..) • Objective 4 : Key-loading to hosts and PIN entry devices is handled in a secure manner. • Objective 5 : Keys are used in a manner that prevents or detects their unauthorized usage. • Objective 6 : Keys are administered in a secure manner. • Objective 7 : Equipment used to process PINs and keys is managed in a secure manner.
Payment Application Data Security Standard (PA-DSS) • The PA-DSS is for software developers and integrators of payment applications that store, process or transmit cardholder data as part of authorization or settlement when these applications are sold, distributed or licensed to third parties. • Most card brands encourage merchants to use payment applications that are tested and approved by the PCI SSC. Validated applications are listed at: www.pcisecuritystandards.org/security_standards/pa_dss.shtml
PA-DSS (cont..) • Requirement 1 : Do not retain full magnetic stripe, card verification code or value (CAV2, CID, CVC2, CVV2), or PIN block data • Requirement 2 : Protect stored cardholder data • Requirement 3 : Provide secure authentication features • Requirement 4 : Log payment application activity • Requirement 5 : Develop secure payment applications • Requirement 6 : Protect wireless transmissions • Requirement 7 : Test payment applications to address vulnerabilities • Requirement 8 : Facilitate secure network implementation • Requirement 9 : Cardholder data must never be stored on a server connected to the Internet
PA-DSS (cont..) • Requirement 10 : Facilitate secure remote access to payment application • Requirement 11 : Encrypt sensitive traffic over public networks • Requirement 12 : Encrypt all non-console administrative access • Requirement 13 : Maintain instructional documentation and training programs for customers, resellers, and integrators
Thank you! Questions / Queries NETWORK INTELLIGENCE INDIA PVT. LTD. AN ISO/IEC 27001:2005 CERTIFIED COMPANY Web http://www.niiconsulting.com Email kkmookhey@niiconsulting.com Tel +91-22-2839-2628 +91-22-4005-2628 Fax +91-22-2837-5454

Empfohlen

PCI DSS Compliance Checklist
PCI DSS Compliance ChecklistPCI DSS Compliance Checklist
PCI DSS Compliance ChecklistControlCase
 
PCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step GuidePCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step GuideAlienVault
 
ISO 27001 Training | ISMS Awareness Training
ISO 27001 Training | ISMS Awareness TrainingISO 27001 Training | ISMS Awareness Training
ISO 27001 Training | ISMS Awareness Traininghimalya sharma
 
A practical guides to PCI compliance
A practical guides to PCI complianceA practical guides to PCI compliance
A practical guides to PCI complianceJisc
 
Why ISO27001 For My Organisation
Why ISO27001 For My OrganisationWhy ISO27001 For My Organisation
Why ISO27001 For My OrganisationVigilant Software
 
PCI DSS for Penetration Testing
PCI DSS for Penetration TestingPCI DSS for Penetration Testing
PCI DSS for Penetration TestingNetwork Intelligence India
 
Webinar - pci dss 4.0 updates
Webinar - pci dss 4.0 updates Webinar - pci dss 4.0 updates
Webinar - pci dss 4.0 updates VISTA InfoSec
 
PCI DSS
PCI DSSPCI DSS
PCI DSSDuy Do Phan
 

Empfohlen

PCI DSS Compliance Checklist
PCI DSS Compliance ChecklistPCI DSS Compliance Checklist
PCI DSS Compliance ChecklistControlCase
 
PCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step GuidePCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step GuideAlienVault
 
ISO 27001 Training | ISMS Awareness Training
ISO 27001 Training | ISMS Awareness TrainingISO 27001 Training | ISMS Awareness Training
ISO 27001 Training | ISMS Awareness Traininghimalya sharma
 
A practical guides to PCI compliance
A practical guides to PCI complianceA practical guides to PCI compliance
A practical guides to PCI complianceJisc
 
Why ISO27001 For My Organisation
Why ISO27001 For My OrganisationWhy ISO27001 For My Organisation
Why ISO27001 For My OrganisationVigilant Software
 
PCI DSS for Penetration Testing
PCI DSS for Penetration TestingPCI DSS for Penetration Testing
PCI DSS for Penetration TestingNetwork Intelligence India
 
Webinar - pci dss 4.0 updates
Webinar - pci dss 4.0 updates Webinar - pci dss 4.0 updates
Webinar - pci dss 4.0 updates VISTA InfoSec
 
PCI DSS
PCI DSSPCI DSS
PCI DSSDuy Do Phan
 
PCI-DSS_Overview
PCI-DSS_OverviewPCI-DSS_Overview
PCI-DSS_Overviewsameh Abulfotooh
 
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to KnowISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to KnowPECB
 
ISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdfISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdfControlCase
 
ISMS implementation challenges-KASYS
ISMS implementation challenges-KASYSISMS implementation challenges-KASYS
ISMS implementation challenges-KASYSReza Teynia ISMS, ITSM, MSc
 
NQA - ISO 27001 Implementation Guide
NQA - ISO 27001 Implementation GuideNQA - ISO 27001 Implementation Guide
NQA - ISO 27001 Implementation GuideNA Putra
 
PCI DSS 3.2
PCI DSS 3.2PCI DSS 3.2
PCI DSS 3.2Kimberly Simon MBA
 
Understanding the Risk Management Framework & (ISC)2 CAP Module 1: Exam
Understanding the Risk Management Framework & (ISC)2 CAP Module 1: Exam Understanding the Risk Management Framework & (ISC)2 CAP Module 1: Exam
Understanding the Risk Management Framework & (ISC)2 CAP Module 1: Exam Donald E. Hester
 
Looking Forward to PCI DSS v4.0
Looking Forward to PCI DSS v4.0Looking Forward to PCI DSS v4.0
Looking Forward to PCI DSS v4.0Kriangkrai Chumsaktrakul
 
27001 awareness Training
27001 awareness Training27001 awareness Training
27001 awareness TrainingDr Madhu Aman Sharma
 
PCI DSS v4 - ControlCase Update Webinar Final.pdf
PCI DSS v4 - ControlCase Update Webinar Final.pdfPCI DSS v4 - ControlCase Update Webinar Final.pdf
PCI DSS v4 - ControlCase Update Webinar Final.pdfControlCase
 
Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005ControlCase
 
ISMS Part I
ISMS Part IISMS Part I
ISMS Part Ikhushboo
 
Iso 27001 2013
Iso 27001 2013Iso 27001 2013
Iso 27001 2013Magda CHELLY, Ph.D, S-CISO, CISSP®
 
ISO_ 27001:2022 Controls & Clauses.pptx
ISO_ 27001:2022 Controls & Clauses.pptxISO_ 27001:2022 Controls & Clauses.pptx
ISO_ 27001:2022 Controls & Clauses.pptxforam74
 
Iso27001 Audit Services
Iso27001 Audit ServicesIso27001 Audit Services
Iso27001 Audit Servicesmcloete
 
What is ISO 27001 ISMS
What is ISO 27001 ISMSWhat is ISO 27001 ISMS
What is ISO 27001 ISMSBusiness Beam
 
Iso 27001 awareness
Iso 27001 awarenessIso 27001 awareness
Iso 27001 awarenessÃsħâr Ãâlâm
 
Security review using SABSA
Security review using SABSASecurity review using SABSA
Security review using SABSAMaganathin Veeraragaloo
 
ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013 An Overview ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013 An Overview Ahmed Riad .
 
From NIST CSF 1.1 to 2.0.pdf
From NIST CSF 1.1 to 2.0.pdfFrom NIST CSF 1.1 to 2.0.pdf
From NIST CSF 1.1 to 2.0.pdfAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
Pci standards, from participation to implementation and review
Pci standards, from participation to implementation and reviewPci standards, from participation to implementation and review
Pci standards, from participation to implementation and reviewisc2-hellenic
 
PCI Compliance (for developers)
PCI Compliance (for developers)PCI Compliance (for developers)
PCI Compliance (for developers)Maksim Djackov
 

Weitere ähnliche Inhalte

Was ist angesagt?

ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to KnowISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to KnowPECB
 
ISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdfISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdfControlCase
 
NQA - ISO 27001 Implementation Guide
NQA - ISO 27001 Implementation GuideNQA - ISO 27001 Implementation Guide
NQA - ISO 27001 Implementation GuideNA Putra
 
Understanding the Risk Management Framework & (ISC)2 CAP Module 1: Exam
Understanding the Risk Management Framework & (ISC)2 CAP Module 1: Exam Understanding the Risk Management Framework & (ISC)2 CAP Module 1: Exam
Understanding the Risk Management Framework & (ISC)2 CAP Module 1: Exam Donald E. Hester
 
PCI DSS v4 - ControlCase Update Webinar Final.pdf
PCI DSS v4 - ControlCase Update Webinar Final.pdfPCI DSS v4 - ControlCase Update Webinar Final.pdf
PCI DSS v4 - ControlCase Update Webinar Final.pdfControlCase
 
Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005ControlCase
 
ISMS Part I
ISMS Part IISMS Part I
ISMS Part Ikhushboo
 
ISO_ 27001:2022 Controls & Clauses.pptx
ISO_ 27001:2022 Controls & Clauses.pptxISO_ 27001:2022 Controls & Clauses.pptx
ISO_ 27001:2022 Controls & Clauses.pptxforam74
 
Iso27001 Audit Services
Iso27001 Audit ServicesIso27001 Audit Services
Iso27001 Audit Servicesmcloete
 
What is ISO 27001 ISMS
What is ISO 27001 ISMSWhat is ISO 27001 ISMS
What is ISO 27001 ISMSBusiness Beam
 
ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013 An Overview ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013 An Overview Ahmed Riad .
 

Was ist angesagt? (20)

PCI-DSS_Overview
PCI-DSS_OverviewPCI-DSS_Overview
PCI-DSS_Overview
 
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to KnowISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know
 
ISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdfISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdf
 
ISMS implementation challenges-KASYS
ISMS implementation challenges-KASYSISMS implementation challenges-KASYS
ISMS implementation challenges-KASYS
 
NQA - ISO 27001 Implementation Guide
NQA - ISO 27001 Implementation GuideNQA - ISO 27001 Implementation Guide
NQA - ISO 27001 Implementation Guide
 
PCI DSS 3.2
PCI DSS 3.2PCI DSS 3.2
PCI DSS 3.2
 
Understanding the Risk Management Framework & (ISC)2 CAP Module 1: Exam
Understanding the Risk Management Framework & (ISC)2 CAP Module 1: Exam Understanding the Risk Management Framework & (ISC)2 CAP Module 1: Exam
Understanding the Risk Management Framework & (ISC)2 CAP Module 1: Exam
 
Looking Forward to PCI DSS v4.0
Looking Forward to PCI DSS v4.0Looking Forward to PCI DSS v4.0
Looking Forward to PCI DSS v4.0
 
27001 awareness Training
27001 awareness Training27001 awareness Training
27001 awareness Training
 
PCI DSS v4 - ControlCase Update Webinar Final.pdf
PCI DSS v4 - ControlCase Update Webinar Final.pdfPCI DSS v4 - ControlCase Update Webinar Final.pdf
PCI DSS v4 - ControlCase Update Webinar Final.pdf
 
Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005
 
ISMS Part I
ISMS Part IISMS Part I
ISMS Part I
 
Iso 27001 2013
Iso 27001 2013Iso 27001 2013
Iso 27001 2013
 
ISO_ 27001:2022 Controls & Clauses.pptx
ISO_ 27001:2022 Controls & Clauses.pptxISO_ 27001:2022 Controls & Clauses.pptx
ISO_ 27001:2022 Controls & Clauses.pptx
 
Iso27001 Audit Services
Iso27001 Audit ServicesIso27001 Audit Services
Iso27001 Audit Services
 
What is ISO 27001 ISMS
What is ISO 27001 ISMSWhat is ISO 27001 ISMS
What is ISO 27001 ISMS
 
Iso 27001 awareness
Iso 27001 awarenessIso 27001 awareness
Iso 27001 awareness
 
Security review using SABSA
Security review using SABSASecurity review using SABSA
Security review using SABSA
 
ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013 An Overview ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013 An Overview
 
From NIST CSF 1.1 to 2.0.pdf
From NIST CSF 1.1 to 2.0.pdfFrom NIST CSF 1.1 to 2.0.pdf
From NIST CSF 1.1 to 2.0.pdf
 

Ähnlich wie PCI DSS for Pentesting

Pci standards, from participation to implementation and review
Pci standards, from participation to implementation and reviewPci standards, from participation to implementation and review
Pci standards, from participation to implementation and reviewisc2-hellenic
 
PCI Compliance (for developers)
PCI Compliance (for developers)PCI Compliance (for developers)
PCI Compliance (for developers)Maksim Djackov
 
PCI Certification and remediation services
PCI Certification and remediation servicesPCI Certification and remediation services
PCI Certification and remediation servicesTariq Juneja
 
PCI DSS and PA DSS Compliance
PCI DSS and PA DSS CompliancePCI DSS and PA DSS Compliance
PCI DSS and PA DSS ComplianceControlCase
 
Payment Card Industry Security Standards
Payment Card Industry Security StandardsPayment Card Industry Security Standards
Payment Card Industry Security StandardsAshintha Rukmal
 
pci-comp pci requirements and controls.ppt
pci-comp pci requirements and controls.pptpci-comp pci requirements and controls.ppt
pci-comp pci requirements and controls.pptgealehegn
 
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNetPayment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNetSafeNet
 
Educause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptxEducause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptxgealehegn
 
SFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA PerspectiveSFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA PerspectiveMark Akins
 
Risk Factory: PCI - The Essentials
Risk Factory: PCI - The EssentialsRisk Factory: PCI - The Essentials
Risk Factory: PCI - The EssentialsRisk Crew
 
Quick Reference Guide to the PCI Data Security Standard
Quick Reference Guide to the PCI Data Security StandardQuick Reference Guide to the PCI Data Security Standard
Quick Reference Guide to the PCI Data Security Standard- Mark - Fullbright
 
Making Compliance Business as Usual
Making Compliance Business as UsualMaking Compliance Business as Usual
Making Compliance Business as UsualControlCase
 
PCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as UsualPCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as UsualKimberly Simon MBA
 

Ähnlich wie PCI DSS for Pentesting (20)

Pci standards, from participation to implementation and review
Pci standards, from participation to implementation and reviewPci standards, from participation to implementation and review
Pci standards, from participation to implementation and review
 
PCI Compliance (for developers)
PCI Compliance (for developers)PCI Compliance (for developers)
PCI Compliance (for developers)
 
PCI Certification and remediation services
PCI Certification and remediation servicesPCI Certification and remediation services
PCI Certification and remediation services
 
PCI DSS and PA DSS Compliance
PCI DSS and PA DSS CompliancePCI DSS and PA DSS Compliance
PCI DSS and PA DSS Compliance
 
Payment Card Industry Security Standards
Payment Card Industry Security StandardsPayment Card Industry Security Standards
Payment Card Industry Security Standards
 
PCI DSSand PA DSS
PCI DSSand PA DSSPCI DSSand PA DSS
PCI DSSand PA DSS
 
Pcidss qr gv3_1
Pcidss qr gv3_1Pcidss qr gv3_1
Pcidss qr gv3_1
 
pci-comp pci requirements and controls.ppt
pci-comp pci requirements and controls.pptpci-comp pci requirements and controls.ppt
pci-comp pci requirements and controls.ppt
 
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNetPayment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
 
Educause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptxEducause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptx
 
SFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA PerspectiveSFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA Perspective
 
PCI DSS and PA DSS Compliance
PCI DSS and PA DSS CompliancePCI DSS and PA DSS Compliance
PCI DSS and PA DSS Compliance
 
Risk Factory: PCI - The Essentials
Risk Factory: PCI - The EssentialsRisk Factory: PCI - The Essentials
Risk Factory: PCI - The Essentials
 
Pci dss-for-it-providers
Pci dss-for-it-providersPci dss-for-it-providers
Pci dss-for-it-providers
 
PCI DSS and PA DSS
PCI DSS and PA DSSPCI DSS and PA DSS
PCI DSS and PA DSS
 
Quick Reference Guide to the PCI Data Security Standard
Quick Reference Guide to the PCI Data Security StandardQuick Reference Guide to the PCI Data Security Standard
Quick Reference Guide to the PCI Data Security Standard
 
Pci ssc quick reference guide
Pci ssc quick reference guidePci ssc quick reference guide
Pci ssc quick reference guide
 
Making Compliance Business as Usual
Making Compliance Business as UsualMaking Compliance Business as Usual
Making Compliance Business as Usual
 
PCI-DSS for IDRBT
PCI-DSS for IDRBTPCI-DSS for IDRBT
PCI-DSS for IDRBT
 
PCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as UsualPCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as Usual
 

Mehr von n|u - The Open Security Community

Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...n|u - The Open Security Community
 

Mehr von n|u - The Open Security Community (20)

Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
 
Osint primer
Osint primerOsint primer
Osint primer
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Metasploit primary
Metasploit primaryMetasploit primary
Metasploit primary
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logs
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
 
Cloud security
Cloud security Cloud security
Cloud security
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Process
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacks
 
Linux for hackers
Linux for hackersLinux for hackers
Linux for hackers
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 

PCI DSS for Pentesting

  • 1. PCI DSS for Penetration Testers K. K. Mookhey
  • 2. What is PCI DSS ?  Payment Card Industry (PCI) Data Security Standard (DSS)  PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data.  PCI DSS comprises a minimum set of requirements for protecting cardholder data, and may be enhanced by additional controls and practices to further mitigate risks
  • 3. Why Is Compliance with PCI DSS Important?  A security breach and subsequent compromise of payment card data has far-reaching consequences for affected organizations, including:  Regulatory notification requirements,  Loss of reputation,  Loss of customers,  Potential financial liabilities (for example, regulatory and other fees and fines), and  Litigation.
  • 4.
  • 5. PCI DSS Payment Card Industry Data Security Standard  Standard applies to:  Merchants  Service Providers (Third Third-party vendor, gateways)  Systems (Hardware, software)  Who:  Store cardholder data  Transmit cardholder data  Process cardholder data  Inclusive of:  Electronic Transactions  Paper Transactions
  • 6. The PCI Security Standards Council (PCI SSC)  An open global forum, launched in 2006, responsible for the development, management, education, and awareness of the PCI Security Standards, including:  Data Security Standard (DSS)  Payment Application Data Security Standard (PA-DSS)  Pin Transaction Security (PTS)  Formally known as Pin-Entry Device (PED) PCI PTS PCI PA-DSS PCI DSS
  • 8. PIN Transaction (PTS) Security Requirements • It is a set of security requirements focused on characteristics and management of devices used in the protection of cardholder PINs and other payment processing related activities. • The requirements are for manufacturers to follow in the design, manufacture and transport of a device to the entity that implements it. • Financial institutions, processors, merchants and service providers should only use devices or components that are tested and approved by the PCI SSC. www.pcisecuritystandards.org/security_standards/ped/pedapprovallist. html
  • 9. Payment Application Data Security Standard (PA-DSS) • The PA-DSS is for software developers and integrators of payment applications that store, process or transmit cardholder data as part of authorization or settlement when these applications are sold, distributed or licensed to third parties. • Most card brands encourage merchants to use payment applications that are tested and approved by the PCI SSC. Validated applications are listed at: www.pcisecuritystandards.org/security_standards/pa_dss.shtml
  • 10. PCI Data Security Standard (DSS) • The PCI DSS applies to all entities that store, process, and/or transmit cardholder data. • It covers technical and operational system components included in or connected to cardholder data. • If you are a merchant who accepts or processes payment cards, you must comply with the PCI DSS.
  • 11. The PCI Security Standards Founders
  • 13. Track 1 vs. Track 2 Data
  • 14. Track 1 vs. Track 2 Data (cont..)  If full track (either Track 1 or Track 2, from the magnetic stripe, magnetic- stripe image in a chip, or elsewhere) data is stored, malicious individuals who obtain that data can reproduce and sell payment cards around the world.  Full track data storage also violates the payment brands' operating regulations and can lead to fines and penalties.
  • 15. What to store & what not to store
  • 16. Guidelines for Storage 1. One-way hash functions based on strong cryptography – converts the entire PAN into a unique, fixed-length cryptographic value. 2. Truncation – permanently removes a segment of the data (for example, retaining only the last four digits). 3. Index tokens and securely stored pads – encryption algorithm that combines sensitive plain text data with a random key or “pad” that works only once. 4. Strong cryptography – with associated key management processes and procedures. Refer to the PCI DSS and PA-DSS Glossary of Terms, Abbreviations and Acronyms for the definition of “strong cryptography.”
  • 17. The PCI Data Security Standard Six Goals, Twelve Requirements Build and Maintain a 1. Install and maintain a firewall configuration to protect cardholder Secure Network data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability 5. Use and regularly update anti-virus software or programs Management Program 6. Develop and maintain secure systems and applications Implement Strong Access 7. Restrict access to cardholder data by business need-to-know Control Measures 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly Monitor and 10. Track and monitor all access to network resources and cardholder Test Networks data 11. Regularly test security systems and processes Maintain an Information 12. Maintain a policy that addresses information security for Security Policy employees and contractors
  • 20. PIN Transaction (PTS) Security Requirements • It is a set of security requirements focused on characteristics and management of devices used in the protection of cardholder PINs and other payment processing related activities. • The requirements are for manufacturers to follow in the design, manufacture and transport of a device to the entity that implements it. • Financial institutions, processors, merchants and service providers should only use devices or components that are tested and approved by the PCI SSC. www.pcisecuritystandards.org/security_standards/ped/pedapprovallist. html
  • 21. PIN Transaction (PTS) Security Requirements (cont..) • Objective 1 : PINs used in transactions governed by these requirements are processed using equipment and methodologies that ensure they are kept secure. • Objective 2 : Cryptographic keys used for PIN encryption/decryption and related key management are created using processes that ensure that it is not possible to predict any key or determine that certain keys are more probable than other keys. • Objective 3 : Keys are conveyed or transmitted in a secure manner.
  • 22. PIN Transaction (PTS) Security Requirements (cont..) • Objective 4 : Key-loading to hosts and PIN entry devices is handled in a secure manner. • Objective 5 : Keys are used in a manner that prevents or detects their unauthorized usage. • Objective 6 : Keys are administered in a secure manner. • Objective 7 : Equipment used to process PINs and keys is managed in a secure manner.
  • 23. Payment Application Data Security Standard (PA-DSS) • The PA-DSS is for software developers and integrators of payment applications that store, process or transmit cardholder data as part of authorization or settlement when these applications are sold, distributed or licensed to third parties. • Most card brands encourage merchants to use payment applications that are tested and approved by the PCI SSC. Validated applications are listed at: www.pcisecuritystandards.org/security_standards/pa_dss.shtml
  • 24. PA-DSS (cont..) • Requirement 1 : Do not retain full magnetic stripe, card verification code or value (CAV2, CID, CVC2, CVV2), or PIN block data • Requirement 2 : Protect stored cardholder data • Requirement 3 : Provide secure authentication features • Requirement 4 : Log payment application activity • Requirement 5 : Develop secure payment applications • Requirement 6 : Protect wireless transmissions • Requirement 7 : Test payment applications to address vulnerabilities • Requirement 8 : Facilitate secure network implementation • Requirement 9 : Cardholder data must never be stored on a server connected to the Internet
  • 25. PA-DSS (cont..) • Requirement 10 : Facilitate secure remote access to payment application • Requirement 11 : Encrypt sensitive traffic over public networks • Requirement 12 : Encrypt all non-console administrative access • Requirement 13 : Maintain instructional documentation and training programs for customers, resellers, and integrators
  • 26. Thank you! Questions / Queries NETWORK INTELLIGENCE INDIA PVT. LTD. AN ISO/IEC 27001:2005 CERTIFIED COMPANY Web http://www.niiconsulting.com Email kkmookhey@niiconsulting.com Tel +91-22-2839-2628 +91-22-4005-2628 Fax +91-22-2837-5454