SlideShare ist ein Scribd-Unternehmen logo

PCI Compliance (for developers)

Als PPTX, PDF herunterladen
Maksim Djackov
Maksim Djackov

My first version of the presentation on PCI security standards. Targeted for developers with relevant information.

Software
1 von 16
PCI COMPLIANCE Introduction for developers mostly
• Goal of the standard is to protect cardholder data • Statistics for US and Europe: • 81% store payment card numbers • 73% store payment card expiration dates • 71% store payment card verification codes • 16% store other personal data • Internet • Public Networks • Wireless POS • Internet • Public Networks • Wireless Merchant • Internet • Public Networks • Wireless Service Provider • Internet • Public Networks • Wireless Acquirer
• PCI DSS compliance process Repair Report Assess
• PAYMENT CARD INDUSTRY SECURITY STANDARDS Manufacturers PCI PTS PIN Transaction Security Software Developers PCI PA-DSS Payment Application Vendors Merchants & Processors PCI DSS Data Security Standard
• PCI DSS version 1.2 common sense steps that mirror best security practices Goals PCI DSS Requirements Build and Maintain a Secure Network 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program 5. Use and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications Implement Strong Access Control Measures 7. Restrict access to cardholder data by business need-to- know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly Monitor and Test Networks 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes Maintain an Information Security Policy 12. Maintain a policy that addresses information security for employees and contractors
• Do NOT request, send or accept payment card information by email • If you receive cardholder data via email, do NOT process the transaction • Make the sender aware that, for their safety, they should never email credit card information • Remove the cardholder data when responding and direct them to an approved processing method • Delete the email containing cardholder data completely from your email account. • Many of the above practices can be applied to Personal Information or PI (SSN, home address, anything that can uniquely identify a person)
In majority of the cases we can use cryptographic primitives, methods and protocols (refer to my previous presentation on the topic) to ensure secure path our data travels (card data and PI) from initiator (data storage, POS, etc.) to the end-point. Sometimes we need to make sure we also reflect country or project specific legal requirements. Always think of where your data might end-up and do NOT STORE or TRANSMIT it without strong business reasons ! If you absolutely need to do it think of tokenizing sensitive data.
• The PA-DSS is a standard for developers of payment applications. • Its goal is to help development of secure commercial payment applications that do not store prohibited data, and ensure that payment applications support compliance with the PCI DSS. • Merchants and service providers should ensure that they are using Council-approved payment applications; check with your acquiring financial institution to understand requirements and associated timeframes for implementing approved applications. • PA-DSS has 14 requirements: For details and a list of approved Payment Applications, see PCI website. Why building applications with PA-DSS in mind is important even if your applications is not going to participate in the PCI pipeline? Because it might! And chances are it will if you work with financial industries.
When should we comply with the PCI requirements? • We accept payments (credit card or debit card) in-person • -”- over the phone • -”- over the internet • -”- over mail • We act as a service providers (accept payments for others) PCI standard applies to all actors that store, process or transmit cardholder data.
Extract from the PCI guide: “Requirement 3: Protect stored cardholder data In general, no cardholder data should ever be stored unless it’s necessary to meet the needs of the business. Sensitive data on the magnetic stripe or chip must never be stored. If your organization stores PAN, it is crucial to render it unreadable (see 3.4, and table below for guidelines). 3.1 Limit cardholder data storage and retention time to that required for business, legal, and/or regulatory purposes, as documented in your data retention policy. 3.2 Do not store sensitive authentication data after authorization (even if it is encrypted). See guidelines in table below. 3.3 Mask PAN when displayed; the first six and last four digits are the maximum number of digits you may display. Not applicable for authorized people with a legitimate business need to see the full PAN. Does not supersede stricter requirements in place for displays of cardholder data such as on a point-of-sale receipt. 3.4 Render PAN, at minimum, unreadable anywhere it is stored – including on portable digital media, backup media, in logs, and data received from or stored by wireless networks. Technology solutions for this requirement may include strong one-way hash functions, truncation, index tokens, securely stored pads, or strong cryptography. (See PCI DSS Glossary for definition of strong cryptography.) 3.5 Protect cryptographic keys used for encryption of cardholder data from disclosure and misuse. 3.6 Fully document and implement all appropriate key management processes and procedures for cryptographic keys used for encryption of cardholder data.”
Extract from the PCI guide: “Requirement 4: Encrypt transmission of cardholder data across open, public networks Cyber criminals may be able to intercept transmissions of cardholder data over open, public networks so it is important to prevent their ability to view these data. Encryption is a technology used to render transmitted data unreadable by any unauthorized person. 4.1 Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks (e.g. Internet, wireless technologies, global systems for communications [GSM], general packet radio systems [GPRS]). Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment use industry best practices (e.g., IEEE 802.11ix) to implement strong encryption for authentication and transmission. For new wireless implementations, it is prohibited to implement WEP after March 31, 2009. For current implementations, it is prohibited to use WEP after June 30, 2010. 4.2 Never send unencrypted PANs by end user messaging technologies.”
Regarding developing and maintaining secure systems and applications PA-DSS certified applications will have an Implementation Guide. In general there are many secure software development and deployment guidelines, for example OWASP for web applications, or Microsoft security checklists, and it is a good idea to pick any and follow it.
Annual penetration testing and quarterly wireless and vulnerability testing is a part of testing efforts and should be performed. Remember, using penetration testing frameworks during development phase builds a solid foundation for your software!
If you don’t have to comply with the PCI standards, breaching your application will bring you unsatisfaction with the clients and will hurt your reputation, at the very least. The real trouble begins when your organization and your software do need to comply. In that case: “Breach Consequences- Even if a company is 100% PCI compliant and validated, a breach in cardholder data may still occur. Cardholder Breaches can result in the following losses for a merchant.$50-$90 fine per cardholder data compromised Suspension of credit card acceptance by a merchant’s credit card account provider Loss of reputation with customers, suppliers, and partners Possible civil litigation from breached customers Loss of customer trust which effects future sales” And these are just a small part if the forthcoming troubles.
Project implementation examples
Questions?

Empfohlen

Pci ssc quick reference guide
Pci ssc quick reference guidePci ssc quick reference guide
Pci ssc quick reference guide
Mohammad Makchudul Alam (Arif)
 
PCI DSS 2.0 Detailed Introduction
PCI DSS 2.0 Detailed IntroductionPCI DSS 2.0 Detailed Introduction
PCI DSS 2.0 Detailed Introduction
ControlCase
 
A practical guides to PCI compliance
A practical guides to PCI complianceA practical guides to PCI compliance
A practical guides to PCI compliance
Jisc
 
PCI-DSS_Overview
PCI-DSS_OverviewPCI-DSS_Overview
PCI-DSS_Overview
sameh Abulfotooh
 
PCI DSS and PA DSS
PCI DSS and PA DSSPCI DSS and PA DSS
PCI DSS and PA DSS
Kimberly Simon MBA
 
You Know You Need PCI Compliance Help When…
You Know You Need PCI Compliance Help When…You Know You Need PCI Compliance Help When…
You Know You Need PCI Compliance Help When…
Rochester Security Summit
 
PCI DSS Compliance
PCI DSS CompliancePCI DSS Compliance
PCI DSS Compliance
Saumya Vishnoi
 
1. PCI Compliance Overview
1. PCI Compliance Overview1. PCI Compliance Overview
1. PCI Compliance Overview
okrantz
 

Empfohlen

Pci ssc quick reference guide
Pci ssc quick reference guidePci ssc quick reference guide
Pci ssc quick reference guide
Mohammad Makchudul Alam (Arif)
 
PCI DSS 2.0 Detailed Introduction
PCI DSS 2.0 Detailed IntroductionPCI DSS 2.0 Detailed Introduction
PCI DSS 2.0 Detailed Introduction
ControlCase
 
A practical guides to PCI compliance
A practical guides to PCI complianceA practical guides to PCI compliance
A practical guides to PCI compliance
Jisc
 
PCI-DSS_Overview
PCI-DSS_OverviewPCI-DSS_Overview
PCI-DSS_Overview
sameh Abulfotooh
 
PCI DSS and PA DSS
PCI DSS and PA DSSPCI DSS and PA DSS
PCI DSS and PA DSS
Kimberly Simon MBA
 
You Know You Need PCI Compliance Help When…
You Know You Need PCI Compliance Help When…You Know You Need PCI Compliance Help When…
You Know You Need PCI Compliance Help When…
Rochester Security Summit
 
PCI DSS Compliance
PCI DSS CompliancePCI DSS Compliance
PCI DSS Compliance
Saumya Vishnoi
 
1. PCI Compliance Overview
1. PCI Compliance Overview1. PCI Compliance Overview
1. PCI Compliance Overview
okrantz
 
Introduction to PCI DSS
Introduction to PCI DSSIntroduction to PCI DSS
Introduction to PCI DSS
Saumya Vishnoi
 
P0 Pcidss Overview
P0 Pcidss OverviewP0 Pcidss Overview
P0 Pcidss Overview
b28stu
 
Introduction to Token Service Provider (TSP) Certification
Introduction to Token Service Provider (TSP) CertificationIntroduction to Token Service Provider (TSP) Certification
Introduction to Token Service Provider (TSP) Certification
Kimberly Simon MBA
 
PCIDSS compliance made easier through a collaboration between NC State and UN...
PCIDSS compliance made easier through a collaboration between NC State and UN...PCIDSS compliance made easier through a collaboration between NC State and UN...
PCIDSS compliance made easier through a collaboration between NC State and UN...
John Baines
 
PCI DSS 3.2
PCI DSS 3.2PCI DSS 3.2
PCI DSS 3.2
Kimberly Simon MBA
 
PCI DSSand PA DSS
PCI DSSand PA DSSPCI DSSand PA DSS
PCI DSSand PA DSS
Kimberly Simon MBA
 
PCI DSS: What it is, and why you should care
PCI DSS: What it is, and why you should carePCI DSS: What it is, and why you should care
PCI DSS: What it is, and why you should care
Sean D. Goodwin
 
Tizor_Data-Best-Practices.ppt
Tizor_Data-Best-Practices.pptTizor_Data-Best-Practices.ppt
Tizor_Data-Best-Practices.ppt
webhostingguy
 
Pcidss qr gv3_1
Pcidss qr gv3_1Pcidss qr gv3_1
Pcidss qr gv3_1
leon bonilla
 
PCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as UsualPCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as Usual
Kimberly Simon MBA
 
Webinar - pci dss 4.0 updates
Webinar - pci dss 4.0 updates Webinar - pci dss 4.0 updates
Webinar - pci dss 4.0 updates
VISTA InfoSec
 
Data Discovery and PCI DSS
Data Discovery and PCI DSSData Discovery and PCI DSS
Data Discovery and PCI DSS
Kimberly Simon MBA
 
Alcumus ISOQAR PCIDSS Compliance Presentation
Alcumus ISOQAR PCIDSS Compliance PresentationAlcumus ISOQAR PCIDSS Compliance Presentation
Alcumus ISOQAR PCIDSS Compliance Presentation
Bhargav Upadhyay
 
PCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to KnowPCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to Know
AlienVault
 
Card Data Discovery and PCI DSS
Card Data Discovery and PCI DSSCard Data Discovery and PCI DSS
Card Data Discovery and PCI DSS
Kimberly Simon MBA
 
Application security and pa dss certification
Application security and pa dss certificationApplication security and pa dss certification
Application security and pa dss certification
Alexander Polyakov
 
PA-DSS
PA-DSSPA-DSS
PA-DSS
Christian Heinrich
 
PCI Scope Reduction Using Tokenization for Security Assessors (QSA, ISA)
PCI Scope Reduction Using Tokenization for Security Assessors (QSA, ISA)PCI Scope Reduction Using Tokenization for Security Assessors (QSA, ISA)
PCI Scope Reduction Using Tokenization for Security Assessors (QSA, ISA)
TokenEx
 
PCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAINING
PCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAININGPCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAINING
PCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAINING
himalya sharma
 
PCI DSS and PA DSS
PCI DSS and PA DSSPCI DSS and PA DSS
PCI DSS and PA DSS
Kimberly Simon MBA
 
9. lo que nunca barrí
9. lo que nunca barrí9. lo que nunca barrí
9. lo que nunca barrí
Chepe Jrmr
 
Жінки в буддизмі
Жінки в буддизмі Жінки в буддизмі
Жінки в буддизмі
Zoya79
 

Weitere ähnliche Inhalte

Was ist angesagt?

P0 Pcidss Overview
P0 Pcidss OverviewP0 Pcidss Overview
P0 Pcidss Overview
b28stu
 
PCIDSS compliance made easier through a collaboration between NC State and UN...
PCIDSS compliance made easier through a collaboration between NC State and UN...PCIDSS compliance made easier through a collaboration between NC State and UN...
PCIDSS compliance made easier through a collaboration between NC State and UN...
John Baines
 
Tizor_Data-Best-Practices.ppt
Tizor_Data-Best-Practices.pptTizor_Data-Best-Practices.ppt
Tizor_Data-Best-Practices.ppt
webhostingguy
 
Alcumus ISOQAR PCIDSS Compliance Presentation
Alcumus ISOQAR PCIDSS Compliance PresentationAlcumus ISOQAR PCIDSS Compliance Presentation
Alcumus ISOQAR PCIDSS Compliance Presentation
Bhargav Upadhyay
 
PCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to KnowPCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to Know
AlienVault
 
Application security and pa dss certification
Application security and pa dss certificationApplication security and pa dss certification
Application security and pa dss certification
Alexander Polyakov
 

Was ist angesagt? (20)

Introduction to PCI DSS
Introduction to PCI DSSIntroduction to PCI DSS
Introduction to PCI DSS
 
P0 Pcidss Overview
P0 Pcidss OverviewP0 Pcidss Overview
P0 Pcidss Overview
 
Introduction to Token Service Provider (TSP) Certification
Introduction to Token Service Provider (TSP) CertificationIntroduction to Token Service Provider (TSP) Certification
Introduction to Token Service Provider (TSP) Certification
 
PCIDSS compliance made easier through a collaboration between NC State and UN...
PCIDSS compliance made easier through a collaboration between NC State and UN...PCIDSS compliance made easier through a collaboration between NC State and UN...
PCIDSS compliance made easier through a collaboration between NC State and UN...
 
PCI DSS 3.2
PCI DSS 3.2PCI DSS 3.2
PCI DSS 3.2
 
PCI DSSand PA DSS
PCI DSSand PA DSSPCI DSSand PA DSS
PCI DSSand PA DSS
 
PCI DSS: What it is, and why you should care
PCI DSS: What it is, and why you should carePCI DSS: What it is, and why you should care
PCI DSS: What it is, and why you should care
 
Tizor_Data-Best-Practices.ppt
Tizor_Data-Best-Practices.pptTizor_Data-Best-Practices.ppt
Tizor_Data-Best-Practices.ppt
 
Pcidss qr gv3_1
Pcidss qr gv3_1Pcidss qr gv3_1
Pcidss qr gv3_1
 
PCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as UsualPCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as Usual
 
Webinar - pci dss 4.0 updates
Webinar - pci dss 4.0 updates Webinar - pci dss 4.0 updates
Webinar - pci dss 4.0 updates
 
Data Discovery and PCI DSS
Data Discovery and PCI DSSData Discovery and PCI DSS
Data Discovery and PCI DSS
 
Alcumus ISOQAR PCIDSS Compliance Presentation
Alcumus ISOQAR PCIDSS Compliance PresentationAlcumus ISOQAR PCIDSS Compliance Presentation
Alcumus ISOQAR PCIDSS Compliance Presentation
 
PCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to KnowPCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to Know
 
Card Data Discovery and PCI DSS
Card Data Discovery and PCI DSSCard Data Discovery and PCI DSS
Card Data Discovery and PCI DSS
 
Application security and pa dss certification
Application security and pa dss certificationApplication security and pa dss certification
Application security and pa dss certification
 
PA-DSS
PA-DSSPA-DSS
PA-DSS
 
PCI Scope Reduction Using Tokenization for Security Assessors (QSA, ISA)
PCI Scope Reduction Using Tokenization for Security Assessors (QSA, ISA)PCI Scope Reduction Using Tokenization for Security Assessors (QSA, ISA)
PCI Scope Reduction Using Tokenization for Security Assessors (QSA, ISA)
 
PCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAINING
PCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAININGPCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAINING
PCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAINING
 
PCI DSS and PA DSS
PCI DSS and PA DSSPCI DSS and PA DSS
PCI DSS and PA DSS
 

Andere mochten auch

9. lo que nunca barrí
9. lo que nunca barrí9. lo que nunca barrí
9. lo que nunca barrí
Chepe Jrmr
 

Andere mochten auch (11)

9. lo que nunca barrí
9. lo que nunca barrí9. lo que nunca barrí
9. lo que nunca barrí
 
Жінки в буддизмі
Жінки в буддизмі Жінки в буддизмі
Жінки в буддизмі
 
Ordinador
OrdinadorOrdinador
Ordinador
 
CMS Development – Empowering Ecommerce Website
CMS Development – Empowering Ecommerce WebsiteCMS Development – Empowering Ecommerce Website
CMS Development – Empowering Ecommerce Website
 
馬英九總統101年言論選集 05
馬英九總統101年言論選集 05馬英九總統101年言論選集 05
馬英九總統101年言論選集 05
 
碧桂园·森林城市项目介绍
碧桂园·森林城市项目介绍碧桂园·森林城市项目介绍
碧桂园·森林城市项目介绍
 
El derecho concursal
El derecho concursalEl derecho concursal
El derecho concursal
 
The1980s Hw Bush Bio
The1980s Hw Bush BioThe1980s Hw Bush Bio
The1980s Hw Bush Bio
 
What would Dame Cicely do? | My biggest comms inspiration seminar | 29 Septem...
What would Dame Cicely do? | My biggest comms inspiration seminar | 29 Septem...What would Dame Cicely do? | My biggest comms inspiration seminar | 29 Septem...
What would Dame Cicely do? | My biggest comms inspiration seminar | 29 Septem...
 
Rediseño de licenciatura en comunicación. Caso de estudio Modalidad a Distanc...
Rediseño de licenciatura en comunicación. Caso de estudio Modalidad a Distanc...Rediseño de licenciatura en comunicación. Caso de estudio Modalidad a Distanc...
Rediseño de licenciatura en comunicación. Caso de estudio Modalidad a Distanc...
 
Online vehicle showroom DB project
Online vehicle showroom DB projectOnline vehicle showroom DB project
Online vehicle showroom DB project
 

Ähnlich wie PCI Compliance (for developers)

Educause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptxEducause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptx
gealehegn
 
Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892
Risk Crew
 
Visa Compliance Mark National Certification
Visa Compliance Mark National CertificationVisa Compliance Mark National Certification
Visa Compliance Mark National Certification
Mark Pollard
 
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNetPayment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
SafeNet
 
Online_Transactions_PCI
Online_Transactions_PCIOnline_Transactions_PCI
Online_Transactions_PCI
Kelly Lam
 
PCI Descoping: How to Reduce Controls and Streamline Compliance
PCI Descoping: How to Reduce Controls and Streamline CompliancePCI Descoping: How to Reduce Controls and Streamline Compliance
PCI Descoping: How to Reduce Controls and Streamline Compliance
TokenEx
 

Ähnlich wie PCI Compliance (for developers) (20)

PCI DSS for Pentesting
PCI DSS for PentestingPCI DSS for Pentesting
PCI DSS for Pentesting
 
PCI DSS for Penetration Testing
PCI DSS for Penetration TestingPCI DSS for Penetration Testing
PCI DSS for Penetration Testing
 
PCI Certification and remediation services
PCI Certification and remediation servicesPCI Certification and remediation services
PCI Certification and remediation services
 
PCI DSS and PA DSS Compliance
PCI DSS and PA DSS CompliancePCI DSS and PA DSS Compliance
PCI DSS and PA DSS Compliance
 
Pci standards, from participation to implementation and review
Pci standards, from participation to implementation and reviewPci standards, from participation to implementation and review
Pci standards, from participation to implementation and review
 
PCI-DSS for IDRBT
PCI-DSS for IDRBTPCI-DSS for IDRBT
PCI-DSS for IDRBT
 
5 Key Requirements for PCI DSS Compliance.pdf
5 Key Requirements for PCI DSS Compliance.pdf5 Key Requirements for PCI DSS Compliance.pdf
5 Key Requirements for PCI DSS Compliance.pdf
 
Educause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptxEducause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptx
 
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...
 
Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892
 
Quick Reference Guide to the PCI Data Security Standard
Quick Reference Guide to the PCI Data Security StandardQuick Reference Guide to the PCI Data Security Standard
Quick Reference Guide to the PCI Data Security Standard
 
ECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce MerchantECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce Merchant
 
eCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain MediaeCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain Media
 
Visa Compliance Mark National Certification
Visa Compliance Mark National CertificationVisa Compliance Mark National Certification
Visa Compliance Mark National Certification
 
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNetPayment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
 
Online_Transactions_PCI
Online_Transactions_PCIOnline_Transactions_PCI
Online_Transactions_PCI
 
PCI DSS and PA DSS Compliance
PCI DSS and PA DSS CompliancePCI DSS and PA DSS Compliance
PCI DSS and PA DSS Compliance
 
PCI DSS
PCI DSSPCI DSS
PCI DSS
 
PCI Descoping: How to Reduce Controls and Streamline Compliance
PCI Descoping: How to Reduce Controls and Streamline CompliancePCI Descoping: How to Reduce Controls and Streamline Compliance
PCI Descoping: How to Reduce Controls and Streamline Compliance
 
Pci dss-for-it-providers
Pci dss-for-it-providersPci dss-for-it-providers
Pci dss-for-it-providers
 

Kürzlich hochgeladen

CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
masabamasaba
 
The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is inside
shinachiaurasa2
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
VictorSzoltysek
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Steffen Staab
 
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
VictoriaMetrics
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
masabamasaba
 
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
masabamasaba
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the past
Papp Krisztián
 
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Medical / Health Care (+971588192166) Mifepristone and Misoprostol tablets 200mg
 

Kürzlich hochgeladen (20)

%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension AidDirect Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
 
The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is inside
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
 
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With SimplicityWSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
tonesoftg
tonesoftgtonesoftg
tonesoftg
 
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
 
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the past
 
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
 

PCI Compliance (for developers)

  • 2. • Goal of the standard is to protect cardholder data • Statistics for US and Europe: • 81% store payment card numbers • 73% store payment card expiration dates • 71% store payment card verification codes • 16% store other personal data • Internet • Public Networks • Wireless POS • Internet • Public Networks • Wireless Merchant • Internet • Public Networks • Wireless Service Provider • Internet • Public Networks • Wireless Acquirer
  • 3. • PCI DSS compliance process Repair Report Assess
  • 4. • PAYMENT CARD INDUSTRY SECURITY STANDARDS Manufacturers PCI PTS PIN Transaction Security Software Developers PCI PA-DSS Payment Application Vendors Merchants & Processors PCI DSS Data Security Standard
  • 5. • PCI DSS version 1.2 common sense steps that mirror best security practices Goals PCI DSS Requirements Build and Maintain a Secure Network 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program 5. Use and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications Implement Strong Access Control Measures 7. Restrict access to cardholder data by business need-to- know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly Monitor and Test Networks 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes Maintain an Information Security Policy 12. Maintain a policy that addresses information security for employees and contractors
  • 6. • Do NOT request, send or accept payment card information by email • If you receive cardholder data via email, do NOT process the transaction • Make the sender aware that, for their safety, they should never email credit card information • Remove the cardholder data when responding and direct them to an approved processing method • Delete the email containing cardholder data completely from your email account. • Many of the above practices can be applied to Personal Information or PI (SSN, home address, anything that can uniquely identify a person)
  • 7. In majority of the cases we can use cryptographic primitives, methods and protocols (refer to my previous presentation on the topic) to ensure secure path our data travels (card data and PI) from initiator (data storage, POS, etc.) to the end-point. Sometimes we need to make sure we also reflect country or project specific legal requirements. Always think of where your data might end-up and do NOT STORE or TRANSMIT it without strong business reasons ! If you absolutely need to do it think of tokenizing sensitive data.
  • 8. • The PA-DSS is a standard for developers of payment applications. • Its goal is to help development of secure commercial payment applications that do not store prohibited data, and ensure that payment applications support compliance with the PCI DSS. • Merchants and service providers should ensure that they are using Council-approved payment applications; check with your acquiring financial institution to understand requirements and associated timeframes for implementing approved applications. • PA-DSS has 14 requirements: For details and a list of approved Payment Applications, see PCI website. Why building applications with PA-DSS in mind is important even if your applications is not going to participate in the PCI pipeline? Because it might! And chances are it will if you work with financial industries.
  • 9. When should we comply with the PCI requirements? • We accept payments (credit card or debit card) in-person • -”- over the phone • -”- over the internet • -”- over mail • We act as a service providers (accept payments for others) PCI standard applies to all actors that store, process or transmit cardholder data.
  • 10. Extract from the PCI guide: “Requirement 3: Protect stored cardholder data In general, no cardholder data should ever be stored unless it’s necessary to meet the needs of the business. Sensitive data on the magnetic stripe or chip must never be stored. If your organization stores PAN, it is crucial to render it unreadable (see 3.4, and table below for guidelines). 3.1 Limit cardholder data storage and retention time to that required for business, legal, and/or regulatory purposes, as documented in your data retention policy. 3.2 Do not store sensitive authentication data after authorization (even if it is encrypted). See guidelines in table below. 3.3 Mask PAN when displayed; the first six and last four digits are the maximum number of digits you may display. Not applicable for authorized people with a legitimate business need to see the full PAN. Does not supersede stricter requirements in place for displays of cardholder data such as on a point-of-sale receipt. 3.4 Render PAN, at minimum, unreadable anywhere it is stored – including on portable digital media, backup media, in logs, and data received from or stored by wireless networks. Technology solutions for this requirement may include strong one-way hash functions, truncation, index tokens, securely stored pads, or strong cryptography. (See PCI DSS Glossary for definition of strong cryptography.) 3.5 Protect cryptographic keys used for encryption of cardholder data from disclosure and misuse. 3.6 Fully document and implement all appropriate key management processes and procedures for cryptographic keys used for encryption of cardholder data.”
  • 11. Extract from the PCI guide: “Requirement 4: Encrypt transmission of cardholder data across open, public networks Cyber criminals may be able to intercept transmissions of cardholder data over open, public networks so it is important to prevent their ability to view these data. Encryption is a technology used to render transmitted data unreadable by any unauthorized person. 4.1 Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks (e.g. Internet, wireless technologies, global systems for communications [GSM], general packet radio systems [GPRS]). Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment use industry best practices (e.g., IEEE 802.11ix) to implement strong encryption for authentication and transmission. For new wireless implementations, it is prohibited to implement WEP after March 31, 2009. For current implementations, it is prohibited to use WEP after June 30, 2010. 4.2 Never send unencrypted PANs by end user messaging technologies.”
  • 12. Regarding developing and maintaining secure systems and applications PA-DSS certified applications will have an Implementation Guide. In general there are many secure software development and deployment guidelines, for example OWASP for web applications, or Microsoft security checklists, and it is a good idea to pick any and follow it.
  • 13. Annual penetration testing and quarterly wireless and vulnerability testing is a part of testing efforts and should be performed. Remember, using penetration testing frameworks during development phase builds a solid foundation for your software!
  • 14. If you don’t have to comply with the PCI standards, breaching your application will bring you unsatisfaction with the clients and will hurt your reputation, at the very least. The real trouble begins when your organization and your software do need to comply. In that case: “Breach Consequences- Even if a company is 100% PCI compliant and validated, a breach in cardholder data may still occur. Cardholder Breaches can result in the following losses for a merchant.$50-$90 fine per cardholder data compromised Suspension of credit card acceptance by a merchant’s credit card account provider Loss of reputation with customers, suppliers, and partners Possible civil litigation from breached customers Loss of customer trust which effects future sales” And these are just a small part if the forthcoming troubles.

Hinweis der Redaktion

  1. Payment Card Industry Data Security Standards (PCI DSS) are administered by the PCI Security Standards Council, which was founded by VISA, MC, AMEX, DISCOVER, and JCB.
  2. Issuer Bank or other financial institution that issues payment cards to consumers (cardholders) Acquirer Contracts for payment services with merchant; merchant must validate PCI DSS compliance with its “acquirer”; acquirer reports compliance status to card associations Merchant Entity that sells goods/services and accepts cards; responsible for safeguarding credit card data and complying with the PCI DSS Service Provider Entity that provides all or some of the payment services for the merchant; responsible for safeguarding credit card data and complying with the PCI DSS Merchant-based vulnerabilities may appear almost anywhere in the card-processing ecosystem including point-of-sale devices; personal computers or servers; wireless hotspots or Web shopping applications; in paper-based storage systems; and unsecured transmission of cardholder data to service providers. Vulnerabilities may even extend to systems operated by service providers and acquirers, which are the financial institutions that initiate and maintain the relationships with merchants that accept payment cards.
  3. There are three ongoing steps for adhering to the PCI DSS: Assess — identifying cardholder data, taking an inventory of your IT assets and business processes for payment card processing, and analyzing them for vulnerabilities that could expose cardholder data. Remediate — fixing vulnerabilities and not storing cardholder data unless you need it. Report — compiling and submitting required remediation validation records (if applicable), and submitting compliance reports to the acquiring bank and card brands you do business with.
  4. PCI Data Security Standard (DSS) The PCI DSS applies to all entities that store, process, and/or transmit cardholder data. It covers technical and operational system components included in or connected to cardholder data. If you are a merchant who accepts or processes payment cards, you must comply with the PCI DSS. PIN Transaction (PTS) Security Requirements PCI PTS (formerly PCI PED) is a set of security requirements focused on characteristics and management of devices used in the protection of cardholder PINs and other payment processing related activities. The requirements are for manufacturers to follow in the design, manufacture and transport of a device to the entity that implements it. Financial institutions, processors, merchants and service providers should only use devices or components that are tested and approved by the PCI SSC (www.pcisecuritystandards.org/security_standards/ped/pedapprovallist.html). Payment Application Data Security Standard (PA-DSS) The PA-DSS is for software developers and integrators of payment applications that store, process or transmit cardholder data as part of authorization or settlement when these applications are sold, distributed or licensed to third parties. Most card brands encourage merchants to use payment applications that are tested and approved by the PCI SSC. Validated applications are listed at: www.pcisecuritystandards.org/security_standards/pa_dss.shtml
  5. It is not always necessary to use cryptographic primitives to ensure data secrecy and consistency. For example, do we need to calculate hash of the files we transfer between server while using trusted VPN network?