achieving pci compliance with mysql
play

Achieving PCI Compliance with MySQL Ryan Lowe & Fernando Ipar - PowerPoint PPT Presentation

Mar 23, 2024 •30 likes •580 views

Achieving PCI Compliance with MySQL Ryan Lowe & Fernando Ipar 2010 OReilly MySQL C&E -2- Agenda Overview of PCI Which requirements apply to us? Requirement-by-requirement discussion Questions -3- PCI DSS

  1. Achieving PCI Compliance with MySQL Ryan Lowe & Fernando Ipar 2010 O’Reilly MySQL C&E

  2. -2- Agenda • Overview of PCI • Which requirements apply to us? • Requirement-by-requirement discussion • Questions

  3. -3- PCI DSS • History • Goals • Common Myths

  4. -4- Merchant Responsibility * Recommended ** Qualified Independent Scan Vendor *** Merchant

  5. -5- PCI DSS v1.2 • Build and Maintain a Secure Network • Protect Cardholder Data • Maintain a Vulnerability Management Program • Implement Strong Access Control Measures • Regularly Monitor and Test Networks • Maintain an Information Security Policy

  6. PCI DSS v1.2 -6- REQ 12 MAINTAIN AN INFORMATION SECURITY POLICY REQ 9 PHYSICAL ACCESS CONTROL

  7. PCI DSS v1.2 -7- REQ 12 MAINTAIN AN INFORMATION SECURITY POLICY REQ 9 PHYSICAL ACCESS CONTROL

  8. PCI DSS v1.2 -8- REQ 12 MAINTAIN AN INFORMATION SECURITY POLICY REQ 9 PHYSICAL ACCESS CONTROL

  9. PCI DSS v1.2 -9- REQ 12 MAINTAIN AN INFORMATION SECURITY POLICY REQ 9 PHYSICAL ACCESS CONTROL

  10. PCI DSS v1.2 -10- REQ 12 MAINTAIN AN INFORMATION SECURITY POLICY REQ 9 PHYSICAL ACCESS CONTROL

  11. PCI DSS v1.2 -11- REQ 12 MAINTAIN AN INFORMATION SECURITY POLICY REQ 9 PHYSICAL ACCESS CONTROL

  12. PCI DSS v1.2 -12- REQ 12 MAINTAIN AN INFORMATION SECURITY POLICY REQ 9 PHYSICAL ACCESS CONTROL

  13. PCI DSS v1.2 -13- REQ 12 MAINTAIN AN INFORMATION SECURITY POLICY REQ 9 PHYSICAL ACCESS CONTROL

  14. PCI DSS v1.2 -14- REQ 12 MAINTAIN AN INFORMATION SECURITY POLICY REQ 9 PHYSICAL ACCESS CONTROL

  15. PCI DSS v1.2 -15- REQ 12 MAINTAIN AN INFORMATION SECURITY POLICY REQ 9 PHYSICAL ACCESS CONTROL

  16. PCI DSS v1.2 -16- REQ 12 MAINTAIN AN INFORMATION SECURITY POLICY REQ 9 PHYSICAL ACCESS CONTROL

  17. PCI DSS v1.2 -17- REQ 12 MAINTAIN AN INFORMATION SECURITY POLICY REQ 9 PHYSICAL ACCESS CONTROL

  18. PCI DSS v1.2 -18- REQ 12 MAINTAIN AN INFORMATION SECURITY POLICY REQ 9 PHYSICAL ACCESS CONTROL

  19. PCI DSS v1.2 -19- REQ 12 MAINTAIN AN INFORMATION SECURITY POLICY REQ 9 PHYSICAL ACCESS CONTROL

  20. PCI DSS v1.2 -20- REQ 12 MAINTAIN AN INFORMATION SECURITY POLICY

  21. PCI DSS v1.2 -21- REQ 12 MAINTAIN AN INFORMATION SECURITY POLICY REQ 9 PHYSICAL ACCESS CONTROL

  22. PCI DSS v1.2 -22- REQ 12 MAINTAIN AN INFORMATION SECURITY POLICY

  23. PCI DSS v1.2 -23- REQ 12 MAINTAIN AN INFORMATION SECURITY POLICY

  24. PCI DSS v1.2 -24- REQ 12 MAINTAIN AN INFORMATION SECURITY POLICY REQ 9 PHYSICAL ACCESS CONTROL

  25. -25- Requirement 2 Do not use vendor-supplied defaults for system passwords and other security parameters “Malicious individuals (external and internal to a company) often use vendor default passwords and other vendor default settings to compromise systems. These passwords and settings are well known by hacker communities and are easily determined via public information.”

  26. -26- Requirement 2 mysql> SELECT user, host, password FROM mysql.user; +------+-----------+----------+ | user | host | password | +------+-----------+----------+ | root | localhost | | | root | testbox1 | | | root | 127.0.0.1 | | | | localhost | | | | testbox1 | | +------+-----------+----------+ 5 rows in set (0.28 sec)

  27. -27- Requirement 2 %> mysql_secure_installation … Set root password? [Y/n] Y … Remove anonymous users? [Y/n] Y … Disallow root login remotely? [Y/n] Y … Remove test database and access to it? [Y/n] Y … Reload privilege tables now? [Y/n] Y …

  28. -28- Requirement 2 mysql> SELECT user, host, password FROM mysql.user; +------+-----------+-------------------------------------------+ | user | host | password | +------+-----------+-------------------------------------------+ | root | localhost | *F169C0AFEEC30BFF924130B124E6AE3E875D5F60 | +------+-----------+-------------------------------------------+ 1 row in set (0.00 sec) mysql> SHOW GLOBAL VARIABLES LIKE 'old_passwords'; +---------------+-------+ | Variable_name | Value | +---------------+-------+ | old_passwords | OFF | +---------------+-------+ 1 row in set (0.00 sec)

  29. -29- Password Hash is NOT Secure %> strings user.MYD localhost root*F169C0AFEEC30BFF924130B124E6AE3E875D5F60 %> • Permissions for datadir, tmpdir, etc Название презентации или конференции (заполняется в колонтитулах)

  30. -30- Requirement 2 2.2.3 – Configure system security parameters to prevent misuse • Be judicious with your GRANTs • Disable local_infile • Disable old_passwords • Set read_only=ON • Enable secure_auth

  31. -31- Requirement 3 Protect Stored Cardholder Data “Protection methods such as encryption, truncation, masking, and hashing are critical components of cardholder data protection. If an intruder circumvents other network security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person…”

  32. -32- Requirement 3 – Data

  33. Requirement 3 -33- MySQL Encryption Functions

  34. -34- Requirement 3 - Example mysql> CREATE TABLE `cc_info` ( -> `id` int unsigned NOT NULL auto_increment, -> `cc_num` varbinary(32) NOT NULL, -> `service_code` varbinary(32) NOT NULL, -> `name_on_card` varbinary(48) NOT NULL, -> PRIMARY KEY (`id`)) -> ENGINE=InnoDB; Query OK, 0 rows affected (0.01 sec) (16*(CEILING(string_length/16)+1))

  35. -35- Requirement 3 - Example mysql> INSERT INTO `cc_info` -> (`cc_num`, `service_code`, `name_on_card`) -> VALUES ( -> AES_ENCRYPT('1234123412341234’,'secret_key'), -> AES_ENCRYPT('1234', 'secret_key'), -> AES_ENCRYPT('John Doe', 'secret_key')); Query OK, 1 row affected (0.35 sec)

  36. -36- Requirement 3 - Example mysql> SELECT id, cc_num, service_code, name_on_card -> FROM cc_info\G ***************** 1. row ************************** id: 1 cc_num: ?? ? q$?!~c?3Pg?"xu&3?:?,am? service_code: y.??A?? ?? ?a?? name_on_card: ?93s?!? X?8?|nZ 1 row in set (0.00 sec)

  37. -37- Requirement 3 - Example mysql> SELECT id, -> AES_DECRYPT(`cc_num`,'secret_key’) -> AS `cc_num`, -> AES_DECRYPT(`service_code`, 'secret_key') -> AS `service_code`, -> AES_DECRYPT(`name_on_card`, 'secret_key') -> AS `name_on_card` -> FROM `cc_info`\G *************** 1. row *************************** id: 1 cc_num: 1234123412341234 service_code: 1234 name_on_card: John Doe 1 row in set (0.00 sec)

  38. -38- Requirement 3 – The Binary Log %> mysqlbinlog log-bin.000001 ... #100406 16:35:31 server id 1 end_log_pos 461 Query thread_id=1 exec_time=0 error_code=0 use cc/*!*/; SET TIMESTAMP=1270596931/*!*/; INSERT INTO `cc_info` (`cc_num`, `service_code`, `name_on_card`) VALUES ( AES_ENCRYPT('1234123412341234', 'secret_key'), AES_ENCRYPT('1234', 'secret_key'), AES_ENCRYPT('John Doe', 'secret_key')) # at 461 #100406 16:35:31 server id 1 end_log_pos 488 Xid = 6

  39. -39- Requirement 3 – The Binary Log %> mysqlbinlog -v log-bin.000001 ... BINLOG ' Msa7SxMBAAAANQAAAN0DAAAAAA8AAAAAAAAAAmNjAAdjY19pbmZvAAQD/g8PBv4gIAA wAAA= Msa7SxcBAAAAZQAAAEIEAAAQAA8AAAAAAAEABP/wBAAAACCY3AusAHEkreUIIX5jyzNQ Z90ieHUm M8Y6BgflLGFtjxB5Lo7nQeK6zQr+wQCVYabiELI5M3P+IYoAWOo4iHxuWhI= '/*!*/; ### INSERT INTO cc.cc_info ### SET ### @1=1 ### @2='??\x0b?\x00q$??\x08!~c?3Pg?"xu&3?:\x06\x07?,am?' ### @3='y.??A??\x0a??\x00?a??' ### @4='?93s?!?\x00X?8?|nZ\x12' # at 1090 #100406 16:39:30 server id 1 end_log_pos 1117 Xid = 23 COMMIT/*!*/

  40. -40- Requirement 3 – Alternatives • Full Disk Encryption – Logical access must be managed independently of native operating system access control mechanisms • Encrypt in the Application Layer – Key Handling & Management Issues

  41. -41- Requirement 3 – Additional • 3.1 – Keep cardholder data storage to a minimum. Develop a data retention and disposal policy. Limit storage amount and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in the data retention policy. • 3.2 – Do not store sensitive authentication data after authorization (even if encrypted). • 3.3 – Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed). Don’t Forget Your Backups

  42. -42- Requirement 4 Encrypt transmission of cardholder data across open, public networks • The traffic between datacenters is encrypted at the network layer (secure VPN, for example) • Applicable data is encrypted before being inserted into the database (encrypting in the application layer or using RBR). • You use MySQL Replication over SSL

  43. -43- Requirement 6 Develop and maintain secure systems and applications “…All critical systems must have the most recently released, appropriate software patches to protect against exploitation and compromise of cardholder data by malicious individuals and malicious software.”

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Achieving Compliance through Strategic Compliance Planning Symposium on Strategic Compliance in

Achieving Compliance through Strategic Compliance Planning Symposium on Strategic Compliance in

Achieving Compliance through Strategic Compliance Planning Symposium on Strategic Compliance in Indonesia through the Labour Inspection System Nancy Leppink Chief Labour Administration/Labour Inspection/ Occupational Safety and Health

605 views • 28 slides
MySQL Replication Update MySQL 5.5 (GA) & MySQL 5.6.2 (Dev. Milestone) Lars Thalmann

MySQL Replication Update MySQL 5.5 (GA) & MySQL 5.6.2 (Dev. Milestone) Lars Thalmann

<Insert Picture Here> MySQL Replication Update MySQL 5.5 (GA) & MySQL 5.6.2 (Dev. Milestone) Lars Thalmann Development Director MySQL Replication, Backup & Connectors O'Reilly MySQL Users Conference, April 2011 MySQL Releases

456 views • 42 slides
MySQL Proxy Making MySQL more flexible Jan Kneschke jan@mysql.com MySQL Proxy proxy-servers

MySQL Proxy Making MySQL more flexible Jan Kneschke jan@mysql.com MySQL Proxy proxy-servers

MySQL Proxy Making MySQL more flexible Jan Kneschke jan@mysql.com MySQL Proxy proxy-servers forward requests to backends and can transform, handle or block them released under the GPL see http://forge.mysql.com/wiki/MySQL_Proxy

945 views • 27 slides
PHP and MySQL Dr. E. Benoist Winter Term 2006-2007 PHP and MySQL 1 PHP and MySQL Introduction

PHP and MySQL Dr. E. Benoist Winter Term 2006-2007 PHP and MySQL 1 PHP and MySQL Introduction

Berner Fachhochschule - HTI PHP and MySQL Dr. E. Benoist Winter Term 2006-2007 PHP and MySQL 1 PHP and MySQL Introduction Basics of MySQL Create a Table See the content of a DB Tables: Change rows and Insert data Select

637 views • 53 slides
MySQL Proxy meets: binlogs Jan Kneschke MySQL Enterprise Tools mailto: jan@mysql.com What is

MySQL Proxy meets: binlogs Jan Kneschke MySQL Enterprise Tools mailto: jan@mysql.com What is

MySQL Proxy meets: binlogs Jan Kneschke MySQL Enterprise Tools mailto: jan@mysql.com What is MySQL Proxy Started Feb 2007 Current: MySQL Proxy 0.7.0 Source available on launchpad.net $ bzr branch lp:mysql-proxy Foundation of

308 views • 17 slides
Achieving the Goal of Compliance with the Government Tax Laws How to Achieve the Goal Athlete

Achieving the Goal of Compliance with the Government Tax Laws How to Achieve the Goal Athlete

Achieving the Goal of Compliance with the Government Tax Laws How to Achieve the Goal Athlete Finance Officer Program: Schedule Identify and Practice Prioritize Issues Diet / Sleep Plan: Win Local Establish an Win Regional

1k views • 73 slides
MySQL Group Replication & MySQL InnoDB Cluster Production Ready? Kenny Gryp MySQL Practice

MySQL Group Replication & MySQL InnoDB Cluster Production Ready? Kenny Gryp MySQL Practice

MySQL Group Replication & MySQL InnoDB Cluster Production Ready? Kenny Gryp MySQL Practice Manager Table of Contents Group Replication MySQL Shell (AdminAPI) MySQL Group Replication MySQL Router Best Practices Limitations Production?

993 views • 72 slides
ADA Construction Training Achieving Compliance on SHA Projects Presented by Norie Calvert John

ADA Construction Training Achieving Compliance on SHA Projects Presented by Norie Calvert John

ADA Construction Training Achieving Compliance on SHA Projects Presented by Norie Calvert John Gover Statutory Authority Americans with Disabilities Act (ADA) of 1990 is a civil rights law that requires equal access to all individuals

946 views • 69 slides
Forecasting MySQL Scalability Baron Schwartz O'Reilly MySQL Conference & Expo 2011

Forecasting MySQL Scalability Baron Schwartz O'Reilly MySQL Conference & Expo 2011

Forecasting MySQL Scalability Baron Schwartz O'Reilly MySQL Conference & Expo 2011 Consulting Support Training Development For MySQL Percona Server Replaces MySQL Faster Queries More Consistent More Measurable More

670 views • 41 slides
PHP + MySQL MySQL on the command line is great and all well not its not really that great

PHP + MySQL MySQL on the command line is great and all well not its not really that great

PHP + MySQL MySQL on the command line is great and all well not its not really that great Using MySQL in PHP is somewhat similar to the command line: Set up a connection to a MySQL database Issue a bunch of commands to the

944 views • 43 slides
SQL & MySQL Jeff Siarto - TC 361 Whats the Difference? MySQL is a database SQL is

SQL & MySQL Jeff Siarto - TC 361 Whats the Difference? MySQL is a database SQL is

SQL & MySQL Jeff Siarto - TC 361 Whats the Difference? MySQL is a database SQL is a language to interact with the database SQL is used with other databases: Access, Oracle, Portage SQL, MS SQL, etc... MySQL Open source

391 views • 7 slides
Percona MySQL About Me Qunar.com DB Director

Percona MySQL About Me Qunar.com DB Director

Percona MySQL About Me Qunar.com DB Director MySQL Inception MySQL ACMUG Oracle MySQL ACE Director What do we need to do for MySQL in

320 views • 20 slides
Achieving ISO 17025 Compliance Using LIMS Arun Apte Chief Executjve Offjcer, CloudLIMS.com Key

Achieving ISO 17025 Compliance Using LIMS Arun Apte Chief Executjve Offjcer, CloudLIMS.com Key

Achieving ISO 17025 Compliance Using LIMS Arun Apte Chief Executjve Offjcer, CloudLIMS.com Key Talking Points Why ISO 17025 accreditatjon? ISO 17025: 2017 standards and regulatory requirements for environmental testjng laboratories

447 views • 29 slides
MySQL Cluster und MySQL Proxy Alles Online Diese Slides gibt es auch unter:

MySQL Cluster und MySQL Proxy Alles Online Diese Slides gibt es auch unter:

MySQL Cluster und MySQL Proxy Alles Online Diese Slides gibt es auch unter: http://rt.fm/s4p Agenda (Don't) Panic Web- und MySQL-Server MySQL Master-Master Cluster MySQL Proxy und Cluster MySQL

1.83k views • 31 slides
More on gdb for MySQL DBAs or Using gdb to study MySQL internals and as a last resort Valerii

More on gdb for MySQL DBAs or Using gdb to study MySQL internals and as a last resort Valerii

More on gdb for MySQL DBAs or Using gdb to study MySQL internals and as a last resort Valerii Kravchuk, MySQL Support Engineer vkravchuk@gmail.com Who am I? Valerii (aka Valeriy ) Kravchuk : MySQL Support Engineer in MySQL AB, Sun and

376 views • 20 slides
Reducing Risk When Upgrading Your MySQL Environment Kenny Gryp MySQL Practice Manager My

Reducing Risk When Upgrading Your MySQL Environment Kenny Gryp MySQL Practice Manager My

Reducing Risk When Upgrading Your MySQL Environment Kenny Gryp MySQL Practice Manager My Experience as MySQL Consultant On Upgrading MySQL it's quite complex... Kenny Gryp MySQL Practice Manager Table of Contents The Ocial Documentation

1.13k views • 77 slides
Digital Forensics of Data Theft on the Google Cloud Platform TJEERD SLOKKER | FRANK WIERSMA

Digital Forensics of Data Theft on the Google Cloud Platform TJEERD SLOKKER | FRANK WIERSMA

Digital Forensics of Data Theft on the Google Cloud Platform TJEERD SLOKKER | FRANK WIERSMA SUPERVISOR: KORSTIAAN STAM Monday February 3 th Introduction MITRE ATT&CK Matrix 2 Research questions What design, utilizing exclusively GCP

737 views • 20 slides
Central Desktop Online Collaboration Tool Christina Boyce Gregory Marchini

Central Desktop Online Collaboration Tool Christina Boyce Gregory Marchini

Central Desktop Online Collaboration Tool Christina Boyce Gregory Marchini solutions-support@standards.ieee.org Introducing Central Desktop! The SA is making available Central Desktop to working groups for standard development, Industry

158 views • 14 slides
Tribal TANF Audit Supplement Guide For each common audit finding, the Guide is organized as

Tribal TANF Audit Supplement Guide For each common audit finding, the Guide is organized as

Tribal TANF Audit Supplement Guide For each common audit finding, the Guide is organized as follows: Common Finding : The auditors funding is stated. Federal Regulation : The federal regulation with which the grantee has not complied

981 views • 23 slides
Virtual Audit Room Minnesota Department of Revenue Introductions Why a Virtual Audit Room?

Virtual Audit Room Minnesota Department of Revenue Introductions Why a Virtual Audit Room?

Virtual Audit Room Minnesota Department of Revenue Introductions Why a Virtual Audit Room? Expand our audit presence Cost savings Work-Life balance What is a Virtual Audit Room? An online file exchange application used to manage

472 views • 31 slides
Page 1 The Georgia Voting System February, 2014 Interac3on of

Page 1 The Georgia Voting System February, 2014 Interac3on of

Page 1 The Georgia Voting System February, 2014 Interac3on of Vo3ng and Elec3on Systems Page 2 (re)Distric<ng Candidate VR System Qualifying Audits

455 views • 41 slides
ACCOUNTING CONSIDERATIONS FOR THE CANNABIS INDUSTRY WEST MICHIGAN CANNABIS EXPO LC SOLUTIONS

ACCOUNTING CONSIDERATIONS FOR THE CANNABIS INDUSTRY WEST MICHIGAN CANNABIS EXPO LC SOLUTIONS

ACCOUNTING CONSIDERATIONS FOR THE CANNABIS INDUSTRY WEST MICHIGAN CANNABIS EXPO LC SOLUTIONS MICHIGAN PLLC OCTOBER 5, 2019 ABOUT LC SOLUTIONS MICHIGAN PLLC LC Solutions Michigan PLLC is a full service accounting, CPA and advisory firm focused

304 views • 8 slides
IEC/ISO 17025 Accreditation: Preparing for Your Cannabis Testing Laboratory Audit Using a

IEC/ISO 17025 Accreditation: Preparing for Your Cannabis Testing Laboratory Audit Using a

IEC/ISO 17025 Accreditation: Preparing for Your Cannabis Testing Laboratory Audit Using a Cloud-based LIMS Arun Apte Chief Executive Officer, CloudLIMS.com Agenda What! is a How! to achieve Cannabis Lab ISO 17025 Q & A Audit

430 views • 39 slides
What we will cover today Broad overview of the regulation How did it come about? Who

What we will cover today Broad overview of the regulation How did it come about? Who

4/1/2017 CYBERSECURITY WHAT YOU NEED TO KNOW March 30, 2017 Independent Insurance Agents Assoc of Western NY What we will cover today Broad overview of the regulation How did it come about? Who does it apply to? What do I have

464 views • 15 slides

More recommend