PCI: A Four-Letter Word of E-Commerce Presented by Matt Kleve - - PowerPoint PPT Presentation



SLIDE 1

SLIDE 2

PCI: A Four-Letter Word of E-Commerce

Presented by Matt Kleve (vordude)

SLIDE 3

[Photo: flickr.com/photos/shawnzlea]

SLIDE 4

Who is this guy?

  • 5 years of Drupal
  • Been in the PCI 'trenches'
  • Drupal Security Team
  • Senior Developer, Lullabot
SLIDE 5

SLIDE 6

Warning, this guy isn't:

  • A PCI Qualified Security Assessor (QSA)
  • A lawyer
  • Willing to provide references or suggestions for web hosting, scanning vendors, consultants, etc.

SLIDE 7

Once upon a time...

SLIDE 8

[Photo: flickr]

SLIDE 9

[Photo: flickr.com/photos/slworking]

SLIDE 10

SLIDE 11

[Photo: flickr.com/photos/drewleavy]

SLIDE 12

[Photo: flickr.com/photos/drewleavy]

SLIDE 13

[Photo: flickr.com/photos/drewleavy]

SLIDE 14

[Photo: flickr.com/photos/dukeenergy]

SLIDE 15

What is this PCI Thing?

Payment Card Industry Data Security Standard (PCI-DSS)

(Not the PA-DSS)

SLIDE 16

What is this PCI Thing?

Are you Transmitting, Processing, or Storing Credit Card Data?

It applies to you.

SLIDE 17

SLIDE 18

SLIDE 19

SLIDE 20

SLIDE 21

What is this PCI Thing?

"But I don't handle 5% of the payments the big guys do..."

SLIDE 22

What is this PCI Thing?

  • > 80% of the instances of unauthorized access to card data have involved small merchants
  • These businesses account for 85% of the total number of merchants

"In Data Leaks, Culprits Often Are Mom, Pop", Wall Street Journal, 9/22/07

SLIDE 23

What is this PCI Thing?

  • Malicious attacks were the root cause of 31% of the data breaches
  • Average cost is $214 per compromised record

2010 Annual Study: U.S. Cost of a Data Breach, Symantec and the Ponemon Institute

SLIDE 24

What is this PCI Thing?

"The credit card provider is generally liable only if the retailer was PCI compliant at the time the security breach occurred."

Protecting Credit Card Data: How to Achieve PCI Compliance, Motorola White Paper

SLIDE 25

SLIDE 26

SLIDE 27

What is this PCI Thing?

Financial Risk. Reputation Risk.

SLIDE 28

What is this PCI Thing?

12 Requirements: "The Dirty Dozen"

SLIDE 29

What is this PCI Thing?

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

SLIDE 30

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

SLIDE 31

Requirement 3: Protect stored cardholder data

SLIDE 32

Requirement 4: Encrypt transmission of cardholder data across open, public networks

SLIDE 33

Requirement 5: Use and regularly update anti-virus software or programs

SLIDE 34

Requirement 6: Develop and maintain secure systems and applications

SLIDE 35

Requirement 7: Restrict access to cardholder data by business need to know

SLIDE 36

Requirement 8: Assign a unique ID to each person with computer access

SLIDE 37

Requirement 9: Restrict physical access to cardholder data

SLIDE 38

Requirement 10: Track and monitor all access to network resources and cardholder data

SLIDE 39

Requirement 11: Regularly test security systems and processes.

SLIDE 40

Requirement 12: Maintain a policy that addresses information security for all personnel

SLIDE 41

Basic PCI DSS Principles

  • Don't store cardholder data unless it's absolutely necessary
  • Never store "Verification Code," "Full Track," or "PIN"
  • The first six and last four digits are the maximum number of digits to be displayed.

SLIDE 42

Basic PCI DSS Principles

Document everything

SLIDE 43

Basic PCI DSS Principles

Get it in writing from your vendors or service providers.

SLIDE 44

Basic PCI DSS Principles

You are never done.

Assess → Remediate → Report

SLIDE 45

[Photo: http://www.flickr.com/photos/merelymel/2824506032]

SLIDE 46

[Photo: http://www.flickr.com/photos/attercop311/3088780713]

SLIDE 47

Merchant, Know Thyself

Which SAQ?

  • SAQ-A
  • SAQ-B
  • SAQ-C
  • SAQ-C-VT
  • SAQ-D

SLIDE 48

Merchant, Know Thyself

Which SAQ?

  • SAQ-A – All sensitive data handling offloaded
  • SAQ-B – Manual paper pushing, no Internet
  • SAQ-C – "Standard" e-commerce setup
  • SAQ-C-VT – "Virtual Terminal"
  • SAQ-D – "Other"

SLIDE 49

Merchant, Know Thyself

Which SAQ?

  • SAQ-A – All sensitive data handling offloaded
  • SAQ-C – "Standard" e-commerce setup
  • SAQ-D – "Other"

SLIDE 50

SAQ-A

  • 14 Questions (2 of the 12 Requirements)
  • Physical Security
  • Information Security Policy

SLIDE 51

SAQ-A

SLIDE 52

SAQ-A

SLIDE 53

SAQ-C

  • 85 Questions (11 of the 12 Requirements)
  • Securing Sensitive Data
  • Monitoring and Testing

SLIDE 54

SAQ-A

SLIDE 55

SAQ-D

  • ~225 Questions (12 of the 12 Requirements)
  • Intense review of everything
  • Sensitive data storage

SLIDE 56

Merchant, Know Thyself

Merchant "Levels"

  • Level 1-4
  • Each card brand sets its own rules
  • Level "Reciprocity" among the brands (Highest common denominator)

SLIDE 57

Merchant, Know Thyself

http://lb.cm/pci-visa

SLIDE 58

Merchant, Know Thyself

Level 1

  • Annual Report on Compliance (by a QSA)
  • Full security assessment of procedures
  • > 6 million transactions (per type)
  • Previous data breach

SLIDE 59

Merchant, Know Thyself

Level 2

  • 1-6 million transactions (per type)
  • June 30, 2012 deadline (Mastercard): SAQ must be done by a QSA or a certified ISA

SLIDE 60

Merchant, Know Thyself

Level 3-4

  • Quarterly Security Scans
  • Complete Self Assessment Questionnaire

SLIDE 61

[Photos: http://www.flickr.com/photos/qiaomeng/419958205 and http://www.flickr.com/photos/59937401@N07/5856793551]

SLIDE 62

Merchant, Know Thyself

The Bottom Line: Your payment processor (acquirer) has the final say.

SLIDE 63

SLIDE 64

Yes, but what about Drupal?

  • It's open source.
  • You've customized it.
  • You need to treat it like it's 100% your code.
  • Get very familiar with Requirement #6.

SLIDE 65

SLIDE 66

[Photo: http://www.flickr.com/photos/hryckowian/2846922559]

SLIDE 67

Yes, but what about Drupal?

cache_form

SLIDE 68

Yes, but what about Drupal?

Doing It Wrong

[Photo: http://www.flickr.com/photos/0x0000org/5260347788]

SLIDE 69

Yes, but what about Drupal?

$_SESSION
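Slide 41 (store no PAN you do not need; never display more than the first six and last four digits) and slides 67 and 69 (card data quietly persisted in Drupal's cache_form table or in $_SESSION) are two sides of the same problem: finding out where card numbers have landed, and masking the ones you must show. The Python below is an added example, not code from the talk or from Drupal. It is the scanner a practitioner runs over a database dump, a serialized session store or a log file to find stored PANs, with a Luhn check so that order numbers and timestamps do not count as hits, plus the masking function. Every sample line is constructed for this example; the cache_form and session fragments only mimic the shape of such dumps, and the PANs are the public Visa and Mastercard test numbers.

```python
"""
Added example (not from the slides, not Drupal code): find PANs stored where
they should not be, and mask the ones that must be displayed.
"""
from __future__ import annotations

import re

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# part of a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """ISO/IEC 7812 Luhn checksum: true for every real PAN, false for most noise."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask to the PCI DSS display maximum: first six and last four digits."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a plausible PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[tuple[str, str]]:
    """Return (masked PAN, offending line) for every Luhn-valid PAN in text."""
    hits = []
    for line in text.splitlines():
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"\D", "", m.group(0))
            if luhn_ok(digits):
                hits.append((mask_pan(digits), line))
    return hits


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid PAN with its masked form; use on anything you log."""
    def _mask(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return PAN_CANDIDATE.sub(_mask, text)


# Constructed sample: an order log line with no PAN (the 13-digit order id
# fails Luhn), a cache_form row holding a serialized form submission, and a
# PHP session dump. The card numbers are public test numbers, not real cards.
SAMPLE_DUMP = """\
2012-03-20 10:15:01 order=1234567890123 status=paid amount=49.00
cache_form cid=form_state-abc123 data=a:1:{s:11:"card_number";s:16:"4111111111111111";}
sess_9f8e7d6c commerce_payment|a:1:{s:6:"number";s:19:"5555 5555 5555 4444";}
"""

if __name__ == "__main__":
    for masked, line in find_pans(SAMPLE_DUMP):
        print(f"stored PAN {masked} in: {line}")
    print(redact_pans(SAMPLE_DUMP))
```

Run it over a real dump and every hit is a row that has to go (and a form, session or log path that has to be fixed so it stops writing there). The Luhn filter is what makes the output usable: without it, every 13-19 digit order number and timestamp run shows up.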

SLIDE 70

Yes, but what about Drupal?

Session Hijack (mixed HTTP/HTTPS)

[Photo: http://www.flickr.com/photos/dasqfamily/2092755140/]
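The session hijack on this slide comes from one browser rule: a cookie with the Secure attribute is only sent over https://, and a cookie without it is sent on every request to the host, including the plain-http image, stylesheet or link that a "mostly HTTPS" checkout page still references. A session cookie set over HTTPS without Secure is therefore one http:// request away from anyone sniffing the network. The Python below is an added example, not code from the talk or from Drupal: it models that rule and audits a set of captured Set-Cookie headers. The headers are constructed for the example; the SESS.../SSESS... names follow the pattern Drupal uses for its HTTP and HTTPS session cookies, but the hash parts are made up and that naming is an assumption of mine.

```python
"""
Added example (not from the slides, not Drupal code): why mixed HTTP/HTTPS
leaks the session, and a check to run against captured Set-Cookie headers.
"""
from __future__ import annotations

from urllib.parse import urlparse

# Assumption: session cookies are named SESS<hash> (HTTP) or SSESS<hash> (HTTPS).
SESSION_PREFIXES = ("SESS", "SSESS")


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header value into name, value and the flags that matter here."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return {
        "name": name.strip(),
        "value": value,
        "secure": "secure" in attrs,
        "httponly": "httponly" in attrs,
    }


def browser_sends(cookie: dict, url: str) -> bool:
    """RFC 6265 scheme rule: a Secure cookie goes only over https; others go anywhere."""
    return urlparse(url).scheme == "https" or not cookie["secure"]


def leaked_on(url: str, headers: list[str]) -> list[str]:
    """Names of session cookies a browser would send to url in the clear."""
    if urlparse(url).scheme != "http":
        return []
    return [
        c["name"]
        for c in map(parse_set_cookie, headers)
        if c["name"].startswith(SESSION_PREFIXES) and browser_sends(c, url)
    ]


def audit_session_cookies(headers: list[str]) -> list[str]:
    """One finding per missing flag on every cookie that looks like a session cookie."""
    findings = []
    for header in headers:
        c = parse_set_cookie(header)
        if not c["name"].startswith(SESSION_PREFIXES):
            continue
        if not c["secure"]:
            findings.append(f"{c['name']}: no Secure flag, sent in clear on any http:// request")
        if not c["httponly"]:
            findings.append(f"{c['name']}: no HttpOnly flag, readable by injected script (XSS)")
    return findings


# Constructed capture: all three were set by the HTTPS checkout page.
CAPTURED_HEADERS = [
    "SESS0123456789ab=deadbeef; path=/; domain=.shop.example; HttpOnly",
    "SSESS0123456789ab=c0ffee; path=/; domain=.shop.example; Secure; HttpOnly",
    "has_js=1; path=/",
]

# A plain-http resource that the checkout page happens to embed.
MIXED_CONTENT_URL = "http://shop.example/sites/default/files/logo.png"

if __name__ == "__main__":
    for finding in audit_session_cookies(CAPTURED_HEADERS):
        print(finding)
    print("leaked on", MIXED_CONTENT_URL, "->", leaked_on(MIXED_CONTENT_URL, CAPTURED_HEADERS))
```

The first cookie is the one that gets you: it was issued over HTTPS and is HttpOnly, but without Secure the browser attaches it to the http:// logo request and the session ID crosses the wire in the clear. The fix is not to scrub the mixed content one image at a time but to serve the whole session over HTTPS and mark the cookie Secure (in PHP that is the session.cookie_secure setting), so that a stray http:// reference costs you a broken image rather than a session.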

SLIDE 71

SLIDE 72

Yes, but what about Drupal?

XSS, SQL Injection, CSRF and other vulnerabilities

SLIDE 73

SLIDE 74

[Photo: www.flickr.com/photos/akbar2/6405553485]

SLIDE 75

Your new TODO list:

  • https://www.pcisecuritystandards.org/
  • Download and read the standard
  • Also read "Navigating PCI DSS"
  • Keep the "Glossary of Terms, Abbreviations and Acronyms" close by.

SLIDE 76

SLIDE 77

SLIDE 78

Questions?

SLIDE 79

What did you think?

Click the “Take the Survey” link.

http://denver2012.drupal.org/program

Locate this session on the DrupalCon Denver website

Thank You!