PCI Compliance Updates E-Commerce / Cloud Security Adam Goslin, - - PowerPoint PPT Presentation

SLIDE 1

PCI Compliance Updates

E-Commerce / Cloud Security

Adam Goslin, Chief Operations Officer AGoslin@HighBitSecurity.com www.HighBitSecurity.com Direct: 248.388.4328

SLIDE 2

PCI Guidance

  • Google: “PCI e-commerce guidance”
  • https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_eCommerce_Guidelines.pdf
  • Provides explanations of the e-commerce environment and merchant obligations from a PCI DSS compliance perspective
  • The intent of this document is to provide supplemental information. Information provided here does not replace or supersede requirements in the PCI Data Security Standard (PCI DSS)
  • Google: “PCI SSC cloud guidance”
  • https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_Cloud_Guidelines.pdf
  • Provides explanation of cloud implementation options and guidance for responsibilities

Source for all images and some content is acknowledged as coming from the above guidelines documents.

www.HighBitSecurity.com

SLIDE 3

E-Commerce - What’s New?

  • Mostly clarification and additional explanation
  • However:
  • No option completely removes a merchant’s PCI DSS responsibilities
  • Regardless of the extent of outsourcing to third parties, the merchant retains responsibility for ensuring that payment card data is protected. Connections and redirections between the merchant and the third party can be compromised, and the merchant should monitor its systems to ensure that no unexpected changes have occurred and that the integrity of the connection/redirection is maintained.
  • There is no one-size-fits-all method or solution for e-commerce environments to meet PCI DSS requirements
  • To minimize the chance of attack in these scenarios, merchants should apply extra due diligence to ensure the web application is developed securely and undergoes thorough penetration testing.
  • Covers B2C E-Commerce implementation styles…

SLIDE 4

First Steps To PCI:

  • Data flow – mapping all cardholder data flow
  • Electronic
  • Connections with partners
  • Vendors
  • Phone **
  • Mail **
  • Fax **
  • In-Person **

** These are not specifically covered in the guidance doc

SLIDE 5

Cloud – What’s New?

  • Cloud Service Models:
  • Software as a Service (SaaS) – Capability for clients to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser, or a program interface.
  • Platform as a Service (PaaS) – Capability for clients to deploy their applications (created or acquired) onto the cloud infrastructure, using programming languages, libraries, services, and tools supported by the provider.
  • Infrastructure as a Service (IaaS) – Capability for clients to utilize the provider’s processing, storage, networks, and other fundamental computing resources to deploy and run operating systems, applications and other software on a cloud infrastructure.

SLIDE 6

Cloud – Responsibilities

  • Responsibility Sharing
  • IaaS
  • Client = encryption / antivirus ; Cloud Service Provider (CSP) = Physical
  • Remainder = Both
  • PaaS
  • CSP = Physical
  • Remainder = Both
  • SaaS
  • Both = Secure systems, restrict to right to know, unique ID
  • Remainder = CSP
  • On a per instance basis, evaluation of CSP offering, and ultimately merchant PCI responsibility

  • Written agreements with CSP, clear definition of responsibilities
  • Validate PCI compliance of cloud providers

SLIDE 7

E-Commerce - Third Parties

  • Payment Gateway / Processor
  • Web-hosting Provider
  • General Infrastructure Hosting Provider

Keep in mind – the decision on what is best for your organization from the above list depends on many factors. This is the time to obtain guidance, once data flow is clearly identified.

SLIDE 8

Typical 3 Tier Model

  1) presentation layer (web)
  2) processing layer (application)
  3) data-storage layer

SLIDE 9

Typical Components

  • Shopping cart software (PA-DSS compliant)
  • Secure Sockets Layer/Transport Layer Security (SSL / TLS)
  • Network Components and Supporting Infrastructure

SLIDE 10

Merchant-Managed

(Proprietary)

  • Merchant writes code themselves; integrates direct to payment processor

SLIDE 11

Merchant-Managed

(Commercial Shopping Cart/Payment Applications)

  • Payment processing direct via commercially available software

SLIDE 12

Shared-Management

(Third-Party Embedded APIs with Direct Post)

  • Payment processing indirect via browser using third party API

SLIDE 13

Shared-Management

(Third-party Inline Frames)

  • Inline frames or “iFrames” allow a web page to be embedded within another web page.

SLIDE 14

Shared-Management

(Third-Party Hosted Payment Page)

  • Merchant’s customer is redirected to the payment page on the e-commerce payment processor’s site to enter payment card data.
  • Once payment is processed, acknowledgement is sent back to the merchant’s web application.

SLIDE 15

Shared Model: Security Considerations

  • Direct-post API Approach
  • Merchant responsible for security of web page
  • iFrame Approach
  • Merchant responsible for security of web page
  • Hosted-payment Page Approach
  • Merchant responsible for security of web page
  • Merchant should:
  • Monitor for unauthorized changes, respond quickly
  • Practice secure development
  • Perform thorough penetration testing
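All three shared-management approaches leave the merchant responsible for the page that hands the shopper, or the card data, to the payment provider, and the guidance asks the merchant to monitor that page for unauthorized changes. The Python script below is an added illustration of such a check; it is not code from the presentation or from HighBit Security. It fingerprints the served checkout page against a baseline recorded when the page was known good, and flags any form action, iframe, script or meta-refresh redirect that points at a host other than the payment provider. The host name pay.example-psp.test, the host unknown-cdn.test and the HTML samples are constructed for the example.

```python
"""Integrity check for a merchant checkout page that hands card entry off to a
third-party payment provider (direct post, iframe or hosted-page redirect).

Added illustration; not code from the presentation or from HighBit Security.
Assumptions: a baseline fingerprint was recorded when the page was known good,
and the only external host the page may load from or post to is the
hypothetical payment provider pay.example-psp.test.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Every external host the checkout page is allowed to reference (assumed).
ALLOWED_EXTERNAL_HOSTS = {"pay.example-psp.test"}


class HandoffTargetParser(HTMLParser):
    """Collect the places a page can send the shopper or the card data:
    form actions, iframe sources, script sources and meta-refresh targets."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.targets.append(("form", a["action"]))
        elif tag == "iframe" and a.get("src"):
            self.targets.append(("iframe", a["src"]))
        elif tag == "script" and a.get("src"):
            self.targets.append(("script", a["src"]))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            content = a.get("content") or ""
            if "url=" in content.lower():
                self.targets.append(("redirect", content.split("=", 1)[1].strip()))


def page_fingerprint(html):
    """SHA-256 of the served markup; any change, however small, alters it."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def extract_targets(html):
    parser = HandoffTargetParser()
    parser.feed(html)
    return parser.targets


def check_page(current_html, baseline_hash):
    """Return a list of findings; an empty list means the page matches the
    baseline and every external target is on an allowed host."""
    findings = []
    if page_fingerprint(current_html) != baseline_hash:
        findings.append("page content differs from baseline")
    for kind, url in extract_targets(current_html):
        host = urlparse(url).hostname
        if host is None:
            continue  # relative URL, served by the merchant's own site
        if host not in ALLOWED_EXTERNAL_HOSTS:
            findings.append(f"{kind} points at unexpected host {host}: {url}")
    return findings


# Constructed samples: a known-good direct-post page and the same page with
# an extra script tag pulling from a host the merchant never approved.
KNOWN_GOOD_PAGE = """<html><body>
<form action="https://pay.example-psp.test/direct-post" method="post">
<input name="pan"><input type="submit" value="Pay">
</form>
</body></html>"""
MODIFIED_PAGE = KNOWN_GOOD_PAGE.replace(
    "</body>", '<script src="https://unknown-cdn.test/checkout.js"></script></body>')
BASELINE = page_fingerprint(KNOWN_GOOD_PAGE)

if __name__ == "__main__":
    for name, html in (("known-good", KNOWN_GOOD_PAGE), ("modified", MODIFIED_PAGE)):
        print(name, check_page(html, BASELINE) or ["ok"])
```

In practice the check would fetch the page the way a shopper's browser does (over the public address, not from the file system), run on a schedule, and raise an alert on any finding, since a changed baseline is only acceptable after a reviewed deployment. The allowlist is deliberately strict: a script loaded from a host the merchant never approved is exactly the kind of change the guidance wants noticed quickly.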

SLIDE 16

Outsourced E-commerce Implementations and SAQ A

  • Even wholesale outsourcing does not absolve merchants of their PCI requirements
  • Merchants may be eligible to complete SAQ A; however, they should validate with their acquirer to confirm
  • Immediate challenges: card-present, fax, mail, phone
  • PCI treats local machines connecting to third party gateway via Internet as virtual terminals

SLIDE 17

Common Security Vulnerabilities

  • Insecure Coding
  • Injection Flaws, Cross-site Scripting (XSS), Cross-site Request Forgery (CSRF), Buffer Overflows, Weak Authentication and/or Session Credentials
  • Security Misconfigurations
  • Secure configuration of the DMZ to limit inbound traffic to only those components intended to provide authorized, publicly accessible services, and to prohibit unauthorized outbound traffic (PCI DSS Requirements 1.3.1 and 1.3.4)
  • Secure system configuration and changing vendor-supplied default passwords and settings (PCI DSS Req 2)
  • Using secure encryption mechanisms when transmitting data over the Internet (PCI DSS Requirement 4)
  • Protecting e-commerce components from known malware (PCI DSS Requirement 5)
  • Keeping all software and network components up to date with vendor-supplied patches (PCI DSS Req 6.1)
  • Using secure software development and coding practices for websites (PCI DSS Requirements 6.3 – 6.5)
  • Implementing a process to address new security vulnerabilities (PCI DSS Reqts 6.1, 6.2, 6.6 and 11.2)
  • Limiting access to only those users with a need to know and requiring strong authentication credentials for those with access (PCI DSS Requirements 7 and 8)
  • Logging and monitoring (PCI DSS Requirements 10 and 11)
  • Security Myths:
  • Net Admins / Developers <> Security
  • Passing ASV scan <> Security

SLIDE 18

Recommendations

  • Know the Location of all Your Cardholder Data
  • If You Don’t Need It, Don’t Store It
  • Evaluate Risks Associated with the Selected E-commerce Technology
  • Address Risks Associated with Outsourcing to Third-party Service Providers
  • ASV Scanning of Web-hosted Environments
  • Penetration Testing
  • Best Practices for Payment Applications
  • Implement Security Training for all Staff
  • Other Recommendations
  • Monitoring security alerts
  • Additional firewall between application and database servers
  • Never reflect full card number via interface / receipt
  • Best Practices for Consumer Awareness
  • Don’t use public computers for e-commerce
  • Don’t use public WiFi
  • Shoulder surfing
  • Patching
  • Strong passwords / password keeper (KeePass / KeePassX)

SLIDE 19

Importance?

  • News
  • International hacking rings
  • Card theft rings
  • Chinese government hacking facility
  • Security
  • Security of card data – sure
  • PCI <> corporate security

SLIDE 20

Additional Questions?

Free consultations and proposals for:

  • Security Testing
  • Security Consulting

Adam Goslin, Chief Operations Officer AGoslin@HighBitSecurity.com www.HighBitSecurity.com Direct: 248.388.4328