
Slide 1: Effective Software Development in a PCI DSS Environment
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation, http://www.owasp.org
Bruce Ashton, Senior Software Engineer, Mako Networks Ltd
brucea@makonetworks.com, +64 21 546 231
2012-04-13

Slide 2: Content
- What is PCI DSS and where does it apply
- How PCI DSS affects software development
- PCI DSS and company culture

Slide 3: What is PCI DSS
- Payment Card Industry Data Security Standard
- A set of twelve requirements and 200-odd security assessment questions
- A standard for protecting payment card data
- An audit every year by the QSA
- Documentation and red tape

Slide 4: Where does it come from
- The PCI Security Standards Council
- An open global forum launched in 2006
- Also responsible for PA-DSS and PTS
- Founded by:

Slide 5: What PCI DSS was designed to do
- Encourage and enhance cardholder data security
- Facilitate the broad adoption of consistent data security measures globally
- Combat credit card fraud

Slide 6: When does PCI DSS apply
- PCI DSS only applies if PANs (Primary Account Numbers) are stored, processed and/or transmitted.
- PCI DSS applies wherever account data is stored, processed or transmitted.

Slide 7: Account Data
- Cardholder Data
  - Primary Account Number (PAN)
  - Cardholder name
  - Expiration date
  - Service code
- Sensitive Authentication Data
  - Full magnetic stripe or equivalent on a chip
  - CAV2/CVC2/CVV2/CID
  - PINs/PIN blocks

Slide 8: Scope of PCI DSS
- PCI DSS applies to all entities involved in payment card processing, including:
  - Merchants, processors, acquirers, issuers, and service providers
  - Any other entities that store, process or transmit cardholder data
- The PCI DSS security requirements apply to all system components

Slide 9: System components and environment
- System components
  - All network components, servers, or applications that are included in or connected to the cardholder data environment
- Cardholder data environment
  - The people, processes and technology that store, process or transmit cardholder data or sensitive authentication data

Slide 10: PA-DSS vs. PCI DSS
- PA-DSS applies to payment applications
- PA-DSS does not apply to software provided as a service
- PA-DSS does not apply to non-payment applications that are part of a payment application suite
- PA-DSS does not apply to payment applications developed by merchants and service providers if used only in-house

Slide 11: PCI DSS Requirements
1. Build and Maintain a Secure Network
2. Protect Cardholder Data
3. Maintain a Vulnerability Management Program
4. Implement Strong Access Control Measures
5. Regularly Monitor and Test Networks
6. Maintain an Information Security Policy

Slide 12: 1. Build and Maintain a Secure Network
1.1. Install and maintain a firewall configuration to protect cardholder data
- Business justification for use of all services, protocols, and ports allowed
- A formal process for all changes
- No direct connections to the internet
- Stateful packet inspection on all traffic

Slide 13: 1. Build and Maintain a Secure Network
1.1. Install and maintain a firewall configuration to protect cardholder data
- Good solutions:
  - Set up required access at the start of a project
  - Physically separate R&D area
  - Virtual machines and host-only networks
- Bad solutions:
  - hidemyass.com
  - Flash drives and sneakernet

Slide 14: 1. Build and Maintain a Secure Network
1.2. Do not use vendor-supplied defaults for system passwords and other security parameters
- Configuration for all system components consistent with industry-accepted system hardening standards
- Enable only necessary and secure services
- Remove all unnecessary functionality

Slide 15: 1. Build and Maintain a Secure Network
1.2. Do not use vendor-supplied defaults for system passwords and other security parameters
- Good solutions:
  - Consult development on necessary functionality
  - Push production configuration information out to test and development
- Bad solutions:
  - Developers write their own mail server

Slide 16: 2. Protect Cardholder Data
2.1. Protect stored cardholder data
- Storage of account data is strictly limited
- Not just databases: logs, even swap space
- Access to production data and logs is restricted
- Core/heap dumps can hold account data
- Debugging code may not be safe in production

Slide 17: 2. Protect Cardholder Data
2.1. Protect stored cardholder data
- Good solutions:
  - Write logging code with PCI DSS rules in mind
  - Use separate debugging code in development
  - Collect general statistics where you can't obtain specific data
  - Unique keys that are not account data
- Bad solutions:
  - System administrators fix the bugs
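Slides 16 and 17 warn that logs and debugging output can end up holding account data and that logging code should be written with PCI DSS in mind. The following logging filter is an example added here, not code from the presentation or from Mako Networks: it scrubs Luhn-valid PAN candidates from each formatted log line, keeping at most the first six and last four digits (the display limit in PCI DSS requirement 3.3). The card number in the sample line is a widely used test number, not real account data.

```python
import logging
import re

# A PAN candidate is 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer digit run (e.g. a 20-digit order id).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) check that card numbers satisfy; it keeps random
    13-19 digit values such as order or transaction ids from being masked."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits (PCI DSS 3.3)."""
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]


def scrub(text: str) -> str:
    """Replace every Luhn-valid PAN candidate in text with its masked form."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_CANDIDATE.sub(repl, text)


class PanScrubFilter(logging.Filter):
    """Scrubs the fully formatted message, so PANs passed as %s arguments are
    caught too. Attach it to every logger or handler in the cardholder environment."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = scrub(record.getMessage())
        record.args = ()
        return True


def scrubbed_message(msg: str, *args) -> str:
    """Run one log call through the filter and return what would be written."""
    record = logging.LogRecord("pci", logging.INFO, "app.py", 0, msg, args, None)
    PanScrubFilter().filter(record)
    return record.getMessage()


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    logging.getLogger().addFilter(PanScrubFilter())
    # Constructed sample line: the card value is masked, the order id is left alone.
    logging.info("auth ok card=%s order=%s", "4111 1111 1111 1111", "1234567890123456")
```

A number that fails the Luhn check is left untouched, so timestamps, phone numbers and order ids in the same line stay readable; a run of more than 19 digits is not treated as a PAN at all.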

Slide 18: 2. Protect Cardholder Data
2.2. Encrypt transmission of cardholder data across open, public networks
- Code gets treated as card data
- Distributed development teams
- Solutions:
  - VPNs
  - Encrypted email
- The other end of a VPN is in PCI DSS scope

Slide 19: 3. Maintain a Vulnerability Management Program
3.1. Use and regularly update anti-virus software or programs
- Only a problem if your anti-virus software is too aggressive
- 'Ensure that all anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software.'

Slide 20: 3. Maintain a Vulnerability Management Program
3.2. Develop and maintain secure systems and applications
- All software must have the latest patches
- Change control procedures for all changes, including every new tool or library
- Separation of duties between development, test and production
- Develop based on best secure coding practices

Slide 21: 3. Maintain a Vulnerability Management Program
3.2. Develop and maintain secure systems and applications
- Good solutions:
  - Repository manager for tools and libraries
  - Get the tools and libraries early in the project
  - OWASP Top Ten
- Bad solutions:
  - Developers re-inventing the wheel: it was easier...

Slide 22: 4. Implement Strong Access Control Measures
4.1. Restrict access to cardholder data by business need to know
- Limit access to system components
- Principle of least privilege
- Deny all by default
- Privileges are based on job function
- Documented approval for all privileges

Slide 23: 4. Implement Strong Access Control Measures
4.1. Restrict access to cardholder data by business need to know
- Good solutions:
  - Clearly and fully define roles
  - Consult with employees on necessary access
- Bad solutions:
  - The shared root login
  - The secret server under my desk

Slide 24: 4. Implement Strong Access Control Measures
4.2. Assign a unique ID to each person with computer access
- Store all passwords using strong cryptography
- Do not use group, shared, or generic accounts and passwords
- Solutions:
  - Generate test accounts, don't store them in test data

Slide 25: 4. Implement Strong Access Control Measures
4.3. Restrict physical access to cardholder data
- Use video cameras and/or access control mechanisms to monitor sensitive areas
- Restrict access to networking hardware
- Maintain strict control over the internal or external distribution of any kind of media

Slide 26: 4. Implement Strong Access Control Measures
4.3. Restrict physical access to cardholder data
- Good solutions:
  - Make video feeds available to everybody
  - Give each developer their own flash drive
- Bad solutions:
  - Developers emailing databases to each other

Slide 27: 5. Regularly Monitor and Test Networks
5.1. Track and monitor all access to network resources and cardholder data
- Establish a process for linking all access to system components to each user
- Audit trails for all access to code
- Audit trails for access to all audit trails
- Review logs for all components daily
- Source control is 90% of the solution for code

Slide 28: 5. Regularly Monitor and Test Networks
5.2. Regularly test security systems and processes
- Internal vulnerability scans at least quarterly
- External scans by an ASV at least quarterly
- Penetration testing at least annually
- Intrusion detection/prevention systems
- Solutions:
  - Scan when you add new components
  - Choose an IDS that can limit false positives

Slide 29: 6. Maintain an Information Security Policy
6.1. Maintain a policy that addresses information security for all personnel
- Educate employees on hire and at least annually
- Personnel to acknowledge annually that they understand the security policy
- Employee knowledge of policy is audited
- List of company-approved products

Slide 30: 6. Maintain an Information Security Policy
6.1. Maintain a policy that addresses information security for all personnel
- Solutions:
  - Keep the policy as simple and plain as possible
  - Make sure employees know who the key PCI DSS people are
  - 'Ask Bob the Security manager' is often a good answer
  - Do your own practice audits

Slide 31: The Cost of Working in a PCI DSS Environment
- Development will be slower. Account for it in software estimation.
- There is more process and documentation. Get the tools to manage it.
- Teams get siloed. Encourage communication, guard against conflict.
- Production environments get walled off. Make sure you have representative test environments.

Slide 32: Inter-Team Relationships
- Developers and testers
  - Make the release process simple and repeatable
  - Bugs are fully defined
- Developers and operations
  - Keep developers informed of the production system architecture
  - Make the release process simple and repeatable
- Developers and the business
  - Manage expectations. Development will be slower and developers will be blamed.

Slide 33: Old Employees and New Rules
- Employees will lose access and privileges
- Everybody gets extra responsibilities
- Give employees new toys (tools)
- Sell the value of having PCI DSS on the CV

Slide 34: Summary
- The benefits: security and discipline
- The costs: red tape and slower development
- The solutions: plan ahead and keep people communicating

Slide 35: References
- Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures, Version 2.0
- Payment Application Data Security Standard Requirements and Security Assessment Procedures, Version 2.0
- https://www.pcisecuritystandards.org/
- Mako Networks Ltd, http://www.makonetworks.com/

Slide 36: Questions?
