Presentation is loading. Please wait.

Presentation is loading. Please wait.

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.

Published byMakayla Fox Modified over 10 years ago

Similar presentations

Presentation on theme: "Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller."— Presentation transcript:

1 Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements
Clay Keller

2 Full PCI Glossary at following url.
PCI : Acronym for “Payment Card Industry.” DSS : Data Security Standards. There are 12 groups of standards. PCI-SSC : Payment Card Industry Security Standards Council ASV : Approved Scanning Vendor Full PCI Glossary at following url.

3 Goals of Presentation High Level overview of the PCI Requirements for
Vulnerability Scanning Penetration Testing How to meet those requirements.

4 Disclaimer! Always review your PCI compliance efforts with a QSA if possible and ensure you are using the most current documentation. I am not a QSA!

5 PCI-DSS Vulnerability Management
Which Sections in the DSS? 6.6 – Public Facing App Review 11.2 – Vulnerability Scanning 11.3 – Penetration Testing (11.1 Will not be covered today – Rogue Wireless Detection)

6 PCI-DSS 6.6 6.6 For public-facing web applications, ... ensure these applications are protected against known attacks by either of the following methods: Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes Installing a web-application firewall in front of public-facing web applications

7 Meeting the 6.6 Requirements
Focused on “Public Facing” Web Applications. Annually & After Changes. Reviewers must specialize in App security Reviewers must have Independence. Need to validate fixes! How ?? Manual application testing. WebScarab, Etc.. Automated Testing Tools Webinspect. Etc.. Phoenix/Tools

8 Meeting the 6.6 Requirements
Contract with a 3rd Party Provider to perform testing. Setup your own testing capability. Some Vulnerability Scanners are starting to build in Application Scanning Build in Security testing to your Q/A and pre-release testing.

9 Meeting the 6.6 Requirements
Implement a Web Application Firewall (WAF) A web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection. OWASP website has great information on WAF's.

10 PCI-DSS 11.2 11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network

11 Meeting 11.2 Requirements Internal AND External Scans of your PCI Scope Networks. Must be done at least Quarterly. External Scans Must use an “ASV” to attest or approve your scan results. Must show that “changes” are being scanned. Many Vulnerability Scanning tools exist. Many ASV's exist.

12 Meeting 11.2 Requirements Internal External You Can Do This!
Quarterly (at least) After Changes External Use an ASV. Must run from the Internet. Must be whitelisted in IPS/IDS.

13 PCI-DSS 11.3 11.3 Perform penetration testing at least once a year and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment). These penetration tests must include the following: Network-layer penetration tests Application-layer penetration tests

14 Meeting 11.3 Requirements Annually External & Internal After Changes
Qualified Testers Network Layer OS Network Application Layer PCI-DSS 6.5 OWASP

15 Meeting 11.3 Requirements Does not need to be an ASV.
Create a “Register” or Inventory of Applications and Network devices to test to ensure complete coverage. Review testing plan with a QSA if possible. Testing Can be expensive. The PCI SSC Website has a guidance document.

16 Summary of PCI Vulnerability Management Tasks
Internal Quarterly Scans. External Quarterly Scans. Internal Annual Penetration Tests External Annual Penetration Tests External Annual Web App Testing Internal Annual Application Testing. After Changes ?? Need to implement process to ensure new additions to your environment are tested adequately before implementation. Strong Security Governance reduces rework!

17 Final Recommendations
Have a clearly defined “Cardholder Environment.” Have QSA review your Vulnerability Management Processes. Be able to explain your methodology clearly. Ensure you are meeting the DSS standards. Security is the goal. Compliance is a minimum!

Download ppt "Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller."

Similar presentations

Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.

Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.
Evolving Challenges of PCI Compliance Charlie Wood, PCI QSA, CRISC, CISA Principal, The Bonadio Group January 10, 2014.

Evolving Challenges of PCI Compliance Charlie Wood, PCI QSA, CRISC, CISA Principal, The Bonadio Group January 10, 2014.
Mobile Payment Security The Good, the Bad and the Ugly

Mobile Payment Security The Good, the Bad and the Ugly
PCI DSS for Retail Industry

PCI DSS for Retail Industry
Payment Card Industry Data Security Standard Tom Davis and Chad Marcum Indiana University.

Payment Card Industry Data Security Standard Tom Davis and Chad Marcum Indiana University.
Troy Leach April 2012 The PCI Security Standards Council.

Troy Leach April 2012 The PCI Security Standards Council.
MARTAs Road to PCI Compliance 1 Presenter: Yolanda Curtis, PMP AFC Project Manager.

MARTAs Road to PCI Compliance 1 Presenter: Yolanda Curtis, PMP AFC Project Manager.
PCI:DSS What is it, and what does it mean to you? Dale Pearson 17 th November 2009.

PCI:DSS What is it, and what does it mean to you? Dale Pearson 17 th November 2009.
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
Navigating the New SAQs (Helping the 99% validate PCI compliance)

Navigating the New SAQs (Helping the 99% validate PCI compliance)
Zenith Visa Web Acquiring A quick over view. Web Acquiring Allows merchants to receive payments for goods and services through the Internet Allows customers.

Zenith Visa Web Acquiring A quick over view. Web Acquiring Allows merchants to receive payments for goods and services through the Internet Allows customers.
JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.

JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
Credit Card Compliance Regulations Mandated by the Payment Card Industry Standards Council Accounting and Financial Services.

Credit Card Compliance Regulations Mandated by the Payment Card Industry Standards Council Accounting and Financial Services.
Presented by : Vivian Eberhardt, Supervisor Cash and Credit Operations

Presented by : Vivian Eberhardt, Supervisor Cash and Credit Operations
PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.

PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.
PCI Compliance Technical Overview 2008. RM PCI Calendar Sept 2006: Official 15.1 PCI Release Sept 2006: 15.1 certified PCI Compliant Jan 2007: VISA approves.

PCI Compliance Technical Overview RM PCI Calendar Sept 2006: Official 15.1 PCI Release Sept 2006: 15.1 certified PCI Compliant Jan 2007: VISA approves.
Payment Card Industry (PCI) Data Security Standard (DSS) Compliance Commonwealth of Massachusetts Office of the State Comptroller March 2007.

Payment Card Industry (PCI) Data Security Standard (DSS) Compliance Commonwealth of Massachusetts Office of the State Comptroller March 2007.
Mod Security (Is it worth it?) By Rich Helton. Abstract (see my paper for sources)  Based on statistics, Apache is the most used web server being used.

Mod Security (Is it worth it?) By Rich Helton. Abstract (see my paper for sources)  Based on statistics, Apache is the most used web server being used.
By Ben Pratt and Clint Forseth.  Ben Pratt ◦ Primary Role: Course Mgmt. Sys. Admin ◦ Secondary Roles: Printer Server Admin, Web Application Firewall.

By Ben Pratt and Clint Forseth.  Ben Pratt ◦ Primary Role: Course Mgmt. Sys. Admin ◦ Secondary Roles: Printer Server Admin, Web Application Firewall.

Similar presentations

Ads by Google