
PCI Compliance Updates: E-Commerce / Cloud Security (Adam Goslin) - PowerPoint PPT Presentation



  1. PCI Compliance Updates: E-Commerce / Cloud Security
     Adam Goslin, Chief Operations Officer
     AGoslin@HighBitSecurity.com
     www.HighBitSecurity.com
     Direct: 248.388.4328

  2. PCI Guidance
     - Google: “PCI e-commerce guidance”
       https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_eCommerce_Guidelines.pdf
       - Provides explanations of the e-commerce environment and merchant obligations from a PCI DSS compliance perspective
       - The intent of this document is to provide supplemental information. Information provided here does not replace or supersede requirements in the PCI Data Security Standard (PCI DSS)
     - Google: “PCI SSC cloud guidance”
       https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_Cloud_Guidelines.pdf
       - Provides explanation of cloud implementation options and guidance for responsibilities
     - Source for all images and some content is acknowledged as coming from the above guidelines documents.

  3. E-Commerce - What’s New?
     - Mostly clarification and additional explanation
     - However:
       - No option completely removes a merchant’s PCI DSS responsibilities. Regardless of the extent of outsourcing to third parties, the merchant retains responsibility for ensuring that payment card data is protected.
       - Connections and redirections between the merchant and the third party can be compromised, and the merchant should monitor its systems to ensure that no unexpected changes have occurred and that the integrity of the connection/redirection is maintained.
       - There is no one-size-fits-all method or solution for e-commerce environments to meet PCI DSS requirements.
       - To minimize the chance of attack in these scenarios, merchants should apply extra due diligence to ensure the web application is developed securely and undergoes thorough penetration testing.
     - Covers B2C e-commerce implementation styles…

  4. First Steps To PCI
     - Data flow: mapping all cardholder data flow
       - Electronic
       - Connections with partners
       - Vendors
       - Phone **
       - Mail **
       - Fax **
       - In-Person **
     ** These are not specifically covered in the guidance doc

  5. Cloud - What’s New?
     - Cloud Service Models:
       - Software as a Service (SaaS): Capability for clients to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser, or a program interface.
       - Platform as a Service (PaaS): Capability for clients to deploy their applications (created or acquired) onto the cloud infrastructure, using programming languages, libraries, services, and tools supported by the provider.
       - Infrastructure as a Service (IaaS): Capability for clients to utilize the provider’s processing, storage, networks, and other fundamental computing resources to deploy and run operating systems, applications and other software on a cloud infrastructure.

  6. Cloud - Responsibilities
     - Responsibility sharing:
       - IaaS: Client = encryption / antivirus; Cloud Service Provider (CSP) = physical; remainder = both
       - PaaS: CSP = physical; remainder = both
       - SaaS: Both = secure systems, restrict to right to know, unique ID; remainder = CSP
     - On a per-instance basis, evaluation of the CSP offering, and ultimately merchant PCI responsibility
     - Written agreements with the CSP, clear definition of responsibilities
     - Validate PCI compliance of cloud providers

  7. E-Commerce - Third Parties
     - Payment Gateway / Processor
     - Web-hosting Provider
     - General Infrastructure Hosting Provider
     Keep in mind: the decision on what is best for your organization from the above list depends on many factors. This is the time to obtain guidance, once data flow is clearly identified.

  8. Typical 3 Tier Model
     1) presentation layer (web)
     2) processing layer (application)
     3) data-storage layer

  9. Typical Components
     - Shopping cart software (PA-DSS compliant)
     - Secure Sockets Layer / Transport Layer Security (SSL / TLS)
     - Network Components and Supporting Infrastructure

  10. Merchant-Managed (Proprietary)
     - Merchant writes the code themselves; integrates directly with the payment processor

  11. Merchant-Managed (Commercial Shopping Cart/Payment Applications)
     - Payment processing direct via commercially available software

  12. Shared-Management (Third-Party Embedded APIs with Direct Post)
     - Payment processing indirect, via the browser using a third-party API

  13. Shared-Management (Third-party Inline Frames)
     - Inline frames or “iFrames” allow a web page to be embedded within another web page.

  14. Shared-Management (Third-Party Hosted Payment Page)
     - Merchant’s customer is redirected to the payment page on the e-commerce payment processor’s site to enter payment card data. Once payment is processed, acknowledgement is sent back to the merchant’s web application.

  15. Shared Model: Security Considerations
     - Direct-post API approach: merchant responsible for security of web page
     - iFrame approach: merchant responsible for security of web page
     - Hosted-payment page approach: merchant responsible for security of web page
     - Merchant should:
       - Monitor for unauthorized changes, respond quickly
       - Practice secure development
       - Perform thorough penetration testing
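Slides 3 and 15 both say the merchant must monitor the page that hands card entry to the third party, because the connection or redirection itself can be tampered with. The following is an added example, not code from the presentation or from High Bit Security, of what such a check can look like: it fingerprints the approved checkout page and verifies that every form action, iframe, meta-refresh redirect and script on it still points at the expected payment provider (or the merchant's own site) over HTTPS. The host names, the HTML samples and the function names (check_page, extract_targets, page_fingerprint) are assumptions constructed for illustration.

```python
"""Added example (not from the presentation): checkout-page integrity check
for the direct-post, iFrame and hosted-page models. Hosts and HTML are
constructed for illustration."""
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list: the payment-provider host the integration was approved with.
EXPECTED_PAYMENT_HOSTS = {"pay.example-gateway.test"}
# Constructed: the merchant's own host, allowed for its own assets.
MERCHANT_HOSTS = {"shop.example-merchant.test"}


class PaymentTargetParser(HTMLParser):
    """Collect every element that can hand cardholder data off or alter the
    page: form actions (direct post), iframe sources (iFrame model), meta
    refresh redirects (hosted page) and script sources (a swapped script is
    the usual way a direct-post page stops being the page that was reviewed)."""

    def __init__(self):
        super().__init__()
        self.targets = []  # list of (kind, url)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form" and a.get("action"):
            self.targets.append(("form", a["action"]))
        elif tag == "iframe" and a.get("src"):
            self.targets.append(("iframe", a["src"]))
        elif tag == "script" and a.get("src"):
            self.targets.append(("script", a["src"]))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*(\S+)", a.get("content", ""), re.I)
            if m:
                self.targets.append(("redirect", m.group(1)))


def extract_targets(html):
    parser = PaymentTargetParser()
    parser.feed(html)
    return parser.targets


def page_fingerprint(html):
    """SHA-256 of the page as deployed. Record it as the baseline once the page
    has been reviewed; any later difference is unauthorized until change
    control says otherwise."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def check_page(html, baseline_hash,
               expected_hosts=EXPECTED_PAYMENT_HOSTS, own_hosts=MERCHANT_HOSTS):
    """Return a list of findings; an empty list means the page matches the
    approved baseline and only refers to expected hosts over HTTPS."""
    findings = []
    if page_fingerprint(html) != baseline_hash:
        findings.append("page content differs from approved baseline")
    for kind, url in extract_targets(html):
        parsed = urlparse(url)
        if not parsed.netloc:
            continue  # relative URL: served by the merchant's own site
        if parsed.scheme != "https":
            findings.append(f"{kind} target {url} is not https")
        if parsed.hostname not in expected_hosts and parsed.hostname not in own_hosts:
            findings.append(f"{kind} target points at unexpected host {parsed.hostname}")
    return findings


# Constructed sample: the approved direct-post checkout page.
APPROVED_PAGE = """<html><body>
<form action="https://pay.example-gateway.test/direct-post" method="post">
  <input name="pan"><input type="submit" value="Pay">
</form>
<script src="/static/checkout.js"></script>
</body></html>"""
BASELINE = page_fingerprint(APPROVED_PAGE)

# Constructed sample: the same page after its script tag was changed to load
# from a host the merchant never approved.
TAMPERED_PAGE = APPROVED_PAGE.replace(
    '<script src="/static/checkout.js">',
    '<script src="https://unexpected-cdn.test/checkout.js">')

if __name__ == "__main__":
    print("approved:", check_page(APPROVED_PAGE, BASELINE))
    print("tampered:", check_page(TAMPERED_PAGE, BASELINE))
```

Run this on a schedule against the live checkout URL and page the on-call when the list is non-empty; the fingerprint catches any edit at all, while the target check explains the ones that matter most for card data.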

  16. Outsourced E-commerce Implementations and SAQ A
     - Even wholesale outsourcing does not absolve merchants of their PCI requirements
     - Merchants may be eligible to complete SAQ A; however, they should validate with their acquirer to confirm
     - Immediate challenges: card-present, fax, mail, phone
     - PCI treats local machines connecting to a third-party gateway via the Internet as virtual terminals

  17. Common Security Vulnerabilities
     - Insecure Coding
       - Injection Flaws, Cross-site Scripting (XSS), Cross-site Request Forgery (CSRF), Buffer Overflows, Weak Authentication and/or Session Credentials
     - Security Misconfigurations
       - Secure configuration of the DMZ to limit inbound traffic to only those components intended to provide authorized, publicly accessible services, and to prohibit unauthorized outbound traffic (PCI DSS Requirements 1.3.1 and 1.3.4)
       - Secure system configuration and changing vendor-supplied default passwords and settings (PCI DSS Requirement 2)
       - Using secure encryption mechanisms when transmitting data over the Internet (PCI DSS Requirement 4)
       - Protecting e-commerce components from known malware (PCI DSS Requirement 5)
       - Keeping all software and network components up to date with vendor-supplied patches (PCI DSS Requirement 6.1)
       - Using secure software development and coding practices for websites (PCI DSS Requirements 6.3 – 6.5)
       - Implementing a process to address new security vulnerabilities (PCI DSS Requirements 6.1, 6.2, 6.6 and 11.2)
       - Limiting access to only those users with a need to know and requiring strong authentication credentials for those with access (PCI DSS Requirements 7 and 8)
       - Logging and monitoring (PCI DSS Requirements 10 and 11)
     - Security Myths:
       - Net Admins / Developers <> Security
       - Passing ASV scan <> Security

  18. Recommendations
     - Know the Location of all Your Cardholder Data
     - If You Don’t Need It, Don’t Store It
     - Evaluate Risks Associated with the Selected E-commerce Technology
     - Address Risks Associated with Outsourcing to Third-party Service Providers
     - ASV Scanning of Web-hosted Environments
     - Penetration Testing
     - Best Practices for Payment Applications
     - Implement Security Training for all Staff
     - Other Recommendations
       - Monitoring security alerts
       - Additional firewall between application and database servers
       - Never reflect full card number via interface / receipt
     - Best Practices for Consumer Awareness
       - Don’t use public computers for e-commerce
       - Don’t use public WiFi
       - Shoulder surfing
       - Patching
       - Strong passwords / password keeper (KeePass / KeePassX)
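The recommendation never to reflect the full card number via an interface or receipt is usually implemented as PAN masking, and the same logic is worth running over receipt templates and application logs, where full PANs tend to leak unnoticed. The following is an added example, not code from the presentation or from High Bit Security: a masking function that shows at most the first six and last four digits (the limit set by PCI DSS Requirement 3.3), and a redactor that finds digit runs in free text and masks only those that pass the Luhn check, so order and reference numbers are left alone. The sample text and the function names (luhn_valid, mask_pan, redact_text) are assumptions constructed for illustration.

```python
"""Added example (not from the presentation): PAN masking for displays and
receipts, plus a Luhn-gated redactor for free text. Sample input is
constructed; 4111 1111 1111 1111 is a standard test card number."""
import re

# Candidate runs of 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn mod-10 check: separates real PANs from order numbers and other
    long digit strings that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits, keep_first=6, keep_last=4):
    """Return the PAN with at most the first six and last four digits visible,
    the most PCI DSS Requirement 3.3 allows on a display or receipt."""
    if keep_first > 6 or keep_last > 4:
        raise ValueError("PCI DSS permits at most first 6 / last 4 visible")
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-length digit string")
    hidden = len(digits) - keep_first - keep_last
    return digits[:keep_first] + "*" * hidden + digits[-keep_last:]


def redact_text(text):
    """Replace every Luhn-valid PAN in the text with its masked form. Separators
    inside the number are dropped in the masked output; non-PAN digit runs
    (Luhn failures) are returned unchanged."""
    def _mask(match):
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if luhn_valid(digits):
            return mask_pan(digits)
        return raw
    return PAN_CANDIDATE.sub(_mask, text)


if __name__ == "__main__":
    # Constructed receipt line: one real-looking PAN and one 16-digit reference number.
    line = "Receipt: card 4111 1111 1111 1111 approved, ref 1234567890123456"
    print(redact_text(line))
```

For receipts the right place to call mask_pan is the rendering layer, so the full PAN never reaches a template; redact_text is the safety net for log pipelines and support tooling where a PAN should never have appeared in the first place.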

  19. Importance?
     - News
       - International hacking rings
       - Card theft rings
       - Chinese government hacking facility
     - Security
       - Security of card data – sure
       - PCI <> corporate security

  20. Additional Questions?
     Free consultations and proposals for:
     - Security Testing
     - Security Consulting
     Adam Goslin, Chief Operations Officer
     AGoslin@HighBitSecurity.com
     www.HighBitSecurity.com
     Direct: 248.388.4328
