PCI Compliance Updates



PCI Compliance Updates: E-Commerce / Cloud Security
Adam Goslin, Chief Operations Officer
AGoslin@HighBitSecurity.com
Direct: 248.388.4328

PCI Guidance
Google: PCI e-commerce guidance
https://www.pcisecuritystandards.org/pdfs/pci_dss_v2_ecommerce_guidelines.pdf
- Provides explanations of the e-commerce environment and merchant obligations from a PCI DSS compliance perspective
- The intent of this document is to provide supplemental information. Information provided here does not replace or supersede requirements in the PCI Data Security Standard (PCI DSS)
Google: PCI SSC cloud guidance
https://www.pcisecuritystandards.org/pdfs/pci_dss_v2_cloud_guidelines.pdf
- Provides explanation of cloud implementation options and guidance for responsibilities
Source for all images and some content is acknowledged as coming from the above guidelines documents.

E-Commerce - What's New?
Mostly clarification and additional explanation. However:
- No option completely removes a merchant's PCI DSS responsibilities. Regardless of the extent of outsourcing to third parties, the merchant retains responsibility for ensuring that payment card data is protected.
- Connections and redirections between the merchant and the third party can be compromised, and the merchant should monitor its systems to ensure that no unexpected changes have occurred and that the integrity of the connection/redirection is maintained.
- There is no one-size-fits-all method or solution for e-commerce environments to meet PCI DSS requirements.
- To minimize the chance of attack in these scenarios, merchants should apply extra due diligence to ensure the web application is developed securely and undergoes thorough penetration testing.
Covers B2C e-commerce implementation styles.

First Steps To PCI: Data Flow Mapping
Map all cardholder data flows:
- Electronic connections with partners
- Vendors
- Phone **
- Mail **
- Fax **
- In-person **
** These are not specifically covered in the guidance doc

Cloud - What's New?
Cloud service models:
- Software as a Service (SaaS): Capability for clients to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser, or a program interface.
- Platform as a Service (PaaS): Capability for clients to deploy their applications (created or acquired) onto the cloud infrastructure, using programming languages, libraries, services, and tools supported by the provider.
- Infrastructure as a Service (IaaS): Capability for clients to utilize the provider's processing, storage, networks, and other fundamental computing resources to deploy and run operating systems, applications and other software on a cloud infrastructure.

Cloud Responsibilities
Responsibility sharing:
- IaaS: Client = encryption / antivirus; Cloud Service Provider (CSP) = physical; remainder = both
- PaaS: CSP = physical; remainder = both
- SaaS: Both = secure systems, restrict to right to know, unique ID; remainder = CSP
- On a per-instance basis, evaluation of the CSP offering, and ultimately merchant PCI responsibility
- Written agreements with the CSP, with a clear definition of responsibilities
- Validate PCI compliance of cloud providers

E-Commerce - Third Parties
- Payment gateway / processor
- Web-hosting provider
- General infrastructure hosting provider
Keep in mind that the decision on what is best for your organization from the above list depends on many factors. This is the time to obtain guidance, once data flow is clearly identified.

Typical 3-Tier Model
1) Presentation layer (web)
2) Processing layer (application)
3) Data-storage layer

Typical Components
- Shopping cart software (PA-DSS compliant)
- Secure Sockets Layer / Transport Layer Security (SSL / TLS)
- Network components and supporting infrastructure

Merchant-Managed (Proprietary): Merchant writes the code themselves and integrates directly with the payment processor.

Merchant-Managed (Commercial Shopping Cart/Payment Applications): Payment processing directly via commercially available software.

Shared-Management (Third-Party Embedded APIs with Direct Post): Payment processing indirectly via the browser using a third-party API.

Shared-Management (Third-Party Inline Frames): Inline frames (iframes) allow a web page to be embedded within another web page.

Shared-Management (Third-Party Hosted Payment Page): The merchant's customer is redirected to the payment page on the e-commerce payment processor's site to enter payment card data. Once the payment is processed, an acknowledgement is sent back to the merchant's web application.

Shared Model: Security Considerations
- Direct-post API approach: Merchant responsible for security of the web page
- iframe approach: Merchant responsible for security of the web page
- Hosted-payment page approach: Merchant responsible for security of the web page
Merchant should:
- Monitor for unauthorized changes, respond quickly
- Practice secure development
- Perform thorough penetration testing
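In all three shared models the merchant still owns the page that sends the customer to the gateway, so the "monitor for unauthorized changes" item comes down to checking that the form action, iframe source and loaded scripts on that page still point where they were approved to point. The following script is an added example, not part of the slides or any HighBit Security tooling; the hostnames and the sample HTML are constructed for the demonstration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the checkout page may send card data to or load code from.
# Hypothetical values: the merchant's own site plus its payment gateway.
ALLOWED_HOSTS = {"shop.example-merchant.test", "pay.example-gateway.test"}

class CheckoutPageParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.destinations = []  # where a form posts or an iframe loads card entry
        self.scripts = []       # where page code is loaded from

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.destinations.append(a["action"])
        elif tag == "iframe" and a.get("src"):
            self.destinations.append(a["src"])
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])

def external_host(url):
    """Hostname of an absolute URL; '' for a relative URL (the merchant's own host)."""
    return urlparse(url).hostname or ""

def check_checkout_page(html, approved_sha256, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of findings; an empty list means the page matches its baseline."""
    findings = []
    if hashlib.sha256(html.encode()).hexdigest() != approved_sha256:
        findings.append("content differs from approved baseline")
    parser = CheckoutPageParser()
    parser.feed(html)
    for url in parser.destinations:
        if external_host(url) and external_host(url) not in allowed_hosts:
            findings.append(f"card-entry destination not on allowlist: {url}")
    for url in parser.scripts:
        if external_host(url) and external_host(url) not in allowed_hosts:
            findings.append(f"script loaded from unexpected host: {url}")
    return findings

# Constructed sample: the approved direct-post checkout page and a modified copy.
APPROVED_HTML = ('<form action="https://pay.example-gateway.test/post" method="post">'
                 '<input name="card"></form><script src="/js/cart.js"></script>')
APPROVED_SHA256 = hashlib.sha256(APPROVED_HTML.encode()).hexdigest()  # taken at deploy time
MODIFIED_HTML = (APPROVED_HTML.replace("pay.example-gateway.test", "unknown-host.test")
                 + '<script src="https://unknown-host.test/x.js"></script>')
```

Run the check on a schedule against the live page and alert on any non-empty result; the hash catches every change, while the host checks explain which changes matter for card data.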

Outsourced E-Commerce Implementations and SAQ A
- Even wholesale outsourcing does not absolve merchants of their PCI requirements
- Merchants may be eligible to complete SAQ A; however, they should validate with their acquirer to confirm
- Immediate challenges: card-present, fax, mail, phone
- PCI treats local machines connecting to a third-party gateway via the Internet as virtual terminals

Common Security Vulnerabilities
Insecure coding:
- Injection flaws, cross-site scripting (XSS), cross-site request forgery (CSRF), buffer overflows, weak authentication and/or session credentials
Security misconfigurations:
- Secure configuration of the DMZ to limit inbound traffic to only those components intended to provide authorized, publicly accessible services, and to prohibit unauthorized outbound traffic (PCI DSS Requirements 1.3.1 and 1.3.4)
- Secure system configuration and changing vendor-supplied default passwords and settings (PCI DSS Requirement 2)
- Using secure encryption mechanisms when transmitting data over the Internet (PCI DSS Requirement 4)
- Protecting e-commerce components from known malware (PCI DSS Requirement 5)
- Keeping all software and network components up to date with vendor-supplied patches (PCI DSS Requirement 6.1)
- Using secure software development and coding practices for websites (PCI DSS Requirements 6.3 to 6.5)
- Implementing a process to address new security vulnerabilities (PCI DSS Requirements 6.1, 6.2, 6.6 and 11.2)
- Limiting access to only those users with a need to know and requiring strong authentication credentials for those with access (PCI DSS Requirements 7 and 8)
- Logging and monitoring (PCI DSS Requirements 10 and 11)
Security myths:
- Net admins / developers ≠ security
- Passing an ASV scan ≠ security

Recommendations
- Know the location of all your cardholder data
- If you don't need it, don't store it
- Evaluate risks associated with the selected e-commerce technology
- Address risks associated with outsourcing to third-party service providers
- ASV scanning of web-hosted environments
- Penetration testing
- Best practices for payment applications
- Implement security training for all staff
Other recommendations:
- Monitoring security alerts
- Additional firewall between application and database servers
- Never reflect the full card number via interface / receipt
Best practices for consumer awareness:
- Don't use public computers for e-commerce
- Don't use public WiFi
- Shoulder surfing
- Patching
- Strong passwords / password keeper (KeePass / KeePassX)
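Two of the recommendations above, knowing where all cardholder data is and never reflecting a full card number on an interface or receipt, can be backed by the same piece of code: a scanner that finds Luhn-valid PAN-shaped numbers in receipt or log text and masks them to the first six and last four digits, the maximum PCI DSS 3.3 allows to be displayed. This is an added example, not code from the slides; the log lines are constructed, and the 4111 1111 1111 1111 value is the familiar Visa-format test number rather than a real card.

```python
import re

# Runs of 13 to 19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits):
    """Luhn check digit test, as applied to PANs; weeds out order and tracking numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(pan):
    """Keep at most the first six and last four digits (PCI DSS 3.3 display limit)."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_unmasked_pans(text):
    """Return (raw_match, masked) pairs for every Luhn-valid PAN-looking number in text."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            found.append((m.group(), mask_pan(digits)))
    return found

def redact(text):
    """Replace every unmasked PAN in text with its masked form."""
    for raw, masked in find_unmasked_pans(text):
        text = text.replace(raw, masked)
    return text

# Constructed sample receipt/log lines: one leaks a full PAN, one is already
# masked, one contains a 13-digit tracking number that fails the Luhn check.
SAMPLE_LOG = [
    "2016-06-01 12:00:01 order=1001 receipt card=4111 1111 1111 1111 amount=19.99",
    "2016-06-01 12:00:02 order=1002 receipt card=411111******1111 amount=5.00",
    "2016-06-01 12:00:03 order=1003 tracking=1234567890123 amount=7.50",
]
```

Point the scanner at application logs, receipt templates and database exports to find cardholder data you did not know you were keeping; every hit is either something to redact or a storage location to add to the data-flow map.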

Importance?
News:
- International hacking rings
- Card theft rings
- Chinese government hacking facility
Security:
- Security of card data, sure
- PCI ≠ corporate security

Additional Questions?
Free consultations and proposals for:
- Security testing
- Security consulting
Adam Goslin, Chief Operations Officer
AGoslin@HighBitSecurity.com
Direct: 248.388.4328