SlideShare une entreprise Scribd logo

PA-DSS

Télécharger en tant que KEY, PDF
Christian Heinrich
Christian Heinrich

Presented at the Firetalks held at Shmoocon 2010 Updated on 28 Feb 2010

TechnologieFormation
1  sur  19
Payment Application - Don’t Secure Sh!t cmlh Shmoocon 2K10 - Firetalks Last Updated 28 February 2010
cmlh Not QSA and/or PA-QSA i.e. End User therefore Unbiased. PCI-DSS • Energy Australia (.nsw.gov.au Critical Infrastructure) • “Should I Black Your PC I/Eyes Again?” Presentation to .nsw.gov.au • eWay (.au ASP Payment Gateway) • FOXTEL (.au Subscription Television) PA-DSS • OWASP AU 2009 Presentation with Darren Skidmore (FNIS)
PA-DSS - History Payment Application Best Practice (PABP) from VISA PCI Security Standards Council Publications: • Accepted PABP v1.4 until 15 October 2008 • v1.1 - 15 April 2008 • v1.2 - 15 October 2008 Rumoured that PA-DSS is more through then PABP • No way to verify as PABP has ceased publication
PA-DSS - Diff PCI-DSS PCI SCC list Validated Payment Application (VPA) • Not QSA like PCI-DSS PA-DSS Implementation Guide VISA are the only Card Brand mandating PA-DSS • Conformance by 1 July 2012
Economics of INFOSEC Identify Political and/or Technical Deficiencies in: • PA-DSS • Including Dependencies on PCI DSS • PA-QSA Intend to audit specific Validated Payment Application (VPA) at a later date
PA-QSA QSA -> PA-QSA CI$$P (ISC2) and/or CISA/CISM (ISACA) • ISC2 recently launched the C$$LP Security Researchers with these quals???
Out of Scope Due to their PCI-DSS (lack of) effort • Single Implementation (Custom /dev Software) • Payment Gateway (ASP or SaaS) • Implementation (DB, OS, etc) Attack Surface of PCI DSS
In Scope Payment Applications which process VISA only “Payment” Module within COTS is In Scope • Attack Surface of other “Modules”
PCI DSS Dependency 1. Do not retain full magnetic stripe, card validation code or value (CAV2, CID, CVC2, CVV2), or PIN block data Attacks are similar to those of PCI DSS • Masked on Screen yet read /dev • Commodity Hardware
PCI DSS Dependency 2. Protect stored cardholder data Attacks are similar to those of 3.4 of PCI DSS • No reference to Cryptographic Modes • Hence “Broken” Modes used e.g. ECB Root Cause “Applied Crypto” as “Reference”
PA-DSS 5. Develop secure payment applications Cites OWASP “Guide” - WTF!!! • OWASP Top Ten 2007 -> 2010 RC1 • TANDEM, Mainframe and AS/400 based • www Server on LPAR MITRE CWE has > 700 Type of Vuln
PCI DSS Dependency • 6. Protect wireless transmissions • WEP - WTF!!! • Joshua Wright on Not Broadcasting SSID • Contacted PCI DSS 1.0 • Implemented PCI DSS 1.2
PA-DSS 7. Test payment applications to address vulnerabilities Root Cause is Maturity • Pen Test is Point in Time
PCI DSS Dependency 10. Facilitate secure remote software updates Should be implemented but consider other vendors e.g. Evilgrade
PCI DSS Dependency 12. Encrypt sensitive traffic over public networks 13. Encrypt all non-console administrative access Recent attacks against SSL not considered.
Payment Specific There is no security advice specific to payment transaction types, i.e. Chargeback, etc
Root Causes Elitism • Financial Security is “Smoke and Mirrors” • Compounded by Blowing Smoke up their (_o_)
Root Causes “Hitting the Celling” due to: • CI$$P and CISA/CISM • Reading “Applied Cryptography”/etc only
Conclusion christian.heinrich@cmlh.id.au Thanks • Kyle Osborn @kposborn for rego code • Don’t forget your RUXCON shirt • Bruce @gdead and Heidi Potter for late rego • @grecs for scheduling this firetalk • All other shmoocon staff

Recommandé

Application security and pa dss certification
Application security and pa dss certificationApplication security and pa dss certification
Application security and pa dss certificationAlexander Polyakov
 
PCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to KnowPCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to KnowAlienVault
 
PCI-DSS_Overview
PCI-DSS_OverviewPCI-DSS_Overview
PCI-DSS_Overviewsameh Abulfotooh
 
PCI DSS 3.2
PCI DSS 3.2PCI DSS 3.2
PCI DSS 3.2Kimberly Simon MBA
 
PCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as UsualPCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as UsualKimberly Simon MBA
 
PCI DSS v3.0: How to Adapt Your Compliance Strategy
PCI DSS v3.0: How to Adapt Your Compliance StrategyPCI DSS v3.0: How to Adapt Your Compliance Strategy
PCI DSS v3.0: How to Adapt Your Compliance StrategyAlienVault
 
Pci dss-for-it-providers
Pci dss-for-it-providersPci dss-for-it-providers
Pci dss-for-it-providersCalyptix Security
 
1. PCI Compliance Overview
1. PCI Compliance Overview1. PCI Compliance Overview
1. PCI Compliance Overviewokrantz
 

Recommandé

Application security and pa dss certification
Application security and pa dss certificationApplication security and pa dss certification
Application security and pa dss certificationAlexander Polyakov
 
PCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to KnowPCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to KnowAlienVault
 
PCI-DSS_Overview
PCI-DSS_OverviewPCI-DSS_Overview
PCI-DSS_Overviewsameh Abulfotooh
 
PCI DSS 3.2
PCI DSS 3.2PCI DSS 3.2
PCI DSS 3.2Kimberly Simon MBA
 
PCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as UsualPCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as UsualKimberly Simon MBA
 
PCI DSS v3.0: How to Adapt Your Compliance Strategy
PCI DSS v3.0: How to Adapt Your Compliance StrategyPCI DSS v3.0: How to Adapt Your Compliance Strategy
PCI DSS v3.0: How to Adapt Your Compliance StrategyAlienVault
 
Pci dss-for-it-providers
Pci dss-for-it-providersPci dss-for-it-providers
Pci dss-for-it-providersCalyptix Security
 
1. PCI Compliance Overview
1. PCI Compliance Overview1. PCI Compliance Overview
1. PCI Compliance Overviewokrantz
 
Card Data Discovery and PCI DSS
Card Data Discovery and PCI DSSCard Data Discovery and PCI DSS
Card Data Discovery and PCI DSSKimberly Simon MBA
 
PCI DSS and PA DSS
PCI DSS and PA DSSPCI DSS and PA DSS
PCI DSS and PA DSSKimberly Simon MBA
 
Comsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar
Comsec PCI DSS v3 2 - Overview and Summary of Changes - WebinarComsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar
Comsec PCI DSS v3 2 - Overview and Summary of Changes - WebinarAriel Ben-Harosh
 
PCI DSS Essential Guide
PCI DSS Essential GuidePCI DSS Essential Guide
PCI DSS Essential GuideKim Jensen
 
PCI DSS 3.0 – What You Need to Know
PCI DSS 3.0 – What You Need to KnowPCI DSS 3.0 – What You Need to Know
PCI DSS 3.0 – What You Need to KnowTerra Verde
 
Pci ssc quick reference guide
Pci ssc quick reference guidePci ssc quick reference guide
Pci ssc quick reference guideMohammad Makchudul Alam (Arif)
 
PCI DSS Compliance
PCI DSS CompliancePCI DSS Compliance
PCI DSS ComplianceSaumya Vishnoi
 
Pci standards, from participation to implementation and review
Pci standards, from participation to implementation and reviewPci standards, from participation to implementation and review
Pci standards, from participation to implementation and reviewisc2-hellenic
 
Spirit of PCI DSS by Dr. Anton Chuvakin
Spirit of PCI DSS by Dr. Anton ChuvakinSpirit of PCI DSS by Dr. Anton Chuvakin
Spirit of PCI DSS by Dr. Anton ChuvakinAnton Chuvakin
 
PCI DSS and PA DSS Compliance
PCI DSS and PA DSS CompliancePCI DSS and PA DSS Compliance
PCI DSS and PA DSS ComplianceKimberly Simon MBA
 
PCI DSSand PA DSS
PCI DSSand PA DSSPCI DSSand PA DSS
PCI DSSand PA DSSKimberly Simon MBA
 
SFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA PerspectiveSFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA PerspectiveMark Akins
 
Introduction to PCI DSS
Introduction to PCI DSSIntroduction to PCI DSS
Introduction to PCI DSSSaumya Vishnoi
 
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATIONPCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATIONhimalya sharma
 
PCI DSS v3 - Protecting Cardholder data
PCI DSS v3 - Protecting Cardholder dataPCI DSS v3 - Protecting Cardholder data
PCI DSS v3 - Protecting Cardholder dataInMobi Technology
 
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECVendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECKimberly Simon MBA
 
Continual Compliance Monitoring
Continual Compliance MonitoringContinual Compliance Monitoring
Continual Compliance MonitoringKimberly Simon MBA
 
PCI DSS 2.0 Detailed Introduction
PCI DSS 2.0 Detailed IntroductionPCI DSS 2.0 Detailed Introduction
PCI DSS 2.0 Detailed IntroductionControlCase
 
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATIONPCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATIONhimalya sharma
 
PCI Compliance in the Cloud
PCI Compliance in the CloudPCI Compliance in the Cloud
PCI Compliance in the CloudKimberly Simon MBA
 
PCI DSS: Update on the evolution of the standard. MasterCard WorldWide
PCI DSS: Update on the evolution of the standard. MasterCard WorldWidePCI DSS: Update on the evolution of the standard. MasterCard WorldWide
PCI DSS: Update on the evolution of the standard. MasterCard WorldWideInternet Security Auditors
 
2016_07_22_can_you_protect_my_cc_data
2016_07_22_can_you_protect_my_cc_data2016_07_22_can_you_protect_my_cc_data
2016_07_22_can_you_protect_my_cc_dataKelvin Medina, CISSP, PA-QSA, QSA, GCIH, CISA, ITIL
 

Contenu connexe

Tendances

Card Data Discovery and PCI DSS
Card Data Discovery and PCI DSSCard Data Discovery and PCI DSS
Card Data Discovery and PCI DSSKimberly Simon MBA
 
Comsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar
Comsec PCI DSS v3 2 - Overview and Summary of Changes - WebinarComsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar
Comsec PCI DSS v3 2 - Overview and Summary of Changes - WebinarAriel Ben-Harosh
 
PCI DSS Essential Guide
PCI DSS Essential GuidePCI DSS Essential Guide
PCI DSS Essential GuideKim Jensen
 
PCI DSS 3.0 – What You Need to Know
PCI DSS 3.0 – What You Need to KnowPCI DSS 3.0 – What You Need to Know
PCI DSS 3.0 – What You Need to KnowTerra Verde
 
Pci standards, from participation to implementation and review
Pci standards, from participation to implementation and reviewPci standards, from participation to implementation and review
Pci standards, from participation to implementation and reviewisc2-hellenic
 
Spirit of PCI DSS by Dr. Anton Chuvakin
Spirit of PCI DSS by Dr. Anton ChuvakinSpirit of PCI DSS by Dr. Anton Chuvakin
Spirit of PCI DSS by Dr. Anton ChuvakinAnton Chuvakin
 
SFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA PerspectiveSFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA PerspectiveMark Akins
 
Introduction to PCI DSS
Introduction to PCI DSSIntroduction to PCI DSS
Introduction to PCI DSSSaumya Vishnoi
 
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATIONPCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATIONhimalya sharma
 
PCI DSS v3 - Protecting Cardholder data
PCI DSS v3 - Protecting Cardholder dataPCI DSS v3 - Protecting Cardholder data
PCI DSS v3 - Protecting Cardholder dataInMobi Technology
 
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECVendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECKimberly Simon MBA
 
Continual Compliance Monitoring
Continual Compliance MonitoringContinual Compliance Monitoring
Continual Compliance MonitoringKimberly Simon MBA
 
PCI DSS 2.0 Detailed Introduction
PCI DSS 2.0 Detailed IntroductionPCI DSS 2.0 Detailed Introduction
PCI DSS 2.0 Detailed IntroductionControlCase
 
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATIONPCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATIONhimalya sharma
 

Tendances (20)

Card Data Discovery and PCI DSS
Card Data Discovery and PCI DSSCard Data Discovery and PCI DSS
Card Data Discovery and PCI DSS
 
PCI DSS and PA DSS
PCI DSS and PA DSSPCI DSS and PA DSS
PCI DSS and PA DSS
 
Comsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar
Comsec PCI DSS v3 2 - Overview and Summary of Changes - WebinarComsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar
Comsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar
 
PCI DSS Essential Guide
PCI DSS Essential GuidePCI DSS Essential Guide
PCI DSS Essential Guide
 
PCI DSS 3.0 – What You Need to Know
PCI DSS 3.0 – What You Need to KnowPCI DSS 3.0 – What You Need to Know
PCI DSS 3.0 – What You Need to Know
 
Pci ssc quick reference guide
Pci ssc quick reference guidePci ssc quick reference guide
Pci ssc quick reference guide
 
PCI DSS Compliance
PCI DSS CompliancePCI DSS Compliance
PCI DSS Compliance
 
Pci standards, from participation to implementation and review
Pci standards, from participation to implementation and reviewPci standards, from participation to implementation and review
Pci standards, from participation to implementation and review
 
Spirit of PCI DSS by Dr. Anton Chuvakin
Spirit of PCI DSS by Dr. Anton ChuvakinSpirit of PCI DSS by Dr. Anton Chuvakin
Spirit of PCI DSS by Dr. Anton Chuvakin
 
PCI DSS and PA DSS Compliance
PCI DSS and PA DSS CompliancePCI DSS and PA DSS Compliance
PCI DSS and PA DSS Compliance
 
PCI DSSand PA DSS
PCI DSSand PA DSSPCI DSSand PA DSS
PCI DSSand PA DSS
 
SFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA PerspectiveSFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA Perspective
 
Introduction to PCI DSS
Introduction to PCI DSSIntroduction to PCI DSS
Introduction to PCI DSS
 
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATIONPCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
 
PCI DSS v3 - Protecting Cardholder data
PCI DSS v3 - Protecting Cardholder dataPCI DSS v3 - Protecting Cardholder data
PCI DSS v3 - Protecting Cardholder data
 
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECVendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
 
Continual Compliance Monitoring
Continual Compliance MonitoringContinual Compliance Monitoring
Continual Compliance Monitoring
 
PCI DSS 2.0 Detailed Introduction
PCI DSS 2.0 Detailed IntroductionPCI DSS 2.0 Detailed Introduction
PCI DSS 2.0 Detailed Introduction
 
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATIONPCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
 
PCI Compliance in the Cloud
PCI Compliance in the CloudPCI Compliance in the Cloud
PCI Compliance in the Cloud
 

Similaire à PA-DSS

PCI DSS: Update on the evolution of the standard. MasterCard WorldWide
PCI DSS: Update on the evolution of the standard. MasterCard WorldWidePCI DSS: Update on the evolution of the standard. MasterCard WorldWide
PCI DSS: Update on the evolution of the standard. MasterCard WorldWideInternet Security Auditors
 
PCI DSS Certification
PCI DSS CertificationPCI DSS Certification
PCI DSS Certificationhodonoghue
 
PCI Descoping: How to Reduce Controls and Streamline Compliance
PCI Descoping: How to Reduce Controls and Streamline CompliancePCI Descoping: How to Reduce Controls and Streamline Compliance
PCI Descoping: How to Reduce Controls and Streamline ComplianceTokenEx
 
Building Up Network Security: An Introduction
Building Up Network Security: An Introduction Building Up Network Security: An Introduction
Building Up Network Security: An Introduction Global Knowledge Training
 
PCIDSS compliance made easier through a collaboration between NC State and UN...
PCIDSS compliance made easier through a collaboration between NC State and UN...PCIDSS compliance made easier through a collaboration between NC State and UN...
PCIDSS compliance made easier through a collaboration between NC State and UN...John Baines
 
Customer Case Study: Achieving PCI Compliance in AWS
Customer Case Study: Achieving PCI Compliance in AWSCustomer Case Study: Achieving PCI Compliance in AWS
Customer Case Study: Achieving PCI Compliance in AWSAmazon Web Services
 
pci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdf
pci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdfpci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdf
pci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdfssuserbcc088
 
Adventures in PCI Wonderland
Adventures in PCI WonderlandAdventures in PCI Wonderland
Adventures in PCI WonderlandMichele Chubirka
 
An Introduction to PCI Compliance on IBM Power Systems
An Introduction to PCI Compliance on IBM Power SystemsAn Introduction to PCI Compliance on IBM Power Systems
An Introduction to PCI Compliance on IBM Power SystemsHelpSystems
 
PCI DSS Scoping and Applicability
PCI DSS Scoping and ApplicabilityPCI DSS Scoping and Applicability
PCI DSS Scoping and ApplicabilityManish Mahapatra
 
Educause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptxEducause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptxgealehegn
 
Navigating the PCI Self-Assessment questionaire
Navigating the PCI Self-Assessment questionaireNavigating the PCI Self-Assessment questionaire
Navigating the PCI Self-Assessment questionaireDavid Strom
 
Reaching PCI Nirvana: Ensure a Successful Audit & Maintain Continuous Compliance
Reaching PCI Nirvana: Ensure a Successful Audit & Maintain Continuous ComplianceReaching PCI Nirvana: Ensure a Successful Audit & Maintain Continuous Compliance
Reaching PCI Nirvana: Ensure a Successful Audit & Maintain Continuous ComplianceAlgoSec
 
Technology Overview - Validation & ID Protection (VIP)
Technology Overview - Validation & ID Protection (VIP)Technology Overview - Validation & ID Protection (VIP)
Technology Overview - Validation & ID Protection (VIP)Iftikhar Ali Iqbal
 
Webinar - PCI DSS Merchant Levels validations and applicable
Webinar - PCI DSS Merchant Levels validations and applicableWebinar - PCI DSS Merchant Levels validations and applicable
Webinar - PCI DSS Merchant Levels validations and applicableVISTA InfoSec
 

Similaire à PA-DSS (20)

PCI DSS: Update on the evolution of the standard. MasterCard WorldWide
PCI DSS: Update on the evolution of the standard. MasterCard WorldWidePCI DSS: Update on the evolution of the standard. MasterCard WorldWide
PCI DSS: Update on the evolution of the standard. MasterCard WorldWide
 
2016_07_22_can_you_protect_my_cc_data
2016_07_22_can_you_protect_my_cc_data2016_07_22_can_you_protect_my_cc_data
2016_07_22_can_you_protect_my_cc_data
 
Payment System Risk. Visa
Payment System Risk. VisaPayment System Risk. Visa
Payment System Risk. Visa
 
PCI DSS Certification
PCI DSS CertificationPCI DSS Certification
PCI DSS Certification
 
PCI Descoping: How to Reduce Controls and Streamline Compliance
PCI Descoping: How to Reduce Controls and Streamline CompliancePCI Descoping: How to Reduce Controls and Streamline Compliance
PCI Descoping: How to Reduce Controls and Streamline Compliance
 
PruebaJLF.pptx
PruebaJLF.pptxPruebaJLF.pptx
PruebaJLF.pptx
 
Building Up Network Security: An Introduction
Building Up Network Security: An Introduction Building Up Network Security: An Introduction
Building Up Network Security: An Introduction
 
PCI DSS
PCI DSSPCI DSS
PCI DSS
 
PCIDSS compliance made easier through a collaboration between NC State and UN...
PCIDSS compliance made easier through a collaboration between NC State and UN...PCIDSS compliance made easier through a collaboration between NC State and UN...
PCIDSS compliance made easier through a collaboration between NC State and UN...
 
Customer Case Study: Achieving PCI Compliance in AWS
Customer Case Study: Achieving PCI Compliance in AWSCustomer Case Study: Achieving PCI Compliance in AWS
Customer Case Study: Achieving PCI Compliance in AWS
 
pci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdf
pci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdfpci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdf
pci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdf
 
Adventures in PCI Wonderland
Adventures in PCI WonderlandAdventures in PCI Wonderland
Adventures in PCI Wonderland
 
An Introduction to PCI Compliance on IBM Power Systems
An Introduction to PCI Compliance on IBM Power SystemsAn Introduction to PCI Compliance on IBM Power Systems
An Introduction to PCI Compliance on IBM Power Systems
 
PCI DSS Scoping and Applicability
PCI DSS Scoping and ApplicabilityPCI DSS Scoping and Applicability
PCI DSS Scoping and Applicability
 
Pci multitenancy exalogic at AMIS25
Pci multitenancy exalogic at AMIS25Pci multitenancy exalogic at AMIS25
Pci multitenancy exalogic at AMIS25
 
Educause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptxEducause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptx
 
Navigating the PCI Self-Assessment questionaire
Navigating the PCI Self-Assessment questionaireNavigating the PCI Self-Assessment questionaire
Navigating the PCI Self-Assessment questionaire
 
Reaching PCI Nirvana: Ensure a Successful Audit & Maintain Continuous Compliance
Reaching PCI Nirvana: Ensure a Successful Audit & Maintain Continuous ComplianceReaching PCI Nirvana: Ensure a Successful Audit & Maintain Continuous Compliance
Reaching PCI Nirvana: Ensure a Successful Audit & Maintain Continuous Compliance
 
Technology Overview - Validation & ID Protection (VIP)
Technology Overview - Validation & ID Protection (VIP)Technology Overview - Validation & ID Protection (VIP)
Technology Overview - Validation & ID Protection (VIP)
 
Webinar - PCI DSS Merchant Levels validations and applicable
Webinar - PCI DSS Merchant Levels validations and applicableWebinar - PCI DSS Merchant Levels validations and applicable
Webinar - PCI DSS Merchant Levels validations and applicable
 

Plus de Christian Heinrich

Plus de Christian Heinrich (10)

Maltego "Have I been pwned?"
Maltego "Have I been pwned?"Maltego "Have I been pwned?"
Maltego "Have I been pwned?"
 
Maltego Breach
Maltego BreachMaltego Breach
Maltego Breach
 
CVSS
CVSSCVSS
CVSS
 
tit
tittit
tit
 
ssh
sshssh
ssh
 
BSAMMBO
BSAMMBOBSAMMBO
BSAMMBO
 
BSIMM
BSIMMBSIMM
BSIMM
 
skipfish
skipfishskipfish
skipfish
 
OWASP Top Ten
OWASP Top TenOWASP Top Ten
OWASP Top Ten
 
Download Indexed Cache
Download Indexed CacheDownload Indexed Cache
Download Indexed Cache
 

Dernier

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 

Dernier (20)

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 

PA-DSS

  • 1. Payment Application - Don’t Secure Sh!t cmlh Shmoocon 2K10 - Firetalks Last Updated 28 February 2010
  • 2. cmlh Not QSA and/or PA-QSA i.e. End User therefore Unbiased. PCI-DSS • Energy Australia (.nsw.gov.au Critical Infrastructure) • “Should I Black Your PC I/Eyes Again?” Presentation to .nsw.gov.au • eWay (.au ASP Payment Gateway) • FOXTEL (.au Subscription Television) PA-DSS • OWASP AU 2009 Presentation with Darren Skidmore (FNIS)
  • 3. PA-DSS - History Payment Application Best Practice (PABP) from VISA PCI Security Standards Council Publications: • Accepted PABP v1.4 until 15 October 2008 • v1.1 - 15 April 2008 • v1.2 - 15 October 2008 Rumoured that PA-DSS is more through then PABP • No way to verify as PABP has ceased publication
  • 4. PA-DSS - Diff PCI-DSS PCI SCC list Validated Payment Application (VPA) • Not QSA like PCI-DSS PA-DSS Implementation Guide VISA are the only Card Brand mandating PA-DSS • Conformance by 1 July 2012
  • 5. Economics of INFOSEC Identify Political and/or Technical Deficiencies in: • PA-DSS • Including Dependencies on PCI DSS • PA-QSA Intend to audit specific Validated Payment Application (VPA) at a later date
  • 6. PA-QSA QSA -> PA-QSA CI$$P (ISC2) and/or CISA/CISM (ISACA) • ISC2 recently launched the C$$LP Security Researchers with these quals???
  • 7. Out of Scope Due to their PCI-DSS (lack of) effort • Single Implementation (Custom /dev Software) • Payment Gateway (ASP or SaaS) • Implementation (DB, OS, etc) Attack Surface of PCI DSS
  • 8. In Scope Payment Applications which process VISA only “Payment” Module within COTS is In Scope • Attack Surface of other “Modules”
  • 9. PCI DSS Dependency 1. Do not retain full magnetic stripe, card validation code or value (CAV2, CID, CVC2, CVV2), or PIN block data Attacks are similar to those of PCI DSS • Masked on Screen yet read /dev • Commodity Hardware
  • 10. PCI DSS Dependency 2. Protect stored cardholder data Attacks are similar to those of 3.4 of PCI DSS • No reference to Cryptographic Modes • Hence “Broken” Modes used e.g. ECB Root Cause “Applied Crypto” as “Reference”
  • 11. PA-DSS 5. Develop secure payment applications Cites OWASP “Guide” - WTF!!! • OWASP Top Ten 2007 -> 2010 RC1 • TANDEM, Mainframe and AS/400 based • www Server on LPAR MITRE CWE has > 700 Type of Vuln
  • 12. PCI DSS Dependency • 6. Protect wireless transmissions • WEP - WTF!!! • Joshua Wright on Not Broadcasting SSID • Contacted PCI DSS 1.0 • Implemented PCI DSS 1.2
  • 13. PA-DSS 7. Test payment applications to address vulnerabilities Root Cause is Maturity • Pen Test is Point in Time
  • 14. PCI DSS Dependency 10. Facilitate secure remote software updates Should be implemented but consider other vendors e.g. Evilgrade
  • 15. PCI DSS Dependency 12. Encrypt sensitive traffic over public networks 13. Encrypt all non-console administrative access Recent attacks against SSL not considered.
  • 16. Payment Specific There is no security advice specific to payment transaction types, i.e. Chargeback, etc
  • 17. Root Causes Elitism • Financial Security is “Smoke and Mirrors” • Compounded by Blowing Smoke up their (_o_)
  • 18. Root Causes “Hitting the Celling” due to: • CI$$P and CISA/CISM • Reading “Applied Cryptography”/etc only
  • 19. Conclusion christian.heinrich@cmlh.id.au Thanks • Kyle Osborn @kposborn for rego code • Don’t forget your RUXCON shirt • Bruce @gdead and Heidi Potter for late rego • @grecs for scheduling this firetalk • All other shmoocon staff

Notes de l'éditeur

  4. Diff from PCI DSS (.com) or PCI PTS (Hardware /dev) PA-DSS Implementation Guide (i.e. PCI DSS Conformance)
  6. <sarcasm>I mistakenly put $$ which does represent the not for profit agenda of ISC2</sarcasm>
  9. Commodity i.e. not restricted
  10. Cryptographic Modes are mentioned in “Applied Cryptography”
  12. Quotes from http://www.networkworld.com/chat/archive/2008/022608-josh-wright-wireless-security-chat.html Q. “Joshua, please let me know your thoughts on disabling broadcasting your router’s SSID. A. It’s a bad idea. I know the PCI specification requires you to do this, and I’ve told them they need to remove this requirement from the specification.”
  14. ARP Spoofing, DNS Cache Poisoning, DHCP Spoofing