SlideShare une entreprise Scribd logo

PA-DSS

Télécharger en tant que KEY, PDF
Christian Heinrich
Christian Heinrich

Presented at the Firetalks held at Shmoocon 2010 Updated on 28 Feb 2010

TechnologieFormation
1  sur  19
Payment Application - Don’t Secure Sh!t cmlh Shmoocon 2K10 - Firetalks Last Updated 28 February 2010
cmlh Not QSA and/or PA-QSA i.e. End User therefore Unbiased. PCI-DSS • Energy Australia (.nsw.gov.au Critical Infrastructure) • “Should I Black Your PC I/Eyes Again?” Presentation to .nsw.gov.au • eWay (.au ASP Payment Gateway) • FOXTEL (.au Subscription Television) PA-DSS • OWASP AU 2009 Presentation with Darren Skidmore (FNIS)
PA-DSS - History Payment Application Best Practice (PABP) from VISA PCI Security Standards Council Publications: • Accepted PABP v1.4 until 15 October 2008 • v1.1 - 15 April 2008 • v1.2 - 15 October 2008 Rumoured that PA-DSS is more through then PABP • No way to verify as PABP has ceased publication
PA-DSS - Diff PCI-DSS PCI SCC list Validated Payment Application (VPA) • Not QSA like PCI-DSS PA-DSS Implementation Guide VISA are the only Card Brand mandating PA-DSS • Conformance by 1 July 2012
Economics of INFOSEC Identify Political and/or Technical Deficiencies in: • PA-DSS • Including Dependencies on PCI DSS • PA-QSA Intend to audit specific Validated Payment Application (VPA) at a later date
PA-QSA QSA -> PA-QSA CI$$P (ISC2) and/or CISA/CISM (ISACA) • ISC2 recently launched the C$$LP Security Researchers with these quals???
Out of Scope Due to their PCI-DSS (lack of) effort • Single Implementation (Custom /dev Software) • Payment Gateway (ASP or SaaS) • Implementation (DB, OS, etc) Attack Surface of PCI DSS
In Scope Payment Applications which process VISA only “Payment” Module within COTS is In Scope • Attack Surface of other “Modules”
PCI DSS Dependency 1. Do not retain full magnetic stripe, card validation code or value (CAV2, CID, CVC2, CVV2), or PIN block data Attacks are similar to those of PCI DSS • Masked on Screen yet read /dev • Commodity Hardware
PCI DSS Dependency 2. Protect stored cardholder data Attacks are similar to those of 3.4 of PCI DSS • No reference to Cryptographic Modes • Hence “Broken” Modes used e.g. ECB Root Cause “Applied Crypto” as “Reference”
PA-DSS 5. Develop secure payment applications Cites OWASP “Guide” - WTF!!! • OWASP Top Ten 2007 -> 2010 RC1 • TANDEM, Mainframe and AS/400 based • www Server on LPAR MITRE CWE has > 700 Type of Vuln
PCI DSS Dependency • 6. Protect wireless transmissions • WEP - WTF!!! • Joshua Wright on Not Broadcasting SSID • Contacted PCI DSS 1.0 • Implemented PCI DSS 1.2
PA-DSS 7. Test payment applications to address vulnerabilities Root Cause is Maturity • Pen Test is Point in Time
PCI DSS Dependency 10. Facilitate secure remote software updates Should be implemented but consider other vendors e.g. Evilgrade
PCI DSS Dependency 12. Encrypt sensitive traffic over public networks 13. Encrypt all non-console administrative access Recent attacks against SSL not considered.
Payment Specific There is no security advice specific to payment transaction types, i.e. Chargeback, etc
Root Causes Elitism • Financial Security is “Smoke and Mirrors” • Compounded by Blowing Smoke up their (_o_)
Root Causes “Hitting the Celling” due to: • CI$$P and CISA/CISM • Reading “Applied Cryptography”/etc only
Conclusion christian.heinrich@cmlh.id.au Thanks • Kyle Osborn @kposborn for rego code • Don’t forget your RUXCON shirt • Bruce @gdead and Heidi Potter for late rego • @grecs for scheduling this firetalk • All other shmoocon staff

Recommandé

Application security and pa dss certification
Application security and pa dss certificationApplication security and pa dss certification
Application security and pa dss certification
Alexander Polyakov
 
PCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to KnowPCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to Know
AlienVault
 
PCI-DSS_Overview
PCI-DSS_OverviewPCI-DSS_Overview
PCI-DSS_Overview
sameh Abulfotooh
 
PCI DSS 3.2
PCI DSS 3.2PCI DSS 3.2
PCI DSS 3.2
Kimberly Simon MBA
 
PCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as UsualPCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as Usual
Kimberly Simon MBA
 
PCI DSS v3.0: How to Adapt Your Compliance Strategy
PCI DSS v3.0: How to Adapt Your Compliance StrategyPCI DSS v3.0: How to Adapt Your Compliance Strategy
PCI DSS v3.0: How to Adapt Your Compliance Strategy
AlienVault
 
Pci dss-for-it-providers
Pci dss-for-it-providersPci dss-for-it-providers
Pci dss-for-it-providers
Calyptix Security
 
1. PCI Compliance Overview
1. PCI Compliance Overview1. PCI Compliance Overview
1. PCI Compliance Overview
okrantz
 

Recommandé

Application security and pa dss certification
Application security and pa dss certificationApplication security and pa dss certification
Application security and pa dss certification
Alexander Polyakov
 
PCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to KnowPCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to Know
AlienVault
 
PCI-DSS_Overview
PCI-DSS_OverviewPCI-DSS_Overview
PCI-DSS_Overview
sameh Abulfotooh
 
PCI DSS 3.2
PCI DSS 3.2PCI DSS 3.2
PCI DSS 3.2
Kimberly Simon MBA
 
PCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as UsualPCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as Usual
Kimberly Simon MBA
 
PCI DSS v3.0: How to Adapt Your Compliance Strategy
PCI DSS v3.0: How to Adapt Your Compliance StrategyPCI DSS v3.0: How to Adapt Your Compliance Strategy
PCI DSS v3.0: How to Adapt Your Compliance Strategy
AlienVault
 
Pci dss-for-it-providers
Pci dss-for-it-providersPci dss-for-it-providers
Pci dss-for-it-providers
Calyptix Security
 
1. PCI Compliance Overview
1. PCI Compliance Overview1. PCI Compliance Overview
1. PCI Compliance Overview
okrantz
 
Card Data Discovery and PCI DSS
Card Data Discovery and PCI DSSCard Data Discovery and PCI DSS
Card Data Discovery and PCI DSS
Kimberly Simon MBA
 
PCI DSS and PA DSS
PCI DSS and PA DSSPCI DSS and PA DSS
PCI DSS and PA DSS
Kimberly Simon MBA
 
Comsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar
Comsec PCI DSS v3 2 - Overview and Summary of Changes - WebinarComsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar
Comsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar
Ariel Ben-Harosh
 
PCI DSS Essential Guide
PCI DSS Essential GuidePCI DSS Essential Guide
PCI DSS Essential Guide
Kim Jensen
 
PCI DSS 3.0 – What You Need to Know
PCI DSS 3.0 – What You Need to KnowPCI DSS 3.0 – What You Need to Know
PCI DSS 3.0 – What You Need to Know
Terra Verde
 
Pci ssc quick reference guide
Pci ssc quick reference guidePci ssc quick reference guide
Pci ssc quick reference guide
Mohammad Makchudul Alam (Arif)
 
PCI DSS Compliance
PCI DSS CompliancePCI DSS Compliance
PCI DSS Compliance
Saumya Vishnoi
 
Pci standards, from participation to implementation and review
Pci standards, from participation to implementation and reviewPci standards, from participation to implementation and review
Pci standards, from participation to implementation and review
isc2-hellenic
 
Spirit of PCI DSS by Dr. Anton Chuvakin
Spirit of PCI DSS by Dr. Anton ChuvakinSpirit of PCI DSS by Dr. Anton Chuvakin
Spirit of PCI DSS by Dr. Anton Chuvakin
Anton Chuvakin
 
PCI DSS and PA DSS Compliance
PCI DSS and PA DSS CompliancePCI DSS and PA DSS Compliance
PCI DSS and PA DSS Compliance
Kimberly Simon MBA
 
PCI DSSand PA DSS
PCI DSSand PA DSSPCI DSSand PA DSS
PCI DSSand PA DSS
Kimberly Simon MBA
 
SFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA PerspectiveSFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA Perspective
Mark Akins
 
Introduction to PCI DSS
Introduction to PCI DSSIntroduction to PCI DSS
Introduction to PCI DSS
Saumya Vishnoi
 
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATIONPCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
himalya sharma
 
PCI DSS v3 - Protecting Cardholder data
PCI DSS v3 - Protecting Cardholder dataPCI DSS v3 - Protecting Cardholder data
PCI DSS v3 - Protecting Cardholder data
InMobi Technology
 
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECVendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Kimberly Simon MBA
 
Continual Compliance Monitoring
Continual Compliance MonitoringContinual Compliance Monitoring
Continual Compliance Monitoring
Kimberly Simon MBA
 
PCI DSS 2.0 Detailed Introduction
PCI DSS 2.0 Detailed IntroductionPCI DSS 2.0 Detailed Introduction
PCI DSS 2.0 Detailed Introduction
ControlCase
 
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATIONPCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
himalya sharma
 
PCI Compliance in the Cloud
PCI Compliance in the CloudPCI Compliance in the Cloud
PCI Compliance in the Cloud
Kimberly Simon MBA
 
PCI DSS: Update on the evolution of the standard. MasterCard WorldWide
PCI DSS: Update on the evolution of the standard. MasterCard WorldWidePCI DSS: Update on the evolution of the standard. MasterCard WorldWide
PCI DSS: Update on the evolution of the standard. MasterCard WorldWide
Internet Security Auditors
 
2016_07_22_can_you_protect_my_cc_data
2016_07_22_can_you_protect_my_cc_data2016_07_22_can_you_protect_my_cc_data
2016_07_22_can_you_protect_my_cc_data
Kelvin Medina, CISSP, PA-QSA, QSA, GCIH, CISA, ITIL
 

Contenu connexe

Tendances

Comsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar
Comsec PCI DSS v3 2 - Overview and Summary of Changes - WebinarComsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar
Comsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar
Ariel Ben-Harosh
 
Spirit of PCI DSS by Dr. Anton Chuvakin
Spirit of PCI DSS by Dr. Anton ChuvakinSpirit of PCI DSS by Dr. Anton Chuvakin
Spirit of PCI DSS by Dr. Anton Chuvakin
Anton Chuvakin
 
SFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA PerspectiveSFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA Perspective
Mark Akins
 

Tendances (20)

Card Data Discovery and PCI DSS
Card Data Discovery and PCI DSSCard Data Discovery and PCI DSS
Card Data Discovery and PCI DSS
 
PCI DSS and PA DSS
PCI DSS and PA DSSPCI DSS and PA DSS
PCI DSS and PA DSS
 
Comsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar
Comsec PCI DSS v3 2 - Overview and Summary of Changes - WebinarComsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar
Comsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar
 
PCI DSS Essential Guide
PCI DSS Essential GuidePCI DSS Essential Guide
PCI DSS Essential Guide
 
PCI DSS 3.0 – What You Need to Know
PCI DSS 3.0 – What You Need to KnowPCI DSS 3.0 – What You Need to Know
PCI DSS 3.0 – What You Need to Know
 
Pci ssc quick reference guide
Pci ssc quick reference guidePci ssc quick reference guide
Pci ssc quick reference guide
 
PCI DSS Compliance
PCI DSS CompliancePCI DSS Compliance
PCI DSS Compliance
 
Pci standards, from participation to implementation and review
Pci standards, from participation to implementation and reviewPci standards, from participation to implementation and review
Pci standards, from participation to implementation and review
 
Spirit of PCI DSS by Dr. Anton Chuvakin
Spirit of PCI DSS by Dr. Anton ChuvakinSpirit of PCI DSS by Dr. Anton Chuvakin
Spirit of PCI DSS by Dr. Anton Chuvakin
 
PCI DSS and PA DSS Compliance
PCI DSS and PA DSS CompliancePCI DSS and PA DSS Compliance
PCI DSS and PA DSS Compliance
 
PCI DSSand PA DSS
PCI DSSand PA DSSPCI DSSand PA DSS
PCI DSSand PA DSS
 
SFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA PerspectiveSFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA Perspective
 
Introduction to PCI DSS
Introduction to PCI DSSIntroduction to PCI DSS
Introduction to PCI DSS
 
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATIONPCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
 
PCI DSS v3 - Protecting Cardholder data
PCI DSS v3 - Protecting Cardholder dataPCI DSS v3 - Protecting Cardholder data
PCI DSS v3 - Protecting Cardholder data
 
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECVendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
 
Continual Compliance Monitoring
Continual Compliance MonitoringContinual Compliance Monitoring
Continual Compliance Monitoring
 
PCI DSS 2.0 Detailed Introduction
PCI DSS 2.0 Detailed IntroductionPCI DSS 2.0 Detailed Introduction
PCI DSS 2.0 Detailed Introduction
 
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATIONPCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
 
PCI Compliance in the Cloud
PCI Compliance in the CloudPCI Compliance in the Cloud
PCI Compliance in the Cloud
 

Similaire à PA-DSS

2016_07_22_can_you_protect_my_cc_data
2016_07_22_can_you_protect_my_cc_data2016_07_22_can_you_protect_my_cc_data
2016_07_22_can_you_protect_my_cc_data
Kelvin Medina, CISSP, PA-QSA, QSA, GCIH, CISA, ITIL
 
PCI Descoping: How to Reduce Controls and Streamline Compliance
PCI Descoping: How to Reduce Controls and Streamline CompliancePCI Descoping: How to Reduce Controls and Streamline Compliance
PCI Descoping: How to Reduce Controls and Streamline Compliance
TokenEx
 
PCIDSS compliance made easier through a collaboration between NC State and UN...
PCIDSS compliance made easier through a collaboration between NC State and UN...PCIDSS compliance made easier through a collaboration between NC State and UN...
PCIDSS compliance made easier through a collaboration between NC State and UN...
John Baines
 
Customer Case Study: Achieving PCI Compliance in AWS
Customer Case Study: Achieving PCI Compliance in AWSCustomer Case Study: Achieving PCI Compliance in AWS
Customer Case Study: Achieving PCI Compliance in AWS
Amazon Web Services
 
pci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdf
pci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdfpci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdf
pci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdf
ssuserbcc088
 
An Introduction to PCI Compliance on IBM Power Systems
An Introduction to PCI Compliance on IBM Power SystemsAn Introduction to PCI Compliance on IBM Power Systems
An Introduction to PCI Compliance on IBM Power Systems
HelpSystems
 
Educause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptxEducause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptx
gealehegn
 

Similaire à PA-DSS (20)

PCI DSS: Update on the evolution of the standard. MasterCard WorldWide
PCI DSS: Update on the evolution of the standard. MasterCard WorldWidePCI DSS: Update on the evolution of the standard. MasterCard WorldWide
PCI DSS: Update on the evolution of the standard. MasterCard WorldWide
 
2016_07_22_can_you_protect_my_cc_data
2016_07_22_can_you_protect_my_cc_data2016_07_22_can_you_protect_my_cc_data
2016_07_22_can_you_protect_my_cc_data
 
Payment System Risk. Visa
Payment System Risk. VisaPayment System Risk. Visa
Payment System Risk. Visa
 
PCI DSS Certification
PCI DSS CertificationPCI DSS Certification
PCI DSS Certification
 
PCI Descoping: How to Reduce Controls and Streamline Compliance
PCI Descoping: How to Reduce Controls and Streamline CompliancePCI Descoping: How to Reduce Controls and Streamline Compliance
PCI Descoping: How to Reduce Controls and Streamline Compliance
 
PruebaJLF.pptx
PruebaJLF.pptxPruebaJLF.pptx
PruebaJLF.pptx
 
Building Up Network Security: An Introduction
Building Up Network Security: An Introduction Building Up Network Security: An Introduction
Building Up Network Security: An Introduction
 
PCI DSS
PCI DSSPCI DSS
PCI DSS
 
PCIDSS compliance made easier through a collaboration between NC State and UN...
PCIDSS compliance made easier through a collaboration between NC State and UN...PCIDSS compliance made easier through a collaboration between NC State and UN...
PCIDSS compliance made easier through a collaboration between NC State and UN...
 
Customer Case Study: Achieving PCI Compliance in AWS
Customer Case Study: Achieving PCI Compliance in AWSCustomer Case Study: Achieving PCI Compliance in AWS
Customer Case Study: Achieving PCI Compliance in AWS
 
pci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdf
pci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdfpci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdf
pci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdf
 
Adventures in PCI Wonderland
Adventures in PCI WonderlandAdventures in PCI Wonderland
Adventures in PCI Wonderland
 
An Introduction to PCI Compliance on IBM Power Systems
An Introduction to PCI Compliance on IBM Power SystemsAn Introduction to PCI Compliance on IBM Power Systems
An Introduction to PCI Compliance on IBM Power Systems
 
PCI DSS Scoping and Applicability
PCI DSS Scoping and ApplicabilityPCI DSS Scoping and Applicability
PCI DSS Scoping and Applicability
 
Pci multitenancy exalogic at AMIS25
Pci multitenancy exalogic at AMIS25Pci multitenancy exalogic at AMIS25
Pci multitenancy exalogic at AMIS25
 
Educause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptxEducause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptx
 
Navigating the PCI Self-Assessment questionaire
Navigating the PCI Self-Assessment questionaireNavigating the PCI Self-Assessment questionaire
Navigating the PCI Self-Assessment questionaire
 
Reaching PCI Nirvana: Ensure a Successful Audit & Maintain Continuous Compliance
Reaching PCI Nirvana: Ensure a Successful Audit & Maintain Continuous ComplianceReaching PCI Nirvana: Ensure a Successful Audit & Maintain Continuous Compliance
Reaching PCI Nirvana: Ensure a Successful Audit & Maintain Continuous Compliance
 
Technology Overview - Validation & ID Protection (VIP)
Technology Overview - Validation & ID Protection (VIP)Technology Overview - Validation & ID Protection (VIP)
Technology Overview - Validation & ID Protection (VIP)
 
Webinar - PCI DSS Merchant Levels validations and applicable
Webinar - PCI DSS Merchant Levels validations and applicableWebinar - PCI DSS Merchant Levels validations and applicable
Webinar - PCI DSS Merchant Levels validations and applicable
 

Plus de Christian Heinrich

Plus de Christian Heinrich (10)

Maltego "Have I been pwned?"
Maltego "Have I been pwned?"Maltego "Have I been pwned?"
Maltego "Have I been pwned?"
 
Maltego Breach
Maltego BreachMaltego Breach
Maltego Breach
 
CVSS
CVSSCVSS
CVSS
 
tit
tittit
tit
 
ssh
sshssh
ssh
 
BSAMMBO
BSAMMBOBSAMMBO
BSAMMBO
 
BSIMM
BSIMMBSIMM
BSIMM
 
skipfish
skipfishskipfish
skipfish
 
OWASP Top Ten
OWASP Top TenOWASP Top Ten
OWASP Top Ten
 
Download Indexed Cache
Download Indexed CacheDownload Indexed Cache
Download Indexed Cache
 

Dernier

The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
Malak Abu Hammad
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
Puma Security, LLC
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 

Dernier (20)

Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 

PA-DSS

  • 1. Payment Application - Don’t Secure Sh!t cmlh Shmoocon 2K10 - Firetalks Last Updated 28 February 2010
  • 2. cmlh Not QSA and/or PA-QSA i.e. End User therefore Unbiased. PCI-DSS • Energy Australia (.nsw.gov.au Critical Infrastructure) • “Should I Black Your PC I/Eyes Again?” Presentation to .nsw.gov.au • eWay (.au ASP Payment Gateway) • FOXTEL (.au Subscription Television) PA-DSS • OWASP AU 2009 Presentation with Darren Skidmore (FNIS)
  • 3. PA-DSS - History Payment Application Best Practice (PABP) from VISA PCI Security Standards Council Publications: • Accepted PABP v1.4 until 15 October 2008 • v1.1 - 15 April 2008 • v1.2 - 15 October 2008 Rumoured that PA-DSS is more through then PABP • No way to verify as PABP has ceased publication
  • 4. PA-DSS - Diff PCI-DSS PCI SCC list Validated Payment Application (VPA) • Not QSA like PCI-DSS PA-DSS Implementation Guide VISA are the only Card Brand mandating PA-DSS • Conformance by 1 July 2012
  • 5. Economics of INFOSEC Identify Political and/or Technical Deficiencies in: • PA-DSS • Including Dependencies on PCI DSS • PA-QSA Intend to audit specific Validated Payment Application (VPA) at a later date
  • 6. PA-QSA QSA -> PA-QSA CI$$P (ISC2) and/or CISA/CISM (ISACA) • ISC2 recently launched the C$$LP Security Researchers with these quals???
  • 7. Out of Scope Due to their PCI-DSS (lack of) effort • Single Implementation (Custom /dev Software) • Payment Gateway (ASP or SaaS) • Implementation (DB, OS, etc) Attack Surface of PCI DSS
  • 8. In Scope Payment Applications which process VISA only “Payment” Module within COTS is In Scope • Attack Surface of other “Modules”
  • 9. PCI DSS Dependency 1. Do not retain full magnetic stripe, card validation code or value (CAV2, CID, CVC2, CVV2), or PIN block data Attacks are similar to those of PCI DSS • Masked on Screen yet read /dev • Commodity Hardware
  • 10. PCI DSS Dependency 2. Protect stored cardholder data Attacks are similar to those of 3.4 of PCI DSS • No reference to Cryptographic Modes • Hence “Broken” Modes used e.g. ECB Root Cause “Applied Crypto” as “Reference”
  • 11. PA-DSS 5. Develop secure payment applications Cites OWASP “Guide” - WTF!!! • OWASP Top Ten 2007 -> 2010 RC1 • TANDEM, Mainframe and AS/400 based • www Server on LPAR MITRE CWE has > 700 Type of Vuln
  • 12. PCI DSS Dependency • 6. Protect wireless transmissions • WEP - WTF!!! • Joshua Wright on Not Broadcasting SSID • Contacted PCI DSS 1.0 • Implemented PCI DSS 1.2
  • 13. PA-DSS 7. Test payment applications to address vulnerabilities Root Cause is Maturity • Pen Test is Point in Time
  • 14. PCI DSS Dependency 10. Facilitate secure remote software updates Should be implemented but consider other vendors e.g. Evilgrade
  • 15. PCI DSS Dependency 12. Encrypt sensitive traffic over public networks 13. Encrypt all non-console administrative access Recent attacks against SSL not considered.
  • 16. Payment Specific There is no security advice specific to payment transaction types, i.e. Chargeback, etc
  • 17. Root Causes Elitism • Financial Security is “Smoke and Mirrors” • Compounded by Blowing Smoke up their (_o_)
  • 18. Root Causes “Hitting the Celling” due to: • CI$$P and CISA/CISM • Reading “Applied Cryptography”/etc only
  • 19. Conclusion christian.heinrich@cmlh.id.au Thanks • Kyle Osborn @kposborn for rego code • Don’t forget your RUXCON shirt • Bruce @gdead and Heidi Potter for late rego • @grecs for scheduling this firetalk • All other shmoocon staff

Notes de l'éditeur

  4. Diff from PCI DSS (.com) or PCI PTS (Hardware /dev) PA-DSS Implementation Guide (i.e. PCI DSS Conformance)
  6. <sarcasm>I mistakenly put $$ which does represent the not for profit agenda of ISC2</sarcasm>
  9. Commodity i.e. not restricted
  10. Cryptographic Modes are mentioned in “Applied Cryptography”
  12. Quotes from http://www.networkworld.com/chat/archive/2008/022608-josh-wright-wireless-security-chat.html Q. “Joshua, please let me know your thoughts on disabling broadcasting your router’s SSID. A. It’s a bad idea. I know the PCI specification requires you to do this, and I’ve told them they need to remove this requirement from the specification.”
  14. ARP Spoofing, DNS Cache Poisoning, DHCP Spoofing