PCI DSS Compliance for
Web Applications
Savan Gadhiya
#whoami – Savan Gadhiya
• Senior Security Consultant at NotSoSecure
• Hacker, Security Researcher, Developer and Bounty Hunter ☺
• 7 years of experience in Information Technology
• Master of Engineering in IT Systems and Network Security
/gadhiyasavan @gadhiyasavan
Agenda
• What is Compliance?
• List of Compliances
• Understand PCI DSS Compliance – Basic
• Applicability
• Overview
• Testing Procedure
• Storage Procedure
• Lifecycle Phase
• PCI DSS – Web application checklist
What is Compliance?
• Compliance means
• Conforming to a rule, such as a specification, policy, standard or law
• Widely used compliance standards and regulations:
• PCI DSS - Payment Card Industry Data Security Standard
• HIPAA - Health Insurance Portability and Accountability Act
• FISMA - Federal Information Security Management Act
• SOX - Sarbanes-Oxley Act
• GDPR - General Data Protection Regulation
PCI DSS
• PCI DSS - Payment Card Industry Data Security Standard
• A contractual requirement from the card brands for any business that stores, processes or transmits payment card data. Most online businesses today handle card data or other sensitive customer information, so it applies to the majority of them.
Version history (date – version):
• May 2018 – 3.2.1
• April 2016 – 3.2 (retired on 31st December 2018)
• April 2015 – 3.1
• November 2013 – 3.0
• October 2010 – 2.0
• July 2009 – 1.2.1
• October 2008 – 1.2
PCI DSS – Applicability
• PCI DSS applies to:
• All entities involved in payment card processing – including merchants, processors, acquirers, issuers and service providers
• That store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD)
• Examples: retail sites, online travel agencies, bill-pay portals for utilities and services, online wallet and bank transfer services, etc.
• Cardholder data (CHD):
• Primary Account Number (PAN)
• Cardholder name
• Expiration date
• Service code
• Note: the PAN is the defining element. Name, expiration date and service code only count as cardholder data when they are stored, processed or transmitted together with the PAN.
• Sensitive authentication data (SAD):
• Full track data – magnetic-stripe data or equivalent on a chip
• CAV2/CVC2/CVV2/CID
• PINs/PIN blocks
PCI DSS – Overview
(Overview figure of the standard's twelve requirements not reproduced; see reference.)
Reference: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
PCI DSS – Testing Procedure
• Compliance is checked on a sample of systems/devices
• The sample is selected by the assessor at the time of the audit, not by the assessed entity in advance
• Examine policies
• Examine supporting documentation
• Interview responsible personnel, etc.
PCI DSS – Storage Permission
(Data-storage table not reproduced. It shows that cardholder data elements may be stored, with the PAN rendered unreadable wherever it is stored (Requirement 3.4), while sensitive authentication data must never be stored after authorization, even if encrypted (Requirement 3.2).)
Reference: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
PCI DSS – Lifecycle Phase
Lifecycle phase | Tools and/or methods | PCI question examples
• Requirements gathering | Include security requirements | Do PANs need to be stored?
• Design and architecture | Perform risk analysis | Who needs access? Can individual user accounts be supported for access to databases?
• Development | Frameworks and approved libraries; code scanning and review | What encryption algorithms are approved? Are inputs validated?
• Testing | Application vulnerability scanners and penetration testing | Has all test data been removed? Is account access working properly?
• Deployment | Monitoring and audit | Are transactions logged? Is sensitive authentication data (SAD) eliminated after authorization?
Reference: https://searchsecurity.techtarget.com/tip/Applying-PCI-DSS-to-Web-application-security
PCI DSS – Web Application Checklist
• Default credentials (vendor-supplied accounts and passwords still in place)
• Firewall bypass (paths into the cardholder data environment that do not go through the defined firewall rules)
• Information leakage of cardholder data (logs, error pages, debug output, URLs)
• Cleartext transmission of cardholder data, credentials or other sensitive information
• Use of weak protocols or cipher suites, such as SSL and early TLS
• Verify that the PAN is rendered unreadable wherever it is stored (masking, truncation, one-way hashing or strong cryptography)
• Verify the restrictions on access to cardholder data
• Least amount of data: store only what the business needs
• Duration: a defined retention period, with data purged once it is exceeded
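As an added example that is not part of the original slides, the following Python script implements the checks behind the "information leakage" and "PAN rendered unreadable" items: a Luhn-filtered scan of log lines for PAN-shaped numbers, and the ways Requirements 3.3 and 3.4 allow a PAN to be rendered unreadable (masking for display, truncation, and a keyed one-way hash of the whole PAN). The log lines, the HMAC key and the function names are constructed for this example.

```python
import hashlib
import hmac
import re

# Constructed sample log lines (not from the original slides). Lines 1 and 2
# carry PANs (well-known test card numbers); line 3 carries a 16-digit order
# number that fails the Luhn check; line 4 is clean.
SAMPLE_LOG_LINES = [
    '2018-06-01T10:15:02Z INFO checkout ok card=4111111111111111 amount=42.00',
    '2018-06-01T10:15:03Z DEBUG gateway response {"pan":"5500 0000 0000 0004","cvv":"123"}',
    '2018-06-01T10:15:04Z INFO order=1234567890123456 status=shipped',
    '2018-06-01T10:15:05Z INFO session=abc123 user=alice',
]

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer digit run (the lookarounds anchor to the whole run).
PAN_CANDIDATE = re.compile(r'(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)')


def _digits_only(pan: str) -> str:
    return re.sub(r'[ -]', '', pan)


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check that every real PAN passes; filters out order IDs etc."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the Luhn-valid PAN-shaped numbers in text, separators removed."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _digits_only(m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def mask_pan(pan: str) -> str:
    """Req 3.3 masking for display: at most the first six and last four digits visible."""
    digits = _digits_only(pan)
    return digits[:6] + '*' * (len(digits) - 10) + digits[-4:]


def truncate_pan(pan: str) -> str:
    """Req 3.4 truncation for storage: keep only the last four digits."""
    return _digits_only(pan)[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Req 3.4 one-way hash of the entire PAN. Keyed (HMAC-SHA256) rather than a
    bare hash because a 16-digit PAN space is small enough to brute-force from an
    unkeyed digest; the key must be kept outside the database holding the hashes."""
    return hmac.new(key, _digits_only(pan).encode('ascii'), hashlib.sha256).hexdigest()


def redact_line(line: str) -> str:
    """Replace every Luhn-valid PAN in a log line with its masked form; other numbers stay."""
    def _mask(m):
        digits = _digits_only(m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_CANDIDATE.sub(_mask, line)


def scan_log(lines) -> list:
    """Return (line_number, [pans]) for every line that leaks a PAN. This is the
    'information leakage' check run over application logs, crash dumps and debug output."""
    findings = []
    for number, line in enumerate(lines, 1):
        pans = find_pans(line)
        if pans:
            findings.append((number, pans))
    return findings


if __name__ == '__main__':
    for number, pans in scan_log(SAMPLE_LOG_LINES):
        print(f'line {number} leaks PAN(s): {[mask_pan(p) for p in pans]}')
    for line in SAMPLE_LOG_LINES:
        print(redact_line(line))
```

Two caveats worth stating. The scanner is a detection aid for logs and crash dumps, not a substitute for the cardholder-data discovery a QSA expects across databases, backups and file shares. And the "cvv" value in the second sample line is sensitive authentication data: the fix there is not to mask it but to stop the gateway response from being logged at all, since SAD must not be retained after authorization.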
PCI DSS – Web Application Checklist
If support team/administrators use the web application to access cardholder data:
• Password complexity
• At least 7 characters, containing both numeric and alphabetic characters; change users' passwords at least once every 90 days; do not allow a new password that matches any of the last four passwords
• First-time and reset passwords are set to a unique value for each user and must be changed immediately after first use
• Remove or disable accounts that have been inactive for 90 days
• Unique identification of each user
• Lock the account after 6 invalid attempts; keep it locked for a minimum of 30 minutes or until an administrator re-enables the user ID
• Session expiration (re-authentication required) after 15 minutes of inactivity
• Authenticate users with at least one of
• Something you know, something you have, something you are
PCI DSS – Web Application Checklist
If support team/administrators use the web application to access cardholder data:
• Credentials rendered unreadable with strong cryptography during transmission and in storage
• Verify the user's identity before modifying any authentication credential, e.g. performing password resets, provisioning new tokens, generating new keys, etc.
• Multi-factor authentication for all remote network access into the cardholder data environment and, since v3.2, for all non-console administrative access to it
• Generic or shared user IDs should be disabled
Others:
• Log management (audit trails of access to cardholder data, protected from tampering and reviewed)
• Secure code review
• Application-layer (web application) firewall in front of public-facing web applications, or as the alternative Requirement 6.6 allows, an application vulnerability assessment at least annually and after any change
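The password, lockout and session rules in the two checklist slides above are concrete enough to encode directly. The Python below, added here and not taken from the original slides, implements them as a small reference policy with an injectable clock so that each rule (minimum length and character mix, last-four history, one-shot first-use password, six-attempt lockout for 30 minutes, 90-day expiry, 15-minute idle timeout) can be exercised deterministically. The PBKDF2 iteration count, the function names and the scenario values are assumptions of the example.

```python
import hashlib
import re
import secrets
from dataclasses import dataclass, field

# Limits from the checklist (PCI DSS 3.2.1 Requirement 8)
MIN_LENGTH = 7                          # 8.2.3: at least 7 characters
HISTORY_SIZE = 4                        # 8.2.5: no reuse of any of the last four passwords
MAX_FAILED_ATTEMPTS = 6                 # 8.1.6: lock out after six invalid attempts
LOCKOUT_SECONDS = 30 * 60               # 8.1.7: locked for at least 30 minutes
IDLE_TIMEOUT_SECONDS = 15 * 60          # 8.1.8: re-authenticate after 15 minutes idle
MAX_PASSWORD_AGE_SECONDS = 90 * 86400   # 8.2.4: change at least every 90 days
PBKDF2_ITERATIONS = 50_000              # assumption for the example; tune for your hardware


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so stored credentials are unreadable (8.2.1)."""
    return hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    user_id: str                                   # 8.1.1: unique per individual, never shared
    history: list = field(default_factory=list)    # (salt, digest) pairs, newest last
    password_set_at: float = 0.0
    failed_attempts: int = 0
    locked_until: float = 0.0
    must_change: bool = True                       # 8.2.6: first-use/reset passwords are one-shot


def check_password_policy(account: Account, candidate: str):
    if len(candidate) < MIN_LENGTH:
        return False, 'too short'
    if not (re.search(r'[A-Za-z]', candidate) and re.search(r'\d', candidate)):
        return False, 'must contain both letters and digits'
    for salt, digest in account.history:           # history holds the current + last 3
        if secrets.compare_digest(_hash(candidate, salt), digest):
            return False, 'matches one of the last %d passwords' % HISTORY_SIZE
    return True, 'ok'


def set_password(account: Account, new_password: str, now: float, first_use: bool = False):
    ok, reason = check_password_policy(account, new_password)
    if not ok:
        return False, reason
    salt = secrets.token_bytes(16)
    account.history.append((salt, _hash(new_password, salt)))
    del account.history[:-HISTORY_SIZE]            # keep only the last four
    account.password_set_at = now
    account.must_change = first_use
    return True, 'ok'


def create_account(user_id: str, initial_password: str, now: float) -> Account:
    """Provision with a per-user initial password that must be changed on first login."""
    account = Account(user_id=user_id)
    ok, reason = set_password(account, initial_password, now, first_use=True)
    if not ok:
        raise ValueError(reason)
    return account


def login(account: Account, password: str, now: float) -> str:
    """Returns 'locked', 'bad_password', 'change_required', 'password_expired' or 'ok'."""
    if now < account.locked_until:
        return 'locked'                            # no attempts counted while locked
    salt, digest = account.history[-1]
    if not secrets.compare_digest(_hash(password, salt), digest):
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.locked_until = now + LOCKOUT_SECONDS
            account.failed_attempts = 0
            return 'locked'
        return 'bad_password'
    account.failed_attempts = 0
    if account.must_change:
        return 'change_required'
    if now - account.password_set_at > MAX_PASSWORD_AGE_SECONDS:
        return 'password_expired'
    return 'ok'


def session_active(last_activity: float, now: float) -> bool:
    """Idle sessions past the 15-minute limit must re-authenticate."""
    return now - last_activity <= IDLE_TIMEOUT_SECONDS
```

The lockout counter is reset when the lock is applied, so a locked account that an administrator re-enables early (by clearing locked_until) starts again from zero; the rule only sets a minimum lock time, and an installation may choose a longer one. Whatever the policy engine, the point an assessor will test is that the limits are enforced server-side for every authentication path, including password reset and API logins, not only the interactive form.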
References
• https://www.pcisecuritystandards.org
• https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
• https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf
• https://www.visa-asia.com/ap/sa/merchants/riskmgmt/includes/uploads/PABP_v14.pdf
• https://www.pcicomplianceguide.org/web-application-security-how-do-you-know-which-solutions-will-work-best-for-your-business/
• https://searchsecurity.techtarget.com/tip/Applying-PCI-DSS-to-Web-application-security
Questions?
/gadhiyasavan @gadhiyasavan
