
Is there a penetration testing within PCI DSS certification? (Dmytro Diordiychuk)

Is there a penetration testing within PCI DSS certification? Main misconceptions, traits, and requirements.


  1. Is there a penetration testing within PCI DSS certification? Main misconceptions, traits, and requirements - Dmytro Diordiichuk, OSCP, CRPT, WPTX, CEH O_o - Advantio - OWASP Kyiv
  2. Agenda - What is PCI DSS? - PCI DSS players - Penetration testing requirements - Myths & misconceptions
  3. What is PCI DSS?
  4. [PCI DSS] Payment Card Industry
  5. [PCI DSS] Data Security Standard
  6. [PCI SSC] Security Standards Council
  7. PCI + DSS 1.0
  8. History • PCI DSS 1.0 - 2004 • PCI DSS 1.1 - 2006 (SSC) • PCI DSS 1.2 - 2008 • PCI DSS 1.2.1 - 2009 • PCI DSS 2.0 - 2010 • PCI DSS 3.0 - 2013 • PCI DSS 3.1 - 2015 • PCI DSS 3.2 - 2016 • PCI DSS 3.2.1 - 2018 • PCI DSS 4.0 - soon
  9. Subject of protection
  10. Cardholder and payment data: availability, integrity, confidentiality
  11. Game players
  12. Any company that processes, stores or transmits cardholder data
  13. Cardholder - Merchants - Payment Processor - Acquirer - Card Brand - Issuer
  14. 12 requirements, +100500 security controls
  15. [QSA] Qualified Security Assessor (not "Auditor")
  16. PT requirements
  17. PT requirements - Requirement 11.3: PT methodology based on best practices - Requirement 11.3.1: External PT - Requirement 11.3.2: Internal PT - Requirement 11.3.3: Found vulnerabilities were corrected - Requirement 11.3.4: Segmentation testing annually - Requirement 11.3.4.1: Segmentation testing every 6 months (only for service providers)
  18. So, is it PT or not?
  19. Yes, with minor changes
  20. PCI DSS Penetration Testing Guidance [2015] - Scoping and layers of testing (app + infra) - Segmentation checks - Social engineering - Pentester qualification - Post-engagement phase - Report requirements
  21. Focus of PCI DSS PT - Scope and environment - Total white-listing: it's not black-box testing - Periodicity - PASS / FAIL statuses - Remediation check - Tester experience - Segmentation testing
  22. Example: req 6.5.7 -> Cross-site scripting (XSS)
  23. [Segmentation Testing] PCI DSS scoping categories - Level 1: Cardholder Data Environment - Level 2: Connected-to and/or security-impacting systems - Level 3: Out-of-scope systems
  24. Myths & misconceptions
  25. 1 // I can do it myself
  26. Can you? Think twice
  27. 2 // It's vulnerability scanning
  28. No, vulnerability scanning is req 11.2
  29. 3 // I'm not gonna give you access
  30. You should give access and support your PT team
  31. 4 // It's just for compliance. Let's buy a cheaper service
  32. You have to understand that a cheaper service means lower quality, which puts your compliance status at risk
  33. 5 // ???
  34. QSA Q&A
