This presentation includes basics of PCI DSS compliance.
Presented at Null Ahmedabad Meet: https://www.null.co.in/events/485-ahmedabad-null-ahmedabad-meet-16-september-2018-monthly-meet
Join upcoming Null Ahmedabad events:
https://www.null.co.in/chapters/17-ahmedabad
2. #whoami Savan Gadhiya
Senior Security Consultant at NotSoSecure
Hacker, Security Researcher, Developer and Bounty Hunter
7 years of experience in Information Technology
Master of Engineering in IT Systems and Network Security
/gadhiyasavan @gadhiyasavan
3. Agenda
What is Compliance?
List of Compliances
Understand PCI DSS Compliance Basics
Applicability
Overview
Testing Procedure
Storage Procedure
Lifecycle Phase
PCI DSS Web application checklist
4. What is Compliance?
Compliance means conforming to a rule, such as a specification, policy, standard or law
List of widely used Compliances:
PCI DSS - Payment Card Industry Data Security Standard
HIPAA - Health Insurance Portability and Accountability Act
FISMA - Federal Information Security Management Act
SOX - Sarbanes-Oxley Act
GDPR - General Data Protection Regulation
5. PCI DSS
PCI DSS - Payment Card Industry Data Security Standard
A requirement for the majority of businesses today, as most handle or interact with credit card data and other sensitive customer information.
Version history:
Version | Date
3.2.1 | May 2018
3.2 | April 2016 (retires on 31st December 2018)
3.1 | April 2015
3.0 | November 2013
2.0 | October 2010
1.2.1 | July 2009
1.2 | October 2008
6. PCI DSS Applicability
PCI DSS applies to:
All entities involved in payment card processing, including merchants, processors, acquirers, issuers and service providers
Any entity that stores, processes or transmits cardholder data and/or sensitive authentication data
Examples: retail sites, online travel agencies, bill-pay portals for utilities and services, online wallet and bank transfer services, etc.
Cardholder data:
Primary Account Number (PAN)
Cardholder Name
Expiration Date
Service Code
Sensitive authentication data (SAD):
Full track data (magnetic-stripe data or the equivalent on a chip)
CAV2/CVC2/CVV2/CID
PINs/PIN blocks
8. PCI DSS Testing Procedure
Compliance check on sample systems/devices, selected randomly at the time of audit
Examine policies
Examine the supporting documentation
Interview responsible personnel etc.
10. PCI DSS Lifecycle Phase
Lifecycle Phase | Tools and/or Methods | PCI Question Examples
Requirements gathering | Include security requirements | Do PANs need to be stored?
Design and architecture | Perform risk analysis | Who needs access? Can individual user accounts be supported for access to databases?
Development | Frameworks and approved libraries | What encryption algorithms are approved?
Development | Code scanning and review | Are inputs validated?
Testing | Application vulnerability scanners and penetration testing | All test data removed? Is account access working properly?
Deployment | Monitoring and audit | Are transcripts logged? Is sensitive authentication data (SAD) eliminated after authorization?
Reference: https://searchsecurity.techtarget.com/tip/Applying-PCI-DSS-to-Web-application-security
11. PCI DSS Web Application Checklist
Default credentials
Firewall bypass
Information leakage of cardholder data
Cleartext transmission of cardholder data/credentials/sensitive information
Usage of weak cipher suites such as SSL/early TLS
Verify that PAN is rendered unreadable or secured with strong cryptography
Verify the restrictions on access to cardholder data:
Least amount of data
Retention duration
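As an added illustration of the cardholder-data items in this checklist (example code written for this page, not material from the talk), the Python below finds candidate PANs in constructed sample log lines with a Luhn check and masks them to first six/last four, redacts sensitive authentication data by field name, and refuses to persist a post-authorization record that still carries SAD. The log lines, the field names and the `prepare_for_storage` function are assumptions made for the example; the value beginning 4111 is a widely used test PAN, not a real card.

```python
import re

# Constructed sample log lines for the example. The 16-digit value on the first
# line is a well-known test PAN; the one on the third line fails the Luhn check
# and must be left untouched (it is just a trace id).
SAMPLE_LOGS = [
    "2018-09-16 10:01:02 INFO order=1842 pan=4111111111111111 exp=12/20",
    "2018-09-16 10:01:03 DEBUG cvv=123 pin_block=ABCD1234",
    "2018-09-16 10:01:04 INFO trace-id=1234567890123456 status=ok",
]

# Candidate PANs are 13 to 19 digit runs; Luhn filtering removes most false positives.
PAN_CANDIDATE = re.compile(r"\b\d{13,19}\b")
# Sensitive authentication data fields, matched by key name (assumed naming convention).
SAD_FIELD = re.compile(r"\b(cvv2?|cvc2|cav2|cid|pin(?:_block)?|track[12]?)=(\S+)", re.IGNORECASE)
SAD_KEYS = {"cvv2", "cvc2", "cav2", "cid", "pin", "pin_block", "track1", "track2", "full_track"}


def luhn_ok(digits: str) -> bool:
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (PCI DSS 3.2.1 req. 3.3)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scrub_log(line: str) -> str:
    """Mask Luhn-valid PANs and redact SAD values before a line reaches log storage."""
    line = PAN_CANDIDATE.sub(
        lambda m: mask_pan(m.group()) if luhn_ok(m.group()) else m.group(), line)
    return SAD_FIELD.sub(lambda m: f"{m.group(1)}=[REDACTED]", line)


def prepare_for_storage(auth_record: dict) -> dict:
    """Build the record that may be persisted once authorization has completed.

    SAD must not be stored after authorization (req. 3.2), so its presence is a
    hard error rather than something silently dropped. The PAN is truncated to
    first six/last four, one of the methods req. 3.4 accepts for making it unreadable.
    """
    sad_present = sorted(k for k in auth_record if k.lower() in SAD_KEYS)
    if sad_present:
        raise ValueError(f"SAD present in post-authorization record: {sad_present}")
    stored = dict(auth_record)
    if "pan" in stored:
        stored["pan"] = mask_pan(stored["pan"])
    return stored


if __name__ == "__main__":
    for raw in SAMPLE_LOGS:
        print(scrub_log(raw))
    print(prepare_for_storage({"pan": "4111111111111111", "exp": "12/20", "name": "TEST CARD"}))
```

The digit-run pattern is deliberately broad and the Luhn check is what keeps it useful; a production scrubber would also handle PANs split by spaces or dashes and run on the logging pipeline itself rather than on stored files.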
12. PCI DSS Web Application Checklist
If the support team/administrators use cardholder data through the web application:
Password complexity
At least 7 characters, containing both numeric and alphabetic characters; change user passwords at least once every 90 days; do not allow reuse of any of the last four passwords
Set first-time and reset passwords to a unique value for each user and require an immediate change after first use
Remove inactive accounts within 90 days
Unique identification of users
Lock the account after 6 invalid attempts; set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID
Session expiration after 15 minutes of inactivity
Authenticate users
Something you know, something you have, something you are
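As an added example of how the account rules on this slide fit together in application code (written for this page, not taken from the talk or from any product), the Python below keeps one user ID per person with salted PBKDF2 password hashes, enforces the 7-character alphanumeric rule, the last-four history, the 90-day rotation, the 6-attempt/30-minute lockout with administrator unlock, the 15-minute idle timeout and the 90-day inactive-account check. The class name, method names, the `change-password` return value and the PBKDF2 round count are assumptions made for the example.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

# Policy values from the slide (PCI DSS 3.2.1 requirement 8).
MIN_LENGTH = 7
MAX_PASSWORD_AGE = timedelta(days=90)
PASSWORD_HISTORY = 4
MAX_FAILED_ATTEMPTS = 6
LOCKOUT_DURATION = timedelta(minutes=30)
IDLE_TIMEOUT = timedelta(minutes=15)
INACTIVE_ACCOUNT_LIMIT = timedelta(days=90)
PBKDF2_ROUNDS = 100_000  # assumed for the example; tune for the production hardware


def hash_password(password: str) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the 16-byte salt is stored in front of the digest."""
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def password_policy_violations(candidate: str, history: list) -> list:
    """Return the rules the candidate breaks; an empty list means it is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than 7 characters")
    if not (any(c.isdigit() for c in candidate) and any(c.isalpha() for c in candidate)):
        problems.append("must contain both numeric and alphabetic characters")
    if any(verify_password(candidate, h) for h in history[-PASSWORD_HISTORY:]):
        problems.append("matches one of the last four passwords")
    return problems


class Account:
    """One user ID with the lockout, rotation, idle-timeout and history rules applied."""

    def __init__(self, user_id: str, initial_password: str, now: datetime):
        self.user_id = user_id                    # unique per person, never shared
        self.history = [hash_password(initial_password)]
        self.password_set_at = now
        self.must_change = True                   # first-use/reset value: change at first login
        self.failed_attempts = 0
        self.locked_until = None
        self.last_activity = now

    def login(self, password: str, now: datetime) -> str:
        if self.locked_until is not None:
            if now < self.locked_until:
                return "locked"
            self.locked_until, self.failed_attempts = None, 0   # lockout period has elapsed
        if not verify_password(password, self.history[-1]):
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
                self.locked_until = now + LOCKOUT_DURATION
                return "locked"
            return "invalid"
        self.failed_attempts = 0
        self.last_activity = now
        if self.must_change or now - self.password_set_at > MAX_PASSWORD_AGE:
            return "change-password"
        return "ok"

    def change_password(self, new_password: str, now: datetime) -> list:
        problems = password_policy_violations(new_password, self.history)
        if problems:
            return problems
        self.history = (self.history + [hash_password(new_password)])[-PASSWORD_HISTORY:]
        self.password_set_at = now
        self.must_change = False
        return []

    def admin_unlock(self) -> None:
        self.locked_until, self.failed_attempts = None, 0

    def session_active(self, now: datetime) -> bool:
        # A request handler would refresh last_activity after this returns True.
        return now - self.last_activity <= IDLE_TIMEOUT

    def is_inactive(self, now: datetime) -> bool:
        return now - self.last_activity > INACTIVE_ACCOUNT_LIMIT


if __name__ == "__main__":
    t0 = datetime(2018, 9, 16, 10, 0)
    acct = Account("support01", "Temp1234", t0)
    print(acct.login("Temp1234", t0))                     # change-password (first use)
    print(acct.change_password("Newpass42", t0))          # [] (accepted)
    print(acct.login("Newpass42", t0 + timedelta(days=91)))  # change-password (older than 90 days)
```

The time is passed in explicitly so the lockout window, idle timeout and 90-day checks can be exercised deterministically; the same object model maps directly onto a users table with the hash, set-at, failed-attempt and locked-until columns.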
13. PCI DSS Web Application Checklist
If the support team/administrators use cardholder data through the web application:
Render credentials unreadable (encrypted) during transmission and storage
Verify the user's identity before modifying any authentication credentials, e.g. performing password resets, provisioning new tokens, generating new keys, etc.
Two-factor authentication for remote access to the Cardholder Data Environment
Generic or shared user IDs should be disabled
Others:
Logging management
Secure Code Review
Application-layer firewall in front of web-facing applications