Download as PDF, PPTX
Uploaded byApigee | Google Cloud
Does your API need to be PCI Compliant?
The document discusses whether APIs need to be PCI compliant, explaining that PCI compliance concerns the proper handling of credit card information and includes specific security requirements defined by the Payment Card Industry. It highlights the role of Apigee in enabling PCI compliance through process and technology but emphasizes that no software tool alone can confer compliance. Key objectives for PCI compliance include securing networks, protecting cardholder data, and maintaining an information security policy.
More Related Content
Similar to Does your API need to be PCI Compliant?
![Log Management for PCI Compliance [OLD]](https://cdn.slidesharecdn.com/ss_thumbnails/pcicomplianceforinsecureanton-091218015854-phpapp02-thumbnail.jpg?width=640&height=640&fit=bounds)
Does your API need to be PCI Compliant?
- 1. Does Your API Need to be PCI Compliant? Rapid API Workshop Brian Pagano @brianpagano Sco7 Metzger @sco7metzger
- 2. @brianpagano @sco7metzger
- 3. Rapid API WorkshopWebinar Series Mapping out your API Strategy Pragma?c REST: API Design Fu 10 Pa7erns of Successful API Programs API Metrics – What to Measure? API Technology & Opera?ons Your API Sucks! Today: Does Your API Need to be PCI Compliant? Next: Launching Your API and A7rac?ng Developers
- 4. We Will Cover • Facts & Common Myths about PCI Compliance • What does it mean to be PCI compliant when transac?ng via APIs? • How can Apigee enable you to be PCI compliant?
- 5. PCI Fundamentals What is it? • The Payment Card Industry specifica?on is produced by a consor?um consis?ng of Visa, MasterCard, JCB, American Express, and Discover. • It describes the proper handling of credit card informa?on (during transac?ons and at rest).
- 6. PCI Fundamentals What is it? • Council originally formed in 2006. • DSS (Data Security Standards) define 12 requirements for compliance.
- 7. PCI Fundamentals What it isn’t? • It is not an enforcement or policing organiza?on.
- 8. PCI Fundamentals Then what does it do? • The intent is to prevent merchants from having to write to mul?ple, proprietary standards. • Gives consumers confidence. • Useful for audits.
- 9. PCI Fundamentals • So who should care about PCI?
- 10. Main PCI Control Objec?ves • Build and maintain a secure network • Protect cardholder data • Maintain a vulnerability management program • Implement strong access control measures • Regularly monitor and test networks • Maintain an informa?on security policy
- 11. PCI Control Objec?ves Build and maintain a secure network • Install and maintain a firewall • Do not use any default passwords
- 12. PCI Control Objec?ves Protect Cardholder Data • Protect stored data • Encrypt transmission of data
- 13. PCI Control Objec?ves Maintain a vulnerability management program • Update an?-‐virus • Develop secure applica?ons and systems
- 14. PCI Control Objec?ves Implement strong access control measures • Need-‐to-‐know access to cardholder data • System access only via unique IDs • Physical access controls
- 15. PCI Control Objec?ves Regularly monitor and test networks • Monitor network access • Test systems, test processes
- 16. PCI Control Objec?ves Maintain an informa?on security policy
- 17. What does it mean to be PCI Compliant? • A company must have an audit performed • By a third party audi?ng firm • From the Visa/Mastercard approved auditor list, • Which checks that the correct processes and technologies are in place.
- 18. PCI Compliance Does my API need to be PCI compliant?
- 19. PCI Compliance Can a sofware tool make me PCI compliant? • No.
- 20. PCI & Apigee So, PCI is a specifica?on for (a) processes and (b) security measures to protect cardholder informa?on. • Apigee can help with the process. • Apigee can help with the technology.
- 21. PCI & Apigee: Process • The Apigee gateway provides a central loca?on for logging, policies, and security. • The gateway can perform data masking to log transac?ons without storing any sensi?ve informa?on. Also, feeds into log aggregators. • This centraliza?on helps with audi?ng and a7esta?ons.
- 22. PCI & Apigee: Technology • The Apigee gateway contributes to defense in depth, protects backend systems, and strengthens network security. • Apigee provides a hosted solu?on that enables PCI compliance. • No product will make someone PCI compliant! • Apigee enables and contributes to compliance.
- 23. Rapid API WorkshopWebinar Series Mapping out your API Strategy Pragma?c REST: API Design Fu 10 Pa7erns in Successful API Programs Today: API Metrics – What to Measure? API Technology & Opera?ons Your API Sucks! Does Your API Need to be PCI Compliant? Next: Launching Your API and ADracEng Developers
- 24. THANKS! Send ques)ons, examples, and ideas to @apigee Brian Pagano Sco7 Metzger bpagano@apigee.com smetzger@apigee.com @brianpagano @sco7metzger