Does your API need to be PCI Compliant?

Does Your API Need to be PCI Compliant? Rapid API Workshop Brian Pagano @brianpagano Sco7 Metzger @sco7metzger

@brianpagano @sco7metzger

Rapid API Workshop Webinar SeriesMapping out your API Strategy Pragma?c REST: API Design Fu 10 Pa7erns of Successful API Programs API Metrics – What to Measure? API Technology & Opera?ons Your API Sucks! Today: Does Your API Need to be PCI Compliant? Next: Launching Your API and A7rac?ng Developers

We Will Cover •  Facts & Common Myths about PCI Compliance •  What does it mean to be PCI compliant when transac?ng via APIs? •  How can Apigee enable you to be PCI compliant?

PCI Fundamentals What is it? •  The Payment Card Industry speciﬁca?on is produced by a consor?um consis?ng of Visa, MasterCard, JCB, American Express, and Discover. •  It describes the proper handling of credit card informa?on (during transac?ons and at rest).

PCI Fundamentals What is it? •  Council originally formed in 2006. •  DSS (Data Security Standards) deﬁne 12 requirements for compliance.

PCI Fundamentals What it isn’t? •  It is not an enforcement or policing organiza?on.

PCI Fundamentals Then what does it do? •  The intent is to prevent merchants from having to write to mul?ple, proprietary standards. •  Gives consumers conﬁdence. •  Useful for audits.

PCI Fundamentals •  So who should care about PCI?

Main PCI Control Objec?ves •  Build and maintain a secure network •  Protect cardholder data •  Maintain a vulnerability management program •  Implement strong access control measures •  Regularly monitor and test networks •  Maintain an informa?on security policy

PCI Control Objec?ves Build and maintain a secure network •  Install and maintain a ﬁrewall •  Do not use any default passwords

PCI Control Objec?ves Protect Cardholder Data •  Protect stored data •  Encrypt transmission of data

PCI Control Objec?ves Maintain a vulnerability management program •  Update an?-‐virus •  Develop secure applica?ons and systems

PCI Control Objec?ves Implement strong access control measures •  Need-‐to-‐know access to cardholder data •  System access only via unique IDs •  Physical access controls

PCI Control Objec?ves Regularly monitor and test networks •  Monitor network access •  Test systems, test processes

PCI Control Objec?ves Maintain an informa?on security policy

What does it mean to be PCI Compliant? •  A company must have an audit performed •  By a third party audi?ng ﬁrm •  From the Visa/Mastercard approved auditor list, •  Which checks that the correct processes and technologies are in place.

PCI Compliance Does my API need to be PCI compliant?

PCI Compliance Can a sofware tool make me PCI compliant? •  No.

PCI & Apigee So, PCI is a speciﬁca?on for (a) processes and (b) security measures to protect cardholder informa?on. •  Apigee can help with the process. •  Apigee can help with the technology.

PCI & Apigee: Process •  The Apigee gateway provides a central loca?on for logging, policies, and security. •  The gateway can perform data masking to log transac?ons without storing any sensi?ve informa?on. Also, feeds into log aggregators. •  This centraliza?on helps with audi?ng and a7esta?ons.

PCI & Apigee: Technology •  The Apigee gateway contributes to defense in depth, protects backend systems, and strengthens network security. •  Apigee provides a hosted solu?on that enables PCI compliance. •  No product will make someone PCI compliant! •  Apigee enables and contributes to compliance.

Rapid API Workshop Webinar SeriesMapping out your API Strategy Pragma?c REST: API Design Fu 10 Pa7erns in Successful API Programs Today: API Metrics – What to Measure? API Technology & Opera?ons Your API Sucks! Does Your API Need to be PCI Compliant? Next: Launching Your API and ADracEng Developers

THANKS! Send ques)ons, examples, and ideas to @apigee Brian Pagano Sco7 Metzger bpagano@apigee.com smetzger@apigee.com @brianpagano @sco7metzger

http://apigee.com	134
http://mktg-dev.wearepropeople.md	3
https://twitter.com	1

Does your API need to be PCI Compliant?

by Apigee

Accessibility

Categories

Upload Details

Usage Rights

3 Embeds 138

Statistics

Does your API need to be PCI Compliant? Presentation Transcript