Published on: null Mumbai Chapter - March 2013 Meet
PCI DSS for Pentesting

1. PCI DSS for Penetration Testers
   K. K. Mookhey
2. What is PCI DSS?
   Payment Card Industry (PCI) Data Security Standard (DSS).
   PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data. It comprises a minimum set of requirements for protecting cardholder data, and may be enhanced by additional controls and practices to further mitigate risks.
3. Why Is Compliance with PCI DSS Important?
   A security breach and subsequent compromise of payment card data has far-reaching consequences for affected organizations, including:
   • Regulatory notification requirements
   • Loss of reputation
   • Loss of customers
   • Potential financial liabilities (for example, regulatory and other fees and fines)
   • Litigation
4. PCI DSS: Payment Card Industry Data Security Standard
   The standard applies to:
   • Merchants
   • Service Providers (third-party vendors, gateways)
   • Systems (hardware, software)
   that:
   • Store cardholder data
   • Transmit cardholder data
   • Process cardholder data
   Inclusive of:
   • Electronic transactions
   • Paper transactions
5. The PCI Security Standards Council (PCI SSC)
   An open global forum, launched in 2006, responsible for the development, management, education, and awareness of the PCI Security Standards, including:
   • Data Security Standard (DSS)
   • Payment Application Data Security Standard (PA-DSS)
   • PIN Transaction Security (PTS), formerly known as PIN Entry Device (PED)
6. PCI SSC Standards
7. PIN Transaction Security (PTS) Requirements
   • A set of security requirements focused on the characteristics and management of devices used in the protection of cardholder PINs and other payment-processing activities.
   • The requirements are for manufacturers to follow in the design, manufacture and transport of a device to the entity that implements it.
   • Financial institutions, processors, merchants and service providers should only use devices or components that are tested and approved by the PCI SSC.
   Approved devices are listed at: www.pcisecuritystandards.org/security_standards/ped/pedapprovallist.html
8. Payment Application Data Security Standard (PA-DSS)
   • The PA-DSS is for software developers and integrators of payment applications that store, process or transmit cardholder data as part of authorization or settlement, when these applications are sold, distributed or licensed to third parties.
   • Most card brands encourage merchants to use payment applications that are tested and approved by the PCI SSC.
   Validated applications are listed at: www.pcisecuritystandards.org/security_standards/pa_dss.shtml
9. PCI Data Security Standard (DSS)
   • The PCI DSS applies to all entities that store, process, and/or transmit cardholder data.
   • It covers the technical and operational system components included in or connected to the cardholder data environment.
   • If you are a merchant who accepts or processes payment cards, you must comply with the PCI DSS.
10. The PCI Security Standards Founders
11. Data on a Payment Card
12. Track 1 vs. Track 2 Data
13. Track 1 vs. Track 2 Data (cont..)
   If full track data (either Track 1 or Track 2, from the magnetic stripe, the magnetic-stripe image in a chip, or elsewhere) is stored, malicious individuals who obtain that data can reproduce and sell payment cards around the world. Full track data storage also violates the payment brands' operating regulations and can lead to fines and penalties.
14. What to Store and What Not to Store
15. Guidelines for Storage
   1. One-way hash functions based on strong cryptography: convert the entire PAN into a unique, fixed-length cryptographic value.
   2. Truncation: permanently remove a segment of the data (for example, retaining only the last four digits).
   3. Index tokens and securely stored pads: an encryption algorithm that combines sensitive plain-text data with a random key or "pad" that works only once.
   4. Strong cryptography, with associated key-management processes and procedures. Refer to the PCI DSS and PA-DSS Glossary of Terms, Abbreviations and Acronyms for the definition of "strong cryptography".
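As an added example, not part of the original deck: a small Python scanner a tester might run over a copied log or database dump to check for what slides 13 and 15 describe, full Track 1/Track 2 data at rest and bare PANs, and then to show the truncation, hashing and index-token methods applied to what it finds. The track layouts follow ISO/IEC 7813 (the deck shows them only as an image), the log lines are constructed from published test PANs, and the function names `find_track_data`, `find_pans`, `truncate`, `keyed_hash` and `tokenize` are chosen here.

```python
"""Cardholder-data discovery for a PCI DSS engagement (added example).

Illustrates slides 13 and 15: finding full Track 1/Track 2 data and bare PANs in
data at rest, then applying the PCI DSS Req 3.4 rendering methods. Track layouts
follow ISO/IEC 7813, which the deck does not spell out; the sample below is
constructed from published test PANs (4111111111111111, 5555555555554444).
"""
import hashlib
import hmac
import re
import secrets

# Track 1, format code B: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{12,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(r";(\d{12,19})=(\d{4})(\d{3})([^?]*)\?")
# Bare PAN candidate: 13-19 digits, optionally grouped by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample: a POS debug log that retained full track data, plus a
# settlement file line with a spaced PAN and a non-card number that must be
# filtered out. Test data only; names and dates are made up.
SAMPLE = (
    "2013-03-02 10:14:07 swipe ok %B4111111111111111^DOE/JANE^2512101123456789?\n"
    "2013-03-02 10:14:07 swipe ok ;4111111111111111=2512101123456789?\n"
    "settlement,5555 5555 5555 4444,2512,approved\n"
    "order-id 1234567890123456 is not a card number\n"
)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: drops digit runs that cannot be a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_track_data(blob: str) -> list:
    """Full-track records found in blob: each one is a Req 3.2 violation."""
    hits = []
    for m in TRACK1_RE.finditer(blob):
        hits.append({"track": 1, "pan": m.group(1), "name": m.group(2), "exp": m.group(3)})
    for m in TRACK2_RE.finditer(blob):
        hits.append({"track": 2, "pan": m.group(1), "exp": m.group(2)})
    return [h for h in hits if luhn_ok(h["pan"])]


def find_pans(blob: str) -> list:
    """Luhn-valid PAN candidates in blob, digits only, deduplicated, in order."""
    found = []
    for m in PAN_RE.finditer(blob):
        pan = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(pan) and pan not in found:
            found.append(pan)
    return found


# --- Rendering methods from slide 15 -------------------------------------------

def truncate(pan: str) -> str:
    """Truncation: keep at most the first six and last four digits."""
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


def keyed_hash(pan: str, key: bytes) -> str:
    """One-way hash. A plain SHA-256 of the PAN is brute-forceable (the BIN is
    public and the last digit is a Luhn check), so a secret key is mixed in via
    HMAC; that key then falls under the key-management item of slide 15."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def tokenize(pan: str, vault: dict) -> str:
    """Index token: a random stand-in for the PAN. The token-to-PAN mapping is
    the 'securely stored' part and must live outside the application's reach."""
    for token, stored in vault.items():
        if stored == pan:
            return token
    token = secrets.token_hex(8)
    vault[token] = pan
    return token


if __name__ == "__main__":
    for hit in find_track_data(SAMPLE):
        print("FULL TRACK %d DATA AT REST: PAN %s" % (hit["track"], truncate(hit["pan"])))
    vault = {}
    for pan in find_pans(SAMPLE):
        print("PAN %s -> token %s" % (truncate(pan), tokenize(pan, vault)))
```

Two points the slide's four-item list does not make explicit, both worth raising in a report: the order number in the last sample line is rejected only because it fails the Luhn check, so a digit-pattern grep without that check floods the findings with false positives; and truncated and hashed copies of the same PAN must not sit side by side, since the hash can then be brute-forced over the few unknown digits.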
16. The PCI Data Security Standard: Six Goals, Twelve Requirements
   Build and Maintain a Secure Network
     1. Install and maintain a firewall configuration to protect cardholder data
     2. Do not use vendor-supplied defaults for system passwords and other security parameters
   Protect Cardholder Data
     3. Protect stored cardholder data
     4. Encrypt transmission of cardholder data across open, public networks
   Maintain a Vulnerability Management Program
     5. Use and regularly update anti-virus software or programs
     6. Develop and maintain secure systems and applications
   Implement Strong Access Control Measures
     7. Restrict access to cardholder data by business need-to-know
     8. Assign a unique ID to each person with computer access
     9. Restrict physical access to cardholder data
   Regularly Monitor and Test Networks
     10. Track and monitor all access to network resources and cardholder data
     11. Regularly test security systems and processes
   Maintain an Information Security Policy
     12. Maintain a policy that addresses information security for employees and contractors
17. Other PCI Standards
20. PIN Transaction Security (PTS) Requirements: Objectives
   • Objective 1: PINs used in transactions governed by these requirements are processed using equipment and methodologies that ensure they are kept secure.
   • Objective 2: Cryptographic keys used for PIN encryption/decryption and related key management are created using processes that ensure that it is not possible to predict any key or determine that certain keys are more probable than other keys.
   • Objective 3: Keys are conveyed or transmitted in a secure manner.
21. PIN Transaction Security (PTS) Requirements: Objectives (cont..)
   • Objective 4: Key-loading to hosts and PIN entry devices is handled in a secure manner.
   • Objective 5: Keys are used in a manner that prevents or detects their unauthorized usage.
   • Objective 6: Keys are administered in a secure manner.
   • Objective 7: Equipment used to process PINs and keys is managed in a secure manner.
23. PA-DSS Requirements
   • Requirement 1: Do not retain full magnetic stripe, card verification code or value (CAV2, CID, CVC2, CVV2), or PIN block data
   • Requirement 2: Protect stored cardholder data
   • Requirement 3: Provide secure authentication features
   • Requirement 4: Log payment application activity
   • Requirement 5: Develop secure payment applications
   • Requirement 6: Protect wireless transmissions
   • Requirement 7: Test payment applications to address vulnerabilities
   • Requirement 8: Facilitate secure network implementation
   • Requirement 9: Cardholder data must never be stored on a server connected to the Internet
24. PA-DSS Requirements (cont..)
   • Requirement 10: Facilitate secure remote access to the payment application
   • Requirement 11: Encrypt sensitive traffic over public networks
   • Requirement 12: Encrypt all non-console administrative access
   • Requirement 13: Maintain instructional documentation and training programs for customers, resellers, and integrators
25. Thank you! Questions / Queries
   NETWORK INTELLIGENCE INDIA PVT. LTD.
   An ISO/IEC 27001:2005 certified company
   Web: http://www.niiconsulting.com
   Email: kkmookhey@niiconsulting.com
   Tel: +91-22-2839-2628, +91-22-4005-2628
   Fax: +91-22-2837-5454