Let's Talk About PCI Compliance for Drupal

Rick Manelius, PhD
@rickmanelius
PCI Compliance and Drupal - Commerce Guys Webinar

These are the slides from the Commerce Guys webinar on PCI compliance for Drupal (recorded on 11/14/2013). You can watch the video recording at the following link: http://commerceguys.com/webinars/archive/pci-compliance-drupal

Original webinar description below:

You're taking payments online, so you must be PCI compliant, right? How do you know?

Drupal.org reports over 80,000 active Ubercart and Drupal Commerce installations. That's great news! With such a large and active portion of our community involved in eCommerce, effort and resources must go toward helping these websites achieve the mandatory security standards set forth by the Payment Card Industry (PCI).

In the past, a definitive guide or comprehensive resource simply didn't exist. Information seekers could find a handful of articles, forum threads, and videos, but most of these resources were fragmented, outdated, and might have contained inaccurate information. Not a good thing when failing to become PCI compliant exposes businesses to legal and financial liabilities.

That's why we've invited Rick Manelius to our next Commerce Guys webinar. He's one of the authors of a new report on PCI compliance, focused specifically on Drupal. The report was created as a means to help Drupal shops, developers, and customers understand their PCI compliance responsibilities and discover the steps to achieving full compliance.

He'll be joined by Robert Douglass, a long-time Drupal contributor and Director of Product Operations for Commerce Guys. Together they'll present a very open and honest view of the eCommerce landscape for Drupal and lend valuable insight for companies looking to achieve success, and security, when taking payments online.


1. Let's Talk About PCI Compliance for Drupal
   Rick Manelius, PhD (@rickmanelius)

2. Overview
   • Why (should I care)?
   • What (exactly is this PCI compliance thing)?
   • How (do I get started)?

3. Why?

4. My Story
   • From great success to sheer panic.
   • You'll experience something similar at some point.
   • The 5 Stages of PCI Compliance Grief
     • Denial ("That doesn't pertain to me.")
     • Anger ("WTF! Why didn't someone tell me?")
     • Bargaining ("I'm more secure than others.")
     • Depression ("This is going to be so hard...")
     • Acceptance ("Alright, let's do this!")

5. Why? It's In the News

6. You've Got Mail!

7. Security Breaches Hurt
   • Adobe - 2.9 million customer records.
   • Sony PlayStation Network - $77 million.
   • JC Penney - 650,000 records.
   • Ubercart with custom module (3)
   • $25-$215 / breached record. (1)
   • Small merchants — 80+% of breaches. (2)
   • One strike rule for PCI Level.
   1. 2010 Annual Study: U.S. Cost of a Data Breach (symantec.com)
   2. In Data Leaks, Culprits Often Are Mom (Online Wall Street Journal)

8. PCI Compliance is Mandatory
   • Golden Rule
   • Contractual
   • Privilege
   • It can be revoked
   • One strike rule

9. My Goals
   • World Class eCommerce Platform => Set the Standard
   • 4 Stages of Mastery
     1. Unconscious Incompetence
     2. Conscious Incompetence
     3. Conscious Competence
     4. Unconscious Competence
   • I believe the Drupal community is primarily at 1-2.
   • At the very least, we need to get to 2 (awareness).
   • Ideally 90+% of Drupal eCommerce sites get to 3.

10. Drupal PCI Compliance White Paper
   • http://drupalpcicompliance.org
   • Co-authors:
     • Greg Knaddison (Head of Drupal Security Team)
     • Ned McClain (QSA at Applied Trust)
   • Readable in less than an hour.
   • Target audiences: developers, shops, & evaluators.
   • Drupal-specific information.
   • Goes well beyond the information in this talk.

11. Sponsors

12. What?

13. The Journey of a Credit Card
   • User's browser
   • Internet
   • Hosting Network
   • Server
   • LAMP Stack
   • Drupal App
   • Payment Gateway
   • Merchant Service Provider

14. Holistic Approach
   • Card Data Environment (CDE)
   • Everything that can touch the card falls into the CDE.
   • Security (& trust) is as strong as the weakest link.
   • Need a policy to ensure end-to-end security.

15. PCI-DSS
   • PCI = Payment Card Industry
   • DSS = Data Security Standard
   • 12 requirements (aka the dirty dozen)
   • We will (quickly) go through them.

16. PCI Data Security Standard
   • 1. Install and maintain a firewall
   • 2. Do not use vendor-supplied default passwords
   • 3. Protect stored data
   • 4. Encrypt transmission of cardholder data across open, public networks
   • 5. Use and regularly update anti-virus software or programs
   • 6. Develop and maintain secure systems and applications

17. PCI Data Security Standard
   • 7. Restrict access to cardholder data by business need-to-know
   • 8. Assign a unique ID to each person with computer access
   • 9. Restrict physical access to cardholder data
   • 10. Track and monitor all access to network resources and cardholder data
   • 11. Regularly test security systems and processes
   • 12. Maintain a policy that addresses information security for all personnel

18. PCI Data Security Standard
   • 288 total checklist items.
   • The number of items an eCommerce site is responsible for depends on how it's structured!

19. How?

20. So... Where Do I Start?
   • Key Factors: Volume & Validation Type.
   • Volume determines PCI Level (1, 2, 3, or 4)
   • Validation type determines SAQ (A, B, C, C-VT, D)
     • SAQ = Self-Assessment Questionnaire
     • Provides a checklist for the 12 requirements.

21. Volume
   [Image: transaction volume thresholds per PCI level; not captured in the transcript]
   • Reported Breach = Automatic Level 1

22. Validation Type
   • (i.e. method by which you accept payment)
   • A, C, and D are the most relevant for eCommerce.

23. Validation Type (English Please!)
   • SAQ A: Fully outsourced handling of sensitive data.
   • SAQ C: "Standard" eCommerce setup.
   • SAQ D: Storing sensitive data.

24. Determining Your SAQ
   • Largely a function of payment method.
   • 3 types of payment methods:
     • Wholly Outsourced
     • Shared-Management
     • Merchant Managed

26. Wholly Outsourced: SAQ A
   • Sensitive data is completely handled by another vendor.
   • Examples: Volusion, BigCommerce, etc.
   • Grey area for Drupal payment gateways (more on this later).

27. Merchant Managed: SAQ C/D
   • Drupal application processes and transmits credit card data to the payment gateway.
   • If you store cards, you're SAQ D (dangerous!)
   • Do not do this unless you absolutely, positively know what you're doing.

28. Shared Management: SAQ A/C
   • Three Types
     • Hosted Payment Page
     • Direct Post
     • iFrame
   • Often advertised as SAQ A.
   • PCI Council outlines vulnerabilities.
   • Consider these an "easier SAQ C".

29. Hosted Payment Pages
   • Image courtesy of authorize.net

30. Direct Post
   • Image courtesy of authorize.net

31. iFrame
   • Basically direct post with the additional security of an iframe surrounding the form element.
   • Protects from JS attacks from the parent DOM.

32. Attacking Shared-Management
   • Direct Post (Stripe, Braintree, etc)
     • JS Keylogger.
   • Hosted Payment Page (PayPal, etc)
     • Redirecting to a spoof site.
   • iframe (Auth.net hosted CIM, Hosted PCI)
     • Replace the iframe.
   • While still vulnerable, shared-management solutions are considerably less risky than merchant managed solutions!

33. SAQ Breakdown
   • Merchant Managed - SAQ C/D
   • Shared-Management - SAQ A/C
   • Wholly Outsourced - SAQ A
   • SAQ C - "Standard" eCommerce Site.
   • SAQ D - Storing Cardholder Data.

34. Recommendations
   • Use shared-management types.
   • iFrame or Hosted Payment Pages preferred.
   • Use SAQ C regardless of vendor claims.
   • New 3.0 PCI standard coming out soon.
   • Consider SAQ the minimum level.
   • Seek help if you have any questions.

35. Recommendations
   • Download: Drupal PCI Compliance White Paper!
   • http://drupalpcicompliance.org/

36. Summarizing
   • Why
     • Mandatory
     • Financial, PR, and legal risks.
   • What
     • Standard that addresses security holistically.
   • How
     • Determine your volume + transaction type.
     • Complete the relevant SAQ form.
     • Do your due diligence!!!

37. Questions
   • PS. Don't forget:
     • http://drupalpcicompliance.org/
     • Drupal.org/IRC/twitter: @rickmanelius