These are not the credit cards you're looking for

818 views
767 views

Published on

My presentation from the Scottish Ruby Conference about PCI DSS, what you as a web developer need to consider and some straight-forward and hopefully common-sense ideas based on my own experience in building the compliant infrastructure and software for a PCI DSS Level 1 service provider.

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
818
On SlideShare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
8
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • These are not the credit cards you're looking for

    1. 1. These are not the Credit Cards you’re looking for A hopefully interesting PCI DSS introduction Ryan Stenhouse, Ruby Engineer @ryanstenhouse ryan.stenhou.se
    2. 2. Hi, I’m Ryan StenhouseRuby Engineer at FreeAgent‣ @ryanstenhouse‣ http://ryan.stenhou.se‣ Blogs, writes Ruby, has been through PCI DSS compliance as a Level 1 service provider‣ Works with the awesome folks at FreeAgent
    3. 3. PCI DSS - Guh, wha?How to baffle a room-full of people in one go‣ PCI DSS is a mandatory security standard that everyone who deals with credit card information has to adhere to‣ Complicated and annoying, but defeatable with common-sense and good planning‣ Can’t be ignored‣ Can be quite costly
    4. 4. What I’m going to talkabout a room-full of people in one goHow to baffle‣ Self-Assessment Compliance‣ What you need to worry about‣ Where it gets annoying‣ Quick wins and bear traps‣ Logging
    5. 5. Self AsessmentComplianceTax doesn’t have to be taxing‣ Probably the most relevant to the audience here.‣ SAQ A‣ SAQ C‣ There are others
    6. 6. SAQ A - Nice and simpleNothing to see here sir, move it along‣ If you outsource all your card processing to someone like PayPal and never touch card data, this is for you.‣ Only 13 questions to answer, from Requirements 9 and 12.
    7. 7. SAQ C - More involvedMore risk, but more reward‣ If you capture, then transmit card information on (think ActiveMerchant) but don’t store CHD, then you need SAQ C.‣ 80 questions to answer from requirements 1 - 9, 11 & 12.‣ Needs a lot more documentation, business policy and technical work‣ Probably ‘as bad as it gets’
    8. 8. SAQ C - More involvedMore risk, but more reward‣ If you capture, then transmit card information on (think ActiveMerchant) but don’t store CHD, then you need SAQ C.‣ 80 questions to answer from requirements 1 - 9, 11 & 12.‣ Needs a lot more documentation, business policy and technical work‣ Probably ‘as bad as it gets’
    9. 9. What you need to worryaboutAs a developer‣ For SAQ A, nothing. Really.‣ For SAQ C, it gets more complicated. You need to have an organisation policy around development ‘best practices’ and security. You need to keep on top of patches, and you need to be up to speed on things like OWASP’s recommendations.‣ I’ll come back to this later
    10. 10. What you need to worryaboutAs a sysadmin‣ For SAQ A, nothing. Really.‣ For SAQ C, you’re probably going to have to spend a lot of time hardening your machines, footering around with your network(s) and generally having a lot of overheads. There needs to be various documented policies covered that must be followed.‣ I’ll come back to this later
    11. 11. What you need to worryaboutAs a business‣ If you’re not compliant, the consequences can be as dire as your acquirer stopping you from being able to accept payment by card and hitting you with massive fines.‣ For SAQ C, you’re going to need to put in place a lot of policy and procedural documentation.‣ You need to and must be PCI DSS
    12. 12. Bored yet? Quick wins!Q: Did you hear about the constipatedAccountant?‣ Go for SAQ A unless there’s a good business reason not to.‣ If you need SAQ C or higher, save some pain and kill your WIFI‣ Outsource whatever you can to a PCI DSS ceritfied supplier.
    13. 13. Here are the bear trapsA: She worked it out with a pencil‣ PCI’s logging requirements are challenging to say the least.‣ For very small teams, you can’t always segregate roles and responsibilities as you’d like.‣ Quarterly ASV scans, Pen Tests every time you make a network change.
    14. 14. Change ManagementChange is difficult and needs to bedocumented‣ You will need to have a documented and enforced change management procedure for your application(s).‣ It needs to include the details of the change, why it’s needed, the impact of the risk, post and pre deployment test plans and a rollback strategy.
    15. 15. FIM and IDSOn your cardholder environment‣ You need to be able to proceed your machines from unauthorised access and changes, a good FIM and IDF tool is required for this (if your firewall doesn’t do it).‣ OSSEC, a free project by Trend Mirco is perfect for this.
    16. 16. LoggingHarder than chinese algebra‣ PCI’s logging requirements are vast, complicated and crucial to maintain a useful audit trail.‣ Logs should be centralised, backed up and properly protected against unauthorised changes and access.
    17. 17. LoggingHarder than chinese algebra‣ You need to keep 6 months on hand and 2 (or more) years worth in archive.‣ Logs need to be audited.‣ The creation of logs needs to be logged.‣ rsyslogd and a lot of painful configuration is good enough if you document what you do
    18. 18. Some stuff aboutnetworking I tend to rambleAsk me more about this,‣ You need to properly isolate your cardholder environment from the rest of your network.‣ This will mean one of more firewalls, iptables has been good enough for me in the past.‣ You need to regularly audit your firewall configuration (quarterly).‣ Penetration tests every time you
    19. 19. Misc AdviceStuff that occurred to me as I was writing thisup‣ VM’s are a-ok as far as ‘servers’ for PCI are concerned.‣ You need identify and isolate ALL of your cardholder data. Consolidate it to one place and your life will be easier.‣ If you’re in doubt, hire a QSA for the day (Might be quite expensive).

    ×