
New PCI Requirements for Component Security



The Payment Card Industry (PCI) standards help ensure that banks, financial services firms and merchants protect their customers' credit card data. Credit card security became more challenging with the mandate to "avoid components with known vulnerabilities", based on recent Open Web Application Security Project (OWASP) guidelines.

To learn more about PCI compliance and component security, please visit



  1. The webinar will start at 9 AM EST. Tweet your thoughts: #sonatype
  2. Director of Card Solutions, Crosskey
  3. PCI Updated to Reflect How Software is Built Today. Source: 2012 / 2013 Sonatype analysis of more than 1,000 enterprise applications
  4. An Ecosystem Phenomenon: vulnerable production applications put you at risk and cause PCI certification issues
  5. The Threat is Real - Popular Web Framework Exploit: Global Bank, Software Provider, Software Provider’s Customer, State University, Three-Letter Agency, Large Financial Exchange
  6. Governance that is Effective. Complexity, diversity, volume, change: one component may rely on 00s of others; 40,000 projects; 200MM classes; 400K components; a typical enterprise consumes 1,000s of components monthly; a typical component is updated 4X per year. Governance through policy automation is the only viable approach.
  7. Crosskey Case Study: Monika Liikamaa, Director of Card & Mobile Payments
  8. It’s all about TRUST: Crosskey, a PCI DSS compliant service provider
  9. It’s all about TRUST - The beginning: a void
  10. It’s all about TRUST - The beginning: to be filled up with 200+ requirements
  11. It’s all about TRUST - The beginning. The firewall and router requirements (PCI DSS requirement 1):
     • 1.1.1 A formal process for approving and testing all network connections and changes to the firewall and router configurations
     • 1.1.2 Current network diagram with all connections to cardholder data, including any wireless networks
     • 1.1.3 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone
     • 1.1.5 Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure. Examples of insecure services, protocols, or ports include but are not limited to FTP, Telnet, POP3, IMAP, and SNMP
     • 1.1.6 Requirement to review firewall and router rule sets at least every six months
     • 1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment
     • 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment
     • 1.2.2 Secure and synchronize router configuration files
     • 1.2.3 Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment
     • 1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports
     • 1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ
     • 1.3.3 Do not allow any direct connections inbound or outbound for traffic between the Internet and the cardholder data environment
     • 1.3.5 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet
  12. Policies, Standards and Guidelines, mapped to the PCI requirements they cover:
     • Acceptable Use / Email Policy: PCI requirement 4.2.b
     • Third-Party Policy: PCI requirement 12.8.x
     • Systems Configuration Standards: PCI requirement 2.x, 10.4.x, 11.4.c
     • Data / Access Control Policy: PCI requirement 7.1.x, 7.2.2, 8.1, 8.2
     • Software Development Processes: PCI requirement 6.3.x, 6.5.x
     • Change Control Policy: PCI requirement 6.4.x
     • Industry-accepted system hardening standards: PCI requirement 2.2
     • Patch Management Policy: PCI requirement 6.1
     • Password Policy: PCI requirement 8.5.x
     • Encryption / Key Management Policy / Masking: PCI requirement 3.4, 3.5, 3.6.x, 3.3
     • Badge Access Policy: PCI requirement 9.2.x
     • Account Administration Policy: PCI requirement 8.5.x
     • Log Retention Policy: PCI requirement 10.7.x
     • Vulnerability Testing Policy
     • Desktop Firewall Policy: PCI requirement 1.4.x
     • Firewall and Router Configuration Standards: PCI requirement 1.x, 2.x
     • Vulnerability Management Policy: PCI requirement 6.2.b
     • Network Diagrams: PCI requirement 1.1.2.x
     • Physical Security Policy: PCI requirement 9.4.b
     • External Penetration Test Report: PCI requirement 11.3.x
     • Log Monitoring Policy: PCI requirement 10.5.1, 10.6.a
     • Media Policy: PCI requirement 9.5, 9.6, 9.7, 9.8, 9.9
     • External Vulnerability Scan Reports (4 quarters of clean scan results): PCI requirement 11.2.b, 11.2.c
     • Incident Response Policy: PCI requirement 12.9.x, 11.1.e
     • Retention / Disposal Policy: PCI requirement 3.1
     • Remote Access Policy: PCI requirement 8.3, 2.3
     • Risk Assessment Policy: PCI requirement 12.1.2
     • Internal Penetration Test Report: PCI requirement 11.3.x
     • Anti-Virus Policy: PCI requirement 5.2.a
     • Internal Vulnerability Scan Reports (4 quarters of clean scan results): PCI requirement 11.2.a, 11.2.c
     • Daily Operational Security Procedures: PCI requirement 12.2
     • Wireless Scan Reports
     • Information Security Policy: PCI requirement 12.1.x, 12.4, 12.5.x
     • Background Check Policy
     • Acceptable Use Policy
  13. Compliance: the enemy of agility • Component-based development • 6 week release cycles • Volume and complexity of components and applications. Manual controls are impossible.
  14. Sonatype CLM: the answer for trust and agility • Inventory of all components used • Security and license data to choose the best components at the start and manage components over time • Automated policy management. Intelligence, control, speed!
  15. Thank you! Elverksgatan 10, AX-22 100 Mariehamn. Tel: +358 (0) 204 29 022. Email:
  16. PCI 3.0 – Component Impact: Technical Details & Starting Steps
  17. It Didn’t Start with PCI 3.0 • There were 28 individual requirements that relate to application components in Version 2.0. • PCI 3.0 (as part of the Version 3.0 Change Highlights process) introduced 9 additional requirements for application components. • PCI references OWASP; the OWASP Top 10 now has a dedicated item (A9) about component management.
  18. Secure Applications Require Trusted Components: Application Inventory, Risk-Based Management, Secure Components, Security Policies, Coding Guidelines
  19. Maintain Inventory of Components • Component inventory is now required in PCI 3.0 • Leverage external security vulnerability sources. A precise, instant inventory integrated from consumption to production provides comprehensive governance.
  20. Follow Secure Coding Guidelines • OWASP A9 addresses vulnerable components • Stay current with effective patch management. Start with optimal components and stay current with component recommendations and single-click migration.
  21. Implement Security Policies • Establish, document & distribute policies • Security as a shared responsibility. Automated policies provide guidance to multiple constituents throughout the entire software lifecycle.
  22. Utilize a Risk-based Management Approach • Monitor & analyze production applications • Prioritize remediation efforts by risk profile. Delivers continuous trust for production applications with proactive notifications of newly discovered vulnerabilities.
  23. 3 Steps to Start the PCI Component Management Journey:
     1. Build & Maintain an Accurate Inventory
     2. Determine Your Threat Exposure
     3. Prevent Vulnerabilities & Remediate Flaws
  24. Sonatype Helps You Address PCI While Moving Fast. Go Fast. Be Secure. Be Compliant. Sonatype speeds development by integrating guidance directly into the development lifecycle. Sonatype ensures PCI compliance by automating policy enforcement throughout the lifecycle. Sonatype provides continuous trust with ongoing monitoring, alerts, and rapid remediation for protection against newly discovered vulnerabilities.
  25. Learn how Sonatype can help meet PCI Component Requirements: PCI Compliance Best Practices for Securing Component Based Applications; Details on how Crosskey Achieved Component Security in 6 Weeks
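Slides 19 and 23 describe the component-management loop at a high level: keep an inventory of every component in use, check it against an external vulnerability source, and prioritise remediation by risk. The script below is an added example written for this page; it is not Sonatype CLM or any code from the webinar. It parses a constructed inventory of Maven-style coordinates (including a second, older copy of one component, as a transitive dependency would appear), matches each entry against a constructed advisory feed with version ranges, and returns the findings ranked by score with a concrete action for each. All coordinates, advisory ids (ADV-EXAMPLE-*), scores and version numbers are made up, and the version-ordering rules in `parse_version` are this example's own assumptions.

```python
"""Hypothetical component-inventory exposure check (added example, not
Sonatype CLM or any product code). It takes a constructed dependency
inventory, matches each component against a constructed vulnerability feed
with version ranges, and ranks the findings by score so remediation can be
prioritised by risk. All coordinates, advisory ids and scores are made up."""
import re

# Constructed inventory in groupId:artifactId:version form, the shape a
# build tool's dependency listing takes. The second json-parser line stands
# in for a transitive copy pulled in at an older version. Not real data.
INVENTORY = """\
org.example:web-framework:2.3.14
org.example:json-parser:1.9.1
org.example:json-parser:1.8.0
org.example:logging-core:4.1.0
com.example:crypto-utils:0.8.2
"""

# Constructed feed with placeholder advisory ids. 'fixed' is the first
# version that is no longer affected; None means no fix has been published.
VULN_FEED = [
    {"id": "ADV-EXAMPLE-0001", "component": "org.example:web-framework",
     "introduced": "2.0.0", "fixed": "2.3.15", "score": 9.8},
    {"id": "ADV-EXAMPLE-0002", "component": "org.example:json-parser",
     "introduced": "1.0.0", "fixed": "1.9.0", "score": 7.5},
    {"id": "ADV-EXAMPLE-0003", "component": "org.example:logging-core",
     "introduced": "4.0.0", "fixed": None, "score": 5.3},
]

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[.\-](.+))?$")


def parse_version(version: str) -> tuple:
    """Turn '2.3.14' or '2.3.14-rc1' into a comparable key.

    Numeric segments compare numerically (2.3.9 < 2.3.14, unlike a plain
    string comparison), trailing zeros are dropped (2.3.0 == 2.3), and any
    qualifier is assumed to mark a pre-release that sorts before the bare
    release, as in SemVer. This ordering is an assumption of the example."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    numbers = [int(p) for p in m.group(1).split(".")]
    while len(numbers) > 1 and numbers[-1] == 0:
        numbers.pop()
    qualifier = m.group(2) or ""
    return (tuple(numbers), 0 if qualifier else 1, qualifier)


def is_affected(version: str, advisory: dict) -> bool:
    """True when introduced <= version < fixed (or no fix exists yet)."""
    v = parse_version(version)
    if v < parse_version(advisory["introduced"]):
        return False
    return advisory["fixed"] is None or v < parse_version(advisory["fixed"])


def parse_inventory(text: str) -> list:
    """Read 'group:artifact:version' lines into (component, version) pairs,
    keeping duplicates so every copy of a component is assessed."""
    items = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        group, artifact, version = line.split(":")
        items.append((f"{group}:{artifact}", version))
    return items


def assess_exposure(inventory_text: str, feed: list) -> list:
    """Match every inventoried component against the feed and return the
    findings, highest score first, each with a concrete remediation action."""
    findings = []
    for component, version in parse_inventory(inventory_text):
        for adv in feed:
            if adv["component"] == component and is_affected(version, adv):
                action = (f"upgrade to {adv['fixed']}" if adv["fixed"]
                          else "no fixed version published; mitigate or replace")
                findings.append({"component": component, "version": version,
                                 "id": adv["id"], "score": adv["score"],
                                 "fixed": adv["fixed"], "action": action})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in assess_exposure(INVENTORY, VULN_FEED):
        print(f"{f['score']:>4}  {f['component']}:{f['version']}  "
              f"{f['id']}  -> {f['action']}")
```

Two details matter more than the matching itself. Versions must be compared as numbers, not strings, or `2.3.9` would look newer than `2.3.14` and a vulnerable build would pass. And the inventory has to keep every copy of a component, because the patched `json-parser` 1.9.1 at the top level says nothing about the 1.8.0 copy a transitive dependency pulled in; that older copy is the finding. A real feed would replace the constructed `VULN_FEED`, and the inventory would come from the build tool rather than an inline string.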