PCI DSS Compliance for Web Applications


This presentation covers the basics of PCI DSS compliance.

Presented at Null Ahmedabad Meet:


  1. PCI DSS Compliance for Web Applications – Savan Gadhiya
  2. #whoami – Savan Gadhiya
     • Senior Security Consultant at NotSoSecure
     • Hacker, Security Researcher, Developer and Bounty Hunter ☺
     • 7 years of experience in Information Technology
     • Master of Engineering in IT Systems and Network Security
     • /gadhiyasavan  @gadhiyasavan
  3. Agenda
     • What is Compliance?
     • List of Compliances
     • Understand PCI DSS Compliance – Basic
     • Applicability
     • Overview
     • Testing Procedure
     • Storage Procedure
     • Lifecycle Phase
     • PCI DSS – Web application checklist
  4. What is Compliance?
     • Compliance means conforming to a rule, such as a specification, policy, standard or law
     • Widely used compliance regimes:
       • PCI DSS – Payment Card Industry Data Security Standard
       • HIPAA – Health Insurance Portability and Accountability Act
       • FISMA – Federal Information Security Management Act
       • SOX – Sarbanes-Oxley Act
       • GDPR – General Data Protection Regulation
  5. PCI DSS
     • PCI DSS – Payment Card Industry Data Security Standard
     • A requirement for the majority of businesses today, as most handle or interact with credit card data and other sensitive customer information
     • Version history (version – release date):
       • 3.2.1 – May 2018
       • 3.2 – April 2016 (retires on 31st December 2018)
       • 3.1 – April 2015
       • 3.0 – November 2013
       • 2.0 – October 2010
       • 1.2.1 – July 2009
       • 1.2 – October 2008
  6. PCI DSS – Applicability
     • PCI DSS applies to:
       • All entities involved in payment processing, including merchants, processors, acquirers, issuers and service providers
       • Entities that store, process or transmit cardholder data and/or sensitive authentication data
       • Examples: retail sites, online travel agencies, bill-pay portals for utilities and services, online wallet and bank transfer services, etc.
     • Cardholder data:
       • Primary Account Number (PAN)
       • Cardholder Name
       • Expiration Date
       • Service Code
     • Sensitive authentication data:
       • Full track data – magnetic-stripe data or equivalent on a chip
       • CAV2/CVC2/CVV2/CID
       • PINs/PIN blocks
  7. PCI DSS – Overview
     Reference:
  8. PCI DSS – Testing Procedure
     • Compliance check on sample systems/devices, selected randomly at the time of audit
     • Examine policies
     • Examine the supporting documentation
     • Interview responsible personnel, etc.
  9. PCI DSS – Storage Permission
     Reference:
  10. PCI DSS – Lifecycle Phase (phase – tools and/or methods – PCI question examples)
     • Requirement gathering – Include security requirements – Do PANs need to be stored?
     • Design and architecture – Perform risk analysis – Who needs access? Can individual user accounts be supported for access to databases?
     • Development – Frameworks and approved libraries; code scanning and review – What encryption algorithms are approved? Are inputs validated?
     • Testing – Application vulnerability scanners and penetration testing – All test data removed? Is account access working properly?
     • Deployment – Monitoring and audit – Are transcripts logged? Is sensitive authentication data (SAD) eliminated after authorization?
     Reference:
  11. PCI DSS – Web Application Checklist
     • Default credentials
     • Firewall bypass
     • Information leakage – cardholder data
     • Cleartext transmission of cardholder data/credentials/sensitive information
     • Usage of weak cipher suites such as SSL/early TLS
     • Verify that PAN is rendered unreadable or secured with strong cryptography
     • Verify the restrictions on access to cardholder data:
       • Least amount of data
       • Duration
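Two items on slide 11, information leakage of cardholder data and rendering the PAN unreadable, meet in an application's logging layer: a full PAN written to a debug log is both a leak and readable storage. The following is an added example, not code from the deck or from its author, showing one way a web application can scrub PANs from log lines before they are written. It finds 13 to 19 digit sequences, keeps only those that pass the Luhn check (so order and tracking numbers are left alone), and masks them to the first six and last four digits, the most the standard allows to be displayed. The log lines and card numbers are constructed; the card numbers are the well-known Visa and Amex test numbers, not live cards.

```python
import re
from typing import List, Tuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
# The word boundaries stop the pattern from matching part of a longer digit run.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Render a PAN unreadable: keep at most the first six and last four digits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_pans(text: str) -> Tuple[str, int]:
    """Replace every Luhn-valid PAN in text with its masked form.

    Returns (scrubbed_text, number_of_pans_masked). Separators inside a
    matched PAN are dropped, so '4111 1111 1111 1111' becomes 411111******1111.
    """
    count = 0

    def _replace(m) -> str:
        nonlocal count
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)   # e.g. an order or tracking number: leave untouched
        count += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(_replace, text), count


# Constructed sample log lines (not from a real system).
SAMPLE_LOG = [
    "2018-05-02 10:14:03 INFO  checkout pan=4111111111111111 amount=49.99",
    "2018-05-02 10:14:05 DEBUG form data: card='3782 822463 10005' exp=12/22",
    "2018-05-02 10:14:09 INFO  shipment tracking=1234567890123456 carrier=X",
    "2018-05-02 10:14:11 INFO  session sid=8f1c2 user=42 expired",
]


def scrub_log(lines: List[str]) -> Tuple[List[str], int]:
    """Scrub a list of log lines; returns (cleaned_lines, total_pans_masked)."""
    cleaned, total = [], 0
    for line in lines:
        new_line, n = scrub_pans(line)
        cleaned.append(new_line)
        total += n
    return cleaned, total


if __name__ == "__main__":
    cleaned, total = scrub_log(SAMPLE_LOG)
    print(f"{total} PAN(s) masked")
    print("\n".join(cleaned))
```

In practice this belongs in a logging filter or formatter so that no code path can write an unmasked PAN; the Luhn check is what keeps the filter from mangling the 16-digit tracking number on the third line, while the two real card formats (16-digit Visa, 15-digit Amex with spaces) are caught.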
  12. PCI DSS – Web Application Checklist
     If the support team or administrators use cardholder data through the web application:
     • Password complexity: at least 7 characters, containing both numeric and alphabetic characters; passwords changed at least once every 90 days; none of the last four passwords may be reused
     • First-time and reset passwords set to a unique value for each user and changed immediately after first use
     • Remove inactive accounts within 90 days
     • Unique identification of users
     • Account lockout after 6 invalid attempts; lockout lasts a minimum of 30 minutes or until an administrator re-enables the user ID
     • Session expiration after 15 minutes of inactivity
     • Authenticate users with something you know, something you have, or something you are
  13. PCI DSS – Web Application Checklist
     If the support team or administrators use cardholder data through the web application:
     • Credentials rendered unreadable (encrypted) during transmission and storage
     • Verify the user's identity before modifying any authentication credentials, e.g. performing password resets, provisioning new tokens, generating new keys, etc.
     • Two-factor authentication for remote access to the cardholder data environment
     • Generic or shared user IDs disabled
     Others:
     • Logging management
     • Secure code review
     • Application-layer firewall in front of web-facing applications
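The authentication parameters on slide 12 (7-character minimum with numeric and alphabetic characters, 90-day rotation, no reuse of the last four passwords, one-shot first-use and reset passwords, lockout after 6 invalid attempts for 30 minutes or until an administrator unlocks, 15-minute idle timeout, removal of accounts inactive for 90 days) are easy to list and easy to get subtly wrong in code. Below is an added example, not code from the deck or from its author, of a small account model that enforces all of them together, with an injectable clock so the time-based rules can be exercised deterministically. The `Account` class, the `demo_*` functions and the timestamps are constructed for illustration; PBKDF2-HMAC-SHA256 stands in for whatever password hash the application actually uses.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Policy parameters as listed on slide 12.
MIN_LENGTH = 7
MAX_PASSWORD_AGE = timedelta(days=90)
PASSWORD_HISTORY = 4            # previous passwords that may not be reused
MAX_FAILED_ATTEMPTS = 6
LOCKOUT_DURATION = timedelta(minutes=30)
SESSION_IDLE_TIMEOUT = timedelta(minutes=15)
INACTIVE_ACCOUNT_LIMIT = timedelta(days=90)


def check_complexity(password: str) -> List[str]:
    """Return the list of complexity violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in password):
        problems.append("no numeric character")
    if not any(c.isalpha() for c in password):
        problems.append("no alphabetic character")
    return problems


def _digest(password: str, salt: bytes) -> bytes:
    # Stand-in password hash; the point here is the policy logic, not the KDF choice.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    """Hypothetical per-user state needed to enforce the slide-12 controls."""
    user_id: str
    created_at: datetime
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    history: List[bytes] = field(default_factory=list)   # oldest first, newest last
    password_set_at: Optional[datetime] = None
    must_change: bool = True       # first-use and reset passwords are one-shot
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None
    last_activity: Optional[datetime] = None

    def set_password(self, password: str, now: datetime, first_use: bool = False) -> List[str]:
        """Apply the complexity and history rules; returns the violations, if any."""
        problems = check_complexity(password)
        digest = _digest(password, self.salt)
        if any(hmac.compare_digest(digest, old) for old in self.history[-PASSWORD_HISTORY:]):
            problems.append(f"matches one of the last {PASSWORD_HISTORY} passwords")
        if problems:
            return problems
        self.history = (self.history + [digest])[-PASSWORD_HISTORY:]
        self.password_set_at = now
        self.must_change = first_use   # an initial/reset value must be changed at first login
        return []

    def admin_unlock(self) -> None:
        """An administrator re-enabling the user ID ends the lockout early."""
        self.locked_until = None
        self.failed_attempts = 0

    def login(self, password: str, now: datetime) -> str:
        """Returns 'ok', 'change-required', 'invalid' or 'locked'."""
        if self.locked_until is not None:
            if now < self.locked_until:
                return "locked"
            self.admin_unlock()            # lockout period has elapsed
        current = self.history[-1] if self.history else None
        if current is None or not hmac.compare_digest(_digest(password, self.salt), current):
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
                self.locked_until = now + LOCKOUT_DURATION
                return "locked"
            return "invalid"
        self.failed_attempts = 0
        self.last_activity = now
        if self.must_change or now - self.password_set_at > MAX_PASSWORD_AGE:
            return "change-required"
        return "ok"

    def session_valid(self, now: datetime) -> bool:
        """Sessions idle for more than 15 minutes must re-authenticate."""
        return self.last_activity is not None and now - self.last_activity <= SESSION_IDLE_TIMEOUT

    def inactive_for_removal(self, now: datetime) -> bool:
        """Accounts unused for 90 days (or never used since creation) are removal candidates."""
        return now - (self.last_activity or self.created_at) > INACTIVE_ACCOUNT_LIMIT


def demo_scenario() -> List[str]:
    """Walk one constructed account through the controls; returns login outcomes in order."""
    t0 = datetime(2018, 5, 1, 9, 0)                      # constructed timestamp
    acct = Account("support-alice", created_at=t0)
    acct.set_password("Temp0rary", t0, first_use=True)   # admin-issued first-use value
    outcomes = [acct.login("Temp0rary", t0)]             # change-required
    acct.set_password("Summer2018", t0)
    outcomes.append(acct.login("Summer2018", t0))        # ok
    for _ in range(MAX_FAILED_ATTEMPTS):
        outcomes.append(acct.login("wrong-guess1", t0))  # invalid x5, then locked
    outcomes.append(acct.login("Summer2018", t0 + timedelta(minutes=10)))  # still locked
    outcomes.append(acct.login("Summer2018", t0 + timedelta(minutes=31)))  # lockout over: ok
    outcomes.append(acct.login("Summer2018", t0 + timedelta(days=91)))     # password aged out
    return outcomes


def demo_history_and_sessions() -> Tuple[List[str], bool, bool, bool]:
    """Reuse rejection, idle timeout either side of 15 minutes, and inactivity removal."""
    t0 = datetime(2018, 5, 1, 9, 0)
    acct = Account("support-bob", created_at=t0)
    acct.set_password("Winter2017", t0)
    reuse = acct.set_password("Winter2017", t0)          # rejected by the history rule
    acct.login("Winter2017", t0)
    return (reuse,
            acct.session_valid(t0 + timedelta(minutes=14)),
            acct.session_valid(t0 + timedelta(minutes=16)),
            acct.inactive_for_removal(t0 + timedelta(days=91)))
```

Two design points worth noting: the lockout check runs before the password is verified, so a correct password cannot be used to probe whether an account is locked, and the history comparison uses the stored salted hashes rather than plaintext, so enforcing "no reuse of the last four" does not require keeping old passwords recoverable.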
  14. References
  15. Questions?
     /gadhiyasavan  @gadhiyasavan