SlideShare a Scribd company logo

PCI DSS for Pentesting

n|u - The Open Security Community
n|u - The Open Security Community

null Mumbai Chapter - March 2013 Meet

1 of 26
Download to read offline
PCI DSS for Penetration Testers K. K. Mookhey
What is PCI DSS ?  Payment Card Industry (PCI) Data Security Standard (DSS)  PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data.  PCI DSS comprises a minimum set of requirements for protecting cardholder data, and may be enhanced by additional controls and practices to further mitigate risks
Why Is Compliance with PCI DSS Important?  A security breach and subsequent compromise of payment card data has far-reaching consequences for affected organizations, including:  Regulatory notification requirements,  Loss of reputation,  Loss of customers,  Potential financial liabilities (for example, regulatory and other fees and fines), and  Litigation.
PCI DSS Payment Card Industry Data Security Standard  Standard applies to:  Merchants  Service Providers (Third Third-party vendor, gateways)  Systems (Hardware, software)  Who:  Store cardholder data  Transmit cardholder data  Process cardholder data  Inclusive of:  Electronic Transactions  Paper Transactions
The PCI Security Standards Council (PCI SSC)  An open global forum, launched in 2006, responsible for the development, management, education, and awareness of the PCI Security Standards, including:  Data Security Standard (DSS)  Payment Application Data Security Standard (PA-DSS)  Pin Transaction Security (PTS)  Formally known as Pin-Entry Device (PED) PCI PTS PCI PA-DSS PCI DSS
PCI SSC- Standards
PIN Transaction (PTS) Security Requirements • It is a set of security requirements focused on characteristics and management of devices used in the protection of cardholder PINs and other payment processing related activities. • The requirements are for manufacturers to follow in the design, manufacture and transport of a device to the entity that implements it. • Financial institutions, processors, merchants and service providers should only use devices or components that are tested and approved by the PCI SSC. www.pcisecuritystandards.org/security_standards/ped/pedapprovallist. html
Payment Application Data Security Standard (PA-DSS) • The PA-DSS is for software developers and integrators of payment applications that store, process or transmit cardholder data as part of authorization or settlement when these applications are sold, distributed or licensed to third parties. • Most card brands encourage merchants to use payment applications that are tested and approved by the PCI SSC. Validated applications are listed at: www.pcisecuritystandards.org/security_standards/pa_dss.shtml
PCI Data Security Standard (DSS) • The PCI DSS applies to all entities that store, process, and/or transmit cardholder data. • It covers technical and operational system components included in or connected to cardholder data. • If you are a merchant who accepts or processes payment cards, you must comply with the PCI DSS.
The PCI Security Standards Founders
Data on Payment Card
Track 1 vs. Track 2 Data
Track 1 vs. Track 2 Data (cont..)  If full track (either Track 1 or Track 2, from the magnetic stripe, magnetic- stripe image in a chip, or elsewhere) data is stored, malicious individuals who obtain that data can reproduce and sell payment cards around the world.  Full track data storage also violates the payment brands' operating regulations and can lead to fines and penalties.
What to store & what not to store
Guidelines for Storage 1. One-way hash functions based on strong cryptography – converts the entire PAN into a unique, fixed-length cryptographic value. 2. Truncation – permanently removes a segment of the data (for example, retaining only the last four digits). 3. Index tokens and securely stored pads – encryption algorithm that combines sensitive plain text data with a random key or “pad” that works only once. 4. Strong cryptography – with associated key management processes and procedures. Refer to the PCI DSS and PA-DSS Glossary of Terms, Abbreviations and Acronyms for the definition of “strong cryptography.”
The PCI Data Security Standard Six Goals, Twelve Requirements Build and Maintain a 1. Install and maintain a firewall configuration to protect cardholder Secure Network data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability 5. Use and regularly update anti-virus software or programs Management Program 6. Develop and maintain secure systems and applications Implement Strong Access 7. Restrict access to cardholder data by business need-to-know Control Measures 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly Monitor and 10. Track and monitor all access to network resources and cardholder Test Networks data 11. Regularly test security systems and processes Maintain an Information 12. Maintain a policy that addresses information security for Security Policy employees and contractors
Other PCI Standards
PCI SSC- Standards
PIN Transaction (PTS) Security Requirements • It is a set of security requirements focused on characteristics and management of devices used in the protection of cardholder PINs and other payment processing related activities. • The requirements are for manufacturers to follow in the design, manufacture and transport of a device to the entity that implements it. • Financial institutions, processors, merchants and service providers should only use devices or components that are tested and approved by the PCI SSC. www.pcisecuritystandards.org/security_standards/ped/pedapprovallist. html
PIN Transaction (PTS) Security Requirements (cont..) • Objective 1 : PINs used in transactions governed by these requirements are processed using equipment and methodologies that ensure they are kept secure. • Objective 2 : Cryptographic keys used for PIN encryption/decryption and related key management are created using processes that ensure that it is not possible to predict any key or determine that certain keys are more probable than other keys. • Objective 3 : Keys are conveyed or transmitted in a secure manner.
PIN Transaction (PTS) Security Requirements (cont..) • Objective 4 : Key-loading to hosts and PIN entry devices is handled in a secure manner. • Objective 5 : Keys are used in a manner that prevents or detects their unauthorized usage. • Objective 6 : Keys are administered in a secure manner. • Objective 7 : Equipment used to process PINs and keys is managed in a secure manner.
Payment Application Data Security Standard (PA-DSS) • The PA-DSS is for software developers and integrators of payment applications that store, process or transmit cardholder data as part of authorization or settlement when these applications are sold, distributed or licensed to third parties. • Most card brands encourage merchants to use payment applications that are tested and approved by the PCI SSC. Validated applications are listed at: www.pcisecuritystandards.org/security_standards/pa_dss.shtml
PA-DSS (cont..) • Requirement 1 : Do not retain full magnetic stripe, card verification code or value (CAV2, CID, CVC2, CVV2), or PIN block data • Requirement 2 : Protect stored cardholder data • Requirement 3 : Provide secure authentication features • Requirement 4 : Log payment application activity • Requirement 5 : Develop secure payment applications • Requirement 6 : Protect wireless transmissions • Requirement 7 : Test payment applications to address vulnerabilities • Requirement 8 : Facilitate secure network implementation • Requirement 9 : Cardholder data must never be stored on a server connected to the Internet
PA-DSS (cont..) • Requirement 10 : Facilitate secure remote access to payment application • Requirement 11 : Encrypt sensitive traffic over public networks • Requirement 12 : Encrypt all non-console administrative access • Requirement 13 : Maintain instructional documentation and training programs for customers, resellers, and integrators
Thank you! Questions / Queries NETWORK INTELLIGENCE INDIA PVT. LTD. AN ISO/IEC 27001:2005 CERTIFIED COMPANY Web http://www.niiconsulting.com Email kkmookhey@niiconsulting.com Tel +91-22-2839-2628 +91-22-4005-2628 Fax +91-22-2837-5454

Recommended

A practical guides to PCI compliance
A practical guides to PCI complianceA practical guides to PCI compliance
A practical guides to PCI compliance
Jisc
 
Application Security Verification Standard Project
Application Security Verification Standard ProjectApplication Security Verification Standard Project
Application Security Verification Standard Project
Narudom Roongsiriwong, CISSP
 
information security management
information security managementinformation security management
information security management
Gurpreetkaur838
 
Cyber security investments 2021
Cyber security investments 2021Cyber security investments 2021
Cyber security investments 2021
Management Events
 
Cyber Security 2017 Challenges
Cyber Security 2017 ChallengesCyber Security 2017 Challenges
Cyber Security 2017 Challenges
Leandro Bennaton
 
Security architecture
Security architectureSecurity architecture
Security architecture
Duncan Unwin
 
Introduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity FrameworkIntroduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity Framework
Tuan Phan
 
Cybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your OrganizationCybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your Organization
TriCorps Technologies
 

Recommended

A practical guides to PCI compliance
A practical guides to PCI complianceA practical guides to PCI compliance
A practical guides to PCI compliance
Jisc
 
Application Security Verification Standard Project
Application Security Verification Standard ProjectApplication Security Verification Standard Project
Application Security Verification Standard Project
Narudom Roongsiriwong, CISSP
 
information security management
information security managementinformation security management
information security management
Gurpreetkaur838
 
Cyber security investments 2021
Cyber security investments 2021Cyber security investments 2021
Cyber security investments 2021
Management Events
 
Cyber Security 2017 Challenges
Cyber Security 2017 ChallengesCyber Security 2017 Challenges
Cyber Security 2017 Challenges
Leandro Bennaton
 
Security architecture
Security architectureSecurity architecture
Security architecture
Duncan Unwin
 
Introduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity FrameworkIntroduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity Framework
Tuan Phan
 
Cybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your OrganizationCybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your Organization
TriCorps Technologies
 
Securityawareness
SecurityawarenessSecurityawareness
Securityawareness
JayfErika
 
To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?
To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?
To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?
NetEnrich, Inc.
 
Cyber-Security Certifications
Cyber-Security CertificationsCyber-Security Certifications
Cyber-Security Certifications
Nithin Sai
 
Information Security Awareness And Training Business Case For Web Based Solut...
Information Security Awareness And Training Business Case For Web Based Solut...Information Security Awareness And Training Business Case For Web Based Solut...
Information Security Awareness And Training Business Case For Web Based Solut...
Michael Kaishar, MSIA | CISSP
 
Information Security Career Day Presentation
Information Security Career Day PresentationInformation Security Career Day Presentation
Information Security Career Day Presentation
djglass
 
Security metrics
Security metrics Security metrics
Security metrics
PRAYAGRAJ11
 
Information Security vs. Data Governance vs. Data Protection: What Is the Rea...
Information Security vs. Data Governance vs. Data Protection: What Is the Rea...Information Security vs. Data Governance vs. Data Protection: What Is the Rea...
Information Security vs. Data Governance vs. Data Protection: What Is the Rea...
PECB
 
P2PE - PCI DSS
P2PE - PCI DSSP2PE - PCI DSS
P2PE - PCI DSS
ControlCase
 
Noah Maina: Computer Emergency Response Team (CERT)
Noah Maina: Computer Emergency Response Team (CERT)Noah Maina: Computer Emergency Response Team (CERT)
Noah Maina: Computer Emergency Response Team (CERT)
Hamisi Kibonde
 
Security Policies and Standards
Security Policies and StandardsSecurity Policies and Standards
Security Policies and Standards
primeteacher32
 
Implementing CSIRT based on some frameworks and maturity model
Implementing CSIRT based on some frameworks and maturity modelImplementing CSIRT based on some frameworks and maturity model
Implementing CSIRT based on some frameworks and maturity model
Rakuten Group, Inc.
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023
PECB
 
Introduction to PCI DSS
Introduction to PCI DSSIntroduction to PCI DSS
Introduction to PCI DSS
Saumya Vishnoi
 
Anatomy of a cyber attack
Anatomy of a cyber attackAnatomy of a cyber attack
Anatomy of a cyber attack
Mark Silver
 
7 cyber security questions for boards
7 cyber security questions for boards7 cyber security questions for boards
7 cyber security questions for boards
Paul McGillicuddy
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
Krist Davood - Principal - CIO
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity framework
Shriya Rai
 
Understanding the Cyber Security Vendor Landscape
Understanding the Cyber Security Vendor LandscapeUnderstanding the Cyber Security Vendor Landscape
Understanding the Cyber Security Vendor Landscape
Sounil Yu
 
Security policies
Security policiesSecurity policies
Security policies
Nishant Pahad
 
PCI DSS
PCI DSSPCI DSS
PCI DSS
Duy Do Phan
 
PCI DSS for Penetration Testing
PCI DSS for Penetration TestingPCI DSS for Penetration Testing
PCI DSS for Penetration Testing
Network Intelligence India
 
Pci standards, from participation to implementation and review
Pci standards, from participation to implementation and reviewPci standards, from participation to implementation and review
Pci standards, from participation to implementation and review
isc2-hellenic
 

More Related Content

What's hot

Information Security vs. Data Governance vs. Data Protection: What Is the Rea...
Information Security vs. Data Governance vs. Data Protection: What Is the Rea...Information Security vs. Data Governance vs. Data Protection: What Is the Rea...
Information Security vs. Data Governance vs. Data Protection: What Is the Rea...
PECB
 
Noah Maina: Computer Emergency Response Team (CERT)
Noah Maina: Computer Emergency Response Team (CERT)Noah Maina: Computer Emergency Response Team (CERT)
Noah Maina: Computer Emergency Response Team (CERT)
Hamisi Kibonde
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023
PECB
 
7 cyber security questions for boards
7 cyber security questions for boards7 cyber security questions for boards
7 cyber security questions for boards
Paul McGillicuddy
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
Krist Davood - Principal - CIO
 

What's hot (20)

Securityawareness
SecurityawarenessSecurityawareness
Securityawareness
 
To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?
To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?
To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?
 
Cyber-Security Certifications
Cyber-Security CertificationsCyber-Security Certifications
Cyber-Security Certifications
 
Information Security Awareness And Training Business Case For Web Based Solut...
Information Security Awareness And Training Business Case For Web Based Solut...Information Security Awareness And Training Business Case For Web Based Solut...
Information Security Awareness And Training Business Case For Web Based Solut...
 
Information Security Career Day Presentation
Information Security Career Day PresentationInformation Security Career Day Presentation
Information Security Career Day Presentation
 
Security metrics
Security metrics Security metrics
Security metrics
 
Information Security vs. Data Governance vs. Data Protection: What Is the Rea...
Information Security vs. Data Governance vs. Data Protection: What Is the Rea...Information Security vs. Data Governance vs. Data Protection: What Is the Rea...
Information Security vs. Data Governance vs. Data Protection: What Is the Rea...
 
P2PE - PCI DSS
P2PE - PCI DSSP2PE - PCI DSS
P2PE - PCI DSS
 
Noah Maina: Computer Emergency Response Team (CERT)
Noah Maina: Computer Emergency Response Team (CERT)Noah Maina: Computer Emergency Response Team (CERT)
Noah Maina: Computer Emergency Response Team (CERT)
 
Security Policies and Standards
Security Policies and StandardsSecurity Policies and Standards
Security Policies and Standards
 
Implementing CSIRT based on some frameworks and maturity model
Implementing CSIRT based on some frameworks and maturity modelImplementing CSIRT based on some frameworks and maturity model
Implementing CSIRT based on some frameworks and maturity model
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023
 
Introduction to PCI DSS
Introduction to PCI DSSIntroduction to PCI DSS
Introduction to PCI DSS
 
Anatomy of a cyber attack
Anatomy of a cyber attackAnatomy of a cyber attack
Anatomy of a cyber attack
 
7 cyber security questions for boards
7 cyber security questions for boards7 cyber security questions for boards
7 cyber security questions for boards
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity framework
 
Understanding the Cyber Security Vendor Landscape
Understanding the Cyber Security Vendor LandscapeUnderstanding the Cyber Security Vendor Landscape
Understanding the Cyber Security Vendor Landscape
 
Security policies
Security policiesSecurity policies
Security policies
 
PCI DSS
PCI DSSPCI DSS
PCI DSS
 

Similar to PCI DSS for Pentesting

pci-comp pci requirements and controls.ppt
pci-comp pci requirements and controls.pptpci-comp pci requirements and controls.ppt
pci-comp pci requirements and controls.ppt
gealehegn
 
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNetPayment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
SafeNet
 
Educause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptxEducause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptx
gealehegn
 
SFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA PerspectiveSFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA Perspective
Mark Akins
 
Risk Factory: PCI - The Essentials
Risk Factory: PCI - The EssentialsRisk Factory: PCI - The Essentials
Risk Factory: PCI - The Essentials
Risk Crew
 

Similar to PCI DSS for Pentesting (20)

PCI DSS for Penetration Testing
PCI DSS for Penetration TestingPCI DSS for Penetration Testing
PCI DSS for Penetration Testing
 
Pci standards, from participation to implementation and review
Pci standards, from participation to implementation and reviewPci standards, from participation to implementation and review
Pci standards, from participation to implementation and review
 
PCI Compliance (for developers)
PCI Compliance (for developers)PCI Compliance (for developers)
PCI Compliance (for developers)
 
PCI Certification and remediation services
PCI Certification and remediation servicesPCI Certification and remediation services
PCI Certification and remediation services
 
PCI DSS and PA DSS Compliance
PCI DSS and PA DSS CompliancePCI DSS and PA DSS Compliance
PCI DSS and PA DSS Compliance
 
Payment Card Industry Security Standards
Payment Card Industry Security StandardsPayment Card Industry Security Standards
Payment Card Industry Security Standards
 
PCI DSSand PA DSS
PCI DSSand PA DSSPCI DSSand PA DSS
PCI DSSand PA DSS
 
Pcidss qr gv3_1
Pcidss qr gv3_1Pcidss qr gv3_1
Pcidss qr gv3_1
 
pci-comp pci requirements and controls.ppt
pci-comp pci requirements and controls.pptpci-comp pci requirements and controls.ppt
pci-comp pci requirements and controls.ppt
 
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNetPayment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
 
Educause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptxEducause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptx
 
SFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA PerspectiveSFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA Perspective
 
PCI DSS and PA DSS Compliance
PCI DSS and PA DSS CompliancePCI DSS and PA DSS Compliance
PCI DSS and PA DSS Compliance
 
Risk Factory: PCI - The Essentials
Risk Factory: PCI - The EssentialsRisk Factory: PCI - The Essentials
Risk Factory: PCI - The Essentials
 
Pci dss-for-it-providers
Pci dss-for-it-providersPci dss-for-it-providers
Pci dss-for-it-providers
 
PCI DSS and PA DSS
PCI DSS and PA DSSPCI DSS and PA DSS
PCI DSS and PA DSS
 
Quick Reference Guide to the PCI Data Security Standard
Quick Reference Guide to the PCI Data Security StandardQuick Reference Guide to the PCI Data Security Standard
Quick Reference Guide to the PCI Data Security Standard
 
Pci ssc quick reference guide
Pci ssc quick reference guidePci ssc quick reference guide
Pci ssc quick reference guide
 
Making Compliance Business as Usual
Making Compliance Business as UsualMaking Compliance Business as Usual
Making Compliance Business as Usual
 
PCI-DSS for IDRBT
PCI-DSS for IDRBTPCI-DSS for IDRBT
PCI-DSS for IDRBT
 

More from n|u - The Open Security Community

More from n|u - The Open Security Community (20)

Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
 
Osint primer
Osint primerOsint primer
Osint primer
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Metasploit primary
Metasploit primaryMetasploit primary
Metasploit primary
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logs
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
 
Cloud security
Cloud security Cloud security
Cloud security
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Process
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacks
 
Linux for hackers
Linux for hackersLinux for hackers
Linux for hackers
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 

PCI DSS for Pentesting

  • 1. PCI DSS for Penetration Testers K. K. Mookhey
  • 2. What is PCI DSS ?  Payment Card Industry (PCI) Data Security Standard (DSS)  PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data.  PCI DSS comprises a minimum set of requirements for protecting cardholder data, and may be enhanced by additional controls and practices to further mitigate risks
  • 3. Why Is Compliance with PCI DSS Important?  A security breach and subsequent compromise of payment card data has far-reaching consequences for affected organizations, including:  Regulatory notification requirements,  Loss of reputation,  Loss of customers,  Potential financial liabilities (for example, regulatory and other fees and fines), and  Litigation.
  • 4.
  • 5. PCI DSS Payment Card Industry Data Security Standard  Standard applies to:  Merchants  Service Providers (Third Third-party vendor, gateways)  Systems (Hardware, software)  Who:  Store cardholder data  Transmit cardholder data  Process cardholder data  Inclusive of:  Electronic Transactions  Paper Transactions
  • 6. The PCI Security Standards Council (PCI SSC)  An open global forum, launched in 2006, responsible for the development, management, education, and awareness of the PCI Security Standards, including:  Data Security Standard (DSS)  Payment Application Data Security Standard (PA-DSS)  Pin Transaction Security (PTS)  Formally known as Pin-Entry Device (PED) PCI PTS PCI PA-DSS PCI DSS
  • 8. PIN Transaction (PTS) Security Requirements • It is a set of security requirements focused on characteristics and management of devices used in the protection of cardholder PINs and other payment processing related activities. • The requirements are for manufacturers to follow in the design, manufacture and transport of a device to the entity that implements it. • Financial institutions, processors, merchants and service providers should only use devices or components that are tested and approved by the PCI SSC. www.pcisecuritystandards.org/security_standards/ped/pedapprovallist. html
  • 9. Payment Application Data Security Standard (PA-DSS) • The PA-DSS is for software developers and integrators of payment applications that store, process or transmit cardholder data as part of authorization or settlement when these applications are sold, distributed or licensed to third parties. • Most card brands encourage merchants to use payment applications that are tested and approved by the PCI SSC. Validated applications are listed at: www.pcisecuritystandards.org/security_standards/pa_dss.shtml
  • 10. PCI Data Security Standard (DSS) • The PCI DSS applies to all entities that store, process, and/or transmit cardholder data. • It covers technical and operational system components included in or connected to cardholder data. • If you are a merchant who accepts or processes payment cards, you must comply with the PCI DSS.
  • 11. The PCI Security Standards Founders
  • 13. Track 1 vs. Track 2 Data
  • 14. Track 1 vs. Track 2 Data (cont..)  If full track (either Track 1 or Track 2, from the magnetic stripe, magnetic- stripe image in a chip, or elsewhere) data is stored, malicious individuals who obtain that data can reproduce and sell payment cards around the world.  Full track data storage also violates the payment brands' operating regulations and can lead to fines and penalties.
  • 15. What to store & what not to store
  • 16. Guidelines for Storage 1. One-way hash functions based on strong cryptography – converts the entire PAN into a unique, fixed-length cryptographic value. 2. Truncation – permanently removes a segment of the data (for example, retaining only the last four digits). 3. Index tokens and securely stored pads – encryption algorithm that combines sensitive plain text data with a random key or “pad” that works only once. 4. Strong cryptography – with associated key management processes and procedures. Refer to the PCI DSS and PA-DSS Glossary of Terms, Abbreviations and Acronyms for the definition of “strong cryptography.”
  • 17. The PCI Data Security Standard Six Goals, Twelve Requirements Build and Maintain a 1. Install and maintain a firewall configuration to protect cardholder Secure Network data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability 5. Use and regularly update anti-virus software or programs Management Program 6. Develop and maintain secure systems and applications Implement Strong Access 7. Restrict access to cardholder data by business need-to-know Control Measures 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly Monitor and 10. Track and monitor all access to network resources and cardholder Test Networks data 11. Regularly test security systems and processes Maintain an Information 12. Maintain a policy that addresses information security for Security Policy employees and contractors
  • 20. PIN Transaction (PTS) Security Requirements • It is a set of security requirements focused on characteristics and management of devices used in the protection of cardholder PINs and other payment processing related activities. • The requirements are for manufacturers to follow in the design, manufacture and transport of a device to the entity that implements it. • Financial institutions, processors, merchants and service providers should only use devices or components that are tested and approved by the PCI SSC. www.pcisecuritystandards.org/security_standards/ped/pedapprovallist. html
  • 21. PIN Transaction (PTS) Security Requirements (cont..) • Objective 1 : PINs used in transactions governed by these requirements are processed using equipment and methodologies that ensure they are kept secure. • Objective 2 : Cryptographic keys used for PIN encryption/decryption and related key management are created using processes that ensure that it is not possible to predict any key or determine that certain keys are more probable than other keys. • Objective 3 : Keys are conveyed or transmitted in a secure manner.
  • 22. PIN Transaction (PTS) Security Requirements (cont..) • Objective 4 : Key-loading to hosts and PIN entry devices is handled in a secure manner. • Objective 5 : Keys are used in a manner that prevents or detects their unauthorized usage. • Objective 6 : Keys are administered in a secure manner. • Objective 7 : Equipment used to process PINs and keys is managed in a secure manner.
  • 23. Payment Application Data Security Standard (PA-DSS) • The PA-DSS is for software developers and integrators of payment applications that store, process or transmit cardholder data as part of authorization or settlement when these applications are sold, distributed or licensed to third parties. • Most card brands encourage merchants to use payment applications that are tested and approved by the PCI SSC. Validated applications are listed at: www.pcisecuritystandards.org/security_standards/pa_dss.shtml
  • 24. PA-DSS (cont..) • Requirement 1 : Do not retain full magnetic stripe, card verification code or value (CAV2, CID, CVC2, CVV2), or PIN block data • Requirement 2 : Protect stored cardholder data • Requirement 3 : Provide secure authentication features • Requirement 4 : Log payment application activity • Requirement 5 : Develop secure payment applications • Requirement 6 : Protect wireless transmissions • Requirement 7 : Test payment applications to address vulnerabilities • Requirement 8 : Facilitate secure network implementation • Requirement 9 : Cardholder data must never be stored on a server connected to the Internet
  • 25. PA-DSS (cont..) • Requirement 10 : Facilitate secure remote access to payment application • Requirement 11 : Encrypt sensitive traffic over public networks • Requirement 12 : Encrypt all non-console administrative access • Requirement 13 : Maintain instructional documentation and training programs for customers, resellers, and integrators
  • 26. Thank you! Questions / Queries NETWORK INTELLIGENCE INDIA PVT. LTD. AN ISO/IEC 27001:2005 CERTIFIED COMPANY Web http://www.niiconsulting.com Email kkmookhey@niiconsulting.com Tel +91-22-2839-2628 +91-22-4005-2628 Fax +91-22-2837-5454