These are not the Credit Cards you’re looking for
A hopefully interesting PCI DSS introduction
Ryan Stenhouse, Ruby Engineer
@ryanstenhouse ryan.stenhou.se
Hi, I’m Ryan Stenhouse
Ruby Engineer at FreeAgent

‣ @ryanstenhouse
‣ http://ryan.stenhou.se
‣ Blogs, writes Ruby, has been through PCI DSS compliance as a Level 1 service provider
‣ Works with the awesome folks at FreeAgent
PCI DSS - Guh, wha?
How to baffle a room-full of people in one go

‣ PCI DSS is a mandatory security standard that everyone who deals with credit card information has to adhere to
‣ Complicated and annoying, but defeatable with common-sense and good planning
‣ Can’t be ignored
‣ Can be quite costly
What I’m going to talk about
How to baffle a room-full of people in one go

‣ Self-Assessment Compliance
‣ What you need to worry about
‣ Where it gets annoying
‣ Quick wins and bear traps
‣ Logging
Self Assessment Compliance
Tax doesn’t have to be taxing

‣ Probably the most relevant to the audience here.
‣ SAQ A
‣ SAQ C
‣ There are others
SAQ A - Nice and simple
Nothing to see here sir, move it along

‣ If you outsource all your card processing to someone like PayPal and never touch card data, this is for you.
‣ Only 13 questions to answer, from Requirements 9 and 12.
SAQ C - More involved
More risk, but more reward

‣ If you capture, then transmit card information on (think ActiveMerchant) but don’t store CHD, then you need SAQ C.
‣ 80 questions to answer from requirements 1 - 9, 11 & 12.
‣ Needs a lot more documentation, business policy and technical work
‣ Probably ‘as bad as it gets’
What you need to worry about
As a developer

‣ For SAQ A, nothing. Really.
‣ For SAQ C, it gets more complicated. You need to have an organisation policy around development ‘best practices’ and security. You need to keep on top of patches, and you need to be up to speed on things like OWASP’s recommendations.
‣ I’ll come back to this later
What you need to worry about
As a sysadmin

‣ For SAQ A, nothing. Really.
‣ For SAQ C, you’re probably going to have to spend a lot of time hardening your machines, footering around with your network(s) and generally having a lot of overheads. There need to be various documented policies in place that must be followed.
‣ I’ll come back to this later
What you need to worry about
As a business

‣ If you’re not compliant, the consequences can be as dire as your acquirer stopping you from being able to accept payment by card and hitting you with massive fines.
‣ For SAQ C, you’re going to need to put in place a lot of policy and procedural documentation.
‣ You need to and must be PCI DSS
Bored yet? Quick wins!
Q: Did you hear about the constipated Accountant?

‣ Go for SAQ A unless there’s a good business reason not to.
‣ If you need SAQ C or higher, save some pain and kill your Wi-Fi
‣ Outsource whatever you can to a PCI DSS certified supplier.
Here are the bear traps
A: She worked it out with a pencil

‣ PCI’s logging requirements are challenging to say the least.
‣ For very small teams, you can’t always segregate roles and responsibilities as you’d like.
‣ Quarterly ASV scans, Pen Tests every time you make a network change.
Change Management
Change is difficult and needs to be documented

‣ You will need to have a documented and enforced change management procedure for your application(s).
‣ It needs to include the details of the change, why it’s needed, the impact of the risk, pre- and post-deployment test plans and a rollback strategy.
FIM and IDS
On your cardholder environment

‣ You need to be able to protect your machines from unauthorised access and changes; a good FIM and IDS tool is required for this (if your firewall doesn’t do it).
‣ OSSEC, a free project by Trend Micro, is perfect for this.
Logging
Harder than Chinese algebra

‣ PCI’s logging requirements are vast, complicated and crucial to maintain a useful audit trail.
‣ Logs should be centralised, backed up and properly protected against unauthorised changes and access.
Logging
Harder than Chinese algebra

‣ You need to keep 6 months on hand and 2 (or more) years’ worth in archive.
‣ Logs need to be audited.
‣ The creation of logs needs to be logged.
‣ rsyslogd and a lot of painful configuration is good enough if you document what you do.
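Added example, not from the talk: a small POSIX shell retention job that implements the two windows above, moving files older than 180 days out of the live log directory into a tarball with a SHA-256 manifest, re-verifying those manifests, pruning bundles past 730 days, and appending every one of those actions to an audit log so the handling of logs is itself logged. The directory layout, the 180/730-day defaults and the use of GNU find, tar and coreutils are assumptions.

```shell
#!/bin/sh
# Log retention helper (added example). Keeps recent logs online, moves older
# ones into a hashed archive bundle, verifies bundles, and records every
# archive/prune action in an audit log.
# Assumptions: GNU find/tar/coreutils; ONLINE_DAYS=180 and ARCHIVE_DAYS=730
# stand in for the deck's "6 months on hand, 2 years in archive".

# archive_old_logs LIVE_DIR ARCHIVE_DIR AUDIT_LOG [ONLINE_DAYS]
# Prints the path of the bundle it created (nothing if there was nothing to do).
archive_old_logs() {
    live=$(cd "$1" && pwd) || return 1
    mkdir -p "$2" && archive=$(cd "$2" && pwd) || return 1
    audit="$3"; days="${4:-180}"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    list="$archive/.pending-$stamp"
    # -mtime +N selects files modified more than N days ago; only the file
    # names are recorded so tar can be run from inside LIVE_DIR.
    find "$live" -maxdepth 1 -type f -mtime "+$days" -exec basename {} \; > "$list"
    if [ ! -s "$list" ]; then
        rm -f "$list"
        printf '%s archive: nothing older than %s days in %s\n' "$stamp" "$days" "$live" >> "$audit"
        return 0
    fi
    bundle="$archive/logs-$stamp.tar.gz"
    (cd "$live" && tar -czf "$bundle" -T "$list") || return 1
    # The manifest is what a later integrity check (and an auditor) compares
    # against; keep it beside the bundle and copy it off-box as well.
    (cd "$archive" && sha256sum "$(basename "$bundle")" > "logs-$stamp.sha256") || return 1
    count=$(wc -l < "$list" | tr -d ' ')
    while IFS= read -r f; do rm -f "$live/$f"; done < "$list"
    rm -f "$list"
    printf '%s archive: moved %s file(s) from %s into %s\n' \
        "$stamp" "$count" "$live" "$bundle" >> "$audit"
    echo "$bundle"
}

# verify_archive ARCHIVE_DIR
# Re-checks every manifest; returns 1 on any mismatch or missing bundle.
verify_archive() {
    archive=$(cd "$1" && pwd) || return 1
    status=0
    for manifest in "$archive"/*.sha256; do
        [ -e "$manifest" ] || continue
        (cd "$archive" && sha256sum -c --status "$(basename "$manifest")") || status=1
    done
    return $status
}

# prune_archive ARCHIVE_DIR AUDIT_LOG [ARCHIVE_DAYS]
# Deletes bundles and manifests past the archive window, logging each removal.
prune_archive() {
    archive=$(cd "$1" && pwd) || return 1
    audit="$2"; days="${3:-730}"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    find "$archive" -maxdepth 1 -type f \( -name 'logs-*.tar.gz' -o -name 'logs-*.sha256' \) \
        -mtime "+$days" -print | while IFS= read -r f; do
        rm -f "$f"
        printf '%s prune: removed %s (older than %s days)\n' "$stamp" "$f" "$days" >> "$audit"
    done
}
```

Run archive_old_logs from a daily cron entry and verify_archive from the audit job; the audit log itself should be shipped to the central syslog host like any other log.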
Some stuff about networking
Ask me more about this, I tend to ramble

‣ You need to properly isolate your cardholder environment from the rest of your network.
‣ This will mean one or more firewalls; iptables has been good enough for me in the past.
‣ You need to regularly audit your firewall configuration (quarterly).
‣ Penetration tests every time you
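Added example, not from the talk: an iptables-restore ruleset for a host inside the cardholder environment, emitted by a shell function so the addresses can be substituted per deployment. It is default-deny in both directions, allows only the app tier, one jump host, the central log server, the payment gateway, DNS and NTP, and logs (rate-limited) everything it refuses so those events land in the same syslog trail as the rest. The addresses, ports and tier names are constructed assumptions, not FreeAgent's network.

```shell
#!/bin/sh
# Emits an iptables-restore ruleset for a CDE host (added example).
# Apply with:   cde_firewall_rules | iptables-restore
# and keep a dated copy from iptables-save for the quarterly review, so the
# live rules can be diffed against the documented ones.

# cde_firewall_rules [WEB_TIER_CIDR] [ADMIN_HOST] [LOG_SERVER] [GATEWAY_HOST]
cde_firewall_rules() {
    web="${1:-10.0.1.0/24}"      # only the app tier may reach the card-capture service
    admin="${2:-10.0.9.5}"       # single jump host allowed to SSH in
    logsrv="${3:-10.0.9.10}"     # central syslog host (TLS on 6514)
    gateway="${4:-203.0.113.10}" # payment processor endpoint (constructed)
    cat <<EOF
*filter
# Default-deny in every direction: anything not listed is logged, then dropped.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:CDE_LOG_DROP - [0:0]

# Loopback and replies to connections we already accepted.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP

# Inbound: the capture service from the app tier, SSH from the jump host only.
-A INPUT -p tcp -s $web --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -s $admin --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j CDE_LOG_DROP

# Outbound: only the log server, the payment gateway, DNS and NTP.
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp -d $logsrv --dport 6514 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp -d $gateway --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p udp --dport 123 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -j CDE_LOG_DROP

# Rate-limited logging of refused traffic, so the audit trail shows every
# blocked attempt without the firewall becoming a log-flood problem itself.
-A CDE_LOG_DROP -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "CDE-DROP: " --log-level 4
-A CDE_LOG_DROP -j DROP
COMMIT
EOF
}
```

An unexpected "CDE-DROP:" line from inside the environment (for instance an outbound connection to an address that is not the gateway or the log server) is exactly the kind of event the logging slides want preserved and reviewed.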
Misc Advice
Stuff that occurred to me as I was writing this up

‣ VMs are a-ok as far as ‘servers’ for PCI are concerned.
‣ You need to identify and isolate ALL of your cardholder data. Consolidate it to one place and your life will be easier.
‣ If you’re in doubt, hire a QSA for the day (might be quite expensive).