This document discusses IBM DataPower PCI solutions. It provides an overview of the Payment Card Industry Data Security Standard (PCI DSS) and its requirements. It then describes how IBM DataPower appliances can help organizations meet many of the PCI DSS requirements by providing functions like firewalling, encryption, access control, logging, and security policy management. The document also highlights some of DataPower's key products and capabilities for PCI compliance, and provides contact information for the IBM sales representative.
IBM DataPower PCI Solutions
1. IBM DataPower PCI Solutions
Steven Cawn, WebSphere DataPower Worldwide Sales Leader
scawn@us.ibm.com
2. What is PCI DSS?
• The Payment Card Industry Data Security Standard (PCI DSS) is a global security program created to increase confidence in the payment card industry and to reduce risks to PCI members, merchants, service providers and consumers.
3. Payment Card Industry – History
Defined by the Payment Card Industry Security Standards Council, the standard was created to increase controls around cardholder data and so reduce the credit card fraud that follows from exposure of that data. Compliance is validated annually: by an external Qualified Security Assessor (QSA) for organizations handling large transaction volumes, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.
• Initial specification adopted December 2004
• 1.1 specification adopted September 2006
• 1.2 specification adopted October 2008
• 1.2.1 specification adopted August 2009
• 2.0 specification adopted October 2010
• Effective January 2011, every institution is assessed against the 2.0 specification
4. To Whom Does PCI DSS Apply?
• All merchants & service providers that store, process, use,
or transmit cardholder data
• Retail (e-commerce & brick & mortar)
• Hospitality (restaurants, hotels, casinos)
• Convenience Stores (gas stations, fast food)
• Transportation (airlines, car rental, travel agencies)
• Financial Services (credit card processors, banks, insurance companies)
• Healthcare/Education (hospitals, universities)
• Government (where payment cards are accepted)
5. PCI DSS Requirements “The Digital Dozen”
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data sent across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security (including the connected entities and contracts through which cardholder data is shared)
(Requirement wording as in PCI DSS version 1.1)
6. PCI Non-Compliance Consequences (Global)
• If non-compliant and a breach occurs…
– Merchants/service providers are liable for the acquiring bank's losses, the cost of the investigation, litigation costs and card re-issuance costs
– Fines per incident from Visa (levied against the acquiring bank)
– Restrictions imposed by the card companies (up to prohibiting future credit card processing)
– Repayment of losses may exceed the ability to pay and cause total failure of the organization
• Other potential consequences:
– Damaged brand reputation
– Invasive media attention
– Loss of customers
7. Over 1,800 worldwide installations and growing
Government: agencies and ministries; defense and security organizations; crown corporations
Banking: 80% of the top 100 banks; numerous regional banks and credit unions; SaaS providers, ASPs, regulators, etc.
Insurance: used by 95% of the top global insurance firms; SaaS providers, ASPs, regulators, etc.
Many, many more: retailers; utilities, power, oil and gas; airlines; etc.
8. What are WebSphere DataPower Appliances?
Business Value
The purpose of WebSphere DataPower Appliances is to take the "hard parts" of SOA deployments (service security, integration, ESB, load distribution, etc.) that are traditionally performed by software on application servers, yet have nothing to do with business logic, and move those "hard parts" into highly efficient, hardened, configuration-driven devices in the network.
By moving this computationally intensive "grunt work" into the network, your application servers regain cycles to do what you pay for them to do: run business logic.
9. What are WebSphere DataPower Appliances?
Product Value
"Specialized, purpose-built, hardened embedded network devices that take the 'hard parts' of SOA security and integration, which traditionally require complex and costly software systems, and deliver them in a simple 'uncrate, rack, configure and deploy' platform."
A powerful and uniquely efficient message- and file-oriented, configuration-driven security and integration platform with the extremely low operational TCO of a true network device.
10. WebSphere DataPower - Use Cases
(Diagram: network zones Internet, DMZ, Trusted Domain and Application from left to right; consumers shown are Business, Application and Mobile clients; back-end systems shown are System z and the HMC.)
1. B2B Partner Gateway
2. Secure Gateway (Web Services, Web Applications)
3. Intelligent Load Distribution
4. Internal Security
5. Enterprise Service Bus
6. Web Service Management
7. Legacy Integration (System z)
8. Run-time SOA Governance
11. WebSphere DataPower and the PCI DSS "Digital Dozen"
WebSphere DataPower is an ideal solution for many of the requirements. The original slide rates each requirement as either "Complete solution" or "Part of solution".
• Build and Maintain a Secure Network
– Requirement 1: Install and maintain a firewall configuration to protect cardholder data
– Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
• Protect Cardholder Data
– Requirement 3: Protect stored cardholder data
– Requirement 4: Encrypt transmission of cardholder data across open, public networks
• Maintain a Vulnerability Management Program
– Requirement 5: Use and regularly update anti-virus software
– Requirement 6: Develop and maintain secure systems and applications
• Implement Strong Access Control Measures
– Requirement 7: Restrict access to cardholder data by business need-to-know
– Requirement 8: Assign a unique ID to each person with computer access
– Requirement 9: Restrict physical access to cardholder data
• Regularly Monitor and Test Networks
– Requirement 10: Track and monitor all access to network resources and cardholder data
– Requirement 11: Regularly test security systems and processes
• Maintain an Information Security Policy
– Requirement 12: Maintain a policy that addresses information security
12. DataPower - Key Functions for PCI Compliance
Easy-to-use appliance, purpose-built for SOA security
Req. 1
Web Services (XML) - filter on any content, metadata or network variables
Web Application Firewall - HTTP protocol filtering, threat protection, cookie handling
Data Validation - approve incoming/outgoing web traffic, Web Services and XML at wire speed
Req. 3, 4
Field-Level Security - WS-Security; encrypt and sign individual fields; non-repudiation
Transport-layer encryption - HTTPS (HTTP over SSL/TLS)
Req. 5
Anti-Virus Protection - messages and attachments checked for viruses; integrates with corporate virus-checking software through the ICAP protocol
Req. 7, 8, 9
XML Web Services Access Control/AAA - SAML, LDAP, RADIUS, etc.
Req. 10
Management & Logging - manage and track services, logging of all activities, audit
Req. 12
Security Policy Management - security policies "universally understood" by multiple software solutions, easing the PCI certification process
Easy Configuration & Management - WebGUI, CLI, IDE and Eclipse configuration to address broad organizational needs (architects, developers, network operations, security)
13. WebSphere DataPower: Protecting Cardholder Data
Incoming message (data not encrypted), element names as drawn on the slide:
<Credit Card>
  <Cust>Brian P. Bell</Cust>
  <CreditCardNumber>3732 955939 395500</CreditCardNumber>
  <Credit Type>AMEX</Credit Type>
  ……………….
</Credit Card>
Encrypted and digitally signed message:
<Credit Card>
  <Cust>Brian P. Bell</Cust>
  <Encrypted CCN>ws389maz301</Encrypted CCN>
  <Credit Type>AMEX</Credit Type>
  ……………….
</Credit Card>
Flow: the client sends credit card information to be stored in the database through a supported protocol (HTTP/s, MQ, Tibco, JMS, FTPs, NFS, etc.). DataPower encrypts the card number and delivers the encrypted XML to the database (direct DB connect), where the encrypted card number is stored for later use. A response message confirming insertion of the encrypted credit card number is returned through DataPower to the client.
Key functions: terminate SSL; defend against XML threats; validate XML (schema); authentication; authorization; audit/transaction logging; filter data; encrypt/decrypt message; digitally sign message; mask back-end resources; route based on content.
Requirement 3: Protect stored cardholder data.
Requirement 4: Encrypt transmission of cardholder data across open, public networks.
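Below is an added worked example of the flow on this slide, written for this page in Go; it is not from the deck and not DataPower configuration. It parses the inbound message, encrypts only the card number with AES-256-GCM, drops the plaintext element, re-serializes and signs the result with HMAC-SHA256, and on the consumer side verifies the signature before decrypting. AES-GCM and HMAC stand in for the WS-Security XML Encryption and XML Signature an appliance would apply; the element names are the slide's with the spaces removed so the document is well-formed XML; the keys and the sample message are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
)

// CreditCard mirrors the slide's message: CreditCardNumber in clear on the way in,
// only EncryptedCCN on the way out (omitempty drops whichever is empty).
type CreditCard struct {
	XMLName          xml.Name `xml:"CreditCard"`
	Cust             string   `xml:"Cust"`
	CreditCardNumber string   `xml:"CreditCardNumber,omitempty"`
	EncryptedCCN     string   `xml:"EncryptedCCN,omitempty"`
	CreditType       string   `xml:"CreditType"`
}

// Constructed sample input carrying the value shown on the slide.
const sampleMessage = `<CreditCard><Cust>Brian P. Bell</Cust><CreditCardNumber>3732 955939 395500</CreditCardNumber><CreditType>AMEX</CreditType></CreditCard>`

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptField seals one field with AES-256-GCM; the random nonce is prepended,
// so two encryptions of the same PAN never yield the same ciphertext.
func encryptField(key []byte, plaintext string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, []byte(plaintext), nil)), nil
}

// decryptField reverses encryptField; the GCM tag check rejects tampered ciphertext.
func decryptField(key []byte, encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
	return string(pt), err
}

// mac is HMAC-SHA256 over the serialized message: a shared-key MAC standing in
// for the XML digital signature an appliance would apply.
func mac(macKey, msg []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	m.Write(msg)
	return m.Sum(nil)
}

// protectMessage is the gateway's inbound step: parse, encrypt only the PAN,
// drop the plaintext element, re-serialize and sign the result.
func protectMessage(encKey, macKey, in []byte) (out []byte, sig string, err error) {
	var cc CreditCard
	if err = xml.Unmarshal(in, &cc); err != nil {
		return nil, "", err
	}
	if cc.CreditCardNumber == "" {
		return nil, "", errors.New("message has no CreditCardNumber to protect")
	}
	if cc.EncryptedCCN, err = encryptField(encKey, cc.CreditCardNumber); err != nil {
		return nil, "", err
	}
	cc.CreditCardNumber = ""
	if out, err = xml.Marshal(cc); err != nil {
		return nil, "", err
	}
	return out, base64.StdEncoding.EncodeToString(mac(macKey, out)), nil
}

// unprotectMessage is the authorized consumer's step: verify the signature
// (constant-time compare) before parsing anything, then decrypt the PAN.
func unprotectMessage(encKey, macKey, msg []byte, sig string) (string, error) {
	want, err := base64.StdEncoding.DecodeString(sig)
	if err != nil || !hmac.Equal(mac(macKey, msg), want) {
		return "", errors.New("signature verification failed")
	}
	var cc CreditCard
	if err := xml.Unmarshal(msg, &cc); err != nil {
		return "", err
	}
	return decryptField(encKey, cc.EncryptedCCN)
}

func main() {
	keys := make([]byte, 64) // demo keys generated per run; real keys live in protected key storage
	if _, err := rand.Read(keys); err != nil {
		panic(err)
	}
	encKey, macKey := keys[:32], keys[32:]
	out, sig, err := protectMessage(encKey, macKey, []byte(sampleMessage))
	fmt.Printf("stored: %s\nsignature: %s\nerr: %v\n", out, sig, err)
}
```

The signature covers the serialized message after encryption, so a consumer that verifies first rejects any change to the ciphertext or to the other fields before it spends a decryption on it. The two keys never travel in the message path; on an appliance they would sit in the encrypted flash or an HSM, as slides 33 and 35 describe.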
14. Access Control & Credential Mapping
Requirement 7: Restrict access to cardholder data by business need-to-know.
Requirement 8: Assign a unique ID to each person with computer access.
1. The client sends a request to the application server
2. The request carries the client's username and password
3. DataPower authenticates the client
4. DataPower maps the credentials for unified communication with the backend*
* Assuming all authenticated users are authorized. Otherwise TAM (Tivoli Access Manager) or a similar product must be used for authorization.
15. DataPower Anti-Virus Protection
• Allows messages and attachments to be checked for viruses
• Integrates with corporate virus-checking software through the ICAP protocol
• The Anti-Virus Processing Action eases configuration and use of this capability
• Includes pre-configured host types (CLAM, Symantec, Trend, Webwasher) as well as customizability
16. Logging of Transactions
Requirement 10: Track and monitor all access to network resources and cardholder data.
DataPower can log transactions passing through it to:
- the on-box file system
- a database
- a network file system
- MQ queues
- an FTP server
D
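An added example, in Go, of what a Requirement 10 transaction record should and should not contain; it is not from the deck and not DataPower configuration. The code builds one JSON log line per transaction with the caller's identity, the masked PAN (first six and last four digits) and a keyed HMAC token for correlating events on the same card, and refuses to log a free-text field that carries a PAN-shaped number, which is how full PANs usually end up in logs. The field names, the key and the sample values are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// AuditEvent is one transaction log record. It says who did what to which service
// (Requirements 8 and 10) and refers to the card only by a masked PAN and a keyed
// token, so the log itself never becomes cardholder data that Requirement 3 would
// force you to protect.
type AuditEvent struct {
	Time     string `json:"time"`
	TxID     string `json:"tx_id"`
	ClientID string `json:"client_id"`
	Service  string `json:"service"`
	Action   string `json:"action"`
	Outcome  string `json:"outcome"`
	PANMask  string `json:"pan_masked"`
	PANToken string `json:"pan_token"`
}

var panDigits = strings.NewReplacer(" ", "", "-", "")

// panLike flags any run of 13 to 19 digits, the shape of a PAN, in free text.
var panLike = regexp.MustCompile(`\b[0-9]{13,19}\b`)

// maskPAN keeps at most the first six and last four digits, the maximum that
// PCI DSS Requirement 3.3 allows to be displayed.
func maskPAN(pan string) string {
	d := panDigits.Replace(pan)
	if len(d) < 13 {
		return strings.Repeat("*", len(d))
	}
	return d[:6] + strings.Repeat("*", len(d)-10) + d[len(d)-4:]
}

// panToken is HMAC-SHA256(key, PAN), truncated. Events for the same card share a
// token and can be correlated, but without the key nothing can be recovered; an
// unkeyed hash would be brute-forceable over the small space of valid PANs.
func panToken(key []byte, pan string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(panDigits.Replace(pan)))
	return hex.EncodeToString(m.Sum(nil))[:16]
}

// newAuditEvent builds the record and refuses free-text fields that carry a
// PAN-shaped number (request bodies, URLs and error messages pasted into an
// "action" or "outcome" field are the usual leak).
func newAuditEvent(key []byte, now time.Time, txID, clientID, service, action, outcome, pan string) (AuditEvent, error) {
	free := map[string]string{"tx_id": txID, "client_id": clientID, "service": service, "action": action, "outcome": outcome}
	for name, v := range free {
		if panLike.MatchString(panDigits.Replace(v)) {
			return AuditEvent{}, fmt.Errorf("audit field %s contains a PAN-like number", name)
		}
	}
	return AuditEvent{
		Time: now.UTC().Format(time.RFC3339), TxID: txID, ClientID: clientID,
		Service: service, Action: action, Outcome: outcome,
		PANMask: maskPAN(pan), PANToken: panToken(key, pan),
	}, nil
}

// Line renders the event as one JSON log line, the form most log shippers expect.
func (e AuditEvent) Line() (string, error) {
	b, err := json.Marshal(e)
	return string(b), err
}

func main() {
	ev, err := newAuditEvent([]byte("demo-key"), time.Now(), "tx-000123", "partner-42", "card-store", "insert", "ok", "4111 1111 1111 1111")
	if err != nil {
		panic(err)
	}
	line, _ := ev.Line()
	fmt.Println(line)
}
```

Whatever sink the appliance writes to (file system, database, MQ, FTP), the same rule holds: the record carries a masked PAN and a keyed token, never the PAN, and the HMAC key is managed like any other cryptographic key rather than hard-coded as in this demo.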
17. Protection against Open Web Application Security Project (OWASP) Top 10 Attacks
(OWASP Top 10 Most Critical Web Application Security Risks; the per-risk detail is in slides 27 to 36.)
18. Open Web Application Security Project Compliance
Provides protection against 100% of OWASP Top 10 risks
19. DataPower has deployments across industries for PCI compliance
National uniform provider
Major prepaid wireless carrier
Large US-based insurance provider
Telecommunications provider in Australia
20. Summary: Business Benefits
Key Reusable Core IT Functionality: Solves complex SOA IT service integration and security challenges in a secure, easy-to-consume and extremely low-TCO network device
Configuration Driven: All enforced policies and mediations are configuration-driven, not programmed. This significantly simplifies and reduces deployment requirements and cost
Flexibility: Secure, integrate, bridge and version applications without application modification
Reduce Complexity: Do work "in the network" as the data flows over the wire instead of on application servers, reducing infrastructure footprint and freeing up application servers to run more business logic
Reduce Time to Market: Dramatically decrease the "time to deploy" in your environment. Being a configuration-driven platform, most deployments are "uncrate, rack, configure and deploy"
Reduce Risk: Takes the "grunt work" out of SOA application security and integration, allowing you to focus on building your business logic. The "in the network" platform allows improved security and audit capabilities without application modification
Lower TCO: It's a network device. Customers' own data has shown that DataPower appliances can be 7x-8x less expensive to operate in the data center than software alternatives
A New Approach: These are not "software pre-installed on servers". DataPower applies sophisticated embedded technology to solve complex IT challenges in new and novel ways
21. DataPower Product Family Highlights
B2B Appliance XB62
– B2B Messaging (AS1/AS2/AS3/EDI)
– Trading Partner Profile Management
– B2B Transaction Viewer
– Support for HL7 and EDIFACT Industry Pack
Integration Appliance XI50B, XI50z, XI52
– Hardware ESB
– "Any-to-Any" Conversion at wire speed
– Bridges multiple protocols
– Integrated message-level security
– Network Load Balancing
Service Gateway XG45
– Enhanced Security Capabilities
– Centralized Policy Enforcement
– Fine-grained Authorization and Authentication
– Network Load Balancing
22. Mobile Payments Industry Activities (some examples)
Mobile Payments Conference, October 10-11, 2012 | Park Central Hotel, New York
Webinar: "Does Your Call Recording Comply with PCI Data Security Standards? Learn Best Practices for Secure Handling of Customer Payment Card Data", Tuesday July 31, 2012, 2:00 PM EST / 11:00 AM PST
Even though PCI has been around since the mid-2000s, industry activities are going on almost every week.
23. Additional Information
WebSphere DataPower home page
– http://www-01.ibm.com/software/integration/datapower
WebSphere DataPower Information Center (online help)
– http://publib.boulder.ibm.com/infocenter/wsdatap/v3r8m1/index.jsp
developerWorks
– http://www.ibm.com/developerworks/websphere/zones/businessintegration/dp.html
WebSphere Education
– http://www.ibm.com/software/websphere/education/
IBM Software Services for WebSphere
– http://www.ibm.com/developerworks/websphere/services/
IBM WebSphere DataPower SOA Appliance Handbook
– http://www.ibmpressbooks.com/bookstore/product.asp?isbn=9780137148196
DataPower SOA Appliance Customer Forum
– http://www.ibm.com/developerworks/forums/forum.jspa?forumID=1198
24. Additional Information
Global WebSphere Community
– http://www.websphereusergroup.org/datapower
Technotes
– http://www.ibm.com/search/csass/search?q=&sn=spe&lang=en&filter=collection:stgsysx,dblue,ic,pubs,devrel1&prod=U692969C82819Q63
DataPower Redbooks
– http://www.redbooks.ibm.com/cgi-bin/searchsite.cgi?query=datapower
DataPower on YouTube
– http://www.youtube.com/watch?v=LRy0twFpmUQ
zEnterprise and PCI-DSS compliance
– http://www.businesswire.com/news/home/20100308006657/en/atsec-Publishes-Payment-Card-Industry-Compliance-Large
Certification whitepaper regarding PCI compliance
– http://www.atsec.com/downloads/white-papers/PCI_Compliance_for_LCS.pdf
27. Threat: A1 - Injection
• Threat description
– Injection flaws, such as SQL, command shell, or LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.
• DataPower mitigation
– Data type checking for invalid input
– XML Threat Protection setting for XPath injection
– SQL injection filter configuration rejects SQL injection
– Regular-expression filters used as a "catch-all" for shell injection, LDAP calls, PHP code, or any other programming language
28. Threat: A2 - Cross-Site Scripting (XSS)
• Threat description
– XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
• DataPower mitigation
– Native XSS filter configuration for rejecting incoming/outgoing traffic that contains XSS content
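As an added example, in Go and not from the deck, of the two mitigation styles slides 27 and 28 list (and of the wire-speed data validation slide 12 calls for), the code below validates the one field whose format is fully known, the PAN, positively (shape plus Luhn check digit), and screens every other field with negative regular-expression filters for SQL, XSS, shell and LDAP injection. The field names and patterns are constructed for the example; a real deployment tunes them per field.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Positive validation for the field whose format is known exactly: a PAN is 13 to
// 19 digits (spaces tolerated) with a correct Luhn check digit. Anything else is
// rejected, however harmless it looks.
var panShape = regexp.MustCompile(`^[0-9 ]{13,23}$`)

func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

func validatePAN(v string) error {
	if !panShape.MatchString(v) {
		return errors.New("PAN: unexpected characters or length")
	}
	digits := strings.ReplaceAll(v, " ", "")
	if len(digits) < 13 || len(digits) > 19 {
		return errors.New("PAN: wrong number of digits")
	}
	if !luhnValid(digits) {
		return errors.New("PAN: Luhn check failed")
	}
	return nil
}

// Negative "catch-all" filters for free-text fields, one per injection class the
// slides name. Go's regexp is RE2 (no backtracking), so attacker-controlled input
// cannot turn a filter into a denial of service.
type denyFilter struct {
	name string
	re   *regexp.Regexp
}

var denyFilters = []denyFilter{
	{"sql", regexp.MustCompile(`(?i)\bunion\b[\s\S]*\bselect\b|'\s*or\s+\S+\s*=\s*\S+|--|;\s*(drop|delete|insert|update)\b`)},
	{"xss", regexp.MustCompile(`(?i)<\s*script|javascript:|\bon[a-z]+\s*=`)},
	{"shell", regexp.MustCompile("[;&|`$]")},
	{"ldap", regexp.MustCompile(`[()*\\\x00]`)},
}

// screenField returns the name of the first filter that fires, or "" when clean.
func screenField(v string) string {
	for _, f := range denyFilters {
		if f.re.MatchString(v) {
			return f.name
		}
	}
	return ""
}

// screenRequest applies positive validation to the PAN and the deny filters to
// every other field; the first failure rejects the whole request.
func screenRequest(fields map[string]string) error {
	for name, value := range fields {
		if name == "CreditCardNumber" {
			if err := validatePAN(value); err != nil {
				return err
			}
			continue
		}
		if hit := screenField(value); hit != "" {
			return fmt.Errorf("field %q rejected by %s filter", name, hit)
		}
	}
	return nil
}

func main() {
	req := map[string]string{"Cust": "Brian P. Bell", "CreditCardNumber": "4111 1111 1111 1111"} // constructed input
	fmt.Println("clean request:", screenRequest(req))
	req["Cust"] = "' OR 1=1 --"
	fmt.Println("injected request:", screenRequest(req))
}
```

Negative filters are a catch-all, not a guarantee: the SQL pattern above will not match every encoding an attacker can choose, and the LDAP filter rejects parentheses that a legitimate name could contain, so put a positive rule wherever the format is known and treat the deny filters as defence in depth. The deck's own sample value, 3732 955939 395500, fails the Luhn check, which is the right property for a test fixture.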
29. Threat: A3 - Broken Authentication and Session Management
• Threat description
– Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys or session tokens, or to exploit other implementation flaws to assume other users' identities.
• DataPower mitigation
– Broad security standards support, e.g. WS-Security, XACML, SAML, SSL/TLS
– "Out-of-the-box" integration with many industry-leading PDP solutions, such as Tivoli Access Manager, Active Directory, LDAP, SiteMinder, etc.
– Centralized platform for security governance
– Tools for configurable AAA and crypto processing, as well as key protection
30. Threat: A4 - Insecure Direct Object References
• Threat description
– A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.
• DataPower mitigation
– Enforces security decisions based on properly classified users, authorized in a policy to specific resources and actions
– Transforms and exposes indirect object identifiers, which are mapped back to the direct identifiers (such as an SSN or an account number) only at the application
31. Threat: A5 - Cross-Site Request Forgery (CSRF)
• Threat description
– A CSRF attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to make the victim's browser generate requests that the vulnerable application thinks are legitimate requests from the victim.
• DataPower mitigation
– Provides several building blocks to prevent such attacks:
• Creating or checking nonce values
• Generating or validating digital signatures on each request
• Creating or confirming hash values
• Injecting or parsing secondary session tokens carried in hidden HTTP form fields
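The nonce and hash building blocks on this slide, combined into one anti-CSRF token as an added example in Go (not from the deck and not DataPower configuration): the token is a random nonce, an expiry and an HMAC-SHA256 over the session identifier, nonce and expiry. Because the MAC is bound to the session, a cross-site page can make the browser send the session cookie but cannot mint or guess a token that matches it. The key, the session identifiers and the token layout are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Token layout: nonce.expiry.mac with mac = HMAC-SHA256(key, sessionID | nonce | expiry).
// The server puts the token in a hidden form field or response header; the client
// must echo it on every state-changing request alongside the session cookie.

func macFor(key []byte, sessionID, nonce, expiry string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(sessionID + "\x00" + nonce + "\x00" + expiry))
	return m.Sum(nil)
}

// issueCSRFToken mints a token for the session that is valid until now+ttl.
func issueCSRFToken(key []byte, sessionID string, now time.Time, ttl time.Duration) (string, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	nonce := base64.RawURLEncoding.EncodeToString(raw)
	expiry := strconv.FormatInt(now.Add(ttl).Unix(), 10)
	mac := base64.RawURLEncoding.EncodeToString(macFor(key, sessionID, nonce, expiry))
	return nonce + "." + expiry + "." + mac, nil
}

var (
	errCSRFFormat  = errors.New("csrf: malformed token")
	errCSRFMAC     = errors.New("csrf: token not issued for this session")
	errCSRFExpired = errors.New("csrf: token expired")
)

// validateCSRFToken checks the echoed token against the session the cookie identifies.
// The MAC is compared in constant time and checked before the expiry, so the order
// of failures tells an attacker nothing about a token they did not mint.
func validateCSRFToken(key []byte, sessionID, token string, now time.Time) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errCSRFFormat
	}
	nonce, expiry, got := parts[0], parts[1], parts[2]
	want, err := base64.RawURLEncoding.DecodeString(got)
	if err != nil {
		return errCSRFFormat
	}
	if !hmac.Equal(want, macFor(key, sessionID, nonce, expiry)) {
		return errCSRFMAC
	}
	exp, err := strconv.ParseInt(expiry, 10, 64)
	if err != nil || now.Unix() > exp {
		return errCSRFExpired
	}
	return nil
}

func main() {
	key := []byte("demo-key") // constructed; a real key is random, kept server-side and rotated
	tok, err := issueCSRFToken(key, "sess-abc", time.Now(), time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println(tok, validateCSRFToken(key, "sess-abc", tok, time.Now()))
}
```

A gateway in front of the application can perform both halves: inject the token into outbound forms and reject inbound requests whose token does not validate, which is the "injection, or parsing" pairing the slide describes, without the application changing.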
32. Threat: A6 - Security Misconfiguration
• Threat description
– Security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, framework, and custom code. The system could be completely compromised without anyone knowing it, with all data stolen or modified slowly over time.
• DataPower mitigation
– DataPower cannot solve this problem alone, but it can significantly reduce the scope of what must be configured or programmed
– By pulling security policies and functions away from application servers and centralizing them on DataPower, the chance of security misconfiguration is reduced because the number of systems that contain security processing code is also reduced
– Additionally, centralizing corporate-wide security policies on a common gateway means that the services that trust the gateway all share one consistent security policy
33. Threat: A7 - Insecure Cryptographic Storage
• Threat description
– Many web applications do not properly protect sensitive data, such as credit cards, SSNs, and authentication credentials, with appropriate encryption or hashing. Attackers may steal or modify such weakly protected data to conduct identity theft, credit card fraud, or other crimes.
• DataPower mitigation
– Standards-based cryptographic processing, such as encryption and hash operations
– Key material stored in the encrypted part of the file system
– Encrypts sensitive data and stores it in a database, giving authorized applications access to the confidential data only through DataPower, in essence functioning as a Data-as-a-Service (DaaS) provider
34. Threat: A8 - Failure to Restrict URL Access
• Threat description
– Many web applications check URL access rights before rendering protected links and buttons. However, applications need to perform similar access control checks each time these pages are accessed, or attackers will be able to forge URLs to reach these hidden pages anyway.
• DataPower mitigation
– Leverage DataPower's explicit white-list policy model using Matching rules
– Enforces per-request authentication and resource-based authorization through the AAA framework
– URL rewrites hide the original URL of the backend application
35. Threat: A9 - Insufficient Transport Layer Protection
• Threat description
– Applications frequently fail to authenticate, encrypt, and protect the confidentiality and integrity of sensitive network traffic. When they do, they sometimes support weak algorithms, use expired or invalid certificates, or do not use them correctly.
• DataPower mitigation
– SSL Proxy configuration secures traffic using SSL/TLS
– A strong SSL cipher suite is available and enabled by default
– Clients can be trusted using mutual authentication
– CRL and OCSP support ensures certificates are valid and not revoked
– Key material is stored securely in an encrypted portion of the flash memory
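An added example in Go, not from the deck and not DataPower configuration, of the transport-layer settings this slide lists expressed as a server-side tls.Config: TLS 1.2 as the floor, only forward-secret AEAD cipher suites, mandatory client certificates for mutual authentication, and a revocation check run on every verified chain. The revoked-serial set is a stand-in for a parsed CRL or an OCSP response, and weakSuites is the pre-deployment check that no suite Go itself classifies as insecure slipped into the list; the CA pool and serial numbers are constructed.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
)

// The revoked set stands in for a revocation source; in production it is filled
// from a fetched CRL (x509.ParseRevocationList) or an OCSP responder. Serials are
// keyed as decimal strings because *big.Int cannot be a map key.
func serialKey(n *big.Int) string { return n.String() }

// checkRevocation rejects any verified chain that contains a revoked certificate.
// Go calls VerifyPeerCertificate only after chain building against ClientCAs has
// succeeded, so a certificate from an unknown CA never reaches this hook.
func checkRevocation(revoked map[string]bool) func([][]byte, [][]*x509.Certificate) error {
	return func(_ [][]byte, chains [][]*x509.Certificate) error {
		if len(chains) == 0 {
			return errors.New("tls: no verified chain presented")
		}
		for _, chain := range chains {
			for _, cert := range chain {
				if revoked[serialKey(cert.SerialNumber)] {
					return fmt.Errorf("tls: certificate %q (serial %s) is revoked", cert.Subject.CommonName, cert.SerialNumber)
				}
			}
		}
		return nil
	}
}

// hardenedTLSConfig is the server-side equivalent of the slide's bullets: TLS 1.2
// floor, forward-secret AEAD suites only, mutual authentication against the given
// client CA pool, and a revocation check on every handshake.
func hardenedTLSConfig(clientCAs *x509.CertPool, revoked map[string]bool) *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
		CurvePreferences:      []tls.CurveID{tls.X25519, tls.CurveP256},
		ClientAuth:            tls.RequireAndVerifyClientCert,
		ClientCAs:             clientCAs,
		VerifyPeerCertificate: checkRevocation(revoked),
	}
}

// weakSuites lists any configured suite that Go classifies as insecure: the check
// to run against a config before it ships.
func weakSuites(cfg *tls.Config) []string {
	insecure := map[uint16]string{}
	for _, s := range tls.InsecureCipherSuites() {
		insecure[s.ID] = s.Name
	}
	var weak []string
	for _, id := range cfg.CipherSuites {
		if name, bad := insecure[id]; bad {
			weak = append(weak, name)
		}
	}
	return weak
}

func main() {
	cfg := hardenedTLSConfig(x509.NewCertPool(), map[string]bool{}) // empty pool and revocation set for the demo
	fmt.Println("min version:", cfg.MinVersion, "weak suites:", weakSuites(cfg))
}
```

TLS 1.3 suites are not configurable in Go and are all forward-secret AEADs, so the explicit list only governs TLS 1.2 clients. A revocation check that consults a stale list is worth little: whatever feeds the revoked set needs a refresh interval and a fail-closed decision when the CRL or OCSP source is unreachable.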
36. Threat: A10 - Unvalidated Redirects and Forwards
• Threat description
– Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
• DataPower mitigation
– Applications not expecting redirects can be configured to reject HTTP 302 responses
– HTTP Front-Side Handler, User-Agent and URL Rewrite configurations can be used to flag and reject these requests as potential threats
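An added example in Go, not from the deck and not DataPower configuration, combining the explicit allow-list matching rules of slide 34 with the redirect validation of this slide: authorize admits a request only when a method-and-path rule exists for one of the caller's roles, after decoding and cleaning the path so that traversal cannot reach an unlisted page, and safeRedirect lets a Location value through only when it is a clean same-site path or an https URL to an allow-listed host. The rules, roles and hosts are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// MatchRule is one explicit allow-list entry: HTTP method, a path pattern in
// path.Match syntax ('*' does not cross a '/'), and the roles permitted to call it.
// A request that matches no rule is denied; there is no implicit "everything else".
type MatchRule struct {
	Method  string
	Pattern string
	Roles   []string
}

// Constructed rules for a hypothetical card-vault service.
var rules = []MatchRule{
	{"GET", "/cards/*", []string{"teller", "admin"}},
	{"POST", "/cards", []string{"teller"}},
	{"DELETE", "/cards/*", []string{"admin"}},
}

// authorize is the per-request check. The path comes from url.Parse (which decodes
// %2e-style escapes once) and is then cleaned, so "/cards/../admin" and
// "/cards/%2e%2e/admin" are both evaluated as "/admin" and hit no rule.
func authorize(method, requestURI string, roles []string) error {
	u, err := url.Parse(requestURI)
	if err != nil {
		return err
	}
	clean := path.Clean("/" + u.Path)
	for _, r := range rules {
		if r.Method != method {
			continue
		}
		if ok, _ := path.Match(r.Pattern, clean); !ok {
			continue
		}
		for _, have := range roles {
			for _, want := range r.Roles {
				if have == want {
					return nil
				}
			}
		}
		return errors.New("forbidden: caller lacks a permitted role")
	}
	return errors.New("forbidden: no matching rule for " + method + " " + clean)
}

// Hosts a 302 may point to. Anything else is treated as an open redirect.
var redirectHosts = map[string]bool{"pay.example.com": true, "www.example.com": true}

// safeRedirect validates a Location value before the gateway lets the redirect
// through. Same-site targets must be absolute paths without backslashes (browsers
// read "/\evil" as "//evil"); external targets must be https to an allow-listed
// host. url.Parse puts "user@" credentials in User, so "https://pay.example.com@evil"
// resolves to host "evil" and is rejected.
func safeRedirect(location string) (string, error) {
	u, err := url.Parse(location)
	if err != nil {
		return "", err
	}
	if u.Scheme == "" && u.Host == "" {
		if !strings.HasPrefix(u.Path, "/") || strings.Contains(u.Path, `\`) {
			return "", errors.New("redirect: relative target must be an absolute, clean path")
		}
		clean := path.Clean(u.Path)
		if u.RawQuery != "" {
			clean += "?" + u.RawQuery
		}
		return clean, nil
	}
	if u.Scheme != "https" || !redirectHosts[strings.ToLower(u.Hostname())] {
		return "", errors.New("redirect: target host not allowed")
	}
	return u.String(), nil
}

func main() {
	fmt.Println(authorize("GET", "/cards/%2e%2e/admin", []string{"admin"}))
	fmt.Println(safeRedirect("https://pay.example.com@evil.example/"))
}
```

Both checks are default-deny, which is what makes the allow-list model the slide describes work: a new page or a new redirect target is unreachable until someone adds a rule for it, rather than reachable until someone remembers to block it.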