Maksim Djackov, profile picture
Uploaded byMaksim Djackov
PPTX, PDF439 views

PCI Compliance (for developers)

This document provides an overview of PCI compliance, emphasizing the protection of cardholder data and detailing the various standards for developers and merchants. It outlines best practices for handling sensitive data, requirements for encryption, and the consequences of non-compliance, such as financial fines and reputational damage. Additionally, it includes information on using PA-DSS to develop secure payment applications that ensure compliance with PCI standards.

Software
Related topics:
Information Security

Embed presentation

Download to read offline
PCI COMPLIANCE Introduction for developers mostly
• Goal of the standard is to protect cardholder data • Statistics for US and Europe: • 81% store payment card numbers • 73% store payment card expiration dates • 71% store payment card verification codes • 16% store other personal data • Internet • Public Networks • Wireless POS • Internet • Public Networks • Wireless Merchant • Internet • Public Networks • Wireless Service Provider • Internet • Public Networks • Wireless Acquirer
• PCI DSS compliance process Repair Report Assess
• PAYMENT CARD INDUSTRY SECURITY STANDARDS Manufacturers PCI PTS PIN Transaction Security Software Developers PCI PA-DSS Payment Application Vendors Merchants & Processors PCI DSS Data Security Standard
• PCI DSS version 1.2 common sense steps that mirror best security practices Goals PCI DSS Requirements Build and Maintain a Secure Network 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program 5. Use and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications Implement Strong Access Control Measures 7. Restrict access to cardholder data by business need-to- know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly Monitor and Test Networks 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes Maintain an Information Security Policy 12. Maintain a policy that addresses information security for employees and contractors
• Do NOT request, send or accept payment card information by email • If you receive cardholder data via email, do NOT process the transaction • Make the sender aware that, for their safety, they should never email credit card information • Remove the cardholder data when responding and direct them to an approved processing method • Delete the email containing cardholder data completely from your email account. • Many of the above practices can be applied to Personal Information or PI (SSN, home address, anything that can uniquely identify a person)
In majority of the cases we can use cryptographic primitives, methods and protocols (refer to my previous presentation on the topic) to ensure secure path our data travels (card data and PI) from initiator (data storage, POS, etc.) to the end-point. Sometimes we need to make sure we also reflect country or project specific legal requirements. Always think of where your data might end-up and do NOT STORE or TRANSMIT it without strong business reasons ! If you absolutely need to do it think of tokenizing sensitive data.
• The PA-DSS is a standard for developers of payment applications. • Its goal is to help development of secure commercial payment applications that do not store prohibited data, and ensure that payment applications support compliance with the PCI DSS. • Merchants and service providers should ensure that they are using Council-approved payment applications; check with your acquiring financial institution to understand requirements and associated timeframes for implementing approved applications. • PA-DSS has 14 requirements: For details and a list of approved Payment Applications, see PCI website. Why building applications with PA-DSS in mind is important even if your applications is not going to participate in the PCI pipeline? Because it might! And chances are it will if you work with financial industries.
When should we comply with the PCI requirements? • We accept payments (credit card or debit card) in-person • -”- over the phone • -”- over the internet • -”- over mail • We act as a service providers (accept payments for others) PCI standard applies to all actors that store, process or transmit cardholder data.
Extract from the PCI guide: “Requirement 3: Protect stored cardholder data In general, no cardholder data should ever be stored unless it’s necessary to meet the needs of the business. Sensitive data on the magnetic stripe or chip must never be stored. If your organization stores PAN, it is crucial to render it unreadable (see 3.4, and table below for guidelines). 3.1 Limit cardholder data storage and retention time to that required for business, legal, and/or regulatory purposes, as documented in your data retention policy. 3.2 Do not store sensitive authentication data after authorization (even if it is encrypted). See guidelines in table below. 3.3 Mask PAN when displayed; the first six and last four digits are the maximum number of digits you may display. Not applicable for authorized people with a legitimate business need to see the full PAN. Does not supersede stricter requirements in place for displays of cardholder data such as on a point-of-sale receipt. 3.4 Render PAN, at minimum, unreadable anywhere it is stored – including on portable digital media, backup media, in logs, and data received from or stored by wireless networks. Technology solutions for this requirement may include strong one-way hash functions, truncation, index tokens, securely stored pads, or strong cryptography. (See PCI DSS Glossary for definition of strong cryptography.) 3.5 Protect cryptographic keys used for encryption of cardholder data from disclosure and misuse. 3.6 Fully document and implement all appropriate key management processes and procedures for cryptographic keys used for encryption of cardholder data.”
Extract from the PCI guide: “Requirement 4: Encrypt transmission of cardholder data across open, public networks Cyber criminals may be able to intercept transmissions of cardholder data over open, public networks so it is important to prevent their ability to view these data. Encryption is a technology used to render transmitted data unreadable by any unauthorized person. 4.1 Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks (e.g. Internet, wireless technologies, global systems for communications [GSM], general packet radio systems [GPRS]). Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment use industry best practices (e.g., IEEE 802.11ix) to implement strong encryption for authentication and transmission. For new wireless implementations, it is prohibited to implement WEP after March 31, 2009. For current implementations, it is prohibited to use WEP after June 30, 2010. 4.2 Never send unencrypted PANs by end user messaging technologies.”
Regarding developing and maintaining secure systems and applications PA-DSS certified applications will have an Implementation Guide. In general there are many secure software development and deployment guidelines, for example OWASP for web applications, or Microsoft security checklists, and it is a good idea to pick any and follow it.
Annual penetration testing and quarterly wireless and vulnerability testing is a part of testing efforts and should be performed. Remember, using penetration testing frameworks during development phase builds a solid foundation for your software!
If you don’t have to comply with the PCI standards, breaching your application will bring you unsatisfaction with the clients and will hurt your reputation, at the very least. The real trouble begins when your organization and your software do need to comply. In that case: “Breach Consequences- Even if a company is 100% PCI compliant and validated, a breach in cardholder data may still occur. Cardholder Breaches can result in the following losses for a merchant.$50-$90 fine per cardholder data compromised Suspension of credit card acceptance by a merchant’s credit card account provider Loss of reputation with customers, suppliers, and partners Possible civil litigation from breached customers Loss of customer trust which effects future sales” And these are just a small part if the forthcoming troubles.
Project implementation examples
Questions?

More Related Content

PDF
Pci ssc quick reference guide
byMohammad Makchudul Alam (Arif)
 
PPTX
PCI DSS 2.0 Detailed Introduction
byControlCase
 
PPTX
A practical guides to PCI compliance
byJisc
 
PDF
PCI-DSS_Overview
bysameh Abulfotooh
 
PPTX
PCI DSS and PA DSS
byKimberly Simon MBA
 
PDF
You Know You Need PCI Compliance Help When…
byRochester Security Summit
 
PPTX
PCI DSS Compliance
bySaumya Vishnoi
 
PDF
1. PCI Compliance Overview
byokrantz
 
Pci ssc quick reference guide
byMohammad Makchudul Alam (Arif)
 
PCI DSS 2.0 Detailed Introduction
byControlCase
 
A practical guides to PCI compliance
byJisc
 
PCI-DSS_Overview
bysameh Abulfotooh
 
PCI DSS and PA DSS
byKimberly Simon MBA
 
You Know You Need PCI Compliance Help When…
byRochester Security Summit
 
PCI DSS Compliance
bySaumya Vishnoi
 
1. PCI Compliance Overview
byokrantz
 

What's hot

PPTX
Introduction to PCI DSS
bySaumya Vishnoi
 
PPS
P0 Pcidss Overview
byb28stu
 
PPTX
Introduction to Token Service Provider (TSP) Certification
byKimberly Simon MBA
 
PDF
PCIDSS compliance made easier through a collaboration between NC State and UN...
byJohn Baines
 
PPTX
PCI DSS 3.2
byKimberly Simon MBA
 
PPTX
PCI DSSand PA DSS
byKimberly Simon MBA
 
PDF
PCI DSS: What it is, and why you should care
bySean D. Goodwin
 
PPT
Tizor_Data-Best-Practices.ppt
bywebhostingguy
 
PDF
Pcidss qr gv3_1
byleon bonilla
 
PPTX
PCI DSS 3.2 - Business as Usual
byKimberly Simon MBA
 
PPTX
Webinar - pci dss 4.0 updates
byVISTA InfoSec
 
PPTX
Data Discovery and PCI DSS
byKimberly Simon MBA
 
PDF
Alcumus ISOQAR PCIDSS Compliance Presentation
byBhargav Upadhyay
 
PPTX
PCI DSS Simplified: What You Need to Know
byAlienVault
 
PPTX
Card Data Discovery and PCI DSS
byKimberly Simon MBA
 
PPT
Application security and pa dss certification
byAlexander Polyakov
 
KEY
PA-DSS
byChristian Heinrich
 
PPTX
PCI Scope Reduction Using Tokenization for Security Assessors (QSA, ISA)
byTokenEx
 
DOCX
PCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAINING
byhimalya sharma
 
PPTX
PCI DSS and PA DSS
byKimberly Simon MBA
 
Introduction to PCI DSS
bySaumya Vishnoi
 
P0 Pcidss Overview
byb28stu
 
Introduction to Token Service Provider (TSP) Certification
byKimberly Simon MBA
 
PCIDSS compliance made easier through a collaboration between NC State and UN...
byJohn Baines
 
PCI DSS 3.2
byKimberly Simon MBA
 
PCI DSSand PA DSS
byKimberly Simon MBA
 
PCI DSS: What it is, and why you should care
bySean D. Goodwin
 
Tizor_Data-Best-Practices.ppt
bywebhostingguy
 
Pcidss qr gv3_1
byleon bonilla
 
PCI DSS 3.2 - Business as Usual
byKimberly Simon MBA
 
Webinar - pci dss 4.0 updates
byVISTA InfoSec
 
Data Discovery and PCI DSS
byKimberly Simon MBA
 
Alcumus ISOQAR PCIDSS Compliance Presentation
byBhargav Upadhyay
 
PCI DSS Simplified: What You Need to Know
byAlienVault
 
Card Data Discovery and PCI DSS
byKimberly Simon MBA
 
Application security and pa dss certification
byAlexander Polyakov
 
PA-DSS
byChristian Heinrich
 
PCI Scope Reduction Using Tokenization for Security Assessors (QSA, ISA)
byTokenEx
 
PCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAINING
byhimalya sharma
 
PCI DSS and PA DSS
byKimberly Simon MBA
 

Viewers also liked

PPSX
9. lo que nunca barrí
byChepe Jrmr
 
PPTX
Жінки в буддизмі
byZoya79
 
ODP
Ordinador
byeljuliusfumaweed
 
PDF
CMS Development – Empowering Ecommerce Website
byStephen Lee
 
PDF
碧桂园·森林城市项目介绍
byJason Huang
 
PPTX
El derecho concursal
bysilviabelloo
 
PPT
The1980s Hw Bush Bio
byNathan Tengowski
 
PDF
What would Dame Cicely do? | My biggest comms inspiration seminar | 29 Septem...
byCharityComms
 
PPTX
Rediseño de licenciatura en comunicación. Caso de estudio Modalidad a Distanc...
byAbel Suing
 
PPTX
Online vehicle showroom DB project
byTish997
 
9. lo que nunca barrí
byChepe Jrmr
 
Жінки в буддизмі
byZoya79
 
Ordinador
byeljuliusfumaweed
 
CMS Development – Empowering Ecommerce Website
byStephen Lee
 
碧桂园·森林城市项目介绍
byJason Huang
 
El derecho concursal
bysilviabelloo
 
The1980s Hw Bush Bio
byNathan Tengowski
 
What would Dame Cicely do? | My biggest comms inspiration seminar | 29 Septem...
byCharityComms
 
Rediseño de licenciatura en comunicación. Caso de estudio Modalidad a Distanc...
byAbel Suing
 
Online vehicle showroom DB project
byTish997
 

Similar to PCI Compliance (for developers)

PDF
PCI DSS for Pentesting
byn|u - The Open Security Community
 
PPTX
PCI DSS for Penetration Testing
byNetwork Intelligence India
 
PPT
PCI DSS
byDuy Do Phan
 
PDF
Pci dss intro v2
byTorstein Hansen
 
DOCX
Online_Transactions_PCI
byKelly Lam
 
PPTX
Payment Card Industry Security Standards
byAshintha Rukmal
 
PPTX
Don’t Get Caught in a PCI Pickle: Meet Compliance and Protect Payment Card Da...
byDataStax
 
PDF
PCI Compliance White Paper
byRaz-Lee Security
 
PDF
PCI-DSS for IDRBT
byShanmugavel Sankaran
 
PPT
PCI-DSS Experience- Phan Canh Nhat Present on 13/11/2014
byLuong Trung Thanh
 
PDF
Protecting Payment Card Data Wp091010
byErik Ginalick
 
PPT
Experience for implement PCI DSS
byNhat Phan Canh
 
PPTX
Things to Keep in Mind Regarding PCI DSS Compliance
byINTERCERT
 
PPTX
Sgsits cyber securityworkshop_4mar2017
byAnil Jain
 
PDF
PCI Compliance: What You Need to Know
bySasha Nunke
 
PDF
PCI Compliance Overview
byLawPay
 
PDF
Pci standards, from participation to implementation and review
byisc2-hellenic
 
PPT
IBM Share Conference 2010, Boston, Ulf Mattsson
byUlf Mattsson
 
DOCX
A Case Study on Payment Card Industry Data Security Standards
byVictor Oluwajuwon Badejo
 
PDF
Credit Card Processing for Small Business
byMark Ginnebaugh
 
PCI DSS for Pentesting
byn|u - The Open Security Community
 
PCI DSS for Penetration Testing
byNetwork Intelligence India
 
PCI DSS
byDuy Do Phan
 
Pci dss intro v2
byTorstein Hansen
 
Online_Transactions_PCI
byKelly Lam
 
Payment Card Industry Security Standards
byAshintha Rukmal
 
Don’t Get Caught in a PCI Pickle: Meet Compliance and Protect Payment Card Da...
byDataStax
 
PCI Compliance White Paper
byRaz-Lee Security
 
PCI-DSS for IDRBT
byShanmugavel Sankaran
 
PCI-DSS Experience- Phan Canh Nhat Present on 13/11/2014
byLuong Trung Thanh
 
Protecting Payment Card Data Wp091010
byErik Ginalick
 
Experience for implement PCI DSS
byNhat Phan Canh
 
Things to Keep in Mind Regarding PCI DSS Compliance
byINTERCERT
 
Sgsits cyber securityworkshop_4mar2017
byAnil Jain
 
PCI Compliance: What You Need to Know
bySasha Nunke
 
PCI Compliance Overview
byLawPay
 
Pci standards, from participation to implementation and review
byisc2-hellenic
 
IBM Share Conference 2010, Boston, Ulf Mattsson
byUlf Mattsson
 
A Case Study on Payment Card Industry Data Security Standards
byVictor Oluwajuwon Badejo
 
Credit Card Processing for Small Business
byMark Ginnebaugh
 

Recently uploaded

PDF
Attendance Dashboard – Time & Attendance Analytics
byHajir Pro
 
PPTX
HackYourBrain_JFokusConference_03022026.pptx
bySimonedeGijt
 
PDF
20260201 [FOSDEM] gomodjail - library sandboxing for Go modules.pdf
byAkihiro Suda
 
PDF
Track Phone Location Android (2026)_ What Actually Works, What’s New, and the...
byRachel Green
 
PPTX
HR Software for Construction: Smarter Workforce & Payroll Management
byhelixtahr
 
PPTX
Best Digital Marketing Company in Lucknow
bydigitallearning9277
 
PPTX
GraphQL Day Paris 2025 | Bringing DevOps to GraphQL with the Apollo GraphOS O...
byapidays
 
PDF
Artificial Intelligence Planning (Harinath Palavalli)
byHarinath Palavalli
 
PDF
apidays Amsterdam 2025 | APIs with a Purpose
byapidays
 
PDF
Build a Scalable On-Demand Courier Service App
byV3CUBE TECHNOLABS
 
PDF
2026 Safety Roadmap: Systems, Skills, and Scale for EHS Leaders
byTECH EHS Solution
 
PDF
JFokus 2026 - Please pass the salt- Serve up passwords with a side of entropy...
byOrtus Solutions, Corp
 
PDF
Azure DevOps Services: Complete Guide to DevOps Tools, Automation & End-to-En...
byjohncarterjn
 
PDF
Image and video processing: From Mars to Hollywood with a stop at the hospita...
byHarinath Palavalli
 
PDF
Monitoring your MySQL Server's Health Trends
byIgor Donchovski
 
PDF
apidays Australia 2025 | Build Your First MCP Server with Postman Flows
byapidays
 
PDF
apidays Amsterdam 2025 | Making AI work for you as an API Product Manager
byapidays
 
PDF
apidays Australia 2025 | Orchestrator vs. Choreography
byapidays
 
PPTX
Edison MuleSoft Meetup : Vibe Coding | MuleSoft Meetups
bySravan Lingam
 
PDF
Taxi App UIUX Design for Seamless Ride Booking
byV3CUBE TECHNOLABS
 
Attendance Dashboard – Time & Attendance Analytics
byHajir Pro
 
HackYourBrain_JFokusConference_03022026.pptx
bySimonedeGijt
 
20260201 [FOSDEM] gomodjail - library sandboxing for Go modules.pdf
byAkihiro Suda
 
Track Phone Location Android (2026)_ What Actually Works, What’s New, and the...
byRachel Green
 
HR Software for Construction: Smarter Workforce & Payroll Management
byhelixtahr
 
Best Digital Marketing Company in Lucknow
bydigitallearning9277
 
GraphQL Day Paris 2025 | Bringing DevOps to GraphQL with the Apollo GraphOS O...
byapidays
 
Artificial Intelligence Planning (Harinath Palavalli)
byHarinath Palavalli
 
apidays Amsterdam 2025 | APIs with a Purpose
byapidays
 
Build a Scalable On-Demand Courier Service App
byV3CUBE TECHNOLABS
 
2026 Safety Roadmap: Systems, Skills, and Scale for EHS Leaders
byTECH EHS Solution
 
JFokus 2026 - Please pass the salt- Serve up passwords with a side of entropy...
byOrtus Solutions, Corp
 
Azure DevOps Services: Complete Guide to DevOps Tools, Automation & End-to-En...
byjohncarterjn
 
Image and video processing: From Mars to Hollywood with a stop at the hospita...
byHarinath Palavalli
 
Monitoring your MySQL Server's Health Trends
byIgor Donchovski
 
apidays Australia 2025 | Build Your First MCP Server with Postman Flows
byapidays
 
apidays Amsterdam 2025 | Making AI work for you as an API Product Manager
byapidays
 
apidays Australia 2025 | Orchestrator vs. Choreography
byapidays
 
Edison MuleSoft Meetup : Vibe Coding | MuleSoft Meetups
bySravan Lingam
 
Taxi App UIUX Design for Seamless Ride Booking
byV3CUBE TECHNOLABS
 

PCI Compliance (for developers)

  • 1.
  • 2.
    • Goal ofthe standard is to protect cardholder data • Statistics for US and Europe: • 81% store payment card numbers • 73% store payment card expiration dates • 71% store payment card verification codes • 16% store other personal data • Internet • Public Networks • Wireless POS • Internet • Public Networks • Wireless Merchant • Internet • Public Networks • Wireless Service Provider • Internet • Public Networks • Wireless Acquirer
  • 3.
    • PCI DSScompliance process Repair Report Assess
  • 4.
    • PAYMENT CARDINDUSTRY SECURITY STANDARDS Manufacturers PCI PTS PIN Transaction Security Software Developers PCI PA-DSS Payment Application Vendors Merchants & Processors PCI DSS Data Security Standard
  • 5.
    • PCI DSSversion 1.2 common sense steps that mirror best security practices Goals PCI DSS Requirements Build and Maintain a Secure Network 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program 5. Use and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications Implement Strong Access Control Measures 7. Restrict access to cardholder data by business need-to- know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly Monitor and Test Networks 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes Maintain an Information Security Policy 12. Maintain a policy that addresses information security for employees and contractors
  • 6.
    • Do NOTrequest, send or accept payment card information by email • If you receive cardholder data via email, do NOT process the transaction • Make the sender aware that, for their safety, they should never email credit card information • Remove the cardholder data when responding and direct them to an approved processing method • Delete the email containing cardholder data completely from your email account. • Many of the above practices can be applied to Personal Information or PI (SSN, home address, anything that can uniquely identify a person)
  • 7.
    In majority ofthe cases we can use cryptographic primitives, methods and protocols (refer to my previous presentation on the topic) to ensure secure path our data travels (card data and PI) from initiator (data storage, POS, etc.) to the end-point. Sometimes we need to make sure we also reflect country or project specific legal requirements. Always think of where your data might end-up and do NOT STORE or TRANSMIT it without strong business reasons ! If you absolutely need to do it think of tokenizing sensitive data.
  • 8.
    • The PA-DSSis a standard for developers of payment applications. • Its goal is to help development of secure commercial payment applications that do not store prohibited data, and ensure that payment applications support compliance with the PCI DSS. • Merchants and service providers should ensure that they are using Council-approved payment applications; check with your acquiring financial institution to understand requirements and associated timeframes for implementing approved applications. • PA-DSS has 14 requirements: For details and a list of approved Payment Applications, see PCI website. Why building applications with PA-DSS in mind is important even if your applications is not going to participate in the PCI pipeline? Because it might! And chances are it will if you work with financial industries.
  • 9.
    When should wecomply with the PCI requirements? • We accept payments (credit card or debit card) in-person • -”- over the phone • -”- over the internet • -”- over mail • We act as a service providers (accept payments for others) PCI standard applies to all actors that store, process or transmit cardholder data.
  • 10.
    Extract from thePCI guide: “Requirement 3: Protect stored cardholder data In general, no cardholder data should ever be stored unless it’s necessary to meet the needs of the business. Sensitive data on the magnetic stripe or chip must never be stored. If your organization stores PAN, it is crucial to render it unreadable (see 3.4, and table below for guidelines). 3.1 Limit cardholder data storage and retention time to that required for business, legal, and/or regulatory purposes, as documented in your data retention policy. 3.2 Do not store sensitive authentication data after authorization (even if it is encrypted). See guidelines in table below. 3.3 Mask PAN when displayed; the first six and last four digits are the maximum number of digits you may display. Not applicable for authorized people with a legitimate business need to see the full PAN. Does not supersede stricter requirements in place for displays of cardholder data such as on a point-of-sale receipt. 3.4 Render PAN, at minimum, unreadable anywhere it is stored – including on portable digital media, backup media, in logs, and data received from or stored by wireless networks. Technology solutions for this requirement may include strong one-way hash functions, truncation, index tokens, securely stored pads, or strong cryptography. (See PCI DSS Glossary for definition of strong cryptography.) 3.5 Protect cryptographic keys used for encryption of cardholder data from disclosure and misuse. 3.6 Fully document and implement all appropriate key management processes and procedures for cryptographic keys used for encryption of cardholder data.”
  • 11.
    Extract from thePCI guide: “Requirement 4: Encrypt transmission of cardholder data across open, public networks Cyber criminals may be able to intercept transmissions of cardholder data over open, public networks so it is important to prevent their ability to view these data. Encryption is a technology used to render transmitted data unreadable by any unauthorized person. 4.1 Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks (e.g. Internet, wireless technologies, global systems for communications [GSM], general packet radio systems [GPRS]). Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment use industry best practices (e.g., IEEE 802.11ix) to implement strong encryption for authentication and transmission. For new wireless implementations, it is prohibited to implement WEP after March 31, 2009. For current implementations, it is prohibited to use WEP after June 30, 2010. 4.2 Never send unencrypted PANs by end user messaging technologies.”
  • 12.
    Regarding developing andmaintaining secure systems and applications PA-DSS certified applications will have an Implementation Guide. In general there are many secure software development and deployment guidelines, for example OWASP for web applications, or Microsoft security checklists, and it is a good idea to pick any and follow it.
  • 13.
    Annual penetration testingand quarterly wireless and vulnerability testing is a part of testing efforts and should be performed. Remember, using penetration testing frameworks during development phase builds a solid foundation for your software!
  • 14.
    If you don’thave to comply with the PCI standards, breaching your application will bring you unsatisfaction with the clients and will hurt your reputation, at the very least. The real trouble begins when your organization and your software do need to comply. In that case: “Breach Consequences- Even if a company is 100% PCI compliant and validated, a breach in cardholder data may still occur. Cardholder Breaches can result in the following losses for a merchant.$50-$90 fine per cardholder data compromised Suspension of credit card acceptance by a merchant’s credit card account provider Loss of reputation with customers, suppliers, and partners Possible civil litigation from breached customers Loss of customer trust which effects future sales” And these are just a small part if the forthcoming troubles.
  • 15.
  • 16.

Editor's Notes

  • #2 Payment Card Industry Data Security Standards (PCI DSS) are administered by the PCI Security Standards Council, which was founded by VISA, MC, AMEX, DISCOVER, and JCB.
  • #3 Issuer Bank or other financial institution that issues payment cards to consumers (cardholders) Acquirer Contracts for payment services with merchant; merchant must validate PCI DSS compliance with its “acquirer”; acquirer reports compliance status to card associations Merchant Entity that sells goods/services and accepts cards; responsible for safeguarding credit card data and complying with the PCI DSS Service Provider Entity that provides all or some of the payment services for the merchant; responsible for safeguarding credit card data and complying with the PCI DSS Merchant-based vulnerabilities may appear almost anywhere in the card-processing ecosystem including point-of-sale devices; personal computers or servers; wireless hotspots or Web shopping applications; in paper-based storage systems; and unsecured transmission of cardholder data to service providers. Vulnerabilities may even extend to systems operated by service providers and acquirers, which are the financial institutions that initiate and maintain the relationships with merchants that accept payment cards.
  • #4 There are three ongoing steps for adhering to the PCI DSS: Assess — identifying cardholder data, taking an inventory of your IT assets and business processes for payment card processing, and analyzing them for vulnerabilities that could expose cardholder data. Remediate — fixing vulnerabilities and not storing cardholder data unless you need it. Report — compiling and submitting required remediation validation records (if applicable), and submitting compliance reports to the acquiring bank and card brands you do business with.
  • #5 PCI Data Security Standard (DSS) The PCI DSS applies to all entities that store, process, and/or transmit cardholder data. It covers technical and operational system components included in or connected to cardholder data. If you are a merchant who accepts or processes payment cards, you must comply with the PCI DSS. PIN Transaction (PTS) Security Requirements PCI PTS (formerly PCI PED) is a set of security requirements focused on characteristics and management of devices used in the protection of cardholder PINs and other payment processing related activities. The requirements are for manufacturers to follow in the design, manufacture and transport of a device to the entity that implements it. Financial institutions, processors, merchants and service providers should only use devices or components that are tested and approved by the PCI SSC (www.pcisecuritystandards.org/security_standards/ped/pedapprovallist.html). Payment Application Data Security Standard (PA-DSS) The PA-DSS is for software developers and integrators of payment applications that store, process or transmit cardholder data as part of authorization or settlement when these applications are sold, distributed or licensed to third parties. Most card brands encourage merchants to use payment applications that are tested and approved by the PCI SSC. Validated applications are listed at: www.pcisecuritystandards.org/security_standards/pa_dss.shtml
  • #8 It is not always necessary to use cryptographic primitives to ensure data secrecy and consistency. For example, do we need to calculate hash of the files we transfer between server while using trusted VPN network?