PCI for developers

No description
by Fabio Cerullo on 25 July 2013


Transcript of PCI for developers

Injection Prevention
PCI for Developers
Fabio Cerullo
- Storing credit/debit card details in plain text.
- Hard-coded passwords.
- Not performing code reviews.
- Not performing pentests.
- Not using SSL at payment gateway.
- Home-made encryption mechanisms.
- Not logging critical information (e.g. attacks).
- Even better: log ALL the information.
Channel Encryption
Method: isSecureChannel
Interface: HTTPUtilities
- Guarantees the information is always encrypted during transmission.
Flag: HTTPUtilities.ForceSecureSession
Card Data
- Secure Development Guide
- Testing Guide
- Code Review Guide
- OWASP ESAPI
- ZAP
You can mask the PAN, BUT...
Under PCI Requirement 3.4...

- Use a hash algorithm like SHA1.
- Store the first 6 and last 4 digits.

Example:
4012888888881881
xxxxxxxxxxxxxxxx (10 quadrillion candidates)
4xxxxxxxxxxxxxxx (Visa: 4 quadrillion candidates)
401288xxxxxx1881 (masked under Req. 3.3)

How long does it take to crack it?
5.3 seconds!
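The slide's point is that an unkeyed hash of a PAN stored next to the masked form (first six and last four digits) leaves only the six middle digits unknown, and the Luhn check digit shrinks that further. The following Python is an added example, not code from the presentation: it masks a PAN in the Req. 3.3 display format, applies the Luhn check, computes how many Luhn-valid PANs fit a masked value, and contrasts an unkeyed SHA-1 with a keyed HMAC whose key is assumed to live in an HSM or key-management service rather than in the application database.

```python
import hashlib
import hmac
import re

# Constructed sample: the Visa test PAN shown on the slide.
SAMPLE_PAN = "4012888888881881"


def luhn_valid(pan: str) -> bool:
    """Luhn check. Every real card number passes it, so anyone testing
    candidates against a digest only has to try the Luhn-valid ones."""
    if not re.fullmatch(r"\d{12,19}", pan):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Req. 3.3 display format: at most the first six and last four digits."""
    return pan[:6] + "x" * (len(pan) - 10) + pan[-4:]


def candidate_space(masked: str) -> int:
    """Number of Luhn-valid PANs consistent with a masked PAN.

    With n unknown digits there are 10**n raw combinations, but for any
    fixed choice of n-1 of them exactly one value of the remaining digit
    satisfies the Luhn sum, so only 10**(n-1) candidates are real PANs.
    """
    unknown = masked.count("x")
    return 1 if unknown == 0 else 10 ** (unknown - 1)


def unkeyed_sha1(pan: str) -> str:
    """The weak choice the slide warns about: stored beside the masked PAN,
    this digest can be tested against every value in candidate_space()
    offline, which is why the crack time is measured in seconds."""
    return hashlib.sha1(pan.encode()).hexdigest()


def keyed_pan_digest(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of the full PAN. Without the key a digest
    cannot be tested against candidates, so the masked PAN may be stored
    alongside it. The key is assumed to be held in an HSM/KMS (assumption
    for this example), never in the same database as the digests."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    masked = mask_pan(SAMPLE_PAN)
    print(masked, "->", candidate_space(masked), "Luhn-valid candidates")
    print("unkeyed SHA-1 :", unkeyed_sha1(SAMPLE_PAN))
    print("keyed HMAC    :", keyed_pan_digest(SAMPLE_PAN, b"example-key-from-kms"))
```

Running it shows that the slide's masked example `401288xxxxxx1881` leaves 100,000 Luhn-valid candidates, against 10^15 for a fully masked 16-digit PAN; the 10 quadrillion figure on the slide counts all digit strings before the Luhn constraint. The practical check for a reviewer is therefore not "is the PAN hashed?" but "is the hash keyed, and is the key kept away from the table that holds the masked PAN?"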
What is PCI?
Typical Errors
Meanwhile in the wild internet...
How could OWASP help?
- Organization created by Visa, Amex, Mastercard, Discover, JCB in 2006.
- Defines security standards for debit/credit payments.
Secure Authentication with ESAPI
Two methods: login / createUser
Interface: Authenticator

By default, all users are disabled and locked when created.

The login only works over an SSL connection.
Why was PCI created?
It helps prevent security incidents with credit and debit cards.

Defines requirements to be adopted by:
- merchants that accept those payment methods (PCI DSS).
- software companies or implementers that provide that functionality (PCI PA-DSS).
- many more...
Does it affect me?
Do you accept credit/debit card payments online or over the phone?

Is this information stored/processed in YOUR server and/or by a third party?
PCI Ecosystem
PCI PA-DSS

complements

PCI-DSS
PCI-DSS Requirements
PCI PA-DSS Requirements
Security Controls
required by PA-DSS
- Secure Authentication
- Proper Session Management
- Channel Encryption
- Data Encryption
- Injection Prevention
- XSS Prevention
- CSRF Prevention
- Secure Data Access
- Error Handling
- Logging
What is ESAPI?
- Security libraries.
- Free.
- Easy to use.
Proper Session Management
Method: changeSessionIdentifier
Interface: HTTPUtilities
- Prevents Session Fixation.
- Guarantees a unique ID.
Data Encryption
Methods: encrypt / seal
Interface: Encryptor

Guarantees data encryption.

(*) Other methods are also available in the framework.
Method: getValidInput
Interface: Validator

Prevents malicious input.
Method: encodeForXXX
Interface: Encoder

Guarantees adequate data format.
XSS Prevention
Same as Injection
plus the flag
HTTPUtilities.HTTPOnly
CSRF Prevention
Method: addCSRFToken
Interface: HTTPUtilities

Adds a unique token per operation/transaction.
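The two HTTPUtilities behaviours on the session-management and CSRF slides (rotating the session identifier and issuing a token per operation) are easy to get subtly wrong. The following Python is an added example, not ESAPI's code and not from the presentation: a minimal server-side session store that invalidates the old identifier on login and issues single-use, operation-bound CSRF tokens compared in constant time. Method names mirror the slides; the store itself is an assumption of this example.

```python
import hmac
import secrets


class SessionStore:
    """In-memory server-side sessions (assumed for this example)."""

    def __init__(self):
        self._sessions = {}  # session id -> {"user": ..., "csrf": {token: operation}}

    def create(self) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "csrf": {}}
        return sid

    def is_valid(self, sid: str) -> bool:
        return sid in self._sessions

    def change_session_identifier(self, sid: str) -> str:
        """Session-fixation defence: keep the session data, issue a fresh
        identifier and invalidate the old one, so an identifier planted
        before authentication never becomes an authenticated session."""
        data = self._sessions.pop(sid)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid

    def login(self, sid: str, user: str) -> str:
        """Rotate the identifier at the privilege change, then bind the user."""
        new_sid = self.change_session_identifier(sid)
        self._sessions[new_sid]["user"] = user
        return new_sid

    def add_csrf_token(self, sid: str, operation: str) -> str:
        """One token per operation/transaction, stored server-side and
        returned embedded in the link, as addCSRFToken does for an href."""
        token = secrets.token_urlsafe(16)
        self._sessions[sid]["csrf"][token] = operation
        return f"/{operation}?csrftoken={token}"

    def verify_csrf_token(self, sid: str, operation: str, token: str) -> bool:
        """Accept a token once, only for the operation it was issued for.
        compare_digest avoids leaking the stored value through timing."""
        pending = self._sessions[sid]["csrf"]
        match = next(
            (t for t, op in pending.items()
             if op == operation and hmac.compare_digest(t, token)),
            None,
        )
        if match is None:
            return False
        del pending[match]  # single use: a replayed token is rejected
        return True


def token_from_href(href: str) -> str:
    """Pull the csrftoken query parameter back out of a generated link."""
    return href.split("csrftoken=", 1)[1]


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create()
    authed = store.login(anon, "alice")
    print("old id still valid after login:", store.is_valid(anon))
    href = store.add_csrf_token(authed, "transfer")
    tok = token_from_href(href)
    print("first use :", store.verify_csrf_token(authed, "transfer", tok))
    print("replay    :", store.verify_csrf_token(authed, "transfer", tok))
```

The two properties worth asserting in a test suite are the ones the slides name: the pre-login identifier must be dead after login, and a token must fail both on replay and when presented for a different operation than the one it was minted for.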
Secure Access to Data
- Indirect object references.
- Data access control.
Indirect Object Reference
/accounts/viewDetail?id=3540

What happens if I change it?

/accounts/viewDetail?id=3541
Data Access Control
Methods: isAuthorizedForXXX / RandomAccessReferenceMap
Interfaces: AccessReferenceMap / AccessController

Guarantees only authorized users can access the resources (data, functions, etc)
Error & Log Handling
Methods: getUserMessage / getLogMessage / isAuthorizedForXXX

Two different messages: a generic one for the user and a detailed one for the log.
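The three slides above (the `id=3540` / `id=3541` example, the access-control check, and the split between user and log messages) describe one control working together. The following Python is an added example, not ESAPI's code and not from the presentation: a per-session indirect reference map in the spirit of ESAPI's AccessReferenceMap, an authorization check in the spirit of isAuthorizedForData, and an exception that carries separate user and log messages. The account records and the `view_detail` handler are constructed for the example.

```python
import logging
import secrets

logging.basicConfig(level=logging.INFO)
log = logging.getLogger("accounts")

# Constructed sample data, keyed by the direct ids from the slide.
ACCOUNTS = {
    3540: {"owner": "alice", "balance": 120},
    3541: {"owner": "bob", "balance": 75},
}


class AccessControlError(Exception):
    """Two messages, as on the slide: the user sees a generic one, the
    specific reason goes only to the log."""

    def __init__(self, user_message: str, log_message: str):
        super().__init__(user_message)
        self.user_message = user_message
        self.log_message = log_message


class AccessReferenceMap:
    """Per-session map between random indirect references and direct keys.
    Assumed re-implementation of the ESAPI idea, not ESAPI's own code."""

    def __init__(self):
        self._to_direct = {}
        self._to_indirect = {}

    def add(self, direct):
        """Return the indirect reference for a direct key, minting one if needed."""
        if direct in self._to_indirect:
            return self._to_indirect[direct]
        indirect = secrets.token_urlsafe(8)
        while indirect in self._to_direct:
            indirect = secrets.token_urlsafe(8)
        self._to_direct[indirect] = direct
        self._to_indirect[direct] = indirect
        return indirect

    def get_direct(self, indirect):
        """A reference this session never issued cannot be resolved at all."""
        try:
            return self._to_direct[indirect]
        except KeyError:
            raise AccessControlError(
                "Record not found.",
                f"unknown indirect reference {indirect!r}",
            ) from None


def is_authorized_for_data(user: str, account_id: int) -> bool:
    """Ownership rule for this example: a user may only read their own account."""
    acct = ACCOUNTS.get(account_id)
    return acct is not None and acct["owner"] == user


def build_session_map(user: str) -> AccessReferenceMap:
    """Populate the map only with objects the user is allowed to reach."""
    m = AccessReferenceMap()
    for account_id in ACCOUNTS:
        if is_authorized_for_data(user, account_id):
            m.add(account_id)
    return m


def view_detail(user: str, session_map: AccessReferenceMap, ref: str) -> dict:
    """Equivalent of /accounts/viewDetail?id=... with an indirect reference.
    The map stops guessing; the authorization check is kept as a second gate
    so a bug in map construction still cannot expose another user's data."""
    account_id = session_map.get_direct(ref)
    if not is_authorized_for_data(user, account_id):
        raise AccessControlError(
            "Record not found.",
            f"user {user!r} attempted to read account {account_id}",
        )
    return ACCOUNTS[account_id]


def handle_request(user: str, session_map: AccessReferenceMap, ref: str) -> dict:
    """Controller wrapper: detailed message to the log, generic one to the client."""
    try:
        return {"ok": True, "detail": view_detail(user, session_map, ref)}
    except AccessControlError as e:
        log.warning("user=%s %s", user, e.log_message)
        return {"ok": False, "error": e.user_message}


if __name__ == "__main__":
    alice_map = build_session_map("alice")
    own_ref = alice_map.add(3540)
    print(handle_request("alice", alice_map, own_ref))
    print(handle_request("alice", alice_map, "3541"))  # the slide's "what if I change it?"
```

Note that the client never sees `3540` or `3541`; the only references that resolve are the random ones issued to that session, and even a resolved reference still has to pass the ownership check.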
Other frameworks
- Apache Shiro (Java)
- Spring Framework (Java)
- Visual Studio .NET (Guide for PCI Compliance)
Do you need to store credit card PAN?
Try to use a tokenization service like:

- Braintree
- Stripe
- Samurai

Identifying Credit Card data location...
Open Source
- Nessus

Commercial
- PixAlert
- Trustwave
Where do I go from here?
What are we trying to protect?
And reality hit us...
Card Data
Let's come up with a plan...
And for Mobile...
Key considerations:

1. Isolating sensitive functions and data in trusted environments.

2. Implementing secure coding best practices.

3. Eliminating unnecessary third-party access and privilege escalation.

4. Creating the ability to remotely disable payment applications.

5. Creating server-side controls and reporting unauthorized access.

- See more at: https://www.pcisecuritystandards.org/documents/Mobile%20Payment%20Security%20Guidelines%20v1%200.pdf
Summary
- Identify card data location.

- Decide whether it is necessary to store it.

- Implement security controls.