PCI for developers

Fabio Cerullo

on 25 July 2013

Transcript of PCI for developers

Injection Prevention
PCI for Developers
Fabio Cerullo
- Storing credit/debit card details in plain text.
- Hard-coded passwords.
- Not performing code reviews.
- Not performing pentests.
- Not using SSL at payment gateway.
- Home-made encryption mechanisms.
- Not logging critical information (e.g. attacks).
- Even better: logging ALL the information.
Channel Encryption
Method: isSecureChannel
Interface: HTTPUtilities
- Guarantees the information is always encrypted during transmission.
Flag: HTTPUtilities.ForceSecureSession
Card Data
- Secure Development Guide
- Testing Guide
- Code Review Guide
You can mask the PAN, BUT...
Under PCI Requirement 3.4...

- Use a hash algorithm like SHA1
- Store the first 6 and last 4 digits

xxxxxxxxxxxxxxxx (10 quadrillion)
4xxxxxxxxxxxxxxx (Visa - 4 quadrillion)
401288xxxxxx1881 (under req. 3.3)

How long does it take to crack it?
5.3 seconds!
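The "5.3 seconds" claim, worked through as an added example that is not part of the original presentation: once the first six and last four digits are shown (Requirement 3.3 masking), only six digits of the PAN are unknown, so an unkeyed SHA1 of the full PAN stored next to the masked value can be inverted by trying every one of the 10^6 candidates. The sample PAN is the well-known Visa test number that matches the slide's mask, not a real card; the HMAC key is a constructed placeholder, and the keyed hash is shown as the mitigation: the same enumeration is useless without the secret key.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample: the well-known Visa test PAN that the masked value
# 401288xxxxxx1881 on the slide corresponds to; it is not a real card.
SAMPLE_PAN = "4012888888881881"


def luhn_valid(pan: str) -> bool:
    """Luhn check digit used by card numbers (what card-data scanners test)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Requirement 3.3 style display: first six and last four digits only."""
    return pan[:6] + "x" * (len(pan) - 10) + pan[-4:]


def sha1_pan(pan: str) -> str:
    """The weak scheme from the slide: unkeyed SHA1 of the full PAN."""
    return hashlib.sha1(pan.encode("ascii")).hexdigest()


def hmac_pan(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256): enumerating candidates needs the secret key."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def candidate_space(masked: str) -> int:
    """How many PANs fit a masked value: 10 ** (number of hidden digits)."""
    return 10 ** masked.count("x")


def recover_pan(masked: str, sha1_digest: str) -> Optional[str]:
    """Why a truncated PAN and an unkeyed hash of it must not coexist:
    only the masked middle digits are unknown, so the hash is inverted
    by hashing every candidate and comparing. Returns None if no match."""
    prefix, suffix = masked[:6], masked[-4:]
    hidden = masked.count("x")
    for middle in range(10 ** hidden):
        candidate = f"{prefix}{middle:0{hidden}d}{suffix}"
        if sha1_pan(candidate) == sha1_digest:
            return candidate
    return None
```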
What is PCI?
Typical Errors
Meanwhile in the wild internet...
How could
OWASP help?
- Organization created by Visa, Amex, Mastercard, Discover, JCB in 2006.
- Defines security standards for debit/credit payments.
Secure Authentication with ESAPI
Two methods: login / createUser
Interface: Authenticator

By default, all users are disabled and locked when created.

Login only works over an SSL connection.
Why was PCI created?
It helps prevent security incidents with credit and debit cards.

Defines requirements to be adopted by:
- merchants that accept those payment methods (PCI DSS).
- software companies or implementers that provide that functionality (PCI PA-DSS).
- many more...
Does it affect me?
Do you accept credit/debit card payments online or over the phone?

Is this information stored/processed in YOUR server and/or by a third party?
PCI Ecosystem


PCI-DSS Requirements
PCI PA-DSS Requirements
Security Controls required by PA-DSS
- Secure Authentication
- Proper Session Management
- Channel Encryption
- Data Encryption
- Injection Prevention
- XSS Prevention
- CSRF Prevention
- Secure Data Access
- Error Handling
- Logging
What is ESAPI?
- Security
- Free
- Easy to use.
Proper Session Management
Method: changesessionid
Interface: HTTPUtilities
- Prevents Session Fixation.
- Guarantees a unique ID.
Data Encryption
Methods: encrypt / seal
Interface: Encryptor

Guarantees data encryption

(*) Other methods are also available in the frameworks.
Method: getValidInput
Interface: Validator

Prevents malicious
Method: encodeForXXX
Interface: Encoder

Guarantees adequate data format.
XSS Prevention
Same as Injection
plus the flag
CSRF Prevention
Method: addCSRFToken
Interface: HTTPUtilities

Adds a unique token per operation/transaction.
Secure Access to Data
- Indirect object.
- Data Access control.
Indirect Object Reference

What happens if I change it?

Data Access Control
Methods: isAuthorizedForXXX / randomaccessmap
Interfaces: AccessReferenceMap / AccessController

Guarantees only authorized users can access the resources (data, functions, etc.)
Error & Log Handling
Methods: getUserMessage / getLogMessage / isAuthorizedForXXX

Two different logs.
Other frameworks
- Apache Shiro (Java)
- Spring Framework (Java)
- Visual Studio .NET (Guide for PCI Compliance)
Do you need to store credit card PAN?
Try to use a tokenization service like:

- Braintree
- Stripe
- Samurai

Identifying Credit Card data location...
Open Source
- Nessus

- PixAlert
- Trustwave
Where do I go from here?
What are we trying to protect?
And reality hit us...
Card Data
Let's come up with a plan...
And for Mobile...
Key considerations:

1. Isolating sensitive functions and data in trusted environments

2. Implementing secure coding best practices

3. Eliminating unnecessary third-party access and privilege escalation

4. Creating the ability to remotely disable payment applications

5. Creating server-side controls and reporting unauthorized access

- See more at: https://www.pcisecuritystandards.org/documents/Mobile%20Payment%20Security%20Guidelines%20v1%200.pdf
- Identify card data location.

- Decide if necessary to store it.

- Implement security controls.