PCI for Developers
- Storing credit/debit card details in plain text.
- Hard-coded passwords.
- Not performing code reviews.
- Not performing pentests.
- Not using SSL at payment gateway.
- Home-made encryption mechanisms.
- Not logging critical information (e.g. attacks).
- Or the opposite extreme: logging ALL the information, card data included (PAN and sensitive authentication data in a log file is itself a PCI violation).
Channel Encryption
Interface: HTTPUtilities
- Guarantees the information is always encrypted during transmission: a request that did not arrive over an encrypted (SSL/TLS) channel is rejected.
- Secure Development Guide
- Testing Guide
- Code Review Guide
- OWASP ESAPI
You can mask the PAN, BUT...
Under PCI Requirement 3.4, a stored PAN must be rendered unreadable, and two of the accepted methods are:
- A one-way hash of the entire PAN (typically done with an algorithm like SHA-1, unsalted).
- Truncation: keep only the first 6 and the last 4 digits.
Do both for the same PAN and the hash becomes trivial to crack, because the truncated copy fixes 10 of the 16 digits:
xxxxxxxxxxxxxxxx (16 unknown digits: 10^16, 10 quadrillion candidates)
4xxxxxxxxxxxxxxx (Visa, first digit known: 10^15, 1 quadrillion)
401288xxxxxx1881 (the mask allowed under req. 3.3: 6 unknown digits, 10^6 candidates, and only 1 in 10 of those passes the Luhn check)
How long does it take to crack it? Well under a second. That is why Requirement 3.4 also requires that hashed and truncated versions of the same PAN cannot be correlated: if you must hash, use a keyed hash (HMAC) with the key kept away from the data, or a salt stored separately.
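The numbers above, worked through in code. This is an added example written for this page, not code from the original presentation: it masks the Visa test number shown on the slide (4012 8888 8888 1881, a published test number, not a real account), counts the candidates behind each mask, brute-forces an unsalted SHA-1 of the full PAN using nothing but the masked copy, and contrasts that with a keyed hash whose key (assumed here to live in an HSM or key-management service) the attacker does not hold.

```python
import hashlib
import hmac
import itertools
import secrets
import time

# Constructed sample: the well-known Visa test number from the slide. Not a real account.
PAN = "4012888888881881"

# Luhn doubling table: 2*d with the digits of the product summed (5 -> 10 -> 1, 9 -> 18 -> 9).
_DOUBLED = (0, 2, 4, 6, 8, 1, 3, 5, 7, 9)


def luhn_valid(pan: str) -> bool:
    """Luhn check. The check digit ties the last digit to the other 15, so only
    one candidate in ten survives: the search space shrinks by 10x for free."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ord(ch) - 48
        total += _DOUBLED[d] if i & 1 else d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Req. 3.3 display form: first six and last four digits, the rest masked."""
    return pan[:6] + "x" * (len(pan) - 10) + pan[-4:]


def candidates(masked: str) -> int:
    """PANs consistent with a mask, before the Luhn constraint: 10^(unknown digits)."""
    return 10 ** masked.count("x")


def unsalted_sha1(pan: str) -> str:
    """The 'hash the whole PAN with SHA-1' storage the slide describes."""
    return hashlib.sha1(pan.encode()).hexdigest()


def crack_sha1(target_hex: str, masked: str) -> tuple:
    """Enumerate every PAN that matches the mask and hash only the Luhn-valid ones.
    Returns (recovered PAN or None, number of SHA-1 hashes computed, seconds)."""
    unknown = [i for i, ch in enumerate(masked) if ch == "x"]
    template = list(masked)
    hashes = 0
    start = time.perf_counter()
    for digits in itertools.product("0123456789", repeat=len(unknown)):
        for pos, d in zip(unknown, digits):
            template[pos] = d
        cand = "".join(template)
        if not luhn_valid(cand):
            continue
        hashes += 1
        if hashlib.sha1(cand.encode()).hexdigest() == target_hex:
            return cand, hashes, time.perf_counter() - start
    return None, hashes, time.perf_counter() - start


def keyed_pan_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA-256 over the PAN under a secret key stored outside the database
    (assumption: an HSM or key-management service). Without the key, someone
    holding the masked PAN and the hash has nothing to test 10^5 candidates against."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    masked = mask_pan(PAN)
    for m in ("x" * 16, "4" + "x" * 15, masked):
        print(f"{m}: 10^{m.count('x')} = {candidates(m):,} candidates")
    pan, hashes, secs = crack_sha1(unsalted_sha1(PAN), masked)
    print(f"recovered {pan} after {hashes} SHA-1 hashes in {secs:.2f}s")
    key = secrets.token_bytes(32)  # assumption: generated and held in an HSM/KMS, never beside the data
    print("keyed hash:", keyed_pan_hash(PAN, key)[:16], "... (useless to the attacker without the key)")
```

The crack is pure Python and still finishes in seconds; the 10^5 hashes it needs are what a single core does in well under a second with a native hashing tool. Note the keyed hash does not rescue a short key or a key stored in the same database: the protection is the key's secrecy, so key management is the control.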
What is PCI?
Meanwhile in the wild internet...
- The PCI Security Standards Council, an organization created by Visa, American Express, MasterCard, Discover and JCB in 2006.
- Defines security standards for debit/credit card payments.
Secure Authentication with ESAPI
Interface: Authenticator. Two methods: login / createUser.
- Users are disabled and locked by default when created; they must be enabled and unlocked explicitly.
- login only works over an encrypted (SSL/TLS) connection.
Why was PCI created?
It helps prevent security incidents with credit and debit cards.
Defines requirements to be adopted by:
- merchants that accept those payment methods (PCI DSS).
- software vendors or integrators that provide that functionality (PCI PA-DSS).
- many more...
Does it affect me?
Do you accept credit/debit card payments online or over the phone?
Is this information stored/processed on YOUR server and/or by a third party?
PCI PA-DSS Requirements
Controls required by PA-DSS:
- Secure Authentication
- Proper Session Management
- Channel Encryption
- Data Encryption
- Injection Prevention
- XSS Prevention
- CSRF Prevention
- Secure Data Access
- Error Handling
What is ESAPI?
- The OWASP Enterprise Security API: a free, open-source library of security controls.
- Easy to use.
Proper Session Management
Interface: HTTPUtilities
- Prevents session fixation: the session identifier is replaced when the user logs in, so an identifier planted before login never becomes an authenticated one.
- Guarantees a unique ID.
Data Encryption
Interface: Encryptor
Methods: encrypt / seal
- Guarantees data encryption; seal additionally binds an expiration time and an integrity check to the data, so a tampered or expired value is rejected when unsealed.
(*) Other methods are also available in the framework.
XSS Prevention
- Same as Injection, plus the flag.
CSRF Prevention
- Adds a unique token per operation/transaction, verified on the server before the operation runs.
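The two session controls from the slides (replace the session identifier at login, and a single-use token per operation) in one small server-side session store. This is an added example written for this page in Python; it is not ESAPI's code and not from the original presentation. The store, the `transfer` endpoint and the user names are constructed for illustration; the `fixation_attack_fails` function replays the attack the first control exists to stop.

```python
import hmac
import secrets


class SessionStore:
    """Server-side sessions keyed by an unguessable id. Two rules from the slides:
    rotate the id whenever the privilege level changes (login), and bind every
    state-changing operation to a token that is valid once, for one session."""

    def __init__(self):
        self._sessions = {}  # session id -> {"user": str or None, "csrf": set of tokens}

    def create(self) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: unique and unguessable
        self._sessions[sid] = {"user": None, "csrf": set()}
        return sid

    def user(self, sid):
        """Authenticated user behind an id, or None if the id is unknown or anonymous."""
        data = self._sessions.get(sid)
        return data["user"] if data else None

    def login(self, sid: str, username: str) -> str:
        """Authenticate and return a NEW id. The old id, which an attacker may have
        planted in the victim's browser (session fixation), is dropped, so it
        never becomes an authenticated session."""
        data = self._sessions.pop(sid, None)
        if data is None:
            raise KeyError("unknown session")
        data["user"] = username
        data["csrf"].clear()  # tokens issued before login do not carry over
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid

    def issue_csrf_token(self, sid: str) -> str:
        """One token per form/operation, recorded against the issuing session."""
        token = secrets.token_urlsafe(32)
        self._sessions[sid]["csrf"].add(token)
        return token

    def verify_csrf_token(self, sid: str, token) -> bool:
        """Valid only for the session it was issued to, and only once."""
        data = self._sessions.get(sid)
        if data is None or not isinstance(token, str):
            return False
        presented = token.encode()
        match = next((t for t in data["csrf"]
                      if hmac.compare_digest(t.encode(), presented)), None)
        if match is None:
            return False
        data["csrf"].discard(match)  # consumed: a replayed submission fails
        return True


def fixation_attack_fails(store: SessionStore) -> bool:
    """Attacker obtains an id, plants it in the victim's browser, victim logs in.
    True if the planted id is still anonymous afterwards (attack defeated)."""
    planted = store.create()
    victim_sid = store.login(planted, "alice")
    return store.user(planted) is None and store.user(victim_sid) == "alice"


def transfer(store: SessionStore, sid: str, token, amount: int) -> str:
    """A state-changing endpoint: refuses without a valid, unused token."""
    if store.user(sid) is None:
        return "denied: not authenticated"
    if not store.verify_csrf_token(sid, token):
        return "denied: missing, invalid or replayed CSRF token"
    return f"ok: transferred {amount}"


if __name__ == "__main__":
    store = SessionStore()
    print("fixation defeated:", fixation_attack_fails(store))
    sid = store.login(store.create(), "bob")
    tok = store.issue_csrf_token(sid)
    print(transfer(store, sid, "guessed", 10))
    print(transfer(store, sid, tok, 10))
    print(transfer(store, sid, tok, 10))  # same token again: replay is refused
```

The token check uses a constant-time comparison so the verification does not leak how many leading characters of a guess were right; the lookup by session id is the other half of the binding, since a token lifted from one session is useless in another.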
- Indirect object.
- Data Access control.
Indirect Object Reference
What happens if I change it?
Data Access Control
Methods: isAuthorizedForXXX (isAuthorizedForData, isAuthorizedForFunction, isAuthorizedForURL, ...) / RandomAccessReferenceMap
Interfaces: AccessReferenceMap / AccessController
Guarantees only authorized users can access the resources (data, functions, URLs, etc.).
Error & Log Handling
Methods: getUserMessage / getLogMessage / isAuthorizedForXXX
Two different messages: a generic one shown to the user (no stack traces, no internals), and a detailed one written to the security log.
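The Secure Data Access and Error & Log Handling slides above, combined in one runnable example: a per-session map from random indirect references to database keys, an authorization check on the record itself, and an exception that carries one message for the user and another for the log. This is an added example written for this page in Python; it re-implements the pattern of ESAPI's RandomAccessReferenceMap, AccessController and EnterpriseSecurityException and is not ESAPI's code or the presentation's. The invoice table, owners and amounts are constructed sample data.

```python
import secrets


class AccessControlException(Exception):
    """Two messages, as in ESAPI's EnterpriseSecurityException: a bland one to
    show the user and a detailed one for the security log."""

    def __init__(self, user_message: str, log_message: str):
        super().__init__(user_message)
        self.user_message = user_message
        self.log_message = log_message


# Constructed sample data: invoice id -> record. The ids are the direct (database) references.
INVOICES = {
    101: {"owner": "alice", "total": 120.00},
    102: {"owner": "alice", "total": 75.50},
    201: {"owner": "bob", "total": 999.99},
}


class RandomAccessReferenceMap:
    """Per-session map between direct references (database keys) and random
    indirect references, which are the only thing ever sent to the client."""

    def __init__(self, direct_refs=()):
        self._to_indirect = {}
        self._to_direct = {}
        for ref in direct_refs:
            self.add(ref)

    def add(self, direct) -> str:
        if direct in self._to_indirect:
            return self._to_indirect[direct]
        while True:
            indirect = secrets.token_hex(6)  # 48 random bits: not sequential, not guessable
            if indirect not in self._to_direct:
                break
        self._to_indirect[direct] = indirect
        self._to_direct[indirect] = direct
        return indirect

    def get_indirect(self, direct) -> str:
        return self._to_indirect[direct]

    def get_direct(self, indirect):
        try:
            return self._to_direct[indirect]
        except KeyError:
            raise AccessControlException(
                "Invalid request.",
                f"indirect reference {indirect!r} is not in this session's map (possible tampering)",
            ) from None


def is_authorized_for_data(user: str, record: dict) -> bool:
    """AccessController-style check: a user may only read their own invoices."""
    return record["owner"] == user


def session_map_for(user: str) -> RandomAccessReferenceMap:
    """Build the map only from what the user may see; other ids are never mapped."""
    return RandomAccessReferenceMap(i for i, r in INVOICES.items() if is_authorized_for_data(user, r))


def get_invoice(user: str, refmap: RandomAccessReferenceMap, indirect) -> dict:
    """Handler: translate the indirect reference, then re-check authorization on
    the record (defense in depth: the map alone should already have blocked it)."""
    invoice_id = refmap.get_direct(indirect)
    record = INVOICES[invoice_id]
    if not is_authorized_for_data(user, record):
        raise AccessControlException(
            "Access denied.",
            f"user {user!r} requested invoice {invoice_id} owned by {record['owner']!r}",
        )
    return record


def demo() -> dict:
    """What happens if the client changes the reference in the URL?"""
    refmap = session_map_for("alice")
    link = refmap.get_indirect(101)  # what alice's page actually contains
    results = {"own": get_invoice("alice", refmap, link)["total"]}
    for tampered in ("201", "000000000000"):  # bob's raw id, and a random-looking guess
        try:
            get_invoice("alice", refmap, tampered)
        except AccessControlException as e:
            results[tampered] = (e.user_message, e.log_message)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The user sees "Invalid request." and nothing else; the log line names the session's user and the exact reference presented, which is what a detection rule for enumeration attempts keys on. Because the map is rebuilt per session from the authorization decision, a raw database id typed into the URL is simply absent, and the second check in the handler catches a map that was built too generously.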
- Apache Shiro (Java)
- Spring Framework (Java)
- Visual Studio .NET (Guide for PCI Compliance)
Do you need to store the credit card PAN at all?
If not, use a tokenization service (a token replaces the PAN in your systems, so the PAN itself never has to be stored by you), like:
Identifying Credit Card data location...
Where do I go from here?
What are we trying to protect?
And reality hit us...
Let's come up with a plan...
And for Mobile...
1. Isolating sensitive functions and data in trusted environments.
2. Implementing secure coding best practices.
3. Eliminating unnecessary third-party access and privilege escalation.
4. Creating the ability to remotely disable payment applications.
5. Creating server-side controls and reporting unauthorized access.
- See more at: https://www.pcisecuritystandards.org/documents/Mobile%20Payment%20Security%20Guidelines%20v1%200.pdf
- Identify where card data is located.
- Decide whether it is necessary to store it at all.
- Implement the security controls.