PCI DSS for Pentesting


null Mumbai Chapter - March 2013 Meet

1. PCI DSS for Penetration Testers
K. K. Mookhey

2. What is PCI DSS?
• Payment Card Industry (PCI) Data Security Standard (DSS).
• PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data.
• PCI DSS comprises a minimum set of requirements for protecting cardholder data, and may be enhanced by additional controls and practices to further mitigate risks.

3. Why Is Compliance with PCI DSS Important?
A security breach and subsequent compromise of payment card data has far-reaching consequences for affected organizations, including:
• Regulatory notification requirements
• Loss of reputation
• Loss of customers
• Potential financial liabilities (for example, regulatory and other fees and fines)
• Litigation

4. PCI DSS: Payment Card Industry Data Security Standard
The standard applies to:
• Merchants
• Service providers (third-party vendors, gateways)
• Systems (hardware, software)
Who:
• Store cardholder data
• Transmit cardholder data
• Process cardholder data
Inclusive of:
• Electronic transactions
• Paper transactions

5. The PCI Security Standards Council (PCI SSC)
An open global forum, launched in 2006, responsible for the development, management, education, and awareness of the PCI Security Standards, including:
• Data Security Standard (DSS)
• Payment Application Data Security Standard (PA-DSS)
• PIN Transaction Security (PTS), formerly known as PIN Entry Device (PED)
(Diagram: PCI PTS, PCI PA-DSS, PCI DSS)

6. PCI SSC Standards

7. PIN Transaction (PTS) Security Requirements
• A set of security requirements focused on characteristics and management of devices used in the protection of cardholder PINs and other payment processing related activities.
• The requirements are for manufacturers to follow in the design, manufacture and transport of a device to the entity that implements it.
• Financial institutions, processors, merchants and service providers should only use devices or components that are tested and approved by the PCI SSC.
www.pcisecuritystandards.org/security_standards/ped/pedapprovallist.html

8. Payment Application Data Security Standard (PA-DSS)
• The PA-DSS is for software developers and integrators of payment applications that store, process or transmit cardholder data as part of authorization or settlement when these applications are sold, distributed or licensed to third parties.
• Most card brands encourage merchants to use payment applications that are tested and approved by the PCI SSC.
• Validated applications are listed at: www.pcisecuritystandards.org/security_standards/pa_dss.shtml

9. PCI Data Security Standard (DSS)
• The PCI DSS applies to all entities that store, process, and/or transmit cardholder data.
• It covers technical and operational system components included in or connected to cardholder data.
• If you are a merchant who accepts or processes payment cards, you must comply with the PCI DSS.

10. The PCI Security Standards Founders

11. Data on Payment Card

12. Track 1 vs. Track 2 Data

13. Track 1 vs. Track 2 Data (cont.)
• If full track data (either Track 1 or Track 2, from the magnetic stripe, the magnetic-stripe image in a chip, or elsewhere) is stored, malicious individuals who obtain that data can reproduce and sell payment cards around the world.
• Full track data storage also violates the payment brands' operating regulations and can lead to fines and penalties.

14. What to Store and What Not to Store

15. Guidelines for Storage
1. One-way hash functions based on strong cryptography convert the entire PAN into a unique, fixed-length cryptographic value.
2. Truncation permanently removes a segment of the data (for example, retaining only the last four digits).
3. Index tokens and securely stored pads: an encryption algorithm that combines sensitive plain-text data with a random key or pad that works only once.
4. Strong cryptography with associated key management processes and procedures.
Refer to the PCI DSS and PA-DSS Glossary of Terms, Abbreviations and Acronyms for the definition of strong cryptography.

16. The PCI Data Security Standard: Six Goals, Twelve Requirements
Build and Maintain a Secure Network
• 1. Install and maintain a firewall configuration to protect cardholder data
• 2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
• 3. Protect stored cardholder data
• 4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
• 5. Use and regularly update anti-virus software or programs
• 6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
• 7. Restrict access to cardholder data by business need-to-know
• 8. Assign a unique ID to each person with computer access
• 9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
• 10. Track and monitor all access to network resources and cardholder data
• 11. Regularly test security systems and processes
Maintain an Information Security Policy
• 12. Maintain a policy that addresses information security for employees and contractors

17. Other PCI Standards

18. PCI SSC Standards

19. PIN Transaction (PTS) Security Requirements
(Text identical to slide 7.)

20. PIN Transaction (PTS) Security Requirements (cont.)
• Objective 1: PINs used in transactions governed by these requirements are processed using equipment and methodologies that ensure they are kept secure.
• Objective 2: Cryptographic keys used for PIN encryption/decryption and related key management are created using processes that ensure that it is not possible to predict any key or determine that certain keys are more probable than other keys.
• Objective 3: Keys are conveyed or transmitted in a secure manner.

21. PIN Transaction (PTS) Security Requirements (cont.)
• Objective 4: Key-loading to hosts and PIN entry devices is handled in a secure manner.
• Objective 5: Keys are used in a manner that prevents or detects their unauthorized usage.
• Objective 6: Keys are administered in a secure manner.
• Objective 7: Equipment used to process PINs and keys is managed in a secure manner.

22. Payment Application Data Security Standard (PA-DSS)
(Text identical to slide 8.)

23. PA-DSS (cont.)
• Requirement 1: Do not retain full magnetic stripe, card verification code or value (CAV2, CID, CVC2, CVV2), or PIN block data
• Requirement 2: Protect stored cardholder data
• Requirement 3: Provide secure authentication features
• Requirement 4: Log payment application activity
• Requirement 5: Develop secure payment applications
• Requirement 6: Protect wireless transmissions
• Requirement 7: Test payment applications to address vulnerabilities
• Requirement 8: Facilitate secure network implementation
• Requirement 9: Cardholder data must never be stored on a server connected to the Internet

24. PA-DSS (cont.)
• Requirement 10: Facilitate secure remote access to payment application
• Requirement 11: Encrypt sensitive traffic over public networks
• Requirement 12: Encrypt all non-console administrative access
• Requirement 13: Maintain instructional documentation and training programs for customers, resellers, and integrators

25. Thank you! Questions / Queries
Network Intelligence India Pvt. Ltd.
An ISO/IEC 27001:2005 certified company
Web: http://www.niiconsulting.com
Email: kkmookhey@niiconsulting.com
Tel: +91-22-2839-2628, +91-22-4005-2628
Fax: +91-22-2837-5454
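Slides 12 to 14 explain what full Track 1 / Track 2 data is and why it must never be stored, and PA-DSS requirement 1 and PCI DSS requirement 3 make this a test item: during an assessment the tester has to find places (logs, database dumps, backups) where track data or bare PANs have leaked. The Python scanner below is an added example written for this page, not code from the slides or from the presenter. The log lines it scans are constructed and use the public test card numbers 4111111111111111 and 5555555555554444; the sentinel and separator layout of the two tracks is assumed from the ISO 7813 magnetic-stripe format. Findings are reported with the PAN masked to its last four digits so the report itself does not become stored cardholder data.

```python
import re

# Constructed sample log lines (not from the slides). 4111111111111111 and
# 5555555555554444 are public test card numbers; the order id on the last
# line is a 16-digit number that fails the Luhn check, so it must not be
# reported as a PAN, and the masked PAN on line 4 is already compliant.
SAMPLE_LINES = [
    "2013-03-01 10:00:01 POS T01 swipe=%B4111111111111111^DOE/JOHN^25121015432100000000?",
    "2013-03-01 10:00:02 POS T01 track2=;4111111111111111=25121015432100000?",
    "2013-03-01 10:00:03 gateway auth pan=5555555555554444 exp=1225 result=APPROVED",
    "2013-03-01 10:00:04 gateway auth pan=************4444 result=APPROVED",
    "2013-03-01 10:00:05 order id=1234567890123456 status=shipped",
]

# ISO 7813 track layouts (assumed here): Track 1 = %B<PAN>^<NAME>^<YYMM...>?
# and Track 2 = ;<PAN>=<YYMM...>?  The whole track is consumed so that its
# discretionary data is not later mistaken for a second PAN.
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^[^?]*\??")
TRACK2_RE = re.compile(r";(\d{13,19})=[^?]*\??")
# A bare PAN: 13 to 19 digits that are not part of a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; filters out order ids and similar numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, so a finding is not itself cardholder data."""
    return "*" * (len(pan) - 4) + pan[-4:]


def scan_line(line: str) -> list:
    """Return (kind, masked_pan) findings for one line: track1, track2 or pan."""
    findings = []
    for m in TRACK1_RE.finditer(line):
        findings.append(("track1", mask_pan(m.group(1))))
    for m in TRACK2_RE.finditer(line):
        findings.append(("track2", mask_pan(m.group(1))))
    # Strip full tracks before looking for bare PANs, to avoid double-reporting.
    rest = TRACK2_RE.sub(" ", TRACK1_RE.sub(" ", line))
    for m in PAN_RE.finditer(rest):
        if luhn_ok(m.group(1)):
            findings.append(("pan", mask_pan(m.group(1))))
    return findings


def scan_lines(lines) -> list:
    """Scan a sequence of lines; returns (line_no, kind, masked_pan) tuples."""
    results = []
    for no, line in enumerate(lines, start=1):
        for kind, masked in scan_line(line):
            results.append((no, kind, masked))
    return results


if __name__ == "__main__":
    for no, kind, masked in scan_lines(SAMPLE_LINES):
        print(f"line {no}: {kind} data found ({masked})")
```

Run it against real log or dump files one line at a time; the Luhn filter removes most numeric false positives, and a track finding is the more serious one because the discretionary data it carries is what lets a card be cloned (slide 13).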
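Slide 15 lists the four ways PCI DSS allows a stored PAN to be rendered unreadable. The Python below is an added example, not code from the slides or the presenter, and shows the first three side by side: truncation to the last four digits, a one-way hash, and an index-token vault. The key value and the in-memory vault are constructed for the demonstration; a real vault would keep the PAN under strong cryptography with documented key management (item 4 on the slide), and the key would live in an HSM or key manager. The hash is keyed (HMAC) rather than a plain digest because a PAN has little entropy once the issuer prefix and the check digit are accounted for, so an unkeyed hash of a PAN could be reversed by enumeration; the hash key therefore needs the same protection as an encryption key.

```python
import hashlib
import hmac
import secrets

# Constructed demonstration key (assumption). Production: generated and held in
# an HSM or key-management system and rotated under documented procedures.
DEMO_HASH_KEY = bytes.fromhex(
    "a3f1c2d4e5b60718293a4b5c6d7e8f90a3f1c2d4e5b60718293a4b5c6d7e8f90"
)


def truncate_pan(pan: str) -> str:
    """Truncation (slide 15, item 2): retain only the last four digits."""
    if len(pan) < 13 or not pan.isdigit():
        raise ValueError("not a PAN")
    return "*" * (len(pan) - 4) + pan[-4:]


def hash_pan(pan: str, key: bytes = DEMO_HASH_KEY) -> str:
    """Keyed one-way hash (slide 15, item 1): fixed length, not reversible,
    still usable to match a returning card without storing the PAN."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


class TokenVault:
    """Index tokens (slide 15, item 3): a random token stands in for the PAN
    everywhere outside the vault; the mapping exists only inside it."""

    def __init__(self, key: bytes = DEMO_HASH_KEY):
        self.key = key
        self._token_by_hash = {}   # keyed hash -> token (same card, same token)
        self._pan_by_token = {}    # token -> PAN; simplification for the demo,
                                   # a real vault stores this encrypted

    def tokenize(self, pan: str) -> str:
        h = hash_pan(pan, self.key)
        token = self._token_by_hash.get(h)
        if token is None:
            token = "tok_" + secrets.token_hex(8)   # random, carries no PAN digits
            self._token_by_hash[h] = token
            self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (a restricted, logged component) can go back to the PAN."""
        return self._pan_by_token[token]


def render_unreadable(pan: str, vault: TokenVault) -> dict:
    """All three renderings for one PAN, e.g. for a merchant's order record."""
    return {
        "truncated": truncate_pan(pan),
        "hashed": hash_pan(pan, vault.key),
        "token": vault.tokenize(pan),
    }


if __name__ == "__main__":
    vault = TokenVault()
    record = render_unreadable("4111111111111111", vault)   # public test number
    for field, value in record.items():
        print(f"{field:10s} {value}")
```

The point for an assessor is which of these a system actually stores: a truncated value or a token can sit in an order database outside the vault, whereas the full PAN may exist only in the vault, encrypted, with the key managed separately.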