Page 1: PCI DSS for Pentesting

PCI DSS for Penetration Testers

K. K. Mookhey

Page 2: PCI DSS for Pentesting

What is PCI DSS?

Payment Card Industry (PCI) Data Security Standard (DSS)

PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data.

PCI DSS comprises a minimum set of requirements for protecting cardholder data, and may be enhanced by additional controls and practices to further mitigate risks.

Page 3: PCI DSS for Pentesting

Why Is Compliance with PCI DSS Important?

A security breach and subsequent compromise of payment card data has far-reaching consequences for affected organizations, including:

Regulatory notification requirements,
Loss of reputation,
Loss of customers,
Potential financial liabilities (for example, regulatory and other fees and fines), and
Litigation.

Page 4: PCI DSS for Pentesting
Page 5: PCI DSS for Pentesting

PCI DSS: Payment Card Industry Data Security Standard

Standard applies to: Merchants; Service Providers (third-party vendors, gateways); Systems (hardware, software)

Who: those that store, transmit or process cardholder data

Inclusive of: Electronic transactions and paper transactions

Page 6: PCI DSS for Pentesting

The PCI Security Standards Council (PCI SSC)

An open global forum, launched in 2006, responsible for the development, management, education, and awareness of the PCI Security Standards, including:

Data Security Standard (DSS)
Payment Application Data Security Standard (PA-DSS)
PIN Transaction Security (PTS), formerly known as PIN-Entry Device (PED)

Figure: PCI DSS, PCI PA-DSS, PCI PTS

Page 7: PCI DSS for Pentesting

PCI SSC- Standards

Page 8: PCI DSS for Pentesting

PIN Transaction Security (PTS) Requirements

• A set of security requirements focused on the characteristics and management of devices used in the protection of cardholder PINs and other payment-processing related activities.

• The requirements are for manufacturers to follow in the design, manufacture and transport of a device to the entity that implements it.

• Financial institutions, processors, merchants and service providers should only use devices or components that are tested and approved by the PCI SSC.

www.pcisecuritystandards.org/security_standards/ped/pedapprovallist.html

Page 9: PCI DSS for Pentesting

Payment Application Data Security Standard (PA-DSS)

• The PA-DSS is for software developers and integrators of payment applications that store, process or transmit cardholder data as part of authorization or settlement when these applications are sold, distributed or licensed to third parties.

• Most card brands encourage merchants to use payment applications that are tested and approved by the PCI SSC.

Validated applications are listed at: www.pcisecuritystandards.org/security_standards/pa_dss.shtml

Page 10: PCI DSS for Pentesting

PCI Data Security Standard (DSS)

• The PCI DSS applies to all entities that store, process, and/or transmit cardholder data.

• It covers technical and operational system components included in or connected to cardholder data.

• If you are a merchant who accepts or processes payment cards, you must comply with the PCI DSS.

Page 11: PCI DSS for Pentesting

The PCI Security Standards Founders

Page 12: PCI DSS for Pentesting

Data on Payment Card

Page 13: PCI DSS for Pentesting

Track 1 vs. Track 2 Data

Page 14: PCI DSS for Pentesting

Track 1 vs. Track 2 Data (cont.)

If full track data (either Track 1 or Track 2, from the magnetic stripe, the magnetic-stripe image in a chip, or elsewhere) is stored, malicious individuals who obtain that data can reproduce and sell payment cards around the world.

Full track data storage also violates the payment brands' operating regulations and can lead to fines and penalties.

Page 15: PCI DSS for Pentesting

What to store & what not to store

Page 16: PCI DSS for Pentesting

Guidelines for Storage

1. One-way hash functions based on strong cryptography – converts the entire PAN into a unique, fixed-length cryptographic value.

2. Truncation – permanently removes a segment of the data (for example, retaining only the last four digits).

3. Index tokens and securely stored pads – encryption algorithm that combines sensitive plain-text data with a random key or “pad” that works only once.

4. Strong cryptography – with associated key management processes and procedures. Refer to the PCI DSS and PA-DSS Glossary of Terms, Abbreviations and Acronyms for the definition of “strong cryptography.”
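As an added example (not from the deck), the Python module below applies guidelines 1 and 2 to a PAN and, going one step beyond the slide, shows the check a tester runs under Requirement 3: a Luhn-filtered scan of storage or log text for PANs kept in the clear. The PAN and the log lines are constructed test data, and the HMAC key is an assumption standing in for a properly managed key.

```python
import hashlib
import hmac
import re

# Constructed sample: a well-known Luhn-valid test number, not a real card.
SAMPLE_PAN = "4111111111111111"

# Constructed log sample: one PAN in the clear, one truncated, one 13-digit
# order id that is not Luhn-valid (a scan without Luhn would flag it).
SAMPLE_LOG = """\
2024-01-01 auth ok pan=4111111111111111 amount=12.50
2024-01-01 auth ok pan=XXXXXXXXXXXX1111 amount=9.99
2024-01-01 order_id=1234567890123 status=ok
"""


def luhn_valid(digits: str) -> bool:
    """Luhn check: separates candidate PANs from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Guideline 2: keep only the last four digits; the rest is gone for good."""
    return "X" * (len(pan) - 4) + pan[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Guideline 1: a one-way, fixed-length value over the entire PAN.
    A keyed hash (HMAC) is used here because the PAN space is small enough
    that an unkeyed hash could be reversed by enumerating Luhn-valid numbers."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


# 13 to 19 digits, optionally separated by spaces or hyphens, not embedded in a longer run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_unprotected_pans(text: str) -> list:
    """Requirement 3 check: return every Luhn-valid candidate PAN found in the clear."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found
```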

Page 17: PCI DSS for Pentesting

The PCI Data Security Standard

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security for employees and contractors

Six Goals, Twelve Requirements

Page 18: PCI DSS for Pentesting

Other PCI Standards

Page 21: PCI DSS for Pentesting

PIN Transaction Security (PTS) Requirements (cont.)

• Objective 1: PINs used in transactions governed by these requirements are processed using equipment and methodologies that ensure they are kept secure.

• Objective 2: Cryptographic keys used for PIN encryption/decryption and related key management are created using processes that ensure that it is not possible to predict any key or determine that certain keys are more probable than other keys.

• Objective 3: Keys are conveyed or transmitted in a secure manner.

Page 22: PCI DSS for Pentesting

PIN Transaction Security (PTS) Requirements (cont.)

• Objective 4: Key-loading to hosts and PIN entry devices is handled in a secure manner.

• Objective 5: Keys are used in a manner that prevents or detects their unauthorized usage.

• Objective 6: Keys are administered in a secure manner.

• Objective 7: Equipment used to process PINs and keys is managed in a secure manner.

Page 24: PCI DSS for Pentesting

PA-DSS (cont.)

• Requirement 1: Do not retain full magnetic stripe, card verification code or value (CAV2, CID, CVC2, CVV2), or PIN block data

• Requirement 2: Protect stored cardholder data

• Requirement 3: Provide secure authentication features

• Requirement 4: Log payment application activity

• Requirement 5: Develop secure payment applications

• Requirement 6: Protect wireless transmissions

• Requirement 7: Test payment applications to address vulnerabilities

• Requirement 8: Facilitate secure network implementation

• Requirement 9: Cardholder data must never be stored on a server connected to the Internet

Page 25: PCI DSS for Pentesting

PA-DSS (cont.)

• Requirement 10: Facilitate secure remote access to payment application

• Requirement 11: Encrypt sensitive traffic over public networks

• Requirement 12: Encrypt all non-console administrative access

• Requirement 13: Maintain instructional documentation and training programs for customers, resellers, and integrators

Page 26: PCI DSS for Pentesting

NETWORK INTELLIGENCE INDIA PVT. LTD. – AN ISO/IEC 27001:2005 CERTIFIED COMPANY

Thank you!

Questions / Queries

Web: http://www.niiconsulting.com
Email: [email protected]
Tel: +91-22-2839-2628, +91-22-4005-2628
Fax: +91-22-2837-5454

