PCI DSS for Penetration Testers
K. K. Mookhey
Jun 17, 2015
What is PCI DSS?
Payment Card Industry (PCI) Data Security Standard (DSS)
PCI DSS provides a baseline of technical and operational
requirements designed to protect cardholder data.
It comprises a minimum set of requirements for
protecting cardholder data and may be enhanced by additional
controls and practices to further mitigate risk.
Why Is Compliance with PCI DSS Important?
A security breach and subsequent compromise of payment
card data has far-reaching consequences for affected
organizations, including:
Regulatory notification requirements,
Loss of reputation,
Loss of customers,
Potential financial liabilities (for example, regulatory and other
fees and fines), and
Litigation.
PCI DSS: Payment Card Industry Data Security Standard
Standard applies to: Merchants
Service providers (third-party vendors, gateways)
Systems (hardware, software)
Who: Store cardholder data
Transmit cardholder data
Process cardholder data
Inclusive of: Electronic transactions
Paper transactions
The PCI Security Standards Council (PCI SSC)
An open global forum, launched in 2006, responsible for the
development, management, education, and awareness of the PCI
Security Standards, including:
Data Security Standard (DSS)
Payment Application Data Security Standard (PA-DSS)
PIN Transaction Security (PTS)
Formerly known as PIN Entry Device (PED)
PCI SSC- Standards
PIN Transaction (PTS) Security Requirements
• It is a set of security requirements focused on characteristics and
management of devices used in the protection of cardholder PINs
and other payment processing related activities.
• The requirements are for manufacturers to follow in the design,
manufacture and transport of a device to the entity that
implements it.
• Financial institutions, processors, merchants and service providers
should only use devices or components that are tested and
approved by the PCI SSC.
www.pcisecuritystandards.org/security_standards/ped/pedapprovallist.html
Payment Application Data Security Standard (PA-DSS)
• The PA-DSS is for software developers and integrators of payment
applications that store, process or transmit cardholder data as part
of authorization or settlement when these applications are sold,
distributed or licensed to third parties.
• Most card brands encourage merchants to use payment applications
that are tested and approved by the PCI SSC.
Validated applications are listed at:
www.pcisecuritystandards.org/security_standards/pa_dss.shtml
PCI Data Security Standard (DSS)
• The PCI DSS applies to all entities that store, process, and/or
transmit cardholder data.
• It covers technical and operational system components
included in or connected to the cardholder data environment.
• If you are a merchant who accepts or processes payment
cards, you must comply with the PCI DSS.
The PCI Security Standards Founders
Data on Payment Card
Track 1 vs. Track 2 Data
Track 1 vs. Track 2 Data (cont.)
If full track data (either Track 1 or Track 2, from the magnetic stripe, a magnetic-stripe image in a chip, or elsewhere) is stored, malicious individuals who obtain that data can reproduce and sell payment cards around the world.
Full track data storage also violates the payment brands' operating regulations and can lead to fines and penalties.
What to store & what not to store
Guidelines for Storage
1. One-way hash functions based on strong cryptography – converts the
entire PAN into a unique, fixed-length cryptographic value.
2. Truncation – permanently removes a segment of the data (for example, retaining
only the last four digits).
3. Index tokens and securely stored pads – encryption algorithm that combines
sensitive plain text data with a random key or “pad” that works only once.
4. Strong cryptography – with associated key management processes and
procedures. Refer to the PCI DSS and PA-DSS Glossary of Terms, Abbreviations and
Acronyms for the definition of “strong cryptography.”
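The two passages above, the warning that stored full track data lets an attacker clone cards and the four guideline methods for rendering a stored PAN unreadable, are what a PCI-focused pentester spends most of a data-discovery phase on. The following Python is an added example written for this page, not code from the presentation or from the presenter's company. The first part scans text for Track 1/Track 2 records, loose PANs and card-verification values, using the ISO 7813 track layouts (assumed here; the slides do not spell them out) and a constructed sample log. The second part implements truncation, a keyed one-way hash and an index-token vault from the guidelines, then shows why the hash must be keyed: with an unkeyed SHA-256 stored next to a truncated copy of the same PAN, the BIN and last four digits leave only about 100k Luhn-valid candidates to try, which is the correlation that PCI DSS Requirement 3 tells you to prevent and that PCI DSS v4.0 closes by requiring keyed hashes. Strong cryptography with key management (method 4) is left out because the standard library has no AES, and the vault is an in-memory stand-in for a real tokenisation service.

```python
"""Cardholder-data discovery and storage helpers (added example, stdlib only)."""
import hashlib
import hmac
import re
import secrets

# Track layouts follow ISO 7813 (assumed here; the deck does not spell them out):
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})([^?]*)\?")
# Loose PAN: 13-19 digits, optionally space/dash separated, not inside a longer digit run.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Card verification values, which must never be retained after authorisation.
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cav2|cid)\s*[=:]\s*\d{3,4}", re.IGNORECASE)

# Constructed sample log (not real data); 4111... and 5555... are public test PANs.
SAMPLE_LOG = """\
2015-06-17 10:01:02 POS01 AUTH ok order=1234567812345678 amount=49.99
2015-06-17 10:01:03 POS01 DEBUG swipe=%B4111111111111111^DOE/JOHN^25121011234567890?
2015-06-17 10:01:03 POS01 DEBUG track2=;5555555555554444=25121011234567890?
2015-06-17 10:02:10 WEB01 checkout pan=4111 1111 1111 1111 exp=12/25 cvv=123
"""

def luhn_ok(digits: str) -> bool:
    """Luhn check digit test; weeds out order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Display masking for the report: at most first six and last four digits shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan(text: str) -> list:
    """Find full track data, loose PANs and CVVs; one dict per finding, in line order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        track_spans = []
        for kind, rx, exp_group in (("track1", TRACK1_RE, 3), ("track2", TRACK2_RE, 2)):
            for m in rx.finditer(line):
                track_spans.append(m.span())
                findings.append({"line": lineno, "type": kind,
                                 "pan": mask_pan(m.group(1)), "expiry": m.group(exp_group)})
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if any(a <= m.start() < b for a, b in track_spans) or not luhn_ok(digits):
                continue                # part of a track already reported, or not a PAN
            findings.append({"line": lineno, "type": "pan", "pan": mask_pan(digits)})
        for m in CVV_RE.finditer(line):
            findings.append({"line": lineno, "type": "cvv", "pan": None})
    return findings

# --- Rendering a stored PAN unreadable: three of the four guideline methods ---
def truncate_pan(pan: str) -> str:
    """Truncation: only the last four digits survive; the rest is not recoverable."""
    return pan[-4:]

def keyed_hash_pan(pan: str, key: bytes) -> str:
    """One-way hash of the entire PAN, keyed (HMAC) so the digest alone is useless."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()

def unkeyed_hash_pan(pan: str) -> str:
    return hashlib.sha256(pan.encode()).hexdigest()   # the weak variant, attacked below

class TokenVault:
    """Index token: a random token replaces the PAN; the mapping exists only in the
    vault (an in-memory dict here, standing in for a protected tokenisation service)."""
    def __init__(self):
        self._pans = {}

    def tokenize(self, pan: str) -> str:
        token = secrets.token_hex(8)    # random, so the token reveals nothing about the PAN
        self._pans[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._pans[token]

def recover_from_unkeyed_hash(digest_hex: str, bin6: str, last4: str) -> str:
    """Why a truncated PAN and an unkeyed hash of it must not coexist: with the BIN and
    last four known, a 16-digit PAN has six unknown digits, Luhn leaves ~100k candidates
    and each costs one SHA-256.  Returns the recovered PAN, or '' if none matches."""
    for n in range(1_000_000):
        cand = f"{bin6}{n:06d}{last4}"
        if luhn_ok(cand) and unkeyed_hash_pan(cand) == digest_hex:
            return cand
    return ""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
    pan = "4111111111111111"
    print(truncate_pan(pan), keyed_hash_pan(pan, secrets.token_bytes(32)))
    vault = TokenVault()
    print(vault.detokenize(vault.tokenize(pan)) == pan)
    print(recover_from_unkeyed_hash(unkeyed_hash_pan(pan), pan[:6], pan[-4:]))
```

Run it directly to see the four findings from the sample log (a Track 1 swipe, a Track 2 record, a loose PAN and a CVV; the order number on the first line is rejected by the Luhn check) followed by the PAN recovered from its unkeyed hash. The findings carry only masked PANs so the scanner's own output does not become another copy of cardholder data in scope. In a real engagement the same scan is pointed at database dumps, memory captures and backups, not just logs.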
The PCI Data Security Standard
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for employees and contractors
Six Goals, Twelve Requirements
Other PCI Standards
PIN Transaction (PTS) Security Requirements: Objectives
• Objective 1 : PINs used in transactions governed by these
requirements are processed using equipment and methodologies
that ensure they are kept secure.
• Objective 2 : Cryptographic keys used for PIN
encryption/decryption and related key management are created
using processes that ensure that it is not possible to predict any key
or determine that certain keys are more probable than other keys.
• Objective 3 : Keys are conveyed or transmitted in a secure
manner.
PIN Transaction (PTS) Security Requirements: Objectives (cont.)
• Objective 4 : Key-loading to hosts and PIN entry devices is
handled in a secure manner.
• Objective 5 : Keys are used in a manner that prevents or detects
their unauthorized usage.
• Objective 6 : Keys are administered in a secure manner.
• Objective 7 : Equipment used to process PINs and keys is
managed in a secure manner.
PA-DSS Requirements
• Requirement 1 : Do not retain full magnetic stripe, card
verification code or value (CAV2, CID, CVC2, CVV2), or PIN
block data
• Requirement 2 : Protect stored cardholder data
• Requirement 3 : Provide secure authentication features
• Requirement 4 : Log payment application activity
• Requirement 5 : Develop secure payment applications
• Requirement 6 : Protect wireless transmissions
• Requirement 7 : Test payment applications to address
vulnerabilities
• Requirement 8 : Facilitate secure network implementation
• Requirement 9 : Cardholder data must never be stored on
a server connected to the Internet
PA-DSS Requirements (cont.)
• Requirement 10 : Facilitate secure remote access to
payment application
• Requirement 11 : Encrypt sensitive traffic over public
networks
• Requirement 12 : Encrypt all non-console administrative
access
• Requirement 13 : Maintain instructional documentation
and training programs for customers, resellers, and
integrators
NETWORK INTELLIGENCE INDIA PVT. LTD. AN ISO/IEC 27001:2005 CERTIFIED COMPANY
Thank you!
Questions / Queries
Web http://www.niiconsulting.com
Email [email protected]
Tel +91-22-2839-2628
+91-22-4005-2628
Fax +91-22-2837-5454