Transcript
Page 1: Wow Such PCI Compliance

WOW SUCH PCI COMPLIANCE
Very card, wow security wow

PHILLIP JACKSON
LEAD MAGENTO ARCHITECT, SOMETHING DIGITAL

1 — ©2015 Philwinkle LLC Meet Magento Spain 2015

Page 2: Wow Such PCI Compliance

@PHILWINKLE
GITHUB.COM/PHILWINKLE


Page 3: Wow Such PCI Compliance

@MAGETALK


Page 4: Wow Such PCI Compliance

PCI MYTHS

Page 5: Wow Such PCI Compliance

1. IF I don't store CREDIT CARDS PCI doesn't apply


Page 6: Wow Such PCI Compliance

FALSE

Page 7: Wow Such PCI Compliance

The only way to avoid PCI compliance is to transfer the risk entirely to someone else ... where credit card information never traverses your own servers [1]

-- Focus on PCI

[1] http://www.focusonpci.com/site/index.php/articles/pci-misconceptions.html

Page 8: Wow Such PCI Compliance

2. MAGENTO IS PCI COMPLIANT, SO THEREFORE I'm PCI compliant

Page 9: Wow Such PCI Compliance

FALSE (kinda)

Page 10: Wow Such PCI Compliance

MAGENTO IS PCI DSS COMPLIANT ONLY WHEN USED IN CONJUNCTION WITH SECURE PAYMENT BRIDGE [2]

[2] http://magento.com/resources/pci

Page 11: Wow Such PCI Compliance

WHY ISN'T MAGENTO ITSELF PCI COMPLIANT?

▸ Magento is monolithic
▸ Swift update deployment
▸ Limit the scope of feature impact
▸ $$$$

Page 12: Wow Such PCI Compliance

3. I AM IN THE EU/AUS/ANTARCTICA AND I DON'T NEED TO ABIDE BY PCI

Page 13: Wow Such PCI Compliance

FALSE

Page 14: Wow Such PCI Compliance

YOU CAN'T UN-HACK YOUR SITE


Page 15: Wow Such PCI Compliance


Page 16: Wow Such PCI Compliance


Page 17: Wow Such PCI Compliance

HOW LONG UNTIL A DEFAULT MAGENTO CE 1.9.0.0 IS hacked?

Page 18: Wow Such PCI Compliance

18 MINUTES

Page 19: Wow Such PCI Compliance


Page 20: Wow Such PCI Compliance

COMMON PCI FAILURES


Page 21: Wow Such PCI Compliance

DO YOU USE 3rd party MODULES?


Page 22: Wow Such PCI Compliance

DO YOU USE SOURCE CONTROL FOR DEPLOYMENTS?

CHECK YOURSITE.COM/.GIT AND YOURSITE.COM/VAR RIGHT AWAY
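The check on this slide, as an added example (not code from the slides or from any Magento tooling): a small Python script that probes a site you operate for a web-reachable .git/ directory and Magento var/ directory. It assumes a default Magento 1 layout with var/ under the web root; the probed paths, the content markers, and the script name are this example's own choices. A plain HTTP 200 is deliberately not treated as exposure, because many Magento installs answer unknown URLs with a CMS "not found" page and status 200.

```python
"""Probe a site you operate for a web-reachable .git/ directory and Magento
var/ directory (the check recommended on the slide).

Added example, not part of the original slides or of any Magento tooling.
Assumes a default Magento 1 layout with var/ under the web root; the probed
paths and the content markers below are this example's own choices."""
import re
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass

_HEX40 = re.compile(r"^[0-9a-f]{40}$")


def _looks_like_git_head(body: str) -> bool:
    """A served .git/HEAD is either 'ref: refs/heads/...' or a bare commit id."""
    text = body.strip()
    return text.startswith("ref: ") or bool(_HEX40.match(text))


def _looks_like_git_config(body: str) -> bool:
    return "[core]" in body


def _looks_like_listing(body: str) -> bool:
    """Autoindex pages from Apache and nginx both carry an 'Index of' title."""
    return "Index of" in body


# Path -> predicate that says whether the response body is the real artifact.
# A 200 alone is not enough: many Magento setups answer unknown URLs with a
# CMS "not found" page and HTTP 200, which must not count as exposure.
PROBES = {
    "/.git/HEAD": _looks_like_git_head,
    "/.git/config": _looks_like_git_config,
    "/var/": _looks_like_listing,
    "/var/log/": _looks_like_listing,
}


@dataclass
class Finding:
    path: str
    status: int
    exposed: bool
    reason: str


def classify(path: str, status: int, body: str) -> Finding:
    """Turn one probe's HTTP status and body into a verdict.

    200 + expected marker  -> exposed
    200 without marker     -> soft 404 / application route, not exposed
    403                    -> present but blocked at the web server (desired)
    anything else          -> not served
    """
    if status == 200 and PROBES[path](body):
        return Finding(path, status, True, "artifact served to anonymous clients")
    if status == 200:
        return Finding(path, status, False, "200 without marker (soft 404 or app route)")
    if status == 403:
        return Finding(path, status, False, "blocked by web server (403)")
    return Finding(path, status, False, f"not served (HTTP {status})")


def fetch(base_url: str, path: str, timeout: float = 10.0):
    """GET base_url+path; returns (status, first 4 KiB of body). 0 = no reply."""
    url = base_url.rstrip("/") + path
    req = urllib.request.Request(url, headers={"User-Agent": "exposure-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:          # 403/404/500 land here
        return err.code, ""
    except urllib.error.URLError:                  # DNS/TLS/connection failure
        return 0, ""


def check_site(base_url: str, fetcher=fetch) -> list:
    """Run every probe against base_url; fetcher is injectable for offline tests."""
    return [classify(path, *fetcher(base_url, path)) for path in PROBES]


if __name__ == "__main__":
    # usage: python exposure_check.py https://www.example.com
    findings = check_site(sys.argv[1])
    for f in findings:
        print(("EXPOSED" if f.exposed else "ok     "), f"{f.path:<13}", f.reason)
    sys.exit(1 if any(f.exposed for f in findings) else 0)
```

An EXPOSED line for .git/ means the deployment checkout itself is in the web root and readable, including history and any credentials ever committed; the fix is to deny those paths in the web server configuration or deploy from a checkout outside the web root. A 403 on var/ is the expected state: Magento 1 ships an .htaccess in var/ that Apache honours and nginx does not, so an nginx install needs an explicit deny rule for it.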


Page 23: Wow Such PCI Compliance

WHAT HAPPENS IF an employee TAKES A CREDIT CARD OVER THE PHONE?

Page 24: Wow Such PCI Compliance

DO YOU HAVE WIFI? I BET YOU DO.


Page 25: Wow Such PCI Compliance

WHEN WAS YOUR LAST SECURITY SCAN?


Page 26: Wow Such PCI Compliance

WHAT IS YOUR LOG RETENTION POLICY, AND IS IT STORED offsite, AND FOR how long?

Page 27: Wow Such PCI Compliance

WHAT IS YOUR PASSWORD POLICY?


Page 28: Wow Such PCI Compliance

WHAT DO YOU DO IN CASE OF A DATA BREACH?


Page 29: Wow Such PCI Compliance

WHAT IS YOUR BACKUP STRATEGY?


Page 30: Wow Such PCI Compliance

DO YOU HAVE A STAGING ENVIRONMENT?


Page 31: Wow Such PCI Compliance

DO YOU HAVE SEPARATE DEVELOPMENT ENVIRONMENTS?

Page 32: Wow Such PCI Compliance

DO YOU COPY LIVE CUSTOMER DATA TO YOUR DEVELOPMENT OR STAGING ENVIRONMENTS?


Page 33: Wow Such PCI Compliance

ARE YOU SCARED YET?

Page 34: Wow Such PCI Compliance

HOW DO I GET COMPLIANT?


Page 35: Wow Such PCI Compliance

CONVENIENT 12-STEP PROGRAM


Page 36: Wow Such PCI Compliance

BUILD AND Maintain A SECURE NETWORK

1. Install and maintain a firewall
2. Do not use vendor-supplied defaults

Page 37: Wow Such PCI Compliance

PROTECT CARDHOLDER DATA

1. Protect stored cardholder data
2. Encrypt transmission of cardholder data

Page 38: Wow Such PCI Compliance

MAINTAIN A VULNERABILITY MANAGEMENT PROGRAM

1. Use and regularly update anti-virus software
2. Develop and maintain secure systems and applications

Page 39: Wow Such PCI Compliance

YES, AUDITORS WILL REQUIRE AV ON PRODUCTION HARDWARE


Page 40: Wow Such PCI Compliance

YES THIS IS DUMB
LOOK INTO THESE: CLAMAV (FREE), SOPHOS (INEXPENSIVE)

Page 41: Wow Such PCI Compliance

TO DEVELOP SECURE SYSTEMS


Page 42: Wow Such PCI Compliance

TOOLS TO ASSIST IN SECURE CODE DELIVERY

▸ FOSS tools [3]
▸ RIPS for PHP
▸ SQLmap
▸ OWASP Xenotix XSS Exploit Framework

[3] http://www.isaca.org/Groups/Professional-English/pci-compliance/GroupDocuments/Meet%20PCI%20DSS%20Requirements%20with%20FOSS.pdf

Page 43: Wow Such PCI Compliance

IMPLEMENT STRONG ACCESS CONTROL MEASURES

1. Restrict employee access to cardholder data
2. Assign a unique ID to each person
3. Restrict physical access

Page 44: Wow Such PCI Compliance

REGULARLY MONITOR AND TEST NETWORKS

1. Track and monitor all access to network resources and cardholder data

2. Regularly test security systems and processes


Page 45: Wow Such PCI Compliance

MAINTAIN AN INFORMATION SECURITY POLICY

1. Maintain a policy that addresses information security

SAMPLE POLICIES AVAILABLE ONLINE [4][5]

[4] https://www.dmoz.org/Computers/Security/Policy/Sample_Policies/
[5] https://github.com/catalyzeio/policies

Page 46: Wow Such PCI Compliance

FREEDOM

Page 47: Wow Such PCI Compliance

CONCLUSION

Page 48: Wow Such PCI Compliance

THIS SOUNDS HARD

Page 49: Wow Such PCI Compliance

LET'S MAKE IT EASIER

Page 50: Wow Such PCI Compliance

WAYS WE CAN contribute AS A COMMUNITY

▸ Security Stackexchange
▸ Magento Stackexchange
▸ Magento Subreddit (r/magento)

Page 51: Wow Such PCI Compliance

WAYS WE CAN stay secure

▸ OWASP mailing list
▸ Magento security mailing list
▸ Managed hosting
▸ Policy reminders

Page 52: Wow Such PCI Compliance

PERFORM AN ASSESSMENT


Page 53: Wow Such PCI Compliance

MAGENTO ECG CODING STANDARD

▸ anywhere you see $_GET, be scared
▸ anywhere you see direct SQL, be scared

Page 54: Wow Such PCI Compliance

RUN MAGEREPORT

▸ Byte.nl
▸ Scans for patch vulnerability and other issues

Page 55: Wow Such PCI Compliance

THANK YOU!
SOMETHINGDIGITAL.COM

@PHILWINKLE
GITHUB.COM/PHILWINKLE

