Posted on 15-Jun-2020
How Not to FAIL At
PCI Compliance
Chris Wells, CEO - Nexcess
PCI-DSS is a good thing
PCI-DSS is a minimum security standard for handling cardholder data
PCI provides a framework for merchants to understand basic security best-practices
PCI-DSS consists of 12 core requirements spanning 6 categories
That sounds manageable…
The 12 core PCI requirements have over 220 sub-requirements
These requirements span all industries and permutations of possible environments
Maintaining PCI compliance is hard
“…no compromised entity has yet been found to be in compliance with PCI-DSS at the time of a breach”
Ellen Richey, Chief Enterprise Risk Officer at Visa Inc.
Notable Breaches
• 2007: Hannaford Brothers Co
– 4 million card details exposed
• 2007: Heartland Payment Systems
– 130 million card details exposed
• 2013: Target Corp.
– 110 million card details exposed
• Many, many others
Every one had been formally assessed and complied with PCI-DSS during assessment
PCI-DSS is NOT set-it-and-forget-it
PCI requires consistent and dedicated effort (i.e. PCI is a daily grind)
PCI requires a partnership between merchant and vendor
Nexcess is assessed annually for all locations on PCI
But that’s simply not enough…
The “problem” of scope
1.1: Establish and implement firewall and router configuration standards
8.2.4: Change user passwords/passphrases at least once every 90 days.
12.1: Establish, publish, maintain, and disseminate a security policy.
9.1: Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.
Magento code/admin access can pull merchants directly into scope
PCI compliance can be confusing
Common PCI merchant oversights
Employee / On-premises Oversights
• Install personal firewalls for outside access (1.4)
• Documented approval process for access (7.1.4)
• Deploy anti-virus software (5.1)
• Ensure anti-virus definitions are current (5.2)
• Enforce “need-to-know” access only (7.2)
Magento Admin Oversights
• Users must have unique usernames (8.1.1)
• 15 minute session expiration (8.1.8)
• Two-factor authentication (8.3)
• Passwords must be sufficiently complex (8.2.3)
• Change passwords every 90 days (8.2.4)
• No password re-use (8.2.5)
• Have policies in place for authentication
Magento Deployment Oversights
• Audit custom code prior to release (6.3.2)
– This means extensions too!!
• Separation of dev/prod environments (6.4.1)
• Separation of dev/prod duties (6.4.2)
• Don’t use live (customer) data for testing (6.4.3)
• Documented change procedures for patches
– Documentation of approval (6.4.5.2)
– Pre-release security/functionality testing (6.4.5.3)
How Not to FAIL at PCI Compliance
1) Don’t store credit card data (CC #, PIN, CVV, stripe/chip contents, etc.)
2) Accept that PCI is an on-going process
3) Read the PCI-DSS requirements document (implement everything you can)
4) Assume 100% responsibility for PCI (then work with vendors to define actual scope)
5) Get used to asking “does this affect PCI?”
6) Document everything
7) Ask for an AOC (Attestation of Compliance) from critical vendors
Do I need to get formally assessed?
PCI Merchant Levels
• Level 4: < 20k e-commerce trans/year, < 1M non-e-commerce trans/year
• Level 3: 20k to 1M e-commerce transactions / year
• Level 2: 1M to 6M transactions / year
• Level 1: > 6M transactions / year
– Or if Visa says so for Visa’s own protection
– 3rd party on-site assessment required!
Questions?