How Not to FAIL At

PCI Compliance

Chris WellsCEO - Nexcess

PCI-DSS is a good thing

PCI-DSS is a minimum security standard for

handling cardholder data

PCI provides a framework for merchants to

understand basic security best-practices

PCI-DSS consists of 12 core requirements

spanning 6 categories

That sound manageable…

The 12 core PCI requirements have over

220 sub-requirements

These requirements span all industries and

permutations of possible environments

Maintaining PCI compliance is hard

“…no compromised entity has yet been

found to be in compliance with PCI-DSS at

the time of a breach”

Ellen Richey

Chief Enterprise Risk Officer at Visa Inc.

Notable Breaches

• 2007: Hannaford Brothers Co

– 4 million card details exposed

• 2007: Heartland Payment Systems

– 130 million card details exposed

• 2013: Target Corp.

– 110 million card details exposed

• Many, many others

Every one had been formally assessed and

complied with PCI-DSS during assessment

PCI-DSS is NOT set-it-and-forget-it

PCI requires consistent and dedicated effort(i.e. PCI is a daily grind)

PCI requires a partnership between

merchant and vendor

Nexcess is assessed annually for all

locations on PCI

But that’s simply not enough…

The “problem” of scope

1.1: Establish and implement firewall and

router configuration standards

8.2.4: Change user passwords/passphrases

at least once every 90 days.

12.1: Establish, publish, maintain, and

disseminate a security policy.

9.1: Use appropriate facility entry controls to

limit and monitor physical access to

systems in the cardholder data

environment.

Magento code/admin access can pull

merchants directly into scope

1.1: Establish and implement firewall and

router configuration standards

8.2.4: Change user passwords/passphrases

at least once every 90 days.

12.1: Establish, publish, maintain, and

disseminate a security policy.

9.1: Use appropriate facility entry controls to

limit and monitor physical access to

systems in the cardholder data

environment.

PCI compliance can be confusing

Common PCI merchant oversights

Employee / On-premises Oversights

• Install personal firewalls for outside access (1.4)

• Documented approval process for access (7.1.4)

• Deploy anti-virus software (5.1)

• Ensure anti-virus definitions are current (5.2)

• Enforce “need-to-know” access only (7.2)

Magento Admin Oversights

• Users must have unique usernames (8.1.1)

• 15 minute session expiration (8.1.8)

• Two-factor authentication (8.3)

• Passwords must be sufficiently complex (8.2.3)

• Change passwords every 90 days (8.2.4)

• No password re-use (8.2.5)

• Have policies in place for authentication

Magento Deployment Oversights

• Audit custom code prior to release (6.3.2)

– This means extensions too!!

• Separation of dev/prod environments (6.4.1)

• Separation of dev/prod duties (6.4.2)

• Don’t use live (customer) data for testing (6.4.3)

• Documented change procedures for patches

– Documentation of approval (6.4.5.2)

– Pre-release security/functionality testing (6.4.5.3)

How Not to FAIL at PCI Compliance

1) Don’t store credit card data(CC #, PIN, CVV, stripe/chip contents etc)

2) Accept that PCI is an on-going process

3) Read the PCI-DSS requirements document(implement everything you can)

4) Assume 100% responsibility for PCI(then work with vendors to define actual scope)

5) Get used to asking “does this affect PCI?”

6) Document everything

7) Ask for an AOC (Attestation of Compliance)

from critical vendors

Do I need to get formally assessed?

PCI Merchant Levels

• Level 4: < 20k e-commerce trans/year

< 1M non e-commerce trans/year

• Level 3: 20k => 1M e-commerce transactions /

year

• Level 2: 1M => 6M transactions / year

• Level 1: > 6M transactions / year

– Or if Visa says so for Visa’s own protection

– 3rd party on-site assessment required!

Questions?