How Not to FAIL At
PCI Compliance

Chris Wells, CEO - Nexcess

PCI-DSS is a good thing

PCI-DSS is a minimum security standard for handling cardholder data

PCI provides a framework for merchants to understand basic security best practices

PCI-DSS consists of 12 core requirements spanning 6 categories

That sounds manageable…

The 12 core PCI requirements have over 220 sub-requirements

These requirements span all industries and permutations of possible environments

Maintaining PCI compliance is hard

“…no compromised entity has yet been found to be in compliance with PCI-DSS at the time of a breach”
Ellen Richey, Chief Enterprise Risk Officer at Visa Inc.

Notable Breaches
• 2007: Hannaford Brothers Co
– 4 million card details exposed
• 2007: Heartland Payment Systems
– 130 million card details exposed
• 2013: Target Corp.
– 110 million card details exposed
• Many, many others

Every one had been formally assessed and complied with PCI-DSS during assessment

PCI-DSS is NOT set-it-and-forget-it

PCI requires consistent and dedicated effort (i.e. PCI is a daily grind)

PCI requires a partnership between merchant and vendor

Nexcess is assessed annually for PCI at all locations

But that’s simply not enough…

The “problem” of scope

1.1: Establish and implement firewall and router configuration standards

8.2.4: Change user passwords/passphrases at least once every 90 days.

12.1: Establish, publish, maintain, and disseminate a security policy.

9.1: Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.

Magento code/admin access can pull merchants directly into scope

PCI compliance can be confusing

Common PCI merchant oversights

Employee / On-premises Oversights
• Install personal firewalls for outside access (1.4)
• Documented approval process for access (7.1.4)
• Deploy anti-virus software (5.1)
• Ensure anti-virus definitions are current (5.2)
• Enforce “need-to-know” access only (7.2)

Magento Admin Oversights
• Users must have unique usernames (8.1.1)
• 15-minute session expiration (8.1.8)
• Two-factor authentication (8.3)
• Passwords must be sufficiently complex (8.2.3)
• Change passwords every 90 days (8.2.4)
• No password re-use (8.2.5)
• Have policies in place for authentication
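The admin controls on this slide are normally switched on in the Magento admin configuration, but the logic behind them is small enough to show end to end. The following is an added example, not code from the talk, Nexcess or Magento: the class and function names are invented here, and the thresholds it enforces (at least 7 characters with both letters and digits for 8.2.3, 90 days for 8.2.4, the last four passwords for 8.2.5, 15 idle minutes for 8.1.8, case-insensitive unique usernames for 8.1.1) are the values the PCI-DSS v3.x text gives for those requirements. Two-factor authentication (8.3) is out of scope for this snippet.

```python
"""Admin credential and session policy checks for the controls on the slide.
Added example, not Nexcess's or Magento's code: names are invented here and the
thresholds are those PCI-DSS v3.x states for the cited requirements."""
import functools
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

MIN_LENGTH = 7                         # 8.2.3: at least seven characters
MAX_PASSWORD_AGE = timedelta(days=90)  # 8.2.4: change at least every 90 days
PASSWORD_HISTORY = 4                   # 8.2.5: no reuse of the last four
IDLE_TIMEOUT = timedelta(minutes=15)   # 8.1.8: re-authenticate after 15 idle minutes


class PolicyViolation(Exception):
    """Raised when an operation would break one of the listed controls."""


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 digest; only digests are kept, never the cleartext."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def complexity_problems(password: str) -> List[str]:
    """8.2.3: minimum length plus both alphabetic and numeric characters."""
    checks = [
        (len(password) < MIN_LENGTH, f"shorter than {MIN_LENGTH} characters"),
        (not any(c.isalpha() for c in password), "no alphabetic character"),
        (not any(c.isdigit() for c in password), "no numeric character"),
    ]
    return [message for failed, message in checks if failed]


@dataclass
class AdminUser:
    username: str
    password_set_at: datetime
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # last entry = current
    last_activity: Optional[datetime] = None


def set_password(user: AdminUser, new_password: str, now: datetime) -> None:
    """Enforce 8.2.3 and 8.2.5 before accepting a new admin password."""
    problems = complexity_problems(new_password)
    if problems:
        raise PolicyViolation("8.2.3: " + ", ".join(problems))
    for salt, digest in user.history[-PASSWORD_HISTORY:]:
        if hmac.compare_digest(hash_password(new_password, salt)[1], digest):
            raise PolicyViolation(f"8.2.5: matches one of the last {PASSWORD_HISTORY} passwords")
    user.history = (user.history + [hash_password(new_password)])[-PASSWORD_HISTORY:]
    user.password_set_at = now


def password_expired(user: AdminUser, now: datetime) -> bool:
    """8.2.4: the current password must be replaced once it is older than 90 days."""
    return now - user.password_set_at > MAX_PASSWORD_AGE


def touch_session(user: AdminUser, now: datetime) -> bool:
    """8.1.8: refresh a live session; after more than 15 idle minutes drop it and return False."""
    alive = user.last_activity is None or now - user.last_activity <= IDLE_TIMEOUT
    user.last_activity = now if alive else None
    return alive


def create_user(users: Dict[str, AdminUser], username: str, password: str, now: datetime) -> AdminUser:
    """8.1.1: one account per person; usernames are unique ignoring case."""
    key = username.strip().lower()
    if key in users:
        raise PolicyViolation(f"8.1.1: username {username!r} already exists")
    user = AdminUser(username=username, password_set_at=now)
    set_password(user, password, now)  # a weak password never creates an account
    users[key] = user
    return user


def _raises(action) -> bool:
    try:
        action()
    except PolicyViolation:
        return True
    return False


@functools.lru_cache(maxsize=None)  # cached so repeated calls do not redo the PBKDF2 work
def demo() -> dict:
    """Exercise each control with constructed data and collect the outcomes."""
    t0 = datetime(2024, 1, 1, 9, 0)
    users, results = {}, {}
    alice = create_user(users, "alice", "Spring2024x", t0)
    results["weak_problems"] = complexity_problems("short")
    results["dup_rejected"] = _raises(lambda: create_user(users, "Alice", "Other2024x", t0))
    results["reuse_rejected"] = _raises(lambda: set_password(alice, "Spring2024x", t0))
    for pw in ("Second2x", "Third3x", "Fourth4x", "Fifth5x"):  # four rotations later...
        set_password(alice, pw, t0)
    results["oldest_reusable"] = not _raises(lambda: set_password(alice, "Spring2024x", t0))
    results["expired_at_91d"] = password_expired(alice, t0 + timedelta(days=91))
    results["fresh_at_30d"] = password_expired(alice, t0 + timedelta(days=30))
    results["session_ok"] = touch_session(alice, t0)
    results["session_after_16min"] = touch_session(alice, t0 + timedelta(minutes=16))
    return results
```

`demo()` walks through every control once: a duplicate username differing only in case is refused, a five-character password is reported as too short and lacking a digit, an immediate re-use is refused but the same password is accepted again after four rotations have pushed it out of the history window, a 91-day-old password is flagged while a 30-day-old one is not, and a session touched after 16 idle minutes is dropped. The 8.2.5 comparison is done against stored salted digests with a constant-time compare, so the history never holds old passwords in cleartext.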

Magento Deployment Oversights
• Audit custom code prior to release (6.3.2)
– This means extensions too!!
• Separation of dev/prod environments (6.4.1)
• Separation of dev/prod duties (6.4.2)
• Don’t use live (customer) data for testing (6.4.3)
• Documented change procedures for patches
– Documentation of approval (6.4.5.2)
– Pre-release security/functionality testing (6.4.5.3)

How Not to FAIL at PCI Compliance

1) Don’t store credit card data (CC #, PIN, CVV, stripe/chip contents etc.)

2) Accept that PCI is an ongoing process

3) Read the PCI-DSS requirements document (implement everything you can)

4) Assume 100% responsibility for PCI (then work with vendors to define actual scope)

5) Get used to asking “does this affect PCI?”

6) Document everything

7) Ask for an AOC (Attestation of Compliance) from critical vendors
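Point 1 above (never store card numbers, PINs, CVVs or stripe/chip contents) and the deployment slide's 6.4.3 (no live customer data in test) come down to the same practical question: is there cardholder data in this text, and can it be masked before the text is stored or copied somewhere it does not belong? The following is an added example, not code from the talk or from Magento: the candidate pattern, the Luhn filter, the function names and the sample lines are all constructed here, and the card numbers in the samples are well-known test numbers, not real accounts.

```python
"""Find and mask primary account numbers (PANs) and CVV/PIN values in text such
as application log lines or database exports. Added example, not the talk's or
Magento's code: the pattern, the Luhn filter and the samples are constructed here."""
import re
from typing import List, Tuple

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# key=value pairs that must never be written in cleartext (slide: PIN, CVV).
SENSITIVE_KV = re.compile(r"\b(cvv2?|cvc|pin)(\s*[=:]\s*)(\d{3,4})\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn check: weeds out order ids and timestamps that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[Tuple[int, int, str]]:
    """Return (start, end, digits) for every Luhn-valid candidate in text."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append((m.start(), m.end(), digits))
    return found


def _mask_match(m) -> str:
    """Keep the separators and the last four digits; star out everything else."""
    raw = m.group(0)
    digits = re.sub(r"\D", "", raw)
    if not (13 <= len(digits) <= 19 and luhn_ok(digits)):
        return raw  # not a PAN, leave the text untouched
    out, seen = [], 0
    for ch in reversed(raw):
        if ch.isdigit():
            seen += 1
            out.append(ch if seen <= 4 else "*")
        else:
            out.append(ch)
    return "".join(reversed(out))


def mask_pans(text: str) -> str:
    """Mask PANs and CVV/PIN values so a line is safe to store or copy to dev/test."""
    text = PAN_CANDIDATE.sub(_mask_match, text)
    return SENSITIVE_KV.sub(lambda m: m.group(1) + m.group(2) + "*" * len(m.group(3)), text)


def scan_lines(lines) -> List[Tuple[int, int]]:
    """(1-based line number, PAN count) for every line that contains a PAN."""
    hits = []
    for n, line in enumerate(lines, start=1):
        count = len(find_pans(line))
        if count:
            hits.append((n, count))
    return hits


# Constructed sample lines; the 4111... and 4242... values are test numbers.
SAMPLE_LOG = [
    "order=1234567812345678 status=paid",                                  # fails Luhn: not a PAN
    "DEBUG gateway request: card=4111 1111 1111 1111 exp=12/27 cvv=123",  # PAN plus CVV
    "ts=1700000000000000 user=alice",                                      # timestamp, fails Luhn
    'customer note: "use 4242-4242-4242-4242 next time"',                  # PAN in free text
]

if __name__ == "__main__":
    print(scan_lines(SAMPLE_LOG))  # [(2, 1), (4, 1)]
    for line in SAMPLE_LOG:
        print(mask_pans(line))
```

Run over the samples, `scan_lines` reports only lines 2 and 4: the 16-digit order id and the timestamp are the same shape as a card number but fail the Luhn check, so they are neither counted nor altered. A Luhn pass is not proof of a card number either, so treat hits from a full log or export scan as leads for review. Masking is the backstop for data that has already leaked into a log or a copy of the database; the slide's point 1 is that the PAN, PIN and CVV should not have been written there in the first place.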

Do I need to get formally assessed?

PCI Merchant Levels
• Level 4: < 20k e-commerce transactions/year; < 1M non-e-commerce transactions/year
• Level 3: 20k to 1M e-commerce transactions/year
• Level 2: 1M to 6M transactions/year
• Level 1: > 6M transactions/year
– Or if Visa says so for Visa’s own protection
– 3rd-party on-site assessment required!

Questions?