labs.fusionlink.com pcianswers.com
PCI-DSS was created by the major CC companies to protect CC info. See pcisecuritystandards.org; the actual doc is only 16 pages.
PCI compliance is Pass/Fail: either you have it 100% or you have nothing.
Applies to any company that processes, transmits, or stores CC info, web or brick and mortar. It is enforced by the merchant account issuer.
Non-compliance can result in fines of $90-$500 per card exposed, plus reimbursement of fees incurred from the breach. This is enforced through the contract you sign when you obtain your merchant account. You need liability insurance if you do any CC work.
Other state or federal laws that might apply:
- Basel II
- Gramm-Leach-Bliley Act
- Health Insurance Portability Act
- Sarbanes-Oxley
- California Bill AB 779

Merchant Levels
- Level 1 - Over 6 million transactions
- Level 2 - 1 to 6 million
- Level 3 - 20,000 to 1 million
- Level 4 - Less than 20,000

Rules for each level are slightly different. The levels are not set in stone.
Level 4 merchants are supposed to do a self-audit annually with sign-off from a CTO-level person.
What is in PCI-DSS? 6 logical areas with 12 requirements
Maintain a secure network
- Install and maintain a firewall
- Document the list of services and ports used
- Have a formal process for approving and testing external connections
- Quarterly review of firewall and router rule sets
- Firewall should deny all traffic other than what is explicitly allowed
- DB servers must be segregated from the DMZ
- Personal firewall software needs to be on mobile devices with access to the network
Maintain a Secure Network
- Do not use default passwords
- Eliminate unnecessary accounts
- Only 1 primary function per server (web, db, dns, etc.)
- Disable all unnecessary scripts, drivers, features
- Encrypt all data moving in and out of the server (SSH, SFTP, etc.)
Protect Cardholder Data
- Keep card storage to a minimum (e.g., keep it only as long as a 30-day money-back guarantee requires)
- Do not store the CC verification number! Never
- Do not store the card's PIN
- Mask the PAN when displayed, for example only show the last 4 digits
- Encrypt the PAN when it is stored (PAN is the actual card number); use industry-standard encryption
- Encrypt transmission of cardholder data across networks (SSL, etc.)
- Never send PANs via email (unencrypted)
Maintain a Vulnerability Management Program
- Update virus software and make sure it's good stuff
- Everything needs to be logged
- Develop and maintain secure systems and apps
- All software needs to have the latest patches (within a month of release)
- Maintain separate dev, test, and production environments
- Live PANs cannot be used for testing
- Code must be reviewed for vulnerabilities before going live
Regarding ColdFusion
Cover these common coding vulnerabilities:
- Unvalidated input
- Broken access control
- Broken authentication and session management (use of session cookies)
- Cross-site scripting attacks
- Buffer overflows
- Injection flaws
- Improper error handling
- Insecure storage
- Denial of service
- Session timeouts must be 15 minutes or less!
- Client management, if used, must be set to DB
- "scriptprotect" in cfapplication needs to be set to "all", though it's poor protection
- Have all code reviewed for these common vulnerabilities by an outside org that specializes in security by June 30, 2008.
- Have a "Web Application Firewall" (port80.com)
Implement Strong Access Control Measures
- Assign a unique ID to each person with computer access. FTP is usually a failing here. Access must be logged.
- All passwords must be encrypted. Min 7 chars, alphanumeric.
- Need a lockout policy: no more than 6 failed attempts, with logging and a notification sent to you.
- Physical access needs to be secure
- Distinguish between employees and non-employees
Regularly Monitor and Test Networks
- Audit trails
- Clocks must be synched
- Back up logs off the server
- Review logs daily! HAHAHAHa
- Retain logs for 1 year
- Test security controls annually
- Run internal/external scans quarterly. Companies who provide this vary WIDELY in quality.
- Perform penetration testing annually
- Use network intrusion detection systems. You need to be alerted to an attack.
Maintain a Security Policy
- Establish and publish security standards
- Develop daily operations procedures
- Implement a formal security awareness program for all employees
- Educate employees upon hire and annually
- Outside vendors are required to be PCI compliant

XSS (cross-site scripting) is probably the area you should focus on. And logging is very important. For example, if you scrub data, you might want to log the dirty data first, before you scrub it, so you can see what people are trying to do.
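As an added example (not from the presentation or the original notes), here is a tag-based Application.cfc that applies the ColdFusion items above: a 15-minute session timeout, client variables in a database, scriptProtect="all", a PAN-masking helper that shows only the last 4 digits, and an onRequestStart that logs the raw value of one form field before scrubbing it. The application name, the datasource name and the `comment` form field are assumptions.

```cfml
<!--- Application.cfc: added example, not the original page's code --->
<cfcomponent output="false">
    <cfset this.name = "pciExampleApp">
    <cfset this.sessionManagement = true>
    <!--- session timeout of 15 minutes or less, per the notes --->
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 15, 0)>
    <!--- client variables, if used, go to a database datasource (assumed name) --->
    <cfset this.clientManagement = true>
    <cfset this.clientStorage = "pciClientVarsDSN">
    <!--- scriptProtect="all" is weak on its own; still validate every input --->
    <cfset this.scriptProtect = "all">

    <!--- Mask a PAN for display: only the last 4 digits are shown --->
    <cffunction name="maskPAN" access="public" returntype="string" output="false">
        <cfargument name="pan" type="string" required="true">
        <cfset var digits = reReplace(arguments.pan, "[^0-9]", "", "all")>
        <cfif len(digits) LTE 4>
            <!--- too short to partially reveal; mask everything --->
            <cfreturn repeatString("*", len(digits))>
        </cfif>
        <cfreturn repeatString("*", len(digits) - 4) & right(digits, 4)>
    </cffunction>

    <cffunction name="onRequestStart" access="public" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <!--- log the dirty value first so you can see what people are trying to do,
              then scrub it; never log card data this way --->
        <cfif structKeyExists(form, "comment")>
            <cflog file="pciInputAudit" type="information"
                   text="Raw form.comment from #cgi.remote_addr#: #form.comment#">
            <cfset form.comment = htmlEditFormat(form.comment)>
        </cfif>
        <cfreturn true>
    </cffunction>
</cfcomponent>
```

maskPAN("4111 1111 1111 1111") returns "************1111"; the cflog call writes to pciInputAudit.log under the ColdFusion logs directory.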
Keep in mind!
CC transactions can be outsourced completely. The PCI compliance can be avoided with this method. Duh, thanks for telling this at the very end of the presentation.