PCI Compliance and Drupal - Commerce Guys Webinar

Let's Talk About PCI Compliance for Drupal Rick Manelius, PhD @rickmanelius

Description

These are the slides from the Commerce Guys webinar on PCI compliance for Drupal (recorded on 11/14/2013). You can watch the video recording at the following link: http://commerceguys.com/webinars/archive/pci-compliance-drupal

Original webinar description below:

You’re taking payments online, so you must be PCI compliant, right? How do you know? Drupal.org reports over 80,000 active Ubercart and Drupal Commerce installations. That’s great news! With such a large and active portion of our community involved in eCommerce, effort and resources must go toward helping these websites achieve the mandatory security standards set forth by the Payment Card Industry (PCI).

In the past, a definitive guide or comprehensive resource simply didn’t exist. Information seekers could find a handful of articles, forum threads, and videos, but most of these resources were fragmented, outdated, and might have contained inaccurate information. Not a good thing when failing to become PCI compliant exposes businesses to legal and financial liabilities.

That’s why we’ve invited Rick Manelius to our next Commerce Guys webinar. He’s one of the authors of a new report on PCI compliance, focused specifically on Drupal. The report was created as a means to help Drupal shops, developers, and customers understand their PCI compliance responsibilities and discover the steps to achieving full compliance. He’ll be joined by Robert Douglass, a long time Drupal contributor and Director of Product Operations for Commerce Guys. Together they’ll present a very open and honest view of the eCommerce landscape for Drupal and lend valuable insight for companies looking to achieve success, and security, when taking payments online.

Transcript of PCI Compliance and Drupal - Commerce Guys Webinar

Page 1: PCI Compliance and Drupal - Commerce Guys Webinar

Let's Talk About PCI Compliance for Drupal

Rick Manelius, PhD @rickmanelius

Page 2: PCI Compliance and Drupal - Commerce Guys Webinar

Overview

• Why (should I care)?

• What (exactly is this PCI compliance thing)?

• How (do I get started)?

Page 3

Why?

Page 4

My Story

• From great success to sheer panic.

• You’ll experience something similar at some point.

• The 5 Stages of PCI Compliance Grief

• Denial (“That doesn’t pertain to me.”)

• Anger (“WTF! Why didn’t someone tell me?”)

• Bargaining (“I’m more secure than others.”)

• Depression (“This is going to be so hard…”)

• Acceptance (“Alright, let’s do this!”)

Page 5

Why? It’s In the News

Page 6

You’ve Got Mail!

Page 7

Security Breaches Hurt

• Adobe - 2.9 million customer records.

• Sony Playstation Network - $77 Million.

• JC Penney - 650,000 records.

• Ubercart with custom module (3)

• $25-$215 / Breached Record. (1)

• Small merchants — 80+% of breaches. (2)

• One strike rule for PCI Level.

1. 2010 Annual Study: U.S. Cost of a Data Breach (symantec.com)
2. In Data Leaks, Culprits Often Are Mom (Online Wall Street Journal)

Page 8

PCI Compliance is Mandatory

• Golden Rule

• Contractual

• Privilege

• It can be revoked

• One strike rule

Page 9

My Goals

• World Class eCommerce Platform => Set the Standard

• 4 Stages of Mastery

1. Unconscious Incompetence

2. Conscious Incompetence

3. Conscious Competence

4. Unconscious Competence

• I believe the Drupal community is primarily at 1-2.

• At the very least, we need to get to 2 (awareness).

• Ideally 90+% of Drupal eCommerce sites get to 3.

Page 10

Drupal PCI Compliance White Paper

• http://drupalpcicompliance.org

• Co-authors:

• Greg Knaddison (Head of Drupal Security Team)

• Ned McClain (QSA at Applied Trust)

• Readable in less than an hour.

• Target audiences: developers, shops, & evaluators.

• Drupal specific information.

• Goes well beyond the information in this talk.

Page 11

Sponsors

Page 12

What?

Page 13

The Journey of a Credit Card

• User’s browser

• Internet

• Hosting Network

• Server

• LAMP Stack

• Drupal App

• Payment Gateway

• Merchant Service Provider

Page 14

Holistic Approach

• Card Data Environment (CDE)

• Everything that can touch the card falls into CDE.

• Security (& trust) is as strong as the weakest link.

• Need a policy to ensure end to end security.

Page 15

PCI-DSS

• PCI = Payment Card Industry

• DSS = Data Security Standard

• 12 requirements (aka the dirty dozen)

• We will (quickly) go through them.

Page 16

PCI Data Security Standard

• 1. Install and Maintain a Firewall

• 2. Do Not Use Vendor Supplied Default Passwords

• 3. Protect Stored Data

• 4. Encrypt transmission of cardholder data across open, public networks

• 5. Use and regularly update anti-virus software or programs

• 6. Develop and maintain secure systems and applications

Page 17

PCI Data Security Standard

• 7. Restrict access to cardholder data by business need-to-know

• 8. Assign a unique ID to each person with computer access

• 9. Restrict physical access to cardholder data

• 10. Track and monitor all access to network resources and cardholder data

• 11. Regularly test security systems and processes

• 12. Maintain a policy that addresses information security for all personnel

Page 18

PCI Data Security Standard

• 288 total checklist items.

• The number of items an eCommerce site is responsible for depends on how it’s structured!

Page 19

How?

Page 20

So... Where Do I Start?

• Key Factors: Volume & Validation Type.

• Volume determines PCI Level (1, 2, 3, or 4)

• Validation type determines SAQ (A, B, C, C-VT, D)

• SAQ = Self Assessment Questionnaires

• Provides checklist for 12 requirements.

Page 21

Volume


• Reported Breach = Automatic Level 1

Page 22

Validation Type

• (i.e. method by which you accept payment)

• A, C, and D are the most relevant for eCommerce.

Page 23

Validation Type (English Please!)

• SAQ A: Fully outsourced handling of sensitive data.

• SAQ C: “Standard” eCommerce setup.

• SAQ D: Storing sensitive data.

Page 24

Determining Your SAQ

• Largely a function of payment method.

• 3 types of payment methods:

• Wholly Outsourced

• Shared-Management

• Merchant Managed

Page 26

Wholly Outsourced: SAQ A

• Sensitive data is completely handled by another vendor.

• Examples: Volusion, BigCommerce, etc.

• Grey area for Drupal payment gateways (more on this later).

Page 27

Merchant Managed: SAQ C/D

• Drupal application processes and transmits credit card data to the payment gateway.

• If you store cards, you’re SAQ D (dangerous!)

• Do not do this unless you absolutely, positively know what you’re doing.

Page 28

Shared Management: SAQ A/C

• Three Types

• Hosted Payment Page

• Direct Post

• iFrame

• Often advertised as SAQ A.

• PCI Council outlines vulnerabilities.

• Consider these an “easier SAQ C”.

Page 29

Hosted Payment Pages

• Image courtesy of authorize.net

Page 30

Direct Post

• Image courtesy of authorize.net

Page 31

iFrame

• Basically direct post with the additional security of an iframe surrounding the form element.

• Protects from JS attacks from the parent DOM.

Page 32

Attacking Shared-Management

• Direct Post (Stripe, Braintree, etc)

• JS Keylogger.

• Hosted Payment Page (Paypal, etc)

• Redirecting to a spoof site.

• iframe (Auth.net hosted CIM, Hosted PCI)

• Replace the iframe.

• While still vulnerable, shared-management solutions are considerably less risky than merchant managed solutions!
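The iFrame and “Attacking Shared-Management” slides describe two risks on the merchant’s own checkout page: a script injected into the parent page (the keylogger case for direct post) and the payment iframe being swapped for one pointing elsewhere. The script below is an added example, not code from the webinar or from Commerce Guys, showing the defender’s side: an audit that checks a rendered checkout page against the expected gateway origin, and the Content-Security-Policy header that makes the browser enforce the same rules. The origins, the sample HTML and the function names are all constructed for this example.

```javascript
// Added example (not from the webinar slides or any Commerce Guys code).
// Defender-side audit for the shared-management risks the slides name:
// injected page scripts and a replaced payment iframe.
const PAYMENT_ORIGIN = 'https://checkout.gateway.example'; // assumed gateway origin
const SHOP_ORIGIN = 'https://shop.example';                // assumed merchant origin

// Constructed: the checkout page as deployed (gateway iframe, shop's own script).
const EXPECTED_PAGE = `
<html><body>
<script src="https://shop.example/js/checkout.js"></script>
<iframe id="card-form" src="https://checkout.gateway.example/form?merchant=demo"></iframe>
</body></html>`;

// Constructed: the same page after tampering (an inline script and a swapped iframe).
const TAMPERED_PAGE = `
<html><body>
<script src="https://shop.example/js/checkout.js"></script>
<script>var injected = true;</script>
<iframe id="card-form" src="https://not-the-gateway.example/form"></iframe>
</body></html>`;

// Collect the src of every <iframe> or external <script>. A regex is enough for
// auditing your own rendered markup; it is not a general HTML parser.
function extractSrcs(html, tag) {
  const re = new RegExp(`<${tag}\\b[^>]*\\bsrc=["']([^"']+)["']`, 'gi');
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Count <script> tags that carry no src attribute (inline scripts).
function countInlineScripts(html) {
  return (html.match(/<script\b(?![^>]*\bsrc=)[^>]*>/gi) || []).length;
}

function originOf(url) {
  try { return new URL(url).origin; } catch { return null; }
}

// Every iframe must come from an allowed gateway origin, every external script
// from the shop itself, and there must be no inline scripts at all.
function auditCheckoutPage(html, allowedFrameOrigins, shopOrigin) {
  const frameOrigins = extractSrcs(html, 'iframe').map(originOf);
  const scriptOrigins = extractSrcs(html, 'script').map(originOf);
  const unexpectedFrames = frameOrigins.filter(o => !allowedFrameOrigins.includes(o));
  const foreignScripts = scriptOrigins.filter(o => o !== shopOrigin);
  const inlineScripts = countInlineScripts(html);
  return {
    unexpectedFrames,
    foreignScripts,
    inlineScripts,
    ok: unexpectedFrames.length === 0 && foreignScripts.length === 0 && inlineScripts === 0,
  };
}

// CSP header for the checkout page that enforces the same rules in the browser:
// frames only from the gateway, scripts only from the shop (no 'unsafe-inline',
// so injected inline scripts do not run), forms posting only to shop or gateway.
function buildCheckoutCsp(shopOrigin, paymentOrigin) {
  return [
    `default-src 'self'`,
    `script-src ${shopOrigin}`,
    `frame-src ${paymentOrigin}`,
    `form-action ${shopOrigin} ${paymentOrigin}`,
  ].join('; ');
}

console.log('expected page:', auditCheckoutPage(EXPECTED_PAGE, [PAYMENT_ORIGIN], SHOP_ORIGIN));
console.log('tampered page:', auditCheckoutPage(TAMPERED_PAGE, [PAYMENT_ORIGIN], SHOP_ORIGIN));
console.log('Content-Security-Policy:', buildCheckoutCsp(SHOP_ORIGIN, PAYMENT_ORIGIN));
```

Run the audit against the page as the browser receives it (for example from a scheduled fetch of the live checkout URL) so that a swapped iframe or an injected script is caught after deployment, not only in source control. The CSP is a browser-side control: it limits what a tampered page can do, but it does not change who is responsible for that page, which is why the slides still treat these integrations as an “easier SAQ C” rather than SAQ A.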

Page 33

SAQ Breakdown

• Merchant Managed - SAQ C/D

• Shared-Management - SAQ A/C

• Wholly Outsourced - SAQ A

• SAQ C - “Standard” eCommerce Site.

• SAQ D - Storing Cardholder Data.

Page 34

Recommendations

• Use shared-management types.

• iFrame or Hosted Payment Pages Preferred

• Use SAQ C regardless of vendor claims.

• New 3.0 PCI standard coming out soon.

• Consider SAQ the minimum level.

• Seek help if you have any questions.

Page 35

Recommendations

• Download: Drupal PCI Compliance White Paper!

• http://drupalpcicompliance.org/

Page 36

Summarizing

• Why

• Mandatory

• Financial, PR, and legal risks.

• What

• Standard that addresses security holistically.

• How

• Determine your volume + transaction type.

• Complete the relevant SAQ form.

• Do your due diligence!!!

Page 37

Questions


• PS. Don’t forget:

• http://drupalpcicompliance.org/

• Drupal.org/IRC/twitter: @rickmanelius