PCI DSS v 3.2に対する対応

by benzookapi

Slide 1

Slide 1 text

PCI DSS v 3.2ʹର͢ΔରԠ Junichi Okamura @ Security Night #1 2016.5.11

Slide 2

Slide 2 text

Who am I? • Junichi Okamura @benzookapi • API Lover/Midnight Creator/TDD (Talk Driven Development) Advocator • Rock/Wine/DQ/JOJO/I18N/Marketing/Payment • Scala/Java/Ruby/Python/Node.js/PHP/Mobile/Unity/../ppt

Slide 3

Slide 3 text

Today’s Topic PCI DSSͷ௒΍ΜΘΓઆ໌ͱɺ ͱ͋ΔFinTechاۀͷରԠʹ͍ͭͯ

Slide 4

Slide 4 text

PCI DSSͱ͸ʁ Payment Card Industry Data Security Standardͷུɻ ࠃࡍϖΠϝϯτϒϥϯυ5͕ࣾڞಉͰࡦఆͨ͠ɺ ΫϨδοτۀքʹ͓͚ΔάϩʔόϧηΩϡϦςΟج४ɻ PCI SSCʹΑͬͯ؅ཧɻ

Slide 5

Slide 5 text

PCI SSCͱ͸ʁ Payment Card Industry Security Standards Councilͷུɻ લग़̑ࣾͰઃཱͨ͠ηΩϡϦςΟ؅ཧஂମɻ

Slide 6

Slide 6 text

ͬ͘͟Γݴ͏ͱ ΫϨδοτΧʔυΛѻ͏ۀऀ͕औಘ͢΂͖ηΩϡϦςΟن֨

Slide 7

Slide 7 text

͞Βʹݴ͏ͱ ΫϨδοτΧʔυ৘ใ͕̍ճͰ΋఻ૹ͢ΔՄೳੑͷ͋Δۀऀ͸औΒͳ ͍ͱμϝͳ΋ͷͰ͢ɻʢຊདྷ͸ʣ

Slide 8

Slide 8 text

PCI DSSͷओཁ߲໨ ҆શͳωοτϫʔΫͷߏஙɾҡ࣋ Χʔυձһσʔλͷอޢ ੬ऑੑΛ؅ཧ͢ΔϓϩάϥϜͷ੔උ ڧݻͳΞΫηε੍ޚख๏ͷಋೖ ఆظతͳωοτϫʔΫͷ؂ࢹ͓Αͼςετ ৘ใηΩϡϦςΟɾϙϦγʔͷ੔උ ʢ࣮ࡍ͸΋ͷ͘͢͝ࡉ෼Խ͞Εఆٛ͞Ε͍ͯ·͢ʣ

Slide 9

Slide 9 text

PCI DSSͷऔಘํ๏ ໰਍ථʹΑΔࣗݾ਍அ ੬ऑੑεΩϟχϯάςετ ๚໰ௐࠪ ʢ࣮ࡍ͸ΫϨδοτΧʔυͷѻ͍ํͰϨϕϧ෼͚͞Ε͍ͯ·͢ʣ

Slide 10

Slide 10 text

PCI DSSͷऔಘίετ औಘ͢ΔϨϕϧʹΑΓ·͕͢ɺ ௨ৗ೥ؒ਺ඦສ͙Β͍͔͔Γ·͢ɻ

Slide 11

Slide 11 text

PCI DSSΛऔΒͳ͍ͱͲ͏ͳΔͷʁ ΧʔυܾࡁΛड͚෇͚Δ͜ͱ͸Ͱ͖·ͤΜ ʢຊདྷ͸ʣ

Slide 12

Slide 12 text

࣮৘͸… ܾࡁ୅ߦ΍ࢿۚҠಈۀऀͳͲ͕औಘ͍ͯͯ͠ɺ Χʔυ৘ใ͸൴Β͕ѻ͏ͷͰɺ Ұൠͷۀऀ͸൴ΒΛհͯ͠ΧʔυܾࡁΛड͚Δ͜ͱ͕Ͱ͖·͢

Slide 13

Slide 13 text

PCI DSSͷৄࡉʹ͍ͭͯ͸ ࣍ճҎ߱Ͱಛू૊Ή༧ఆͰ͢ ࠓ೔͸͜ͷลͰצห

Slide 14

Slide 14 text

PCI DSSͷόʔδϣϯ 2004೥12݄ ੍ఆ 2006೥9݄ v 1.1 2008೥10݄ v1.2 -> v 2.0 2013೥12݄ v 3.0 2015೥4݄ v 3.1 2016೥4݄ v 3.2 (࠷৽ʣ

Slide 15

Slide 15 text

࠷৽൛ v 3.2ʹ͍ͭͯ v 3.0 ͔Βͷओͳมߋ఺ɿ TLS 1.1Ҏ্ͷ௨৴Λαϙʔτ͠ͳ͍͞ʢ2016೥6݄30೔·Ͱʹʣ SSL/TLS 1.0ͷ௨৴ΛແޮԽ͠ͳ͍͞ʢ2018೥6݄30೔·Ͱʹʣ

Slide 16

Slide 16 text

ͭ·Γ 2016೥6݄30೔Ҏ߱ʹTLS1.1Λαϙʔτ͍ͯ͠ͳ͍ۀऀ 2018೥6݄30೔Ҏ߱ʹSSl/TLS1.0Λαϙʔτ͍ͯ͠Δۀऀ ʹ PCI DSSΛണୣ͞ΕΔʁʢ͸ͣʣ

Slide 17

Slide 17 text

SSLʁTLSʁ ͍͖ͳΓࠓ೔ͷςʔϚʹ͍͖ۙͮͯ·ͨ͠

Slide 18

Slide 18 text

ͳͥ͜Μͳมߋ͕ͳ͞Εͨͷ͔ʁ ͜͜Ͱͪΐͬͱࢥ͍ग़ͯ͠Έ·͠ΐ͏

Slide 19

Slide 19 text

ࡢࠓͷOSSͷ੬ऑੑͷൃ֮ Heartbleedʢ2014೥4݄ʣ POODLEʢ2014೥10݄ʣ Logjamʢ2015೥5݄ʣ … ଟ෼಺༰͸Α͘Θ͔Βͳͯ͘΋ฉ͍ͨ͜ͱ͸͋Δ͸ͣ

Slide 20

Slide 20 text

҆શͳωοτϫʔΫͷߏஙɾҡ࣋ ͜ͷେલఏ͕͜ͷ··ͩͱڴ͔͞ΕΔ ͦΕΛ્ࢭ͢ΔͨΊͷߋ৽

Slide 21

Slide 21 text

PCI DSSΛऔಘ͍ͯ͠ΔاۀͷରԠ ΍͸ΓFinTechاۀ͕Ұ൪හײ

Slide 22

Slide 22 text

FinTechاۀҐ֎͸ؔ܎ͳ͍ʁ ͦ͏Ͱ͸͋Γ·ͤΜ ݸਓ৘ใͳͲ༷ʑͳηϯγςΟϒ৘ใΛѻ͏େاۀ͸ PCI DSSΛऔಘ͍ͯ͠Δ͜ͱ͕ଟ͍Ͱ͢ ʢྫɿAWS͞Μͱ͔ʣ ͦ΋ͦ΋ηΩϡϦςΟ͸શͯͷαʔϏεʹେࣄ

Slide 23

Slide 23 text

FinTechاۀͷରԠྫ

Slide 24

Slide 24 text

PayPalͷࣄྫ PCI DSS v3.2Ҏ֎ͷ΋ͷ΋ؚΜͰ ηΩϡϦςΟܭըͱͯ͠άϩʔόϧͰ࣮ࢪ

Slide 25

Slide 25 text

ରԠ߲໨ SSLূ໌ॻͷΞοϓάϨʔυʢVeriSign G5ʣ TLS1.2/HTTP1.1΁ͷΞοϓάϨʔυ γεςϜؒ௨৴ͷHTTPͷഇࢭ ClassicɹAPIͷGETഇࢭʢREST͸আ͘ʣ ͦͷଞ…

Slide 26

Slide 26 text

ৄࡉʢϚΠΫϩαΠτʣ https://www.paypal-knowledge.com/infocenter/index? page=content&id=FAQ1913&expand=true&locale=ja_JP

Slide 27

Slide 27 text

։ൃऀ޲͚ηΩϡϦςΟΨΠυϥΠϯ https://developer.paypal.com/docs/classic/lifecycle/info-security- guidelines/

Slide 28

Slide 28 text

ͳͥʢલ౗ͯ͠͠·Ͱʣ΍Δ͔ʁ FinTechاۀͱͯ͠ͷ҆શɾ҆શͷͨΊ

Slide 29

Slide 29 text

Thank You Junichi Okamura @ Security Night #1 2016.5.11