Building PCI compliant Django applications

BUILDING PCI
COMPLIANT DJANGO
APPLICATIONS
Ken Cochrane
@KenCochrane
Site Reliability Engineer
dotCloud.com
1
Thursday, September 6, 12

View Slide

THANK YOU
http://www.dotcloud.com/jobs/
We’re hiring!
2

View Slide

MY BACKGROUND
Site Reliability Engineer at dotCloud.com
Was the director of web and mobile technologies at
CashStar.com (3.5 years)
I’m not a certiﬁed PCI Expert (QSA)
3

View Slide

CASHSTAR.COM
Electronic Gift Card e-commerce platform built
with Django
100+ brands including (Home Depot, BestBuy,
Starbucks, Staples, etc)
Many millions of dollars in credit card transactions
each year
Helped get PCI certiﬁcation (SAQ-D)
4

View Slide

QUICK SURVEY
5

View Slide

SHOW OF HANDS
Raise your hand if you:
Own a credit card?
Have heard of PCI before?
Know what PCI is?
Have a website that accepts credit cards online?
Know you are PCI compliant?
6

View Slide

CREDIT CARD NATION
1.4B Cards in Circulation in USA
181M (77%) of adults have credit card
20B credit card transaction each year
$1.9T total value (12.9% of GDP)
source: http://www.indexcreditcards.com
2011
7

View Slide

CREDIT BY BRAND
39% Visa
24% MasterCard
23% American Express
14%
23%
24%
39%
Visa MasterCard
American Express Other
2011
source: http://www.indexcreditcards.com
8

View Slide

FRAUD
9

View Slide

CREDIT CARD FRAUD
10% of Americans victims of credit card fraud
$399 median amount reported
$5.55 Billion worldwide in credit card fraud.
http://www.statisticbrain.com/credit-card-fraud-statistics/
10

View Slide

HOW?
Dumpster diving (always shred your documents)
Theft (stolen wallet, B&E)
Phishing
Hacking
Before the internet
With the internet
11

View Slide

HACKED SINCE 2005
TJ Maxx
Bank of America
Citigroup
BJ’s wholesale club
Hotels.com
LexisNexis
Polo Ralph Lauren
Wachovia
Heartland Payment Systems
Hannaford
Global Payments
CardSystem Solutions
12

View Slide

WHAT TO DO?
13

View Slide

PCI WAS BORN
2004 - MasterCard created the PaymentCard Industry
(PCI) Data Security Standards
Visa, American Express, Discover, JCB decided to
drop their own efforts and join MasterCard
June 30, 2005 - PCI 1.0 took effect
14

View Slide

WHY WAS PCI CREATED?
It was created in response to a spike
in data security breaches.
It gives merchants a guide to help
them make sure they are following
best security practices when it comes
to card holder data.
15

View Slide

WHAT IS PCI?
16

View Slide

WHAT’S PCI?
Computer Expansion Slot?
image source: http://en.wikipedia.org/wiki/File:PCI_Slots_Digon3.JPG
17

View Slide

NOT THAT PCI!
Computer Expansion Slot?
image source: http://en.wikipedia.org/wiki/File:PCI_Slots_Digon3.JPG
PCI !=
18

View Slide

WHAT IS PCI?
Information security standard for handling
cardholder information. (PCI DSS)
12 core requirements and roughly 250 controls
4 certiﬁcation levels
Current version is 2.0
Not a law
19

View Slide

PCI REQ #1
Install and maintain a ﬁrewall
conﬁguration to protect data
20

View Slide

PCI REQ #2
Do not use default passwords
21

View Slide

PCI REQ #3
Protect stored data
22

View Slide

PCI REQ #4
Encrypt transmission of
cardholder data across public
networks (SSL, VPN, etc)
23

View Slide

PCI REQ #5
Use and regularly update
anti-virus software
24

View Slide

PCI REQ #6
Develop and maintain a secure
system and applications
25

View Slide

PCI REQ #7
Restrict access to data by
business need to know
26

View Slide

PCI REQ #8
Assign a unique ID to each person
with computer access
27

View Slide

PCI REQ #9
Restrict physical access to
cardholder data
28

View Slide

PCI REQ #10
Track and monitor all access to
network resources and cardholder
data
29

View Slide

PCI REQ #11
Regularly test security systems
and processes
30

View Slide

PCI REQ #12
Maintain a policy that addresses
information security
31

View Slide

CERTIFICATION
32

View Slide

HOW DOES PCI
CERTIFICATION WORK?
Find out which Self-Assessment Questionnaire
(SAQ) you need and ﬁll it out.
Find out what level you are
Make sure you follow all recommendations for that
SAQ and level
Fix any issues
Attestation of Compliance (if self assessing)
33

View Slide

SELF-ASSESSMENT
QUESTIONNAIRE (SAQ)
A questionnaire with lots of questions about your
payment system
Four levels (A,B,C,D). Level based on certain criteria
Everyone is required to ﬁll one out for PCI
compliance.
Filled out yearly
They can be very easy or very hard, depends on how
much card holder data you have access too.
34

View Slide

SAQ-A
Merchants who have outsourced all
processing, transmission and
storage of credit card data
35

View Slide

SAQ-B
Merchants who process cardholder data
via imprint machines or stand-alone
dial-up terminals only.
36

View Slide

SAQ-C
Merchants whose payment
applications systems are connected
to the internet
37

View Slide

SAQ-D
All other merchants
38

View Slide

SAQ-A VS SAQ-D
SAQ-A SAQ-D
Time to become PCI compliant
PCI DSS Controls to meet
Assessment costs to determine scope
Hardware/Software upgrades
Ongoing expenses
about 5 days 6-18 months
Less than 20 Over 200
$0 $44k - $125k*
$0 $81k - $568k*
Fixed Variable
source: https://www.braintreepayments.com/tour/pci-compliance * Gartner estimates merchant Level 1-3
39

View Slide

4 LEVELS OF PCI
Level Description
1 6M+ Visa trans per year
2 1M to 6M Visa trans per year
3 20K to 1M Visa trans per year
4 Everyone else
40

View Slide

PCI COST BY LEVEL
Level # of Trans Scope Compliance Audit type
1 6M+ $125K $586K onsite
2 1M-6M $105K $267K SAQ
3 20K-1M $44K $81K SAQ
4 < 20K ? ? SAQ
http://blog.elementps.com/element_payment_solutions/2009/02/pci-compliance-costs.html
http://www.networkworld.com/news/2010/030110-pci-compliance-audit-cost.html
41

View Slide

EXTERNAL AUDITS
Need to hire a Qualiﬁed Security Assessor (QSA)
Lasts a few weeks or more on site.
Low end $20K-$30K
$225K a year on average
10% paying over $500K
Source: http://www.networkworld.com/news/2010/030110-pci-compliance-audit-cost.html
42

View Slide

PCI 2.0
Took full effect Jan 1st, 2012
132 changes 2 new ones, the rest are clariﬁcation or
additional guidelines
Added more guidelines around virtualization, and
how it affects PCI.
Amazon Web Services is now Level 1 PCI
compliant
43

View Slide

CREDIT CARD DATA
Credit Card information that can be stored
Storage Permitted
Protection
Required
Cardholder Data
Cardholder Data
Cardholder Data
Account number Y Y
Cardholder name Y Y
Expiration Date Y Y
Service Code Y Y
Authentication Data
Authentication Data
Authentication Data
Magnetic strip N n/a
CVV N n/a
PIN data N n/a
44

View Slide

WHAT IF HACKED?
You could be banned from accepting credit cards.
Loss of reputation and customers
Fines up to $500,000 per incident.
Litigation
45

View Slide

PCI BOILED DOWN
46

View Slide

SUMMARY #1
All Merchants, regardless if credit card
data is stored, must achieve and
maintain compliance at all times.
47

View Slide

SUMMARY #2
Merchants cannot store certain credit
card information including CVV,
track data, magnetic strip or PIN data
48

View Slide

SUMMARY #3
If you store permitted credit card data,
you need to store it in a secure way
following the PCI security standards.
49

View Slide

COMMON REASONS WHY
COMPANIES ARE NOT
PCI COMPLIANT
50

View Slide

COMMON MISTAKES
Storing credit card information in plain text
Default passwords not changed
Poorly coded websites resulting in SQL injection
and other vulnerabilities
Lack of monitoring and logging
51

View Slide

COMMON MISTAKES 2
Not using SSL for payment page
Logging payment information into log ﬁles especially
when there is an error. (django error emails)
Missing security patches
52

View Slide

PEOPLE DON’T KNOW
PCI rules are complex
PCI rules change often
PCI is boring
Training and information is not readily available
53

View Slide

PEOPLE ARE LAZY
They have systems working ﬁne today, and they
don’t want to change them
They don’t want to take time to learn PCI rules
They cut corners to save time and money
54

View Slide

PEOPLE ARE CHEAP
Changing “stuff” costs money
Adding more processes and services costs money
Doing things right takes more time, which in turn
costs more money
55

View Slide

PEOPLE ARE COCKY
It won’t happen to me, why would someone hack
me?
My code is the best that is ever written
56

View Slide

PEOPLE ARE DUMB
Some people write really bad code and not even
know it
People are tweeting pictures of their credit cards
https://twitter.com/needadebitcard
57

View Slide

DJANGO PAYMENT APP
REVIEW
58

View Slide

DJANGO PAYMENTS
TALK
Joe Jasinski
http://www.djangocon.us/schedule/presentations/60/
59

View Slide

PAYMENT TYPES
3rd party (Paypal, google checkout, etc)
Hosted payment page
Transparent redirect
Client-side encryption
Self serve payment page
Recurring payments (subscriptions, on demand, etc)
60

View Slide

TOKENIZATION
If you need to store credit card information, use a
tokenization service instead of storing it yourself
You store the credit card information in their system.
They give you a unique token that you use for all
future transactions against that credit card.
Most payment processors support this.
61

View Slide

THIRD PARTY PAYMENT
Customers leave your site to pay.
You don’t touch any credit card data
Paypal, Google Checkout, Amazon payments
Risk: None SAQ: A
Effort: Low
62

View Slide

THIRD PARTY PAYMENT
Source: http://help.yahoo.com/l/us/yahoo/smallbusiness/store/order/paypal/paypal-31.html
63

View Slide

HOSTED PAYMENT PAGE
The actual payment page is hosted somewhere else
Usually done with an iFrame
Can’t usually customize the page, limited features
You see no credit card data
Risk: None SAQ: A
Effort: Low
64

View Slide

TRANSPARENT REDIRECT
Source: https://samurai.feeﬁghters.com/transparent-redirect
65

View Slide

TRANSPARENT REDIRECT
You host the payment page
When form submitted, the page POST’s to someone
else. They take credit card data, remove it, add token.
Then they post back to you, minus credit card data.
Authorize.net, Braintree payments, Fee Fighters
Risk: Low SAQ: A
Effort: Medium
66

View Slide

CLIENT-SIDE ENCRYPTION
You install javascript on your payment page
The JS will encrypt and remove the sensitive data in
browser before sending to you.
You get the data and pass it on to payment gateway.
Braintree, Stripe, fee ﬁghters
Risk: Low SAQ: A
Effort: Medium
67

View Slide

SELF-SERVE PAYMENTS
You host the payment page.
When form is submitted credit card data is sent to
you and lives in memory on your server.
You pass it along to payment gateway.
Most common, very ﬂexible you can do what ever
you want on payment page.
Risk: High SAQ: D
Effort: High
68

View Slide

SELF-SERVE PAYMENTS
Source: http://www.braintreepayments.com/services/pci-compliance
69

View Slide

RECURRING PAYMENTS
Someone signs up for your service, gives you their
credit card once, you charge them on a set schedule
How to store the credit card info for future payments
What if credit card expires or becomes inactive
recurly, stripe, braintree, paypal, etc
Risk: Low Effort: Medium SAQ: A
70

View Slide

EDGE TOKENIZATION
The credit card data is removed and replaced with a
token on a proxy server on the way to your server.
Fairly new, Expensive, Limited gateway support
Good if you need to handle payments over an API.
Akamai
Risk: Low SAQ: A
Effort: High
71

View Slide

COMPARISON
Risk Effort SAQ Customization
3rd Party
Hosted
Trans. Redirect
JS encryption
Self Hosted
Recurring
Edge Token.
None Low A Bad
Low Low A Bad
Low Medium A Good
Low Medium A Good
High High D Great
Low Medium A Good
Low High A Good
72

View Slide

SAQ-A VS SAQ-D
SAQ-A SAQ-D
Ongoing expenses
$0 $44k - $125k*
$0 $81k - $568k*
Fixed Variable
73

View Slide

TIPS
&
RECOMMENDATIONS
74

View Slide

GENERAL
RECOMMENDATIONS
Don’t let credit card data touch your systems
Use a payment system that handles all credit card
data for you.
Use payment tokens whenever possible
Don’t store any sensitive data
75

View Slide

NEVER EVER
Store credit card information in the database
Even if it is encrypted
Not worth the hassle, risk, and cost of the external
audit.
76

View Slide

SAQ-A VS SAQ-D
SAQ-A SAQ-D
Ongoing expenses
$0 $44k - $125k*
$0 $81k - $568k*
Fixed Variable
77

View Slide

AVOID DB ENCRYPTION
Where do you encrypt (column, whole database, FS)
Slows down transactions
Makes things more complicated
need to manage/protect certiﬁcates and key
78

View Slide

DJANGO TIPS
django-secure and django-axes
Use SSL everywhere
Secure cookies
XSS protection
Change Django admin url (/_the_admin_/)
Don’t log sensitive data from forms
Turn auto-complete off, on payment forms.
79

View Slide

DJANGO-SECURE
Written by Carl Meyer
Helping you remember to do the stupid little things
to improve your Django site's security.
Checks your settings to make sure you have them all
set correctly
Provides some utilities to make your project safer
http://django-secure.readthedocs.org
80

View Slide

DJANGO-AXES
Log login attempts to your django app
Lock out brute force attempts after a set number of
login failures
81

View Slide

ERROR LOGS
If you are not careful, sensitive data could leak into
Logs
If you have sensitive data make sure you use (since Django 1.2.6
and Django 1.3.1)
@sensitive_variables()
@sensitive_post_variables()
https://docs.djangoproject.com/en/dev/howto/error-reporting/
#ﬁltering-sensitive-information
82

View Slide

DJANGO APP REVIEW
83

View Slide

DJANGO PAYMENT
PROJECTS
Satchmo
Lightning fast shop
Mezzanine/Cartridge
Django-shop
Django-Oscar
Django-Merchant
84

View Slide

SATCHMO
SatchmoProject.com
Most popular Django e-commerce solution, been
around for a long time.
Lots of great features and documentation
SAQ-D if you use something other then Paypal or
Google Checkout.
http://www.satchmoproject.com/docs/dev/deploying.html
85

View Slide

LIGHTNING FAST SHOP
http://getLFS.com
New kid on the block, lots of great features, with new
releases often
If using Credit Card means SAQ-D
86

View Slide

MEZZANINE / CARTRIDGE
http://mezzanine.jupo.org
Mezzanine is a powerful, consistent, and ﬂexible
content management platform
Cartridge is the shopping cart module.
Direct access to credit card data in payment form.
SAQ-D out of the box.
87

View Slide

DJANGO-SHOP
From the folks that brought you django-cms
Out of the box it doesn’t have credit card payment
support, you have to add your own.
Looks like it is still in early in development?
SAQ-A, out of the box
88

View Slide

DJANGO-OSCAR
http://OscarCommerce.com
Lots of integrations SAP, Google eBookstore, etc.
Extensions (Paypal, goCardLess,DataCash, etc)
Has access to credit card data in payment form. SAQ-
D out of the box.
89

View Slide

DJANGO-MERCHANT
Gateway support: auth.net, Paypal, eWAY, Braintree,
stripe, Fee Fighters
Support for off-site processing: (PayPal, RBS
WorldPay, Google Checkout, Amazon FPS, Braintree
(TR), Stripe.js, Samurai, eWAY
SAQ-A options out of the box
90

View Slide

COMPARE PAYMENT
APPS
Project Version SAQ-?
Satchmo 0.9-1
Lightning Fast Shop 0.7.6
Mezzanine / Cartridge 0.6.0
Django-shop 0.0.13
Django-Oscar 0.4
Django-Merchant 0.05
D
D
D
A
D
A
91

View Slide

PCI IN THE CLOUD
Need to ﬁnd a PCI compliant cloud provider
AWS - Yes , RackSpace - No [1][2]
Use an off-site payment processor
SSL for everything (load balancer to DB)
Setup Monthly Security scans
Might require Intrusion Detection System (IDS)
[1] http://www.rackspace.com/knowledge_center/article/how-to-utilize-cloud-sites-in-an-e-commerce-solution
[2] http://www.rackspace.com/knowledge_center/article/pci-frequently-asked-questions#cloudsites
92

View Slide

PCI CLOUD RESOURCES
http://bit.ly/Qxvb2n - RightScale: PCI
Compliance in the public IaaS cloud
http://www.cloudpassage.com - 3rd party
hosted cloud security
http://AlertLogic.com : AWS cloud security
93

View Slide

INTRUSION DETECTION
SYSTEM
Hardware and Software versions available
Network or host based
Software: Snot, Samhain, TripWire, etc
Hardware: AlertLogic, Cisco, etc
94

View Slide

SECURITY SCANNERS
Application
Server
Network Vulnerability Scans
95

View Slide

VULNERABILITY
SCANNERS
Cross-site scripting
SQL injection
Remote ﬁle inclusion
Known application, server, and network
vulnerabilities
Much more.
96

View Slide

OTHER THINGS TO
CONSIDER
payments over the phone (call centers)
payments via fax
payments via mail
97

View Slide

ORIGINAL BLOG POST
http://kencochrane.net/blog/2012/01/developers-
guide-to-pci-compliant-web-applications/
98

View Slide

QUESTIONS?
99

View Slide

THANK YOU
Ken Cochrane
[email protected]
@KenCochrane
100

View Slide

Building PCI compliant Django applications

Building PCI compliant Django applications

Ken Cochrane

More Decks by Ken Cochrane

Other Decks in Technology

Featured

Transcript