
Building PCI compliant Django applications

Ken Cochrane
September 06, 2012


If you accept credit cards with your Django application today, or plan to in the future, you need to worry about PCI DSS. Learn what you need to do to make sure your application is PCI DSS compliant, and if it is not, how to bring it into compliance.

Presented at DjangoCon US 2012


Transcript

  1. BUILDING PCI
    COMPLIANT DJANGO
    APPLICATIONS
    Ken Cochrane
    @KenCochrane
    Site Reliability Engineer
    dotCloud.com
    Thursday, September 6, 12

  2. THANK YOU
    http://www.dotcloud.com/jobs/
    We’re hiring!

  3. MY BACKGROUND
    Site Reliability Engineer at dotCloud.com
    Was the director of web and mobile technologies at
    CashStar.com (3.5 years)
    I’m not a certified PCI Expert (QSA)

  4. CASHSTAR.COM
    Electronic Gift Card e-commerce platform built
    with Django
    100+ brands (Home Depot, Best Buy, Starbucks, Staples, etc.)
    Many millions of dollars in credit card transactions
    each year
    Helped get PCI certification (SAQ-D)

  5. QUICK SURVEY

  6. SHOW OF HANDS
    Raise your hand if you:
    Own a credit card?
    Have heard of PCI before?
    Know what PCI is?
    Have a website that accepts credit cards online?
    Know you are PCI compliant?

  7. CREDIT CARD NATION
    1.4B cards in circulation in the USA
    181M (77%) of adults have a credit card
    20B credit card transactions each year
    $1.9T total value (12.9% of GDP)
    source: http://www.indexcreditcards.com (2011 figures)

  8. CREDIT BY BRAND
    39% Visa
    24% MasterCard
    23% American Express
    14% Other
    (pie chart: 2011 share of credit card volume by brand)
    source: http://www.indexcreditcards.com

  9. FRAUD

  10. CREDIT CARD FRAUD
    10% of Americans victims of credit card fraud
    $399 median amount reported
    $5.55 Billion worldwide in credit card fraud.
    http://www.statisticbrain.com/credit-card-fraud-statistics/

  11. HOW?
    Before the internet:
    Dumpster diving (always shred your documents)
    Theft (stolen wallet, B&E)
    With the internet:
    Phishing
    Hacking

  12. HACKED SINCE 2005
    TJ Maxx
    Bank of America
    Citigroup
    BJ’s wholesale club
    Hotels.com
    LexisNexis
    Polo Ralph Lauren
    Wachovia
    Heartland Payment Systems
    Hannaford
    Global Payments
    CardSystems Solutions

  13. WHAT TO DO?

  14. PCI WAS BORN
    2004 - the card brands (Visa, MasterCard, American Express,
    Discover, JCB) folded their separate programs (Visa CISP,
    MasterCard SDP, etc.) into one Payment Card Industry (PCI)
    Data Security Standard; PCI DSS 1.0 was released in December 2004
    June 30, 2005 - first compliance deadline
    2006 - the brands formed the PCI Security Standards Council
    to maintain the standard

  15. WHY WAS PCI CREATED?
    It was created in response to a spike in data security breaches
    It gives merchants a guide to make sure they follow best
    security practices for cardholder data

  16. WHAT IS PCI?

  17. WHAT’S PCI?
    Computer Expansion Slot?
    image source: http://en.wikipedia.org/wiki/File:PCI_Slots_Digon3.JPG

  18. NOT THAT PCI!
    PCI != the computer expansion slot
    image source: http://en.wikipedia.org/wiki/File:PCI_Slots_Digon3.JPG

  19. WHAT IS PCI?
    Information security standard for handling cardholder
    data: the PCI Data Security Standard (PCI DSS)
    12 core requirements and roughly 250 controls
    4 merchant levels, based on transaction volume
    Current version is 2.0
    Not a law: it is enforced through your contracts with the
    card brands and your acquiring bank (fines, higher fees,
    loss of the ability to accept cards)

  20. PCI REQ #1
    Install and maintain a firewall
    configuration to protect data

  21. PCI REQ #2
    Do not use vendor-supplied defaults for system
    passwords and other security parameters

  22. PCI REQ #3
    Protect stored cardholder data

  23. PCI REQ #4
    Encrypt transmission of cardholder data across open,
    public networks (SSL/TLS, VPN, etc.)

  24. PCI REQ #5
    Use and regularly update anti-virus software
    on systems commonly affected by malware

  25. PCI REQ #6
    Develop and maintain secure systems and applications

  26. PCI REQ #7
    Restrict access to cardholder data by
    business need to know

  27. PCI REQ #8
    Assign a unique ID to each person
    with computer access

  28. PCI REQ #9
    Restrict physical access to
    cardholder data

  29. PCI REQ #10
    Track and monitor all access to
    network resources and cardholder
    data

  30. PCI REQ #11
    Regularly test security systems
    and processes

  31. PCI REQ #12
    Maintain a policy that addresses
    information security for all personnel

  32. CERTIFICATION

  33. HOW DOES PCI CERTIFICATION WORK?
    Find out what merchant level you are (transaction volume)
    Find out which Self-Assessment Questionnaire (SAQ) applies
    to you and fill it out
    Make sure you meet every requirement for that SAQ and level
    Fix any issues
    Sign an Attestation of Compliance (if self-assessing; Level 1
    merchants get an on-site assessment by a QSA instead)

  34. SELF-ASSESSMENT QUESTIONNAIRE (SAQ)
    A questionnaire with lots of questions about your
    payment system
    Comes in several versions (A, B, C, C-VT, D); which one
    applies depends on how you accept and handle card data
    Every merchant below Level 1 fills one out (Level 1 merchants
    get an on-site assessment and a Report on Compliance instead)
    Filled out yearly
    They range from very easy to very hard, depending on how
    much cardholder data you have access to

  35. SAQ-A
    Card-not-present (e-commerce or mail/telephone order)
    merchants who have outsourced all processing, transmission
    and storage of cardholder data; nothing is stored
    electronically on your own systems

  36. SAQ-B
    Merchants who process cardholder data via imprint
    machines or stand-alone dial-out terminals only;
    no electronic cardholder data storage

  37. SAQ-C
    Merchants whose payment application systems are
    connected to the internet; no electronic cardholder
    data storage

  38. SAQ-D
    All other merchants (anyone who stores, processes or
    transmits cardholder data on their own systems)

  39. SAQ-A VS SAQ-D
                                          SAQ-A           SAQ-D
    Time to become PCI compliant          about 5 days    6-18 months
    PCI DSS controls to meet              fewer than 20   over 200
    Assessment costs to determine scope   $0              $44k - $125k*
    Hardware/software upgrades            $0              $81k - $568k*
    Ongoing expenses                      fixed           variable
    source: https://www.braintreepayments.com/tour/pci-compliance
    * Gartner estimates, merchant levels 1-3


  40. 4 LEVELS OF PCI
    Level   Description
    1       6M+ Visa transactions per year
    2       1M to 6M Visa transactions per year
    3       20K to 1M Visa e-commerce transactions per year
    4       everyone else (fewer than 20K e-commerce transactions,
            and up to 1M Visa transactions in total)
    Each card brand sets its own thresholds; the Visa ones above
    are the ones most merchants go by


  41. PCI COST BY LEVEL
    Level   # of trans   Scoping cost   Compliance cost   Audit type
    1       6M+          $125K          $586K             on-site (QSA)
    2       1M-6M        $105K          $267K             SAQ
    3       20K-1M       $44K           $81K              SAQ
    4       < 20K        ?              ?                 SAQ
    ("scoping" = assessment to determine what is in scope;
    "compliance" = hardware/software/process changes to get there)
    http://blog.elementps.com/element_payment_solutions/2009/02/pci-compliance-costs.html
    http://www.networkworld.com/news/2010/030110-pci-compliance-audit-cost.html


  42. EXTERNAL AUDITS
    Need to hire a Qualified Security Assessor (QSA)
    Lasts a few weeks or more, on site
    Low end $20K-$30K
    $225K a year on average
    10% pay over $500K
    Source: http://www.networkworld.com/news/2010/030110-pci-compliance-audit-cost.html


  43. PCI 2.0
    Took full effect Jan 1st, 2012
    132 changes: 2 new requirements, the rest are clarifications
    or additional guidance
    Added guidance on virtualization and how it affects PCI scope
    Amazon Web Services is now validated as a PCI DSS Level 1
    service provider (your application on top of it still has to
    be compliant on its own)


  44. CREDIT CARD DATA
    Credit card information that can be stored
    Data element                        Storage permitted   Protection required
    Cardholder data
      Account number (PAN)              Y                   Y (must be rendered unreadable wherever it is stored)
      Cardholder name                   Y                   Y
      Expiration date                   Y                   Y
      Service code                      Y                   Y
    Sensitive authentication data
      Full magnetic stripe / track data N                   n/a (never stored after authorization)
      CVV / CVC / CID                   N                   n/a
      PIN / PIN block                   N                   n/a
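
    To make the table concrete, here is an added example (written for this page; not code from the talk or from any project) of the only record a Django view should build from a submitted payment form before anything is persisted. The form field names (pan, cvv, track_data, ...) and the sample form are assumptions, and the card number in it is the well-known Visa test number, not real data. Everything in the sensitive-authentication-data half of the table is dropped, and the PAN is truncated to first six plus last four, the most PCI DSS lets you keep in the clear; if you need to charge the card again, keep the gateway's token (slide 61) rather than the PAN.

```python
import re

# Elements PCI DSS lets a merchant store (with protection), and the sensitive
# authentication data that must never be stored after authorization.
# Field names are assumptions for this example.
STORABLE = {"pan", "cardholder_name", "expiry", "service_code"}
NEVER_STORE = {"cvv", "track_data", "pin"}


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check: catches typos and random digit strings, not fraud."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def normalize_pan(raw: str):
    """Strip spaces/dashes; return the digits if they look like a PAN, else None."""
    pan = re.sub(r"[ -]", "", raw or "")
    if 13 <= len(pan) <= 19 and pan.isdigit() and luhn_ok(pan):
        return pan
    return None


def truncate_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (PCI DSS 3.3/3.4 truncation)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def sanitize_for_storage(form: dict) -> dict:
    """Build the only record you may keep locally from a submitted payment form.

    CVV, track data and PIN are dropped (never stored after authorization),
    unknown keys are dropped too, and the full PAN is replaced by its
    truncated form. Charging the card again later needs a gateway token.
    """
    pan = normalize_pan(form.get("pan", ""))
    if pan is None:
        raise ValueError("invalid card number")
    record = {k: v for k, v in form.items() if k in STORABLE}
    record["pan"] = truncate_pan(pan)
    assert not NEVER_STORE & set(record)    # belt and braces
    return record


# Constructed sample form; 4111 1111 1111 1111 is the standard Visa test number.
SAMPLE_FORM = {
    "pan": "4111 1111 1111 1111",
    "cardholder_name": "Jane Doe",
    "expiry": "12/15",
    "cvv": "123",
    "track_data": "<swiped track 1 data would be here>",
}
```

    Run sanitize_for_storage() on the cleaned form data in the view, before the ORM or any logger sees it; the truncated PAN is fine for receipts and "card ending in 1111" displays, and nothing else about the card survives on your side.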

  45. WHAT IF HACKED?
    You could be banned from accepting credit cards.
    Loss of reputation and customers
    Fines up to $500,000 per incident.
    Litigation

  46. PCI BOILED DOWN

  47. SUMMARY #1
    All merchants, regardless of whether card data is
    stored, must achieve and maintain compliance at all times.


  48. SUMMARY #2
    Merchants cannot store certain card data after
    authorization: CVV/CVC, full track (magnetic stripe)
    data, or PIN data


  49. SUMMARY #3
    If you store permitted credit card data,
    you need to store it in a secure way
    following the PCI security standards.

  50. COMMON REASONS WHY
    COMPANIES ARE NOT
    PCI COMPLIANT

  51. COMMON MISTAKES
    Storing credit card information in plain text
    Default passwords not changed
    Poorly coded websites resulting in SQL injection
    and other vulnerabilities
    Lack of monitoring and logging

  52. COMMON MISTAKES 2
    Not using SSL for the payment page (or for the rest of the site)
    Logging payment data to log files or error reports, especially
    when something goes wrong (Django's debug error emails include
    POST data and local variables)
    Missing security patches


  53. PEOPLE DON’T KNOW
    PCI rules are complex
    PCI rules change often
    PCI is boring
    Training and information is not readily available

  54. PEOPLE ARE LAZY
    They have systems working fine today, and they
    don’t want to change them
    They don’t want to take time to learn PCI rules
    They cut corners to save time and money

  55. PEOPLE ARE CHEAP
    Changing “stuff” costs money
    Adding more processes and services costs money
    Doing things right takes more time, which in turn
    costs more money

  56. PEOPLE ARE COCKY
    It won’t happen to me, why would someone hack
    me?
    My code is the best that is ever written

  57. PEOPLE ARE DUMB
    Some people write really bad code and don't even know it
    People are tweeting pictures of their credit cards
    https://twitter.com/needadebitcard


  58. DJANGO PAYMENT APP
    REVIEW

  59. DJANGO PAYMENTS
    TALK
    Joe Jasinski
    http://www.djangocon.us/schedule/presentations/60/

  60. PAYMENT TYPES
    3rd party (PayPal, Google Checkout, etc.)
    Hosted payment page
    Transparent redirect
    Client-side encryption
    Self-serve payment page
    Recurring payments (subscriptions, on demand, etc.)


  61. TOKENIZATION
    If you need to store credit card information, use a
    tokenization service instead of storing it yourself
    You store the credit card information in their system.
    They give you a unique token that you use for all
    future transactions against that credit card.
    Most payment processors support this.

  62. THIRD PARTY PAYMENT
    Customers leave your site to pay
    You don't touch any credit card data
    PayPal, Google Checkout, Amazon Payments
    Risk: None   SAQ: A   Effort: Low


  63. THIRD PARTY PAYMENT
    Source: http://help.yahoo.com/l/us/yahoo/smallbusiness/store/order/paypal/paypal-31.html

  64. HOSTED PAYMENT PAGE
    The actual payment page is hosted by the processor
    Usually embedded in your page with an iframe
    Can't usually customize the page, limited features
    You see no credit card data
    Risk: None   SAQ: A   Effort: Low


  65. TRANSPARENT REDIRECT
    Source: https://samurai.feefighters.com/transparent-redirect

  66. TRANSPARENT REDIRECT
    You host the payment page
    When the form is submitted, the browser POSTs it straight to
    the gateway, not to you. The gateway takes the card data,
    stores it and issues a token
    Then it redirects back to you with the token, minus the card data
    Authorize.net, Braintree Payments, Fee Fighters
    Risk: Low   SAQ: A   Effort: Medium


  67. CLIENT-SIDE ENCRYPTION
    You include the gateway's JavaScript on your payment page
    The JS encrypts (or tokenizes) the sensitive fields in the
    browser before the form reaches you
    You receive only ciphertext or a token and pass it on to the
    payment gateway, which holds the key
    Braintree, Stripe, Fee Fighters
    Risk: Low   SAQ: A   Effort: Medium


  68. SELF-SERVE PAYMENTS
    You host the payment page
    When the form is submitted the card data is sent to you and
    lives in memory on your server
    You pass it along to the payment gateway
    Most common and very flexible: you can do whatever you want
    on the payment page
    But every system that touches the request is now in scope
    Risk: High   SAQ: D   Effort: High


  69. SELF-SERVE PAYMENTS
    Source: http://www.braintreepayments.com/services/pci-compliance

  70. RECURRING PAYMENTS
    Someone signs up for your service, gives you their card
    once, and you charge them on a set schedule
    How do you store the card for future payments? (a gateway token)
    What if the card expires or becomes inactive?
    Recurly, Stripe, Braintree, PayPal, etc.
    Risk: Low   SAQ: A   Effort: Medium


  71. EDGE TOKENIZATION
    The card data is removed and replaced with a token by a
    proxy on the way to your server
    Fairly new, expensive, limited gateway support
    Good if you need to handle payments over an API
    Akamai
    Risk: Low   SAQ: A   Effort: High


  72. COMPARISON
                      Risk   Effort   SAQ   Customization
    3rd party         None   Low      A     Bad
    Hosted page       Low    Low      A     Bad
    Trans. redirect   Low    Medium   A     Good
    JS encryption     Low    Medium   A     Good
    Self hosted       High   High     D     Great
    Recurring         Low    Medium   A     Good
    Edge token.       Low    High     A     Good
    (Note: PCI DSS 3.0, released in late 2013, added SAQ A-EP for
    e-commerce merchants whose own website affects the security of
    the payment transaction, which covers the transparent redirect
    and JavaScript encryption rows; check the current SAQ guidance
    rather than relying on this 2012 table.)


  73. SAQ-A VS SAQ-D
    (repeat of the SAQ-A vs SAQ-D comparison from slide 39)


  74. TIPS
    &
    RECOMMENDATIONS

  75. GENERAL
    RECOMMENDATIONS
    Don’t let credit card data touch your systems
    Use a payment system that handles all credit card
    data for you.
    Use payment tokens whenever possible
    Don’t store any sensitive data

  76. NEVER EVER
    Store credit card information in the database
    Even if it is encrypted
    Not worth the hassle, risk, and cost of the external
    audit.

  77. SAQ-A VS SAQ-D
    (repeat of the SAQ-A vs SAQ-D comparison from slide 39)


  78. AVOID DB ENCRYPTION
    Where do you encrypt? (column, whole database, file system)
    Slows down transactions
    Makes things more complicated
    You now have to manage, protect and rotate the keys, and the
    encrypted data is still in scope


  79. DJANGO TIPS
    django-secure and django-axes
    Use SSL everywhere, not just on the payment page
    Secure cookies (SESSION_COOKIE_SECURE, CSRF_COOKIE_SECURE, HttpOnly)
    XSS protection (escape output, keep template autoescaping on)
    Change the Django admin URL (/_the_admin_/ instead of /admin/)
    Don't log sensitive data from forms
    Turn autocomplete off on payment form fields (autocomplete="off")


  80. DJANGO-SECURE
    Written by Carl Meyer
    "Helping you remember to do the stupid little things
    to improve your Django site's security."
    Checks your settings to make sure they are all set correctly
    Provides some utilities (SSL redirect, HSTS, frame-deny
    middleware) to make your project safer
    http://django-secure.readthedocs.org
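
    As an added illustration of what a settings check like django-secure's checksecure command does (this is example code written for this page, not django-secure's implementation), the function below audits a plain dict of Django settings so it runs without Django installed. The setting names are the real Django and django-secure names of the Django 1.4 era; the two sample settings dicts are constructed.

```python
# Settings that must be True on a site that takes payments, with the
# consequence of leaving each one off. The names are Django / django-secure
# settings; the check logic is this page's example, not django-secure's.
MUST_BE_TRUE = {
    "SESSION_COOKIE_SECURE": "session cookie is also sent over plain HTTP",
    "SESSION_COOKIE_HTTPONLY": "session cookie is readable from JavaScript (XSS)",
    "CSRF_COOKIE_SECURE": "CSRF cookie is also sent over plain HTTP",
    "SECURE_SSL_REDIRECT": "plain-HTTP requests are served instead of redirected to HTTPS",
    "SECURE_FRAME_DENY": "pages can be framed (clickjacking of the payment form)",
    "SECURE_CONTENT_TYPE_NOSNIFF": "browsers may sniff content types",
    "SECURE_BROWSER_XSS_FILTER": "browser XSS filter is not requested",
}
SECURITY_MIDDLEWARE = "djangosecure.middleware.SecurityMiddleware"


def check_settings(settings: dict) -> list:
    """Return a list of findings; an empty list means nothing obviously wrong."""
    findings = []
    if settings.get("DEBUG", False):
        findings.append("DEBUG is True: error pages expose settings, local variables and POST data")
    for name, consequence in MUST_BE_TRUE.items():
        if settings.get(name) is not True:
            findings.append(f"{name} is not True: {consequence}")
    if int(settings.get("SECURE_HSTS_SECONDS", 0)) <= 0:
        findings.append("SECURE_HSTS_SECONDS is 0: no Strict-Transport-Security header")
    if SECURITY_MIDDLEWARE not in settings.get("MIDDLEWARE_CLASSES", ()):
        findings.append(f"{SECURITY_MIDDLEWARE} is not installed: the SECURE_* settings have no effect")
    return findings


# Constructed examples: a typical development settings file, and a hardened one.
INSECURE_SETTINGS = {
    "DEBUG": True,
    "MIDDLEWARE_CLASSES": ("django.middleware.common.CommonMiddleware",),
}
HARDENED_SETTINGS = {
    "DEBUG": False,
    "SESSION_COOKIE_SECURE": True,
    "SESSION_COOKIE_HTTPONLY": True,
    "CSRF_COOKIE_SECURE": True,
    "SECURE_SSL_REDIRECT": True,
    "SECURE_FRAME_DENY": True,
    "SECURE_CONTENT_TYPE_NOSNIFF": True,
    "SECURE_BROWSER_XSS_FILTER": True,
    "SECURE_HSTS_SECONDS": 31536000,
    "MIDDLEWARE_CLASSES": (SECURITY_MIDDLEWARE, "django.middleware.common.CommonMiddleware"),
}
```

    Run it from a management command or a deploy-time test so a bad settings file fails the build. The middleware check matters: the SECURE_* settings do nothing unless the middleware that reads them is installed.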

  81. DJANGO-AXES
    Logs login attempts to your Django app
    Locks out brute-force attempts after a set number of
    login failures
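
    To show the mechanism django-axes provides, here is an added example (this page's own code, not django-axes) of a failed-login tracker: it locks a (username, client IP) pair after a set number of failures and keeps an audit record of every attempt. The defaults follow PCI DSS 2.0 requirements 8.5.13 and 8.5.14 (lock out after at most six attempts, for at least 30 minutes). The clock is injectable so the lockout expiry can be exercised without waiting; the usernames and IP addresses in the demo are constructed.

```python
import time


class LoginThrottle:
    """Lock a (username, client IP) pair after repeated failed logins.

    Defaults follow PCI DSS 2.0 req. 8.5.13/8.5.14: at most six attempts,
    then a lockout of at least 30 minutes. Every attempt is recorded
    (req. 10 wants an audit trail of authentication events).
    """

    def __init__(self, max_failures=6, cooloff_seconds=30 * 60, clock=time.time):
        self.max_failures = max_failures
        self.cooloff = cooloff_seconds
        self.clock = clock                 # injectable for tests
        self.failures = {}                 # key -> consecutive failures
        self.locked_until = {}             # key -> unix time the lock expires
        self.audit_log = []

    @staticmethod
    def _key(username, ip):
        # Keying on the pair (not the username alone) stops an attacker from
        # locking a real user out just by failing on their name from elsewhere.
        return (username.lower(), ip)

    def is_locked(self, username, ip):
        key = self._key(username, ip)
        until = self.locked_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:          # cool-off elapsed: reset
            del self.locked_until[key]
            self.failures.pop(key, None)
            return False
        return True

    def attempt(self, username, ip, verify):
        """Record one login attempt; returns 'ok', 'denied' or 'locked'.

        `verify` is a callable that checks the password. It is only called
        when the key is not locked, so a locked account leaks nothing about
        whether the password was right.
        """
        key = self._key(username, ip)
        if self.is_locked(username, ip):
            outcome = "locked"
        elif verify():
            self.failures.pop(key, None)
            outcome = "ok"
        else:
            self.failures[key] = self.failures.get(key, 0) + 1
            if self.failures[key] >= self.max_failures:
                self.locked_until[key] = self.clock() + self.cooloff
                outcome = "locked"
            else:
                outcome = "denied"
        self.audit_log.append((self.clock(), username, ip, outcome))
        return outcome


def demo():
    """Brute-force walk-through with a fake clock; returns (outcomes, audit entries)."""
    now = [1000.0]
    throttle = LoginThrottle(clock=lambda: now[0])
    attacker, victim = "203.0.113.7", "198.51.100.2"      # RFC 5737 test addresses
    outcomes = [throttle.attempt("alice", attacker, lambda: False) for _ in range(6)]
    outcomes.append(throttle.attempt("alice", attacker, lambda: True))   # right password, still locked
    outcomes.append(throttle.attempt("alice", victim, lambda: True))     # real user elsewhere: unaffected
    now[0] += 30 * 60                                                    # lock expires
    outcomes.append(throttle.attempt("alice", attacker, lambda: True))
    return outcomes, len(throttle.audit_log)
```

    In a Django view the `verify` callable would wrap authenticate(); the audit log should go to the same tamper-evident store as the rest of your Requirement 10 logging, not just to the console.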

  82. ERROR LOGS
    If you are not careful, sensitive data leaks into logs and
    error emails: Django's debug error report includes local
    variables and POST data
    If a view handles sensitive data, mark it with the decorators
    Django provides (new in Django 1.4):
    @sensitive_variables()
    @sensitive_post_parameters()
    (with no arguments they filter everything; pass names to filter
    only those variables or POST fields)
    They filter only the error report, not your own logging calls
    https://docs.djangoproject.com/en/dev/howto/error-reporting/#filtering-sensitive-information
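
    Django's decorators only filter the debug page and the error-report emails; they do nothing for the logger.info() calls in your own code, which is where the "logging payment information" mistake from slide 52 usually happens. The following is an added example (not Django's or the author's code) of a logging filter that redacts anything that looks like a card number or a CVV from every record before a handler writes it. The regex and the key names it recognises are assumptions; the sample log lines are constructed, and 4111... is the Visa test number.

```python
import io
import logging
import re

# 13-19 digits, optionally separated by single spaces or dashes, not embedded
# in a longer digit run. Deliberately broad: over-redacting a long order number
# is cheap, leaking a PAN into a log file is not.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# key=value / key: value pairs carrying sensitive authentication data.
SENSITIVE_KV_RE = re.compile(r"\b(cvv2?|cvc2?|cid|pin)\b\s*[:=]\s*\S+", re.IGNORECASE)


def _mask_pan(match) -> str:
    digits = re.sub(r"[ -]", "", match.group(0))
    return "*" * (len(digits) - 4) + digits[-4:]   # last four only


def scrub(text: str) -> str:
    """Redact card numbers and CVV/PIN values from a string."""
    text = PAN_RE.sub(_mask_pan, text)
    return SENSITIVE_KV_RE.sub(r"\1=[FILTERED]", text)


class CardDataFilter(logging.Filter):
    """Scrub every record before any handler formats it.

    The message is rendered first so %-style arguments are covered too.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = scrub(record.getMessage())
        record.args = ()
        return True


def capture(message: str, *args) -> str:
    """Log one message through the filter and return what reached the handler."""
    buf = io.StringIO()
    logger = logging.getLogger("payments.example")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(CardDataFilter())
    logger.addHandler(handler)
    try:
        logger.info(message, *args)
    finally:
        logger.removeHandler(handler)
    return buf.getvalue().rstrip("\n")


# Constructed log lines; 4111 1111 1111 1111 is the Visa test number.
SAMPLE_LINES = [
    "charge declined for card 4111-1111-1111-1111 exp 12/15 cvv: 123 user=bob",
    "order 20120906001 paid with token tok_a1b2c3",
]
```

    Attach the filter to every handler in LOGGING (including the mail_admins handler), and treat it as a safety net: the real fix is still not passing card data to the logger in the first place.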

  83. DJANGO APP REVIEW

  84. DJANGO PAYMENT
    PROJECTS
    Satchmo
    Lightning fast shop
    Mezzanine/Cartridge
    Django-shop
    Django-Oscar
    Django-Merchant

  85. SATCHMO
    SatchmoProject.com
    Most popular Django e-commerce solution, been around
    for a long time
    Lots of great features and documentation
    SAQ-D if you use anything other than PayPal or
    Google Checkout
    http://www.satchmoproject.com/docs/dev/deploying.html


  86. LIGHTNING FAST SHOP
    http://getLFS.com
    New kid on the block, lots of great features, with
    frequent releases
    Taking credit cards directly means SAQ-D


  87. MEZZANINE / CARTRIDGE
    http://mezzanine.jupo.org
    Mezzanine is a powerful, consistent, and flexible
    content management platform
    Cartridge is the shopping cart module.
    Direct access to credit card data in payment form.
    SAQ-D out of the box.

  88. DJANGO-SHOP
    From the folks who brought you django-cms
    Out of the box it has no credit card payment support;
    you have to add your own
    Looks like it is still early in development
    SAQ-A out of the box (it handles no card data until you
    add a payment backend)


  89. DJANGO-OSCAR
    http://OscarCommerce.com
    Lots of integrations (SAP, Google eBookstore, etc.)
    Extensions (PayPal, GoCardless, DataCash, etc.)
    Has access to credit card data in the payment form:
    SAQ-D out of the box


  90. DJANGO-MERCHANT
    Gateway support: Authorize.net, PayPal, eWAY, Braintree,
    Stripe, Fee Fighters
    Support for off-site processing: PayPal, RBS WorldPay,
    Google Checkout, Amazon FPS, Braintree (transparent
    redirect), Stripe.js, Samurai, eWAY
    SAQ-A options out of the box


  91. COMPARE PAYMENT APPS
    Project                 Version   SAQ
    Satchmo                 0.9-1     D
    Lightning Fast Shop     0.7.6     D
    Mezzanine / Cartridge   0.6.0     D
    Django-shop             0.0.13    A
    Django-Oscar            0.4       D
    Django-Merchant         0.05      A


  92. PCI IN THE CLOUD
    Need to find a PCI compliant cloud provider
    AWS - Yes, Rackspace Cloud Sites - No [1][2]
    The provider's compliance covers their layer only; your
    application, OS and configuration are still your problem
    Use an off-site payment processor
    Encrypt everything in transit, including internal hops
    (load balancer to app server, app server to DB)
    Set up regular security scans (PCI requires quarterly
    external scans by an Approved Scanning Vendor; monthly is better)
    Might require an Intrusion Detection System (IDS)
    [1] http://www.rackspace.com/knowledge_center/article/how-to-utilize-cloud-sites-in-an-e-commerce-solution
    [2] http://www.rackspace.com/knowledge_center/article/pci-frequently-asked-questions#cloudsites


  93. PCI CLOUD RESOURCES
    http://bit.ly/Qxvb2n - RightScale: PCI
    Compliance in the public IaaS cloud
    http://www.cloudpassage.com - 3rd party
    hosted cloud security
    http://AlertLogic.com : AWS cloud security

  94. INTRUSION DETECTION SYSTEM
    Hardware and software versions available
    Network or host based
    Software: Snort, Samhain, Tripwire, etc.
    Appliance or managed service: Alert Logic, Cisco, etc.


  95. SECURITY SCANNERS
    Application
    Server
    Network Vulnerability Scans

  96. VULNERABILITY
    SCANNERS
    Cross-site scripting
    SQL injection
    Remote file inclusion
    Known application, server, and network
    vulnerabilities
    Much more.

  97. OTHER THINGS TO CONSIDER
    Payments over the phone (call centers)
    Payments via fax
    Payments via mail
    All of these put card data, and the people and systems that
    handle it, in scope even if your web checkout is outsourced


  98. ORIGINAL BLOG POST
    http://kencochrane.net/blog/2012/01/developers-guide-to-pci-compliant-web-applications/


  99. QUESTIONS?

  100. THANK YOU
    Ken Cochrane
    [email protected]
    @KenCochrane