Slide 1

BUILDING PCI COMPLIANT DJANGO APPLICATIONS
Ken Cochrane, @KenCochrane
Site Reliability Engineer, dotCloud.com
Thursday, September 6, 12

Slide 2

THANK YOU
http://www.dotcloud.com/jobs/
We’re hiring!

Slide 3

MY BACKGROUND
- Site Reliability Engineer at dotCloud.com
- Was the director of web and mobile technologies at CashStar.com (3.5 years)
- I’m not a certified PCI expert (QSA)

Slide 4

CASHSTAR.COM
- Electronic gift card e-commerce platform built with Django
- 100+ brands, including Home Depot, BestBuy, Starbucks, Staples, etc.
- Many millions of dollars in credit card transactions each year
- Helped get PCI certification (SAQ-D)

Slide 5

QUICK SURVEY

Slide 6

SHOW OF HANDS
Raise your hand if you:
- Own a credit card?
- Have heard of PCI before?
- Know what PCI is?
- Have a website that accepts credit cards online?
- Know you are PCI compliant?

Slide 7

CREDIT CARD NATION
- 1.4B cards in circulation in the USA
- 181M (77%) of adults have a credit card
- 20B credit card transactions each year
- $1.9T total value (12.9% of GDP)
source: http://www.indexcreditcards.com (2011)

Slide 8

CREDIT BY BRAND (2011)
- 39% Visa
- 24% MasterCard
- 23% American Express
- 14% Other
source: http://www.indexcreditcards.com

Slide 9

FRAUD

Slide 10

CREDIT CARD FRAUD
- 10% of Americans have been victims of credit card fraud
- $399 median amount reported
- $5.55 billion worldwide in credit card fraud
source: http://www.statisticbrain.com/credit-card-fraud-statistics/

Slide 11

HOW?
Before the internet:
- Dumpster diving (always shred your documents)
- Theft (stolen wallet, B&E)
With the internet:
- Phishing
- Hacking

Slide 12

HACKED SINCE 2005
- TJ Maxx
- Bank of America
- Citigroup
- BJ’s Wholesale Club
- Hotels.com
- LexisNexis
- Polo Ralph Lauren
- Wachovia
- Heartland Payment Systems
- Hannaford
- Global Payments
- CardSystems Solutions

Slide 13

WHAT TO DO?

Slide 14

PCI WAS BORN
- 2004 - MasterCard created the Payment Card Industry (PCI) Data Security Standards
- Visa, American Express, Discover, and JCB decided to drop their own efforts and join MasterCard
- June 30, 2005 - PCI 1.0 took effect

Slide 15

WHY WAS PCI CREATED?
It was created in response to a spike in data security breaches. It gives merchants a guide to help them make sure they are following security best practices when it comes to cardholder data.

Slide 16

WHAT IS PCI?

Slide 17

WHAT’S PCI?
Computer expansion slot?
image source: http://en.wikipedia.org/wiki/File:PCI_Slots_Digon3.JPG

Slide 18

NOT THAT PCI!
PCI != computer expansion slot
image source: http://en.wikipedia.org/wiki/File:PCI_Slots_Digon3.JPG

Slide 19

WHAT IS PCI?
- Information security standard for handling cardholder information (PCI DSS)
- 12 core requirements and roughly 250 controls
- 4 certification levels
- Current version is 2.0
- Not a law

Slide 20

PCI REQ #1
Install and maintain a firewall configuration to protect data

Slide 21

PCI REQ #2
Do not use default passwords

Slide 22

PCI REQ #3
Protect stored data

Slide 23

PCI REQ #4
Encrypt transmission of cardholder data across public networks (SSL, VPN, etc.)

Slide 24

PCI REQ #5
Use and regularly update anti-virus software

Slide 25

PCI REQ #6
Develop and maintain secure systems and applications

Slide 26

PCI REQ #7
Restrict access to data by business need to know

Slide 27

PCI REQ #8
Assign a unique ID to each person with computer access

Slide 28

PCI REQ #9
Restrict physical access to cardholder data

Slide 29

PCI REQ #10
Track and monitor all access to network resources and cardholder data

Slide 30

PCI REQ #11
Regularly test security systems and processes

Slide 31

PCI REQ #12
Maintain a policy that addresses information security

Slide 32

CERTIFICATION

Slide 33

HOW DOES PCI CERTIFICATION WORK?
- Find out which Self-Assessment Questionnaire (SAQ) you need and fill it out
- Find out what level you are
- Make sure you follow all recommendations for that SAQ and level
- Fix any issues
- Attestation of Compliance (if self-assessing)

Slide 34

SELF-ASSESSMENT QUESTIONNAIRE (SAQ)
- A questionnaire with lots of questions about your payment system
- Four levels (A, B, C, D); the level is based on certain criteria
- Everyone is required to fill one out for PCI compliance
- Filled out yearly
- They can be very easy or very hard, depending on how much cardholder data you have access to

Slide 35

SAQ-A
Merchants who have outsourced all processing, transmission and storage of credit card data

Slide 36

SAQ-B
Merchants who process cardholder data via imprint machines or stand-alone dial-up terminals only

Slide 37

SAQ-C
Merchants whose payment application systems are connected to the internet

Slide 38

SAQ-D
All other merchants

Slide 39

SAQ-A VS SAQ-D
                                       SAQ-A          SAQ-D
Time to become PCI compliant           about 5 days   6-18 months
PCI DSS controls to meet               less than 20   over 200
Assessment costs to determine scope    $0             $44k - $125k*
Hardware/software upgrades             $0             $81k - $568k*
Ongoing expenses                       fixed          variable
source: https://www.braintreepayments.com/tour/pci-compliance
* Gartner estimates, merchant Levels 1-3

Slide 40

4 LEVELS OF PCI
Level  Description
1      6M+ Visa transactions per year
2      1M to 6M Visa transactions per year
3      20K to 1M Visa transactions per year
4      Everyone else

Slide 41

PCI COST BY LEVEL
Level  # of trans  Scope  Compliance  Audit type
1      6M+         $125K  $586K       onsite
2      1M-6M       $105K  $267K       SAQ
3      20K-1M      $44K   $81K        SAQ
4      < 20K       ?      ?           SAQ
http://blog.elementps.com/element_payment_solutions/2009/02/pci-compliance-costs.html
http://www.networkworld.com/news/2010/030110-pci-compliance-audit-cost.html

Slide 42

EXTERNAL AUDITS
- Need to hire a Qualified Security Assessor (QSA)
- Lasts a few weeks or more on site
- Low end: $20K-$30K
- $225K a year on average
- 10% paying over $500K
Source: http://www.networkworld.com/news/2010/030110-pci-compliance-audit-cost.html

Slide 43

PCI 2.0
- Took full effect Jan 1st, 2012
- 132 changes: 2 new ones, the rest are clarifications or additional guidelines
- Added more guidelines around virtualization and how it affects PCI
- Amazon Web Services is now Level 1 PCI compliant

Slide 44

CREDIT CARD DATA
Credit card information that can be stored:
Data element          Storage permitted  Protection required
Cardholder data
  Account number      Y                  Y
  Cardholder name     Y                  Y
  Expiration date     Y                  Y
  Service code        Y                  Y
Authentication data
  Magnetic strip      N                  n/a
  CVV                 N                  n/a
  PIN data            N                  n/a

Slide 45

WHAT IF HACKED?
- You could be banned from accepting credit cards
- Loss of reputation and customers
- Fines up to $500,000 per incident
- Litigation

Slide 46

PCI BOILED DOWN

Slide 47

SUMMARY #1
All merchants, regardless of whether credit card data is stored, must achieve and maintain compliance at all times.

Slide 48

SUMMARY #2
Merchants cannot store certain credit card information, including CVV, track data, magnetic strip or PIN data.

Slide 49

SUMMARY #3
If you store permitted credit card data, you need to store it in a secure way following the PCI security standards.

Slide 50

COMMON REASONS WHY COMPANIES ARE NOT PCI COMPLIANT

Slide 51

COMMON MISTAKES
- Storing credit card information in plain text
- Default passwords not changed
- Poorly coded websites resulting in SQL injection and other vulnerabilities
- Lack of monitoring and logging

Slide 52

COMMON MISTAKES 2
- Not using SSL for the payment page
- Logging payment information into log files, especially when there is an error (Django error emails)
- Missing security patches

Slide 53

PEOPLE DON’T KNOW
- PCI rules are complex
- PCI rules change often
- PCI is boring
- Training and information are not readily available

Slide 54

PEOPLE ARE LAZY
- They have systems working fine today, and they don’t want to change them
- They don’t want to take time to learn PCI rules
- They cut corners to save time and money

Slide 55

PEOPLE ARE CHEAP
- Changing “stuff” costs money
- Adding more processes and services costs money
- Doing things right takes more time, which in turn costs more money

Slide 56

PEOPLE ARE COCKY
- It won’t happen to me, why would someone hack me?
- My code is the best that was ever written

Slide 57

PEOPLE ARE DUMB
- Some people write really bad code and don’t even know it
- People are tweeting pictures of their credit cards: https://twitter.com/needadebitcard

Slide 58

DJANGO PAYMENT APP REVIEW

Slide 59

DJANGO PAYMENTS TALK
Joe Jasinski
http://www.djangocon.us/schedule/presentations/60/

Slide 60

PAYMENT TYPES
- 3rd party (Paypal, Google Checkout, etc.)
- Hosted payment page
- Transparent redirect
- Client-side encryption
- Self-serve payment page
- Recurring payments (subscriptions, on demand, etc.)

Slide 61

TOKENIZATION
- If you need to store credit card information, use a tokenization service instead of storing it yourself
- You store the credit card information in their system
- They give you a unique token that you use for all future transactions against that credit card
- Most payment processors support this

Slide 62

THIRD PARTY PAYMENT
- Customers leave your site to pay
- You don’t touch any credit card data
- Paypal, Google Checkout, Amazon Payments
Risk: None   SAQ: A   Effort: Low

Slide 63

THIRD PARTY PAYMENT
Source: http://help.yahoo.com/l/us/yahoo/smallbusiness/store/order/paypal/paypal-31.html

Slide 64

HOSTED PAYMENT PAGE
- The actual payment page is hosted somewhere else
- Usually done with an iFrame
- Can’t usually customize the page; limited features
- You see no credit card data
Risk: None   SAQ: A   Effort: Low

Slide 65

TRANSPARENT REDIRECT
Source: https://samurai.feefighters.com/transparent-redirect

Slide 66

TRANSPARENT REDIRECT
- You host the payment page
- When the form is submitted, the page POSTs to someone else
- They take the credit card data, remove it, and add a token
- Then they post back to you, minus the credit card data
- Authorize.net, Braintree Payments, Fee Fighters
Risk: Low   SAQ: A   Effort: Medium

Slide 67

CLIENT-SIDE ENCRYPTION
- You install JavaScript on your payment page
- The JS will encrypt and remove the sensitive data in the browser before sending it to you
- You get the data and pass it on to the payment gateway
- Braintree, Stripe, Fee Fighters
Risk: Low   SAQ: A   Effort: Medium

Slide 68

SELF-SERVE PAYMENTS
- You host the payment page
- When the form is submitted, credit card data is sent to you and lives in memory on your server
- You pass it along to the payment gateway
- Most common, very flexible: you can do whatever you want on the payment page
Risk: High   SAQ: D   Effort: High

Slide 69

SELF-SERVE PAYMENTS
Source: http://www.braintreepayments.com/services/pci-compliance

Slide 70

RECURRING PAYMENTS
- Someone signs up for your service, gives you their credit card once, and you charge them on a set schedule
- How to store the credit card info for future payments?
- What if the credit card expires or becomes inactive?
- Recurly, Stripe, Braintree, Paypal, etc.
Risk: Low   SAQ: A   Effort: Medium

Slide 71

EDGE TOKENIZATION
- The credit card data is removed and replaced with a token on a proxy server on the way to your server
- Fairly new, expensive, limited gateway support
- Good if you need to handle payments over an API
- Akamai
Risk: Low   SAQ: A   Effort: High

Slide 72

COMPARISON
                   Risk   Effort  SAQ  Customization
3rd Party          None   Low     A    Bad
Hosted             Low    Low     A    Bad
Trans. Redirect    Low    Medium  A    Good
JS encryption      Low    Medium  A    Good
Self Hosted        High   High    D    Great
Recurring          Low    Medium  A    Good
Edge Token.        Low    High    A    Good

Slide 73

SAQ-A VS SAQ-D (same table as slide 39)

Slide 74

TIPS & RECOMMENDATIONS

Slide 75

GENERAL RECOMMENDATIONS
- Don’t let credit card data touch your systems
- Use a payment system that handles all credit card data for you
- Use payment tokens whenever possible
- Don’t store any sensitive data

Slide 76

NEVER EVER
- Store credit card information in the database, even if it is encrypted
- Not worth the hassle, risk, and cost of the external audit

Slide 77

SAQ-A VS SAQ-D (same table as slide 39)

Slide 78

AVOID DB ENCRYPTION
- Where do you encrypt? (column, whole database, FS)
- Slows down transactions
- Makes things more complicated
- Need to manage/protect certificates and keys

Slide 79

DJANGO TIPS
- django-secure and django-axes
- Use SSL everywhere
- Secure cookies
- XSS protection
- Change the Django admin URL (/_the_admin_/)
- Don’t log sensitive data from forms
- Turn auto-complete off on payment forms

Slide 80

DJANGO-SECURE
- Written by Carl Meyer
- "Helping you remember to do the stupid little things to improve your Django site's security."
- Checks your settings to make sure you have them all set correctly
- Provides some utilities to make your project safer
http://django-secure.readthedocs.org

Slide 81

DJANGO-AXES
- Logs login attempts to your Django app
- Locks out brute force attempts after a set number of login failures

Slide 82

ERROR LOGS
- If you are not careful, sensitive data could leak into logs
- If you have sensitive data, make sure you use (since Django 1.2.6 and Django 1.3.1):
  @sensitive_variables()
  @sensitive_post_parameters()
https://docs.djangoproject.com/en/dev/howto/error-reporting/#filtering-sensitive-information

Slide 83

DJANGO APP REVIEW

Slide 84

DJANGO PAYMENT PROJECTS
- Satchmo
- Lightning Fast Shop
- Mezzanine/Cartridge
- Django-shop
- Django-Oscar
- Django-Merchant

Slide 85

SATCHMO
- SatchmoProject.com
- Most popular Django e-commerce solution; been around for a long time
- Lots of great features and documentation
- SAQ-D if you use something other than Paypal or Google Checkout
http://www.satchmoproject.com/docs/dev/deploying.html

Slide 86

LIGHTNING FAST SHOP
- http://getLFS.com
- New kid on the block; lots of great features, with new releases often
- If using credit cards, means SAQ-D

Slide 87

MEZZANINE / CARTRIDGE
- http://mezzanine.jupo.org
- Mezzanine is a powerful, consistent, and flexible content management platform
- Cartridge is the shopping cart module
- Direct access to credit card data in the payment form
- SAQ-D out of the box

Slide 88

DJANGO-SHOP
- From the folks that brought you django-cms
- Out of the box it doesn’t have credit card payment support; you have to add your own
- Looks like it is still early in development?
- SAQ-A out of the box

Slide 89

DJANGO-OSCAR
- http://OscarCommerce.com
- Lots of integrations: SAP, Google eBookstore, etc.
- Extensions (Paypal, GoCardless, DataCash, etc.)
- Has access to credit card data in the payment form
- SAQ-D out of the box

Slide 90

DJANGO-MERCHANT
- Gateway support: auth.net, Paypal, eWAY, Braintree, Stripe, Fee Fighters
- Support for off-site processing: PayPal, RBS WorldPay, Google Checkout, Amazon FPS, Braintree (TR), Stripe.js, Samurai, eWAY
- SAQ-A options out of the box

Slide 91

COMPARE PAYMENT APPS
Project                Version  SAQ
Satchmo                0.9-1    D
Lightning Fast Shop    0.7.6    D
Mezzanine / Cartridge  0.6.0    D
Django-shop            0.0.13   A
Django-Oscar           0.4      D
Django-Merchant        0.05     A

Slide 92

PCI IN THE CLOUD
- Need to find a PCI compliant cloud provider: AWS - yes, RackSpace - no [1][2]
- Use an off-site payment processor
- SSL for everything (load balancer to DB)
- Set up monthly security scans
- Might require an Intrusion Detection System (IDS)
[1] http://www.rackspace.com/knowledge_center/article/how-to-utilize-cloud-sites-in-an-e-commerce-solution
[2] http://www.rackspace.com/knowledge_center/article/pci-frequently-asked-questions#cloudsites

Slide 93

PCI CLOUD RESOURCES
- http://bit.ly/Qxvb2n - RightScale: PCI Compliance in the public IaaS cloud
- http://www.cloudpassage.com - 3rd party hosted cloud security
- http://AlertLogic.com - AWS cloud security

Slide 94

INTRUSION DETECTION SYSTEM
- Hardware and software versions available
- Network or host based
- Software: Snort, Samhain, Tripwire, etc.
- Hardware: AlertLogic, Cisco, etc.

Slide 95

SECURITY SCANNERS
- Application
- Server
- Network
- Vulnerability scans

Slide 96

VULNERABILITY SCANNERS
- Cross-site scripting
- SQL injection
- Remote file inclusion
- Known application, server, and network vulnerabilities
- Much more

Slide 97

OTHER THINGS TO CONSIDER
- Payments over the phone (call centers)
- Payments via fax
- Payments via mail

Slide 98

ORIGINAL BLOG POST
http://kencochrane.net/blog/2012/01/developers-guide-to-pci-compliant-web-applications/

Slide 99

QUESTIONS?

Slide 100

THANK YOU
Ken Cochrane
[email protected]
@KenCochrane