
Building PCI compliant Django applications

Ken Cochrane
September 06, 2012

Building PCI compliant Django applications

If you currently accept credit cards with your Django application today, or you plan on accepting them in the future, then you will need to worry about PCI DSS. Learn what you need to do to make sure that your application is PCI DSS compliant, and if it is not, what you need to do to bring it into compliance.

Presented at DjangoCon US 2012

Transcript

  1. MY BACKGROUND
     - Site Reliability Engineer at dotCloud.com
     - Was the director of web and mobile technologies at CashStar.com (3.5 years)
     - I’m not a certified PCI Expert (QSA)
     3 Thursday, September 6, 12
  2. CASHSTAR.COM
     - Electronic Gift Card e-commerce platform built with Django
     - 100+ brands including Home Depot, BestBuy, Starbucks, Staples, etc.
     - Many millions of dollars in credit card transactions each year
     - Helped get PCI certification (SAQ-D)
  3. SHOW OF HANDS
     Raise your hand if you:
     - Own a credit card?
     - Have heard of PCI before?
     - Know what PCI is?
     - Have a website that accepts credit cards online?
     - Know you are PCI compliant?
  4. CREDIT CARD NATION
     - 1.4B cards in circulation in the USA
     - 181M (77%) of adults have a credit card
     - 20B credit card transactions each year
     - $1.9T total value (12.9% of GDP)
     source: http://www.indexcreditcards.com (2011)
  5. CREDIT BY BRAND (2011)
     - 39% Visa
     - 24% MasterCard
     - 23% American Express
     - 14% Other
     source: http://www.indexcreditcards.com
  6. CREDIT CARD FRAUD
     - 10% of Americans have been victims of credit card fraud
     - $399 median amount reported
     - $5.55 Billion worldwide in credit card fraud
     http://www.statisticbrain.com/credit-card-fraud-statistics/
  7. HOW?
     Before the internet:
     - Dumpster diving (always shred your documents)
     - Theft (stolen wallet, B&E)
     With the internet:
     - Phishing
     - Hacking
  8. HACKED SINCE 2005
     TJ Maxx, Bank of America, Citigroup, BJ’s Wholesale Club, Hotels.com, LexisNexis, Polo Ralph Lauren, Wachovia, Heartland Payment Systems, Hannaford, Global Payments, CardSystem Solutions
  9. PCI WAS BORN
     - 2004 - MasterCard created the Payment Card Industry (PCI) Data Security Standards
     - Visa, American Express, Discover, JCB decided to drop their own efforts and join MasterCard
     - June 30, 2005 - PCI 1.0 took effect
  10. WHY WAS PCI CREATED?
     - It was created in response to a spike in data security breaches.
     - It gives merchants a guide to help them make sure they are following best security practices when it comes to cardholder data.
  11. WHAT IS PCI?
     - Information security standard for handling cardholder information (PCI DSS)
     - 12 core requirements and roughly 250 controls
     - 4 certification levels
     - Current version is 2.0
     - Not a law
  12. PCI REQ #1
     Install and maintain a firewall configuration to protect data
  13. PCI REQ #4
     Encrypt transmission of cardholder data across public networks (SSL, VPN, etc)
  14. PCI REQ #6
     Develop and maintain secure systems and applications
  15. PCI REQ #7
     Restrict access to data by business need to know
  16. PCI REQ #8
     Assign a unique ID to each person with computer access
  17. PCI REQ #10
     Track and monitor all access to network resources and cardholder data
  18. HOW DOES PCI CERTIFICATION WORK?
     - Find out which Self-Assessment Questionnaire (SAQ) you need and fill it out.
     - Find out what level you are.
     - Make sure you follow all recommendations for that SAQ and level.
     - Fix any issues.
     - Attestation of Compliance (if self assessing).
  19. SELF-ASSESSMENT QUESTIONNAIRE (SAQ)
     - A questionnaire with lots of questions about your payment system
     - Four levels (A, B, C, D). Level based on certain criteria.
     - Everyone is required to fill one out for PCI compliance. Filled out yearly.
     - They can be very easy or very hard, depending on how much cardholder data you have access to.
  20. SAQ-A
     Merchants who have outsourced all processing, transmission and storage of credit card data
  21. SAQ-B
     Merchants who process cardholder data via imprint machines or stand-alone dial-up terminals only.
  22. SAQ-A VS SAQ-D
     Item                                  SAQ-A          SAQ-D
     Time to become PCI compliant          about 5 days   6-18 months
     PCI DSS controls to meet              Less than 20   Over 200
     Assessment costs to determine scope   $0             $44k - $125k*
     Hardware/Software upgrades            $0             $81k - $568k*
     Ongoing expenses                      Fixed          Variable
     source: https://www.braintreepayments.com/tour/pci-compliance
     * Gartner estimates, merchant Level 1-3
  23. 4 LEVELS OF PCI
     Level   Description
     1       6M+ Visa trans per year
     2       1M to 6M Visa trans per year
     3       20K to 1M Visa trans per year
     4       Everyone else
  24. PCI COST BY LEVEL
     Level   # of Trans   Scope   Compliance   Audit type
     1       6M+          $125K   $586K        onsite
     2       1M-6M        $105K   $267K        SAQ
     3       20K-1M       $44K    $81K         SAQ
     4       < 20K        ?       ?            SAQ
     http://blog.elementps.com/element_payment_solutions/2009/02/pci-compliance-costs.html
     http://www.networkworld.com/news/2010/030110-pci-compliance-audit-cost.html
  25. EXTERNAL AUDITS
     - Need to hire a Qualified Security Assessor (QSA)
     - Lasts a few weeks or more on site.
     - Low end $20K-$30K
     - $225K a year on average
     - 10% paying over $500K
     Source: http://www.networkworld.com/news/2010/030110-pci-compliance-audit-cost.html
  26. PCI 2.0
     - Took full effect Jan 1st, 2012
     - 132 changes: 2 new ones, the rest are clarifications or additional guidelines
     - Added more guidelines around virtualization, and how it affects PCI.
     - Amazon Web Services is now Level 1 PCI compliant
  27. CREDIT CARD DATA
     Credit card information that can be stored:
     Data element            Storage permitted   Protection required
     Cardholder data
       Account number        Y                   Y
       Cardholder name       Y                   Y
       Expiration date       Y                   Y
       Service code          Y                   Y
     Authentication data
       Magnetic stripe       N                   n/a
       CVV                   N                   n/a
       PIN data              N                   n/a
  28. WHAT IF HACKED?
     - You could be banned from accepting credit cards.
     - Loss of reputation and customers
     - Fines up to $500,000 per incident.
     - Litigation
  29. SUMMARY #1
     All merchants, regardless of whether credit card data is stored, must achieve and maintain compliance at all times.
  30. SUMMARY #2
     Merchants cannot store certain credit card information, including CVV, track data, magnetic stripe or PIN data.
  31. SUMMARY #3
     If you store permitted credit card data, you need to store it in a secure way following the PCI security standards.
  32. COMMON MISTAKES
     - Storing credit card information in plain text
     - Default passwords not changed
     - Poorly coded websites resulting in SQL injection and other vulnerabilities
     - Lack of monitoring and logging
  33. COMMON MISTAKES 2
     - Not using SSL for the payment page
     - Logging payment information into log files, especially when there is an error (Django error emails)
     - Missing security patches
  34. PEOPLE DON’T KNOW
     - PCI rules are complex
     - PCI rules change often
     - PCI is boring
     - Training and information is not readily available
  35. PEOPLE ARE LAZY
     - They have systems working fine today, and they don’t want to change them
     - They don’t want to take time to learn PCI rules
     - They cut corners to save time and money
  36. PEOPLE ARE CHEAP
     - Changing “stuff” costs money
     - Adding more processes and services costs money
     - Doing things right takes more time, which in turn costs more money
  37. PEOPLE ARE COCKY
     - It won’t happen to me, why would someone hack me?
     - My code is the best that is ever written
  38. PEOPLE ARE DUMB
     - Some people write really bad code and don’t even know it
     - People are tweeting pictures of their credit cards: https://twitter.com/needadebitcard
  39. PAYMENT TYPES
     - 3rd party (Paypal, Google Checkout, etc)
     - Hosted payment page
     - Transparent redirect
     - Client-side encryption
     - Self serve payment page
     - Recurring payments (subscriptions, on demand, etc)
  40. TOKENIZATION
     - If you need to store credit card information, use a tokenization service instead of storing it yourself
     - You store the credit card information in their system. They give you a unique token that you use for all future transactions against that credit card.
     - Most payment processors support this.
  41. THIRD PARTY PAYMENT
     - Customers leave your site to pay. You don’t touch any credit card data
     - Paypal, Google Checkout, Amazon Payments
     - Risk: None  SAQ: A  Effort: Low
  42. HOSTED PAYMENT PAGE
     - The actual payment page is hosted somewhere else
     - Usually done with an iframe
     - Can’t usually customize the page, limited features
     - You see no credit card data
     - Risk: None  SAQ: A  Effort: Low
  43. TRANSPARENT REDIRECT
     - You host the payment page
     - When the form is submitted, the page POSTs to someone else. They take the credit card data, remove it, add a token. Then they post back to you, minus the credit card data.
     - Authorize.net, Braintree Payments, Fee Fighters
     - Risk: Low  SAQ: A  Effort: Medium
  44. CLIENT-SIDE ENCRYPTION
     - You install JavaScript on your payment page
     - The JS will encrypt and remove the sensitive data in the browser before sending to you.
     - You get the data and pass it on to the payment gateway.
     - Braintree, Stripe, Fee Fighters
     - Risk: Low  SAQ: A  Effort: Medium
  45. SELF-SERVE PAYMENTS
     - You host the payment page. When the form is submitted, credit card data is sent to you and lives in memory on your server. You pass it along to the payment gateway.
     - Most common, very flexible: you can do whatever you want on the payment page.
     - Risk: High  SAQ: D  Effort: High
  46. RECURRING PAYMENTS
     - Someone signs up for your service, gives you their credit card once, you charge them on a set schedule
     - How to store the credit card info for future payments?
     - What if the credit card expires or becomes inactive?
     - Recurly, Stripe, Braintree, Paypal, etc
     - Risk: Low  Effort: Medium  SAQ: A
  47. EDGE TOKENIZATION
     - The credit card data is removed and replaced with a token on a proxy server on the way to your server.
     - Fairly new, expensive, limited gateway support
     - Good if you need to handle payments over an API.
     - Akamai
     - Risk: Low  SAQ: A  Effort: High
  48. COMPARISON
     Option            Risk   Effort   SAQ   Customization
     3rd Party         None   Low      A     Bad
     Hosted            Low    Low      A     Bad
     Trans. Redirect   Low    Medium   A     Good
     JS encryption     Low    Medium   A     Good
     Self Hosted       High   High     D     Great
     Recurring         Low    Medium   A     Good
     Edge Token.       Low    High     A     Good
  49. SAQ-A VS SAQ-D
     (repeats the SAQ-A vs SAQ-D table from slide 22)
  50. GENERAL RECOMMENDATIONS
     - Don’t let credit card data touch your systems
     - Use a payment system that handles all credit card data for you.
     - Use payment tokens whenever possible
     - Don’t store any sensitive data
  51. NEVER EVER
     - Store credit card information in the database, even if it is encrypted
     - Not worth the hassle, risk, and cost of the external audit.
  52. SAQ-A VS SAQ-D
     (repeats the SAQ-A vs SAQ-D table from slide 22)
  53. AVOID DB ENCRYPTION
     - Where do you encrypt (column, whole database, FS)?
     - Slows down transactions
     - Makes things more complicated: need to manage/protect certificates and keys
  54. DJANGO TIPS
     - django-secure and django-axes
     - Use SSL everywhere
     - Secure cookies
     - XSS protection
     - Change the Django admin URL (/_the_admin_/)
     - Don’t log sensitive data from forms
     - Turn auto-complete off on payment forms.
  55. DJANGO-SECURE
     - Written by Carl Meyer
     - Helping you remember to do the stupid little things to improve your Django site's security.
     - Checks your settings to make sure you have them all set correctly
     - Provides some utilities to make your project safer
     - http://django-secure.readthedocs.org
  56. DJANGO-AXES
     - Log login attempts to your Django app
     - Lock out brute force attempts after a set number of login failures
  57. ERROR LOGS
     - If you are not careful, sensitive data could leak into logs
     - If you have sensitive data make sure you use (since Django 1.2.6 and Django 1.3.1) @sensitive_variables() and @sensitive_post_parameters()
     - https://docs.djangoproject.com/en/dev/howto/error-reporting/#filtering-sensitive-information
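The decorators above only cover Django's own error reports; anything your code logs itself (slides 33 and 54) needs a second line of defence. As an added example written for these notes (not code from the talk, from Django or from any project named here), a stdlib logging filter that redacts Luhn-valid card numbers from a record's message and string arguments before a file or mail handler formats them, leaving only the last four digits; PAN_RE, mask_pan and PANMaskingFilter are names chosen here.

```python
import logging
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or
# dashes, as they appear when a form dict is dumped into a log line.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_valid(digits):
    """Luhn (mod 10) check that real card numbers pass and most other digit runs fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(text):
    """Replace Luhn-valid card numbers in text with a masked form keeping the last 4."""
    def repl(match):
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)  # order ids, phone numbers etc. are left alone
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_RE.sub(repl, text)

class PANMaskingFilter(logging.Filter):
    """Attach to a handler (file, mail_admins) to redact card numbers in the
    message and in its string arguments before the record is formatted."""
    def filter(self, record):
        if isinstance(record.msg, str):
            record.msg = mask_pan(record.msg)
        args = record.args
        if isinstance(args, dict):
            record.args = {k: mask_pan(v) if isinstance(v, str) else v for k, v in args.items()}
        elif args:
            record.args = tuple(mask_pan(a) if isinstance(a, str) else a for a in args)
        return True  # never drop the record, only redact it

def masked_message(msg, *args):
    """Build a LogRecord the way logging does, apply the filter, return the final text."""
    record = logging.LogRecord("payments", logging.ERROR, "views.py", 0, msg, args, None)
    PANMaskingFilter().filter(record)
    return record.getMessage()

if __name__ == "__main__":
    # Constructed sample line, the kind a failed charge might otherwise write to the log.
    print(masked_message("charge failed for %s, order %s", "4111 1111 1111 1111", "1234567890123"))
```

Non-string arguments are passed through untouched so `%d`-style formats keep working; the Luhn check keeps order numbers and phone numbers readable while still catching the test Visa number in the sample.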
  58. SATCHMO
     - SatchmoProject.com
     - Most popular Django e-commerce solution, been around for a long time.
     - Lots of great features and documentation
     - SAQ-D if you use something other than Paypal or Google Checkout.
     - http://www.satchmoproject.com/docs/dev/deploying.html
  59. LIGHTNING FAST SHOP
     - http://getLFS.com
     - New kid on the block, lots of great features, with new releases often
     - If using credit cards, means SAQ-D
  60. MEZZANINE / CARTRIDGE
     - http://mezzanine.jupo.org
     - Mezzanine is a powerful, consistent, and flexible content management platform. Cartridge is the shopping cart module.
     - Direct access to credit card data in payment form. SAQ-D out of the box.
  61. DJANGO-SHOP
     - From the folks that brought you django-cms
     - Out of the box it doesn’t have credit card payment support, you have to add your own.
     - Looks like it is still early in development?
     - SAQ-A out of the box
  62. DJANGO-OSCAR
     - http://OscarCommerce.com
     - Lots of integrations: SAP, Google eBookstore, etc. Extensions (Paypal, GoCardless, DataCash, etc)
     - Has access to credit card data in payment form. SAQ-D out of the box.
  63. DJANGO-MERCHANT
     - Gateway support: auth.net, Paypal, eWAY, Braintree, Stripe, Fee Fighters
     - Support for off-site processing: PayPal, RBS WorldPay, Google Checkout, Amazon FPS, Braintree (TR), Stripe.js, Samurai, eWAY
     - SAQ-A options out of the box
  64. COMPARE PAYMENT APPS
     Project                 Version   SAQ-?
     Satchmo                 0.9-1     D
     Lightning Fast Shop     0.7.6     D
     Mezzanine / Cartridge   0.6.0     D
     Django-shop             0.0.13    A
     Django-Oscar            0.4       D
     Django-Merchant         0.05      A
  65. PCI IN THE CLOUD
     - Need to find a PCI compliant cloud provider: AWS - Yes, RackSpace - No [1][2]
     - Use an off-site payment processor
     - SSL for everything (load balancer to DB)
     - Set up monthly security scans
     - Might require an Intrusion Detection System (IDS)
     [1] http://www.rackspace.com/knowledge_center/article/how-to-utilize-cloud-sites-in-an-e-commerce-solution
     [2] http://www.rackspace.com/knowledge_center/article/pci-frequently-asked-questions#cloudsites
  66. PCI CLOUD RESOURCES
     - http://bit.ly/Qxvb2n - RightScale: PCI Compliance in the public IaaS cloud
     - http://www.cloudpassage.com - 3rd party hosted cloud security
     - http://AlertLogic.com : AWS cloud security
  67. INTRUSION DETECTION SYSTEM
     - Hardware and software versions available
     - Network or host based
     - Software: Snort, Samhain, TripWire, etc
     - Hardware: AlertLogic, Cisco, etc
  68. VULNERABILITY SCANNERS
     - Cross-site scripting
     - SQL injection
     - Remote file inclusion
     - Known application, server, and network vulnerabilities
     - Much more.
  69. OTHER THINGS TO CONSIDER
     - Payments over the phone (call centers)
     - Payments via fax
     - Payments via mail