Save 37% off PRO during our Black Friday Sale! »

Tony Perez - The Security Considerations When Building Your eCommerce Website

Tony Perez - The Security Considerations When Building Your eCommerce Website

Tony Perez is one of the co-founders of and CEO at Sucuri; a globally recognized website security firm specializing in cleaning and protecting websites. He has spent the better part of five years building an organization designed to provide value to website owners when they need it most. He has worked with 100’s of thousands of websites, helping them navigate their online security challenges, has spoken at events and conferences around the world, and is adamant in the power of education and awareness. He actively writes and shares his thoughts on both business and security on his personal web properties.

The Security Considerations When Building Your eCommerce Website

The website security landscape is a complex one, attacks are continuously evolving but the affects of a successful compromise are the same. Unlike traditional websites, eCommerce websites are a higher target; they offer attackers an opportunity to intercept and steal potentially valuable information in the form of Personal Identifiable Information (PII) and Credit Card information. Not only is this information priceless to your customers, they are critical to your online business.

In this talk I’ll explore both traditional WordPress Security, but specifically tailored to those that leverage the platform for eCommerce. IWe’ll go through a number of practical considerations for website administrators and integrators, and high-level insights into the affects of compromises valuable to any online business owner.

1885ae854a900f592f0e22e609c0c345?s=128

WooConf

April 06, 2016
Tweet

Transcript

  1. PEREZ TONY 02:30 SUCURI MAIN ROOM NEXT WOOCONF2016 THE SECURITY

    CONSIDERATIONS WHEN BUILDING YOUR ECOMMERCE WEBSITE DEVELOPER TRACK
  2. E-COMMERCE SECURITY Tony Perez | @perezbox #AskSucuri #WooConf SucuriSecurity |

    sucuri.net E-COMMERCE SECURITY Considerations when building your online store
  3. E-COMMERCE SECURITY Tony Perez | @perezbox #AskSucuri #WooConf SucuriSecurity |

    sucuri.net SECURITY IS NOT A STATIC STATE, IT’S A CONTINUOUS PROCESS.
  4. E-COMMERCE SECURITY Tony Perez | @perezbox #AskSucuri #WooConf SucuriSecurity |

    sucuri.net
  5. E-COMMERCE SECURITY Tony Perez | @perezbox #AskSucuri #WooConf SucuriSecurity |

    sucuri.net TECHNOLOGY DOES NOT REPLACE YOUR RESPONSIBILITY FOR SECURITY.
  6. E-COMMERCE SECURITY Tony Perez | @perezbox #AskSucuri #WooConf SucuriSecurity |

    sucuri.net
  7. E-COMMERCE SECURITY Tony Perez | @perezbox #AskSucuri #WooConf SucuriSecurity |

    sucuri.net SECURITY IS A MINDSET.
  8. E-COMMERCE SECURITY Tony Perez | @perezbox #AskSucuri #WooConf SucuriSecurity |

    sucuri.net
  9. E-COMMERCE SECURITY Tony Perez | @perezbox #AskSucuri #WooConf SucuriSecurity |

    sucuri.net Content Management System Administrative Panels Apache | NGINX | IIS Linux | Windows Physical Servers Networks
  10. E-COMMERCE SECURITY Tony Perez | @perezbox #AskSucuri #WooConf SucuriSecurity |

    sucuri.net
  11. E-COMMERCE SECURITY Tony Perez | @perezbox #AskSucuri #WooConf SucuriSecurity |

    sucuri.net THE MINUTE WE START ACCEPTING PAYMENT INFORMATION THE GAME CHANGES
  12. E-COMMERCE SECURITY Tony Perez | @perezbox #AskSucuri #WooConf SucuriSecurity |

    sucuri.net WE HAVE A RESPONSIBILITY: • We do not have the luxury of saying security is not a concern when it comes to e- commerce. • If you are a merchant that accepts Credit Cards, the major Credit issuers (e.g., Visa, MasterCard, JCB, Discover, American Express) hold you accountable for security. • Our customers depend on us to provide them a safe online experience, which includes their sensitive information in addition to quality service and products. • To the greater internet ecosystem, to help thwart the continuous degradation in trust consumers feel with online environments.
  13. E-COMMERCE SECURITY Tony Perez | @perezbox #AskSucuri #WooConf SucuriSecurity |

    sucuri.net DO NOT PROCESS TRANSACTIONS LOCALLY
  14. E-COMMERCE SECURITY Tony Perez | @perezbox #AskSucuri #WooConf SucuriSecurity |

    sucuri.net SSL/TLS PROVIDES A MECHANISM FOR HANDLING DATA IN TRANSIT SECURELY
  15. E-COMMERCE SECURITY Tony Perez | @perezbox #AskSucuri #WooConf SucuriSecurity |

    sucuri.net
  16. E-COMMERCE SECURITY Tony Perez | @perezbox #AskSucuri #WooConf SucuriSecurity |

    sucuri.net
  17. E-COMMERCE SECURITY Tony Perez | @perezbox #AskSucuri #WooConf SucuriSecurity |

    sucuri.net SSL/TLS DOES NOT SECURE YOUR WEBSITE
  18. E-COMMERCE SECURITY Tony Perez | @perezbox #AskSucuri #WooConf SucuriSecurity |

    sucuri.net PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS (PCI DSS) PCI DSS version 3.1 (April 2015): https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf
  19. E-COMMERCE SECURITY Tony Perez | @perezbox #AskSucuri #WooConf SucuriSecurity |

    sucuri.net “IF A MERCHANT ACCEPTS, PROCESSES, TRANSMITS OR IN ANY OTHER WAY HANDLES CREDIT CARDS TRANSACTIONS, THEY MUST COMPLY WITH PCI DSS”
  20. E-COMMERCE SECURITY Tony Perez | @perezbox #AskSucuri #WooConf SucuriSecurity |

    sucuri.net PCI TAKE-AWAYS • Unlike SOX or HIPAA, PCI is not law it can however be more devastating to your business. • Established Visa, MasterCard, American Express, Discover and JCB to ensure that credit card customer information and the associated payment systems are adequately protected from fraud • The goal was for the credit card industry to protect itself from financial loss or eroded consumer confidence in credit cards. • There are penalties for non-compliance, including fines and the inability to accept credit cards.
  21. E-COMMERCE SECURITY Tony Perez | @perezbox #AskSucuri #WooConf SucuriSecurity |

    sucuri.net PCI COMPLIANCE INCORRECTLY FACILITIES A CHECKLIST MINDSET
  22. E-COMMERCE SECURITY Tony Perez | @perezbox #AskSucuri #WooConf SucuriSecurity |

    sucuri.net YOU CAN BE COMPLIANT, BUT INSECURE
  23. E-COMMERCE SECURITY Tony Perez | @perezbox #AskSucuri #WooConf SucuriSecurity |

    sucuri.net PCI CAN BE AMBIGUOUS AND MISINTERPRETED
  24. E-COMMERCE SECURITY Tony Perez | @perezbox #AskSucuri #WooConf SucuriSecurity |

    sucuri.net MERCHANT LEVEL DESCRIPTION 1 Any merchant — regardless of acceptance channel — processing over 6M Visa transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system. 2 Any merchant — regardless of acceptance channel — processing 1M to 6M Visa transactions per year. 3 Any merchant processing 20,000 to 1M Visa e-commerce transactions per year. 4 Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants — regardless of acceptance channel — processing up to 1M Visa transactions per year.
  25. E-COMMERCE SECURITY Tony Perez | @perezbox #AskSucuri #WooConf SucuriSecurity |

    sucuri.net CORE COMPETENCY PCI DSS REQUIREMENT Build and Maintain a Secure Network 1 Install and maintain a firewall configuration to protect cardholder data 2 Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 3 Protect stored cardholder data 4 Encrypt Transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program 5 Use and Regularly update anti-virus software or programs 6 Develop and maintain secure systems and applications Implement Strong Access Control Measures 7 Restrict access to cardholder data by business need to know 8 Assign a unique ID to each person with computer access 9 Restrict physical access to cardholder data Regularly Monitor and Test Networks 10 Track and Monitor all access to network resources and cardholder data 11 Regularly test security systems and processes Maintain and Information Security Policy 12 Maintain a policy that addresses information security for all personnel
  26. E-COMMERCE SECURITY Tony Perez | @perezbox #AskSucuri #WooConf SucuriSecurity |

    sucuri.net CARD PROCESSING SELF-ASSESSMENT VALIDATION Card-not-present (e-commerce or mail/telephone- order) merchants, all cardholder data functions outsourced. SAQ type A, which is the smallest. It only includes parts of two out of 12 requirements, 14 questions. E-Commerce only merchants that partially outsource their payment processing to PCI DSS validated entities and to not electronically process, store or transmit any cardholder data. SAQ Type A-EP that covers a subset of all 12 requirements. SAQ A Reference: https://www.pcisecuritystandards.org/documents/SAQ_A_v3.pdf SAQ A-EP Reference: https://www.pcisecuritystandards.org/documents/SAQ_A-EP_v3.pdf E-Commerce Guidelines: https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_eCommerce_Guidelines.pdf
  27. E-COMMERCE SECURITY Tony Perez | @perezbox #AskSucuri #WooConf SucuriSecurity |

    sucuri.net COMPLY WITH THE PCI DSS SAQ A-EP STANDARD Reference: https://www.pcisecuritystandards.org/documents/SAQ_A-EP_v3.pdf
  28. E-COMMERCE SECURITY Tony Perez | @perezbox #AskSucuri #WooConf SucuriSecurity |

    sucuri.net 5 TIPS
 ACCOUNTING FOR SECURITY
  29. E-COMMERCE SECURITY Tony Perez | @perezbox #AskSucuri #WooConf SucuriSecurity |

    sucuri.net Tip #1 FUNCTIONAL ISOLATION WITHIN THE WEB ENVIRONMENT
  30. E-COMMERCE SECURITY Tony Perez | @perezbox #AskSucuri #WooConf SucuriSecurity |

    sucuri.net Tip #2 MONITOR AND STORE ALL ACTIVITY
  31. E-COMMERCE SECURITY Tony Perez | @perezbox #AskSucuri #WooConf SucuriSecurity |

    sucuri.net Tip #3 EMPLOY LEAST PRIVILEGED PRINCIPLES
  32. E-COMMERCE SECURITY Tony Perez | @perezbox #AskSucuri #WooConf SucuriSecurity |

    sucuri.net Tip #4 LEVERAGE A TOOL THAT MITIGATES EXPLOITATION OF SOFTWARE VULNERABILITIES
  33. E-COMMERCE SECURITY Tony Perez | @perezbox #AskSucuri #WooConf SucuriSecurity |

    sucuri.net Tip #5 BE MINDFUL OF YOUR CARD DATA ENVIRONMENT (CDE)
  34. E-COMMERCE SECURITY Tony Perez | @perezbox #AskSucuri #WooConf SucuriSecurity |

    sucuri.net Q & A TWEET US @SUCURISECURITY USING #ASKSUCURI
  35. E-COMMERCE SECURITY Tony Perez | @perezbox #AskSucuri #WooConf SucuriSecurity |

    sucuri.net DEFENSE IN DEPTH A layered approach to proactive and reactive website security. DETECTION Continuous website security monitoring to quickly identify potential Indicators of Compromise (IoC). RESPONSE Professional incident response team available 24/7/365. PROTECTION Website Application Firewall (WAF) & Intrusion Prevention System (IPS). SUCURI SECURITY STACK