Tony Perez - The Security Considerations When Building Your eCommerce Website

PEREZ TONY 02:30 SUCURI MAIN ROOM NEXT WOOCONF2016 THE SECURITY
CONSIDERATIONS WHEN BUILDING YOUR ECOMMERCE WEBSITE DEVELOPER TRACK

E-COMMERCE SECURITY Tony Perez | @perezbox #AskSucuri #WooConf SucuriSecurity |
sucuri.net E-COMMERCE SECURITY Considerations when building your online store

sucuri.net SECURITY IS NOT A STATIC STATE, IT’S A CONTINUOUS PROCESS.

sucuri.net

sucuri.net TECHNOLOGY DOES NOT REPLACE YOUR RESPONSIBILITY FOR SECURITY.

sucuri.net

sucuri.net SECURITY IS A MINDSET.

sucuri.net

sucuri.net Content Management System Administrative Panels Apache | NGINX | IIS Linux | Windows Physical Servers Networks

sucuri.net

sucuri.net THE MINUTE WE START ACCEPTING PAYMENT INFORMATION THE GAME CHANGES

sucuri.net WE HAVE A RESPONSIBILITY: • We do not have the luxury of saying security is not a concern when it comes to e- commerce. • If you are a merchant that accepts Credit Cards, the major Credit issuers (e.g., Visa, MasterCard, JCB, Discover, American Express) hold you accountable for security. • Our customers depend on us to provide them a safe online experience, which includes their sensitive information in addition to quality service and products. • To the greater internet ecosystem, to help thwart the continuous degradation in trust consumers feel with online environments.

sucuri.net DO NOT PROCESS TRANSACTIONS LOCALLY

sucuri.net SSL/TLS PROVIDES A MECHANISM FOR HANDLING DATA IN TRANSIT SECURELY

sucuri.net

sucuri.net SSL/TLS DOES NOT SECURE YOUR WEBSITE

sucuri.net PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS (PCI DSS) PCI DSS version 3.1 (April 2015): https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf

sucuri.net “IF A MERCHANT ACCEPTS, PROCESSES, TRANSMITS OR IN ANY OTHER WAY HANDLES CREDIT CARDS TRANSACTIONS, THEY MUST COMPLY WITH PCI DSS”

sucuri.net PCI TAKE-AWAYS • Unlike SOX or HIPAA, PCI is not law it can however be more devastating to your business. • Established Visa, MasterCard, American Express, Discover and JCB to ensure that credit card customer information and the associated payment systems are adequately protected from fraud • The goal was for the credit card industry to protect itself from financial loss or eroded consumer confidence in credit cards. • There are penalties for non-compliance, including fines and the inability to accept credit cards.

sucuri.net PCI COMPLIANCE INCORRECTLY FACILITIES A CHECKLIST MINDSET

sucuri.net YOU CAN BE COMPLIANT, BUT INSECURE

sucuri.net PCI CAN BE AMBIGUOUS AND MISINTERPRETED

sucuri.net MERCHANT LEVEL DESCRIPTION 1 Any merchant — regardless of acceptance channel — processing over 6M Visa transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system. 2 Any merchant — regardless of acceptance channel — processing 1M to 6M Visa transactions per year. 3 Any merchant processing 20,000 to 1M Visa e-commerce transactions per year. 4 Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants — regardless of acceptance channel — processing up to 1M Visa transactions per year.

sucuri.net CORE COMPETENCY PCI DSS REQUIREMENT Build and Maintain a Secure Network 1 Install and maintain a firewall configuration to protect cardholder data 2 Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 3 Protect stored cardholder data 4 Encrypt Transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program 5 Use and Regularly update anti-virus software or programs 6 Develop and maintain secure systems and applications Implement Strong Access Control Measures 7 Restrict access to cardholder data by business need to know 8 Assign a unique ID to each person with computer access 9 Restrict physical access to cardholder data Regularly Monitor and Test Networks 10 Track and Monitor all access to network resources and cardholder data 11 Regularly test security systems and processes Maintain and Information Security Policy 12 Maintain a policy that addresses information security for all personnel

sucuri.net CARD PROCESSING SELF-ASSESSMENT VALIDATION Card-not-present (e-commerce or mail/telephone- order) merchants, all cardholder data functions outsourced. SAQ type A, which is the smallest. It only includes parts of two out of 12 requirements, 14 questions. E-Commerce only merchants that partially outsource their payment processing to PCI DSS validated entities and to not electronically process, store or transmit any cardholder data. SAQ Type A-EP that covers a subset of all 12 requirements. SAQ A Reference: https://www.pcisecuritystandards.org/documents/SAQ_A_v3.pdf SAQ A-EP Reference: https://www.pcisecuritystandards.org/documents/SAQ_A-EP_v3.pdf E-Commerce Guidelines: https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_eCommerce_Guidelines.pdf

sucuri.net COMPLY WITH THE PCI DSS SAQ A-EP STANDARD Reference: https://www.pcisecuritystandards.org/documents/SAQ_A-EP_v3.pdf

sucuri.net 5 TIPS  ACCOUNTING FOR SECURITY

sucuri.net Tip #1 FUNCTIONAL ISOLATION WITHIN THE WEB ENVIRONMENT

sucuri.net Tip #2 MONITOR AND STORE ALL ACTIVITY

sucuri.net Tip #3 EMPLOY LEAST PRIVILEGED PRINCIPLES

sucuri.net Tip #4 LEVERAGE A TOOL THAT MITIGATES EXPLOITATION OF SOFTWARE VULNERABILITIES

sucuri.net Tip #5 BE MINDFUL OF YOUR CARD DATA ENVIRONMENT (CDE)

sucuri.net Q & A TWEET US @SUCURISECURITY USING #ASKSUCURI

sucuri.net DEFENSE IN DEPTH A layered approach to proactive and reactive website security. DETECTION Continuous website security monitoring to quickly identify potential Indicators of Compromise (IoC). RESPONSE Professional incident response team available 24/7/365. PROTECTION Website Application Firewall (WAF) & Intrusion Prevention System (IPS). SUCURI SECURITY STACK

Tony Perez - The Security Considerations When B...

Tony Perez - The Security Considerations When Building Your eCommerce Website

More Decks by WooConf

Other Decks in Programming

Featured

Transcript