Transcript
Page 1: PCI Compliance and Drupal - Commerce Guys Webinar

Let's Talk About PCI Compliance for Drupal

Rick Manelius, PhD @rickmanelius

Page 2

Overview

• Why (should I care)?

• What (exactly is this PCI compliance thing)?

• How (do I get started)?

Page 3

Why?

Page 4

My Story

• From great success to sheer panic.

• You’ll experience something similar at some point.

• The 5 Stages of PCI Compliance Grief

• Denial (“That doesn’t pertain to me.”)

• Anger (“WTF! Why didn’t someone tell me?”)

• Bargaining (“I’m more secure than others.”)

• Depression (“This is going to be so hard…”)

• Acceptance (“Alright, let’s do this!”)

Page 5

Why? It’s In the News

Page 6

You’ve Got Mail!

Page 7

Security Breaches Hurt

• Adobe - 2.9 million customer records.

• Sony PlayStation Network - 77 million records.

• JCPenney - 650,000 records.

• Ubercart with custom module (3)

• $25-$215 / breached record. (1)

• Small merchants — 80+% of breaches. (2)

• One strike rule for PCI Level.

1. 2010 Annual Study: U.S. Cost of a Data Breach (symantec.com)
2. In Data Leaks, Culprits Often Are Mom & Pop (Online Wall Street Journal)

Page 8

PCI Compliance is Mandatory

• Golden Rule

• Contractual

• Privilege

• It can be revoked

• One strike rule

Page 9

My Goals

• World Class eCommerce Platform => Set the Standard

• 4 Stages of Mastery

1. Unconscious Incompetence

2. Conscious Incompetence

3. Conscious Competence

4. Unconscious Competence

• I believe the Drupal community is primarily at 1-2.

• At the very least, we need to get to 2 (awareness).

• Ideally 90+% of Drupal eCommerce sites get to 3.

Page 10

Drupal PCI Compliance White Paper

• http://drupalpcicompliance.org

• Co-authors:

• Greg Knaddison (Head of Drupal Security Team)

• Ned McClain (QSA at Applied Trust)

• Readable in less than an hour.

• Target audiences: developers, shops, & evaluators.

• Drupal specific information.

• Goes well beyond the information in this talk.

Page 11

Sponsors

Page 12

What?

Page 13

The Journey of a Credit Card

• User’s browser

• Internet

• Hosting Network

• Server

• LAMP Stack

• Drupal App

• Payment Gateway

• Merchant Service Provider

Page 14

Holistic Approach

• Card Data Environment (CDE)

• Everything that can touch the card falls into the CDE.

• Security (& trust) is as strong as the weakest link.

• Need a policy to ensure end to end security.

Page 15

PCI-DSS

• PCI = Payment Card Industry

• DSS = Data Security Standard

• 12 requirements (aka the dirty dozen)

• We will (quickly) go through them.

Page 16

PCI Data Security Standard

• 1. Install and Maintain a Firewall

• 2. Do Not Use Vendor Supplied Default Passwords

• 3. Protect Stored Data

• 4. Encrypt transmission of cardholder data across open, public networks

• 5. Use and regularly update anti-virus software or programs

• 6. Develop and maintain secure systems and applications

Page 17

PCI Data Security Standard

• 7. Restrict access to cardholder data by business need-to-know

• 8. Assign a unique ID to each person with computer access

• 9. Restrict physical access to cardholder data

• 10. Track and monitor all access to network resources and cardholder data

• 11. Regularly test security systems and processes

• 12. Maintain a policy that addresses information security for all personnel

Page 18

PCI Data Security Standard

• 288 total checklist items.

• The number of items an eCommerce site is responsible for depends on how it's structured!

Page 19

How?

Page 20

So... Where Do I Start?

• Key Factors: Volume & Validation Type.

• Volume determines PCI Level (1, 2, 3, or 4)

• Validation type determines SAQ (A, B, C, C-VT, D)

• SAQ = Self Assessment Questionnaires

• Provides checklist for 12 requirements.

Page 21

Volume

• Reported Breach = Automatic Level 1

Page 22

Validation Type

• (i.e. method by which you accept payment)

• A, C, and D are the most relevant for eCommerce.

Page 23

Validation Type (English Please!)

• SAQ A: Fully outsourced handling of sensitive data.

• SAQ C: “Standard” eCommerce setup.

• SAQ D: Storing sensitive data.

Page 24

Determining Your SAQ

• Largely a function of payment method.

• 3 types of payment methods:

• Wholly Outsourced

• Shared-Management

• Merchant Managed

Page 26

Wholly Outsourced: SAQ A

• Sensitive data is completely handled by another vendor.

• Examples: Volusion, BigCommerce, etc.

• Grey area for Drupal payment gateways (more on this later).

Page 27

Merchant Managed: SAQ C/D

• Drupal application processes and transmits credit card data to the payment gateway.

• If you store cards, you’re SAQ D (dangerous!)

• Do not do this unless you absolutely, positively know what you’re doing.

Page 28

Shared Management: SAQ A/C

• Three Types

• Hosted Payment Page

• Direct Post

• iFrame

• Often advertised as SAQ A.

• PCI Council outlines vulnerabilities.

• Consider these an “easier SAQ C”.

Page 29

Hosted Payment Pages

• Image courtesy of authorize.net

Page 30

Direct Post

• Image courtesy of authorize.net

Page 31

iFrame

• Basically direct post, except that the gateway serves the card form inside an iframe embedded in the merchant's page, so the form element sits behind the iframe's origin boundary.

• The browser's same-origin policy keeps JavaScript in the parent DOM from reading the fields inside the cross-origin iframe.

Page 32

Attacking Shared-Management

• Direct Post (Stripe, Braintree, etc.)

• JS Keylogger.

• Hosted Payment Page (PayPal, etc.)

• Redirecting to a spoof site.

• iframe (Auth.net hosted CIM, Hosted PCI)

• Replace the iframe.

• While still vulnerable, shared-management solutions are considerably less risky than merchant managed solutions!
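As an added example (not code from the webinar, the Drupal PCI Compliance white paper, or Drupal Commerce), the following Python script classifies a checkout page's served HTML into the integration types from Pages 24 to 31 (merchant managed, direct post, iframe, or no card fields on the page) and, for the "replace the iframe" attack on Page 32, lists any iframe whose origin is not the gateway you expect. The field-name heuristics, the sample markup, and the example hostnames are constructed assumptions, not real Drupal Commerce form names.

```python
"""Classify a checkout page's payment integration from its HTML.

Added example for scoping a PCI SAQ; this is not code from the webinar, the
Drupal PCI Compliance white paper, or Drupal Commerce.  Assumptions: a
card-number field is an <input> whose name/id looks like a PAN field or that
carries autocomplete="cc-number"; an <iframe> served from another origin is
a gateway-hosted form; a <form> posting to another origin is a direct post.
The sample markup and hostnames below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Field names that suggest the primary account number is typed into this page.
PAN_FIELD = re.compile(r"card.?num|cc.?num|credit.?card|\bpan\b", re.I)


class _Scanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self._form_stack = []   # action URLs of the <form>s currently open
        self.card_inputs = []   # (form action, field name) for PAN-looking inputs
        self.iframes = []       # src of every <iframe>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form_stack.append(a.get("action") or "")
        elif tag == "input":
            ident = " ".join(filter(None, [a.get("name"), a.get("id")]))
            if a.get("autocomplete") == "cc-number" or PAN_FIELD.search(ident):
                action = self._form_stack[-1] if self._form_stack else ""
                self.card_inputs.append((action, a.get("name") or a.get("id") or "?"))
        elif tag == "iframe":
            self.iframes.append(a.get("src") or "")

    def handle_endtag(self, tag):
        if tag == "form" and self._form_stack:
            self._form_stack.pop()


def origin_of(url, page_origin=None):
    """scheme://host of an absolute URL; relative URLs resolve to the page's origin."""
    p = urlparse(url)
    if not p.netloc:
        return page_origin
    return f"{p.scheme}://{p.netloc}".lower()


def classify_checkout(html, page_url):
    """Return one of: merchant-managed, direct-post, iframe, no-card-fields."""
    page_origin = origin_of(page_url)
    s = _Scanner()
    s.feed(html)
    if s.card_inputs:
        # The PAN is typed into the merchant's own DOM.  Where the form posts
        # decides whether the Drupal app ever sees it.
        targets = {origin_of(action, page_origin) for action, _ in s.card_inputs}
        if page_origin not in targets:
            return "direct-post"       # shared management: browser posts straight to the gateway
        return "merchant-managed"      # SAQ C at least; SAQ D if the card is stored
    if any(origin_of(src, page_origin) != page_origin for src in s.iframes):
        return "iframe"                # shared management: gateway serves the form
    return "no-card-fields"            # hosted payment page (redirect) or not a payment step


def unexpected_frames(html, page_url, allowed_origins):
    """Iframe sources whose origin is not the gateway you expect (iframe swap check)."""
    page_origin = origin_of(page_url)
    s = _Scanner()
    s.feed(html)
    allowed = {o.lower() for o in allowed_origins}
    return [src for src in s.iframes
            if origin_of(src, page_origin) != page_origin
            and origin_of(src, page_origin) not in allowed]


# Constructed sample markup (not real Drupal Commerce output).
PAGE_URL = "https://shop.example/checkout/payment"
SAMPLE_MERCHANT_MANAGED = (
    '<form action="/checkout/payment" method="post">'
    '<input name="payment[credit_card][number]">'
    '<input name="payment[credit_card][exp_month]"></form>'
)
SAMPLE_DIRECT_POST = (
    '<form action="https://gateway.example/transact" method="post">'
    '<input name="x_card_num"><input name="x_exp_date"></form>'
)
SAMPLE_IFRAME = (
    '<form action="/checkout/payment" method="post">'
    '<iframe src="https://gateway.example/hosted-form?token=abc"></iframe>'
    '<input name="coupon_code"></form>'
)
SAMPLE_NO_CARD = (
    '<form action="/checkout/payment" method="post">'
    '<input name="coupon_code"><input name="op" value="Continue"></form>'
)

if __name__ == "__main__":
    for label, html in [("merchant", SAMPLE_MERCHANT_MANAGED), ("direct", SAMPLE_DIRECT_POST),
                        ("iframe", SAMPLE_IFRAME), ("none", SAMPLE_NO_CARD)]:
        print(label, "->", classify_checkout(html, PAGE_URL))
    print("unexpected frames:", unexpected_frames(SAMPLE_IFRAME, PAGE_URL, {"https://other.example"}))
```

This only inspects the HTML as served. A JavaScript keylogger or an iframe swap injected at runtime (the attacks on Page 32) never appears in that markup, so treat this as a scoping aid for picking the right SAQ and pair it with a check in the running browser before relying on the "iframe" or "direct-post" answer.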

Page 33

SAQ Breakdown

• Merchant Managed - SAQ C/D

• Shared-Management - SAQ A/C

• Wholly Outsourced - SAQ A

• SAQ C - “Standard” eCommerce Site.

• SAQ D - Storing Cardholder Data.

Page 34

Recommendations

• Use shared-management types.

• iFrame or Hosted Payment Pages Preferred

• Use SAQ C regardless of vendor claims.

• The new PCI DSS 3.0 standard is coming out soon.

• Consider the SAQ the minimum level.

• Seek help if you have any questions.

Page 35

Recommendations

• Download: Drupal PCI Compliance White Paper!

• http://drupalpcicompliance.org/

Page 36

Summarizing

• Why

• Mandatory

• Financial, PR, and legal risks.

• What

• Standard that addresses security holistically.

• How

• Determine your volume + transaction type.

• Complete the relevant SAQ form.

• Do your due diligence!!!

Page 37

Questions

• PS. Don’t forget:

• http://drupalpcicompliance.org/

• Drupal.org/IRC/twitter: @rickmanelius