Created
March 21, 2012 21:55
Denver Drupalcon 2012 - PCI compliance with vordude (notes)
* QSA - Qualified Security Assessor
Heartland data breach
- lawsuits
- example of unauthorized access to credit card data
Costs of a data breach
- lawsuits
- reputation
Dirty dozen
- the 12 requirements of PCI (the "dirty dozen")
- a lot of them are just security best practices
Some of the dirty dozen
- update antivirus (broad scope, could include desktop clients)
- add a firewall
- don't use default vendor usernames/passwords
- develop secure applications
- restrict cardholder data - if you don't need to know it, don't store it
- monitor access to the network and cardholder data
Takeaways from the dirty dozen
- shouldn't be storing cardholder data
- full track data - don't store all the numbers of the credit card and/or metadata (CVV), etc.
- document everything; if it's not on paper, it never happened
- hosting companies and payment processors must be compliant
- third-party vendor non-compliance means your non-compliance
What is SAQ?
- each of them is a test. The following 3 are more relevant to Drupal development:
- SAQ-A: all sensitive data handling offloaded
- SAQ-C: "standard"
- SAQ-D: "other", for those that don't fit in the other areas
- stands for Self Assessment Qualifier
SAQ-A
- offload sensitive data and have another vendor store the data
- document processes
- e.g. PayPal, then return to the page
- vendors now use tokenization of data, which allows that to be seamless
SAQ-i
- 225 questions
Merchant level
- levels 1-4
- each merchant has a different version of merchant level
- each credit card company provides different levels
- Visa has a table that describes the levels
- June 30, 2012 deadline - SAQ for new credit card vendors must be completed by a QSA or a certified ISA
cache_form table
- may contain information left over from forms
Session variables
- the session table may store unencrypted data
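The two points above (stale form values in cache_form, unencrypted session data) are easiest to act on with a scan of those tables for card-like values. The scanner below is an added example, not code from the talk or from Drupal; the row layout and the PHP-serialized sample data are constructed, and only Luhn-valid digit runs are reported so order ids and timestamps are not flagged.

```python
import re
from typing import Dict, List, Tuple

# 13-19 digit runs, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_pans(blob: str) -> List[str]:
    """Return Luhn-valid card-like numbers (digits only) found in a serialized blob."""
    hits = []
    for m in PAN_RE.finditer(blob):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits

def scan_rows(rows: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Map 'table:id' -> masked PANs (first 6 / last 4) for rows holding card-like data."""
    report: Dict[str, List[str]] = {}
    for table, row_id, data in rows:
        pans = find_pans(data)
        if pans:
            report[f"{table}:{row_id}"] = [p[:6] + "*" * (len(p) - 10) + p[-4:] for p in pans]
    return report

# Constructed sample rows: (table, cache id / session id, serialized data).
# 4111... and 5500...0004 are well-known test card numbers; 1234... fails Luhn.
SAMPLE_ROWS = [
    ("cache_form", "form-abc123", 'a:2:{s:11:"card_number";s:16:"4111111111111111";s:3:"cvv";s:3:"123";}'),
    ("cache_form", "form-def456", 'a:1:{s:8:"order_id";s:16:"1234567890123456";}'),
    ("sessions", "sess-789", 'checkout|a:1:{s:2:"cc";s:19:"5500-0000-0000-0004";}'),
    ("sessions", "sess-000", 'uid|i:1;timestamp|i:1332366900;'),
]

if __name__ == "__main__":
    for key, masked in scan_rows(SAMPLE_ROWS).items():
        print(key, masked)
```

Against a real site, feed the script the `data` column of cache_form and sessions instead of SAMPLE_ROWS; any hit means cardholder data is being persisted and the form or session handling needs to change.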
HTTP / hijacking
- cookie / session hijacking
- drupal.org/securepages - the Secure Pages module lets you configure different parts of the site to use SSL and non-SSL connections
PCI Update
- a single module that will scan
- disables other issues
Security update team
- Drupal has a security team
- sign up for updates on drupal.org