@chrisjlee
Created March 21, 2012 21:55
Denver Drupalcon 2012 - PCI compliance with vordude (notes)
* QSA - Qualified Security Assessor
Heartland data breach
- lawsuits
- example of unauthorized access to credit card data
Costs of a data breach
- lawsuits
- reputation
Dirty dozen
- the 12 requirements of PCI DSS
- a lot of them are just security best practices
Some of the dirty dozen
- keep antivirus updated (broad scope; could include desktop clients)
- use a firewall
- don't use vendor default usernames and passwords
- develop secure applications
- restrict access to cardholder data; if you don't need to know it, don't store it
- monitor access to the network and to cardholder data
Takeaways from the dirty dozen
- you shouldn't be storing cardholder data
- never store full track data, the full card number, or sensitive authentication data (CVV, etc.)
- document everything; if it's not on paper, it never happened
- hosting companies and payment processors must be compliant
- a third-party vendor's non-compliance means your non-compliance
What is an SAQ?
- stands for Self-Assessment Questionnaire
- each one is a questionnaire; the following 3 are the most relevant to Drupal development:
- SAQ-A: all sensitive data handling offloaded to a third party
- SAQ-C: "standard"
- SAQ-D: "other", for those that don't fit the other categories
SAQ-A
- offload sensitive data and have another vendor store it
- document processes
- e.g. redirect to PayPal and return to the page
- vendors now use tokenization of card data, which allows this to be seamless
SAQ-i
- 225 questions
Merchant levels
- levels 1-4
- each card brand has its own version of the merchant levels
- each level carries different validation requirements
- Visa has a table that describes the levels
- June 30, 2012 deadline: SAQs for new credit card vendors must be completed by a QSA or a certified ISA (Internal Security Assessor)
cache_form table
- may contain data left over from submitted forms
Session variables
- the sessions table may store unencrypted data
HTTP hijacking
- cookie / session hijacking
- drupal.org/securepages - the Secure Pages module lets you configure which parts of the site are served over SSL and which over plain HTTP
PCI Update
- a single module that scans the site
- disables other issues
Security update team
- Drupal has a security team
- sign up for security updates on drupal.org