If you store, transmit or process credit card data, PCI applies.
How can OWASP help you with PCI compliance?
Credit card data:
Card data attacks have been increasing in sophistication.
PCI-DSS affects anyone who transmits, processes or stores payment card data, e.g. merchants and service providers such as Paymark and DPS.
Walk through the 12 requirements of PCI-DSS (firewalls, protecting stored data, etc.).
Protecting stored data:
You must not store sensitive authentication data (full track data, the CVV2/CVC2 code, PINs) after authorisation, even encrypted. Principle: if you don't need it, don't store it. Consider outsourcing, truncation, tokenisation.
Tokenisation: replace the PAN with a unique identifier (a "token") that has no meaning outside the tokenisation system, so the systems that only ever see the token hold no card data.
Truncation: don't store all the digits (e.g. first 4 and last 4); PCI-DSS allows at most the first six and last four digits of a PAN to be kept in the clear.
Encryption: encrypt at the point of capture, decrypt only when required, use industry-standard algorithms (no home-grown crypto), and protect your keys: an encrypted PAN stored next to its key is as good as plaintext.
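To make the three techniques above concrete, here is an added example (not from the talk or from any product it mentions) of a hypothetical in-memory tokenisation vault: the PAN is encrypted with AES-GCM at the point of capture, the merchant record keeps only a random token plus a first-six/last-four truncation, and there is deliberately nowhere to put the CVV2. The vault type, the token format and the in-memory map are assumptions for illustration; a real vault is a separate, tightly scoped service with managed keys.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// CardRecord is all the merchant application is allowed to keep. There is no
// field for sensitive authentication data (CVV2, PIN, track data) on purpose.
type CardRecord struct {
	Token     string // random handle, meaningless without the vault
	Truncated string // first six + last four: the most PCI-DSS allows in the clear
}

// Vault is a hypothetical tokenisation service (illustration only).
type Vault struct {
	aead  cipher.AEAD
	store map[string][]byte // token -> nonce || AES-GCM ciphertext of the PAN
}

// NewVault wraps a 16/24/32-byte AES key. Where that key lives (HSM, rotation,
// split knowledge) is the part an assessor asks about; it is out of scope here.
func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, store: map[string][]byte{}}, nil
}

// isPAN accepts 13-19 digit strings; Luhn and issuer checks happen at authorisation.
func isPAN(s string) bool {
	if len(s) < 13 || len(s) > 19 {
		return false
	}
	for _, c := range s {
		if c < '0' || c > '9' {
			return false
		}
	}
	return true
}

// Truncate drops the middle digits so what is stored is no longer a usable PAN.
func Truncate(pan string) string {
	if !isPAN(pan) {
		return ""
	}
	return pan[:6] + strings.Repeat("X", len(pan)-10) + pan[len(pan)-4:]
}

// Tokenize encrypts the PAN at point of capture and returns a random token.
// The token is not derived from the PAN: an unsalted hash could be brute-forced,
// since a known BIN leaves only about a billion candidate numbers.
func (v *Vault) Tokenize(pan string) (CardRecord, error) {
	if !isPAN(pan) {
		return CardRecord{}, errors.New("not a PAN")
	}
	raw := make([]byte, 16)
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(raw); err != nil {
		return CardRecord{}, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return CardRecord{}, err
	}
	token := hex.EncodeToString(raw)
	// Binding the token as associated data means a ciphertext moved between
	// vault rows fails to decrypt instead of yielding someone else's card.
	ct := v.aead.Seal(nil, nonce, []byte(pan), []byte(token))
	v.store[token] = append(nonce, ct...)
	return CardRecord{Token: token, Truncated: Truncate(pan)}, nil
}

// Detokenize is the only way back to a PAN; call it only when the PAN is really
// needed (e.g. forwarding to the acquirer) and audit every call.
func (v *Vault) Detokenize(token string) (string, error) {
	blob, ok := v.store[token]
	if !ok {
		return "", errors.New("unknown token")
	}
	ns := v.aead.NonceSize()
	pt, err := v.aead.Open(nil, blob[:ns], blob[ns:], []byte(token))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	v, _ := NewVault(key)
	rec, err := v.Tokenize("4111111111111111") // constructed input: a well-known test PAN
	if err != nil {
		panic(err)
	}
	fmt.Printf("merchant keeps: token=%s truncated=%s\n", rec.Token, rec.Truncated)
	pan, _ := v.Detokenize(rec.Token)
	fmt.Println("vault returns the PAN on demand:", pan == "4111111111111111")
}
```

The merchant database only ever sees `CardRecord`, so a dump of it yields tokens and truncated numbers, neither of which can be used to make a payment; the attacker also needs the vault and its key.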
Developing secure applications / testing that the app was built securely / using secure coding guidelines:
Standard OWASP guidelines (PCI-DSS requirement 6.5 names the OWASP Guide among the sources of current secure-coding best practice).
Annual risk assessment:
Every year new threats will affect your site; re-assess against them rather than treating last year's assessment as still valid.
Fixing legacy systems: make sure no old card data is lying around (old databases, logs, backups, exports).
Real-life example: it's very easy to mess up (the example given was a rollback to old code).
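Finding the old card data that the legacy-systems point warns about is mostly a search problem. The following is an added example, not from the talk: a small scanner that pulls 13-19 digit runs out of text, keeps only those that pass the Luhn check (which discards most session IDs and timestamps), and reports them masked so the scanner's own output does not become another copy of card data. The log lines are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Candidate runs of 13-19 digits, optionally separated by spaces or dashes.
var panPattern = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

// luhnValid applies the Luhn check digit test every card number satisfies.
func luhnValid(digits string) bool {
	if len(digits) < 13 || len(digits) > 19 {
		return false
	}
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		c := digits[i]
		if c < '0' || c > '9' {
			return false
		}
		d := int(c - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

type Finding struct {
	Line   int    // 1-based line number in the scanned text
	Masked string // first six + last four, middle replaced by '*'
}

func mask(d string) string {
	return d[:6] + strings.Repeat("*", len(d)-10) + d[len(d)-4:]
}

// ScanForPANs returns every Luhn-valid card number found in text, masked.
// Formatting noise (spaces/dashes) is stripped before the check so that
// "5500 0000 0000 0004" and "5500000000000004" are treated the same.
func ScanForPANs(text string) []Finding {
	var out []Finding
	strip := strings.NewReplacer(" ", "", "-", "")
	for i, line := range strings.Split(text, "\n") {
		for _, m := range panPattern.FindAllString(line, -1) {
			digits := strip.Replace(m)
			if luhnValid(digits) {
				out = append(out, Finding{Line: i + 1, Masked: mask(digits)})
			}
		}
	}
	return out
}

// sampleLog is constructed for this example: two real-looking test PANs
// (one of them space-separated in a "legacy dump"), plus a 16-digit session ID
// and a near-miss number that both fail Luhn and must not be reported.
const sampleLog = `2014-04-19 10:01:02 INFO order 1001 total=49.90 cust=alice
2014-04-19 10:01:03 DEBUG auth request pan=4111111111111111 exp=0517
2014-04-19 10:01:04 DEBUG legacy dump: 5500 0000 0000 0004 ref=ABC
2014-04-19 10:01:05 INFO session id 1234567890123456 created
2014-04-19 10:01:06 INFO tracking 4111-1111-1111-1112 shipped`

func main() {
	for _, f := range ScanForPANs(sampleLog) {
		fmt.Printf("line %d: possible PAN %s\n", f.Line, f.Masked)
	}
}
```

Point it at exported database tables, log archives and backup restores as well as live systems; the PAN that gets a merchant breached is usually one nobody remembered was there.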
Parting thoughts: achieve, maintain and validate compliance. Secure development is a key activity, and OWASP is a good source for it. Reduce storage of PAN data wherever you can.
The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.