If you store, transmit or process credit card data, PCI applies.
How can OWASP help you with PCI compliance?
Credit card data:
- Primary Account Number (PAN): can be stored, but protection is required.
- The CVD (3-digit card verification number) and magnetic stripe data can never be stored.
Card data attacks have been increasing in sophistication.
PCI-DSS affects anyone who transmits, processes or stores payment card data, e.g. merchants and service providers (such as Paymark, DPS).
Look at the 12 requirements of PCI-DSS (firewalls, storage, etc.).
Protecting stored data:
You must not store sensitive authentication data (CVD, mag stripe). Principle: if you don't need it, don't store it. Consider outsourcing, truncation and tokenisation.
Tokenisation: replace the PAN with a unique identifier, a "token".
Truncation: don't store all the data (e.g. keep only the first 4 and last 4 digits).
Encryption: encrypt at the point of capture, only decrypt when required, use industry-standard encryption, and protect your keys.
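As an added illustration of the truncation and tokenisation points above (this is example code, not from the talk or from OWASP), the block below keeps a PAN out of the application database entirely: the application stores a random token plus a truncated display form, and only an in-memory stand-in for a token vault ever holds the digits. The vault class, the helper names and the test card number are assumptions for the example.

```python
import re
import secrets

# Constructed example: an in-memory token vault standing in for a real
# tokenisation service. Nothing here is from the talk or from OWASP.


def normalise_pan(pan: str) -> str:
    """Strip spaces/dashes and sanity-check the length of a PAN (13-19 digits)."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    return digits


def truncate_pan(pan: str, keep_first: int = 4, keep_last: int = 4) -> str:
    """Truncation: keep only leading/trailing digits.
    Defaults follow the notes above (first 4, last 4); the rest is masked."""
    digits = normalise_pan(pan)
    hidden = len(digits) - keep_first - keep_last
    if hidden <= 0:
        raise ValueError("truncation would reveal the full PAN")
    return digits[:keep_first] + "*" * hidden + digits[-keep_last:]


class TokenVault:
    """Maps PANs to opaque random tokens. In practice the vault is a separate,
    PCI-scoped system; the application only ever stores the token."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenise(self, pan: str) -> str:
        digits = normalise_pan(pan)
        token = self._token_by_pan.get(digits)
        if token is None:
            # A random token carries no information about the PAN. A plain hash
            # would not do: the PAN space is small enough to brute-force.
            token = "tok_" + secrets.token_hex(16)
            self._token_by_pan[digits] = token
            self._pan_by_token[token] = digits
        return token

    def detokenise(self, token: str) -> str:
        """Only the vault can turn a token back into a PAN (e.g. for a refund)."""
        return self._pan_by_token[token]


def storable_record(vault: TokenVault, pan: str, expiry: str) -> dict:
    """What the application database keeps: token + truncated PAN, never the
    full PAN and never CVD / mag-stripe data (which must not be stored at all)."""
    return {
        "token": vault.tokenise(pan),
        "pan_display": truncate_pan(pan),
        "expiry": expiry,
    }


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed input using a well-known test card number, not a real account.
    print(storable_record(vault, "4111 1111 1111 1111", "12/26"))
```

The same PAN always maps to the same token, so the application can still recognise a returning card without ever seeing the digits; the record it stores contains nothing that is a PAN under PCI-DSS.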
Developing secure applications: test that the app was built securely and use secure coding guidelines:
Standard OWASP guidelines.
Annual risk assessment:
Every year, new threats will affect your site. Go and re-assess against the new threats.
Fixing legacy systems: make sure no old card data is lying around.
Real-life example: it's very easy to mess up (the example given was reverting to old code).
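One way to check the "no old data lying around" point against legacy logs or database dumps, as an added example that is not part of the talk: scan for digit runs that look like a PAN and keep only those that pass the Luhn check, reporting them truncated so the scanner's own output does not become another copy of the card data. The sample log lines, the regex and the function names are constructed for this example.

```python
import re

# Constructed sample lines resembling a legacy application log. The card
# numbers are well-known test numbers, not real accounts.
LEGACY_LINES = [
    "2024-05-01 10:00:01 order=ORD-8832 status=ok",
    "2024-05-01 10:00:02 legacy_dump pan=4111111111111111 exp=12/26",
    "2024-05-01 10:00:03 card=5500 0000 0000 0004 amount=19.90",
    "2024-05-01 10:00:04 ref=1234567890123456 status=ok",
]

# 13-19 digits, optionally separated by single spaces or dashes,
# and not glued to other digits on either side.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test: true for every real PAN, and for about one in ten
    random digit strings, so it cuts false positives rather than proving a match."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Truncated form (first 4, last 4, as in the notes above) for reporting."""
    return digits[:4] + "*" * (len(digits) - 8) + digits[-4:]


def find_pans(lines: list[str]) -> list[tuple[int, str]]:
    """Return (line number, truncated PAN) for each Luhn-valid candidate."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for match in CANDIDATE.finditer(line):
            digits = re.sub(r"\D", "", match.group())
            if luhn_valid(digits):
                findings.append((lineno, mask(digits)))
    return findings


if __name__ == "__main__":
    for lineno, shown in find_pans(LEGACY_LINES):
        print(f"line {lineno}: possible PAN {shown}")
```

The fourth sample line is a 16-digit reference number that fails the Luhn check and is therefore not reported; the timestamps never reach 13 digits. A hit still needs a human to confirm it, but every confirmed hit is data that should have been purged or tokenised.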
Parting thoughts: achieve, maintain and validate compliance. Secure development is a key activity, and OWASP is a good source for it. Reduce storage of PAN data.