CYA with PCI

PCI Compliance:

What it is and What You Need to Know

with Josh Lee and Brie Hoblin

Brie Hoblin

QA Engineer

Founder of Sage Logik

Specializes in implementing QA in companies that haven't had QA before

 

 

@bhoblin

brie@sagelogik.com

Josh Lee

Developer and consultant

10+ years w/ eCommerce

Specializing in PCI, HIPAA, and WCAG Compliance

 

 

 

@joshleecreates

josh@joshuamlee.com

Just one thing...

You don't want to do this.

*yourself

Even for organizations where security is a core competency, breaches are becoming a common occurrence.

(World's Biggest Data Breaches)

So what is PCI?

"PCI DSS"

 

"The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment."

"PCI DSS"

 

  • Payment Card Industry Data Security Standard
  • A voluntary standard established by the major payment providers (VISA, MasterCard)
  • Compliance is required for any organization handling credit cards digitally OR in person

so what happens if you're not compliant?

What happens if you're not compliant?

  • After a breach:
    Massive fines, immediate account termination, banned from network
  • Before a breach:
    Large fines, account termination
    (e.g., somebody from your bank visits your store website and notices that SSL is expired)

Horror Story 1:

They're in the vents!*

Horror Story 2:

The firewall is breached!

Firebase App Audit

  • Appthority reviewed 28k apps
  • Over 10% of apps reviewed exposed user data
  • Leaky backends exposed over 2.6 million unencrypted username/password combinations
  • Over 50,000 personal financial records exposed

PCI is an organization-wide security concern.

We must consider the totality of our systems and all possible attack vectors.

data breach Severity questionnaire

PCI Compliance overview: 4 Levels

Text

PCI Compliance Levels

  • Higher levels have stricter validation requirements.
  • Your bank will determine your level.
  • Your "level" is the same for all networks (e.g. VISA, MC) even though the guidelines may differ.

PCI Compliance SAQ's

  • PCI Compliance is currently on v. 3.3.
  • With 3.0 forward there are "Self Assessment Questionnaires."
  • For most small businesses, the SAQ is the only validation requirement.

SAQs

  • There are different SAQs depending on how your organization processes payment data.
  • Your bank will sometimes tell you if you require validation above-and-beyond an appropriate SAQ.

SAQ Types

  • There is also SAQ-B for offline-only.
  • SAQ-D is 10x longer than SAQ A-EP.
  • You require SAQ-D if you don't meet the criteria
    for any other SAQ.
  • Even if you require SAQ-D, you'll still want to
    outsource as much as possible.

Compliance is not just a checklist

More than a SAQ

  • An SAQ is often the only validation step required to get started, but it is not the end of your responsibility.
  • In the event of a breach, you will need to be able to defend your organization's practices and procedures.

Be Prepared

  1. Have a person within your organization designated as the owner of all PCI-related issues.
  2. Have a written strategy for PCI compliance.
  3. Have written procedures for any interactions with payment data.
  4. Perform regular reviews of your strategy, technology, and systems.
  5. Educate yourself on other requirements (we are not lawyers).

Developers

What do I need to process Credit cards online?

  1. Checkout Page
  2. Payment "Gateway"
  3. "Merchant Account"

Checkout page

  • Where users enter their credit card information.
  • This can live on your own "site" ...
  • Or you can direct users to another site managed by your payment processor.
  • Often you will be given options to customize the look and feel of an outsourced payment page.

Payment Gateway

  • Translates Web API calls to the payment network used by credit card terminals.
  • May or may not come with a merchant account.
  • Popular providers: Authorize.net, Braintree

Merchant account

  • A special account required to process credit cards online or in person.
  • Money is usually transferred to your actual bank account every 24 hours.
  • Brick and mortar businesses likely have one already with their bank.
  • Bank-provided merchant accounts may not be compatible with your gateway of choice.
  • Full-service gateways like Stripe and Paypal will provide this for you.

Strategies for e-commerce

  • Outsource everything (SAQ-A)
    "Don't touch the data"
  • Outsource most things (SAQ-AEP)
    "Don't let the data touch your servers"
  • Full control (SAQ-D)
    ... try not to do this.

Outsource everything (SAQ A)

  • Your entire checkout flow is outsourced to a PCI-compliant 3rd-party.
  • Your organization does not have direct access to customer CC data.
  • Easiest, lowest risk

Outsource most things (SAQ A-EP)

  • Your checkout flow is hosted in an iframe or on a 3rd party's servers, and you have some control over CSS and JS.
  • You use tokenized credit card data for recurring transactions.
  • A-EP is a relatively new validation level, designed specifically for e-commerce ease.

Other components of e-commerce

  • Shopping carts
  • Payment notification
  • Fulfillment services
  • Login/order review
  • Subscriptions & recurring billing

Strategies for e-commerce

Examples

Outsource everything (WITH a shopping cart)

  • Marketplace (e.g. Etsy, Ebay, Amazon)
  • Shopify + Shopify Payments
  • BigCommerce + Managed Checkout

Outsource everything (no shopping cart)

  • PayPal "Buy Now" Buttons

Outsource most things

  • Customized SaaS checkout on your own domain
  • Customized 3rd-party payment form (e.g. Authorize.net)
  • Embedded payment form on your site (e.g. Stripe, Paypal)
  • Your servers handle tokenized CC data, e.g. for recurring billing

Direct gateway integration

Direct gateway integration

  • You need complete control of the checkout and payment process.
  • Customer credit card data is processed on your servers.
  • Your servers interact directly with your payment processor's Gateway via API calls.


Things are going to get a lot more complicated. You should have security and networking experts on your team before attempting this. You will need to hire 3rd parties to verify your servers and software.

Recurring billing & subscriptions

  • Storing customer CC data on your servers is yet more complicated.
  • Before Stripe, this was really, really hard.
  • Now, tokenization is common so you don't have to do this yourself.

Credit card Tokenization

  1. The user's credit card number and expiry is transmitted to a payment processor directly from the user's browser.
  2. The payment processor returns a token, which the user's browser then forwards to your servers.
  3. Your servers can verify the token with the payment processor, then us that token as a short-term alternative to a credit card for charging that customer.

testing for pci compliance

testing for pci compliance

So how do we test for this stuff?

  • Build up your own understanding of PCI Compliance
  • Know what tier / type of SAQ your organization is using
  • Understand what is required for that tier / SAQ

So how do we test for this stuff?

  • Make sure where your application passes users to a 3rd party payment method is secure (not subject to redirects or iframe vulnerabilities)
  • Verify that developer / software team is diligent about SAQ requirements
  • Include the ability to fake payments in your staging environment

third party payment methods with fake payments

  • Shopify
  • Stripe
  • Apple Pay
  • Paypal
  • Authorize.net
  • NOT Western Union

So how do we test for this stuff?

  • Initial one time payments
  • Recurring payments
  • Refunds
  • Declined payments
  • Declined payments being retried
  • * It is against PCI terms to pay yourself with your own credit card (this is equivalent to an illegal cash advance)

what happens when...

  • User enters an expired credit card
  • User enters invalid CC number
  • User enters card that hasn't been activated
  • User enters card that is over spend limit
  • An unexpected error comes from the
    payment processor

summary

  • Know what is required of you.
  • Leverage 3rd party services (outsource!)
  • Constant vigilance pays off!

Resources

Resources CONT'd