1. Challenges in implementing and certifying an
online payment application
October 2013
Ana Tudosa
Java Senior Developer

2. Why Do We Care About Security?
AN INTRODUCTION HERE
HELP!!!! 
Challenges in implementing and certifying an online payment application

3. How Hard Is It To Compromise?
The majority of the attacks are very easy to
execute
78% of the attacks required Low or Very Low
difficulty to execute
Source: Verizon Data breach investigation report 2013
Challenges in implementing and certifying an online payment application

4. Some Hacker Profiling
Variety and origin of external attackers
Source: Verizon Data breach investigation report 2013
Challenges in implementing and certifying an online payment application

5. Some Hacker Profiling
Variety of internal attackers

Hey developers are pretty honest comparing to upper
management and system administrators 
Source: Verizon Data breach investigation report 2013
Challenges in implementing and certifying an online payment application

6. What is Being Compromised?
Most commonly applications
Source: Post Breach Boom, Ponemon Institute 2013
Challenges in implementing and certifying an online payment application

7. How Did It Occur?
SQL injection is the most common form of
successful attack
Source: Post Breach Boom, Ponemon Institute 2013
Challenges in implementing and certifying an online payment application

8. Types of Breaches
In order to protect your application you
need to understand WHO, WHY and HOW
 APT
 Opportunistic breach
 Hacktivist breach
 Self-inflicted breach
Challenges in implementing and certifying an online payment application

9. Night Dragon
Source: Global energy cyber attacks, “Night Dragon”, McAfee, 2011
Challenges in implementing and certifying an online payment application

10. The Hacktivist Breach
Challenges in implementing and certifying an online payment application

11. Cost Of a Data Breach
$395,262.00
$565,020.00
Detection and Escalation
Notification
$3,030,814.00
$1,412,548.00
Ex-Post Response
Lost Business
Source: Cost of A Data Breach: Global Analysis Ponemon Institute 2013
Challenges in implementing and certifying an online payment application

12. What is PCI-DSS?
Payment Card Industry Data
Security Standard
Enforced by all the credit card
companies around the globe
Created the PCI Council
Its purpose is to protect the
customer’s data
The merchant is most often the
weakest link
Why?
Challenges in implementing and certifying an online payment application

13. WHO Needs It?
MANUFACTURERS
PCI PTS
PIN Transaction
Security
SOFTWARE
DEVELOPERS
PCI PA-DSS
Payment Application
Vendors
MERCHANT &
PROCESSORS
PCI DSS
Data Security
Standard
PCI SECURITY
STANDARDS
& COMPLIANCE
Ecosystem of payment devices, applications, infrastructure and users
Challenges in implementing and certifying an online payment application

14. What Does It Mean To Adhere To The Standard
Realize that it refers to the entire organization:








IT infrastructure & management
How you store data (in particular CC data)
Security procedures
How you limit access to CC data
How you log everything
How strong is your application (security wise)
What is the level of physical security
Tons of documents you need to produce
PCI does not allow different styles of compliancy
100% compliant, less is not acceptable
Challenges in implementing and certifying an online payment application

15. PCI data elements
Cardholder data
 PAN – primary account number
 Expiration date
 Card holder name
Sensitive authentication data
 Track data
 CAV/ CVV /CVC / CID
 PIN
Challenges in implementing and certifying an online payment application

16. OWASP
Whenever you get some sort of feedback from either
QA or security audit you will be referred to OWASP
Open Web Application Security Project
Not-for-profit organization
Focused on providing application security
Technology agnostic
They produce the “Top ten most critical web
application security risks”
Not the only one, there are others like Microsoft SDL
Challenges in implementing and certifying an online payment application

17. OWASP top 10
A1: Injection
A2: Broken authentication and session
management
A3: Cross site scripting (XSS)
A4: Insecure direct object references
A5: Security misconfiguration
A6: Sensitive data exposure
A7: Missing function level access control
A8: Cross-site request forgery (CSRF)
A9: Using unknown vulnerable components
A10: Unvalidated redirects and forwards
Source: OWASP TOP 10 , 2013
Challenges in implementing and certifying an online payment application

18. JSF Components
We implemented our own set of JSF
components
The requirements were :
 Single way to present the UI
 Highly customizable
It came in handy when implementing
protection against top 10 security threats
 Escaping, URL encoding, validation, challenge codes
Challenges in implementing and certifying an online payment application

19. A2: Broken authentication and session management
Method: Application functions related to
authentication and session management are
often not implemented correctly.
Risk:
 Compromise passwords, keys, session tokens
 Assume other user’s identities
 Unauthorized access to application
Challenges in implementing and certifying an online payment application

20. A2: Broken authentication and session management
Solution









Session cookies - secured and httponly
No session ID in URLs
Session timeouts and maximum session TTL
Create new session after login
Challenge codes
Use password hashing (with salt)
Use strong encryption algorithms for sensitive data
Login from an encrypted page
Don’t re-invent the wheel (use existing session
management)
Challenges in implementing and certifying an online payment application

21. A2: Example: Tunisian Arab Spring
Challenges in implementing and certifying an online payment application

22. A5: Security misconfiguration
Method: Exploit incorrect secure
configuration such as AS/DB servers defaults
Risk:
 Unauthorized access to some system data or
functionality.
 Occasionally, such flaws result in a complete
system compromise.
 Very generic, it can be anything
Challenges in implementing and certifying an online payment application

23. A5: Security misconfiguration
Solution:
 AS hardening
 Implementing new AS services for extended
cryptographic capabilities
 Keep dependencies up to date
 Periodic scans/audits
 A strong application architecture - tokenization
Challenges in implementing and certifying an online payment application

24. A5: Application Architecture : Tokenization
1001101010
Facade
Tokenization Module
Facade
Tokenization
1001101010
Encryption Engine
Clearing
Datasets in Memory
Connectors
Challenges in implementing and certifying an online payment application

25. A5: Application Architecture
Un-Trusted Users
Application Server
Payment Application (core)
Un-Trusted
Web Server
Payment Application (web)
Firewall
App Tier
DMZ
DB Tier
Database
Internal Network
Users
Challenges in implementing and certifying an online payment application

26. A6: Sensitive data exposure
Method: Exploit poorly protected sensitive
data
This used to be old A7&A9
 A7: Insecure Cryptographic Storage
 A9: Insufficient Transport Layer Protection
Risk:
 Information Leakage
 Unauthorized access to sensitive data in transit
 Network sniffing
Challenges in implementing and certifying an online payment application

27. A6: Sensitive data exposure
Solution:
 Use existing strong encryption algorithms
 Generate keys offline and store private keys with
extreme care
 Ensure that properly secured
 Always use SSL 3.0/TLS 1.2 for sensitive data in
transit
 Protect communication between web servers and
data bases
 Use certificates where applicable even in internal
networks
Challenges in implementing and certifying an online payment application

28. And The Result
https://www.pcisecuritystandards.org/appro
ved_companies_providers/validated_payme
nt_applications.php?agree=true
Challenges in implementing and certifying an online payment application

29. Please fill in the evaluation form
Contact: ana.tudosa@mindcti.com
Challenges in implementing and certifying an online payment application